What do we actually know about the Darkside Ransomware operators?
You have likely heard a great deal about attacks on U.S. companies from Russian hacking groups, such as Darkside’s attack on Colonial Pipeline, which shut down gasoline supply to half the country, or REvil’s attack on JBS, which shut down the largest meat processing company in the world. Many have called on the government to retaliate against these blatant acts of aggression from these “Nation-State Actors”.
As is so often the case, the reality is much more nuanced. With some equating these attacks as “Acts of War” on behalf of Putin, I think it’s important to understand the nuances and consider that the evidence may suggest this group was not acting on behalf of a foreign government.
Know Your Enemy
“If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat.” — Sun Tzu
Not only is a Sun Tzu quote obligatory in Cybersecurity articles and presentations, but it serves as my over-simplified motivation for why we seek to understand our adversaries in the first place. The specific motivation behind this particular article comes in the form of a brief narrative.
It was a few days after the Colonial Pipeline hack became public news. As a member of a particular Threat Intelligence group that I contribute to, I had just received official FBI confirmation that Darkside was indeed the malware used in the Colonial attack. Shortly after distributing this confirmation to our other members along with some additional strategic knowledge, I was sent an intriguing reply from a top-level cybersecurity executive for a major U.S. defense contractor. In the email, a confident assertion was made that this attack was directed by Putin, likely in direct response to U.S. Sanctions, over which Putin had already expelled 10 U.S. Diplomats.
This was either an act of war or a precursor to it. Putin was testing Biden’s response or trying to damage our country.
The theory was that amid increasing tensions between the U.S. Republic and the Federation, the Kremlin had deliberately and decisively launched an attack against America’s oil supply chain. As the news cycles continued, major news outlets brought on “cybersecurity experts” who I was confident would clarify the situation. All I heard was a continued exposition on how the Russian Hacking group Darkside shut down the Colonial pipeline and even more speculation that Putin was behind it all.
Even our industry’s top writers seemed unable to provide the public with any of our well-known context on Darkside ransomware and its maintainers, or any clarification of what the discipline of Cyber Threat Intelligence could genuinely tell us about the likely perpetrators of the attack. Brian Krebs, arguably one of the most prolific writers in Cybersecurity news, wrote:
“The FBI confirmed this week that a relatively new ransomware group known as DarkSide is responsible for an attack that caused Colonial Pipeline to shut down 5,550 miles of pipe…”
In actuality, the statement that Krebs was referring to read:
“The FBI confirms that the Darkside ransomware is responsible for the compromise of the Colonial Pipeline networks.”
Notice the difference. It may seem like a slight difference in phrasing, but it reveals one inconvenient truth: we still don’t know who performed the attack against Colonial.
Unfortunately, there was a lot wrong with Krebs’s sentence, which seemed to sum up the position of Cybersecurity professionals as we enjoyed our 15 seconds of fame and the country seemed to suddenly share our fears, interests, and loss of sleep over the issue of ransomware cyber-attacks.
Not only are we unaware of which hacking group perpetrated the crime, but this Darkside group is not a new one. Setting aside the issue that Darkside is the name of a piece of malware, not the actual group, this collection of likely more than 70 individuals has been committing cybercrimes since at least 2013.
So who is this group? It is challenging to select one name, as group names are often chosen by the Threat Intelligence teams that identify them through the discipline we call attribution. Of the many names this group has received, they are most recently and commonly known as Carbon Spider (a name given by CrowdStrike). This group is also known as Carbanak, Anunak, and originally FIN7.
A brief history of the Carbon Spider group:
FIN7 began as a criminal group that primarily targeted hospitality and retail. Famously efficient at compromising Point of Sale (PoS) systems to obtain payment card data for eCrime, they initially, and somewhat ironically, targeted Russian financial institutions. If this group were on Putin’s payroll, I would suggest more strategically advantageous targets. In any case, in December 2015, they expanded their scope to the United States, Europe, and the Middle East. In a Seattle case against Fedir Hladyr (a member of this group), it was determined that in the United States alone, this group had compromised networks in 50 states at more than 3,600 businesses, impacting 20 million customers’ payment records (DoJ, 2021).
In 2016 the group split, and the group commonly known today as Carbon Spider was created (the name, again, given by CrowdStrike). This portion of the group continued to focus on the financial sector. They primarily used spearphishing to deliver a malware called Harpy to obtain payment card data from PoS systems. Rather than using the cards to make purchases themselves, they sold them on credit card markets.
By April 2020, Carbon Spider was an old-timer amid a surge of new financially motivated eCriminal hacking groups resulting from the Ransomware Boom. Recognizing that ransomware was more lucrative, they did what any eCrime hacking group would and moved over to conducting ransomware operations. They rewrote their playbook and became Big Game Hunters in ransomware. A ransomware operation is generally considered Big Game Hunting when the target’s annual revenue exceeds $1 Billion; such targets take much more skill and persistence to compromise, but the demand for payment can be much higher.
When Carbon Spider made this switch, they started using Pinchy Spider’s REvil ransomware from April 2019 through its relatively new Partnership Program. The REvil operator is presumed to be the group that operated GandCrab (ransomware with an affiliate network from January 2018), based on significant code overlap and nearly identical TTPs.
Eventually, in April of 2020, Carbon Spider stopped using REvil and developed their own ransomware, Darkside. By November, they had launched their Ransomware-as-a-Service affiliate program for Darkside.
This didn’t mark the end of their dependence on other eCriminals’ services. Darkside’s frightening effectiveness is in no small part thanks to Night Spider’s crimeware kit Zloader. It is not uncommon for these Russian/Eastern European/Ukrainian eCrime groups (referred to as Spider groups by CrowdStrike) to share, purchase, build workflows around, and develop their services on top of another group’s service. For example, Narwhal Spider maintains Cutwail, Scully Spider maintains DanaBot, the creatively named Smoky Spider maintains Smoke Bot, the aforementioned Night Spider maintains Zloader, Wizard Spider maintains Trickbot (the extensible malware of the year for 2020), and the famous Mummy Spider group operates the massive Emotet botnet and its malicious email services. Drill down into any one eCriminal group from Eastern Europe / Russia, and you will find that your selected group likely uses more than one of these services.
This new Darkside operation comes with the responsibility of maintaining multiple services. Carbon Spider, like many other Ransomware as a Service (RaaS) providers, has observed the increasing trend of victims having efficient — or at least sufficient — means to contain, remediate, or in some cases prevent attempts to encrypt their assets, the very prerequisite for demanding a ransom. Thus their latest addition is a Data Leak Site (DLS) that they change frequently.
Darkside had developed a very efficient playbook for their malware and offered their “affiliates” (here meaning black-market customers) a threat to data confidentiality as well. Once data privacy law penalties are considered, this is often much more expensive for companies than the cost to rebuild affected systems.
This service worked well for the group. According to experts from blockchain analysis firm Elliptic, their affiliate ransomware program allowed them to rake in around $90 million in 8 months.
And then the Colonial Pipeline Hack.
Throughout this period, Carbon Spider has been acting, to our knowledge, exclusively as a developer and service provider to other groups. Therefore, considerations of culpability and geopolitical attribution have to be supplemented with an understanding of the role and functions of RaaS in the world of ransomware attacks.
Ransomware as a Service
A notable aspect of this group that defines our understanding of their involvement is that they likely no longer perform attacks against companies themselves. In November of 2020, Carbon Spider released their first RaaS, jumping onto a popular — and very lucrative — bandwagon. In this model, the ransomware developers offer prepackaged malware to other cybercriminals to use. Carbon Spider collects a portion of the paid ransoms in exchange for providing the service.
Now, while they may not have launched the attack themselves, they are somewhat culpable. I am certainly of the opinion that these RaaS operators are enabling and, in significant part, responsible for the ransomware attacks afflicting our world today. However, this only brings us to the conclusion that a Russian group developed the ransomware that someone used to attack the Colonial Pipeline company. It is widely assumed that ransom attacks, at least those in which the victim pays and the criminal provides the decryption key, such as the Colonial incident, are carried out by financially motivated groups. A select few Nation-State Actors are financially motivated; some Chinese and North Korean groups come to mind. But in our industry, it is a popularly held opinion that the criminals or criminal groups that Carbon Spider, Pinchy Spider, and other RaaS groups service are significantly different in motivation, leadership, operation, conduct, capability, and international association from the APT 28s and APT 29s of the world.
In other words, even if Carbon Spider were to receive the blame for this attack, that would only support the conclusion that this whole thing was financially and not geopolitically motivated.
All of this is underpinned by another inconvenient truth: we are not certain Carbon Spider is a primarily Russian group. While there are likely still dozens if not hundreds of members, this is one of the Spider groups that we have evidence to believe principally operates out of Ukraine. While Putin may wish for the rest of the world to consider Ukraine a part of Russia, we don’t.
Conclusion
It’s frustrating to have your lunch stolen from you and then not be able to point the finger of blame at precisely who did it. We all want ransomware attacks to end, and Russian adversaries certainly play a significant role. Perhaps this is why many knowledgeable cybersecurity experts have been quick to jump on the “Russian Hacking Group Darkside hacked Colonial Pipeline” bandwagon. There are plenty of Eastern European financially motivated adversaries out there. I believe we in cybersecurity should study our adversaries. Not only would this encourage our industry experts who appear on national news to speak more accurately about the whos and hows of cybersecurity instead of perpetuating speculation, but it may also allow us to direct our efforts toward more effective responses to deter this criminal activity. It is unlikely that Carbon Spider will be bothered by new sanctions on Russia. Keep the pressure on Carbon Spider and whomever they serviced. Perhaps in time, we can work out the identity of the actual criminal or criminal group Carbon Spider serviced.