Gas Shortage on East Coast

The thing is that every Russian hacker group is known to the FSB, SVR or GRU and can be shut down or used by them at any time. Hacking of Colonial magnitude goes well beyond extorting some hospital and looks like a show of force.
But maybe I’m wrong and it is some 600 lbs guy in his mom’s basement lol


Nah, it’s Malware / Ransomware aaS (as a service).

You do the groundwork: phishing, vishing, getting them to click the right URL, and they provide the rootkit. You get 20% of any payment to the address.

You are 100% correct that they’re all known and are pawns of the iron fist, but this particular group is known to actually have special groups (hospitals, etc.) they will not go after or hit.

Further intel showed they hit no previous USSR states either.

I could be wrong and it could be another strike at our fragile infra, but most of these attacks go under the carpet. They just hit the right guys.

Hell, employees are selling their credentials to a shady company in Silicon Valley and getting paid $25/month; that’s how they gain persistence.

It’s far worse than people know.

It’s not a cyberattack. It’s ransomware.

Someone clicked on a questionable ad and it downloaded software which borked their computer. Of course they were more likely surfing porn when this happened.

Not an attack.


So, you are saying it cannot be a cyberattack masked as a ransomware? To make a point? :smirk:

Russia is Russia.


Nyet. Ransomware as a Service. You don’t need to ask Putin to get a 'puter.

This is far more widespread than you know.

Most companies just sweep it under the rug after restoring Veeam backups, and when called out they hand out a year of credit monitoring. The only difference is that they don’t transport roughly 50% of the gas on the East Coast.


Welcome to CA gas prices! :joy:


This is a great quote, and true.

Just try not to imagine the companies they’re silently in, and the dark-net auctions where people buy up the access. That’s when things get worrisome and you realize it’s all screwed.

Example: Remember Equifax was hacked through a freaking SQL injection, half of America’s info was dropped, and everyone just forgot?

Eventually, they went on to upload so-called web shells to gain access to Equifax’s web server. They used their position to collect credentials, giving them unfettered access to back-end databases. Think of breaking into a building: It’s a lot easier to do so if residents leave a first-floor window unlocked and you manage to steal employee IDs.

From there, they feasted. The indictment alleges that the hackers first ran a series of SQL commands to find especially valuable data. Eventually, they located a repository of names, addresses, Social Security numbers, and birth dates. The DOJ says the interlopers ran 9,000 queries in all, not stopping until the end of July.

9,000 queries run on a SQL server to basically exfiltrate 40% of the US’s Social Security data and accounts, and nothing really ever happened. We may get some credit monitoring or a $7 check in a few years.

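The chain the quoted article describes (a foothold on the web tier, harvested database credentials, then thousands of queries walking a table) is easy to see in code. The following is an added example written for this page, not code from the post or from any Equifax material: the table, principals, audit-log format and the 10-query threshold are all invented for illustration. It puts a concatenated SQL lookup beside the same lookup with a bound parameter, then runs a small per-principal query counter over constructed audit lines to show the kind of volume anomaly that 9,000 queries from one account would produce.

```python
"""Added example: injection versus parameterized lookup, plus a toy
per-principal query-volume detector over constructed audit-log lines.
Everything here (table, users, log shape, threshold) is an assumption."""
import re
import sqlite3
from collections import Counter

# Constructed stand-in for a consumer-records table (fake data).
SAMPLE_ROWS = [
    ("Alice Example", "000-00-0001", "1970-01-01"),
    ("Bob Example", "000-00-0002", "1980-02-02"),
    ("Carol Example", "000-00-0003", "1990-03-03"),
]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE consumers (id INTEGER PRIMARY KEY, name TEXT, ssn TEXT, dob TEXT)"
    )
    conn.executemany("INSERT INTO consumers (name, ssn, dob) VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    # The caller's string is spliced into the SQL text, so a value such as
    # "' OR '1'='1" rewrites the WHERE clause and returns every row.
    sql = "SELECT name, ssn FROM consumers WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, name: str) -> list:
    # The value is bound separately and never parsed as SQL; the same payload
    # is just a name nobody has, so no rows come back.
    return conn.execute(
        "SELECT name, ssn FROM consumers WHERE name = ?", (name,)
    ).fetchall()


# Assumed audit-log line shape: "<ts> user=<principal> src=<ip> stmt=<sql>"
AUDIT_LINE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) stmt=(?P<stmt>.*)$")


def count_selects(lines) -> Counter:
    """Number of SELECT statements per principal in the given audit lines."""
    counts: Counter = Counter()
    for line in lines:
        m = AUDIT_LINE.match(line)
        if m and m.group("stmt").lstrip().upper().startswith("SELECT"):
            counts[m.group("user")] += 1
    return counts


def flag_outliers(counts: Counter, threshold: int) -> list:
    """Principals whose SELECT count reaches the threshold, sorted by name."""
    return sorted(user for user, n in counts.items() if n >= threshold)


# Constructed log: two ordinary application principals and one that behaves
# the way the article describes, paging through the whole table.
SAMPLE_LOG = [
    "2017-05-13T09:00:01Z user=app_ro src=10.0.0.5 stmt=SELECT name FROM consumers WHERE id = 7",
    "2017-05-13T09:00:07Z user=app_ro src=10.0.0.5 stmt=SELECT name FROM consumers WHERE id = 9",
    "2017-05-13T09:00:09Z user=batch src=10.0.0.8 stmt=UPDATE consumers SET dob = '1980-02-02' WHERE id = 2",
] + [
    f"2017-05-13T09:01:{i:02d}Z user=svc_web src=10.0.0.21 "
    f"stmt=SELECT name, ssn, dob FROM consumers LIMIT 100 OFFSET {i * 100}"
    for i in range(12)
]

QUERY_THRESHOLD = 10  # assumption: well above any legitimate principal in this sample


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print("vulnerable   :", lookup_vulnerable(db, payload))    # all three rows
    print("parameterized:", lookup_parameterized(db, payload))  # []
    counts = count_selects(SAMPLE_LOG)
    print("per-user SELECT counts:", dict(counts))
    print("flagged:", flag_outliers(counts, QUERY_THRESHOLD))   # ['svc_web']
```

A fixed threshold is only a placeholder; in practice you would baseline each principal's normal rate and alert on deviation, and you would also watch for a web-tier service account suddenly selecting columns (SSN, DOB) it never touched before, which is the second signal the article's description gives you.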

I mean, it’s most likely the same class of guys who pretend to be [Princes of Nigeria] rather than Putin behind it.


Not him directly, of course.

Russian President Vladimir Putin on Tuesday denied any involvement. His spokesman said: ‘Russia has nothing to do with these hacker attacks, and had nothing to do with the previous hacker attacks. We categorically do not accept any accusations against us.’

But of course :slight_smile:

The chief security officer was forced to retire; turns out her music degree didn’t fend off the SQL injection.


Gonna need some first aid ointment for that burn; you summed it up well. Amateur hour at Equifax, once thought to be one of the big 3 credit companies. No, they’re all idiots, some doing their best, most bad decisions caused by C-levels who don’t understand why you need off-site backups.


DarkSide: The Russian hacking outfit behind the Colonial Pipeline attack is given free rein by the Kremlin to target Western countries

The cyberextortion attack that forced the shutdown of America’s largest fuel pipeline was carried out by a criminal gang known as DarkSide that is believed to be based out of Russia, where they are given free rein to target Western countries.

DarkSide is made up of veteran cybercriminals but insists it is not political. Like many others, however, DarkSide seems to spare Russian, Kazakh and Ukrainian-speaking companies, which does suggest a link to Russia.

Ransomware rackets are now dominated by Russian-speaking cybercriminals who are shielded - and sometimes employed - by Russian intelligence agencies, according to US officials.

Cyber experts say Russia gives free rein to hackers who target the US and European countries.

DarkSide has already boasted that it has been paid millions of dollars in ransom from 80 companies across the US and Europe.

‘Whether they work for the state or not is increasingly irrelevant, given Russia’s obvious policy of harboring and tolerating cybercrime,’ Dmitri Alperovitch, a former CTO of CrowdStrike, told NBC of DarkSide’s recent hacking.

The FBI on Monday confirmed that DarkSide was responsible for the attack on Colonial Pipeline that has experts fearing widespread gas shortages and significant price hikes. The federal agency did not mention DarkSide’s ties to Russia.

The US last month slapped sanctions on Russia for malign activities including state-backed hacking. The Treasury Department said Russian intelligence has enabled ransomware attacks by cultivating and co-opting criminal hackers and giving them safe harbor.

DarkSide, which cultivates a Robin Hood image of stealing from corporations and giving a cut to charity, said in a statement posted on the dark web that their only goal was to ‘make money’ and not create problems for society.

‘We are apolitical, we do not participate in geopolitics,’ the statement read. ‘Our goal is to make money and not creating problems for society.’

‘From today we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future.’

Despite only emerging in August last year, DarkSide appears to be very organized, experts say.

Those who have tracked DarkSide said it appears to be composed of veteran cybercriminals who are focused on squeezing out as much money as they can from their targets.

‘They’re very new but they’re very organized,’ Lior Div, the chief executive of Boston-based security firm Cybereason, said. ‘It looks like someone who’s been there, done that.’

DarkSide is one of a number of increasingly professionalized groups of digital extortionists, with a mailing list, a press center and a victim hotline to help facilitate ransom payments.

Experts say DarkSide was likely composed of ransomware veterans and that it came out of nowhere in the middle of last year and immediately unleashed a digital crimewave.

DarkSide’s site on the dark web hints at their hackers’ past crimes with claims they previously made millions from extortion and that just because their software was new ‘that does not mean that we have no experience and we came from nowhere’.

The site also features a Hall of Shame-style gallery of leaked data from victims who haven’t paid up. It advertises stolen documents from more than 80 companies across the US and Europe.

One of the more recent victims featured on its list was Georgia-based rugmaker Dixie Group Inc, which publicly disclosed a digital shakedown attempt affecting ‘portions of its information technology systems’ last month.

DarkSide has previously targeted Enterprise rental cars, Canadian real estate firm Brookfield Residential and an Office Depot subsidiary called CompuCom.

The group has a supposed code of conduct intended to spin the group as reliable, if ruthless, business partners.

They have publicly stated that they prefer not to attack hospitals, schools, non-profits, and governments. They instead go after big organizations that can afford to pay large ransoms, and claim to donate a portion of their take to charity.

The group has posted receipts from donations it claims it has made to US charities in the wake of ransom attacks.

And who do you think is going to release the truth on this? There is literally no good announcement here. Small hacker group theory: that sounds like any dumbass with a computer can take down US infrastructure, not good. Direct authorization from Putin: that’s even worse, because that’s an act of war. A combination of the two: then why doesn’t Russia’s government help to bring these people to justice?

At the end of the day everyone knows that this is a direct attack by Russia on the US, but proving it would cause more problems than it would solve.

The public is going to get a “plausible” explanation, a few people will get fired, some security contracts will be re-bid, and we won’t hear anything about this until maybe 2022, depending on whether it’s politically convenient to bring it up during the mid-terms. Given a few years, it will be just as forgotten by everyone as Equifax was. A lot of people can’t even remember if it was Equifax or Experian that got hacked to begin with; no one will remember Colonial.


Mandiant, FireEye or KrebsonSecurity after seeing indictments in a year or two.

Kids were using SubSeven at age 14, it was essentially a RAT. It did not need Russia.

No. People in IT will find a payload with attributable code, or at least a C&C server known to be used by a certain group previously. Everyone makes a mistake, be it using an old VPS at one of a few criminal-friendly VPS providers once or twice.

We work in 1’s and 0’s and actual data. I’m interested to see the full incident response and you can bet your ass Mandiant / FireEye are gonna bank off this case study. KrebsOnSecurity will have a field day deciphering the indictment, but until then, I’d lay off the political crap.

This is most likely Ransomware as a Service due to some remote worker who didn’t install SentinelOne or DarkTrace.


I can confirm there are long gas lines in South Florida and certain gas stations are limiting cars to only 10 gallons apiece. This is only gonna last about a week, and then things will go back to our hyper-inflated regular high gas prices.


You could have the fanciest Cisco or Arbor Networks gear for defense at your network; if your new HR person gets phished with a domain purchased for $8 and your IT guys didn’t lock down Active Directory enough, you’re done.

It’s the truth, and it’s scary how prevalent they are in networks, and how scrubbed things are. Uber did it, there’s a reason California has a law where you need to disclose.


Putin just scored 8 goals in a hockey game. God forbid the goalie inadvertently blocks one of his shots lol.

For the Experian thing, it is also about this credit reporting model, how they can aggregate your personal data, slice and dice it and then profit from it. That’s why GDPR is needed; many companies’ IT have Mickey Mouse security, like SolarWinds. They probably use admin/password for a lot of their logins.


So does Igor, who’s currently at his house.

@sharksfan15 don’t get me started on SolarWinds; that was a direct source vector into MSPs, the very people who are supposed to protect people from this.

Same deal. Some are lazy and don’t practice what they preach.

BitLocker on the AD and backup server, but they use TeamViewer with no 2FA on their laptop.

It’s a mess and I’m pissed.