In this episode of the podcast (#214), Brandon Hoffman, the CISO of Intel 471, joins us to discuss the recent ransomware attack on the Georgia-based Colonial Pipeline and the suspected group behind it: DarkSide, a ransomware-for-hire cybercrime outfit.


It was just a week ago, May 7th, 2021, that a successful cyberattack against one of the largest U.S. oil and gas pipelines, operated by the Colonial Pipeline Company, forced it to shut down and plunged the U.S. government into an unanticipated crisis. Within days, there were reports of consumers panic-buying gasoline, leading to fuel shortages in the southeastern United States.


Then, almost as suddenly as the crisis appeared, it was over. Colonial, which was reported to have paid the DarkSide group a $5 million ransom to regain access to its servers, announced that it would restore pipeline operations by the end of the week. And, in a message to a private forum on Thursday captured by the firm Intel 471, the ransomware group credited with the attack, known as "DarkSide," said that it was shutting down after its blog, payment server and Internet infrastructure were seized by law enforcement and cryptocurrency from a DarkSide-controlled payment server was diverted to what was described as an "unknown account."

An image of the message posted by the DarkSide group announcing that it was ceasing operations. (Image courtesy of Intel 471.)

Other news reports suggest the cybercriminal underground was getting skittish about ransomware groups now that the full force of the U.S. government appears to be focused on rooting them out. Reports out Friday claim that the Russian hacking forum XSS has banned all topics related to ransomware.


What happened? And who, or what, is the DarkSide group responsible for the Colonial Pipeline attack? We invited Brandon Hoffman, CISO at the firm Intel 471, back into the studio to talk about DarkSide, which Intel 471 has followed and profiled in depth since it emerged last summer.

“They (DarkSide) don’t necessarily want to have their affiliates attack Critical Infrastructure or the government.”

-Brandon Hoffman, CISO Intel 471

The quick collapse seen in recent days may be a case of DarkSide biting off more than it could chew by attacking a target that put it in the crosshairs of the U.S. government. But, as we discuss, the Colonial Pipeline hack also raises a number of questions about the state of America's critical infrastructure and whether it is secure enough to withstand both directed and opportunistic attacks. "Ransomware is no longer a cybercrime problem, it's really a national security issue," Brandon tells me.


In this conversation, Brandon briefs us on DarkSide and outlines the group's motivations and its processes for working with affiliates and selecting victims. The attack on Colonial will almost certainly prompt changes by attackers, who will be wary of inviting retaliation from nations like the U.S.

Carolynn van Arsdale (@Carolynn_VA) contributed to this story.


As always, you can check out our full conversation in our latest Security Ledger podcast at Blubrry. You can also listen to it on iTunes and check us out on SoundCloud, Stitcher, Radio Public and more. Also: if you enjoy this podcast, consider signing up to receive it in your email. Just point your web browser to securityledger.com/subscribe to get notified whenever a new podcast is posted.

In this episode of the podcast (#212), Brandon Hoffman, the CISO of Intel 471, joins us to discuss that company's latest report, which looks at China's diversified marketplace for stolen data and stolen identities.


Data leaks, data breaches and data dumps are so common these days that they don't even attract that much attention. Back in 2013, news that hackers stole data on tens of millions of customers of the software maker Adobe dominated the headlines for days. These days, news that companies like Facebook or LinkedIn exposed data on hundreds of millions of users barely registers a collective shrug.

“What’s a better way to understand a person you’re trying to victimize than to understand their habits? That way you can have a better chance that whatever scam you’re trying to run has success.” 

-Brandon Hoffman, CISO Intel 471

Data leaks and data breaches, for all intents and purposes, have become just the price of doing business online. But those who are ready to be blasé about breaches may be overlooking the role that leaked and stolen data plays in other, more serious problems such as targeted cyber attacks.


A Stolen Data Ecosystem Grows In China

Data lifted today from a health insurer, government agency or retailer often informs tomorrow's targeted spear phishing attack, one that can steal sensitive intellectual property, redirect government secrets or fuel attacks on critical infrastructure. That's the conclusion of a recent report by the company Intel 471. The company studied how Chinese cybercriminal groups use big data technology to monetize the data they obtain (often: steal) and sell it in the Chinese-language underground. Its research revealed a sophisticated cybercriminal ecosystem of data brokers, insiders and the cybercriminals who obtain the sensitive data in the first place.


In this interview, we invited Brandon Hoffman, the CISO at Intel 471, into the studio to talk about the report and the way the market for stolen data has created a number of "sub-economies" that help fuel cybercrime.