[By Tom Uren]
Almost inadvertently, US energy security has been threatened by a ransomware attack which demonstrated dramatically how the consequences of such hacks are escalating.
This one probably won’t be the worst, but it will change the way governments respond to ransomware.
Colonial Pipeline carries gasoline, diesel and jet fuel from Houston to New York, with an array of branch lines servicing states across the eastern seaboard of the US. On Saturday May 8, Colonial announced that it had been the victim of a ransomware attack and that to contain the threat it “proactively took certain systems offline,” which “temporarily halted all pipeline operations.”
In a sense, that highlights critical infrastructure’s vulnerability. The halt to pipeline operations was entirely unintended by those who carried out the ransomware attack, and the operational disruption was “collateral damage.”
The hackers did not target the pipeline’s industrial control systems to deliberately stop the flow of oil. Colonial itself shut down systems to prevent further spread of malware. This disruption would likely have been far worse had the group intended to disrupt the pipeline.
As the shutdown continued over several days, petrol prices surged, service station queues lengthened, customers hoarded fuel as pumps ran dry and the US Consumer Product Safety Commission warned people to “not fill plastic bags with gasoline.” The US Department of Transportation temporarily loosened road transport rules to allow more road-based shipment of fuel as concern over shortages escalated within government.
By Monday May 10, the FBI announced that DarkSide ransomware was responsible for the Colonial hack.
DarkSide operates on a “ransomware as a service” business model, providing centralized services that their “affiliates” can use to extort money from victim organizations. The affiliates conduct the operations, but DarkSide receives a 10–25 percent cut of the ransom. Services fundamental to running ransomware operations include payment servers, encryption and decryption tools to lock and unlock victim data, and a blog to claim responsibility, advertise hacks and pressure companies.
But beyond ransomware, DarkSide affiliates also steal data and threaten to leak it. As victims with good backups may still be motivated by the threat of sensitive data being leaked, this second method of extortion is increasingly common among ransomware gangs. In these instances, DarkSide would collect and store victim data on staging servers.
Other services were even more innovative. It appears that DarkSide was also willing to let paying customers know when they’d hacked publicly listed companies ahead of their blog announcements, presumably so they could short sell stocks ahead of the news of a ransomware attack.
While they were developing a portfolio of extortion tools and tactics, DarkSide was also attempting to manage its reputation to avoid attracting law enforcement attention. It stated that it would not attack medical facilities, schools and universities, non-profits, governments and the funeral sector.
There’s good evidence that the criminals are Russian. They recruit Russian-speaking affiliates and advertise on Russian-language forums; they don’t attack the former Soviet republics of the Commonwealth of Independent States; and their malware won’t attack devices with Russian language settings.
In the aftermath of the Colonial Pipeline hack, DarkSide issued a statement saying:
We are apolitical, we do not participate in geopolitics, do not need to tie us with a defined government and look for other our motives. Our goal is to make money, and not creating problems for society. From today we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future.
In part this seems to be an attempt to distance DarkSide from the Russian government; parts of Eastern Europe and Russia are a permissive environment where cyber criminals are tolerated, but if gangs start to cause geopolitical problems local law enforcement could suddenly become motivated to act.
And diplomatic pressure is being applied. US President Joe Biden said that although he didn’t believe the Russian government was involved, the criminals were Russian. “We have been in direct communication with Moscow about the imperative for responsible countries to take decisive action against these ransomware networks,” Biden said.
Within a day of discovering the attack the CEO of Colonial Pipeline had decided to pay the ransom, saying later that “it was the right thing to do for the country.” The pipeline returned to full operation within the week, although the decryption tool was reportedly so slow that Colonial continued to restore from backups.
Paying ransoms is clearly undesirable from a public policy point of view—it encourages further ransomware attacks and funds the evolution of the ransomware ecosystem. Yet at the same time ransom negotiations will settle on a price where the cost–benefit of paying can be justified and there are many situations where payment is clearly in the best interests of stakeholders.
But cyber insurance should not be used to pay ransoms. Unlike many other types of insurance, cyber insurance deals with a human adversary and the threat is rapidly evolving. Current practice is a vicious circle where insurance payouts encourage and fund improved ransomware which extracts more insurance payouts. Perversely, ransomware hackers will search for their victims’ insurance policies and then use the insured amount to set ransom demands.
In total, DarkSide appears to have extracted at least $90 million in ransoms since August, and more than $9 million in the month of May alone. That was made up of $4.4 million from a chemical distribution company and $5 million from Colonial Pipeline. With increasing attention (Biden said the US would “pursue a measure to disrupt their ability to operate”), the sum seems to have been enough for the hackers.
The day after Biden’s statement the DarkSide hackers said they’d lost access to their infrastructure including their blog and payment servers and would be shutting their service. Lightning-fast US retaliatory action seems unlikely given the time required to prepare for a cyber operation, and the DarkSide crew may simply have taken the money instead of paying their affiliates.
In the short term, DarkSide may have disappeared but, given the sheer volume of money available, other criminals will fill the void. Beyond improving defences, this story also shows that a promising approach is to focus on the ransomware ecosystem and its incentives.
DarkSide and similar groups actively try to avoid law enforcement attention and minimize associations with the state in which they operate. Western nations need to align diplomatic, intelligence and law enforcement efforts to make it much harder for ransomware crews to operate with impunity.
Tom Uren is a senior analyst in ASPI’s International Cyber Policy Centre. This article appears courtesy of The Strategist and may be found in its original form here.