By Ellen Nakashima
Washington - The U.S. government was not behind the disruption last week of a Russian hacker ring's computer network in the wake of the devastating cyber attack on a major U.S. fuel pipeline, four U.S. officials said, while experts said the group's disappearance could be a ploy.
The shuttering of DarkSide's operation last Thursday also has led to grousing by hackers affiliated with the group who claim they have not been paid by the ringleaders, according to cyber experts tracking the group. It is not clear if these affiliates were involved with the cyber attack on Colonial Pipeline on May 7, which led the company to shut down its pipeline for days, creating fuel shortages and panic buying in the southeastern United States.
Last Thursday, DarkSide announced that it had lost access to its servers, which it used to house and display data stolen from victims and to store ransoms it had collected for unlocking computer networks or refraining from releasing victims' data online.
"In addition," the group stated in a blog post, "funds from the payment server (belonging to us and our clients) were withdrawn to an unknown account."
The announcement came shortly after President Joe Biden at a news briefing had said the U.S. government was "going to pursue a measure to disrupt their ability to operate." That fueled speculation that U.S. Cyber Command had knocked DarkSide offline.
But officials, speaking on condition of anonymity because of the matter's sensitivity, said military cyber operators did not undertake such an action nor had any other U.S. agency.
Spokesmen for the Justice Department, the FBI, the National Security Council and the National Security Agency declined to comment. "We don't comment on cyber planning, intelligence, or operations as a matter of operational security," Cyber Command spokeswoman Katrina Cheesman said Wednesday.
Colonial's CEO, Joseph Blount, told the Wall Street Journal in an interview published Wednesday that he authorized the payment of $4.4 million to the hackers the night of the hack in hopes of quickly regaining control of company data the hackers had encrypted.
"I will admit that I wasn't comfortable seeing money go out the door to people like this," Blount told the Journal. "But it was the right thing to do for the country."
Still, it was days before the pipeline restored service, creating a fuel shortage across the eastern United States as consumers emptied service stations of gasoline in panicked buying and no new supplies arrived.
In his remarks last week, Biden said the United States did not believe the Russian government was involved in the attack, but had "strong reason to believe" the criminals operate out of Russia.
He said his administration has been in "direct communication with Moscow" about "the imperative for responsible countries to take decisive action against these ransomware attacks."
A number of cyber experts say they believe DarkSide's disappearance is a scam, and that the criminals will regroup and return.
The group operates under a "ransomware-as-a-service" model in which it develops the malware that affiliates use to hold victims hostage in exchange for a cut of the ransom proceeds.
"I believe they likely will rebrand and return under a new banner because there's so much money to be made," said Dmitry Smilyanets, a cyberthreat intelligence expert with the firm Recorded Future. The analytics firm Elliptic reported that DarkSide had received at least $90 million in ransoms since October.
In its blog post last week, DarkSide said it would pay its affiliates by May 23. Citing the disruption of its servers "as well as pressure from the United States," it said its affiliate program was now "closed."
Since last Friday, at least four criminals affiliated with DarkSide have complained in a hacker forum that the fees they are owed have not been paid, according to Smilyanets, who monitors the forum discussion, which is in Russian. The amounts owed range from $150,000 to more than $1 million, he said.
"We don't know if they seized the opportunity and just took the money and ran or if they really lost access to their payment server," he said, referring to a digital purse that receives the ransom payments from victims. "I don't believe that they're so incompetent to lose control of their hot wallet."
Michael Daniel, former White House cyber coordinator in the Obama administration, said the disruption of the servers took place too soon after the attack for it to have been a U.S. government operation.
"From a technical standpoint, it takes time to figure out what your targets are going to be and what you want to do to them," he said. Unless the government had made DarkSide a priority in advance of the attack, the time frame was "too limited to design" such a disruption.
"Where are those servers? Who owns them? Whose country are you carrying out that operation in?" he said. "Unless all of that had been already in place ahead of time, the length of time was just" too short.
Daniel also said he doubted U.S. officials could have approved such an action so quickly. "Even under the expedited processes, I find it unlikely that the policy process would have moved fast enough" to approve such an operation.
Daniel said, however, he wouldn't be opposed to such an operation. "This is the kind of thing you'd want to be imposing on the adversary instead of just letting them regroup and rebrand themselves," he said.
John Carlin, the principal associate deputy attorney general, pledged in an interview last week to pursue the instigators of such attacks at all levels. "That includes the operators - the digital triggermen, the coders, and those who provide digital command and control, and do the money laundering of the proceeds," he said.
The Justice Department is working with partners in other countries to "seize, disrupt" and deter the criminals' operations, he said. Together, he said, the U.S. and its partners will "figure out who they are and hold them to account."
The Washington Post