Russian military intelligence link to the Colonial Pipeline Company hack proves the GRU’s involvement in stealing funds in cyberspace

[Photo: Signage outside the U.S. Department of Energy (DOE) headquarters in Washington, D.C., Feb. 14, 2020. Photographer: Andrew Harrer/Bloomberg via Getty Images]

The Colonial Pipeline Company, one of the largest pipeline operators in the United States, was hacked by a Russian military intelligence-affiliated gang operating under the banner of the DarkSide hacker group and based in military unit 74455.

According to Acronis International GmbH, the group’s malware checked the system language of the machine it was running on and would not execute on computers using a language of the former USSR. DarkSide is one of many ransomware gangs that extort victims while avoiding targets in post-Soviet states. They demand payment to decrypt the files and increasingly ask for additional money in exchange for not publishing the stolen content.

The tactics are similar to those of the NotPetya ransomware attacks carried out by the Sandworm Team, which is associated with Russian military intelligence unit 74455.

The groups operating within unit 74455 have specialized in attacks on energy infrastructure for a long time. For example, the Energetic Bear group, controlled by this unit, attacked oil and gas companies in the United States in 2014.

In 2020, hackers calling themselves DarkSide claimed to have extorted millions of dollars from big businesses in order to ‘make the world better’. On its blog, DarkSide stated that it hacked accounts and demanded ransom, allegedly mainly from large companies earning large profits. After last year’s attack, the group tried to transfer Bitcoin donations to some charitable foundations. Since the total amount stolen is unknown, it is impossible to state that the group tried to donate all of the stolen funds to charity.

It is highly likely that the DarkSide group uses its statements about charity to hide its affiliation, and that it steals money in the interests of top officials of the Russian Ministry of Defense. Thus, Russia could have repeated the tactics of the DPRK, which uses Bureau 121 hackers and directs the funds they obtain to support its defense programs, bypassing sanctions. We estimate that the money stolen by DarkSide is used to finance Russian military intelligence operations abroad, thereby making them profitable and able to continue despite the sanctions pressure on Russia.

Thus, Russia continues a large-scale hybrid war against the United States and its allies, despite White House statements warning of consequences for previous cyberattacks carried out on U.S. territory. This confirms the hypothesis that Russia will continue its subversive operations abroad and expand its range of tools, up to the point of having a critical impact on a foreign state’s administrative system and paralyzing its work by sowing chaos in its social sphere.