Cybercriminals linked to the ransomware group that hit major U.S. fuel supplier Colonial Pipeline have reemerged and changed their tactics, according to cybersecurity firm FireEye.

While the DarkSide ransomware group behind the attack on the pipeline company appeared to go dormant last month, FireEye said Wednesday it detected a DarkSide affiliate later targeting closed-circuit television software users.

FireEye said its Mandiant division detected “UNC2465,” a DarkSide affiliate, attempting a new cyberattack after DarkSide was said to be shutting down last month.

DarkSide relied upon a ransomware-as-a-service model where developers of malicious software and affiliates deploying it shared portions of ransom payments made by victims to regain access to their data.

FireEye did not observe the DarkSide affiliate deploying ransomware; instead, it saw the affiliate launch a software supply chain attack, which involves a single breach to obtain access to companies that run the victim’s software.

The DarkSide affiliate compromised two software installation packages from a closed-circuit television security camera provider’s website and gained access to potential victims through an unsuspecting user, according to FireEye.

“UNC2465’s move from drive-by attacks on website visitors or phishing emails to this software supply chain attack shows a concerning shift that presents new challenges for detection,” wrote FireEye threat researchers on the company’s blog.

“While many organizations are now focusing more on perimeter defenses and two-factor authentication after recent public examples of password reuse or [virtual private network] appliance exploitation, monitoring endpoints is often overlooked or left to traditional antivirus. A well-rounded security program is essential to mitigate risk from sophisticated groups such as UNC2465 as they continue to adapt to a changing security landscape.”

FireEye’s threat researchers said they did not suspect many victims were compromised but notified the closed-circuit television company of the potential problems. FireEye did not name the company that was breached and said it was disclosing the cyberattacker’s technique for broader awareness. FireEye previously worked with Colonial Pipeline in its response to the DarkSide ransomware attack.

FireEye’s disclosure on Wednesday comes as President Biden met with Russian President Vladimir Putin and discussed recent cyber and ransomware attacks. Mr. Biden has previously linked the DarkSide group to Russia but not the Russian government.

