The group behind the hacking of privately held Colonial Pipeline has been identified as "DarkSide," a ransomware group with possible connections to Eastern Bloc countries.

Georgia-based Colonial Pipeline maintains it shut down its facilities proactively, but the presence of ransomware hackers suggests the closure could last long enough to affect gas prices along the East Coast. Colonial Pipeline has not said whether it paid a ransom.

DarkSide’s presence was first reported by Bloomberg. Sources from Colonial Pipeline remain anonymous due to the private nature of the information.

DarkSide is a relatively new hacker group but reportedly has experienced members. On its website, a post published soon after the attacks reiterated their code of ethics -- they will not attack hospitals, hospices, schools, universities, nonprofit organizations, and government agencies.

“We are apolitical, we do not participate in geopolitics, do not need to tie us with a defined government and look for our motives,” the post reads. “Our goal is to make money, and not creating problems for society. From today we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future.”

DarkSide also says it donates a portion of its earnings to charity, though many charities have declined to accept their funds.

"They're very new but they're very organized," Lior Div, chief executive of Boston-based cybersecurity company Cybereason, told Reuters on Sunday. "It looks like someone who's been there, done that."

The Colonial Pipeline serves millions of customers on the East Coast, including Washington Dulles International Airport
The Colonial Pipeline serves millions of customers on the East Coast, including Washington Dulles International Airport AFP / KAREN BLEIER

DarkSide’s target list doesn't include companies from the former Soviet Union, Reuters noted. Ransomware groups are increasingly associated with Russia, as the Kremlin provides them with a sympathetic base of operations, even in cases without explicit government connections.

Colonial Pipeline says it’s already gotten some smaller pipelines running again, and confirmed Sunday that a “system restart” is in the works. If the company refuses to pay the hackers, there might be consequences beyond having to rebuild digital infrastructure from the ground up. DarkSide’s characteristic “double extortion” plan also threatens to leak the company’s data online.

Ed Amoroso, CEO of TAG Cyber, told the Associated Press that Colonial Pipeline was lucky the hackers were only motivated by money. State-based actors and terrorist organizations use the same infiltration methods as their extortionist counterparts but have far more destructive goals.

“For companies vulnerable to ransomware, it’s a bad sign because they are probably more vulnerable to more serious attacks,” Amoroso said, noting that Russian cyberattacks crippled Ukraine’s electrical grid in the winters of 2015 and 2016.

RELATED STORIES