Colonial Pipeline & DarkSide: Assaf Dahan [B-Side]

On Friday, May 7th, 2021, Colonial Pipeline suffered a cyberattack that forced the company to shut down its operations. As a result, gasoline outages were reported in many East Coast states.
The entity behind the attack is a criminal group known as DarkSide. Nate Nelson, our Sr. producer, spoke with Assaf Dahan - Head of Threat Research at Cybereason - about the Colonial Pipeline attack: how & why it happened, and its implications - both for the security of critical infrastructure in the US, and for the criminal underworld of Ransomware groups. That last one is particularly interesting, since it seems that the Colonial Pipeline attack has set off a somewhat unexpected trend on the dark web.

Hosted By

Ran Levi

Born in Israel in 1975, Ran studied Electrical Engineering at the Technion Institute of Technology, and worked as an electronics engineer and programmer for several High Tech companies in Israel.
In 2007, he created the popular Israeli podcast, Making History, with over 14 million downloads as of Oct. 2019.
Author of 3 books (all in Hebrew): Perpetuum Mobile: About the history of Perpetual Motion Machines; The Little University of Science: A book about all of Science (well, the important bits, anyway) in bite-sized chunks; Battle of Minds: About the history of computer malware.

Special Guest

Assaf Dahan

Sr. Director, Head of Threat Research at Cybereason

Cyber security expert, with over 15 years of experience in the InfoSec industry - Military and civilian background.

Episode Transcript:

Transcription edited by SODA

[Ran] Hi and welcome to Cybereason’s Malicious Life, I’m Ran Levi.
Colonial Pipeline, a privately held pipeline operator, was founded in 1962, yet despite being one of the largest operators in the U.S. and providing roughly 45% of the east coast supply of gasoline, diesel fuel and even jet fuel, Colonial Pipeline became a household name only a few weeks ago and not in a good way.
On Friday, May 7th, 2021, Colonial Pipeline suffered a cyberattack that forced the company to shut down its operations. As a result, gasoline outages were reported in many east coast states and the federal administration issued a regional emergency declaration for several states to keep fuel supply lines open.
The entity behind the attack is a criminal group known as Darkside.
For this B-side episode, Nate Nelson, our senior producer, spoke with Assaf Dahan, head of threat research at Cybereason, about the Colonial Pipeline attack, how and why it happened and its implications both for the security of critical infrastructure in the U.S. and for the criminal underground of ransomware groups. That last one is particularly interesting, since it seems that the Colonial Pipeline attack has set off a somewhat unexpected trend on the dark web.
That’s it for me.
Over to Nate and Assaf.
Enjoy the interview.


[Assaf] I’m Assaf Dahan.
I’m the head of the Nocturnus team. This is the threat research team at Cybereason.
My team kind of like tracks down different threat actors, be it cybercrime or APT nation-state threat actors, and that’s pretty much it.


[Nate] For those who don’t know the full story, what was the Colonial Pipeline attack?


[Assaf] Based on the information that is available to us, we know that on May 6th, the business network of the Colonial Pipeline was compromised due to a ransomware attack. Colonial Pipeline is the biggest supplier of fuels on the East Coast of the United States. There have been different reports that they supply more than 45% of the East Coast fuels, which is quite a lot.
Now, the attack effectively forced the company to temporarily shut down its operations for a few days, basically to allow time to investigate and also mitigate the attack.


[Nate] A lot of the details in this case are still not public knowledge, so there are certain limitations to what we can say, but can you tell me, generally speaking, about Darkside’s attack methodology, how they go at targets step-by-step because, of course, they’re not an entirely new threat?


[Assaf] Yes, that is correct.
This group, Darkside, became publicly known around August 2020, and since then, my team and other teams at Cybereason, as well as other security vendors, have been tracking their operations, and we’ve responded to multiple incidents involving this group.
They seem to have some sort of a template for their attack. It seems like, first, the initial compromise is usually through some sort of a password-guessing attack on the perimeter, either brute-forcing an internet-facing asset, or maybe they obtained credentials somewhere on, let’s say, the underground communities. There’s a big market for selling access to different endpoints all over the world, so if I wanted to get access to an asset at a certain company, in a certain location, that is available for buying on the different underground communities.
In certain cases, they also use spearphishing or malicious emails with links, and also exploiting different vulnerabilities on publicly facing assets.

Usually it’s one of those three options, and once they get this initial foothold, or once they compromise an endpoint on the network, they’ll try to establish some foothold. They usually use a Cobalt Strike beacon, and Cobalt Strike is a very well-known red team or penetration testing tool that simulates advanced attackers. It’s basically the go-to tool that a lot of ethical hackers or penetration testers use, but we also see a lot of different threat actors use it because it’s very effective. They would establish a foothold using different implants, such as Cobalt Strike payloads.

The group uses a lot of what we call LOLBins, or living-off-the-land binaries. Basically it’s different programs or software that are shipped with Windows, like they come with Windows, and they use them to download different tools. It gives them more stealth because they use Windows’ own software, so it can go under the radar. This is something that we see.

Once they have established a foothold and downloaded different payloads, they would try to escalate their privileges to be able to, let’s say, dump different credentials. They’ll probably try to get access to or dump credentials of what you call high-privilege accounts, such as the domain administrator or other privileged accounts. Then they’ll start with what we call internal reconnaissance. Usually they’ll try to map out the network, understand the topology and architecture, trying to identify the crown jewels. Usually it’s where you have the Active Directory or the domain controller or other important servers.

Once they map it out, they’ll start to try to move laterally using different tools, whether it’s RDP or Cobalt Strike Beacon, as I mentioned before, and then they will move from one machine to another until they are able to compromise major assets, such as the domain controller. Before they actually deploy the ransomware, we see that, because they’re using the double extortion scheme, which I’ll get to in a few minutes, they will try to steal a lot of data and exfiltrate it using different tools. Sometimes we’re talking about gigs and even terabytes of data, and they basically exfiltrate it to their remote servers.
Once they collected enough information that will be used later as leverage, then they will deploy the ransomware. Usually it’s by compromising the domain controller, they’ll create some sort of a group policy and then blast the network, the environment, with ransomware.
The ransomware is actually the last phase of the attack.
When we talk about the timeline of the attack, it can vary. Some groups are very aggressive and it can be done within a few hours, but usually it takes around nine to, let’s say, 11 days. It used to be longer. In the past, we saw that threat actors, ransomware groups, were on the network for about four to five weeks till they actually deployed the ransomware, but we see that with the more aggressive groups, it can take from a few days and even a couple of hours to do it. That depends on the network and their security posture and also the level of aggressiveness, I guess.


[Nate] Let’s talk about the fallout of this attack in particular.
As someone who lives on the East Coast of the United States, I know some people who are rushing to gas stations because they heard of this story.


[Assaf] Oh, yeah. That’s a good question.
In terms of the fallout, there have been major impacts. For example, when the company shut down their systems, it created problems, obviously, with the supply chain, causing a sharp, I think, 4% or even more rise in fuel prices. That created a ripple effect that affected the entire energy industry and also related industries that depend on gas, for instance. In order to mitigate it, for instance, the Department of Transportation issued a temporary waiver that enabled oil products to be shipped in tankers all the way up to New York, but this probably didn’t come near to matching the pipeline’s capacity.
They tried to mitigate it, so there wouldn’t be a lot of shortage, I guess.
In addition, we saw something that’s almost unprecedented, I think. We saw that the Biden administration issued an executive order detailing measures to improve nationwide cybersecurity measures. I think this attack was, in a sense, the last straw after a series of cyber attacks, either by different nations or cyber criminals. What it means is that the US government actually recognizes its cyber posture. The cyber posture is actually rather weak and lacking measures to secure its critical infrastructure.
I think it dawned on many people, I guess, in the US and also outside of the US that critical infrastructure in the US is simply not as resilient as people might have thought. If you think about it, this incident was carried by a group of cyber criminals that claimed that they didn’t mean to do it.
It was kind of a bit of an oopsie-daisy, quote unquote. If you think about that, if it was a mistake, they didn’t even mean to do it, if you believe what they’re saying. Think about what would happen if a foreign country, for instance, like an intelligence agency or a military, wanted to carry out an attack and bring down critical infrastructure.
I think a lot of people realized the danger, I guess, that lies with the… how important it is to protect critical infrastructure.


[Nate] Is it that we’re still using old legacy machines, running old operating systems, and so they’re weak to new threats? Is it that all these machines are new and connected, and so it’s easy to access them over the internet?
What exactly is it?


[Assaf] It could mean all of the above, actually.
I think when it comes to critical infrastructure, I think sometimes it can be harder to secure because a lot of the time you get black boxes, assets, and not a lot of people know how to deal with them. But generally speaking, when we talk about critical infrastructure, you talk about thousands and thousands of machines that you have to secure. Some of them are publicly internet-facing, and some of them are within the internal network that is not supposed to be exposed, but obviously there are connections sometimes. If the networks are not segregated well enough, that could pose a problem, but yeah, I mean, we know that even with enterprises or even small to medium businesses, securing the perimeter is not an easy task.
If you have thousands and thousands of endpoints and all of them need to be secured, it takes only one endpoint that was not properly patched or somehow forgotten, and attackers only need to win this battle once, because once they get a foothold, they can propagate.


[Nate] What do we know about the people behind this attack?


[Assaf] Darkside are a relatively new ransomware group. They made their first appearance around August 2020. They operate a RAS model, which is a ransomware as a service where they offer a subscription-based model in which they give access to their infrastructure and also the ransomware itself to people who want to, I guess, engage in cybercrime and have a ransomware operation. They have an affiliate program, which is a major force multiplier.
If I, for instance, or anyone else wanted to engage with them, you would contact them through different means in the underground community, and then they’ll probably vet you, and then you pay them an agreed sum of money to get access to their infrastructure.
Yeah, it’s pretty much like that.
Now, they made themselves a name for being quite aggressive, and they implement what we call the double extortion scheme, meaning that, as I mentioned, not only do they encrypt the victim’s data, but they also exfiltrate large amounts of data, and they basically threaten the victims to publish it or sell it to the highest bidder. With the information that they’re stealing from their victims, they use it as leverage to put more pressure on the victims, basically twisting their arms into paying. It’s quite effective against what we call more mature organizations: even if they have backups or disaster recovery plans, and they can restore their own data, most companies would not want to risk having sensitive data being published or sold out there on the dark web.
It’s basically every company’s worst nightmare to have their data out there, whether it’s contracts, customer information, financial reports, it could be intellectual property, patents, and so on. If this data is out there and being published, it can inflict a lot of damage on the company, so a lot of companies, even if they can restore their own data, they still find themselves in a situation that they still have to pay the ransom fee just so this data would not be leaked to the public.
Another thing that is interesting about this company, this group, the Darkside group, is that they seem to mainly target English-speaking countries. We’ve seen some other European countries also affected, some places in Asia, but we see that they really avoid targeting or attacking countries that are in what we call the former Soviet bloc nations. You can actually see it in the malware code, the ransomware code itself, that they look for language settings and keyboards of Russian-speaking countries, like Ukraine, Uzbekistan, Russia, of course, and they won’t encrypt the endpoint if they discover that a Russian language is installed there, probably so as not to be, I guess, targeted by the Russian law enforcement agencies.
They’re probably afraid of Russian retaliation if they attacked former Soviet bloc nations, I guess.


[Nate] One other quirk of this group, you could say, is that they have a certain code of ethics that you don’t always find among hacker groups.
I heard that they will not go after hospitals, charitable organizations, that kind of thing.
Am I allowed to like them just a little bit because they kind of have this Peter Pan thing going on?


[Assaf] Yeah.
Well, they also posted the invoices on their blog showing that they actually contributed some of their money to charities.
Does that absolve them of their crimes? I’m not sure.
In my opinion, their Robin Hood model of trying to appear as hackers with morals or ethics is basically a cover-up.
They try to appear maybe less dangerous, but as this incident taught us, it’s not really the case.
I don’t know.
They tried to claim in one of their posts, or they suggested very gently, that it was probably one of their affiliates who broke their code of conduct.
It was almost by mistake, but I don’t know if we should believe them or not.
My guess is as good as yours, I guess.


[Nate] Fair enough.
In the end, Colonial did pay their ransom, or at least that’s what the reports say.
I know that the rule is that you’re not supposed to pay ransomware dealers, but in their position would you have really done anything different, Assaf?


[Assaf] Well, it’s hard to put yourself in other people’s shoes.
It’s very hard to judge a company in that situation. I think the truth is, or at least my opinion is, that there’s no absolute right or wrong here. I think each company has to run its own risk assessment and carefully calculate the pros and cons of what they would gain or lose from keeping it hush-hush and paying the ransom, or standing up to the attackers. Also, paying the ransom is not always that simple because it might expose the company to some legal actions. In some countries, cooperating with, let’s say, whether it’s a terror entity or a criminal entity, could be considered a crime.
It’s not always that straightforward, but then again, on the other hand, if they don’t pay and data is leaked, then they are also exposed to legal actions or even regulatory fines. If you think about GDPR, for example, if, let’s say, their customers’ data was leaked and there’s PII there, they could be exposed to legal and regulatory actions.
It’s a real pickle.


[Nate] What do we know about what happened after they paid their ransom?
Did Darkside Group fulfill their end of the deal?


[Assaf] Well, it has been reported that Colonial paid around $5 million.
The figures changed from one report to another, but it’s around $5 million in ransom. It seems like they restored their business continuity, so I guess that Darkside did follow through. I mean, it’s usually the case with the big ransomware groups. The truth is that around 95% of the time, if you pay, you’ll get your data back or they’ll decrypt your data. They do seem quite reliable in that case.
Can’t say that you can trust them blindly, right?
But usually if you pay, you’ll get your data back.


[Nate] My next question.
In sports, there’s a kind of truism that sometimes you lose games and sometimes the other team beats you. As in sometimes you play poorly and make silly mistakes, but other times you do everything you can and then you’re just outplayed.
Assaf, did Colonial lose here or did the Darkside Group beat them?


[Assaf] Well, there’s an old saying that says that in war there are only losers.
I think it might apply to this incident as well, although I’m quite convinced that the attackers still won to a certain extent. If you consider the damages that were inflicted on Colonial, all of the costs involving the business side or business continuity, they lost millions of dollars each day they were not operating. The supply chain attack, the cost of the investigation, the forensic and incident response efforts, rebuilding their network probably, not to mention the reputational damage, that alone is far greater than what they paid or allegedly paid in ransom fee.
On the other hand, if you consider Darkside, they were put under the spotlight of basically every security company and law enforcement agencies in America and also probably around the world.
Basically, they had to shut down their operation or at least that’s what they’re claiming. It was reported or claimed that some unknown law enforcement agency took down their servers and seized their Bitcoin wallet and transferred the funds to an unknown location.
Again, it’s according to the hackers.
I don’t think any, at least to the best of my knowledge, no law enforcement agency confirmed that or at least took responsibility or claimed responsibility for this. But in a way, it seems like they closed shop for a while.
But overall, if you think about it, it has been estimated that they made, that Darkside made at least $90 million in revenue so far since they began their operation. Unless they’re actually physically caught by law enforcement agencies, they can probably enjoy early retirement and with $90 million, you can do quite a lot.
Maybe one day, if they’re still greedy and hungry for making more money, they can regroup, rebrand and make a comeback.
If you think about it, I think they have the upper hand here unless they’re caught and everything, all their money is seized.


[Nate] What can companies do to protect themselves against threats like the Darkside group?


[Assaf] That’s a good question.
I’ll just say that in terms of the aftermath of the attack, I think this is also something that is important to keep in mind.
According to one of the members of REvil, which is another prominent ransomware group, shortly after the incident, they posted something on behalf of Darkside saying that Darkside lost access to their servers and, as I mentioned, that their Bitcoin wallet was seized and their funds were transferred to an unknown location. Now we don’t know whether it’s true or not, but the group’s website has been down since.
They also said that they’re going to cease their ransomware-as-a-service operation, and they encouraged other groups to switch to a tighter, close-knit operation, meaning working less with affiliates, making it less accessible to whoever. I think this is one effect.
They also mentioned that they released a decrypter for all of their victims, which also means that they kind of try to repent in a way. But I think one of the most interesting side effects or ripple effects is actually seen in the underground cybercrime community. So we saw groups like REvil and Avaddon; Avaddon, by the way, is the group that took down the Irish healthcare system, completely paralyzing their network. And healthcare is, in my opinion, critical infrastructure. Those groups, REvil and Avaddon, announced that they will now avoid hitting critical infrastructure, healthcare, charities. Basically, they kind of adopted the Darkside Robin Hood model.

In addition to revising their code of conduct, the admins of those groups said that they will create a verification or approval process, or vetting, for their affiliates. So before they, let’s say, hit a target, the core team has to authorize it, so they can avoid similar incidents in the future. And perhaps one of the most interesting side effects that we’re seeing in the underground communities is that the admins and moderators of prominent hacking forums are now banning ransomware groups there.
So they probably fear that they’ll be put on the spot and taken down by law enforcement agencies for enabling and facilitating ransomware attacks.
So I think it’s going to be very interesting to see if this trend will continue and how it will affect the overall ransomware landscape. So that was a bit of a detour.

And now to answer your question, what companies can do in order to protect themselves. So when it comes to that, there’s no magic trick.
It basically boils down to a few basic principles of keeping good IT hygiene, making sure that every internet-facing asset or endpoint is properly patched, updated, has some sort of a security solution, be it a next-gen antivirus or EDR, and that your network is also protected. So we’re looking at security in layers. So you want to protect your endpoints, you want to protect the network. So you want to make sure that you have good topology or network architecture, that things are segregated well enough, that you have good auditing.
So there’s that.
I think early detection in these cases is an absolute must because, as we’ve seen again and again and again, when ransomware is deployed or mass deployed on an environment, it’s not all of a sudden; it usually takes days or sometimes weeks of operation from the initial compromise until they actually manage to deploy ransomware. So if you are able to detect those early stages, you can hopefully nip it in the bud, preventing such attacks from occurring.
And I’m also a great advocate of threat hunting.
So you want to be able to, I think each company should, aside from, you know, looking after the security posture, be aware of what’s out there, what threats are out there, different malware or ransomware strains, different groups; study their modus operandi, their TTPs, and create their own hunting rules, basically continuously hunting proactively for threats.
Because sometimes by the time you get an alert from a given security product, it could be too late.
So I really encourage companies to be more proactive rather than reactive by responding to alerts.
You have to look for threats constantly.
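Editor’s note: the script below is an added example, not part of the interview and not Cybereason’s tooling. It turns the hunting advice above, detecting the early stages of the intrusion chain described earlier (password guessing against a perimeter asset followed by a successful logon, and RDP lateral movement by one account across several hosts), into two simple hunting rules run over constructed Windows Security event lines. The one-line log format, the thresholds, and every hostname, IP address and username are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security events, one per line:
#   <timestamp> <host> <event_id> <source_ip> <account> <logon_type>
# 4625 = failed logon, 4624 = successful logon; logon type 3 = network,
# logon type 10 = RemoteInteractive (RDP). These lines are made up for the
# example and do not come from any real incident.
SAMPLE_EVENTS = [
    "2021-05-06T02:00:01 WS-VPN01 4625 203.0.113.7 jsmith 3",
    "2021-05-06T02:00:04 WS-VPN01 4625 203.0.113.7 jsmith 3",
    "2021-05-06T02:00:09 WS-VPN01 4625 203.0.113.7 jsmith 3",
    "2021-05-06T02:00:12 WS-VPN01 4625 203.0.113.7 jsmith 3",
    "2021-05-06T02:00:15 WS-VPN01 4625 203.0.113.7 jsmith 3",
    "2021-05-06T02:00:20 WS-VPN01 4624 203.0.113.7 jsmith 3",
    "2021-05-06T02:15:00 WS-VPN01 4625 198.51.100.9 mjones 3",   # one typo, benign
    "2021-05-06T02:16:00 WS-VPN01 4624 198.51.100.9 mjones 3",
    "2021-05-07T09:00:00 WS-HR12 4624 10.0.9.4 CORP\\amiller 10",  # single RDP, benign
    "2021-05-07T23:10:00 SRV-FILE01 4624 10.0.5.23 CORP\\svc_backup 10",
    "2021-05-07T23:12:00 SRV-DB02 4624 10.0.5.23 CORP\\svc_backup 10",
    "2021-05-07T23:14:00 DC01 4624 10.0.5.23 CORP\\svc_backup 10",
]


def parse_events(lines):
    """Parse the assumed one-line format into dicts, sorted by time."""
    events = []
    for line in lines:
        ts, host, event_id, src_ip, user, logon_type = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "host": host,
            "event_id": int(event_id),
            "src_ip": src_ip,
            "user": user,
            "logon_type": int(logon_type),
        })
    return sorted(events, key=lambda e: e["ts"])


def find_bruteforce_then_success(events, min_failures=5, window=timedelta(minutes=10)):
    """Rule 1: a source that logged at least `min_failures` 4625 events for one
    account within `window` and then a 4624 for that account. This is the
    perimeter password-guessing stage; a lone success with no failures is ignored.
    Returns {source_ip: account}."""
    failures = defaultdict(list)  # (src_ip, user) -> timestamps of 4625 events
    hits = {}
    for e in events:
        key = (e["src_ip"], e["user"])
        if e["event_id"] == 4625:
            failures[key].append(e["ts"])
        elif e["event_id"] == 4624:
            recent = [t for t in failures[key] if e["ts"] - t <= window]
            if len(recent) >= min_failures:
                hits[e["src_ip"]] = e["user"]
    return hits


def find_rdp_fanout(events, min_hosts=3, window=timedelta(hours=1)):
    """Rule 2: an account with RDP (logon type 10) successes on at least
    `min_hosts` distinct hosts inside `window`, the lateral-movement pattern.
    Returns {account: sorted list of hosts}."""
    rdp = defaultdict(list)  # user -> [(ts, host)]
    for e in events:
        if e["event_id"] == 4624 and e["logon_type"] == 10:
            rdp[e["user"]].append((e["ts"], e["host"]))
    flagged = {}
    for user, logons in rdp.items():
        logons.sort()
        for i, (t0, _) in enumerate(logons):
            hosts = {h for t, h in logons[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                flagged[user] = sorted(hosts)
                break
    return flagged


def hunt(lines=SAMPLE_EVENTS):
    """Run both rules and return their findings keyed by rule name."""
    events = parse_events(lines)
    return {
        "bruteforce": find_bruteforce_then_success(events),
        "rdp_fanout": find_rdp_fanout(events),
    }


if __name__ == "__main__":
    for rule, findings in hunt().items():
        print(rule, findings)
```

The thresholds (five failures in ten minutes, three RDP targets in an hour) are deliberately loose for a demonstration; in a real environment they would be tuned against a baseline, and the same two rules would be fed by an EDR or SIEM query rather than a list of strings. Both rules fire on the actor’s early stages, before any ransomware binary exists on the network, which is the point the interview makes about early detection.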