American intelligence officials are concerned Moscow may have covertly carried out the Colonial Pipeline ransomware attack disguised as a criminal group, according to a U.S. official familiar with intelligence reports who said suspicions of the Russian government link are based on comments Russian President Vladimir Putin made last month.
Mr. Putin vowed in his April 21 state-of-the-nation speech that the Kremlin would engage in unspecified retaliation for Western sanctions on Moscow. He also said that while Russia doesn’t want to “burn our bridges” with adversaries, anyone who “intends to burn or even blow up these bridges … must know that Russia’s response will be asymmetrical, swift and tough.”
American intelligence and security agencies have so far traced the Colonial Pipeline cyberattack to a relatively new Russian or Eastern European criminal group known as DarkSide, which planted its ransomware on Colonial’s information technology (IT) systems.
Anne Neuberger, deputy national security adviser for cyber and emerging technology, told reporters this week that U.S. “intelligence agencies are looking for any ties to nation-state actors.”
President Biden said Thursday his administration does not believe the Russian government was behind the attack. “But we do have strong reason to believe that the criminals who did the attack are living in Russia,” Mr. Biden said.
He also said the administration has been in direct communications with Moscow “about the imperative for responsible countries to take decisive actions against these ransomware networks.”
The FBI and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) have described DarkSide as “a ransomware-as-a-service variant” that was used in the Colonial Pipeline attack.
“Cybercriminal groups use DarkSide to gain access to a victim’s network to encrypt and exfiltrate data,” the two security agencies said in an advisory. “These groups then threaten to expose data if the victim does not pay the ransom.”
“Groups leveraging DarkSide have recently been targeting organizations across various [critical infrastructure] sectors including manufacturing, legal, insurance, healthcare, and energy,” the agencies said.
The U.S. official, who spoke on condition of anonymity with The Washington Times, said one theory is the Russian government conducted the attack using foreign intelligence hackers disguised as a criminal or nongovernmental organization to mask the origin.
Another theory is the Russians contracted the operation out to a criminal group to maintain deniability for any role in the attack.
Russia’s government was linked by the U.S. government to the recent SolarWinds cyberattack that involved hacker teams from Moscow’s SVR foreign intelligence service.
Days after Mr. Putin’s April 21 threat of retaliation, CISA and the FBI issued a detailed assessment of SVR cyber operations.
SVR cyber teams included those identified by security researchers as Advanced Persistent Threat 29, or APT 29, the Dukes, Cozy Bear, and Yttrium.
The SVR “will continue to seek intelligence from U.S. and foreign entities through cyber exploitation, using a range of initial exploitation techniques that vary in sophistication, coupled with stealthy intrusion tradecraft within compromised networks,” the assessment said, adding that the SVR mainly attacks government computer networks, think tank and policy analysis organizations, and information technology companies.
It also said the SVR shifted in 2018 from using malware on victim networks to targeting cloud computing, mainly email, to obtain information. “Targeting cloud resources probably reduces the likelihood of detection by using compromised accounts or system misconfigurations to blend in with normal or unmonitored traffic in an environment not well defended, monitored, or understood by victim organizations,” the assessment said.
One difference between the SolarWinds and DarkSide intrusions is that the SVR maneuvered inside the compromised computer networks after gaining access.
In the Colonial Pipeline attack, by contrast, the FBI and CISA stated in a May 11 advisory that “at this time, there is no indication that the entity’s operational technology (OT) networks have been directly affected by the ransomware.” Nor did it appear that the hackers had “moved laterally” within the company’s systems, the two agencies added.
An FBI spokesman declined to comment when asked if the Russian government is linked to the pipeline attack.