What is DarkSide? Russia-Linked Hacker Group Behind Colonial Pipeline Shutdown

A cyber hacking group has been accused of being behind the ransomware attack that shut down a major U.S. oil pipeline over the weekend.

In a brief statement Monday, the FBI named the DarkSide ransomware as being responsible for the compromise of the pipeline, overseen by Colonial Pipeline, which caused the disruption of fuel supply across eastern parts of the country and pushed prices up.

"We continue to work with the company and our government partners on the investigation," the FBI added.

In a statement published on the dark web, the hacking group appeared to have acknowledged the Colonial Pipeline shutdown.

"We are apolitical, we do not participate in geopolitics, do not need to tie us with a defined government and look for our motives," DarkSide said.

"Our goal is to make money, and not creating problems for society. From today we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future."

What is DarkSide?

DarkSide is a relatively new group that, since August 2020, has used ransomware cyberattacks to hack various companies in the U.S. and Europe. They have attempted to extort companies with threats, for instance, of leaking personal data. The group claims to give part of the money it makes to charity organizations.

The hacking group runs a quasi-professional operation, with its website having a press room, mailing list and a hotline for its victims to call.

As noted by Boston-based security firm Cybereason, DarkSide follows a "ransomware-as-a-service" model, in which hackers develop and sell their ransomware attack tools to those wishing to carry out an attack.

DarkSide also follows a "double extortion" trend, where the hackers not only encrypt and lock the user's data, but also threaten to make it public if the ransom is not paid.

The group claims its ransom demands range between $200,000 and $2 million. The BBC previously reported that some charities have refused donations after realizing it was ransom money from such ransomware attacks.

DarkSide says it has a code of ethics and states the hackers will never attack hospitals, schools, universities, non-profit organizations, and government agencies. Cybereason notes that the group only targets English-speaking countries, and appears to avoid former Soviet countries.

President Joe Biden told reporters on Monday that while there is "no evidence" that Russia is behind the pipeline cyberattack, there is evidence that the actors' ransomware is in Russia.

"They have some responsibility to deal with this," Biden said.

The group is also alleged to be run by former affiliates of other ransomware campaigns.

"They're very new but they're very organized," Lior Div, the chief executive of Cybereason, told ABC News Australia. "It looks like someone who's been there, done that."

Speaking to Reuters, Div added the increased media coverage of DarkSide may ultimately harm their operation, which is why the hackers are now trying to put some distance between themselves and the Colonial Pipeline attack.

"The global backlash is hurting their business," said Div. "It is the only reason they are offering a mea culpa."

Colonial Pipeline
Fuel tanks are seen at Colonial Pipeline Baltimore Delivery in Baltimore, Maryland on May 10, 2021. DarkSide has been designated as the ransomware group accused of forcing the shutdown of the pipeline operator. JIM WATSON/AFP/Getty Images