Cyberattack on US Pipeline: Who Is Behind DarkSide? What Are Its Methods and Goals? Unit42 / Palo Alto Networks
Palo Alto Networks’ research unit Unit42 investigated the DarkSide ransomware group following its attack on the largest fuel pipeline, and a piece of critical infrastructure, in the United States.
What are the precedents? What are the group's attack methods and targets? Details of Unit42's research and analysis of DarkSide can be found here.
It took an attack on America’s largest pipeline, and the prospect of fuel shortages across much of the country, to show the world that ransomware would not stop at the targets people had already grown used to: local governments, schools and hospitals, to name just a few examples.
DarkSide became one of the most notorious hacking groups in the world after the FBI confirmed it was responsible for this high-profile attack. When a group of cybercriminals can operate from the other side of the world and, in just a few actions, threaten fuel supplies to the entire East Coast of the United States, it becomes clear that no one is immune from attacks of this type.
The impact of this attack reflects the fact that ransomware operators are constantly evolving: improving their tooling, automating their operations and becoming more effective at targeting ever larger organizations. They are also collecting far more money for their efforts. According to Unit42’s 2021 Ransomware Threat Report, the average ransom paid more than doubled in 2020 compared to 2019, to $312,493. So far in 2021, the average payment has nearly tripled from the previous year, to around $850,000.
DarkSide has helped push those averages up by continually refining its business model over a short period (Unit42 first encountered the group about a year ago). Like other leading ransomware groups, DarkSide recently adopted the Ransomware-as-a-Service (RaaS) model. Under that model the core group maintains the malware and backend infrastructure and hands the intrusion and extortion work to affiliates, whom it recruits on darknet forums. As a result, the group can focus on profiling victims and identifying the most valuable data in each target organization, so that it can demand the highest possible ransom and maximize the return on its criminal activity.
The group first drew the attention of Unit42 experts in October 2020. Since then, Unit42 researchers have found its “fingerprint” in a growing number of cases. What sets DarkSide apart is a level of operational discipline more typical of nation-state intrusion teams. Researchers nonetheless assess that DarkSide is most likely a criminal group operating out of Russia; so far no one has linked it directly to the Russian government.
Interestingly, in November a ransomware-response firm placed DarkSide on an internal do-not-pay list after the group announced plans to host infrastructure in Iran. Because Iran is under US sanctions, facilitating ransom payments to infrastructure located there could violate the law.
Wherever they are based, there are clear indications that DarkSide’s operators are highly skilled and effective at conducting ransomware attacks. They operate at the “high end” of the ransomware ecosystem, targeting a smaller circle of victims from whom they can extract a large ransom.