Spitfire List Web site and blog of anti-fascist researcher and radio personality Dave Emory.


Don’t Drink the Water


COMMENT: With the explicit threat of domestic fascist (yes, not “right wing”) terrorism looming large in the wake of the Capitol Riot and the 2nd Trump impeachment proceedings, a hacking attempt at poisoning the water supply of a town very near Tampa in the run-up to the Super Bowl warrants scrutiny.

Key Points of Analysis and Discussion:

  • “. . . . Someone had taken remote control of a plant operator’s machine – and in just a few minutes, they increased the level of sodium hydroxide in the city’s drinking water by a factor of 100. After spiking the caustic substance to unsafe levels, the hacker immediately left the system. . . .”
  • “. . . . ‘The hacker changed the sodium hydroxide from about 100 parts per million to 11,100 parts per million,’ [Pinellas County Sheriff Bob] Gualtieri said on Monday, during a briefing about the attack. . . .”
  • “. . . . At one point in the briefing, Gualtieri was asked if he would call the incident an attempted bioterrorism attack. ‘It is what it is,’ he replied. ‘Someone hacked into the system, not just once but twice,’ to take control of the system and change the water chemistry to unsafe levels. . . .”
  • “. . . . Oldsmar is a small city northwest of Tampa, roughly 12 miles away from Raymond James Stadium, which hosted the Super Bowl two days after the hacking attack. . . . The intruder broke into the system at least twice on Friday, taking control of a plant operator’s computer through the same methods a supervisor or specialist might use. . . .”

“FBI Called In After Hacker Tries To Poison Tampa-Area City’s Water With Lye” by Bill Chappell; National Public Radio; 02/09/2021

It started with a cursor moving on its own, sliding across a computer screen at the water treatment plant in Oldsmar, Fla. Someone had taken remote control of a plant operator’s machine – and in just a few minutes, they increased the level of sodium hydroxide in the city’s drinking water by a factor of 100. After spiking the caustic substance to unsafe levels, the hacker immediately left the system.

The plant operator quickly reset the sodium hydroxide level back to normal parameters before the rogue action posed a threat to the water supply, officials say. But the incident, which took place Friday, is now being investigated by local authorities as well as the FBI and Secret Service, according to Pinellas County Sheriff Bob Gualtieri.

“The hacker changed the sodium hydroxide from about 100 parts per million to 11,100 parts per million,” Gualtieri said on Monday, during a briefing about the attack. “This is obviously a significant and potentially dangerous increase. Sodium hydroxide, also known as lye, is the main ingredient in liquid drain cleaners. It’s also used to control water acidity and remove metals from drinking water.”

At one point in the briefing, Gualtieri was asked if he would call the incident an attempted bioterrorism attack.

“It is what it is,” he replied. “Someone hacked into the system, not just once but twice,” to take control of the system and change the water chemistry to unsafe levels.

If the person who conducted the hack is identified, Gualtieri said, they would likely face state felony charges, with the potential for federal charges depending on the circumstances, such as the place where the hack originated.

Oldsmar is a small city northwest of Tampa, roughly 12 miles away from Raymond James Stadium, which hosted the Super Bowl two days after the hacking attack. Oldsmar draws its water from wells; its system is separate from other nearby communities, the officials said.

The intruder broke into the system at least twice on Friday, taking control of a plant operator’s computer through the same methods a supervisor or specialist might use. The hack didn’t initially set off red flags, because remote access is sometimes used to monitor the system or trouble-shoot problems, Gualtieri said.

The first intrusion was fleeting and didn’t cause concern. But hours later, the hacker returned. And as the operator looked on, the sodium hydroxide settings were moved to dangerous territory. After resetting the system to normal levels, the operator raised the alarm. The sheriff was called; soon, federal investigators were also involved.

“Obviously, these investigations are very complicated right now,” Gualtieri said. “We do not have a suspect identified, but we do have leads that we’re following. We don’t know right now whether the breach originated from within the United States or outside the country.”

The FBI’s field office in Tampa confirms that its agents are working with the city and the sheriff’s office to find the person responsible.

The hack was clearly the act of someone trying to harm others, the sheriff said. But he and officials in Oldsmar also stressed that while the hack was a serious intrusion, public health was never at risk. In addition to the plant operator’s vigilance, they said, the water system has sensors that would have raised the alarm if pH levels suddenly skyrocketed. And it would have taken more than a day for the water to reach any customers, they added.

“We have pH alarms throughout the system,” City Manager Al Braithwaite said. “So obviously if you change the alkalinity level, the pH changes. That would have been an alarm throughout the entire system. So, even if we hadn’t noticed it right away, it would have alarmed to all our people to notice it quickly.”

The remote-access program that allowed the change to be made is now disabled, Braithwaite said, and the city is making further upgrades to its systems. And he said the attack on Oldsmar’s infrastructure didn’t come as a complete surprise. “We talk about it, we think about it, we study it,” he said. . . .
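The two layers the officials describe above (a setpoint that can be sanity-checked before the controller applies it, and pH alarms that fire on measured chemistry regardless of what the HMI was told) as an added Python example; this is not code from the Oldsmar plant or from NPR, and the engineering limits, the remote-session policy and the event trace are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class DosingLimits:
    """Plausibility limits for the sodium hydroxide (lye) dosing setpoint.
    The values are constructed for this example, not Oldsmar's real limits."""
    min_ppm: float = 50.0
    max_ppm: float = 200.0
    max_step_ppm: float = 25.0   # largest change permitted in one write
    ph_low: float = 6.5
    ph_high: float = 8.5         # pH alarm band (constructed)


@dataclass
class SetpointWrite:
    """One attempted change to the setpoint, as seen by the controller."""
    t: int            # seconds since the start of the trace (constructed clock)
    source: str       # "local" console or "remote" access session
    old_ppm: float
    new_ppm: float


@dataclass
class Decision:
    accepted: bool
    reasons: List[str] = field(default_factory=list)


def check_setpoint(w: SetpointWrite, lim: DosingLimits) -> Decision:
    """Validate a setpoint write before the controller applies it.

    Assumed policy for this example: remote sessions are monitor-only and may
    not write a control-affecting setpoint. A write that brings an out-of-range
    setpoint back into range (the operator's reset) is exempt from the step
    limit, so the recovery action itself is never blocked.
    """
    reasons = []
    in_range = lim.min_ppm <= w.new_ppm <= lim.max_ppm
    old_in_range = lim.min_ppm <= w.old_ppm <= lim.max_ppm
    step = abs(w.new_ppm - w.old_ppm)
    if not in_range:
        reasons.append(f"{w.new_ppm:g} ppm is outside the engineering range "
                       f"{lim.min_ppm:g}-{lim.max_ppm:g} ppm")
    if old_in_range and step > lim.max_step_ppm:
        reasons.append(f"step of {step:g} ppm exceeds the {lim.max_step_ppm:g} "
                       f"ppm limit per write")
    if w.source == "remote" and step != 0:
        reasons.append("setpoint writes from remote sessions are not permitted")
    return Decision(accepted=not reasons, reasons=reasons)


def first_ph_alarm(ph_readings: List[float], lim: DosingLimits) -> Optional[int]:
    """Independent safety layer: index of the first pH sample outside the
    alarm band, or None. It runs on measured water chemistry, so it does not
    depend on the HMI or on who is driving the operator's session."""
    for i, ph in enumerate(ph_readings):
        if ph < lim.ph_low or ph > lim.ph_high:
            return i
    return None


def replay(writes: List[SetpointWrite], lim: DosingLimits) -> List[str]:
    """Replay a trace of setpoint writes; return one alert per rejected write."""
    alerts = []
    for w in writes:
        d = check_setpoint(w, lim)
        if not d.accepted:
            alerts.append(f"t={w.t}s source={w.source}: " + "; ".join(d.reasons))
    return alerts


# Constructed trace mirroring the account above: a brief remote session that
# changes nothing, a remote write hours later from 100 ppm to 11,100 ppm, and
# the operator's local reset a minute after that.
TRACE = [
    SetpointWrite(t=0, source="remote", old_ppm=100.0, new_ppm=100.0),
    SetpointWrite(t=14400, source="remote", old_ppm=100.0, new_ppm=11100.0),
    SetpointWrite(t=14460, source="local", old_ppm=11100.0, new_ppm=100.0),
]

if __name__ == "__main__":
    for line in replay(TRACE, DosingLimits()):
        print("ALERT", line)
```

Only the second write in the trace is rejected (out of range, too large a step, and from a remote session), while the operator's reset passes; the pH check stays meaningful even if the setpoint guard itself is bypassed.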

 

 

Discussion


  1. US energy markets have once again been gripped by an emergency after a relatively new hacker group, known as DarkSide, successfully carried out a ransomware attack that shut down the Colonial oil pipeline on Friday. The pipeline carries 45% of the East Coast’s fuel supplies.

    So unlike the last energy crisis, the culprit isn’t the rigged nature of Texas’s energy markets. But the identity and intent of that culprit still remain a mystery. The group is believed to be operating in the former Soviet Union, although that attribution appears to be exclusively based on the observation that this group has only been found to attack companies outside of those countries.

    Also note that the group only popped up in August of 2020, so to some extent it doesn’t really make sense to focus on where the group has or hasn’t attacked. But, of course, the other obvious thing to keep in mind when reading these kinds of digital tea leaves is that it’s trivial for a group to maintain the appearance of operating in the former Soviet Union simply by not attacking companies in those countries. If not attacking companies in the former Soviet Union causes the cybersecurity industry to conclude that a group must be operating in that region of the world, it’s a pretty small price to pay for maintaining additional anonymity to simply lay off companies in the former Soviet Union. It’s a status quo that, ironically, kind of discourages hacking in the Soviet Union. Because why not just lay off those areas and let the rest of the world assume that’s where your group is operating?

    Adding to the mystery is the fact that DarkSide has an unusual public relations approach to hacking. The group has already come out and claimed that it is solely interested in profits, has no geopolitical interests, didn’t intend to cause such a large disruption in the US energy markets, and pledged to avoid such disruptions in the future. And this isn’t the first time DarkSide has tried to come off as a relatively benign, or even ethical, hacking group. Back in November, the group made sizable bitcoin donations to two charities, Children’s International and the Water Project. Each donation was worth ~$10,000 at the time and conducted over The Giving Block, a platform that facilitates cryptocurrency donations for non-profit organizations. So that alone was pretty unusual for a hacking group. Especially one that only emerged months earlier. But there was a potentially significant signal sent in those donations that has taken on more potential significance now that the world is trying to identify the group that locked up the east coast’s fuel supplies: those two ~$10,000 donations were made in the form of 0.88 bitcoin donations. And 0.88 is, of course, a classic Nazi numerological symbol. So at the same time DarkSide was sending a ‘we’re friendly’ signal to the world it was also flashing neo-Nazi numerological gang signs.

    Beyond that, it sounds like DarkSide isn’t even a distinct hacking group. It’s more like a franchise operation, where the core group develops cutting edge hacking software and then licenses it out to hacking groups who share a percent of their proceeds with DarkSide. It was a business model reflected by the statement issued by DarkSide: “From today, we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future.” Those “partners” are the groups that receive and use DarkSide’s cutting edge hacking software.

    So the software from an advanced hacking tool development team was used to cripple one of the largest oil pipelines in the US, and the group issues a statement assuring the world that it is purely interested in profits, never intended such a large disruption and is pledging to avoid them in the future. This same for-profit group made two large donations to two children’s charities that just happened to be 0.88 bitcoins each. It’s a reminder that the contemporary cyber approach of ‘reading the signs’ and making an ‘educated’ bet as to who is actually behind these hacks is often the best we can do but also nowhere close to being adequate for making meaningful cyberattributions. Not that this ambiguity will stop the world from simply assuming this is a Russian criminal group:

    NBC News

    Russian criminal group suspected in Colonial pipeline ransomware attack
    The group, known as DarkSide, is relatively new, but it has a sophisticated approach to extortion, sources said.

    By Ken Dilanian and Kelly O’Donnell
    May 9, 2021, 6:37 PM CDT / Updated May 9, 2021, 7:30 PM CDT

    WASHINGTON — A Russian criminal group may be responsible for a ransomware attack that shut down a major U.S. fuel pipeline, two sources familiar with the matter said Sunday.

    The group, known as DarkSide, is relatively new, but it has a sophisticated approach to the business of extortion, the sources said.

    Commerce Secretary Gina Raimondo said Sunday that the White House was working to help Colonial Pipeline, the Georgia-based company that operates the pipeline, to restart its 5,500-mile network.

    The system, which runs from Texas to New Jersey, transports 45 percent of the East Coast’s fuel supply. In a statement Sunday, the company said that some smaller lateral lines were operational but that the main lines remained down.

    “We are in the process of restoring service to other laterals and will bring our full system back online only when we believe it is safe to do so, and in full compliance with the approval of all federal regulations,” the company said.

    ...

    On Saturday, Colonial Pipeline blamed the cyberattack on ransomware and said some of its information technology systems were affected. It said it “proactively” took “certain systems offline to contain the threat.”

    The company has not said what was demanded or who made the demand.

    Although Russian hackers often freelance for the Kremlin, early indications suggest that this was a criminal scheme — not an attack by a nation-state — the sources said.

    But the fact that Colonial had to shut down the country’s largest gasoline pipeline underscores just how vulnerable the U.S. cyber infrastructure is to criminals and national adversaries, such as Russia, China and Iran, experts say.

    “This could be the most impactful ransomware attack in history, a cyber disaster turning into a real-world catastrophe,” said Andrew Rubin, CEO and co-founder of Illumio, a cybersecurity company.

    “It’s an absolute nightmare, and it’s a recurring nightmare,” he said. “Organizations continue to rely and invest entirely on detection, as if they can stop all breaches from happening. But this approach misses attacks over and over again. Before the next inevitable breach, the president and Congress need to take action on our broken security model.”

    If the culprit turns out to be a Russian criminal group, it will underscore that Russia gives free rein to criminal hackers who target the West, said Dmitri Alperovitch, a co-founder of the cyber company CrowdStrike who is executive chairman of the Silverado Policy Accelerator, a think tank.

    “Whether they work for the state or not is increasingly irrelevant, given Russia’s obvious policy of harboring and tolerating cybercrime,” he said.

    According to a top Reuters cybersecurity reporter, DarkSide has its own website on the dark web that features an array of leaked data from victims who it claims failed to pay ransom. It claims that the group has made millions from cyber extortion.

    ————

    “Russian criminal group suspected in Colonial pipeline ransomware attack” by Ken Dilanian and Kelly O’Donnell; NBC News; 05/09/2021

    “The system, which runs from Texas to New Jersey, transports 45 percent of the East Coast’s fuel supply. In a statement Sunday, the company said that some smaller lateral lines were operational but that the main lines remained down.”

    45 percent of the US east coast’s fuel supply. You have to wonder if the hackers initially recognized the potential impact of their hack. But that’s the crazy nature of contemporary hacking: you don’t really need to recognize the implications of your hack in order to pull it off. You just need to exploit the same hacking techniques that work on businesses large and small.

    And note how we already have CrowdStrike’s Dmitri Alperovitch — the main champion of the cybersecurity industry’s contemporary ‘pattern recognition’ approach to publicly attributing hacks based on vague inferences — declaring that this hack should be treated as if it was a Russian government hack whether or not the government was behind the hack because Russia gives free rein to hackers who target the West:

    ...
    If the culprit turns out to be a Russian criminal group, it will underscore that Russia gives free rein to criminal hackers who target the West, said Dmitri Alperovitch, a co-founder of the cyber company CrowdStrike who is executive chairman of the Silverado Policy Accelerator, a think tank.

    “Whether they work for the state or not is increasingly irrelevant, given Russia’s obvious policy of harboring and tolerating cybercrime,” he said.
    ...

    And at the same time we have the cybersecurity industry primed to somehow attribute this hack to the Russian government, it’s also pretty notable that the hackers themselves have been publicly promoting this idea of being exclusively profit-oriented and not “creating problems for society”. Beyond that, the group claims it had no idea one of its ‘affiliates’ (recipients of its advanced hacking tools) had targeted Colonial and would put a stop to such behavior in the future. It’s a fascinating public relations play. Almost like taking a page from the NRA’s public relations playbook after a mass shooting and declaring “don’t blame us! blame the bad shooter!”:

    BBC News

    US fuel pipeline hackers ‘didn’t mean to create problems’

    By Mary-Ann Russon
    Business reporter, BBC News
    Published 05/10/2021

    A cyber-criminal gang that took a major US fuel pipeline offline over the weekend has acknowledged the incident in a public statement.

    “Our goal is to make money and not creating problems for society,” DarkSide wrote on its website.

    The US issued emergency legislation on Sunday after Colonial Pipeline was hit by a ransomware cyber-attack.

    The pipeline carries 2.5 million barrels a day — 45% of the East Coast’s supply of diesel, petrol and jet fuel.

    The operator took itself offline on Friday after the cyber-attack. Work to restore service is continuing.

    On Monday, the FBI officially confirmed that DarkSide was responsible for compromising Colonial Pipeline’s networks, saying that it was continuing to work with the firm and other government agencies on the investigation.

    During a speech about the economy at the White House on Monday, US President Joe Biden said that he was being “personally briefed” on the situation with the pipeline each day.

    “The agencies across the government have acted quickly to mitigate any impact on our fuel supply,” he said.

    “We’re prepared to take additional steps depending on how quickly the company is able to bring its pipeline back up to capacity.”

    A number of cyber-security researchers, including firms contacted by the BBC, have speculated that the cyber-criminal gang could be Russian, as their software avoids encrypting any computer systems where the language is set as Russian.

    Mr Biden said that the US government was concerned about this aspect of the cyber-attack.

    “I’m gonna be meeting with President Putin and so far there is no evidence, based on our intelligence people, that Russia is involved,” he said.

    “Although, there’s evidence that the actors’ ransomware is in Russia — they have some responsibility to deal with this.”

    DarkSide posted a statement on its website on Monday, describing itself as “apolitical”.

    “We do not participate in geopolitics, do not need to tie us with a defined government and look for... our motives,” the group said.

    The group also indicated it had not been aware that Colonial was being targeted by one of its affiliates, saying: “From today, we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future.”

    Impact on fuel prices

    ...

    Sources said the ransomware attack was likely to have been caused by a cyber-criminal gang called DarkSide, who infiltrated Colonial’s network and locked the data on some computers and servers, demanding a ransom on Friday.

    The gang stole almost 100 gigabytes of data hostage, threatening to leak it onto the internet, but the FBI and other government agencies worked with private companies to respond. The cloud computing system the hackers used to collect the stolen data was taken offline on Saturday, Reuters reported.

    On Sunday, Colonial said that although its four main pipelines remained offline, some smaller lines between terminals and delivery points were now operational.

    “Quickly after learning of the attack, Colonial proactively took certain systems offline to contain the threat. These actions temporarily halted all pipeline operations and affected some of our IT systems, which we are actively in the process of restoring,” the firm said.

    It added it would bring its full system back online “only when we believe it is safe to do so, and in full compliance with the approval of all federal regulations”.

    Ransomware as a service

    The incident highlights the risk ransomware can pose to critical national industrial infrastructure, not just businesses.

    In addition to a notice on their computer screens, victims of a DarkSide attack receive an information pack informing them that their computers and servers are encrypted.

    The gang lists all the types of data it has stolen, and sends victims the URL of a “personal leak page” where the data is already loaded, waiting to be automatically published, should the company or organisation not pay before the deadline is up.

    DarkSide also tells victims it will provide proof of the data it has obtained, and is prepared to delete all of it from the victim’s network.

    According to Digital Shadows, a London-based cyber-security firm, DarkSide operates like a business.

    The gang develops the software used to encrypt and steal data from companies.

    It then provides ransomware to “affiliates” who pay DarkSide a percentage of their earnings from any successful attacks.

    When it released new software in March that could encrypt data faster than before, the gang issued a press release and invited journalists to interview it.

    It even has a website on the dark web where it lists all the companies it has hacked and what was stolen, and an “ethics” page where it says which organisations it will not attack.

    DarkSide also works with “access brokers” — nefarious hackers who work to harvest the login details for as many working user accounts on various services as they can find.

    Rather than break into these accounts and alert users or the service providers, these brokers sit on the usernames and passwords and sell them off to the highest bidders — cyber-criminal gangs who want to use them to carry out much larger crimes.

    How did the attack occur?

    Digital Shadows thinks the Colonial attack was helped by the coronavirus pandemic, with more engineers remotely accessing control systems for the pipeline from home.

    James Chappell, co-founder of Digital Shadows, believes DarkSide could have bought account login details for remote desktop software such as TeamViewer and Microsoft Remote Desktop.

    He says it is possible for anyone to look up the login portals for computers connected to the internet on search engines like Shodan, and then “have-a-go” hackers just keep trying usernames and passwords until they get some to work.

    “We’re seeing a lot of victims now, this is seriously a big problem,” said Mr Chappell.

    “The amount of small businesses that are falling victim to this... It’s becoming a big problem for the economy globally.”

    Digital Shadows’ research shows the cyber-criminal gang is likely to be based in a Russian-speaking country, as it avoids attacking companies in post-Soviet states including Russia, Ukraine, Belarus, Georgia, Armenia, Moldova, Azerbaijan, Kazakhstan, Kyrgyzstan, Tajikistan, Turkmenistan and Uzbekistan.

    ————

    “US fuel pipeline hackers ‘didn’t mean to create problems’ ” by Mary-Ann Russon; BBC News; 05/10/2021

    “‘Our goal is to make money and not creating problems for society,’ DarkSide wrote on its website.”

    Innocent extortionists. That’s how DarkSide appears to want to market itself to the world. All they want to do is make money. Not disrupt. And then the group blamed it all on one of its ‘partners’ and pledged to keep a closer eye on these partners in the future. All in all, it’s bizarre:

    ...
    DarkSide posted a statement on its website on Monday, describing itself as “apolitical”.

    “We do not participate in geopolitics, do not need to tie us with a defined government and look for... our motives,” the group said.

    The group also indicated it had not been aware that Colonial was being targeted by one of its affiliates, saying: “From today, we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future.”

    ...

    Adding to the bizarre nature of this public relations campaign is that the group appears to actually be shockingly evil, even by hacker standards. They operate like a business and distribute their advanced software to these “partners” for a cut of the profits. Like handing out advanced weapons to groups of criminals, letting them choose the targets, and taking a cut. It’s the exact opposite of the ‘ethical hacker’ public image the group is trying to cultivate. At the same time, when the group developed faster encryption software — a key tool for ransomware attacks — they sent out a press release and invited journalists to interview them. The group wants public attention for advancing hacking technology while also branding itself as ethical. It has the feel of a fascinating PsyOp designed to almost popularize ransomware attacks:

    ...
    According to Digital Shadows, a London-based cyber-security firm, DarkSide operates like a business.

    The gang develops the software used to encrypt and steal data from companies.

    It then provides ransomware to “affiliates” who pay DarkSide a percentage of their earnings from any successful attacks.

    When it released new software in March that could encrypt data faster than before, the gang issued a press release and invited journalists to interview it.

    It even has a website on the dark web where it lists all the companies it has hacked and what was stolen, and an “ethics” page where it says which organisations it will not attack.
    ...

    And note what is perhaps the most alarming aspect of this story: it’s possible the group that hacked into Colonial didn’t even need to do any hacking themselves. The dark web marketplace for login credentials is so vast it’s possible DarkSide’s partners simply purchased some login details for remotely accessing Colonial’s computers. It’s a particularly ominous detail coming on the heels of the great Microsoft Exchange Server hack from earlier this year. The kind of ominous detail that raises questions about just how many credentials for other critical infrastructure systems are floating around in these marketplaces right now:

    ...
    DarkSide also works with “access brokers” — nefarious hackers who work to harvest the login details for as many working user accounts on various services as they can find.

    Rather than break into these accounts and alert users or the service providers, these brokers sit on the usernames and passwords and sell them off to the highest bidders — cyber-criminal gangs who want to use them to carry out much larger crimes.

    ...

    Digital Shadows thinks the Colonial attack was helped by the coronavirus pandemic, with more engineers remotely accessing control systems for the pipeline from home.

    James Chappell, co-founder of Digital Shadows, believes DarkSide could have bought account login details for remote desktop software such as TeamViewer and Microsoft Remote Desktop.

    He says it is possible for anyone to look up the login portals for computers connected to the internet on search engines like Shodan, and then “have-a-go” hackers just keep trying usernames and passwords until they get some to work.
    ...

    And then there are the charitable donations from back in November. A pair of donations to children’s charities that came just a few months after the group seemed to first emerge. 0.88 bitcoin donations that just happen to double as neo-Nazi numerological gang signs:

    CPO Magazine

    When Hackers Have PR Departments: Tens of Thousands in Stolen Bitcoins Donated To Charity Organizations

    Scott Ikeda
    November 6, 2020

    An unknown ransomware group is on some sort of a public relations offensive, donating thousands of dollars in stolen Bitcoins to various charitable causes. While it’s unclear what the true motives of the hackers are, the fact that the money was obtained illegally will likely render the move nothing more than an empty and self-serving gesture.

    Self-styled “Robin Hood” hackers make donations to developing countries

    The donations, which amount to at least $20,000 of stolen Bitcoins in total, were made by a group of hackers that call themselves “Darkside.” Darkside made news back in August for posting a startup-like launch announcement on the dark web, offering the ransomware-for-hire service with the trappings of legitimate businesses such as customer service contacts, technical support and a series of press releases. The group has only been active since late August, but is already credited with racking up over $1 million in paid ransoms. In addition to its apparent focus on customer service and PR, the group has pledged to only attack targets that are large enough to afford ransomware payments in the range of $200,000 to $2 million.

    The hackers posted receipts for two separate donations of 0.88 of their stolen Bitcoins (about $10,000 each) on a dark web forum, apparently giving generously of the pilfered funds to two US-based charities: Children International and The Water Fund. Children International has already issued a statement indicating that it does not intend to keep the money, and presumably The Water Fund will follow. Any charity foolish enough to keep donations that can be traced back to ransomware could fall afoul of a variety of federal laws.

    The hacking group, which is thought to be based somewhere in the Commonwealth of Independent States due to a seeming avoidance of any targets in the territory, released this statement about the donations: “We think that it’s fair that some of the money the companies have paid will go to charity. No matter how bad you think our work is, we are pleased to know that we helped changed someone’s life. Today we sended (sic) the first donations.”

    Some security experts, such as Brett Callow of Emsisoft, say that this is the first time they have seen a group of outlaw hackers openly donate the proceeds of their crimes to charity. The donation was made through The Giving Block, a platform that facilitates cryptocurrency donations for non-profit organizations. The Giving Block issued a “whale alert” via Twitter celebrating the donations when they were made, apparently not aware at the time that hackers were involved. The platform has issued a statement indicating that it is working to determine if the donated funds were obtained illegally, and if so how to return them. It is unclear if that means that the Giving Block will simply reverse the donation back to Darkside, or if they will attempt to get authorities involved to return the stolen Bitcoins to the parties they were initially taken from.

    Stolen Bitcoins don’t equate to ethical hacking

    There is a long tradition of “ethical hacking” that dates back almost four decades, in which crimes are committed in what is at least ostensibly the name of the greater public good. Darkside’s actions do not resemble this dynamic at all. Not only does Darkside appear to not discriminate in the organizations that it targets with ransomware, it was also among the first wave of groups to begin exfiltrating data from victims and threatening to publicly post it if the ransom is not paid.

    Even if one does not quibble with the nature of the business of Darkside’s victims, the group’s data dumps (spanning hundreds of gigabytes of data) can include the sensitive personal information of employees and customers. The impact can also lead to layoffs or even business shutdowns. As Javvad Malik, Security Awareness Advocate for KnowBe4, points out: “Whenever an organization is extorted via ransomware or other means, that money impacts actual individuals. Many people have lost their jobs over the years, there have been organizations that have ceased to exist, and there has even been some talk recently of the role ransomware had to play in the unfortunate death of a patient transported to a different hospital.”

    ...

    A clumsy attempt at PR is one possibility for donating stolen crypto, but there are others that are even more nefarious. The hackers might also be testing various charities to see if they make for usable money laundering outlets for their stolen Bitcoins, or may believe that the pretense of having some sort of ethical code will lead to higher rates of payment in future ransomware attacks. Hackers might also work a “long con” in which they develop a reputation for charity donations, only to begin donating to fake charities that they control in the hopes that the publicity will lead others to make donations to those charities as well.

    ———–

    “When Hackers Have PR Departments: Tens of Thousands in Stolen Bitcoins Donated To Charity Organizations” by Scott Ikeda; CPO Magazine; 11/06/2020

    The hackers posted receipts for two separate donations of 0.88 of their stolen Bitcoins (about $10,000 each) on a dark web forum, apparently giving generously of the pilfered funds to two US-based charities: Children International and The Water Fund. Children International has already issued a statement indicating that it does not intend to keep the money, and presumably The Water Fund will follow. Any charity foolish enough to keep donations that can be traced back to ransomware could fall afoul of a variety of federal laws.”

    So did DarkSide decide to donate $10,000 in bitcoins to two charities and just coincidentally choose to make these donations on the same day that 0.88 bitcoins was ~$10,000? Because if that wasn’t coincidental, the 0.88 bitcoin was a very deliberate choice. Whether or not it was a deliberate choice intended to signal the ideological orientation of the group (or just troll the world) is an interesting question that we don’t have answers for. But since everyone is trying to deduce the identity of this group based on the various clues deliberately left by the group, this seems like a clue worth incorporating into our analysis.

    And then there are the clues that are maybe unintentionally left by the group. Clues like genuinely unethical hacks that involve massive indiscriminate data dumps filled with personal information:

    ...
    There is a long tradition of “ethical hacking” that dates back almost four decades, in which crimes are committed in what is at least ostensibly the name of the greater public good. Darkside’s actions do not resemble this dynamic at all. Not only does Darkside appear to not discriminate in the organizations that it targets with ransomware, it was also among the first wave of groups to begin exfiltrating data from victims and threatening to publicly post it if the ransom is not paid.

    Even if one does not quibble with the nature of the business of Darkside’s victims, the group’s data dumps (spanning hundreds of gigabytes of data) can include the sensitive personal information of employees and customers. The impact can also lead to layoffs or even business shutdowns. As Javvad Malik, Security Awareness Advocate for KnowBe4, points out: “Whenever an organization is extorted via ransomware or other means, that money impacts actual individuals. Many people have lost their jobs over the years, there have been organizations that have ceased to exist, and there has even been some talk recently of the role ransomware had to play in the unfortunate death of a patient transported to a different hospital.”

    ...

    A clumsy attempt at PR is one possibility for donating stolen crypto, but there are others that are even more nefarious. The hackers might also be testing various charities to see if they make for usable money laundering outlets for their stolen Bitcoins, or may believe that the pretense of having some sort of ethical code will lead to higher rates of payment in future ransomware attacks. Hackers might also work a “long con” in which they develop a reputation for charity donations, only to begin donating to fake charities that they control in the hopes that the publicity will lead others to make donations to those charities as well.
    ...

    All in all, it would appear that the one thing we can conclude about the DarkSide group is that it has an unusual interest in trying to present itself as an ethical hacking entity but looks more like a highly ambitious criminal enterprise. The group has literally created a “partner” system that revolves around creating an army of hackers armed with its novel hacking tools and then taking a cut. That is a super-villain kind of accomplishment. The kind of accomplishment that just might explain the group’s bizarre, contradictory interest in coming off as benign: if you’re a hacking group with the capacity to lock up critical infrastructure at will, having the public recognize the existential threat your group poses really is your biggest risk.

    Posted by Pterrafractyl | May 10, 2021, 5:08 pm
  2. There was an interesting update on the ransomware attack against the Colonial Pipeline by the ‘DarkSide’ hacking group. First, recall how DarkSide is more of a hacking franchise than a single group. It creates the hacking software licensed out to others, and keeps a share of the ransomware profits. Also recall how DarkSide has been characterized as a Russian hacking group, a conclusion seemingly based solely on the location of the DarkSide hacking victims (i.e., if they don’t hack Russian companies, it must be a hacking group either operating at the behest of the Russian government or with its blessing). Next, recall how DarkSide made the curious decision to make twin donations of 0.88 bitcoins to two children’s charities last year in what appeared to be a public relations stunt. Finally, recall how Colonial ultimately paid ~75 Bitcoins in ransom to free up its pipeline. So we have a hacking group described by authorities as being Russian-based while flashing neo-Nazi numerological gang signs with its bitcoin donations.

    Here’s the update: the FBI managed to seize 63.7 of those 75 bitcoins. The operation is being touted as a means of discouraging ransomware operators by demonstrating the ability to disrupt the ransomware payment system. The catch is that the FBI isn’t saying precisely what it did to seize those bitcoins so it remains unclear if the technique used can be replicated or not for other ransomware attacks. As the following article describes, there are three scenarios experts are looking at:
    1. DarkSide used poor operational security that revealed the physical location of the server hosting the Bitcoin wallet, allowing the FBI to seize the computer and retrieve the private keys for the bitcoins.

    2. Someone in DarkSide flipped and handed the FBI access to the wallet.

    3. The FBI utilized a zero-day exploit that caused DarkSide to inadvertently reveal the location of the server hosting its Bitcoin wallet, giving the FBI the information it needed to seize the server.

    At this point we don’t know which of those three scenarios we’re looking at. But what we do know is that the seized server was in Northern California because that’s where the judge issued the seizure warrant. And we also know that the 63.7 bitcoins seized by the FBI is ~85% of the 75 bitcoin ransom. And that suggests those 63.7 bitcoins were the bitcoins ‘earned’ by the people who actually carried out the ransomware attack using DarkSide’s hacking tools. Because we know that DarkSide gives the hackers a default 75% of the cut, with that cut rising to 90% for hacks that pay ransoms worth more than $5 million. When Colonial paid that 75 bitcoin ransom that would have been worth just around $5 million. Based on the above facts, it’s reasonable to suspect that the 63.7 bitcoins sitting on that Northern California server represent the cut from the actual hackers who carried out the attack.

    Now, as is the case with all hacks, we can’t conclude too much based on the location of a server used in a hack. The person using that server could have been located anywhere on the planet and remotely accessing it. But given the common assumption in the cybersecurity industry that hackers operate out of server farms in Russia because the Russian government will go easy on them, it raises the question of how we should interpret the fact that this hacker was willing to run the ransomware bitcoin transaction software on a Northern California server. Why make that decision when it obviously leaves the Bitcoin wallet vulnerable to exactly the kind of seizure the FBI carried out? Nothing prevented them from choosing a Russian server to host that software. So why was this curious decision made? Did someone desire physical access to the server so they could retrieve the keys in person, without leaving a digital trail for the final step, perhaps? These are the kinds of questions raised by this report. The kinds of questions that raise more questions about who is actually behind DarkSide:

    CSO Online

    Feds seize $2.3 million in cryptocurrency wallet reportedly used in Colonial Pipeline ransomware attack
    The successful seizure could encourage other victims to better cooperate with federal agencies and cause ransomware gangs to rethink their operations.

    By Cynthia Brumfield
    Jun 8, 2021 5:10 am PDT

    The Justice Department announced yesterday that it had seized 63.7 bitcoins currently valued at approximately $2.3 million that allegedly represents some portion of a May 8 payment by the Colonial Pipeline company to DarkSide ransomware attackers. Colonial Pipeline admitted paying the cybercriminals a total ransom of around $4.4 million in bitcoin to restore full functionality to its systems following the crippling ransomware attack announced by the company on May 7.

    The Special Prosecutions Section and Asset Forfeiture Unit of the US Attorney’s Office for the Northern District of California seized the bitcoin wallet after a magistrate judge for the Northern District of California authorized a seizure warrant. News of the wallet seizure came as little surprise given that the DarkSide attackers themselves foreshadowed it when they announced in mid-May that the group lost control over some of its servers, including a payment server, and was shutting down due to “pressure” from the United States. At that time, DarkSide also stated that some of its funds had been withdrawn to an unknown account.

    The adage of “follow the money” still applies

    Lisa Monaco, a deputy attorney general of the Justice Department, said during a press briefing that “the old adage ‘follow the money still applies.’ And that’s exactly what we do. After Colonial Pipeline’s quick notification to law enforcement and pursuant to a seizure warrant issued by the United States District Court for the Northern District of California earlier today, the Department of Justice has found and recaptured the majority of the ransom Colonial paid to the DarkSide network in the wake of last month’s ransomware attack.”

    The targeted seizure of the wallet aims to undercut the current wave of increasingly destructive ransomware attacks, particularly those targeted at highly critical infrastructure such as oil and gas pipelines. “We turned the tables on DarkSide by going after the entire ecosystem that fuels ransomware and digital extortion attacks, including criminal proceeds in the form of digital currency,” Monaco said. “We will continue to use all of our tools and all of our resources to increase the cost and the consequences of ransomware attacks and other cyber-enabled attacks.”

    FBI is vague on how it identified the attacker’s wallet

    Precisely how law enforcement identified the attacker’s wallet is unclear. During the briefing, FBI Deputy Director Paul Abbate said that the Bureau has been investigating Russia-based cybercrime gang DarkSide since last year. DarkSide is only one of 100 ransomware variants affecting 90 identified victims that the FBI is investigating, Abbate said.

    “We identified a virtual currency wallet that the DarkSide actors use to collect a payment from a victim using law enforcement authorities. Victim funds were seized from that wallet, preventing DarkSide actors from using it,” Abbate said while offering few details on how the operation worked. In an affidavit accompanying an application for the seizure warrant, an FBI field agent, whose name was redacted, said that Colonial Pipeline informed the FBI on May 8 of the cryptocurrency address it used to make its ransom payment.

    From there, the FBI reviewed the bitcoin public ledger to trace the bitcoins to the ultimately seized wallet. “The private key for the [wallet] is in the possession of the FBI in the Northern District of California,” the agent said in the affidavit. Private keys, which are 256-bit secret numbers that allow bitcoin to be unlocked and sent, are critical components of how the cryptocurrency is kept anonymous and secure.

    Knowing how the FBI obtained the DarkSide actor’s private key is critical to determining whether law enforcement might be able to follow the money again and remove the economic incentive for other ransomware attackers in the future. According to reports of an FBI press call on the wallet seizure, the Bureau said it is deliberately vague regarding how it obtained the private key to avoid tipping off hackers. According to one agent, the method the FBI used is “replicable,” which means authorities could use it against the next ransomware attacker. The FBI also revealed it received substantial help from the Microsoft Threat Intelligence Center (MSTIC) in seizing the wallet.

    Three theories on how law enforcement found the wallet

    “The FBI court documents leave much to speculation, but one thing that is certain is that they did take possession of the hacker group’s private key and the 63.7 bitcoin associated with it,” Adrian Bednarek, CISO of virtual economy company Overflow Labs, tells CSO. Bednarek speculates that one of three scenarios explains how the FBI obtained the hackers’ private key.

    First, “sloppy operational security by DarkSide led to the FBI discovering the physical location of any computing devices that were used to collect ransomware payments,” he says, with the seizure of those devices leading to the forensic recovery of DarkSide’s private keys. This notion fits with DarkSide’s mid-May statement that it lost control over its servers.

    Under another, less likely, scenario, a DarkSide insider cooperated and cut a deal with the FBI to turn over any private key, Bednarek says.

    Bednarek’s third scenario holds that the FBI used non-public zero-day exploits in either operating systems or software (or both) used by DarkSide to either “reveal the real internet protocol (IP) address of DarkSide computing devices and work with ISPs to get their physical location or execute malicious code to recover any bitcoin private keys forensically,” Bednarek says. “From previous experience, I can say that they even seek out and hire firms to specifically discover exploits in software used by adversaries.”

    Monaco said this latest action is not the first time the US government has seized cryptocurrency connected with ransomware attacks. In January, authorities seized approximately $454,530.19 in cryptocurrency ransom payments in a multi-part offensive against the NetWalker ransomware gang.

    Colonial Pipeline’s collaboration could encourage other victims to work with the feds

    Colonial Pipeline acknowledged its collaboration in working with the FBI to seize the wallet and share knowledge with field officers and prosecutors. “When Colonial was attacked on May 7, we quietly and quickly contacted the local FBI field offices in Atlanta and San Francisco, and prosecutors in Northern California and Washington DC to share with them what we knew at that time,” Colonial said in a statement.

    The FBI hopes that this successful seizure would encourage other ransomware victims to work with law enforcement to deprive ransomware attackers of financial gain. “The message we are sending today is that if you come forward and work with law enforcement, we may be able to take the type of action that we took today to deprive the criminal actors of what they’re going after here, which is the proceeds of their criminal scheme,” Monaco said.

    “This was an attack against some of our most critical national infrastructure in the form of the Colonial Pipeline. This represents the swift whole of government response represented in the work of this [FBI ransomware] task force and our determination to go after the entire ransomware criminal ecosystem used by these types of criminal networks and their affiliates.”

    ...

    ————-

    “Feds seize $2.3 million in cryptocurrency wallet reportedly used in Colonial Pipeline ransomware attack” by Cynthia Brumfield; CSO Online; 08/08/2021

    Knowing how the FBI obtained the DarkSide actor’s private key is critical to determining whether law enforcement might be able to follow the money again and remove the economic incentive for other ransomware attackers in the future. According to reports of an FBI press call on the wallet seizure, the Bureau said it is deliberately vague regarding how it obtained the private key to avoid tipping off hackers. According to one agent, the method the FBI used is “replicable,” which means authorities could use it against the next ransomware attacker. The FBI also revealed it received substantial help from the Microsoft Threat Intelligence Center (MSTIC) in seizing the wallet.”

    Does the FBI have a new capacity to seize Ransomware funds? Or did DarkSide just f*ck up? The FBI is being intentionally vague. But there’s no vagueness about where the server was physically located because it had to be under the jurisdiction of the Northern California judge who issued the seizure warrant. Hence the speculation that DarkSide may have somehow screwed up and revealed the location of the server hosting the software used to collect the ransomware payments:

    ...
    “The FBI court documents leave much to speculation, but one thing that is certain is that they did take possession of the hacker group’s private key and the 63.7 bitcoin associated with it,” Adrian Bednarek, CISO of virtual economy company Overflow Labs, tells CSO. Bednarek speculates that one of three scenarios explains how the FBI obtained the hackers’ private key.

    First, “sloppy operational security by DarkSide led to the FBI discovering the physical location of any computing devices that were used to collect ransomware payments,” he says, with the seizure of those devices leading to the forensic recovery of DarkSide’s private keys. This notion fits with DarkSide’s mid-May statement that it lost control over its servers.

    Under another, less likely, scenario, a DarkSide insider cooperated and cut a deal with the FBI to turn over any private key, Bednarek says.

    Bednarek’s third scenario holds that the FBI used non-public zero-day exploits in either operating systems or software (or both) used by DarkSide to either “reveal the real internet protocol (IP) address of DarkSide computing devices and work with ISPs to get their physical location or execute malicious code to recover any bitcoin private keys forensically,” Bednarek says. “From previous experience, I can say that they even seek out and hire firms to specifically discover exploits in software used by adversaries.”
    ...

    And regardless of which of these three scenarios we are looking at, all three raise the question: why did they choose a Northern California server to host the ransomware software? They literally hacked the most crucial pipeline supplying fuel to the East Coast and one of the servers they used to carry out this operation was located in the same country, making it readily available for seizure by law enforcement. That’s beyond being just an OpSec f*ck up. It’s the kind of decision where the only obvious compelling rationale for it is if the person carrying out this hack needed to have physical access to the server. Don’t forget: if the server hosting this ransomware software was located in Russia, it probably wouldn’t have mattered if the FBI identified the location of the server or not. All of this was possible because the person who licensed DarkSide’s software and actually executed this hack somehow decided to locate that server in Northern California. So we have to ask, why did this hacker choose a Northern California server to hack a US pipeline? Along with the obligatory question of why these obvious questions don’t seem to get actually asked.

    Posted by Pterrafractyl | June 10, 2021, 4:52 pm
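The CSO article above notes that investigators started from the payment address Colonial reported and "reviewed the bitcoin public ledger to trace the bitcoins to the ultimately seized wallet," and the comment works out that 63.7 of the 75 BTC (~85%) look like an affiliate's cut. The following is an added example of that follow-the-money step, not code from the article, the commenter, or any law-enforcement tool. It walks a constructed, in-memory UTXO ledger forward from the victim's payment address and reports where the coins come to rest and what fraction of the payment each resting wallet holds. Every transaction id, address and amount is a constructed placeholder except the 75 BTC and 63.7 BTC figures, which come from the reporting.

```python
"""Follow-the-money over a constructed UTXO ledger.

Added example: not code from the CSO article, the comment thread, or the FBI.
Transaction ids, addresses and the ledger are constructed placeholders; only
the 75 BTC ransom and 63.7 BTC seizure figures come from the reporting.
Amounts are integer satoshis (1 BTC = 100_000_000 sat) to avoid float error.
"""
from collections import deque
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

SAT = 100_000_000                      # satoshis per bitcoin
Outpoint = Tuple[str, int]             # (txid, output index)


@dataclass(frozen=True)
class Tx:
    txid: str
    inputs: Tuple[Outpoint, ...]               # outpoints this tx spends
    outputs: Tuple[Tuple[str, int], ...]       # (address, satoshis)


# Constructed sample ledger; "tx_exchange" is the victim's off-graph funding source.
LEDGER: List[Tx] = [
    # victim funds its payment address; output 1 is change back to the victim
    Tx("tx_fund", (("tx_exchange", 0),),
       (("addr_victim_pay", 75 * SAT), ("addr_victim_change", 5 * SAT))),
    # the ransom payment; the victim reports addr_victim_pay to investigators
    Tx("tx_ransom", (("tx_fund", 0),), (("addr_collector", 75 * SAT),)),
    # franchise split: affiliate share (63.7 BTC) and operator share (11.3 BTC)
    Tx("tx_split", (("tx_ransom", 0),),
       (("addr_affiliate", 637 * SAT // 10), ("addr_operator", 113 * SAT // 10))),
    # affiliate consolidates into the wallet that is later seized
    Tx("tx_move", (("tx_split", 0),), (("addr_seized", 637 * SAT // 10),)),
    # operator share hops once more
    Tx("tx_op_hop", (("tx_split", 1),), (("addr_operator_2", 113 * SAT // 10),)),
    # unrelated spend of the victim's change: must NOT show up in the trace
    Tx("tx_change_spend", (("tx_fund", 1),), (("addr_grocery", 5 * SAT),)),
]


def index_ledger(ledger: List[Tx]):
    """Map each outpoint to the tx that spends it, and to its (address, amount)."""
    spender: Dict[Outpoint, Tx] = {}
    outputs: Dict[Outpoint, Tuple[str, int]] = {}
    for tx in ledger:
        for op in tx.inputs:
            spender[op] = tx                   # a UTXO is spent at most once
        for i, out in enumerate(tx.outputs):
            outputs[(tx.txid, i)] = out
    return spender, outputs


def trace_from_address(ledger: List[Tx], start_addr: str) -> Dict[str, Tuple[int, Tuple[str, ...]]]:
    """Follow every coin that ever sat on start_addr forward through the spend graph.

    Returns {resting_address: (satoshis, path_of_txids)} for the outputs that are
    still unspent when the trace ends, i.e. where the traced funds currently rest.
    Every output of a tx that consumed a traced input is treated as traced
    ("poison" tainting), which over-counts when a tx also mixes in unrelated coins.
    """
    spender, outputs = index_ledger(ledger)
    queue = deque((op, ()) for op, (addr, _) in outputs.items() if addr == start_addr)
    seen: Set[Outpoint] = set()
    resting: Dict[str, Tuple[int, Tuple[str, ...]]] = {}
    while queue:
        op, path = queue.popleft()
        if op in seen:
            continue
        seen.add(op)
        tx = spender.get(op)
        if tx is None:                         # unspent: the funds rest here
            addr, amt = outputs[op]
            prev_amt, _ = resting.get(addr, (0, ()))
            resting[addr] = (prev_amt + amt, path)
            continue
        for i in range(len(tx.outputs)):
            queue.append(((tx.txid, i), path + (tx.txid,)))
    return resting


def share_of_payment(resting, addr: str, payment_sat: int) -> float:
    """Fraction of the original payment resting on addr, rounded to 3 places."""
    return round(resting[addr][0] / payment_sat, 3)


if __name__ == "__main__":
    where = trace_from_address(LEDGER, "addr_victim_pay")
    for addr, (sat, path) in where.items():
        print(f"{addr}: {sat / SAT:.1f} BTC via {' -> '.join(path)}")
    print("share on seized wallet:", share_of_payment(where, "addr_seized", 75 * SAT))
```

On this constructed ledger the trace ends at two resting wallets, `addr_seized` (63.7 BTC, share 0.849) and `addr_operator_2` (11.3 BTC), and never touches the victim's own change output, because tracing follows spends of the reported address rather than everything the funding transaction touched. The tracer only tells an investigator which addresses hold the coins; it says nothing about who holds the private keys or where the machine storing them sits, which is exactly the gap the three scenarios in the article are about. Real-chain tracing also has to deal with CoinJoin-style transactions and exchange deposits, where the simple poison-taint rule used here over-approximates and heuristics such as proportional taint are needed.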
