(Bloomberg) -- The Federal Bureau of Investigation attributed the massive Colonial Pipeline breach to ransomware created by a relatively new gang called DarkSide on Monday as new details emerged about the group accused of carrying out the attack.
“The FBI confirms that the DarkSide ransomware is responsible for the compromise of the Colonial Pipeline networks,” the agency wrote in a Monday statement.
In its own statement, the DarkSide group hinted that an affiliate may have been behind the attack and that it never intended to cause such upheaval. Like some other ransomware groups, DarkSide offers to sell its malware to others in what is known as “ransomware-as-a-service,” according to the cybersecurity firm Cybereason.
In a message posted on the dark web, where DarkSide maintains a site, the group suggested one of its customers was behind the attack and promised to do a better job vetting them going forward.
“We are apolitical. We do not participate in geopolitics,” the message says. “Our goal is to make money and not creating problems for society. From today, we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future.”
Rob Lee, chief executive officer of the industrial security firm Dragos Inc., said that the distinction between DarkSide and affiliates doesn’t shift blame. “Whether they passed off the keyboard or not I don’t know,” he said. “But they’re responsible either way.” He added that the group may avoid targets that draw federal law enforcement attention in the future, but that most ransomware targets have implications for society.
Colonial Pipeline halted all operations on its systems May 7 when it was hit with ransomware and is working to restore operations as investigators assess the damage. On Monday, Colonial pledged to restore deliveries of gasoline and other fuels to the eastern U.S. by the end of the week.
The group’s message came after the White House announced over the weekend that it had pulled together an inter-agency task force to tackle the problem. The task force worked through the weekend to address the breach, including exploring options for lessening its impact on the energy supply, according to a White House official.
While the inquiry remains in its early stages, some evidence has emerged linking DarkSide to Russia or elsewhere in Eastern Europe.
The attackers are known by cybersecurity experts as a “Russian-speaking group that popped up last summer,” according to Dmitri Alperovitch, the chairman of Silverado Policy Accelerator and former chief technology officer of the cybersecurity firm Crowdstrike Holdings Inc.
“Like many Russian cyber crime operations they specifically exclude Russian companies from being targeted by their malware,” he added in a statement.
Lee said his teams at Dragos have responded to a few incidents involving DarkSide ransomware in recent months, including a U.S. power company that he declined to name. In those cases -- which involve companies smaller than Colonial Pipeline -- DarkSide ransoms were typically in the single-digit millions of dollars, Lee said.
Dragos investigators didn’t pinpoint the group’s location. But Lee said that IP and email addresses found in the investigations were based in Russia. In addition, he said, DarkSide doesn’t typically work on systems operating in Russian and other Eastern European languages.
The Russian Embassy in Washington didn’t immediately respond to a request for comment. The Kremlin has previously denied responsibility for hacking attacks.
The hackers stole almost 100 gigabytes of data from Colonial Pipeline’s networks in just two hours on Thursday, before locking its computers with ransomware and demanding payment, according to two people familiar with the investigation.
DarkSide has been identified as the suspected hacking group by two people familiar with the investigation and by Allan Liska, a senior threat analyst at the cybersecurity firm Recorded Future. The group first surfaced in August 2020, according to a blog post by the cybersecurity firm Cybereason.
On Sunday, Colonial Pipeline said it was still developing a plan for restarting the pipeline, which is critical for supplies along the East Coast.
The Transportation Security Administration, which is responsible for working to enhance pipeline security, said in a statement it has been in contact with Colonial Pipeline.
Senator Angus King, independent from Maine, and Representative Mike Gallagher, Republican from Wisconsin, who are co-chairs of the CyberSpace Solarium Commission, said in a statement the Colonial Pipeline attack underscores the need for more robust cybersecurity measures.
“We are disappointed, though unsurprised, to learn of the cyber-attack that shut down 5,500 miles of pipeline,” they said. “This interruption of the distribution of refined gasoline and jet fuel underscores the vulnerability of our national critical infrastructure in cyberspace and the need for effective cybersecurity defenses.”