Cyber Attack with National Security Implication, but no Intentions

  • Simone Neads
  • 3.6.2021 18:07

The Darkside ransomware attack of US infrastructure shows the real danger of for profit cyber operations. These operations are increasing -- both in the number of criminal groups, and in the ransom they demand. Stopping them means improving defence, and trying to hold the guilty responsible.

The recent cyber attack on the Colonial Pipeline, could have been the perfect attack on American infrastructure. It took out a key energy source, disrupting transportation, trade, and economics. It the outage had lasted longer, the consequences of the attack would have been catastrophic. 

Imagine for a second if the outage had been caused by a terrorist organization or a rogue state. If the attack had been intended to cause as much harm as possible to the United States, instead of extorting crypto currency. The attack could have been carried out in almost the exact same way. 

The attackers could have first gotten access into the system, either through social engineering or traditional hacking. Both are very possible given the age of much of the digital infrastructure in the United States. Exploiting employees would probably be the easiest and cheapest method. Social engineering takes comparatively little digital skills, and in large organizations finding someone to exploit would be highly probable. 

Then instead of encrypting the system with ransomware, attackers could have infected the entire system with malware designed to inflict as much harm as possible. This would take much longer to recover from than a ransomware attack, because it could remove access to the system completely, or worse take control of the system and intentionally sabotage it. 

Thankfully the Colonial Pipeline attack was not hostile. The group responsible, Darkside, even put out a statement in response to the attack, saying that they are not political: 

“We are apolitical, we do not participate in geopolitics, do not need to tie us with a defined [government] and look for other our motives,” DarkSide’s statement said. “Our goal is to make money, and not creating problems for society.”

Despite this, the nature of the Colonial Pipeline attack, that it hit directly to the heart of American infrastructure, led many to speculate that it was more than just a ransom attack, that it was politically or strategically motivated. The truth may never be truly discovered, but looking at cyber attacks as either purely criminal acts or purely political, often hides much of the complexity of attribution.  

Cyber Attribution 

Joshua Miller @chicagocyber, a senior intelligence analyst created a highly useful spectrum in which to understand foreign cyber attacks. The spectrum starts with highly effective states that are able and willing to investigate, prosecute, and even extradite cyber criminals, like the UK. Then progresses to states that are willing but not able to stop cyber crime, like Nigeria. The spectrum elevates through the levels of government involvement in criminal cyber activity, and concludes with fully government operated cyber units. 

- State-Prohibited
- State-Prohibited but Inadequate
- State-Ignored
- State-Encouraged
- State-Shaped
- State-Coordinated
- State-Ordered
- State-Rogue
- State-Executed
- State-Integrated

This spectrum helps to break away from simple binaries when trying to attribute cyber attacks. When applied to the Colonial Pipeline attack, most evidence suggests that it originated from Russia, and was either State-Ignored or State-Encouraged. 

Currently, there is no official attribution that has found that the attack originated in Russia, however it is being reported as Russian in many media sources. This is partly because of the code that was used, and partly because of similar attacks that have been traced back to Russia. 

Darkside and Ransom attacks 

The program that is used by Darkside will not encrypt a Russian language computer. The program, once it has access to a user account, will run certain preliminary tests of the system before launching the decryption attack. The first is to climb as high within the organization’s system as possible in order to infect as much as possible. Another part of the software looks specifically for Russian characters in the operating system, if these are detected the attack is terminated. This on its own does not prove that the group is Russian, it could always be a false-flag as internet commentators are always eager to point out. However, it is an interesting indicator. 

There have been many previous ransomware attacks that have originated in Russia, Evil Corp, a previous international ransomware group registered all domains through Russia. WIZARD SPIDER which uses Ryuk ransomware was identified because they used Russian filenames. And FIN7, which stole 15 million credit card records as well as orchestrated social engineering attacks against mostly US targets, was found recruiting in Russian forums.

One of the reasons that cyber criminals operate out of Russia, is because Russia does not extradite to the US. This means that even in cases where the criminals are tracked by the FBI or similar international intelligence, they often are unable to prosecute them directly, and are left with issuing indictments or creating targeted sanctions. 

This means that even non-Russian cyber operations may choose to be located in Russia. Especially in the case of for profit operations that do not have underlying political or strategic motivations. The group responsible, Darkside, seems to fit this profile perfectly; they offered their encryption software to subsidiary groups in exchange for a percentage of any successful operations. 

There may be a much more practical reason for the geographic choice of targets, as it is not just Darkside that has followed this pattern. Previous groups have also been found to not only spare Russian targets, but also Russian allies with filters against Kazakh and Ukrainian targets. This could indicate that they are operating in these territories and are trying to avoid any clashes with local authorities.

The final aspect to take into consideration is the complex history of the Kremlin engagement with these groups. Often cyber criminals will carry out attacks that mirror Russian national interests. These include the attacks against the Olympics, political rivals, and the most well known NotPetya attack that was originally against Ukraine. While the Kremlin generally denies any connection to these acts, the British Government has stated that the Russian military was “almost certainly” behind NotPetya. 

This historic connection, on its own, does not prove that the Kremlin was connected to Darkside. However, it does indicate at least some level of awareness between the criminal organizations and Russian institutions. 

State responsibility? 

Given the amount of information that is available right now, it is impossible to attribute the Darkside attack to Russia. Doing so not only risks being proved wrong, it covers up a much more interesting story. However, stating that these are purely apolitical, and motivated by profit, ignores Russia’s complicity in the operations.

Using Miller’s continuum it would be more appropriate to assume that the attack may be State-Ignored, as Russian authorities are unlikely to act against groups that are only a threat outside of Russia. Or, given Russian History with criminal cyber operations, and Darkside’s selection of targets, it may be possible to assess these operations as even State-Encouraged. 

This means that Russia could stop this criminal activity, but has chosen not to. Unlike most countries who understand that international crime can only be stopped collaboratively, through international investigations and extradition, Russia has chosen to ignore and benefit from the activity. 

This means that Russia should ultimately be held responsible - even if the Kremlin did not orchestrate the attack.

About author: Simone Neads


Tento web používá k analýze návštěvnosti soubory cookie. Používáním tohoto webu s tím souhlasíte. Další informace