Cybercriminals linked to the ransomware group that hit major U.S. fuel supplier Colonial Pipeline have reemerged and changed their tactics, according to cybersecurity firm FireEye.
While the DarkSide ransomware group behind the attack on the pipeline company appeared to go dormant last month, FireEye said Wednesday it detected a DarkSide affiliate later targeting closed-circuit television software users.
FireEye’s disclosure comes as President Biden met with Russian President Vladimir Putin Wednesday and discussed recent hacks and ransomware attacks attributed to Russia’s government and its cybercriminals. Mr. Biden previously linked the DarkSide group to Russia, but not to the Russian government, and he said on Wednesday that he told Mr. Putin that Russia needs to abide by the “rules of the road” in keeping certain critical infrastructure targets off-limits.
Mr. Putin sought to shift the blame for cyberattacks from Russia to the United States in remarks to the press after his meeting with Mr. Biden.
“From American sources, it follows that most of the cyberattacks in the world are carried out from the cyber realm of the United States,” Mr. Putin said. “Second place is Canada, then two Latin American countries, afterward comes Great Britain. Russia is not on the list of countries from where — from the cyber space of which — most of the various cyberattacks are carried out.”
He did not identify the source of his list, and many of the most damaging hacks and cyberattacks in recent years have been traced back to Russia, according to U.S. officials and cybersecurity researchers alike. The U.S. government attributed the SolarWinds hack that compromised nine federal government agencies to the Russian Foreign Intelligence Service, and recent ransomware attacks on Colonial Pipeline and meat producer JBS have been linked to Russian cybercriminals.
FireEye said Wednesday that its Mandiant division detected “UNC2465,” a DarkSide affiliate, attempting a new cyberattack after DarkSide was said to be shutting down last month.
DarkSide relied on a ransomware-as-a-service model in which developers of malicious software and affiliates deploying it shared portions of ransom payments made by victims to regain access to their data.
FireEye did not observe the DarkSide affiliate deploying ransomware. Instead it launched a software supply chain attack, in which a single breach of a software vendor, or of the channel that distributes its software, is used to reach the organizations that download and install that vendor’s product.
The DarkSide affiliate tampered with two software installation packages hosted on a closed-circuit television security camera provider’s website. A user who downloaded and ran one of the modified installers unknowingly gave the attackers access, according to FireEye, which is how the group reached potential victims.
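The following is an added example, not code from the article, from FireEye/Mandiant or from the camera vendor, showing the check a deploying team would run against an installer downloaded from a vendor website: the file’s SHA-256 is compared with a reference hash obtained through a channel the website cannot alter. The package name, installer bytes and hashes are constructed for the demonstration, and the fourth case shows why a hash published next to the download on the same site gives no protection when that site is the thing that was compromised.

```python
"""
Added example, not code from the article, FireEye/Mandiant or the camera
vendor: an installer integrity check that catches a trojanized package
served from a compromised vendor website. All file contents, names and
hashes below are constructed for the demonstration.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class InstallerCheck:
    name: str
    ok: bool
    reason: str


def sha256_hex(data: bytes) -> str:
    """SHA-256 of the installer bytes as a lowercase hex string."""
    return hashlib.sha256(data).hexdigest()


def verify_installer(name: str, data: bytes,
                     reference: Dict[str, str]) -> InstallerCheck:
    """Allow the installer only if its hash matches the reference entry.

    The value of this check rests entirely on where `reference` came from:
    it must be obtained over a channel the download site cannot change
    (a hash pinned at first trusted deployment, a vendor mailing, a signed
    release manifest). A hash fetched from the same page as the download
    is under the same attacker's control and proves nothing.
    """
    expected: Optional[str] = reference.get(name)
    if expected is None:
        return InstallerCheck(name, False,
                              "no reference hash for this package; refuse to run")
    actual = sha256_hex(data)
    if actual != expected:
        return InstallerCheck(name, False,
                              f"hash mismatch: expected {expected[:16]}..., "
                              f"got {actual[:16]}...")
    return InstallerCheck(name, True, "hash matches reference")


# --- constructed sample data (hypothetical; not real vendor files) ---
# Stand-in for the legitimate installer as the vendor shipped it.
CLEAN_INSTALLER = b"MZ\x90\x00" + b"CCTV-Setup v4.2 installer payload " * 64
# Stand-in for the tampered package: the same installer with a loader stub
# appended, so the program still works for the user who runs it.
TROJANIZED_INSTALLER = CLEAN_INSTALLER + b"\x00" * 16 + b"<appended backdoor loader stub>"

PACKAGE = "cctv-setup.exe"  # hypothetical package name

# Reference hash pinned from a copy obtained before the website compromise,
# e.g. recorded by the security team at first trusted deployment.
OUT_OF_BAND_REFERENCE: Dict[str, str] = {PACKAGE: sha256_hex(CLEAN_INSTALLER)}

# The manifest the website serves now. Whoever replaced the installer could
# rewrite this file too, so it "matches" the trojanized copy.
SAME_SITE_MANIFEST: Dict[str, str] = {PACKAGE: sha256_hex(TROJANIZED_INSTALLER)}


def demo() -> Dict[str, bool]:
    """Run the four cases worth understanding; returns case name -> allowed."""
    return {
        "clean_vs_out_of_band":
            verify_installer(PACKAGE, CLEAN_INSTALLER, OUT_OF_BAND_REFERENCE).ok,
        "trojanized_vs_out_of_band":
            verify_installer(PACKAGE, TROJANIZED_INSTALLER, OUT_OF_BAND_REFERENCE).ok,
        "unknown_package":
            verify_installer("other.msi", CLEAN_INSTALLER, OUT_OF_BAND_REFERENCE).ok,
        # False assurance: the attacker-controlled manifest agrees with the
        # attacker-controlled installer, so this case is allowed.
        "trojanized_vs_same_site_manifest":
            verify_installer(PACKAGE, TROJANIZED_INSTALLER, SAME_SITE_MANIFEST).ok,
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case:36s} {'ALLOW' if allowed else 'BLOCK'}")
```

The last case is the point: the modified installer passes when checked against the manifest served beside it, and fails only against a hash that was recorded independently of the website. In practice the independent channel is a pinned hash from a previously vetted copy, a vendor communication outside the web server, or the vendor’s code-signing certificate checked on the endpoint before execution.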
“UNC2465’s move from drive-by attacks on website visitors or phishing emails to this software supply chain attack shows a concerning shift that presents new challenges for detection,” wrote FireEye threat researchers on the company’s blog.
“While many organizations are now focusing more on perimeter defenses and two-factor authentication after recent public examples of password reuse or [virtual private network] appliance exploitation, monitoring endpoints is often overlooked or left to traditional antivirus. A well-rounded security program is essential to mitigate risk from sophisticated groups such as UNC2465 as they continue to adapt to a changing security landscape.”
FireEye’s threat researchers said they did not suspect many victims were compromised but notified the closed-circuit television company of the potential problems. FireEye did not name the company that was breached and said it was disclosing the cyberattacker’s technique for broader awareness. FireEye previously worked with Colonial Pipeline in its response to the DarkSide ransomware attack.
• Dave Boyer contributed to this article, which is based partly on wire-service reports.