The FBI confirmed yesterday (May 10) that a Russian hacking group called DarkSide was behind a recent cyberattack that shut down Colonial Pipeline, the company that operates the largest fuel pipeline in the US.
DarkSide is not a unit of Russia’s intelligence services, and there’s no evidence that it is funded or directed by the Kremlin. Instead, DarkSide is a private, for-profit criminal organization that operates under the benign neglect of Russian authorities. DarkSide reserves its mischief for Russia’s geopolitical rivals—companies based in the US and western Europe—and Russian authorities don’t interfere with its work.
In many ways, DarkSide resembles the privateers that terrorized the seas during the golden age of piracy in the 17th and 18th centuries. In that era, a captain could obtain a letter of marque from a colonial government officially authorizing him to pillage and plunder merchant ships belonging to rival nations—so long as he left his own country’s ships alone. Unlike pirates, who were “enemies of all mankind” and liable to be captured and killed wherever they went, privateers could safely use one of the major powers’ ports as their base of operations.
Hackers get a similar deal. DarkSide is one of the many for-profit ransomware groups that have proliferated and thrived in Russia. These cyber-gangs encrypt companies’ systems, typically after copying sensitive data they can threaten to leak, and demand ransoms ranging from $200,000 to $20 million. Many of these groups, including DarkSide, build a check into their malware that inspects the victim machine’s language settings before anything is encrypted; if the system language is Russian (or, commonly, another language of the former Soviet states), the malware simply exits without encrypting a single file. Features like this help hackers avoid the ire of their host governments, and ensure that they don’t wear out their welcome in their safe harbor.
“Russian actors tend not to target their own country, mainly because they don’t want law enforcement coming after them,” said Jon Clay, vice president of threat intelligence at cybersecurity firm Trend Micro. “We see that around the world: Depending on which country an actor group is coming from, they tend to stay away from targeting their own.”
Russia has the biggest concentration of for-profit hacking syndicates, but Clay says there’s a similar dynamic at play in countries like China, North Korea, and Brazil. Local hackers tend to focus on foreign targets, because they’ll be treated more leniently by law enforcement if they do. Russian authorities, in fact, are constitutionally prohibited from extraditing their citizens to another country, meaning that hackers have little to fear from foreign governments.
The latest DarkSide attack, however, may test the limit of Russia’s desire to protect its hacker-privateers. The hackers targeted Colonial Pipeline, a US company that transports over 100 million gallons of gasoline and other fuel daily. On May 7, the company shut down its entire pipeline system, and while it has since restored some smaller lateral lines, it will take at least a week to restore the flow of fuel to normal levels.
The scale of the attack, and its impact on critical US energy infrastructure, immediately attracted the attention of US intelligence agencies. The White House has vowed swift action. All of this is bad for DarkSide’s business, and could become an irritant for the Russian authorities who have turned a blind eye to the group’s activities.
“In the past [groups like DarkSide] have managed to carry on their activities without government focusing particularly strongly on them, and there haven’t been any sanctions imposed on countries which harbor them,” said Brett Callow, a threat analyst at the cybersecurity firm Emsisoft. “That could be about to change. This attack is of such magnitude that it really cannot go unanswered.”
The attack seems to be a serious miscalculation on the part of the cyber criminals. One explanation for the ill-advised attack is that hacking syndicates, much like the privateers of yore, are loose cannons. DarkSide is particularly hard to control because, in addition to carrying out its own attacks, it runs a ransomware-as-a-service operation: it leases its malware and extortion infrastructure to affiliate criminal groups that pick their own targets, in exchange for a share of any ransom paid.
In a May 10 statement, DarkSide seemed to indicate that the Colonial Pipeline attack was the result of an affiliate gone rogue. “Our goal is to make money, and not creating problems for society,” the group wrote. “From today we intoduce [sic] moderation and check each company that our partners want to [attack] to avoid social consequences in the future.”
Others, however, have begun to wonder whether DarkSide secretly has been working at the behest of the Russian government. The group has attacked US oil and gas infrastructure four times in the past six months, according to data from the cybercriminal investigation firm DarkTracer, leading some to wonder whether the Kremlin pushed DarkSide to carry out the attacks to test vulnerabilities in the US energy system or embarrass its geopolitical rival.
“We know that there’s a tacit approval here that these folks are allowed to operate with relative impunity,” said Bryson Bort, a senior fellow studying cybersecurity and emerging threats at the think tank The R Street Institute. “The real question we’re all wondering is, is there more than tacit acceptance by the Russian government?”