Colonial Pipeline Attackers Linked to Infamous REvil Group

The DarkSide ransomware group blamed by the US government for a crippling attack on a major East Coast fuel pipeline has been linked to a notorious variant used in extortion attacks against Apple and Donald Trump.

The DarkSide variant first appeared in around August 2020, but after a few months of operating it themselves, its Russian-speaking owners opened it up to affiliates, as most ransomware groups do today.

Researchers at Flashpoint claimed with “moderate confidence” that the owners of DarkSide are likely to have been former affiliates of REvil — a group in the news recently for its attempted extortion of Apple and supplier Quanta Computer and one of the most successful Ransomware as a Service (RaaS) operations around.

They also argued that the malware itself is based on the REvil code.

“The design of the ransom note, wallpaper, file encryption extension and details, and inner workings bear similarities to REvil ransomware, which is of Russian origin and has an extensive affiliate program,” Flashpoint claimed. “This shows the evolution path of this ransomware and ties it to other Russian-origin ransomware families.”

An analysis by FireEye pointed to an overlap between the two RaaS operations, but only in that some threat groups have probably been affiliates of both.

The Colonial Pipeline itself is reported to have resumed operations on Wednesday after five days out of action, although its website is inaccessible and the firm has claimed that service interruptions are still likely over the next few days.

The outage forced some states to declare an emergency as US motorists queued up to fill their cars and gas prices soared.

Investigators are still looking into the origins of the attack, although cyber-insurance provider Coalition, which last year bought cybersecurity firm BinaryEdge, reckons it may have found a “smoking gun.”

The firm claimed that Colonial was running a vulnerable version of Microsoft Exchange Server at the time it was hit, although remote scanning revealed it was also running exposed SNMP, NTP and DNS services.

“Other possibilities include the numerous network protocols exposed on the internet publicly, as well as targeted virtualization software or SSL VPN access with names that imply ICS network access – also with an invalid certificate,” argued Coalition’s head of threat intelligence, Jeremy Turner.

“Overall, Colonial Pipeline likely did not have the awareness needed to protect themselves. It could be as simple as a lack of two-factor authentication on their VPN — one of the most common threats to an organization’s cybersecurity — or it could have been an indirect victim of the general, and widespread targeting of Exchange servers.”

The US Cybersecurity and Infrastructure Security Agency (CISA) has released best practice guidance for organizations on how to protect themselves from ransomware attacks.

What’s Hot on Infosecurity Magazine?