Colonial Pipeline were still using vulnerable Microsoft program during Russian hack attack

COLONIAL Pipeline were still using a vulnerable Microsoft program during a Russian hack attack.

Hacking group DarkSide compromised the 5,500-mile pipeline with a ransomware attack on Friday, causing panic to erupt in 18 states along the East Coast as fuel supplies run low.

Read our Gas shortage live blog for the very latest news and updates…


Private company Colonial issued a statement following the news, insisting that the pipeline was still using a vulnerable version of Microsoft Exchange prior to the shortage.

"Coalition evaluated Colonial Pipeline and found numerous potential risks that could have led to the breach: The most likely culprit is vulnerable Microsoft Exchange services, but the organization also exposed SNMP, NTP, and DNS services, which indicates an overall lack of cybersecurity sophistication, unfortunately," the comment read.

It added that other possibilities include network protocols being available to the public online, and targeted virtualization software with an invalid certificate.

Another threat "could be as simple" as not having two-factor authentication on their VPN, the company found.

"Overall, Colonial Pipeline likely did not have the awareness needed to protect themselves," it determined.


After the FBI named the group as the culprits behind the attack, DarkSide published a statement to the dark web.

With national average gas prices soaring to six-year highs, and gas stations in several states running out of fuel, DarkSide assured its aim behind the hack was never to cause chaos.

"Our goal is to make money and not creating problems for society," the statement read.

"From today, we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future."

The group also appeared to push back against accusations it was working at the behest of the Russian government.

"We are apolitical, we do not participate in geopolitics, do not need to tie us with a defined government and look for our motives," the group insisted.


The Colonial Pipeline, which supplies 45 percent of the East Coast's fuel, was completely shut down in the wake of the attack.

Four days into the crisis and Colonial has only managed to manually operate a small segment of the pipeline as a stop-gap measure.

It's unclear if Colonial has paid or is negotiating a ransom fee, however, the company doesn't expect to fully restore service until at least the weekend.

A day before executing its ransomware attack, DarkSide reportedly stole 100 gigabytes of data and is threatening to leak it all over the internet if their desired ransom amount is not paid within an allotted time frame.

Cybersecurity experts who have tracked DarkSide said it appears to be composed of veteran hackers who run the group like a for-profit business.

The group first emerged in August 2020 and immediately unleashed a digital crime wave.

"They're very new but they're very organized," Lior Div, the chief executive of Boston-based security firm Cybereason, said on Sunday. "It looks like someone who's been there, done that."

According to Cybereason, DarkSide has a "ransomware as a service" business model, meaning its hackers develop and market hacking tools, and sell them to other criminals who then carry out attacks.

The group also reportedly has a strong desire to appear ethical – a digital Robin Hood, of sorts – pledging to only take from those "who can pay" and donating some of their illicitly obtained proceeds to charity.

To enforce its apparent code of conduct, DarkSide informs its customers who and what targets are acceptable to attack.

Protected organizations that are not to be harmed include hospitals, hospices, schools, universities, nonprofit organizations, and government agencies.

Also off the cards are any entities based in Russia or other former Soviet countries.

Darkside, like many of Russia's for-profit ransomware groups, put lines of code into their hacking software that check to see if a victim’s computer uses Russian as its default language, Quartz reported.

If so, the software automatically stops the attack.

This safe-guard is put in place to help hackers avoid the fury of their host government.

“Russian actors tend not to target their own country, mainly because they don’t want law enforcement coming after them,” Jon Clay, vice president of threat intelligence at cybersecurity firm Trend Micro, explained.

“We see that around the world: Depending on which country an actor group is coming from, they tend to stay away from targeting their own.”

Cybereason also described DarkSide as a highly professional outfit, with the group having a mailing list, a press center, and a help desk for any of its victims to contact.

It also maintains a website called "DarkSide Leaks" – modeled on WikiLeaks – through which the hackers post the private data of companies they've stolen from.

Ransom software works by encrypting victims' data; typically hackers will offer the victim a key in return for cryptocurrency payments that can run into the hundreds of thousands or even millions of dollars.

If the victim resists, hackers typically increase the ransom amount of begin leaking data to pile on the pressure.

In the case of DarkSide, the group sends its victims a notice which reads: "Your network has been locked!"

The group specifies its ransom and writes that "after payment we will provide you a universal decryptor for all network [sic]."

In addition to a notice on their computer screens, victims of a DarkSide attack receive an information pack informing them that their computers and servers are encrypted.

The gang lists all the types of data it has stolen and sends victims the URL of a "personal leak page" where the data is waiting automatically published should the victim not meet their demands.



DarkSide also tells victims it will provide proof of the data it has taken and is prepared to delete all of it from the victim's network, according to the BBC.

Before carrying out an attack, DarkSide typically knows "who is the manager, they know who they're speaking with, they know where the money is, they know who is the decision maker," Div said.

Typical ransom demands range from $200,000 to $20 million, depending on the scale of the business or organization falling victim to the scheme.

In the case of Colonial Pipeline, Digital Shadows reported that coronavirus pandemic likely played a hand in DarkSide's attack.

The group said the hack was aided by the pandemic as a result of more engineers remotely accessing control systems for the pipeline from home.

James Chappell, the co-founder of Digital Shadows, said DarkSide could have bought account login details for remote desktop software such as TeamViewer and Microsoft Remote Desktop.

"We're seeing a lot of victims now, this is seriously a big problem," Chapel told the BBC. "The amount of small businesses that are falling victim to this… It's becoming a big problem for the economy globally."


But Cybereason's Lior Div believes that the targeting of Colonial Pipeline, with its potentially massive knock-on consequences for Americans up and down the Eastern seaboard – may have been a miscalculation by DarkSide.

"It's not good for business for them when the U.S. government becomes involved when the FBI becomes involved," he said. "It's the last thing they need."

Brett Callow, a threat analyst at the cybersecurity firm Emsisoft, agrees.

He told Quartz: "In the past [groups like DarkSide] have managed to carry on their activities without government focusing particularly strongly on them, and there haven’t been any sanctions imposed on countries which harbor them.

"That could be about to change. This attack is of such magnitude that it really cannot go unanswered.”

Many, however, have been questioning whether DarkSide may be working at the direction of the Kremlin and Russian President Vladimir Putin.

The hacking group has attacked the US oil and gas industry four times in just the last six months, according to dark web crime investigation firm Dark Tracer.

Former Speaker of the House Newt Gingrich insisted in an interview with Fox News on Monday night that anyone found to have been involved in the hack should be executed for carrying out an "act of war" on the US.

Biden, meanwhile, assured that US intelligence hasn't discovered any evidence to suggest the Kremlin was behind the attack.

He did, however, say that Putin has "some responsibility" to help the US with the attack and prosecution of those involved. The pair will be speaking about the matter soon, he said.

Russia on Tuesday attributed the attack at least partially to America's refusal to cooperate with Moscow on matters of shared security concern, including potential cyberattacks while denying direct involvement.

"We can still only regret that the United States refuses any cooperation with us in countering cyber threats. We believe that such cooperation is both international and bilateral," Peskov told reporters.

"[It] could really help in the common fight against this evil, with cybercrimes."

    Source: Read Full Article