The Colonial Pipeline Ransomware Attack, One Year Later
This week marks the one-year anniversary of the Colonial Pipeline attack. The anniversary is significant as this was the first time a foreign attacker brought US critical infrastructure to a halt, leading to a massive fuel shortage across the East coast of the United States. Fortunately, the impact lasted only a week when Colonial restored services and fuel operations.
While researching another ransomware gang in April 2021, a month before the pipeline attack, DarkSide caught my attention with various posts recruiting for their ransomware program. I wanted to know more about the group and began profiling the gang and the personas it used. Due to this, when the pipeline attack occurred, I had good insight into the gang’s activities, including underground forums, the accounts they used, and many of the affiliate hackers who interacted with them. Once the attack occurred, I provided the information I had obtained in my research to law enforcement and discussed the situation with reporters and media organizations covering the story. While I admit it was luck, I found myself in the middle of the attack. Even though I was not able to identify the true identities of DarkSide members, the time spent researching and profiling the gang gave me more insight into their activities.
Today, I want to discuss what has changed since the attack, how it affected the United States, its national security posture, and triggered events that impacted the Russian ransomware community. Ransomware attacks occur every day; however, few have the impact seen in the pipeline attack. While I don’t believe they intended to do so, DarkSide, the criminal gang behind the attack, changed how we view ransomware today.
You can use the timeline shown below to follow along as we discuss the incident and the significant events that transpired due to the pipeline attack.
DarkSide completed the attack on May 7, 2021; however, they likely breached Colonial Pipelines’s infrastructure three to seven days before and executed the ransomware payload on May 7, leaving systems used to control and operate the pipeline inoperable. As a direct result, Colonial shut down operations to prevent further damage to their infrastructure and contacted federal law enforcement for assistance. The following day, Colonial met DarkSide’s demands and paid over $4 million ransom in bitcoin currency.
Over the following week, President Biden announced the US government planned to disrupt the DarkSides group’s operation. Shortly after the announcement, DarkSide posted a message stating they lost control of their infrastructure to include their data auction site and payment portal.
Further, DarkSide claimed someone, presumably the United States government, also took funds obtained through victim ransom payments from the payment server. DarkSide liked to take money that didn’t belong to them from victims. Apparently, they did not find it as fun when it was done to them.
In the same thread, DarkSide announced their retirement. As seen in the past, ransomware criminals rarely retire. Instead, they rebrand under a new name or go separate ways to support other criminal gangs conducting similar operations.
Takeaway #1: The US government (likely) used Intelligence community resources, such as Cyber Command, normally reserved for government and military hacking operations, to disrupt the criminal operation of the DarkSide attacker. Traditionally, these resources are not used for criminal investigations, which shows the escalation and new focus now being leveraged against Russian ransomware criminals.
Within hours of DarkSide’s post, REvil, another ransomware gang with close ties to DarkSide, began posting messages on DarkSide’s behalf. REvil and DarkSide have a close relationship, which we detail in our “A History of REvil” white paper.
Takeaway #2: The ransomware community is much smaller than most of us think. As observed in this incident, criminals in this community often have working relationships and even share attack resources.
This was a huge win for good guys. While it may seem trivial, banning the topic and any user who discusses ransomware makes it much harder for criminals to recruit affiliate hackers to participate in their operations. It also makes it more difficult for ransomware gangs to purchase attack resources commonly brokered on these sites.
Takeaway #3: Criminals will self-govern themselves if the stakes are high enough. The attention and resources of the US government leading the takedown of DarkSide infrastructure and the direct messaging from the President of the United States and the FBI resulted in the loss of access to major criminal forums used by ransomware criminals.
A month after the attack took place, on June 7, a second cryptocurrency seizure operation took place. However, this time, the US Department of Justice announced the action in a press release stating it seized 63.7 bitcoins ($2.3 million) from the wallet used by DarkSide to collect the ransom payment in the pipeline attack. The FBI received permission from a federal court that issued a seizure warrant before retrieving the extorted bitcoin currency. Unlike the previous bitcoin seizure, the US government and the FBI made a point to publicly document the approval process and were transparent with the press release and court paperwork. The fact that the FBI took steps to get a US judge to approve the action prior to conducting the operation also supports the theory that Cyber Command conducted the previous cryptocurrency seizure. Cyber Command would have the proper congressional authorities to conduct such an operation without requiring permission from a judge or need any sort of warrant.
Takeaway #4: Cryptocurrency is not as secure as we thought. The US government used “special” resources to obtain the private key necessary to facilitate a transfer of cryptocurrency out of a DarkSide controlled crypto-wallet. Prior to these two events, I was unaware of any instance in which law enforcement or government operation successfully stole money back from the bad guys (well done, guys). The only way to do this is to obtain the secret key associated with the wallet. This means the US had identified the accounts or systems associated with the wallet owner/controller and then either hacked their way in or used secret squirrel tools to obtain the key.
Regardless, this sent a strong message to attackers and, more importantly, it will make them think twice before they disrupt US critical infrastructure. If you can’t keep the money, why invest the time to steal/extort it. Unfortunately, the US government and law enforcement cannot do this most of the time. The resources necessary to implement such an endeavor are reserved for the most significant attacks, like this one.
The following week, on June 16, 2021, US President Biden and Russian President Vladimir Putin met in Geneva. The forefront of the conversation revolved around ransomware, specifically driven by the Pipeline attack. President Biden requested help from the Russian government to deter criminals and warned if the attacks continued, the United States would “respond in kind.” DarkSide managed to get two of the world’s most powerful leaders to sit in a room and discuss ransomware because of the attack they conducted. Certainly, this was not the attention they wanted.
I believe DarkSide knew they screwed up and were concerned that the attention from the United States, which was being directed at the Russian government, might cause difficulties for them in their home country. While most Russian criminals feel protected by the Russian government, in my opinion, DarkSide knew they went too far with this attack. Evidence to support my opinion can be seen in the message they posted shortly after the attack took place, before the retirement announcement.
“Our goal is to make money and not creating problems for society. From today, we introduce moderation and check each company that our partners want to encrypt to avoid social consequence in the future.”
Takeaway #5: This takeaway is for the bad guys. Do not target organizations responsible for critical infrastructure or the services they provide. Based on conversations between ransomware criminals, I can tell you most of them want to make money and do not want the problems associated with a US government response. Russian ransomware criminals specifically have discussed this on various underground forums. After observing the US response to the pipeline attack, things have changed. Most ransomware criminals are more cautious today than they were a year ago regarding their target selection. Now, most gangs try to avoid these targets by staying under the radar to continue to operate and make money.
In July 2021, President Biden directed the Departments of Homeland Security and Justice to establish a federal interagency ransomware task force. The task force shares resources across various law enforcement and intelligence agencies in an effort to work together collectively against ransomware threats. Additionally, they also stood up StopRansomware.gov (since changed to https://www.cisa.gov/stopransomware), which supplies an “interagency resource that provides FSA partners and stakeholders with ransomware protection, detection, and response guidance that they can use on a single website.”
Takeaway #6: There are now additional resources to address ransomware threats. The most impactful is the interagency task force. Time will tell how well these organizations within the task force will work together and how effective they will be. Still, the pipeline response demonstrated what the US government could do when using all available resources to go after a ransomware actor.
Several months later, in November 2021, the US government announced it would pay $10 million for information leading to the identification of key leaders of the DarkSide gang and $5 million for information on any individual who had supported or took part in the gang’s operations. To my knowledge, no one has collected the reward, but it has had an effect on the criminal community or at least has got them talking. Below is an example of some of the conversations taking place on Russian underground forums after the reward announcement was made. In one instance, you see an individual who claims they know someone who provided info on one of their accomplices, and in another, where the individual warns if you are not within the US or EU, you will not qualify for payment.
Takeaway #7: Bounty/rewards do impact cybercriminals. You have to think that if the conversations are taking place on the forums once utilized heavily by DarkSide and I am seeing them, there is a good chance DarkSide is, too. If nothing else comes of it, it will have DarkSide looking over their shoulder and questioning whom to trust. While this is more of a psychological effect, I still consider this impact a new development that has begun as a direct result of the Pipeline attack.
Two months later, in January of 2022, likely as a result of the Putin/Biden meeting that took place the previous summer, FSB agents arrested 14 men believed to be part of the REvil gang. If you recall, we discussed how REvil and DarkSide had a relationship and supported each other’s operations. The effort was geared more toward REvil but did include the arrest of at least one individual associated with the DarkSide gang who played an essential role in the Pipeline attack.
Takeaway #8: While not very common, political pressure can motivate foreign governments to police criminals targeting US companies. Certainly, the presidential meeting played a role in the arrest; however, it is worth noting this was likely a move by Russia to play nice as they prepared to invade Ukraine. Regardless of the reason, it is an event that had never happened before, and as detailed in our “A History of REvil” white paper, it had a dramatic effect on the Russian criminal community at the time.
A lot has happened over the past year. As you can see, each event played a role in changing the mindset of criminals in the ransomware community. These are small steps, but today, it is harder for ransomware attackers to recruit hacker affiliates to participate in their operations. It is also more difficult to discuss and purchase attack resources since the topic is banned on the most significant underground criminal forums. Additionally, attackers are now being more selective on their targets and specifically avoiding US critical infrastructure. This does not mean it won’t happen again, but it does show that we have made progress in deterring targets vital to our society and day-to-day lives.
Further, criminals now know that cryptocurrency is not as secure as they previously thought. Criminals use cryptocurrency because it is hard to attribute back to an individual and even harder to confiscate. However, the United States demonstrated in two different instances that while difficult, it can be done. This and the arrest are likely the most notable aspects of the post-pipeline response that deter criminals from targeting our critical infrastructure. Ultimately, criminals want their money and do not want to deal with the US government, its resources, or the political pressure that comes from attacks like this one.