US intelligence officials are concerned that Moscow has covertly carried out the Colonial Pipeline ransomware attack disguised as a criminal group, according to a US official familiar with intelligence reports, who said suspicions of a link to the Russian government are based on comments Russian President Vladimir Putin made last month.
Putin promised in his April 21 state of the nation address that the Kremlin would retaliate in unspecified ways for Western sanctions against Moscow. He also said that while Russia does not want to “burn our bridges” with adversaries, anyone who “intends to burn or even blow up these bridges … should know that Russia’s response will be asymmetric, fast and tough.”
US intelligence and security agencies have so far traced the Colonial Pipeline cyberattack to a relatively new criminal group from Russia or Eastern Europe known as DarkSide that installed software inside Colonial’s information technology.
Anne Neuberger, deputy national security adviser for cyber and emerging technology, told reporters this week that “US intelligence agencies are seeking links with nation-state actors.”
President Biden said Thursday that his administration does not believe the Russian government was behind the attack. “But we have strong reasons to believe that the criminals who committed the attack live in Russia,” Biden said.
He also said that the administration has been in direct communication with Moscow “about the imperative that responsible countries take decisive action against these ransomware networks.”
The FBI and the US Cybersecurity and Infrastructure Security Agency (CISA) have described DarkSide as “a ransomware-as-a-service variant” that was used in the Colonial Pipeline attack.
“Cybercriminal groups use DarkSide to gain access to a victim’s network to encrypt and exfiltrate data,” the two law enforcement agencies said in an advisory. “These groups then threaten to expose data if the victim does not pay the ransom.”
“Groups leveraging DarkSide have recently targeted organizations across various [critical infrastructure] sectors that include manufacturing, legal, insurance, health and energy,” the agencies said.
The US official, who spoke on condition of anonymity to The Washington Times, said one theory is that the Russian government carried out the attack using foreign intelligence hackers disguised as a criminal or non-governmental organization to mask the origin.
Another theory is that the Russians contracted the operation out to a criminal group to maintain deniability about any role in the attack.
The Russian government was linked by the US government to the recent SolarWinds cyberattack involving hacking teams from Moscow’s SVR foreign intelligence service.
Days after Putin’s April 21 threat of retaliation, CISA and the FBI issued a detailed assessment of SVR’s cyber operations.
SVR’s cyber teams included those identified by security researchers as Advanced Persistent Threat 29, or APT 29, Dukes, Cozy Bear, and Yttrium.
The SVR “will continue to seek intelligence from US and foreign entities through cyber exploitation, using a range of initial exploitation techniques that vary in sophistication, along with stealth intrusion trading within compromised networks,” the assessment said, adding that the SVR primarily attacks government computer networks, think tanks and policy analysis organizations, and information technology companies.
It also said that the SVR switched in 2018 from using malware on victims’ networks to targeting cloud computing, primarily email, for information. “Targeting cloud resources likely reduces the likelihood of detection by using compromised accounts or misconfigurations of the system to blend in with normal or unmonitored traffic in an environment not well defended, monitored, or understood by victim organizations,” the assessment said.
The difference between the SolarWinds and DarkSide attacks was evident in how the SVR maneuvered within compromised computer networks.
On the DarkSide attack, the FBI and CISA said in a May 11 advisory that “at this time, there is no indication that the entity’s operational technology (OT) networks have been directly affected by ransomware.” The hackers did not appear to “move sideways” within the company’s systems, they added.
An FBI spokesperson declined to comment when asked if the Russian government is linked to the pipeline attack.