DarkSide ransomware: who are the hacking group responsible for the Colonial Pipeline US cyber attack?

The cyber attack was carried out by DarkSide, a group that cultivates a ‘Robin Hood’ image of stealing from corporations and giving to charity
Watch more of our videos on Shots! 
and live on Freeview channel 276
Visit Shots! now

On 7 May, an American oil pipeline system that originates in Texas and carries fuel to the Southeastern United States suffered a ransomware cyber attack that impacted computerised equipment managing the pipeline.

In response, the Colonial Pipeline Company was forced to halt all of the pipeline's operations to contain the attack, triggering fuel shortages and panic buying, and forcing fuel prices to their highest since 2014, reaching almost $3 (£2.14) a gallon.

Hide Ad
Hide Ad

The FBI were able to identify hacking group DarkSide as the party responsible for the largest cyber attack on an oil infrastructure target in the history of the United States, but just who are they?

DarkSide is a criminal hacking group, but claims it only attacks 'companies that can pay the requested amount, we do not want to kill your business' (Photo: THOMAS SAMSON/AFP via Getty Images)DarkSide is a criminal hacking group, but claims it only attacks 'companies that can pay the requested amount, we do not want to kill your business' (Photo: THOMAS SAMSON/AFP via Getty Images)
DarkSide is a criminal hacking group, but claims it only attacks 'companies that can pay the requested amount, we do not want to kill your business' (Photo: THOMAS SAMSON/AFP via Getty Images)

Here is everything you need to know about it.

Read More
West Midlands Trains promises staff fake bonus as part of cybersecurity exercise

What is Darkside?

DarkSide is the hacking group believed to be behind the Colonial Pipeline cyberattack.

It's not known whether Colonial have paid the ransom asked of them, but the fact DarkSide haven't acknowledged the attack suggests they may have done (Photo: LOGAN CYRUS/AFP via Getty Images)It's not known whether Colonial have paid the ransom asked of them, but the fact DarkSide haven't acknowledged the attack suggests they may have done (Photo: LOGAN CYRUS/AFP via Getty Images)
It's not known whether Colonial have paid the ransom asked of them, but the fact DarkSide haven't acknowledged the attack suggests they may have done (Photo: LOGAN CYRUS/AFP via Getty Images)

The group first made waves in late 2020, with the DarkSide ransomware attack that encrypted user data, and withdrew other information from compromised computer servers.

Ransomware works by restricting access to a computer system until a ransom is paid to the creator in order for the restriction to be removed.

Hide Ad
Hide Ad

However, keen to promote a ‘Robin Hood’ image, DarkSide announced it had not – unlike other ransomware – attacked hospitals, hospices, schools, universities, non-profit organisations, or government agencies.

"We only attack companies that can pay the requested amount, we do not want to kill your business,” it said in a statement of intent. “Before any attack, we carefully analyse your accountancy and determine how much you can pay based on your net income.”

DarkSide's attack caused fuel shortages, and led to President Biden declaring a State of Emergency (Photo: Sean Rayford/Getty Images)DarkSide's attack caused fuel shortages, and led to President Biden declaring a State of Emergency (Photo: Sean Rayford/Getty Images)
DarkSide's attack caused fuel shortages, and led to President Biden declaring a State of Emergency (Photo: Sean Rayford/Getty Images)

Tellingly, the ransomware also did not go after computers on which the language detected was one used in Russia and former USSR countries.

The group deals in so-called “double extortion”, in which not only is a company’s data seized and held at ransom, they are also threatened with having it published publicly if the payment requirements are not met.

Are they like Robin Hood?

Hide Ad
Hide Ad

A couple of months later, DarkSide claimed they had been able to extort millions of dollars from companies.

The group said it would be working to “make the world a better place”, and posted two receipts, each for $10,000 worth (£7,125) of Bitcoin donated to two charities.

“No matter how bad you think our work is," the group said in a “press release” on the dark web, “we are pleased to know that we helped change someone’s life.”

One of the charities – Children International – said it would not be keeping the donation, and though The Water Project did not comment on what it would be doing, the fact that neither charity could know exactly who donated the money or where it was stolen from meant they had no way of refunding DarkSide.

Hide Ad
Hide Ad

But experts said people shouldn’t be fooled by DarkSide’s seemingly charitable nature. At the end of the day, they’re still a criminal hacking group.

Brian Higgins, a security specialist at Comparitech.com, told the Guardian, “$10,000 is a paltry sum in comparison to the vast amounts of money they’ve extorted from their victims over the years… it’s hardly a grand philanthropic gesture.”

"Secondly, no credible charity is ever going to accept donations which are demonstrably the proceeds of crime.”

Is the group Russian?

DarkSide is just one of a number of hacking groups that have sought to “professionalise” a criminal industry that has cost Western nations tens of billions of dollars in losses in the past three years.

Hide Ad
Hide Ad

Cyber security firm Cybereason told CNBC that DarkSide is “highly professional”, offering its services to would-be customers who want to take for-profit companies down a peg or two.

“[DarkSide runs] a help desk and call in phone number for victims, and has already published confidential data on more than 40 victims,” they said.

While it’s hard to say 100 per cent where DarkSide is based, given that the group is known to avoid targeting organisations in former Soviet bloc nations, the evidence suggests a Russian base.

Their actions are also typical of known Russian hacking groups.

Did Colonial pay the ransom?

Hide Ad
Hide Ad

Colonial has not said whether it has paid or was negotiating a ransom.

But DarkSide did not announce the attack on its own dark web site, a lack of acknowledgement which, according to Associated Press, “usually indicates a victim is either negotiating or has paid.”

A message from the editor:

Thank you for reading. NationalWorld is a new national news brand, produced by a team of journalists, editors, video producers and designers who live and work across the UK. Find out more about who’s who in the team, and our editorial values. We want to start a community among our readers, so please follow us on Facebook, Twitter and Instagram, and keep the conversation going.

Related topics: