On Friday 7 May, Colonial, the quaintly named operator of the pipeline that brings 45% of the US east coast’s gasoline and jet fuel from Texas to New York, announced that it had been hacked. My initial assumption was that this was Russian retaliation for the Biden administration’s punitive cyber-attacks on Russia in response to the SolarWinds hack. After all, if a pipeline like this isn’t “critical infrastructure”, what is? If so, were we not witnessing a significant escalation in information warfare between two nuclear-armed powers?
Fortunately, my overheated imagination turned out to be wrong, but the reality – in a way – is almost as interesting. On 10 May, the FBI announced that the attack on Colonial was caused by an outfit called DarkSide, which specialises in ransomware, and that the bureau had forced the company to halt its pipeline’s operations so that it could carry out a full investigation into the breach.
So who or what is DarkSide? According to Intel 471, a security company that surveys the teeming cybercriminal ecosystem of the internet, DarkSide was first spotted in November 2020 on a Russian-language hacker forum, advertising for partners for a ransomware service. What it was pitching was a platform that “approved” cybercriminals could use to infect companies with ransomware and carry out negotiations and payments with victims. “We are a new product on the market,” it burbled, “but that does not mean that we have no experience and came from nowhere. We received millions of dollars profit by partnering with other well-known cryptolockers. We created DarkSide because we didn’t find the perfect product for us. Now we have it.” Not long afterwards, its software was found to be behind several ransomware attacks on manufacturers and legal firms in Europe and the US.
According to Intel 471, in March 2021, DarkSide “rolled out a number of new features in an effort to attract new affiliates. These included versions for targeting Microsoft Windows- and Linux-based systems, enhanced encryption settings, a fully fledged and integrated feature built directly into the management panel that enabled affiliates to arrange calls meant to pressure victims into paying ransoms and a way to launch a distributed denial of service (DDoS).”
Note the reference to a “management panel”. In conventional software packages, this would be called a “dashboard”, a visual tool to enable non-technical managers to run a complex program without knowing anything about the code. The panel also seems to provide scripts for conducting negotiations with victims. Intel 471 monitored one of these conversations. “This is a lot of money,” the victim writes. “My management needs a better understanding of what data you may have taken. Can you provide proof that you have our data?” Answer: “Yes will provide a sample for you.” The victim continues: “When you receive payment you will not publish the attack or sell exfiltrated data?” Answer: “Of course not, you will get access to a server with data and will delete it yourself. Also we can provide you with a pentest [penetration test] report how you have been breached and what [you] need to improve.”
In these ransomware marketplaces, the traders seemed anxious to establish reputations for reliability and quality
You get the picture. This is awfully like the kind of dialogue you would see in a conventional business negotiation. What it shows is what the security expert Ross Anderson has been pointing out for years: that cybercrime has been industrialised and that one can analyse it using the methods and economic concepts that one would use if studying any burgeoning line of business.
In that sense, public discourse about cybercrime and its practitioners is way behind the curve. As Ross and his colleagues have shown, criminals are rational actors, not lone hackers with poor hygiene and a penchant for pizza. They see what they do as a low-risk activity with very high profit margins. And they operate in a networked world in which even large and wealthy companies are still failing to take computer security seriously. The significance of the Colonial hack is its confirmation of cybercrime as a major new industry.
Many years ago, I got my first insight into this underworld when a senior police officer took me on a virtual tour of this netherworld. We looked at the online markets in which stolen personal details were traded and the different prices at which various “products” were bought and sold. (PayPal logins attracted premium prices at the time; maybe they still do.) What it looked like was eBay for crooks. And the most striking thing was that in these marketplaces the traders seemed as anxious as you or I would be to establish reputations for reliability and quality. In some cases, there were even star rating systems like you’d see on Uber or, for that matter, on eBay. There may be honour among thieves, as the saying goes, but they still fretted about their online reputations. And DarkSide’s claim that it has occasionally donated some of its profits to charity suggests an interesting new interpretation of “corporate responsibility”. It’s time we wised up to this new reality.
What I’ve been reading
Obscura No More is a lovely essay in the American Scholar by Andy Grundberg on the rise of photography as an art form.
The origin of Covid: Did people or nature open Pandora’s box at Wuhan? is a great piece of analysis by Nicholas Wade in the Bulletin of the Atomic Scientists.
Ready for future shocks?
What Is Ours Is Only Ours to Give is an excellent essay by Maria Farrell on the Crooked Timber blog triggered by Kim Stanley Robinson’s new novel, The Ministry for the Future.