US Denies Disruption of Russian Ransomware Ring
By Nick Koutsobinas | Wednesday, 19 May 2021 09:44 PM
The United States government was not behind the disruption of DarkSide, the Russian ransomware ring responsible for the Colonial Pipeline hack, according to four United States officials. Last Thursday, the hacker group announced it had lost access to the servers on which it displayed its stolen data.
The group stated in a blog post that "funds from the payment server (belonging to us and our clients) were withdrawn to an unknown account," according to The Washington Post.
Shortly after the group made its blog post announcement, President Joe Biden stated in a press briefing that the United States is "going to pursue a measure to disrupt their ability to operate." That timing fueled speculation that the U.S. had knocked the group offline.
But U.S. officials denied the claim, and, most likely because of the matter's sensitivity, the FBI, National Security Council, National Security Agency, and Justice Department all declined to comment. Cyber Command spokeswoman Katrina Cheesman said on Wednesday, "We don't comment on cyber planning, intelligence, or operations as a matter of operational security."
The CEO of Colonial Pipeline, Joseph Blount, said he authorized the payment of $4.4 million to the hackers to regain control of the company's systems quickly. Blount told the Wall Street Journal, "I will admit that I wasn't comfortable seeing money go out the door to people like this. But it was the right thing to do for the country."
Last week President Biden said he did not believe the Russian government was behind the attack, but he had a "strong reason to believe" the hackers operated out of Russia. Biden said his administration was in "direct communication with Moscow" about "the imperative for responsible countries to take decisive action against these ransomware attacks."
There is also speculation that DarkSide going dark is a ruse rather than a genuine shutdown. According to Dmitry Smilyanets, a cyber threat expert at Recorded Future, "they likely will rebrand and return under a new banner because there's so much money to be made."
Since Friday, at least four hackers affiliated with DarkSide have complained in a forum that they had not received payment. "We don't know if they seized the opportunity and just took the money and ran or if they really lost access to their payment server," Smilyanets said. "I don't believe that they're so incompetent to lose control of their hot wallet."
A former White House cyber coordinator who worked with the Obama administration said the disruption occurred too quickly to have been a U.S. operation. "From a technical standpoint, it takes time to figure out what your targets are going to be and what you want to do to them," he said, unless the U.S. government had already made DarkSide a priority before the attack.
"Where are those servers? Who owns them? Whose country are you carrying out that operation in?" he continued. "Unless all of that had been already in place ahead of time, the length of time was just" too quick.