The Colonial Pipeline cyber attack is being seen by many a step too far by clumsy cyber actors. Will it be the catalyst for stronger government action globally? Or is it a business model that will continue to render profits to threat actors?
When the largest petroleum pipeline in the US shut down recently, it brought parts of the country to a standstill. You see, the Colonial Pipeline weaves over 8,850 kilometres between Texas and New York supplying some 10 states with gas, diesel, jet fuel and heating oil. So when, on May 7 this year, the Colonial Pipeline Company shuttered this veritable economic lifeblood of America, it caused fears of fuel shortages and a mass run at petrol bowsers.
We’ve seen something like this before – for toilet paper during Australia’s first shut-down last year during the COVID-19 pandemic!
DarkSide strikes again
Hackers affiliated with the DarkSide crime group had broken into Colonial’s network, and the company claimed it feared they could cause massive damage to the pipeline.
So the firm decided to pay the hackers a US$4.4 million ransom to help recover its encrypted data.
Demand for petrol shot up 40%. So many people were caught filling up storage tanks and unsafe containers that American consumers had to be warned against filling plastic bags with gasoline.
Shortages of petrol were reported across 5 states. By day #11, some 87% of petrol bowsers in Washington, D.C. were empty. On May 9, as bowsers ran dry, President Joe Biden declared a state of emergency. All this over a cybersecurity incident.
Russian hackers (likely) strike again
There was a time when cyber attacks barely captured public attention. Now, a cybercrime storm deals damage that is often impossible to quantify.
The storm is a financially-motivated digital assault from criminal ransomware hacker groups often sheltered in Russia who target organisations in the West.
These hackers break into organisations to encrypt sensitive and mission-critical data, forcing victims to reverse the damage by paying ransom demands that regularly exceed US$10 million. Those who refuse watch helpless as their customers’ and corporate sensitive files appear online.
This assault adheres to no known rules of war (literal or metaphorical); threat actor groups have ground hospitals to a halt amid raging COVID-19 outbreaks. They have released the health records and personal information of untold scores of victims when their ransom demands have gone unmet.
Extortion demands only five years ago broke records if they exceeded AUD$10,000. The decision then to pay was trivial for many large businesses. It is now fraught, with some cyber insurance companies refusing to cover ransomware attacks.
This crime wave has left a litany of victims. Technology giants Apple and Acer – the latter which was extorted for US$50 million – aircraft manufacturer Bombardier, and insurance firms CNA and AXA join others too numerous to quantify.
A darker side
The DarkSide cybercrime group emerged in August last year as a developer of ransomware. By November, it stopped hacking organisations directly and instead rented out its eponymously named ransomware to customers, known as affiliates, who would themselves conduct attacks and hand DarkSide an average 20 percent cut of the profits, or 10 percent when the ransom payment exceeded US$5 million.
This so-called ransomware-as-a-service model first emerged almost exactly six years before the Colonial Pipeline attack. The innovator, known as Tox ransomware, was a shaky proposition that ultimately failed. Yet it set the groundwork for what would years later become a very profitable criminal enterprise.
Now, most cybercrime can be pulled off by much lower-skilled criminals who buy access to organisations from other criminals who have already broken in. Criminals then use popular and relatively simple hacker tools to complete their mission.
The rush of new entrants to the ransomware game has fattened those 20% commissions to DarkSide and other groups operating the same model.
Tox made little money and quickly folded. But its legacy is profound: DarkSide in a mere nine months is thought to have amassed an eye-watering US$90 million in profits of which US$75 million went to affiliates.
Then in early May, a DarkSide affiliate overstepped what many saw as a red line.
Hack them back?
Former US Federal Reserve chairman Alan Greenspan shocked few when he wrote that the Iraq war was “largely about oil”; successive US administrations have been proactive in ensuring the security of global oil reserves.
And so the hack of Colonial Pipeline Company was largely seen within the cyber security community as the crossing of a red line by cybercrime groups. All eyes were on the US government – whose public response to the ransomware crises to date has been minimal– to see how it would react to the loss of the major fuel pipeline.
President Biden said the Administration had been in “direct communication with Moscow about the imperative for responsible countries to take decisive action against ransomware networks”.
A day later, DarkSide claimed to have lost control of its infrastructure. Its Bitcoin ransom stash was drained and had been funnelled to an “unknown account”, according to the group
“A couple of hours ago, we lost access to the public part of our infrastructure, in particular to the blog, payment server, CDN (content delivery network) servers … [and] the hosting panels,” it said in a post on the Russian language XSS underground crime forum.
“In view of the above and due to the pressure from the US, the affiliate program is closed. Stay safe and good luck”.
DarkSide shut down its services and was accused of running off with ransom money meant for affiliate criminal groups. And in a bizarre turn of events, the XSS crime forum then held what was dubbed a ‘hacker’s court’ to reimburse affiliates from a US$900,000 deposit DarkSide had left with the website.
Decryption tools needed for victims to restore their ransomed files were released, but it is unclear if they were sent to those who had not paid ransoms.
US officials denied the shutting of DarkSide was the US government’s handiwork.
Cyber security experts wondered if the disruption had even happened at all, and was potentially a distraction used by DarkSide to cut and run with affiliate profits.
Is a storm coming?
The ransomware crisis has continued unbated. Strained diplomatic ties between the US and Russia, and a history of Moscow sheltering cyber criminals who advance its economic and geopolitical interests, have made traditional law enforcement via extradition and arrest warrants all but impossible.
Cyber criminals have made hundreds of millions of dollars targeting the West from under the protection of Moscow. They go so far to avoid the ire of their overseers that many, including DarkSide, ensure their malware shuts down when the Russian language is detected on target computers.
Troubled old arguments espousing the need to hack back against cyber attacks have risen in the wake of the Colonial Pipeline attack.
Governments, including in Australia, have the capability and capacity to effectively disrupt ransomware groups. They do so routinely against child exploitation rings and online illegal drug markets.
The ransomware gangs for their part are as vulnerable as the victims they target. Many are far from the technically-skilled adversaries of decades prior. Rather, they demonstrate a mediocre ability to secure and conceal their operations, and as a result their identities are often known to law enforcement.
Sources close to Colonial Pipeline incident say the DarkSide cybercriminals did not showcase great technical capability in hacking the pipeline control systems. Rather, they accessed the corporate network and were close to getting into Colonial Pipeline Company’s billing platforms.
The pipeline shutdown that caused so many to flock to the bowser, sources claim, was an economic decision by the company over concerns it would not know how much to bill customers for the fuel they received.
Yet hacking back is fraught. Cyber criminals often launch their attacks from hacked infrastructure owned by small businesses whose unpatched websites function as malware caches, and hosts for phishing sites and watering hole attacks.
Hack back operations risk disrupting legitimate organisations and running into legal trouble when infrastructure lies across jurisdictions.
Cyber criminals haven’t appreciated the extra attention. DarkSide and other ransomware affiliate groups have been banned from several criminal underground forums.
Meanwhile, President Biden has signed a new executive order requiring federal contractors to quickly report cyber security incidents to the government and ordered a review, similar to air crash investigations, be conducted into major breaches. It would also increase cyber security requirements across government.
“The current market development of build, sell and maybe patch later means we routinely install software with significant vulnerabilities into some of our most critical systems and infrastructure,” a senior Biden administration official said earlier this month.
“The cost of the continuing status quo is simply unacceptable.”