The Colonial Pipeline – DarkSide Ransomware Attack

Colonial Pipeline – DarkSide Ransomware Attack

Last week, the United States experienced one of the most significant cyber-attacks in its history. The Department of Homeland Security established a working joint public and private partnership called the Industrial Control Systems Joint Working Group. Its goal is to share treat intelligence and data from various potentially deadly cyber-attacks, as well prepare and defend critical infrastructure. Are we doing enough? The US does more than most countries globally in terms of ransomware indictments. Some European countries avoid it altogether, so from that perspective, the DOJ is doing as much as it can. It is incredibly difficult to prepare for, which is why having contingency plans in place and conducting consistent offensive practices like red teaming is so important.

Supply chain attacks have played a significant role in nation state espionage for last decade. APT10 (one of the most massive supply chain attacks) happened in 2015-2016 via MSPs data center providers and affected most of the Fortune 2000 companies. The SolarWinds attack earlier this year emphasized that many such attacks are ongoing and often undetected because they are not massively deployed. Supply chain attacks will continue to be used by cybercriminals in ransomware attacks.

 

Besides the internal steps needed to educate employees, LIFARS advises clients, especially those involved in government or critical infrastructure, to place emphasis on controlling what a third-party vendor can access, and also limiting connectivity data flow to any third-party provider. Third-party audits and risk reviews will continue to gain deepness and an increase of technical audits on the provider side.

 

The DarkSide Ransomware beginnings date to August 2020, when the DarkSide ransomware group announced its Ransomware-as-a-Service (“RaaS”) offering. Since then, the group has become notorious for its sophistication, technical abilities and high ransoms [3][4][5]. Noteworthy this group has exfiltrated data from its victim in 100% of the known cases, victims which, beside Colonial Pipeline, include BCC di Roma [15] which saw its 188 branches shut down after the attack.

The Darkside/ Colonial Pipeline Ransomware Timeline:

  • Friday May 7 2021, the Georgia-based company Colonial Pipeline notified the FBI of a disruption of its networks [1].
  • Saturday May 8 2021, Colonial Pipeline publicly announced that some of its systems were down due to a ransomware attack, which resulted in a major U.S. fuel pipeline being shut down.
  • Sunday May 9 2021, Commerce Secretary Gina Raimondo announced that the White House was actively working with Colonial Pipeline to restart its network which carries up to 45% of the East Coast’s fuel and is part of the U.S. critical infrastructure.
  • May 10 2021, the FBI confirmed the ransomware DarkSide is responsible for the compromised of the Colonial Pipeline networks [2].

 

 

LIFARS recommends that IT administrators and security teams, especially in companies active in professional services and manufacturing, perform threat hunts with the following indicators, provided by various cybersecurity companies and analysts.

 

SHA256 Hashes

9cee5522a7ca2bfca7cd3d9daba23e9a30deb6205f56c12045839075f7627297 (MD5 and SHA1 available in [6])

151fbd6c299e734f7853497bd083abfa29f8c186a9db31dbe330ace2d35660d5 (MD5 and SHA1 available in [7])

06cfe7f5d88e82f7adda6d8333ca8b302debb22904c68a942188be5730e9b3c8 (MD5 and SHA1 available in [8]) (source [9])

6d134cdf470f03707ad481b617e67b9018f92f72a0e2fb3e6cc9f2ab17ac1439 (source [9])

243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60 (MD5 and SHA1 available in [10]) (source [9])

0839aabe5fd63b16844a27b3c586c02a044d119010a1a40ee4035501c34eae0d (MD5 and SHA1 available in [11]) (source [9])

1a1ea6418811d0dc0b4eea66f0d348f0 (source [12])

25bb5ae5bb6a2201e980a590ef6be561 (source [12])

Domains and hostnames

www[.]privatlab[.]com (source [9])

www[.]mega[.]nz (source [9])

Additionally, yara rule files are available at [13] and [14].

 

References
  1. https://www.fbi.gov/news/pressrel/press-releases/fbi-statement-on-network-disruption-at-colonial-pipeline
  2.  https://www.fbi.gov/news/pressrel/press-releases/fbi-statement-on-compromise-of-colonial-pipeline-networks
  3. https://www.varonis.com/blog/darkside-ransomware/
  4. https://www.cybereason.com/blog/cybereason-vs-darkside-ransomware
  5. https://www.avertium.com/darkside-ransomware-overview/
  6. https://www.virustotal.com/gui/file/9cee5522a7ca2bfca7cd3d9daba23e9a30deb6205f56c12045839075f7627297/
  7. https://www.virustotal.com/gui/file/151fbd6c299e734f7853497bd083abfa29f8c186a9db31dbe330ace2d35660d5/
  8. https://www.virustotal.com/gui/file/06cfe7f5d88e82f7adda6d8333ca8b302debb22904c68a942188be5730e9b3c8/
  9. https://www.areteir.com/darkside-ransomware-caviar-taste-on-your-big-game-budget
  10. https://www.virustotal.com/gui/file/243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60/
  11. https://www.virustotal.com/gui/file/0839aabe5fd63b16844a27b3c586c02a044d119010a1a40ee4035501c34eae0d/
  12. https://www.digitalshadows.com/blog-and-research/darkside-the-new-ransomware-group-behind-highly-targeted-attacks/
  13. http://chuongdong.com/reverse%20engineering/2021/05/06/DarksideRansomware/
  14. https://github.com/advanced-threat-research/Yara-Rules/blob/master/ransomware/RANSOM_darkside.yar
  15. https://www.databreaches.net/it-banca-di-credito-cooperativo-suffers-cyberattack-impacting-188-branches/