The Dragos Blog

05.26.21 | 4 min read

Lessons Learned from Telemetry Analysis of DarkSide Affiliate Exfiltration Operations

Kent Backman

Providing an estimated 45% of refined petroleum products for the US East Coast, Colonial Pipeline Company (ColPipe) halted operations for approximately six days, significantly affecting fuel distribution on the East Coast. ColPipe first reported the stoppage on 07 May 2021 as a precaution following a cyber attack on the Information Technology (IT) side of ColPipe’s networks. An affiliate of DarkSide, a Ransomware as a Service (RaaS) threat, was responsible for the incident.

Dragos investigated this incident for potential Operational Technology (OT) impacts, but we did not find any. This blog post shares some of our findings related to the pre-encryption exfiltration operations of a DarkSide ransomware campaign. Some of the information discussed here, such as victims, is already public. What is new is how telemetry reveals network defense gaps against exfiltration and Command and Control (C2), and how it links multiple intrusions to a single adversary.

Telemetry Insights into DarkSide Ransomware Operations

Using internet traffic telemetry from Team Cymru, Dragos identified the DarkSide adversary’s stolen data repository hosted with a popular Virtual Private Server (VPS) hosting provider. The telemetry shows the adversary used this repository to stage information stolen from ColPipe and other compromised victim networks. Dragos observed that ColPipe was just the latest victim of this DarkSide adversary exfiltration campaign that started in the last week of April 2021. As an affiliate criminal of the DarkSide RaaS product, this adversary shares the extortion revenue from a successful ransomware operation with DarkSide.

In the following table synthesized from Pure Signal Recon network telemetry data, Dragos identifies the victim (redacted where it was not previously disclosed) and the exfiltration start, end, dump host, and estimated data transfer size. Data for each of these victims appears to be transferred via Secure File Transfer (SFTP) over Secure Shell (SSH) port 22, to a daemon listening on the adversary’s leased VPS at xxx.xx.xxx.72. Two of the victims were otherwise separate North American subsidiaries of Brenntag, a global chemical distributor. Stolen data purporting to be from Smile Brands, a dental business services provider, appeared on the DarkSide Dedicated Leak Site (DLS) on 24 April 2021. No data from victims besides Smile Brands listed in Table 1 were available for download on the DarkSide DLS, at the time of this analysis.

| Victim egress | Victim identity | UTC exfiltration start | UTC exfiltration end | Exfil SSH target | Approximate data amount |
|---|---|---|---|---|---|
| xx.xxx.xx.11 | Smile Brands | 4/23/21 5:57 | 4/24/21 9:51 | xxx.xx.xxx.72 | 400-600GB |
| xx.xx.xxx.169 | North American subsidiary #1 of Brenntag | 4/27/21 10:35 | 4/27/21 11:42 | xxx.xx.xxx.72 | 10-15GB |
| xxx.xxx.xxx.42 | North American subsidiary #2 of Brenntag | 4/27/21 11:19 | 4/27/21 20:31 | xxx.xx.xxx.72 | 60-80GB |
| xxx.xxx.xx.212 | Colonial Pipeline | 5/6/21 10:31 | 5/6/21 12:22 | xxx.xx.xxx.72 | 95-120GB |

Table 1: DarkSide affiliate exfiltration operation

At 11:09 UTC (just after 7 am Atlanta time) on 07 May 2021, some eleven hours after the upload completion of approximately 95-120GB of data in less than two hours, Dragos observed connections from inside ColPipe’s network to external Tor relay hosts on port 443. Port 443 is not the default listening port for Tor relays; port 9001 is. Dragos has medium confidence that while ColPipe may have blocked the default Tor relay port, it did not stop connections to Tor relays listening on port 443, the Transport Layer Security/Secure Socket Layer (TLS/SSL) default port used by typical Hypertext Transfer Protocol Secure (HTTPS) connections.

Dragos observed intermittent connections to the following Tor relays until 17:43 UTC on 08 May 2021:

This time is after ColPipe publicly reported the incident, so it is possible the adversary had some limited visibility into initial responder actions by maintaining access to an obfuscated Remote Desktop Protocol (RDP) or other remote access session. Dragos has medium confidence that, during this time period, system(s) inside the ColPipe network initiated other connections to Tor relays listening on port 443, but that these connections fell in a “sensor shadow” not visible in the telemetry. Based on the approximately eighteen and a half hours of Tor traffic originating from ColPipe networks, Dragos now suspects this Tor traffic represents one (or both) of two possible types of activity originating from ColPipe.

The Tor traffic may correspond to ColPipe representatives negotiating ransom demands with the DarkSide affiliate over a Tor-anonymized chat method. Or, it could be how the adversary tunneled their Command-and-Control (C2) connections, possibly RDP sessions, the same technique as observed by Varonis in their report, “Return of the Darkside”. If this traffic in fact represents Tor-tunneled C2, Dragos assesses with medium confidence that this is the time that the adversary deployed the DarkSide ransomware, encrypting multiple computer systems throughout the ColPipe network.

After our initial analysis of this exfiltration operation revealed by telemetry data, Bloomberg reported that ColPipe paid approximately $5 million in ransom. In a subsequent Wall Street Journal article, the ColPipe CEO explained reasons for paying the ransom.

How to Mitigate Ransomware Exfiltration Attempts

These observations show there are opportunities to mitigate exfiltration operations by ransomware adversaries. Industry-standard Data Loss Prevention (DLP) technology may have been able to detect and stop the anomalous outbound transfer of some 100 gigabytes of data to a single destination in a very short time frame. Likewise, industry-standard third-party web filtering of uncategorized websites may have stopped arbitrary HTTPS connections (in this case to readily identified Tor relays). The encryption phase of “steal and encrypt” dual-pressure extortion attacks invariably starts after the exfiltration phase. Thus, there is potential to interrupt, if not stop, the encryption phase by detecting the exfiltration while it is still in progress and catching the encryption operation before it starts.
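The two checks described above can be sketched over outbound flow records. This is an added example, not Dragos or Team Cymru tooling; the record layout, the 10.0.0.0/8 internal range, the thresholds and the sample addresses are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

GB = 10**9
INTERNAL = ip_network("10.0.0.0/8")  # assumed internal address space

def detect(flows, tor_relays, window=timedelta(hours=2), limit=50 * GB):
    """flows: (timestamp, src, dst, dst_port, bytes_out) tuples.

    Returns (bulk, tor): bulk holds (src, dst) pairs that sent more than
    `limit` bytes to one external host inside any sliding `window`; tor
    holds (src, dst, port) for flows to a listed relay, matched on address
    only so a relay listening on 443 is caught as well as one on 9001.
    """
    per_pair, tor = defaultdict(list), set()
    for ts, src, dst, port, nbytes in flows:
        if ip_address(dst) in INTERNAL:
            continue  # east-west traffic is out of scope
        per_pair[(src, dst)].append((ts, nbytes))
        if dst in tor_relays:
            tor.add((src, dst, port))
    bulk = set()
    for pair, recs in per_pair.items():
        recs.sort()
        start = total = 0
        for ts, nbytes in recs:
            total += nbytes
            while ts - recs[start][0] > window:  # slide the window forward
                total -= recs[start][1]
                start += 1
            if total > limit:
                bulk.add(pair)
                break
    return bulk, tor

# Constructed sample flows (documentation address ranges, not real telemetry).
T0 = datetime(2021, 1, 1, 10, 0)
SAMPLE = (
    # 12 x 9 GB over SSH to one host in 110 minutes: the bulk pattern
    [(T0 + timedelta(minutes=10 * i), "10.1.1.5", "203.0.113.72", 22, 9 * GB)
     for i in range(12)]
    # 60 GB spread evenly over 24 hours: stays under the threshold
    + [(T0 + timedelta(hours=i), "10.1.1.9", "198.51.100.10", 443, 25 * GB // 10)
       for i in range(24)]
    # small TLS-port flow to an address on the relay list
    + [(T0, "10.1.1.5", "192.0.2.33", 443, 40_000)]
)
TOR_RELAYS = {"192.0.2.33"}  # constructed stand-in for a relay address list

if __name__ == "__main__":
    print(detect(SAMPLE, TOR_RELAYS))
```

Matching relays by address rather than by port is the point of the second check: a rule keyed only to port 9001 passes the port 443 connections described earlier.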

One should also note the exfiltration activity in Table 1 with the two North American subsidiaries of Brenntag, reportedly the largest chemical distributor in the world. Although Dragos determined the subsidiary victim exfiltration egress IP addresses are geographically separated by over 2700 kilometers, it is clear, based on overlapping time windows in which the RaaS operator executed the exfiltration to the stolen data repository site, this was all part of one operation. Dragos has high confidence that this RaaS operator was skilled in lateral movement and obtained concurrent access to these subsidiaries via trusted network connections between the two organizations. Following our initial analysis, Bleeping Computer reported that Brenntag paid approximately $4.4 million in ransom.
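The time-window reasoning above can be reproduced from Table 1 itself. This is an added example, not Dragos's analysis code; the rows are transcribed from Table 1 with the redacted addresses kept as printed, and the function names are illustrative.

```python
from collections import defaultdict
from datetime import datetime
from itertools import combinations

# Rows transcribed from Table 1: victim, UTC start, UTC end, exfil SSH target.
TABLE_1 = [
    ("Smile Brands", "4/23/21 5:57", "4/24/21 9:51", "xxx.xx.xxx.72"),
    ("Brenntag subsidiary #1", "4/27/21 10:35", "4/27/21 11:42", "xxx.xx.xxx.72"),
    ("Brenntag subsidiary #2", "4/27/21 11:19", "4/27/21 20:31", "xxx.xx.xxx.72"),
    ("Colonial Pipeline", "5/6/21 10:31", "5/6/21 12:22", "xxx.xx.xxx.72"),
]

def parse(ts):
    """Parse the table's month/day/year hour:minute timestamps."""
    return datetime.strptime(ts, "%m/%d/%y %H:%M")

def correlate(rows):
    """Group exfiltration sessions by destination and find concurrent ones.

    Returns {dst: {"victims": [names in start order],
                   "concurrent": [(victim_a, victim_b, overlap_minutes)]}}.
    A shared destination links victims to one repository; overlapping
    windows show sessions that were running at the same time.
    """
    by_dst = defaultdict(list)
    for victim, start, end, dst in rows:
        by_dst[dst].append((parse(start), parse(end), victim))
    result = {}
    for dst, sessions in by_dst.items():
        sessions.sort()
        concurrent = []
        for (s1, e1, v1), (s2, e2, v2) in combinations(sessions, 2):
            overlap = min(e1, e2) - max(s1, s2)
            if overlap.total_seconds() > 0:
                concurrent.append((v1, v2, int(overlap.total_seconds() // 60)))
        result[dst] = {
            "victims": [v for _, _, v in sessions],
            "concurrent": concurrent,
        }
    return result

if __name__ == "__main__":
    for dst, info in correlate(TABLE_1).items():
        print(dst, info)
```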

In conclusion, we see that telemetry provides a unique insight into ransomware operations, and ties the ransomware extortion on three different victims directly to the same RaaS operator. The telemetry analysis also shows opportunities for the next potential ransomware victim to strengthen their defense-in-depth posture against extortion and disruption by employing web filtering and DLP technology.
