Russian group DarkSide claims responsibility for hacking 2 Carolina-based companies

The group that the FBI says hacked Colonial Pipeline, identified as DarkSide, is also claiming responsibility for a number of other hacks, including the Charlotte-based company Piedmont Plastics.

FOX 46 Charlotte reached out to Piedmont Plastics for comment on Monday. A woman who answered the phone said they are “aware” of the hack.

On the dark web, DarkSide says it has “more than 150 GB of sensitive data” including accounting, HR, branch shares, and Excel share for Piedmont Plastics.

Another Carolina company impacted is Carolina Eastern, Inc. DarkSide claims to have:

Personal data of clients

Details of agreements

Terms of cooperation

Databases

Bank details

Information about the company’s activities

The group has also released a statement on the Colonial Pipeline attack:

“We are apolitical, we do not participate in geopolitics, do not need to tie us with a defined government and look for other our motives. Our goal is to make money, and not creating problems for society. From today we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future.”

DarkSide says they have certain rules for how they operate. They reportedly no longer attack the following organizations:

Funeral services (Morgues, crematoria, funeral homes)

DarkSide clarified the list of medical companies that they will not attack:

Medicine (only: hospitals, any palliative care organization, nursing

homes

Companies that develop and participate (to a large extent) in the

distribution of the COVID-19 vaccine)

FOX 46 spoke with Charlotte cyber-security expert Theresa Payton, the CEO of Foratalice Solutions. Payton was a White House chief information officer under President George W. Bush.

So how do these cyber attacks happen?

“Sending an email that looks legitimate,” explained Payton. “It could be they spoofed your own company’s domain name and they make it look like someone within the company. It could be a vendor of yours and they send an email and trick you into clicking on a link or opening an attachment. And that, typically, is the popular way they get in.”

FOX 46 tracked down DarkSide’s hidden website on the dark web. It contains the names of dozens of companies the group claims to have hacked, threatening to release thousands of gigabytes of sensitive financial and personal information if undisclosed ransoms aren’t paid. Two companies held up by these cybercriminals are based in the Carolinas: Carolina Eastern, which helps farmers, and Piedmont Plastics, based in Charlotte.

DarkSide claims to have more than 500 gigabytes of “sensitive” day for both companies.

President Biden said Monday there is no evidence the ransomware attack is tied to the Kremlin but there’s evidence it may have originated in Russia.

Payton says they have the hallmarks of “very seasoned professionals.”

“Even though they haven’t been around for a year it comes across as if maybe they’re nation-state operatives by day,” said Payton, “and perhaps this is maybe a commercial ransomware syndicate.”

Colonia Pipeline says segments of its pipeline are being brought back online. The plan is to “substantially restore operational service” by the end of the week, the company said.

Payton says the attack, which shut down the massive pipeline, couldn’t have come at a worse time.

“After months and months of reduced consumption of fuel because we didn’t need it for transportation, we’re just getting ready to ramp up, and then this happens,” said Payton. “I can’t think of a worse time for a horrible event like this to occur.”

The Colonial Pipeline transports gasoline and other fuel through 10 states between Texas and New Jersey. It delivers roughly 45% of the fuel consumed on the East Coast, according to the company.

At the moment, though, officials said there is no fuel shortage.

Colonial Pipeline said Saturday that it had been hit by a ransomware attack and had halted all pipeline operations to deal with the threat. DarkSide cultivates a Robin Hood image of stealing from corporations and giving a cut to charity.

The FBI has investigated this ransomware variant since October 2020.