COMMENT: With the explicit threat of domestic fascist (yes, not “right wing”) terrorism looming large in the wake of the Capitol Riot and the 2nd Trump impeachment proceedings, a hacking attempt at poisoning the water supply of a town very near Tampa in the run-up to the Super Bowl warrants scrutiny.
Key Points of Analysis and Discussion:
- “. . . . Someone had taken remote control of a plant operator’s machine – and in just a few minutes, they increased the level of sodium hydroxide in the city’s drinking water by a factor of 100. After spiking the caustic substance to unsafe levels, the hacker immediately left the system. . . .”
- “. . . . ‘The hacker changed the sodium hydroxide from about 100 parts per million to 11,100 parts per million,’ [Pinellas County Sheriff Bob] Gualtieri said on Monday, during a briefing about the attack. . . .”
- “. . . . At one point in the briefing, Gualtieri was asked if he would call the incident an attempted bioterrorism attack. ‘It is what it is,’ he replied. ‘Someone hacked into the system, not just once but twice,’ to take control of the system and change the water chemistry to unsafe levels. . . .”
- “. . . . Oldsmar is a small city northwest of Tampa, roughly 12 miles away from Raymond James Stadium, which hosted the Super Bowl two days after the hacking attack. . . . The intruder broke into the system at least twice on Friday, taking control of a plant operator’s computer through the same methods a supervisor or specialist might use. . . .”
It started with a cursor moving on its own, sliding across a computer screen at the water treatment plant in Oldsmar, Fla. Someone had taken remote control of a plant operator’s machine – and in just a few minutes, they increased the level of sodium hydroxide in the city’s drinking water by a factor of 100. After spiking the caustic substance to unsafe levels, the hacker immediately left the system.
The plant operator quickly reset the sodium hydroxide level back to normal parameters before the rogue action posed a threat to the water supply, officials say. But the incident, which took place Friday, is now being investigated by local authorities as well as the FBI and Secret Service, according to Pinellas County Sheriff Bob Gualtieri.
“The hacker changed the sodium hydroxide from about 100 parts per million to 11,100 parts per million,” Gualtieri said on Monday, during a briefing about the attack. “This is obviously a significant and potentially dangerous increase. Sodium hydroxide, also known as lye, is the main ingredient in liquid drain cleaners. It’s also used to control water acidity and remove metals from drinking water.”
At one point in the briefing, Gualtieri was asked if he would call the incident an attempted bioterrorism attack.
“It is what it is,” he replied. “Someone hacked into the system, not just once but twice,” to take control of the system and change the water chemistry to unsafe levels.
If the person who conducted the hack is identified, Gualtieri said, they would likely face state felony charges, with the potential for federal charges depending on the circumstances, such as the place where the hack originated.
Oldsmar is a small city northwest of Tampa, roughly 12 miles away from Raymond James Stadium, which hosted the Super Bowl two days after the hacking attack. Oldsmar draws its water from wells; its system is separate from other nearby communities, the officials said.
The intruder broke into the system at least twice on Friday, taking control of a plant operator’s computer through the same methods a supervisor or specialist might use. The hack didn’t initially set off red flags, because remote access is sometimes used to monitor the system or trouble-shoot problems, Gualtieri said.
The first intrusion was fleeting and didn’t cause concern. But hours later, the hacker returned. And as the operator looked on, the sodium hydroxide settings were moved to dangerous territory. After resetting the system to normal levels, the operator raised the alarm. The sheriff was called; soon, federal investigators were also involved.
“Obviously, these investigations are very complicated right now,” Gualtieri said. “We do not have a suspect identified, but we do have leads that we’re following. We don’t know right now whether the breach originated from within the United States or outside the country.”
The FBI’s field office in Tampa confirms that its agents are working with the city and the sheriff’s office to find the person responsible.
The hack was clearly the act of someone trying to harm others, the sheriff said. But he and officials in Oldsmar also stressed that while the hack was a serious intrusion, public health was never at risk. In addition to the plant operator’s vigilance, they said, the water system has sensors that would have raised the alarm if pH levels suddenly skyrocketed. And it would have taken more than a day for the water to reach any customers, they added.
“We have pH alarms throughout the system,” City Manager Al Braithwaite said. “So obviously if you change the alkalinity level, the pH changes. That would have been an alarm throughout the entire system. So, even if we hadn’t noticed it right away, it would have alarmed to all our people to notice it quickly.”
The remote-access program that allowed the change to be made is now disabled, Braithwaite said, and the city is making further upgrades to its systems. And he said the attack on Oldsmar’s infrastructure didn’t come as a complete surprise. “We talk about it, we think about it, we study it,” he said. . . .
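The safeguards the article describes (engineering limits on the dosing setpoint, alarms on sudden chemistry changes, and scrutiny of remote-access sessions) can be written as detection logic. The following Python is an added example, not code from the Oldsmar plant or any vendor; the ppm limits, pH band, event format and the "CHG-0000" ticket id are assumptions, and the replayed events are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Engineering limits for the sodium hydroxide (lye) dosing setpoint in ppm, the
# largest single-write change tolerated, and the finished-water pH alarm band.
# All three are assumed values for this example, not the Oldsmar plant's.
NAOH_MIN_PPM, NAOH_MAX_PPM = 50.0, 200.0
MAX_STEP_FACTOR = 2.0
PH_MIN, PH_MAX = 6.5, 8.5

@dataclass
class Event:
    ts: int                        # seconds since start of the replay
    kind: str                      # "session_start", "session_end", "setpoint" or "ph"
    value: Optional[float] = None  # ppm for setpoint events, pH for ph events
    source: str = "console"        # "console" = local HMI, "remote" = remote-access tool
    ticket: Optional[str] = None   # change ticket authorising a remote session, if any

Alert = Tuple[int, str, str]       # (timestamp, rule name, detail)

def analyze(events: List[Event]) -> List[Alert]:
    """Replay events in time order and return the alerts a defender would want raised."""
    alerts: List[Alert] = []
    last_setpoint: Optional[float] = None
    remote_ticket: Optional[str] = None  # ticket of the open remote session, "" if unticketed
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "session_start" and ev.source == "remote":
            remote_ticket = ev.ticket or ""
            if not ev.ticket:
                alerts.append((ev.ts, "remote_no_ticket", "remote session opened without a change ticket"))
        elif ev.kind == "session_end" and ev.source == "remote":
            remote_ticket = None
        elif ev.kind == "setpoint" and ev.value is not None:
            v = ev.value
            if not NAOH_MIN_PPM <= v <= NAOH_MAX_PPM:
                alerts.append((ev.ts, "setpoint_out_of_range", f"NaOH setpoint {v:g} ppm outside engineering limits"))
            # Rate check: fires on the malicious jump and again on the operator's reset.
            if last_setpoint and v > 0 and max(v / last_setpoint, last_setpoint / v) > MAX_STEP_FACTOR:
                alerts.append((ev.ts, "setpoint_step", f"NaOH setpoint jumped {last_setpoint:g} -> {v:g} ppm"))
            if ev.source == "remote" and not remote_ticket:
                alerts.append((ev.ts, "remote_write", "setpoint written over a remote session with no change ticket"))
            last_setpoint = v
        elif ev.kind == "ph" and ev.value is not None and not PH_MIN <= ev.value <= PH_MAX:
            alerts.append((ev.ts, "ph_alarm", f"pH {ev.value:g} outside alarm band"))
    return alerts

# Constructed replay modelled on the incident described above: a brief remote
# session, then a second one hours later that pushes the setpoint from 100 to
# 11,100 ppm before the operator resets it. Timestamps are invented.
INCIDENT = [
    Event(0, "setpoint", 100.0),
    Event(3600, "session_start", source="remote"),
    Event(3605, "session_end", source="remote"),
    Event(18000, "session_start", source="remote"),
    Event(18120, "setpoint", 11100.0, source="remote"),
    Event(18125, "session_end", source="remote"),
    Event(18300, "setpoint", 100.0),   # operator resets from the local console
    Event(22000, "ph", 7.4),           # finished water never left the band
]

# A routine, ticketed remote adjustment at the same plant: should raise nothing.
ROUTINE = [
    Event(0, "setpoint", 100.0),
    Event(600, "session_start", source="remote", ticket="CHG-0000"),  # placeholder ticket id
    Event(650, "setpoint", 110.0, source="remote"),
    Event(700, "session_end", source="remote"),
]
```

Running `analyze(INCIDENT)` flags both unticketed remote sessions, the out-of-range write, the 111x jump and its reset, while `analyze(ROUTINE)` returns nothing; the pH sensor never trips because, as the city manager notes, the setpoint was reset long before the water chemistry could follow.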
US energy markets have once again been gripped by an emergency after a relatively new hacker group, known as DarkSide, successfully carried out a ransomware attack that shut down the Colonial oil pipeline on Friday. The pipeline carries 45% of the East Coast’s fuel supplies.
So unlike the last energy crisis, the culprit isn’t the rigged nature of Texas’s energy markets. But the identity and intent of that culprit still remains a mystery. The group is believed to be operating in the former Soviet Union, although that attribution appears to be exclusively based on the observation that this group has only been found to attack companies outside of those countries.
Also note that the group only popped up in August of 2020, so to some extent it doesn’t really make sense to focus on where the group has or hasn’t attacked. But, of course, the other obvious thing to keep in mind when reading these kinds of digital tea leaves is that it’s trivial for a group to maintain the appearance of operating in the former Soviet Union simply by not attacking companies in those countries. If not attacking companies in the former Soviet Union causes the cybersecurity industry to conclude that a group must be operating in that region of the world, it’s a pretty small price to pay for maintaining additional anonymity to simply lay off companies in the former Soviet Union. It’s a status quo that, ironically, kind of discourages hacking in the Soviet Union. Because why not just lay off those areas and let the rest of the world assume that’s where your group is operating?
Adding to the mystery is the fact that DarkSide has an unusual public relations approach to hacking. The group has already come out and claimed that it is solely interested in profits, has no geopolitical interests, didn’t intend to cause such a large disruption in the US energy markets, and pledged to avoid such disruptions in the future. And this isn’t the first time DarkSide has tried to come off as a relatively benign, or even ethical, hacking group. Back in November, the group made sizable bitcoin donations to two charities, Children’s International and the Water Project. Each donation was worth ~$10,000 at the time and conducted over The Giving Block, a platform that facilitates cryptocurrency donations for non-profit organizations. So that alone was pretty unusual for a hacking group. Especially one that only emerged months earlier. But there was a potentially significant signal sent in those donations that has taken on more potential significance now that the world is trying to identify the group that locked up the east coast’s fuel supplies: those two ~$10,000 donations were made in the form of 0.88 bitcoin donations. And 0.88 is, of course, a classic Nazi numerological symbol. So at the same time DarkSide was sending a ‘we’re friendly’ signal to the world it was also flashing neo-Nazi numerological gang signs.
Beyond that, it sounds like DarkSide isn’t even a distinct hacking group. It’s more like a franchise operation, where the core group develops cutting edge hacking software and then licenses it out to hacking groups who share a percent of their proceeds with DarkSide. It was a business model reflected by the statement issued by DarkSide: “From today, we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future.” Those “partners” are the groups that receive and use DarkSide’s cutting edge hacking software.
So the software from an advanced hacking tool development team was used to cripple one of the largest oil pipelines in the US, and the group issues a statement assuring the world that it is purely interested in profits, never intended such a large disruption, and is pledging to avoid them in the future. This same for-profit group made two large donations to two children’s charities that just happened to be 0.88 bitcoins each. It’s a reminder that the contemporary cyber approach of ‘reading the signs’ and making an ‘educated’ bet as to who is actually behind these hacks is often the best we can do but also nowhere close to being adequate for making meaningful cyber attributions. Not that this ambiguity will stop the world from simply assuming this is a Russian criminal group:
“The system, which runs from Texas to New Jersey, transports 45 percent of the East Coast’s fuel supply. In a statement Sunday, the company said that some smaller lateral lines were operational but that the main lines remained down.”
45 percent of the US east coast’s fuel supply. You have to wonder if the hackers initially recognized the potential impact of their hack. But that’s the crazy nature of contemporary hacking: you don’t really need to recognize the implications of your hack in order to pull it off. You just need to exploit the same hacking techniques that work on businesses large and small.
And note how we already have CrowdStrike’s Dmitri Alperovitch — the main champion of the cybersecurity industry’s contemporary ‘pattern recognition’ approach to publicly attributing hacks based on vague inferences — declaring that this hack should be treated as if it was a Russian government hack whether or not the government was behind the hack because Russia gives free rein to hackers who target the West:
And at the same time we have the cybersecurity industry primed to somehow attribute this hack to the Russian government, it’s also pretty notable that the hackers themselves have been publicly promoting this idea of being exclusively profit-oriented and not “creating problems for society”. Beyond that, the group claims it had no idea one of its ‘affiliates’ (recipients of its advanced hacking tools) had targeted Colonial and would put a stop to such behavior in the future. It’s a fascinating public relations play. Almost like taking a page from the NRA’s public relations playbook after a mass shooting and declaring “don’t blame us! blame the bad shooter!”:
“‘Our goal is to make money and not creating problems for society,’ DarkSide wrote on its website.”
Innocent extortionists. That’s how DarkSide appears to want to market itself to the world. All they want to do is make money. Not disrupt. And then the group blamed it all on one of its ‘partners’ and pledged to keep a closer eye on these partners in the future. All in all, it’s bizarre:
Adding to the bizarre nature of this public relations campaign is that the group appears to actually be shockingly evil, even by hacker standards. They operate like a business and distribute their advanced software to these “partners” for a cut of the profits. Like handing out advanced weapons to groups of criminals, letting them choose the targets, and taking a cut. It’s the exact opposite of the ‘ethical hacker’ public image the group is trying to cultivate. At the same time, when the group developed faster encryption software — a key tool for ransomware attacks — they sent out a press release and invited journalists to interview them. The group wants public attention for advancing hacking technology while also branding itself as ethical. It has the feel of a fascinating PsyOp designed to almost popularize ransomware attacks:
And note what is perhaps the most alarming aspect of this story: it’s possible the group that hacked into Colonial didn’t even need to do any hacking themselves. The dark web marketplace for login credentials is so vast it’s possible DarkSide’s partners simply purchased some login details for remotely accessing Colonial’s computers. It’s a particularly ominous detail coming on the heels of the great Microsoft Exchange Server hack from earlier this year. The kind of ominous detail that raises questions about just how many credentials for other critical infrastructure systems are floating around in these marketplaces right now:
And then there are the charitable donations from back in November: a pair of donations to children’s charities that came just a few months after the group seemed to first emerge. 0.88 bitcoin donations that just happen to double as neo-Nazi numerological gang signs:
“The hackers posted receipts for two separate donations of 0.88 of their stolen Bitcoins (about $10,000 each) on a dark web forum, apparently giving generously of the pilfered funds to two US-based charities: Children International and The Water Fund. Children International has already issued a statement indicating that it does not intend to keep the money, and presumably The Water Fund will follow. Any charity foolish enough to keep donations that can be traced back to ransomware could fall afoul of a variety of federal laws.”
So did DarkSide decide to donate $10,000 in bitcoins to two charities and just coincidentally choose to make these donations on the same day that 0.88 bitcoins was ~$10,000? Because if that wasn’t coincidental, the 0.88 bitcoin was a very deliberate choice. Whether or not it was a deliberate choice intended to signal the ideological orientation of the group (or just troll the world) is an interesting question that we don’t have answers for. But since everyone is trying to deduce the identity of this group based on the various clues deliberately left by the group, this seems like a clue worth incorporating into our analysis.
And then there are the clues that are maybe unintentionally left by the group. Clues like genuinely unethical hacks that involve massive indiscriminate data dumps filled with personal information:
All in all, it would appear that the one thing we can conclude about the DarkSide group is that it has an unusual interest in trying to present itself as an ethical hacking entity but looks more like a highly ambitious criminal enterprise. The group has literally created a “partner” system that revolves around creating an army of hackers armed with its cutting-edge hacking tools and then taking a cut. That is a super-villain kind of accomplishment. The kind of accomplishment that just might explain the group’s bizarre, contradictory interest in coming off as benign: if you’re a hacking group with the capacity to lock up critical infrastructure at will, having the public recognize the existential threat your group poses really is your biggest risk.
There was an interesting update on the ransomware attack against the Colonial Pipeline by the ‘DarkSide’ hacking group. First, recall how DarkSide is more of a hacking franchise than a single group. It creates the hacking software licensed out to others, and keeps a share of the ransomware profits. Also recall how DarkSide has been characterized as a Russian hacking group, a conclusion seemingly based solely on the location of the DarkSide hacking victims (i.e., if they don’t hack Russian companies, it must be a hacking group either operating at the behest of the Russian government or with its blessing). Next, recall how DarkSide made the curious decision to make twin donations of 0.88 bitcoins to two children’s charities last year in what appeared to be a public relations stunt. Finally, recall how Colonial ultimately paid ~75 Bitcoins in ransom to free up its pipeline. So we have a hacking group described by authorities as being Russian-based while flashing neo-Nazi numerological gang signs with its bitcoin donations.
Here’s the update: the FBI managed to seize 63.7 of those 75 bitcoins. The operation is being touted as a means of discouraging ransomware operators by demonstrating the ability to disrupt the ransomware payment system. The catch is that the FBI isn’t saying precisely what it did to seize those bitcoins, so it remains unclear if the technique used can be replicated or not for other ransomware attacks. As the following article describes, there are three scenarios experts are looking at:
1. DarkSide used poor operational security that revealed the physical location of the server hosting the Bitcoin wallet, allowing the FBI to seize the computer and retrieve the private keys for the bitcoins.
2. Someone in DarkSide flipped and handed the FBI access to the wallet.
3. The FBI utilized a zero-day exploit that caused DarkSide to inadvertently reveal the location of the server hosting its Bitcoin wallet, giving the FBI the information it needed to seize the server.
At this point we don’t know which of those three scenarios we’re looking at. But what we do know is that the seized server was in Northern California because that’s where the judge issued the seizure warrant. And we also know that the 63.7 bitcoins seized by the FBI is ~85% of the 75 bitcoin ransom. And that suggests those 63.7 bitcoins were the bitcoins ‘earned’ by the people who actually carried out the ransomware attack using DarkSide’s hacking tools. Because we know that DarkSide gives the hackers a default 75% cut, with that cut rising to 90% for hacks that pay ransoms worth more than $5 million. When Colonial paid that 75 bitcoin ransom, it would have been worth just around $5 million. Based on the above facts, it’s reasonable to suspect that the 63.7 bitcoins sitting on that Northern California server represent the cut from the actual hackers who carried out the attack.
Now, as is the case with all hacks, we can’t conclude too much based on the location of a server used in a hack. The person using that server could have been located anywhere on the planet and remotely accessing it. But given the common assumption in the cybersecurity industry that hackers operate out of server farms in Russia because the Russian government will go easy on them, it raises the question of how we should interpret the fact that this hacker was willing to run the ransomware bitcoin transaction software on a Northern California server. Why make that decision when it obviously leaves the Bitcoin wallet vulnerable to exactly the kind of seizure the FBI carried out? Nothing prevented them from choosing a Russian server to host that software. So why was this curious decision made? Did someone desire physical access to the server so they could retrieve the keys in person, without leaving a digital trail for the final step, perhaps? These are the kinds of questions raised by this report. The kinds of questions that raise more questions about who is actually behind DarkSide:
“Knowing how the FBI obtained the DarkSide actor’s private key is critical to determining whether law enforcement might be able to follow the money again and remove the economic incentive for other ransomware attackers in the future. According to reports of an FBI press call on the wallet seizure, the Bureau said it is deliberately vague regarding how it obtained the private key to avoid tipping off hackers. According to one agent, the method the FBI used is “replicable,” which means authorities could use it against the next ransomware attacker. The FBI also revealed it received substantial help from the Microsoft Threat Intelligence Center (MSTIC) in seizing the wallet.”
Does the FBI have a new capacity to seize Ransomware funds? Or did DarkSide just f*ck up? The FBI is being intentionally vague. But there’s no vagueness about where the server was physically located because it had to be under the jurisdiction of the Northern California judge who issued the seizure warrant. Hence the speculation that DarkSide may have somehow screwed up and revealed the location of the server hosting the software used to collect the ransomware payments:
And regardless of which of these three scenarios we are looking at, all three raise the question: why did they choose a Northern California server to host the ransomware software? They literally hacked the most crucial pipeline supplying fuel to the East Coast and one of the servers they used to carry out this operation was located in the same country, making it readily available for seizure by law enforcement. That’s beyond being just an OpSec f*ck up. It’s the kind of decision where the only obvious compelling rationale for it is if the person carrying out this hack needed to have physical access to the server. Don’t forget: if the server hosting this ransomware software was located in Russia, it probably wouldn’t have mattered if the FBI identified the location of the server or not. All of this was possible because the person who licensed DarkSide’s software and actually executed this hack decided to locate that server in Northern California. So we have to ask, why did this hacker choose a Northern California server to hack a US pipeline? Along with the obligatory question of why these obvious questions don’t seem to get actually asked.