When the Russian-speaking Darkside cyber-criminal syndicate shut down the Colonial Pipeline May 8, it disrupted about 50% of the gasoline, diesel fuel and jet fuel supplied to the South and East Coast, causing shortages and spiraling prices. Options for restoring the supply chain were limited, given that the alternatives, tanker trucks or trains, had to re-supply the 2.5 million barrels of fuel lost a day. Working feverishly to restore service, the FBI, working with Colonial, agreed to pay Darkside about $5 million for the decryption software needed to get Colonial’s systems up and running. Colonial announced May 13 that it would be back up and running by the weekend, meaning that the worst of the supply shortages was over. President Joe Biden, 78, discouraged Colonial from paying a ransom to get its operations back in business, something Colonial ignored in paying the $5 million.
Working with the FBI cyber-crimes division, Colonial did a clever thing by paying Darkside in crypto-currency to meet its demands to restart the 5,500-mile pipeline fuel supply, running from Houston through the South to the Northeast. Speaking on a cyber-crime forum, Darkside admitted that Colonial’s $5 million payment had suddenly disappeared, claiming its crypto-currency account had been drained. “Servers were seized [country not named] money of advertisers and founder was transferred to an unknown account,” read the crypto-crimes forum. “A few hours ago, we lost access to the public part of our infrastructure,” the message said. “Also, a few hours after the withdrawal, funds from the payment server [ours and our clients] were withdrawn to an unknown address,” showing that the cyber-crimes division of the FBI outsmarted Darkside to get the cash back.
Darkside knows that the FBI cyber-crimes unit is hot on its trail, capable of exposing its cyber-criminal network. When it came to Colonial Pipeline paying the ransom, it was a calculated ploy to trace the funds to specific bank accounts, giving investigators the best possible way of exposing the cyber-crime gang. Darkside announced it was disbanding its network now that the FBI was hot on its trail, something that can’t be trusted. Cyber-criminal gangs don’t throw in the towel easily; they simply morph into a different form to conduct their criminal activity. As long as they can collect hefty sums of cash, they’re likely to continue extorting money from governments and companies. Disbanding a cyber-criminal group is the group’s way of going stealth because it has exposed itself to possible detection. Cyber experts believe cyber-criminals don’t really disappear; they just go more stealth.
Biden administration officials have been mum about the role the FBI played in entrapping Darkside into taking the bait, the $5 million, in order to get hot on its trail. Biden announced yesterday in a lengthy executive order that the government will no longer buy software from companies that don’t have a proven track record of good cyber-security. Last year’s SolarWinds alleged Russian hack showed that the government spends billions on software that isn’t properly encrypted with effective cyber-security protection. If SolarWinds or Colonial taught the government anything, it’s that all government software programs should be protected from ransomware attacks. How Colonial Pipeline or SolarWinds will protect their products in the future is anyone’s guess. Biden’s executive order made clear that the government shouldn’t buy anything unless it’s cyber-security proof.
Working with the FBI, Colonial did the right thing by paying the ransom and then letting the FBI trace the origin of the bank transfers. With Darkside admitting that its accounts have been emptied out, Colonial clearly played along with the FBI in releasing the $5 million in funds. Normally you’d expect paying a ransom to increase cyber-crime, because criminals learn that crime pays. But with Darkside admitting its accounts were emptied out, there’s little doubt that cyber-criminals are on the run. FBI investigators have made no comment on whether or not the Kremlin was involved. Biden certainly blamed Kremlin-backed hackers for the SolarWinds hack, without specifying whether or not the Russian government was involved in the Colonial Pipeline attack. Biden strongly discouraged companies from paying ransoms to restore their computer networks. Don’t expect the FBI to divulge its secrets anytime soon.
Working with the FBI and other federal law enforcement agencies, Colonial Pipeline paid $5 million in order to trace the transfer of funds into various overseas bank accounts. Darkside’s response suggests that things didn’t work out the way it hoped, with cash extracted from its accounts by some unknown source. Criminal cyber-gangs like Darkside are about extorting as much cash as possible from companies or governments that leave themselves vulnerable with poor cyber-security software. “Our goal is to make money and not creating problems for society,” said Darkside’s website. If Darkside could get the government’s nuclear codes, it would, creating as much disruption and cash as possible. The Colonial Pipeline attack exposes the extreme vulnerability of critical U.S. infrastructure, which needs better cyber-security to stay one step ahead of the cyber-criminal gang industry.