CHARLOTTE, N.C. (WJZY) – The group that the FBI says hacked Colonial Pipeline, identified as DarkSide, is also claiming responsibility for a number of other hacks, including the Charlotte-based company Piedmont Plastics.
Sister station WJZY reached out to Piedmont Plastics for comment on Monday. A woman who answered the phone said they are “aware” of the hack.
On the dark web, DarkSide says it has “more than 150 GB of sensitive data” including accounting, HR, branch shares, and Excel share for Piedmont Plastics.
Another Carolina company impacted is Carolina Eastern, Inc. DarkSide claims to have:
- Personal data of clients
- Details of agreements
- Terms of cooperation
- Bank details
- Information about the company’s activities
The group has also released a statement on the Colonial Pipeline attack:
“We are apolitical, we do not participate in geopolitics, do not need to tie us with a defined government and look for other our motives. Our goal is to make money, and not creating problems for society. From today we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future.”
DarkSide says they have certain rules for how they operate. They reportedly no longer attack the following organizations:
- Funeral services (Morgues, crematoria, funeral homes)
DarkSide clarified the list of medical companies that they will not attack:
- Medicine (only: hospitals, any palliative care organization, nursing
- Companies that develop and participate (to a large extent) in the distribution of the COVID-19 vaccine)
WJZY spoke with Charlotte cyber-security expert Theresa Payton, the CEO of Fortalice Solutions. Payton was a White House chief information officer under President George W. Bush.
So how do these cyber attacks happen?
“Sending an email that looks legitimate,” Payton said. “It could be they spoofed your own company’s domain name and they make it look like someone within the company. It could be a vendor of yours and they send an email and trick you into clicking on a link or opening an attachment. And that, typically, is the popular way they get in.”
WJZY tracked down DarkSide’s hidden website on the dark web. It contains the names of dozens of companies the group claims to have hacked, threatening to release thousands of gigabytes of sensitive financial and personal information if undisclosed ransoms aren’t paid. Two companies held up by these cybercriminals are based in the Carolinas: Carolina Eastern, which helps farmers, and Piedmont Plastics, based in Charlotte.
DarkSide claims to have more than 500 gigabytes of “sensitive” data for both companies.
President Joe Biden said Monday there is no evidence the ransomware attack is tied to the Kremlin but there’s evidence it may have originated in Russia.
Payton says they have the hallmarks of “very seasoned professionals.”
“Even though they haven’t been around for a year it comes across as if maybe they’re nation-state operatives by day,” Payton said, “and perhaps this is maybe a commercial ransomware syndicate.”
Colonial Pipeline says segments of its pipeline are being brought back online. The plan is to “substantially restore operational service” by the end of the week, the company said.
Payton says the attack, which shut down the massive pipeline, couldn’t have come at a worse time.
“After months and months of reduced consumption of fuel because we didn’t need it for transportation, we’re just getting ready to ramp up, and then this happens,” said Payton. “I can’t think of a worse time for a horrible event like this to occur.”
The Colonial Pipeline transports gasoline and other fuel through 10 states between Texas and New Jersey. It delivers roughly 45 percent of the fuel consumed on the East Coast, according to the company.
At the moment, though, officials said there is no fuel shortage.
Colonial Pipeline said Saturday that it had been hit by a ransomware attack and had halted all pipeline operations to deal with the threat. DarkSide cultivates a Robin Hood image of stealing from corporations and giving a cut to charity.
The FBI has investigated this ransomware variant since October 2020.