What We Know About DarkSide, the Russian Hacker Group That Just Wreaked Havoc on the East Coast

Dustin Carmack

It’s been less than two weeks since a criminal cybergang known as DarkSide succeeded in shutting down a pipeline that transports 45% of the United States’ gas and fuel supply along the East Coast, causing severe outages from Georgia to Virginia. While Colonial Pipeline slowly resumed operation last week, service will likely be impacted in the near term.

Cyber and ransomware attacks have become more frequent and more severe in recent years, targeting schools, hospitals, corporations, and government networks. The ransomware attack on the Colonial Pipeline further demonstrates what cyberattacks—perpetrated by nonstate actors—can do to disrupt U.S. markets.

It also hints at how devastating a large-scale cyberattack, launched by a hostile nation-state, could be.

DarkSide, which surfaced in August 2020, has openly acknowledged that its malware was used by associates in the case of the Colonial Pipeline attack. The group fashions itself as a modern-day cyber Robin Hood—making money off of the rich and even donating some to charity.

Ransomware platforms, like the one used in the Colonial Pipeline attack, usually operate through a routine of double or triple extortion: they demand payment for the decryption key that unlocks an organization’s files and servers, and a further ransom in exchange for a commitment to destroy any data that was stolen.

The organization is part of a constellation of criminal actors—long-known in the cybersecurity world—that emanates from Russia and its former Soviet states, as well as North Korea, China, Syria, and Iran.

Russian President Vladimir Putin provides safe harbor for these cybercriminals to operate in Russia as long as their malware and ransomware do not target domestic assets. As cyber expert Brian Krebs recently noted, many of these malware strains refuse to install on Windows systems if they detect that a Russian or Cyrillic keyboard layout is present.

“DarkSide, like a great many other malware strains, has a hard-coded do-not-install list of countries which are the principal members of the Commonwealth of Independent States (CIS)—former Soviet satellites that mostly have favorable relations with the Kremlin,” writes Krebs.

Although it is unknown if Putin knew about specific details of the Colonial Pipeline attack in advance, he has created an environment that gives flexibility to malicious actors in Russia to undermine the United States and its allies without direct guidance or authority from the Kremlin.

This arrangement allows for harm to occur to the Kremlin’s adversaries while allowing the Kremlin to maintain an arm’s length of distance from nonstate groups like DarkSide. It is also likely that many of these cybercriminals within Russia and the former Soviet states have military or intelligence backgrounds and previous cyber training.

The likelihood that Putin cracked down on those responsible is zero. If anything, Putin was likely pleased by the temporary chaos this created for the average American consumer and for the Biden administration.

Less than a week out from the pipeline coming back online, ransomware attacks are back up to the historical average, after dipping in the wake of the Colonial Pipeline attack. In fact, Ireland’s health care system is currently struggling with a brutal ransomware attack that has caused enormous problems as workers there continue to respond to the COVID-19 pandemic.


Back in the U.S., the damage done to Colonial Pipeline will be long-lasting. The company’s CEO, Joseph Blount, has now acknowledged that the company paid a $4.4 million ransom to DarkSide the day he was alerted to the attack, and that the company’s decision to shut down the pipeline was made to prevent the attack from spreading from its corporate systems to the pipeline’s operating systems.

After the decryption key was passed along, though, the systems couldn’t be adequately brought back online quickly, and Blount claims they’re still unable to properly bill customers. The long-term impact will likely cost the company “tens of millions of dollars,” he said.

As U.S. lawmakers, private sector leaders, and the Biden administration continue to respond to the ramifications of this attack, it is mind-boggling that President Joe Biden is reportedly handing Putin a win by waiving sanctions on the company in charge of completing the Nord Stream 2 pipeline.

The Nord Stream 2 pipeline project will allow Putin to extend his tentacles further into Europe and will cause economic harm to U.S. ally Ukraine—which is still reeling from Russia’s illegal annexation of Crimea.

Biden has boasted that nobody is tougher on Russia than himself. To help Putin complete his pipeline just days after Russians shut down a U.S. pipeline proves that his actions do not match his rhetoric.

Now is the time for the U.S. to take the threat of cybercriminals seriously—and not turn a blind eye to the nation-states that harbor them.
