DarkSide ransomware gang quits after servers, Bitcoin stash seized (krebsonsecurity.com)
787 points by feross on May 14, 2021 | hide | past | favorite | 584 comments



It was a mistake to attack the business side of the oil company, because it created what could be sold as reasonable doubt to shut down the pipeline.

As a result, the ransom had the optics of an attack on infrastructure. As evidenced by the coverage of Americans desperately filling up containers.

This created the impetus for the US to treat this as an incident far and above the ambient ransomware activities leading up to this.

It also gave the US an opportunity to show how effective it could be when it had the political cover to do so.


I got downvoted for saying that maybe it's time to treat serious ransomware attacks (infrastructure, security, health, etc.) as terrorism - as in the sense that they're a threat to the national security. But this kinda shows the response I was referring to.

A lot of people like to think of ransomware attacks as the ultimate stress test as far as security goes, and thus a good thing - but let's not get too blinded by our professions (most probably in tech), these kinds of attacks can have serious consequences: Imagine if some foreign state agency (masquerading as hackers) launches a multiheaded attack on, say, utilities plants - in the middle of the winter. The victims/targets will pay whatever is necessary.

With that said, I understand that many people will recoil at such things - we saw what the Patriot Act did, and how easy it is to overstep and abuse such laws, in the name of "national security". But it is a serious problem, in the same way actual piracy thrived in the Gulf of Aden, as soon as the shipping companies started paying.


Maybe people didn't like your use of the term "terrorism" for national security threats?

A common understanding is that terrorism is intended to frighten people or make them feel unsafe, while various official definitions of terrorism include the idea that it's intended to coercively achieve some particular political goal.

If attackers just intend to get money, they're probably well-described as extortionists (or in some cases, as you said, akin to pirates). If they just intend to damage a particular society without demanding anything from it or getting it to change its behavior, they might be saboteurs.

Attacks with these motives or that pretend to have these motives could still be considered national security threats (and taken very seriously), but maybe shouldn't be described specifically as terrorism.


On the high seas of the Internet there is a thin line between pirates and state actors. There could even be "privateer" (https://en.wikipedia.org/wiki/Privateer) attackers who work for a nation and for profit at the same time.

From the victim's perspective it matters less who is attacking you or why they are attacking you and much more what the results of the attack are, how you can mitigate and recover from the damage, and what needs to be done to prevent future attacks.

For the case of DarkSide and Colonial Pipeline, the attackers did not claim to have a political motive, but the resulting fuel shortages and panic buying might as well have been a form of terrorism.


Just causing terror doesn't make it terrorism. Causing terror as a means to further some political (or religious) goal would make it terrorism.


Not sure why you're getting downvoted. That's literally the Oxford dictionary definition.

https://www.google.com/search?q=define+terrorism



With that definition this is explicitly not terrorism, because it was for money not for political or religious reasons?


Yes. It's an important distinction because they are fundamentally different motives. If the motive is money, various strategies can drive up the cost until the behavior is no longer profitable and the bad actors stop. Religion and ideology are completely different beasts and most strategies that work on profiteers only entrench the others.


Just like how robbing a bank may cause terror to the people in the bank or the neighborhood but it was done for profit not politics.


Wealth is the primary means of expanding one's political influence. It’s a primitive tool like a talking stick to coerce all the other monkeys to do shit for you. Trying to gain money is absolutely political.


I think you just defined yelling at someone over money to be terrorism.

You can make a reasonable argument that "nothing is apolitical" but that's not the definition of political being used when people say what terrorism is.


You are correct; that is the consequence of taking the definition to its ultimate conclusion. Either our definition of terrorism is incomplete or our idea of money is.


You could call it unintentional terrorism I suppose. The timing with what's going on in Ukraine along with Putin's repeated threats makes it look political even if it wasn't. It's entirely possible they just happened to be a group of Russians who picked the wrong target at the wrong time. It's also entirely possible they were doing the Kremlin's work and just not announcing it publicly because that's not really how Putin plays the game.

I have to believe that played a role in the response they received as well.


Money is pure politics. The attacker becoming rich can legally be considered a political goal as the nature of money is political. If they endanger an entity or someone else’s resources to gain that political goal they are guilty of terrorism as they used fear to enact political change.


The mental gymnastics here are incredible.

I'm a frequent "everything is political" commenter myself, but since when is naked self interest through theft a political action?


These are the same types of people that claim "there are no good books" with a smirk on while suggesting books to read on white privilege after just telling you it's not his job to educate you on such matters even though he's literally being paid to sit there and educate you.

The insanity of it all is incomprehensible.


> Money is pure politics.

That's only true when right is up and down is left.


Only if you're a Marxist and limit your world view to what you can see through that lens.


No, money is inherently political as a matter of observable fact. It is created by governments and its value is driven by taxation.


> It is created by governments and its value is driven by taxation.

How does taxation drive value? Which taxation? There are governments that don't charge income taxes, there are governments that don't charge property taxes, there are governments that don't charge sales taxes.


This idea comes from Modern Monetary Theory (MMT). Most mainstream economists do not agree with it. But the MMT claim is that at base, people only need USD because it’s how taxes are denominated. The notion is that without the driving force of compelled taxation, no one would use USD or other sovereign currencies. MMT also claims, through similar logic, that a monetary sovereign can print an extreme amount of currency without causing inflation. Which MMT’ers use to justify massive government spending programs.


The idea isn't exclusive to MMT. Critics from across the spectrum recognize that taxation supports the USD. Buttresses such as legal tender laws, the petrodollar system and other barriers serve to support the USD.

Tally sticks are an early example of monetized debt as a taxation medium.

https://en.wikipedia.org/wiki/Tally_stick


The words “extreme” and “massive” are subjective. MMT claims that the best way for a monetarily sovereign government to maintain aggregate spending at full employment levels is to hire anyone willing to work but who cannot find work in either the private sector or the permanent government sector.

Also note that the work of legal historians such as Christine Desan who are not affiliated with MMT economists concurs with this analysis.

Also note that most mainstream economists do actually agree with the tenets of MMT when individually stated but base their disagreement on a deliberate misreading/misstatement of MMT which they then proceed to criticise.

That taxation is sufficient to drive demand for a currency is not contentious, that it is necessary is unconfirmed.


Simply: money is what you use to pay your taxes.


There are many different types of taxation, but there is no currency that doesn’t derive its value from taxation. People call things like Bitcoin currency but until a sovereign runs their financial system of federal settlement payments on the Bitcoin blockchain it is only a commodity like gold or silver or corn.


I think Evil Corp falls under the definition of privateer:

>As noted in previous stories here, during times of conflict with Russia’s neighbors, Slavik was known to retool his crime machines to search for classified information on victim systems in regions of the world that were of strategic interest to the Russian government – particularly in Turkey and Ukraine.

>“Cybercriminals are recruited to Russia’s national cause through a mix of coercion, payments and appeals to patriotic sentiment,” reads a 2017 story from The Register on security firm Cybereason’s analysis of the Russian cybercrime scene. “Russia’s use of private contractors also has other benefits in helping to decrease overall operational costs, mitigating the risk of detection and gaining technical expertise that they cannot recruit directly into the government.”

https://krebsonsecurity.com/2019/12/inside-evil-corp-a-100m-...


>On the high seas of the Internet there is a thin line between pirates and state actors

maybe in as far as their capabilities go, but the important characteristic of a state actor is that retaliating against them is construed as a retaliation against the state that backs them. Darkside is very different to a state actor, as demonstrated here - retaliation has no significant geopolitical implications, so it can be swift and harsh.


Honestly I’d say any highly asymmetric violent or offensive action would lead many folks to trot out the T word.


They may have just intended to get money, but they definitely spread terror. I had to have like an hour long phone call with my mother on Monday explaining why she had to go to 4 gas stations before she could get any gas, and that no the pipeline was not going to explode.


From the satire site that shall not be named: "People in the Middle East head to bomb shelters after learning that Americans are experiencing gasoline shortages."


Could it perhaps have been the use of the word 'terrorism' in news reports that prompted her fear of the pipeline exploding?


Would the same apply for someone who physically took something essential to national security hostage and then demanded money?

Would that change if they, for example, demanded the release of prisoners of a specific political persuasion?


Terrorism has to have some ideological agenda, which is what makes it dangerous - I doubt you'll see suicide bombers for hire.


Not more than once, anyway.


Only the ones who are bad at it.


Money can certainly help influence someone to wear a bomb vest, they don't need to actually believe in the cause. There could be someone out there that specializes in finding people in vulnerable financial situations that wouldn't mind blowing themselves up if it meant that their family was well taken care of.


> Would that change if they, for example, demanded the release of prisoners of a specific political persuasion?

How would that not be classified as a political motive?


"Would that change if they, for example, demanded the release of prisoners of a specific political persuasion?"

Yes.

"Terrorism is, in the broadest sense, the use of intentional violence to achieve political aims." https://en.wikipedia.org/wiki/Terrorism


Can drug cartels engage in terrorism? That seems like a useful edge case. They are not ideological but maybe you could say they have political goals.


For sure, it’s about the goals of the attack. If to cause terror, terrorism. If to gain money or advantage, crime.


Control the language control everything. Good to hear from this clear mind.


FWIW in June of 2011 the Pentagon issued a report that defined how 'cyber attacks' can be classified as an act of war. Part of the defense department review of threats against the US. However, they have to be plausibly tied to a state actor such as Russia or North Korea (to give two examples). The net result was that the Pentagon considers military response (both kinetic and cyber) as legal and sanctioned ways to respond to cyber attacks.

Generally though, the Justice department defines terrorism to be "the unlawful use of force and violence against persons or property to intimidate or coerce a government, the civilian population, or any segment thereof, in furtherance of political or social objectives"

These ransomware attacks fall in the middle. They are 'deniable' by state actors as just crooks who happen to be within their borders. They certainly don't push any social objective other than to enrich the criminals. So that leaves them under the jurisdiction of law enforcement.

I have read anecdotal evidence that there are the equivalent to "Letters of Marque"[1] for Russian criminals who attack enemies of the Kremlin. They wouldn't completely qualify as the Russians aren't actually in a declared state of war (this works fine for North Korea) but conceptually if you accept that criminals are gonna crim, then pointing them at people you don't like at least keeps the damage outside of your area of concern.

In this particular case, the fairly rapid take down of these guys gives me pause. One wonders if the FBI and Interpol had Colonial pay with Bitcoin that they then traced to the destination wallets. And then working backward from there to the server infrastructure. That would be an interesting capability if it exists.

[1] https://en.wikipedia.org/wiki/Letter_of_marque


In the book Ghost Fleet, a billionaire obtains a letter of marque to go hijack a Chinese space station that is shooting down US satellites.


Reading about the Letter of Marque was fascinating! Can you share your evidence of the Russian version in use today?


I'd like to lean towards keeping terrorism defined essentially by intent--namely, the intent to use asymmetrical, threateningly or actually destructive, and emotionally activating ("terrorizing") means to manipulate a body politic or society towards a desired change.

If serious ransomware attacks are being conducted by state actors with the sole intent of causing damage, and we want to use powerful terminologies to describe them, "acts of war" seems a reasonable start.

Yes, this is semantics--but some of my concern here is that just freely tossing around "terrorism" gives cover for organizations not to be diligent in at least attempting to secure their networks and digital assets.


You could treat ransomware attacks with the same seriousness as terrorism since the practical effects are similar, but the key point of terrorism is that it is politically motivated. So a terrorist group could launch a ransomware attack, but not all ransomware campaigns are terrorism.

The meanings of words is important; rational discussion is impossible when people shift commonly-accepted meanings and definitions to suit their agenda. It's an extremely common strategy in politics. And the word "terrorism" already received more than its fair share of this treatment quite thoroughly in the decade following 9/11.


IMO terrorism is a "waffle word" that doesn't really have any meaning anymore. Originally a use of violence and intimidation against civilians in pursuit of political ideology, it's come to mean "people we don't like, who aren't state actors and don't fit conventional organized crime narratives."

I don't think it's necessary to staple the term to the action in order to take it seriously. It should, however, be taken seriously as the national security threat it is. For instance, climate change is a national security issue but oil executives, while distasteful, aren't terrorists.

I agree that many folks in the tech community (and especially here, though I don't know if they're overrepresented here) treat technology as platonic. That's not going to cut it moving forward. Technology that enables bad things in the world should be curtailed even if it's "neat."


To your point these folks seem pretty well defined as organized crime. Or possibly foreign military if appropriate.

I'm not sure leaving infrastructure hanging out in the breeze can be compensated for by cracking down on personal liberty, however. Unless you're proposing cutting off international computer network integration.


It’s a scare word and has always been. Like “conspiracy theory” its purpose is to stop thought and prevent thinking. It’s easily replaced with real words with concrete meanings. Are mass shootings terrorism? Since it’s a widely used scare word to describe generally “bad acts towards groups of people” I think ransomware fits, but so does a lot of graffiti. Maybe it’s better to quibble over terms than to talk about how Bitcoin is responsible.


The original definition did not require the target to be civilians. Suicide attacks against the military were called terrorism too.


Originally it's terror for terror's sake to disrupt society, not for individual aims, is my understanding.


"Intentional threats to national security" are not ipso facto terrorist acts, but they should be addressed with the same level of severity.


Agreed. To call it terrorism would water down the meaning of the word.


That reasoning is really dumb. It's like saying school shootings are the ultimate stress test on a local police department. They sure are, but nobody in their right mind should ever argue that getting real world experience with one is ever a good thing.


> I got downvoted for saying that maybe it's time to treat serious ransomware attacks (infrastructure, security, health, etc.) as terrorism - as in the sense that they're a threat to the national security.

A precise definition of terrorism tends to be difficult to pin down (mostly due to the difficulty of considering what is a legitimate asymmetrical warfare tactic by a nascent liberation movement versus an illegitimate terrorist act). But a general rule of thumb is that terrorism is a) violence b) directed at civilian populations c) to effect policy.

However, there are threats to national security that are not terrorist in nature; gang warfare in Mexico and Central America would be an example of such a threat.


> I got downvoted for saying that maybe it's time to treat serious ransomware attacks (infrastructure, security, health, etc.) as terrorism - as in the sense that they're a threat to the national security.

Well... yes? That isn't a sense of the word "terrorism".


As far as I'm concerned, ransomware attacks essentially fall into the same classification as highwaymen, bandits, and pirates. We tend to take those pretty seriously. Or at least, we did once they've robbed the wrong people.

Sounds like the ransomware people finally robbed the wrong people.


We have only DarkSide's word for what happened to them. No corroboration.

Not saying it's false, but the story doesn't ring true to me.

They appear to be sophisticated, yet they made the newbie error of keeping all the funds in a network accessible device, rather than a cold wallet. Really?


One of the things that criminal gangs always need to be aware of is being defrauded by their own collaborators. So they often have to make sub-optimal choices on OpSec because they have to work with hostile actors.


No imagination required; this cyberattack on infrastructure masqueraded as ransomware: https://en.wikipedia.org/wiki/Petya_(malware)


I will never understand why people link to paid articles in a public forum. There are too many other reliable sources for that exact info for anyone who isn’t wealthy to pay for dumb sites like that.


Fair enough, I just wanted to find an article that explained NotPetya. But wikipedia does a fine job.


You need to consider the motivation. Were the hackers just looking for a victim with deep pockets that would want to just hand over the money as soon as possible or were they actually looking to bring down a major pipeline? Giving the victim the chance to recover once the ransom is paid seems like it was more about the money. The attack could just have easily deleted everything from the network and totally crippled Colonial.


> I got downvoted for saying that maybe it's time to treat serious ransomware attacks (infrastructure, security, health, etc.) as terrorism - as in the sense that they're a threat to the national security. But this kinda shows the response I was referencing to.

Terrorism has a legal definition, and something affecting national security is not the determining factor in calling something terrorism.

"Terrorism includes the unlawful use of force and violence against persons or property to intimidate or coerce a government, the civilian population, or any segment thereof, in furtherance of political or social objectives." [1]

[1] https://www.law.cornell.edu/cfr/text/28/0.85


I'd say ransomware is much closer to "piracy" than terrorism, but totally agree that this incident shows there's not much distance between this and cyber terrorism. (Even if it's just criminals accidentally throwing themselves into the spotlight.)

For say a nation engaging in cyber war, this could be flipped around: attacking basic infrastructure but disguising it as smaller groups of criminals trying to make a buck. Not sure how effective the disguise would be, but it could obviously do some serious damage.


The definition of terrorism isn't a "threat to national security". For example, your country could do something evil and wrong, grievously and unjustifiably violating the interests of an entity with a military, and be deservedly subject to military action, constituting a threat to national security. That wouldn't be "terrorism", it would just be "military action".


Treating more and more attacks "as terrorism" has its limits. The US may have awesome offensive cyber attack abilities but stopping widespread ransomware requires systematic security, not threatening the bad guys, since there will always be more bad guys.


> I got downvoted for saying that maybe it's time to treat serious ransomware attacks (infrastructure, security, health, etc.) as terrorism - as in the sense that they're a threat to the national security

Um. Terrorism is basically never a threat to national security.


Threats to financial centers and satellite offices of major intelligence offices that are part of the US intelligence apparatus such as in 9/11 are definitely threats to national security. Not sure if you were being sarcastic?


That's an outlier as far as terrorism goes. And even 9/11 harmed US power only by causing it to spend trillions in Iraq.


"terrorism" is an inconsistent categorization of things that we should just stop using.


Serious side effects, yes. I am homeless and live in my van in North Carolina and having to ration my gasoline waiting for the idiots to stop hoarding.

These people thought they were sticking it to the man but they were actually sticking it to people like me.


I'm sorry for your situation. I'm living the RV life myself. If there is anything I can do to help, let me know. (In Virginia)


I am getting close to homeless, and know people who never thought they would be without a home who are very scared.

I wish Biden realized how hard homelessness can be. Cities, and towns, need to stop ticketing vehicles that are parked overnight, and used as residences. I would like to see any federal, state, or local land, set aside for the homeless.

Hang in there.




"Please don't sneer, including at the rest of the community."

https://news.ycombinator.com/newsguidelines.html


Some downvoting can be truly surprising, and one factor may be because HN is much more international, while I think of it as "American". It is Y-Combinator, after all.

Funny fact - one way to get down votes on HN is to say something negative about that shit-tier human Peter Thiel. Apparently becoming rich off of venture capital makes you automatically a good human being.


Terrorism is a non-state use of violence for political aims.

Ransomware is non-state, not violent, and is done for economic, not political aims.


> non-state > economic, not political

There’s a well known phenomenon of a certain large nation harbouring cybercrime gangs and keeping them on the government leash. Their economic activity benefits the government's political agenda. Ergo all conditions are true.


There's also a well-known phenomenon of large nations harboring multi-national corporations that break the law in other nations they operate in.

That doesn't mean that the large, developed nations in question are engaging in organized crime.

Taking advantage of regulatory arbitrage does not mean that their government is in collusion with them.

If it did, then we could pile a lot of crimes at the feet of Western governments. Some mining firm violently puts down a strike in Central America? Clearly, we can conclude that Canada/the US is engaging in terrorism! [1]

[1] https://digitalcommons.osgoode.yorku.ca/cgi/viewcontent.cgi?... [2]

[2] 28 Canadian companies, 44 deaths, 30 of which were targeted extra-judicial killings. Are we going to lay those at the feet of Parliament, too? [3]

[3] Or do we have one set of standards for Russia, and another for our own behaviour?


There is no sense to your comparison when you’re putting a criminal enterprise (which exists to do harm and harm only) and legitimate business into the same bucket.


A 'legitimate business' that occasionally dabbles in murder is also a criminal enterprise.


Agree to a certain extent - executives in such companies need to pay the price for their actions, whether involved directly or via a proxy.


> Ransomware is non-state

Are there no ransomware operations linked to North Korea? I was under the impression that there was some level of activity there to maintain supplies of globally-usable currency.


Last I heard, they were more oriented toward cryptocurrency trojans and botnet mining operations, but I could be mistaken.


North Korea is... A special case, and it is still quite unlike any other country in the world.


That’s true of the US, Russia, and China too.


None of those countries has the government responsible for all economic activity that happens through the internet.

The Great Firewall is, likewise, not remotely similar to the restrictions placed on internet access in North Korea.


True, if that’s the point you intended to make.


The fact that their coins were apparently easily stolen also debunks another favourite talking point of the crypto people that it secures your money from government access. Clearly, ways and means have been developed to do just that if necessary.


Or one of the members of the criminal gang ran off with all the cryptocurrency and then made a public post claiming some form of law enforcement seized the crypto.


This. Exit strategy all along. Or they were sloppy enough to get monitored accessing the coin wallet and exposing their private keys/passwords.


Haha, exactly this. The crypto meme is "I lost it all in a boating accident".


According to the blog post, they said their payment server had been seized. The payment server must hold or have send-access to a Bitcoin wallet if it can make payments. By seizing their payment server, they also seized the Bitcoins.


They seem to be trying to operate under new rules.

That's not what you do if you just stole everyone's money / should run...


It's exactly what you do to give yourself plausible deniability. You have to play the part.


Oh, somehow failed to see your post before writing mine. The perpetrator of the "all for myself" starting the state actor claim themselves makes even more sense! Why anger your partners when you can just point a finger elsewhere?


Or maybe they all did.


> debunks another favourite talking point of the crypto people that it secures your money from government access

In order to seize someone's cryptocurrency, the government has to literally seize the private keys used to sign transactions. This could be as easy as seizing computers containing the key but it could also be as hard as torturing people until they reveal their seed phrase.

They can't simply order the banks to freeze people's assets. They have to physically go there and try to seize them. This puts a limit on the scope of their operations. It's just like surveillance: encryption makes dragnet espionage harder but it's still perfectly possible for a target to be attacked directly.


There are other possibilities - for example they can maintain a list of tainted coins, and declare them illegal to transact. This can then be enforced at the level of exchanges.
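The exchange-level enforcement described above, as an added example that is not part of this thread or of any project mentioned in it: a small taint-propagation check over a UTXO-style transaction graph. The ledger, transaction ids and addresses are all constructed for the example (hypothetical, not real chain data), fees are ignored, and the two propagation rules (the value-weighted "haircut" and the all-or-nothing "poison" rule) are the common textbook variants, not any exchange's actual policy.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Tx:
    """One transaction in a UTXO ledger (values in satoshis, fees ignored)."""
    txid: str
    inputs: tuple[tuple[str, int], ...]    # (prev_txid, vout) outpoints being spent
    outputs: tuple[tuple[str, int], ...]   # (address, value) outputs created


# Constructed sample ledger in spend order; every txid and address is
# hypothetical. tx_ransom and tx_clean have no inputs and stand in for
# funds entering the graph from outside the sample.
LEDGER = (
    Tx("tx_ransom", (), (("addr_listed", 100_000_000),)),
    Tx("tx_clean", (), (("addr_other", 40_000_000),)),
    Tx("tx_split", (("tx_ransom", 0),),
       (("addr_a", 60_000_000), ("addr_b", 40_000_000))),
    # one input traces back to the listed address, the other does not
    Tx("tx_mix", (("tx_split", 0), ("tx_clean", 0)),
       (("addr_c", 100_000_000),)),
    Tx("tx_deposit", (("tx_mix", 0),),
       (("addr_exchange_deposit", 100_000_000),)),
)

# Hypothetical sanctions list: the address the ransom was paid to.
SANCTIONED = frozenset({"addr_listed"})


def compute_taint(ledger, sanctioned, method="haircut"):
    """Return {(txid, vout): taint} for every output in `ledger`.

    haircut: an output inherits the value-weighted share of tainted input
             value (60% tainted inputs -> 60% tainted outputs).
    poison:  any tainted input makes every output fully tainted.
    Outputs paid directly to a sanctioned address are always 1.0.
    The ledger must be in spend order: inputs refer to earlier transactions.
    """
    taint: dict[tuple[str, int], float] = {}
    value: dict[tuple[str, int], int] = {}
    for tx in ledger:
        total_in = sum(value[op] for op in tx.inputs)
        tainted_in = sum(value[op] * taint[op] for op in tx.inputs)
        if total_in == 0:
            inherited = 0.0            # funds entering from outside the sample
        elif method == "poison":
            inherited = 1.0 if tainted_in > 0 else 0.0
        else:
            inherited = tainted_in / total_in
        for vout, (addr, val) in enumerate(tx.outputs):
            key = (tx.txid, vout)
            value[key] = val
            taint[key] = 1.0 if addr in sanctioned else inherited
    return taint


def screen_deposit(ledger, sanctioned, txid, vout, threshold=0.10, method="haircut"):
    """Exchange-side check: block a deposit whose taint exceeds `threshold`."""
    t = compute_taint(ledger, sanctioned, method)[(txid, vout)]
    return {"taint": t, "decision": "block" if t > threshold else "credit"}


if __name__ == "__main__":
    for m in ("haircut", "poison"):
        print(m, screen_deposit(LEDGER, SANCTIONED, "tx_deposit", 0, method=m))
```

The point of the mixing transaction in the sample is the policy choice it forces: under the haircut rule the deposit arrives 60% tainted, under the poison rule it is fully tainted, and a threshold set on one rule behaves very differently under the other. Either way the check only works for a transparent chain; it is exactly the kind of graph walk that a privacy coin is designed to defeat.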


Doesn't work for privacy coins like Monero. The US treasury tried to sanction a Monero address and ended up blacklisting a transaction hash instead.

https://www.treasury.gov/ofac/downloads/sdnlist.txt

> Digital Currency Address - XMR 5be5543ff73456ab9f2d207887e2af87322c651ea1a873c5b25b7ffae456c320;

Note the lack of the 0x prefix. Here's the transaction on the block explorer:

https://localmonero.co/blocks/search/5be5543ff73456ab9f2d207...


Sure but we’re talking about Bitcoin here.


I don't see anywhere that the coins were stolen by the government. It could have been done by an insider from the group who had access to the wallet and 1. transferred to himself, or 2. the damage and attention was too much for one of them and some ethics kicked in and he ratted out the group to the government and gave them his access, or 3. the group got scared from the attention and stopped their operation and is lying about the seizure, because at this point we don't even know if anything was seized at all; that info comes from the criminals, which is hard to trust, and wasn't confirmed by official reports yet.


Hey, if you can’t trust anonymous cyber extortionists, who can you trust?


This is the most puzzling part of the story. These guys were evidently pretty skilled. I can see their servers being seized but I am struggling to figure out how they lost their currency. Did the Kremlin put a gun to their head and say “unlock the wallet”? This seems especially fishy.


> Did the Kremlin put a gun to their head and say “unlock the wallet”?

You ask that like it seems implausible. To me, given what we know, it sounds light-handed for them.

https://www.nytimes.com/2016/03/30/world/europe/russia-chech...


It takes less skill than you might imagine to buy ransomware on the black market and deploy it. You don’t need to write it yourself, you just need to handle the extortion side of things.


I can see plenty of governments doing exactly that.

https://xkcd.com/538/


There are billions of dollars of value in BTC sitting in wallets as an open bounty for anyone who can hack private keys.

So which of the following is most likely:

- the government has a tool that can break private key encryption and used it to confiscate a hacker group's funds

OR

- whoever controls the group's wallet transferred it out and is on the run


OR

Someone got a little sloppy on their payment processing server (also seized) or with maintaining separate wallets and control of that server allowed sending of payments to an account specified by whoever was in control - likely since the server was for paying affiliates.


Right, which has nothing to do with blockchain security itself, and more to do with implementation of private keys.


If you store your coins on a hard drive there's nothing the government can do to get them right? They would need your private key and your hard drive?


Opinions are my own.

There is something called the "gun test". The crypto on an encrypted hard drive is not more secure than the gold bars in a locked safe. Its security is a function of how the secret holder responds to gun-on-their-head events. In this case, since the government is directly involved (and angry), a lot of criminals may pick personal safety over assets.

Frankly, I think a large portion of cryptocurrency proponents are overly confident in its "decentralization" and "safety". Cryptocurrency is only as safe as gold bars in a locked safe; and worse if you use a public exchange.


In the bitcoin space it’s colloquially known as the “$5 wrench attack.”

All the cryptographic, air gapped security hardware doesn’t matter if someone can beat the keys out of you.


Also perhaps a fair reason for some part of taxation. Owning millions in .*coin, and the ability to freely wander around in a first world country while not getting hit with a wrench has a whole lot of value.


Indeed, something I've tried to communicate to wealthy friends and family is that a higher tax rate, used halfway effectively, means you don't have to live in a gated community, in fear. You can roll around in your Ferrari, live where you want, and be reasonably safe.


> "used halfway effectively"

That's usually the problem that people who pay a lot of taxes have with the taxes.


And a better economy means your stocks and business ventures will do better.


I've heard of this security that comes from a bit of taxation phrased as "guillotine insurance".



This is why all crypto arguments end in “world peace” or a Bitcoin nation state which is centralization. The end game never makes sense.


This is commonly referred to as Rubber-hose cryptanalysis:

In cryptography, rubber-hose cryptanalysis is a euphemism for the extraction of cryptographic secrets (e.g. the password to an encrypted file) from a person by coercion or torture[1]—such as beating that person with a rubber hose, hence the name—in contrast to a mathematical or technical cryptanalytic attack.

https://en.wikipedia.org/wiki/Rubber-hose_cryptanalysis


Julian Assange and a couple of others developed a file system called Rubberhose to avoid this problem. All of the filesystem structures, data, and free space are indistinguishable from noise without the decryption key. The system always sets up some portion of the filesystem as unusable space that's initialized to noise. This space may contain another Rubberhose instance, which would also have some unusable space in it.

If you're tortured to keep revealing keys to deeper and deeper volumes, eventually you're going to hit a point where there are no more volumes, but you can't prove it.

I think the original threat model was someone willing to torture you, but willing to accept plausible deniability once you'd revealed some moderately sensitive information.

In reality, if someone is willing to torture you a couple volumes deep, there's a good chance they're going to just keep torturing you forever. Rubberhose may still work in this model, since in theory the promise of avoiding torture loses most of its power. The downside is that once you format a partition with Rubberhose, you're resigning yourself to being tortured forever.


While I tend to agree with your argument, there is a difference: crypto is safe if no one knows it exists, or rather no one can link ownership to owner.

It's very hard to do this with gold.


So you accrue wealth and can never use it. What’s the point?


Plenty of ways to use crypto wealth. It isn't that hard to go from accessing Tor on a public WiFi to, say, cashing out $100k in physical cash.


I think you're missing the point entirely. The government can't seize your virtual coins, but the only point of money is to spend it on actual goods, which the government definitely can seize.


How is this different than burying gold?


A. You can store redundant copies in various secret locations.

B. To bury gold you must transport the valuable property in meat space to your hiding spot after acquiring it. With cryptocurrency, you hide the secrets before they have value and transfer the funds to them without new data actually traveling to the hiding spot, electronically or physically.


If you anger a sufficiently powerful nation-state, you should assume all options are on the table for recovering you, your hard drives, and your keys.


Hiding crypto from the government entails in large part avoiding taxes, yet it seems like the government does not do much to recover lost taxes on current schemes such as fiscal paradises and so on. I doubt the government would go as far as locating a hard drive and seizing it just for tax purposes. Something else must raise their flags for them to go that route. Also this route is very hit and miss in my opinion and on a case by case basis.


"Does not" and "cannot" are two different things.

My read is that tax enforcement failure is intentional, lubricated by political donations and influence, vs incompetence.

See the high-net-worth enforcement group at the IRS that was quickly shut down for murky reasons.


> They would need your private key and your hard drive?

Most people serious about cryptocurrencies have not trusted computers/hard drives for years. They use "hardware wallets", which are HSMs with a very small attack surface. It's not impossible that hacks happen, but there's a gap so wide between "a Windows 10 computer running some Bitcoin software wallet" and "a Ledger Nano S hardware wallet" that it's basically two different worlds.

Think a Yubikey (with a tiny screen) to cryptographically sign your transaction.

The $5 wrench attack still works, but compromising your private key(s) by "logging every OS keystroke in the name of telemetry" or "using one of the tens of JavaScript 0-days from today" doesn't.

The idea behind these cryptocurrency hardware wallets is that ANY computer you connect them to is compromised (which is precisely why you're using a hardware wallet) and that, yet, that's not a problem.

I have to say: it's not a bad way to think about computer (in)security.


Note that hardware wallet attacks tend to get published at least once per year, but so far most/all of them have relied on physical access. Not just sending some buffer overflow via the USB link, but actually opening up the device and messing with capacitors or something.


How can one trust the hardware keys though? The manufacturer/supplier could have installed a backdoor (very reasonable to do, as people paying for these keys are likely to have something valuable).


Unless you're located inside of a foreign military installation, there aren't many places to put a hard drive that the government can't get to.


put the contents on the cloud


In general, you store the keys to your coins, not the coins themselves. Everything is inside the blockchain, and the blockchain makes it possible to be sure that you have what you should have, thanks to consensus.


Based on Snowden's stories you can assume that they went ahead as an FBI/CIA national security threat, which could mean fast access to ISPs and using zero days they do have.

If that's not enough and anyone of them is in the USA they do have access

Can your wallet be hard to crack? Yes, but either use your zero day to get all data including a password, or book a little bit of supercomputer time for brute forcing.

They might have linguists available to help out with a dictionary attack.

As aluminum-foil-hat as this might have sounded pre-Snowden, that's how it could have played out.


As someone else said, you do not store coins anywhere, they are derived from the public ledger (block chain).

What you store is your private key.

Your private key was generated together with your public key, and your public key is, well, public.

So the question is, can someone re-generate your private key?

In theory, yes, it is possible. In practice, it takes a very very long time.

But sometimes flaws are found in the generation process, like a weak pseudo-random number generator being used, which significantly reduces the solution space, and then it becomes feasible.
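A toy illustration of that last point, added here as an example and not taken from the thread or from any wallet's code: a secp256k1 private key is just an integer below the group order N, and its public key is N-times-infeasible to invert only while the integer really carries ~256 bits of entropy. The `weak_private_key` function below is a constructed flaw (a non-cryptographic PRNG fed a 10-bit seed); `recover_weak_key` is the audit check that shows why such a key is only as strong as its seed space. The curve arithmetic is written out in plain Python so the block runs offline.

```python
"""Added example: why a weak PRNG in key generation shrinks the search space."""
import random
import secrets

# secp256k1 domain parameters (the curve Bitcoin uses)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def _point_add(p1, p2):
    """Affine addition on y^2 = x^3 + 7 over GF(P); None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None  # p1 == -p2
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def scalar_mult(k, point=G):
    """Double-and-add: returns k * point."""
    result = None
    addend = point
    while k:
        if k & 1:
            result = _point_add(result, addend)
        addend = _point_add(addend, addend)
        k >>= 1
    return result


def public_key(private_key):
    """Public key = private_key * G; this is the 'public' half the comment refers to."""
    return scalar_mult(private_key)


def strong_private_key():
    """The right way: OS-backed CSPRNG over the full range [1, N-1]."""
    return 1 + secrets.randbelow(N - 1)


SEED_BITS = 10  # constructed flaw: the entire key depends on a 10-bit seed


def weak_private_key(seed):
    """Constructed flaw: a non-cryptographic PRNG seeded from a tiny value."""
    rng = random.Random(seed)
    return 1 + rng.getrandbits(256) % (N - 1)


def recover_weak_key(pub):
    """Audit check: can this public key be reproduced by walking the seed space?

    Returns (seed, private_key) when it can, else None. Walking 2**SEED_BITS
    candidates takes seconds; walking 2**256 does not, which is the whole point:
    the key's effective strength is min(seed entropy, 256 bits).
    """
    for seed in range(1 << SEED_BITS):
        candidate = weak_private_key(seed)
        if public_key(candidate) == pub:
            return seed, candidate
    return None


if __name__ == "__main__":
    victim_pub = public_key(weak_private_key(300))  # constructed victim key
    print("weak key reproducible from seed:", recover_weak_key(victim_pub)[0])
    print("strong key: ~256 bits of search space; weak key:", SEED_BITS)
```

The same check, run against `public_key(strong_private_key())`, walks all 1024 seeds and returns `None`: nothing about the curve changed, only the entropy that went into the integer.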


If you store your coins on a storage device not connected to a computer, maybe. As long as the government does not have access to the computer/phone the storage gets connected to, at any one time.

With state actors, you have to assume they have access/backdoors to most modern computing devices, and that device has to connect to the internet only twice - feds activate the backdoor and give it instructions, and have the device send the requested info back to the fed.

Minix being the most popular operating system, thanks to Intel-backdoor-on-a-chip, is only the tip of the iceberg.


AES-256 is as strong as the decryption key. Even as few as 7 words from a 2000-word dictionary should thwart any attackers. A slow KDF makes it all but impossible.
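Putting numbers on that comment, as an added example rather than anything from the thread: the entropy of 7 words drawn from a 2000-word list, the 32-byte AES-256 key that PBKDF2-HMAC-SHA256 derives from such a passphrase, and the expected brute-force time with a raw-hash guess rate versus the measured cost of one KDF derivation. The one-nanosecond-per-guess attacker rate, the 600,000 iteration count and the salt are constructed inputs for the comparison, not figures from the page.

```python
"""Added example: passphrase entropy vs. brute-force cost, with and without a slow KDF."""
import hashlib
import math
import os
import time

SECONDS_PER_YEAR = 365.25 * 24 * 3600
AES_256_KEY_BITS = 256


def passphrase_entropy_bits(word_count, dictionary_size):
    """Entropy of word_count words chosen uniformly, with replacement, from the dictionary."""
    return word_count * math.log2(dictionary_size)


def effective_key_bits(word_count, dictionary_size):
    """The AES-256 key is only as strong as the passphrase it is derived from."""
    return min(passphrase_entropy_bits(word_count, dictionary_size), AES_256_KEY_BITS)


def derive_key(passphrase: str, salt: bytes, iterations: int = 600_000) -> bytes:
    """PBKDF2-HMAC-SHA256 -> 32-byte key suitable for AES-256.

    Every guess an attacker makes has to pay for the same `iterations` of HMAC,
    which is the 'slow KDF' effect the comment describes.
    """
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, iterations, dklen=32)


def expected_bruteforce_years(entropy_bits, seconds_per_guess, parallel_guessers=1):
    """Expected time to hit the right passphrase: on average half the space is searched."""
    guesses = 2 ** (entropy_bits - 1)
    return guesses * seconds_per_guess / parallel_guessers / SECONDS_PER_YEAR


def kdf_seconds_per_guess(iterations=600_000):
    """Measure the cost of one derivation on this machine (this is what an attacker pays per guess)."""
    salt = os.urandom(16)  # constructed per-volume random salt
    start = time.perf_counter()
    derive_key("timing probe only", salt, iterations)
    return time.perf_counter() - start


def compare(word_count=7, dictionary_size=2000, raw_guess_seconds=1e-9):
    """Raw-hash attacker (constructed rate: one guess per nanosecond) vs. KDF-bound attacker."""
    bits = passphrase_entropy_bits(word_count, dictionary_size)
    kdf_cost = kdf_seconds_per_guess()
    return {
        "entropy_bits": bits,
        "effective_key_bits": effective_key_bits(word_count, dictionary_size),
        "years_raw_hash": expected_bruteforce_years(bits, raw_guess_seconds),
        "years_with_kdf": expected_bruteforce_years(bits, kdf_cost),
        "kdf_slowdown_factor": kdf_cost / raw_guess_seconds,
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name:>20}: {value:,.3g}")
```

The seven-word passphrase lands near 77 bits, so the "AES-256" volume is really a 77-bit secret; the KDF does not add entropy, it multiplies the attacker's per-guess cost by whatever one derivation takes on their hardware relative to a bare hash.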


relevant xkcd: https://xkcd.com/538/


I mean it feels almost cliche to post this at this point: https://xkcd.com/538/


> another favourite talking point of the crypto people that it secures your money from government access

Credibly threatening repeated 51% attacks against Bitcoin is well within any G7 member’s budget.


Actually this ignores the fact that bitcoin uses ASICs now, and every ASIC built for bitcoin hashing is probably already hashing.

Semiconductor production can't be scaled up instantly, so 51% attacks require seizure of assets.

Even if the USA purchased every single CPU, GPU, FPGA, and ASIC made in the next month, it's unlikely they will have more than 10% of the network or so.

To seize the majority of the hashpower, they'd have to seize Chinese miners, which require either US-China cooperation or a world war.


I mean it doesn't require ASICs, it's just inefficient not to, right? Shouldn't it be theoretically possible to mount a 51% attack with conventional CPUs (or GPUs), just a lot more of them? I have no idea what kind of computing resources various major states have, but I wouldn't completely write off the possibility that they have enough CPUs to throw at the problem.


Bitcoin is currently 170 exahashes per second, or 170 x 10^18.

The latest and greatest Intel i7 can do maybe 30 MH/s.

You would need more than all cpus produced in history. I can believe G7 secretly having a third of total known CPU compute.

I can't believe G7 secretly having multiples of all known CPU compute.


And be wanting to reserve it all for a longer period of time to disrupt the Bitcoin network.


They can certainly do it for any "ASIC resistant" coin


That's the point that got me thinking about the likelihood of a very different real story that might be going on. What if some individual or subgroup just ran away with the hoard? Some subcontractors/mid-level data henchmen could have tried to press compensation by threatening to release victim keys, and then a combination of disbelief, unwillingness to accept having gotten fooled by a peer and dreams of spy story grandeur conjuring up a fantasy about state involvement that they eventually believe themselves. Or at least like better than the alternative.

I don't consider that the most likely scenario, but something in the willingness to declare defeat got me into "what if" mode.


Or it didn't happen and this is just a story being told.


As the old xkcd comic notes, no amount of mathematically-proven security protects your encrypted data if the private keys can be beaten out of you with a lead pipe (or, the cleaner version of that, "If you can be incentivized to hand them over given the alternative of jail time that lasts until you divulge your computer's password to the authorities").


so which is it then?

"BTC is bad cause it can be used by drug dealers to launder money"

"BTC is not even secure from government access"

Surely someone will point out both can be true but the point is the anti-btc folks seem to be talking out both sides of the mouth


I think it's both: people who have something to hide from the government can make it pretty hard (but not impossible) for the authorities to track them down. On the other hand, average people who don't have "anything to hide" have no reason to bother implementing these counter-measures, making it fairly easy to track their transactions on the public blockchain.

In this case even the pros messed it up, but this is a very high profile case with undoubtedly a massive amount of manpower thrown at it in various agencies. You don't mess with USA's oil.

And even then it's unclear if the money was actually confiscated.


> Surely someone will point out both can be true but the point is the anti-btc folks seem to be talking out both sides of the mouth

Can you explain how you reach this conclusion? It doesn’t seem to follow.


A talking point on the dangers of Bitcoin and cryptocurrency is that it can be hard to trace bad actors using the network to launder money. The comment I replied to was stating "debunks another favourite talking point of the crypto people that it secures your money from government access."

Both of those seem pretty hard to be true at the same time


> Both of those seem pretty hard to be true at the same time

That’s what doesn’t seem to follow.

Cash, for example, is hard to trace if the serial numbers haven't already been recorded, and good for money laundering, but it doesn't secure your money from government access if the government puts resources into it.


> Surely someone will point out both can be true but the point is the anti-btc folks seem to be talking out both sides of the mouth

The most beautiful being: "The cryptocurrencies scam should all stop but, please, let us collect all the due taxes on the gains you made".

From that standpoint which one is it: are they legal or illegal? Because it's funny that they both want it to be illegal, yet they want people to pay taxes on the gains they made.

Hypocrites.


Not hypocritical at all. From a legal perspective even illegally made money is money made and therefore subject to taxation. Technically you even have to describe the means by which you have come by it. Otherwise you are committing tax evasion. For example, if you sell 100k worth of access to documented child abuse, you have to pay taxes on those 100k. That's why you have to launder money made from illegal activities.


No.

It just demonstrates that they're incompetent.


This doesn't really improve the optics. If anything it makes it worse: if very technical people who clearly want to escape government oversight can't, what hope would my 60yo "I think Windows and Word are the same thing" father have to use them correctly?

Beyond all the technical discussion about the value of cryptocurrencies, I never believed that the idea that everybody would carry their cryptocurrency wallet with them at all times was in any way realistic. People would get their wallet stolen, destroyed or lost all the time, locking them away from their savings. The vast majority of people will prefer having the peace of mind of entrusting their coins to a third party who'd handle the technical details and provide insurance against loss and theft. And just like that we've reinvented banks.


Banks are fine if they're optional. The sheer option of being your own bank forces banks to be more competitive.


I think the point of the parent commenter is that they are not optional for most people.


The more cynical part of me thinks the key is not which side of the company was attacked, rather the fact that it was an OIL company. The US has basically an unlimited budget and resources to go after organizations that mess with its oil supply.


I think the question is, how come an attack on a hospital does not have the optics of an attack on infrastructure?

(It almost seems oil does not require infrastructure - you can, theoretically, prep for an oil infrastructure outage by storing it in containers, same as you do with water and food. But you can't really prep for a medical infrastructure outage. Is it just that, as a result, there were no photos of people hoarding medical care and so there was less political will?)


> I think the question is, how come an attack on a hospital does not have the optics of an attack on infrastructure?

An attack on a hospital affects someone if they work there or are using that hospital. A pipeline attack affects people who drive cars places and need gas. The latter group is much larger than the former.


More apt comparison would be:

Hospital affects workers who work there and people using that hospital VS Pipeline affects workers who work there and people currently refilling their cars with gas from there

Or

Hospital affects workers who work there and everyone within a radius who could need it at any moment VS Pipeline affects workers who work there and people who generally rely on that gas to drive

Suddenly the groups seem much more similarly sized, with one being important for staying alive VS the other being a nice-to-have, if we consider it being offline for a week or two only.

I know which one I would consider worse if I was a country. But then we're also talking about a country whose fascination for oil is like no other, so this is hardly surprising.


I mean, the pipeline in question provides half of the gas to the US East coast. You don’t have to love oil to see that losing 40% of the supply to more than 100m people overnight would be a public safety (what if emergency vehicles can’t buy fuel?) and economic risk.

The number of people reliant on this pipeline is several orders of magnitude greater than would be impacted by taking a single hospital offline. You’d need to have many hospitals impacted to create a similar level of risk. The only big difference is that taking out hospital infrastructure can kill people immediately whereas the impact of a pipeline failure won’t generally be felt for days or weeks.

Edit: Based on your other response it sounds like we are on the same page.


Yeah, I understand this and agree with you. Compare one of the biggest oil pipelines in the country with one hospital, of course one will be worse than the other.

But if you instead compare 40% of the hospitals going offline VS 40% losing access to gas, with similar conditions, I think the mortality will be higher by attacking hospitals. I think the government could probably somehow logistically ration oil if shit really hits the pan too, so essentials can keep running. Probably a worse situation with hospitals, even though the military could probably help out there a bit.

That's why it's weird to not react when people are attacking hospitals, vs oil pipelines. But as said before in my other comment, maybe not too weird.


I guarantee if a ransomware attack shut down 40 percent of the hospitals in the United States at the same time, we'd have an Iraq War situation on our hands.


If 40% of the hospitals shut down, the majority of people would not notice if you somehow kept it out of the news. It would be a disaster for those who need a hospital right then, but the average person doesn't even visit a hospital once a year.

The average person fills their gas tank once a month, so they are much more likely to notice personally.


Sure it's "nice to have" unless it does go on longer and suddenly nobody can get to the stores to buy food and the stores don't have any food to sell because the trucks that deliver it can't get fuel.


Thanks for expanding, that was exactly what I meant. Ok for a smaller duration, while a hospital without functioning equipment is almost useless (compared to its original status) immediately.


Oil is flowing constantly and continuously into every corner of the country. The storage capacity is negligible and the need is critical. Unlike a single hospital there is very little room to shift excess capacity relative to usage and the knock on effects are potentially catastrophic (we lose power to every hospital in 500 miles and nobody can run the generator).


Destroying logistic infrastructure is how you defeat a country. Petroleum is critical to the functioning of modern economies; if you cut that off, things go badly. They really kicked the hornets' nest on this one.


Indeed: I have to think it was not a planned or desirable outcome to anybody.

If the intended situation is to be able to (for instance) set up a coup attempt on the target country, have it come off well enough to produce chaos, and THEN have your tame cybercriminals knock out key infrastructure, that would be an extremely effective act of war.

Freaking people out while not destroying the target country is a bad, bad misstep. They did indeed kick the hornets' nest, but so ineffectively that the best response would be to try and cover the whole thing up and pretend it was nothing. Might work for some, but I doubt the US government is amused.


I think the point people are missing is that hospitals don't just stop providing services when they are hit by ransomware, at least not in my admittedly limited experience. There's a ton of paper involved even today and life could move on with ballpoint pens and forms.

The game was changed when Colonial closed the valves and services were impacted.


There is actually a counterexample to this that is happening right now. The Scripps hospital system in San Diego was hit with ransomware about two weeks ago and has been more or less down since then. Patients are not able to make new appointments, medical records are unavailable. My understanding is that doctors are still seeing patients if they have existing appointments, but surgeries are getting performed at other hospitals in other health systems.


And downtime procedures. They’re not perfect, but like pipelines, they existed and operated before computers.


Hospitals themselves aren't really "infrastructure." All hospitals can operate independently from each other, so holding one for ransom only affects the one. If you can actually shut down a pipeline, you affect everywhere it ships to.

Hospitals obviously do rely on infrastructure, so you'd see much more panic if someone could disrupt a national supply of blood plasma or insulin or something.


In addition to the other comments, there's a difference in scale here. Shutting down _a_ hospital would be like shutting down, say, several dozen gas stations in one part of a city. That would not have a lot of national visibility either. If they simultaneously shut down every hospital between Texas and New Jersey, it would have national optics.


Oil does require infrastructure. What you put in your car is several steps removed from what is pumped out of the ground.


I think the parent's point was that if oil infrastructure is completely disrupted, consumers won't even be affected for a few days and the short-term consequences will be somewhat minor (some percentage of drivers won't be able to drive, deliveries may be delayed).

If a hospital is shut down, then people will start dying immediately. The consequences are much more direct and severe.


I think this is simplistic and overlooks logistics and flexibility.

If a hospital closes, patients can be moved. If there's no gas, patients can't get to any hospital.


At least in the cities I've lived in, there tends to be a lot of internetworking in the local hospitals. If my local hospital, CRMC, were to be hit by ransomware or otherwise taken down it's likely that a good chunk of the city's health infra would be out or at least at risk too. Not to mention the damage an attacker could do to the data stored in an EHR system like Epic.


My point (which wasn't well made, admittedly) is that a closed hospital has immediate and material effects. Disrupted petroleum infrastructure isn't going to affect consumers for days.


What if you attack the hospital in the middle of, lets say a covid outbreak, where no excess capacity is available. Now you've likely caused a significant number of deaths.


Hospitals without IT don't just kill all their patients and shut down. They slow down and lose capacity and capability while the relatively low-tech business of doctoring continues.


lolwut? this is insane. If oil infrastructure is completely disrupted it would be beyond catastrophic. Oil is completely foundational to our economy


Critical Infrastructure as Govt defines it

https://www.cisa.gov/critical-infrastructure-sectors


I'm not sure what point this comment is trying to make, according to CISA emergency services are a critical infrastructure sector. Therefore attacks on hospitals are attacks on critical infrastructure just like a pipeline.


  Five distinct disciplines compose the ESS, encompassing a wide range of emergency response functions and roles:
* Law Enforcement

* Fire and Rescue Services

* Emergency Medical Services

* Emergency Management

* Public Works

Emergency Medical Services ≠ Hospital


I agree with you that an attack on a hospital is an attack on infrastructure, though I disagree with your arguments regarding oil infrastructure.

The difference in response is a matter of impact scale. Usually, the infrastructure of a small group of hospitals is at stake. This time an entire state is hoarding gasoline. Both are infrastructure, but the latter is causing nationwide effects.


A single hospital is not major infrastructure. We can operate medical services out of tents if necessary.

Oil pipelines that serve everything from energy to transportation to manufacturing are far more integral to keeping all aspects of society running for magnitudes more people.


Implicit in your question is the idea that the reason there was a stronger response here was because of optics—because a large mass of US citizens demanded it.

I think a more likely answer is that optics had little to do with it. Attack a hospital and you've got angry hospital administrators mad at you. Attack an oil pipeline and you've got billionaire oil executives and shareholders who have much of the US government in their pocket mad at you.

You really don't want to anger people who can buy US elections.


Because when you attack oil it will be considered as an act of war and they will counter with their war powers. Which they did. No civilian police action against Sergey followed, but military style seizures, bitmix closure and Bitcoin retrieval. This was not the FBI, but their criminal higher ups. Military style, with no civilian oversight.

Which is somewhat disturbing, because first, the industry is still considered more important than civil services (city councils, hospitals). And second, they will still continue using Windows services in their backbones. I have nothing against using Windows as frontends, but in the backbone of a critical company it's criminal negligence. Easy to hack, no backups, untrained admins with no idea about security. Wasting billions on theatre, and not on working servers, groupware and email.


I hate Windows with a fiery passion and use Linux top to bottom on all my projects and devices, but I have to disagree with you. Windows can be quite secure, as is evidenced by the last several decades of most corporate and military IT systems using it. Not having backups and untrained admins are platform-agnostic security issues.


It was an attack on infrastructure. Motives don't matter. This is no different than physically breaking the pipeline and saying you were just testing the material strength, it's the same outcome and will have similar consequences.



> business side of the oil company

What are the sides of any company other than "business"?


I think parent may mean infrastructure side. If it had just attacked the office side of things, it would be the usual 'company infected with ransomware' story without affecting the public.


The truly cynical take is that they managed to take down Colonial's billing. In response, Colonial shut down the pipeline - because obviously delivering oil without getting paid is out of the question.

Yes, it's guesswork and pretty extreme conjecture but it has just the right amount of coldheartedness to it: https://zetter.substack.com/p/biden-declares-state-of-emerge...


The Colonial Pipeline Is Finally Back Online and Pumping Gas https://www.thedrive.com/news/40583/the-colonial-pipeline-is...

> New details from within Colonial Pipeline have come to light surrounding the decision to shut off supply. Those briefed on the matter have suggested that fuel flows were shut down due to the company's billing system being compromised. Company officials were reportedly concerned that they would not be able to accurately bill customers for fuel delivered, and chose to stop delivery instead.


I hope they will be hit with massive fines. That sort of reasoning should be absolutely unacceptable... Billing system going down should not take down critical infra...


Billing/reservation systems going down would take down logistics in many infrastructures, whether it's pipelines, airlines, trucking or anything else.


> should be absolutely unacceptable... Billing system going down should not take down critical infra

It’s a privately financed, constructed and operated pipeline. I don’t see why they should be obligated to operate without getting paid.


When you become critical national infrastructure, the calculus changes. For any company in that position, their NUMBER ONE priority is to keep operating and providing their deemed essential service.

Colonial obviously have done well in certain ways: their business side and operational side are decoupled. Business side got hit with a major IT problem - and the damage was contained. Pipelines kept working as intended. That's good operational planning, and they deserve credit for it. They were perfectly capable of, quite literally, keeping the lights on for 100M people.

> It’s a privately financed, constructed and operated pipeline. I don’t see why they should be obligated to operate without getting paid.

Because they are critical infrastructure. Colonial are entitled to their profits as long as they keep their side of the bargain: supply oil and fuel for those 100M people who critically depend on them.

This is where the role of regulation comes in. Make it the critical supplier's responsibility to ensure that they supply. If they lose their billing capability, that's their problem. Not their customers'.


The real villain was capitalism all along?!

Who's been messin' up everything...


The more charitable take on this is that if one system is compromised, there's a high chance others may be, so if you have safety-critical systems and you're not absolutely certain they were properly air-gapped from the compromised system, shutting them down may be the safest course of action.

In truth both factors probably played a role in this case, perhaps also with a hefty dose of "our software literally can't run if billing is down because it was never designed to handle that".


They don't actually own the oil they're pumping, right? So if their billing was compromised to the point that they don't know what oil needs to be pumped where, they had a legal duty to refrain from pumping it willy-nilly.


Shouldn’t they have a paper-based/offline downtime procedure for this?

(Oh shit, everything just went down, turn on the generator, go plug that printer and laptop in, and print off all the reports of where we were from the offsite/offline/whatever backup).

What did they do before computers?

Failing to plan is planning to fail and all.

I like the idea of monthly planned downtimes where possible so people don’t run around like a headless chicken when things go down. No different than a fire drill.


> Shouldn’t they have a paper-based/offline downtime procedure for this?

If they did, I would expect their employees to be out of practice with such methods since they weren't working that way day-to-day. Unless they're running regular "all computers are down"-drills to keep their employees sharp, downtime was probably inevitable.


Hence the monthly planned downtimes. Some organizations require you to take your vacation time every year, and it’s partly because they want to make sure they know how to operate without you.


While watching the USSR collapse in real time, I noted a reporter say the core of the breakdown was inability to issue paychecks to bureaucrats. No pay = no bureaucracy = no government.

I've long wondered if that really was the case, seemed absolutely sensible...


My understanding is they did limit the attack to the office side:

> After Colonial Pipeline reported that its corporate computer networks were hit by the ransomware attack, the company shut down the pipeline as a precaution due to a concern that the hackers might have obtained information allowing them to carry out further attacks on vulnerable parts of the pipeline.

https://en.wikipedia.org/wiki/Colonial_Pipeline_cyberattack


Business side manages financial transactions. Sales, accounts receivable, accounts payable...

Operations side performs whatever services the business side has committed to.


Yup. This falls under the idea of “optics”. Often HN tends to dismiss it in favor of logic: “well, the problem is actually quite small”. What matters is the perception of the problem.

Just like with The Silk Road. Once it became large enough and Ross started to taunt the authorities to find him, the police had no choice. Its continuing existence chipped away the legitimacy of the authorities; they had to shut it down just to maintain appearances.

Just like this ransomware. Keep it small, it’s not worth going after. Start screwing with the economy and the govt goes from 0 to 10 very quickly.


It was a mistake to attack overtly. I believe $5 million can be easily drained covertly and inconspicuously from megacorporations.

I'm pretty sure it's actually happening we just don't hear about it.


There’s a huge network of financial controls to prevent and detect this sort of thing, it’s one of the foundations of the fields of accounting. Often there are departments looking for fraud regularly.

I suspect small or medium organizations rather than megacorps would be easier targets if they haven’t invested money in accounting controls.


A $5m covert negotiation with the USG has a decent chance of securing the desired payout.

Plenty, if not all, corporate level financial controls will be bypassed by the executive branch showing up in suits.


I don’t think the criminals wanted it overt. They weren’t expecting the pipeline to be shut down which is what made everything public.


It didn't work in Office Space.


You do know office space is fictional, right?


I thought it was a documentary?


I don't know that it is. You should have seen my last workplace.


>Servers were seized (country not named)

>gave the US an opportunity to show how effective it could be

unless you know something we don't, that's quite a conclusion to jump to


Ripping off the average middle America Jack and Hortense is one thing - start impinging on CNI and you're playing big boy and girl games.


>It also gave the US an opportunity to show how effective it could be when it had the political cover to do so.

Not sure what you mean, what did the US do exactly?


These guys retweeted the story. They didn’t claim responsibility but it’s a tacit acknowledgment of their involvement. https://en.m.wikipedia.org/wiki/780th_Military_Intelligence_...

https://mobile.twitter.com/TheRecord_Media/status/1393192862...


Wow, their motto is “ubique et semper in pugna” - everywhere and always fighting. Scary platform.


Pretty sure they're not the only ones out there doing that


> This created the impetus for the US to treat this as an incident far and above the ambient ransomware activities leading up to this.

And why would you say this is desirable to the US? Just general "governments take advantage of crises to gain power" reasons?


What? This makes no sense.

The hacker group attacked resources considered "critical infrastructure"; this was closer to an act of war than any other cyber attack has come. The US Cyber Command responded swiftly.

> "governments take advantage of crises to gain power"

Please, elaborate? I fail to see how the US Govt is taking advantage of this crisis for more power.


Without breaking down my reasoning (which was pretty half-baked and underthought)--I was just trying to understand the OP's point.

OP used all kinds of language we associate with governments doing sketchy stuff: "what could be sold as reasonable doubt to shut down the pipeline"; "created the impetus" ("impetus" is often used to claim the real motivations were something else); "political cover"; etc.

I just didn't know how else to interpret all the cloak-and-dagger language about the US's behavior. Personally, it seems to me like our response was pretty reasonable. I think the "government takes advantage of crises" line of argument only goes so far, and at its extreme leads to dumb stuff like 9/11 truthers.


Russia allows their FSB operatives to moonlight on the side. Darkside hackers could be government operatives and an attack on critical infrastructure is an act of war. It is the same as bombing the pipeline if infrastructure is disabled. I am sure the cyber insurance provider won’t pay and will say it was an act of war by a foreign government. It's always a grey area.


Do you have any extraordinary evidence for these extraordinary claims?


Why have them moonlight as hackers when you can get third parties to do what you want? I don't believe for a second that it's an elaborate conspiratorial scheme directed from the top.

It's the same as domestic operations here in the USA: GRU comes up with ways to run loosely controlled groups that are accomplishing roughly the same ends. It's about making the battle space more confusing and unpredictable, and it's been going on for quite some time, very successfully. The soldiers don't report back to central control: they're NOT controlled, they're just loosely directed.

This would be the same. The hackers doing this don't have to be direct agents here, they're sheltered by the Russian state and only need to have some indication of where and what to strike. It's one-way communication, and it's possible to get the desired feedback through things like Facebook and Google Analytics (by paying for it like any ordinary customer).


It's pretty clear that the Russian Gov is not actively prosecuting cyber criminals, provided they attack foreign competition. On top of that, there is a fair amount of forensic data indicating shared resources between hacker groups and GRU operatives.


> On top of that, there is a fair amount of forensic data indicating shared resources between hacker groups and GRU operatives.

Go on


You could start to look at the spread of Diskcoder.C across several attacks and the shared code with ExPetr and NotPetya... This forms the basis for the DOJ indictment against 6 officers of GRU Unit 74455.

There is much more if you care to go down that rabbit hole.


Oh nonsense, that was well established to be an edit of the binary. It’s obvious the GRU didn’t have the source code. The idea that this was an example of the GRU working with criminal hackers is plainly ridiculous.

https://blog.malwarebytes.com/threat-analysis/2017/06/eterna...

Why call it diskcoder.c anyway? It’s Petya


The entirety of the Cold War between the USA and USSR?


There's plenty of evidence that the USSR engaged in espionage activities. There's plenty of evidence that the Russian Federation has engaged in the same thing. Neither of those is what is being alleged here.


Very few doubt that FSB and Russian mafia are one.


Even if it's true that very few doubt it, that doesn't mean it's true that they are.

See also: https://en.m.wikipedia.org/wiki/Argumentum_ad_populum



those few are all here downvoting you?


It's not possible to bring "extraordinary" evidence of a 3 letter agency doing this kind of shit the way some HN user would want without ending up as a political prisoner somewhere learning all about the meaning of the word "pain". Nevertheless, I have no doubt that FSB operatives are allowed to moonlight.


The United States Department of Justice has not exactly been shy about charging operatives of foreign governments for their illegal activities online (e.g. OlympicDestroyer, Solarigate). As far as I've been able to determine, neither their prosecutors nor the FBI agents doing the investigating have had the problems you so colorfully describe. If it were the case that this type of moonlighting was happening, I think the FBI would have been bringing cases to court. That would constitute evidence.


They have. Here is a well known example from 2017 [1]:

During the conspiracy, the FSB officers facilitated Belan’s other criminal activities, by providing him with sensitive FSB law enforcement and intelligence information that would have helped him avoid detection by U.S. and other law enforcement agencies outside Russia, including information regarding FSB investigations of computer hacking and FSB techniques for identifying criminal hackers. Additionally, while working with his FSB conspirators to compromise Yahoo’s network and its users, Belan used his access to steal financial information such as gift card and credit card numbers from webmail accounts; to gain access to more than 30 million accounts whose contacts were then stolen to facilitate a spam campaign; and to earn commissions from fraudulently redirecting a subset of Yahoo’s search engine traffic.

Here's what the Treasury had to say about it in April [2]:

To bolster its malicious cyber operations, the FSB cultivates and co-opts criminal hackers, including the previously designated Evil Corp, enabling them to engage in disruptive ransomware attacks and phishing campaigns.

More about Evil Corp etc. in [3].

[1] https://www.justice.gov/opa/pr/us-charges-russian-fsb-office...

[2] https://home.treasury.gov/news/press-releases/jy0127

[3] https://apnews.com/article/business-technology-general-news-...


Remember when Emotet was believed to be connected to Russia? Until January of this year, when it turned out it was actually Ukrainian.


> The REvil representative said its program was introducing new restrictions on the kinds of organizations that affiliates could hold for ransom, and that henceforth it would be forbidden to attack those in the “social sector” (defined as healthcare and educational institutions) and organizations in the “gov-sector” (state) of any country. Affiliates also will be required to get approval before infecting victims.

Statements like this seem to point to ransomware activities being far more coordinated and "business-like" than they often get credit for.

I do wonder if ransomware is (in a strange way) a(n illegal) free-market response to what is perceived to be an under-valuation of tech skills - aggrieved people who can carry out attacks and gain access to deploy ransomware are likely to be able to earn more through this route, even factoring in their "risk of being caught".

If a market correction occurs (ransomware becomes a real fear, organisations rapidly start to value security skills more and pay "megabucks" for the skills and hire them at-scale), the risk/reward of being caught starts to mean access brokers reduce in number, and the compensation reaches a free market equilibrium (accounting for the "getting caught" risk of criminal activity).

A lot of the time I still see people trying to hire entry-level people into live/ operational security roles, without the experience they'd need. I wonder if this is partly due to a desire to cut costs, rather than accept the need to pay rock-star compensation?


> seem to point to ransomware activities being far more coordinated and "business-like" than they often get credit for.

This is a business that actually provides better support than a regular business.

From conversations with friends in the Infragard side of this, and the agencies that collaborate, they have 24/7 English support available before and after payment, as well as decryption remote support if you can't get your files decrypted... there are also instances of refunds if they can't decrypt your files due to technical issues.

Unlike regular businesses, support is a sales channel since it's the way to ensure you get paid so a lot of resources go to support activities in these "organizations".


> This is a business that actually provides better support than a regular business.

The thing I find fascinating from a sociology perspective about ransomware is that they have to. To be a successful ransomware company, you have to simultaneously be:

1. Completely immoral enough to attack companies, hold their data ransom and potentially put them out of business and reveal the private details of thousands of people.

2. Able to create enough trust in the company you attacked that they believe you will give the data back once they pay you.

It is crazy that they are psychologically savvy enough to simultaneously attain those directly conflicting goals.


In a cynical telling this is how you start a government or any organization with a monopoly on violence, à la mafia. First you make it clear that you can cause damage, then you make it clear that taxpayers are safe. The next step for ransomware companies is to offer cyber security services, whether you want them or not. We've hacked you. We fixed your crappy unpatched software; if you try to remove us you lose all your data, so now we're your cyber security partners.


or any self-identified 'disruptive' business model really.

step 1: "join my disruptor gang and we'll protect your lifestyle/income/status in exchange for tribute, or at least not becoming a disruptee yourself."

step 2: end up eventually recapitulating the exact same system you disrupted, but now you get all the spoils of the incumbent power


There are many businesses operating on the legal side of things which I find immoral, but would trust to act consistently in certain ways…


I don't think these goals are very conflicting. It's not hard to imagine a criminal unwilling to lie and/or break their promise, as a matter of fact it is a common trope in works of fiction (https://tvtropes.org/pmwiki/pmwiki.php/Main/IGaveMyWord).


Yeah apparently in addition to their white label ransomware software, if you licensed their software you could also have DarkSide handle negotiations for you. 10%-25% of the ransom and in exchange you get people who have real experience handling the negotiations and have the infra in place already to remain anonymous while supporting 24/7 English language service.


Ransomware-As-A-Platform. I wonder if they got the criminal-underground equivalent of VC-funding, or if they have something like Y-combinator to fund innovative criminal approaches and promote networking -- like evil-Kirk from the mirror universe, there could be a Saul Graham with a mustache writing essays about unlocking value and what you are not allowed to say in the ransomware community.


From my (admittedly shallow) understanding, all of that does kind of exist and has for at least a few years, now. It's also existed for longer for the DDoS-as-a-Service industry. Most of it's in Russian and takes place on private and semi-private Russian forums and chat rooms/groups.

There's definitely a hierarchy to it. Any particular group may not necessarily develop or own the software or infrastructure they're using. You can probably liken it to drug markets, where there are some top-level central players and many tiers below that make up the whole supply and distribution chain. (And potentially, the absolute top-level / "The Commission" may be certain elements of certain nations' governments, in some cases, or at least closely associated with them, which further complicates matters.)

You might find this 2020 interview with a ransomware operator interesting: https://talos-intelligence-site.s3.amazonaws.com/production/...


There is investment infrastructure. Mostly informal and enforced via smart contract and multisignature transactions. Organized on forums and chat rooms.

Not much capital is needed though, and the affiliate and licensing model is better, which also just means an address is hardcoded that splits payment, or a server controls the private key (or master private key for infinite unique address creation) to addresses and automatically splits received payments to the RaaS service.

I get that was supposed to be a joke, but it's exactly the same or even more streamlined than the licit economy. There is no major distinction except the kinds of “risk factors” one might list.


I can tell you that on the same day I opened a support case with both a ransomware operator and Microsoft premier support. One of those vendors took my money and went dark. Guess which one?


> there are also instances of refunds if they can't decrypt your files due to technical issues.

I would like to hear more about this, that sounds kind of hilarious. "Ah, apologies, we'll get that back to you within 3 business days. Have a nice day, I hope you had backups"


That’s exactly how it is and has been for a very long time (half decade or more).


Yeah. If you're dealing with a ransomware org with a reputation, you can pretty much be assured you're getting your files back minutes after paying, or a refund and apology.


Maybe with Darkside, but they account for a very small amount of activity. Back in the Gandcrab days, anyone with a credit card could fire up their own tenancy, and they mostly sucked at it. They would lose the decryption keys or send non-functional decryptors. They were not interested in talking and just thought the RaaS platform would be a passive income for them.

I mostly don't do ransomware housecalls anymore, but my teammates tell me the situation has mostly not improved.


That's not support. You're not a customer. They're not providing any value. This isn't some glorified version of business, it's just organized crime.

They're available for their interests, not yours. They're actively robbing you and will be highly available to keep things moving efficiently, the same way physical bank robbers used to make sure staff were comfortable enough to open the safe and provide cover.


Of course I am... if I'm paying 5 million dollars to someone, I'm a customer.

What level of support do you get for a 5 million dollar AWS budget?


If someone kidnaps your family member and asks you to pay $5M, do you think you're a customer now?

A customer willingly pays to get value in return. Having your resources stolen (even with the option to choose between data or money) just makes you a victim.

$5M on AWS gets you $5M of services. If they didn't have to actually provide anything then they could have an entire team to talk to you 24hrs a day. But these comparisons are beyond ridiculous and you know it.


> $5M on AWS gets you $5M of services.

$5M on ransomware may have saved you either $10k or $10M on security before you had to pay out.


It's impossible to have saved anything when you've been stolen from.


When I heard that this pipeline company started advertising a job opening for CyberSecurity Advisor in the last few days, and heard today the ransom of about $5 million was paid, my first reaction was to say "I bet the salary for that position is a lot less than $5 million, and I bet the budget for that department will be less, too..."


I think you're spot-on here - the ransom is seen as a "cost of doing business", and until recently security was seen as "a problem that happens to other people".

Sadly my experience is that organisations like this will take their $5m ransom (or other remediation cost), assume it's a one-off, then divide it by their number of ransom-free years, and proclaim it was better value for money than hiring 2 or 3 senior security gurus on $300k /yr with 60 vacation days, and letting them bring in a team to deliver meaningful security.

Beyond taking security out of the hands of bean-counters though, I'm not sure how you address this. Pursuing organisations that pay ransoms and prosecuting senior CEO/CFO-type executives for conspiracy to commit money laundering (and pushing for criminal convictions) could discourage paying ransoms. If it's left to businesses as something they can write down as a "cost", I don't see it getting better - there has to be a risk to the liberty of the CEO/CFO before they'll take security seriously in my experience. 90 days in federal prison would certainly sharpen their focus in future.


Well, sometimes they're right. The hit company will likely call in some consultancy to institute a bunch of newer and better security protocols, then call it a day. If they really aren't hit again for another decade and staffing a department would cost $500k a year or more, were they wrong?

It's a gamble. It's easy to point fingers at the company that was caught out, but for the hundreds or thousands that aren't ransomed and aren't paying the extra money for security, they took that gamble and so far they've come out ahead not having spent all that money on prevention.

I'm not advocating that these companies have less security or not do better on security, but the fact is a lot of them have made the objectively correct decision for themselves, which will continue to be correct right up until they're hit, if they ever are. The whole situation is analogous to health insurance in a way, and the same incentives are at play, along with similar consequences for individual companies and all of us as a whole, as providing easy targets for these groups allows them to thrive and grow and target others.


They paid $5 million, if "it was cheaper for them," that's solid math that ignores some really important stuff though, LOL. What is the externalized cost of this crisis on the entire country? The $5 million dollar ransom is a worse deal if you can convince your board to consider that externality.

The criminal penalties for executives in leadership and board positions (and I'm not saying this is my preferred approach) would certainly go a long way toward changing the calculus of this exchange.


> What is the externalized cost of this crisis on the entire country?

One natural solution would be to subsidize cyberdefense. The political difficulty is that a rational subsidy would be proportional to the harm of an attack, which would mean giving the most money to the biggest corporations.

The best solution would be for the firm to raise their prices the very small amount necessary to cover the expense, and for consumers to tolerate the expense because they know it's worth it. But a pipeline is a natural monopoly, presumably charging a monopoly-optimal price that (correctly) assumes a populace ignorant of such concerns until it's too late.


> What is the externalized cost of this crisis on the entire country?

If a business externalizes the cost, does it matter to them?

Civil penalties levied by regulators will drive the change that matters.


> If a business externalizes the cost, does it matter to them?

I mean, yes? Maybe not before next quarter's revenue statement, but eventually it will have to start to matter?

If your dog goes and craps in the yard every day, you eventually have to clean it up or you will get flies in the yard, and if you have to open the door or leave the house at all then sooner or later you will have flies in the house, it matters, yes. It's really not any more complicated than that.

If you are responsible for dumping toxic waste out the back door of your factory, it's only a matter of time before it's in your drinking water at your house, a couple of miles down the road. Externalizing a problem doesn't really get rid of it, just makes it someone else's problem (for now at least.) Those other people are real people, and they will find you.


But if you're a monopoly (a competing pipeline isn't likely to spring into existence any time soon) and the courts aren't inclined to impose particularly harsh penalties, business as usual will remain your optimal moneymaking strategy.


Which is also why they need a $15-50 million dollar fine on top of this.


I'm curious about the potential legal basis for such a fine.


SOX. SOX mandates that you have reasonable controls to secure financial information and it appears they didn't. Every SOX audit I've been through has an IT security portion.


Even better, they will take the cost of their Insurance Deductible, and then do those calculations. Most businesses have insurance for this stuff.


Interestingly, it looks like (some) insurers may be responding to this.

> In an apparent industry first, the global insurance company AXA said Thursday it will stop writing cyber-insurance policies in France that reimburse customers for extortion payments made to ransomware criminals.

https://www.insurancejournal.com/news/international/2021/05/...


And DarkSide has stated they target businesses with that insurance. It's smart. They were hosed the moment Colonial's infosec (or whomever) recommended closing the valves on the pipelines. Until that moment they'd been doing reasonably well (for criminal scum).


The cost of shutting down this pipeline for a week is a lot more than 5 million. At 3 million barrels per day going through it, in 6 days that's 18 million barrels. At $65/barrel that's 195 million worth of oil that didn't transit and it probably has huge knock-on effects throughout the affected regions (things that didn't ship, trips not taken, etc).


I believe it was a gasoline pipeline, so the price per barrel is a lot more than that.


Well, if it's more expensive to prevent the attack than to pay the ransom, what's the point? ;)


I know you're saying this in jest, but that's the calculus.

The outcome here shows that executives made the right call. The $5MM fee was easily paid, less than the costs of security, and the insurance company will probably cover it anyway. And the government/people were so outraged that the attackers were met with fucking swift justice.

The company will probably get some grants or something to cover the cost of "securing their infrastructure." Never let a good crisis go to waste.


I wasn't really saying it in jest. The ";)" was more of an "oh, the horror" signifier, meaning I don't really think it's great that the cost-benefit analysis here is so short-sighted.

Any employee choosing to spend millions to avoid the cost of a heretofore unencountered cyberattack would be making a strategic decision, while probably not being empowered to make decisions at that level. So they do not take action.

Bureaucracies do not take visionary action. They stay the course.


Which is why the company needs a significant fine for failing to secure infrastructure.


This is why it's a problem. What's the point is the business side, but when taken as a whole, this type of infrastructure is too important to the country as a whole.

Everyone wants to make the calculation and hope it's not them, but if it's everyone at once, or there is no ransom option, it's a completely different ball game. This is a situation where we are asking private companies to take responsibility for something outside of a profit motive and the results are somewhat less than surprising.


Until the attacks get more expensive. Some companies never settle lawsuits even when it is obvious they will lose in court. As a result they only have to deal with courts in cases where it is obvious they will lose, since no lawyer will bother with a case that isn't obvious. (The end result is about the same lost overall - when they lose they tend to be punished in court for not settling.)


They did get some free help from the US amplifying all of this and the media essentially tying DarkSide to the pipeline shutdown (even though they likely only set out for the business side).

Maybe now utilities going to the US for a similar reason will be in everyone's DR/IR plan (even if Colonial didn't reach out to the US admin).


Expecting the company to continue operating after freezing data on the "business side" seems strange to me.


I think you're right - as I said on a sibling comment, if beans are all you count, and bean-counters rule the roost, you can write this off as a one-off, and point out you had 30 years without a ransomware, and therefore we don't need to do anything...


That's surely how it would be represented in order to retroactively justify negligence.

But a more precise calculus would take into account that (1) the proliferation in ransomware is recent and explosive, and (2) getting hit by one ransomware group doesn't mean a second group won't strike soon. (Although I'm guessing the second wouldn't be allowed to use the same ransomware-as-a-service platform, as that would harm the platform's reputation.)


Now that they've outed themselves as an easy mark, should be simple to hit them again and demand more money. At some point it'll be less expensive to improve their security infrastructure.


Ransoming Colonial basically put Darkside out of business. No one is going to hit them again.


Their stuff may have been seized, but their business model has not to my knowledge been invalidated. Ransomware is not a capital-intensive business. A new generation of ransomware groups will quickly spring up to replace DarkSide.


Or, so they say... We really don't know enough to say anything here. It might just as well be that whoever controls the funds at Darkside pulled an exit scam.


TBH I was shocked $5 million was all it cost.


I imagine it went something like this

"OK, now that you have our attention, and the eyes of the entire international media apparatus are on us, here's how we're going to do this. We're going to send some integer number of million money dollars down this pipe, and you're going to turn that gas pipe back on like you said you would.

Then here's what happens next... we're going to give you an integer number of minutes running head start before the drone strikes start raining down on these 12 sites we've identified as likely candidates for your location, ... now how many millions was it that you were asking for from us again?"

Doesn't really matter how much it was, either, if it has really been seized already in less than 24 hours. Was it enough to convince the boss guy or gal to take the bait and risk revealing themselves? (Probably not, but IMHO that wasn't likely to happen anyway, at least not since the heat started getting turned up on them all.)


There is basically a zero percent chance that the US knew where they were physically.

The servers that were claimed to be seized were on cloud platforms.

And even then, we don't know if this is true or if it's just an exit strategy.


It's easy to say "basically zero chance" when we're armchair quarterbacks and not the ones in the hot seat.

I'm inclined to agree that our cyber-security apparatus is not up to the task, but it's also true that nobody has perfect OpSec (and I'd guess there are few out there who have deeper pockets to track down and make sure the perpetrators regret this than the combination of US government + oil companies).


This isn't the first such attack. You can bet the big agencies worldwide have been aware of ransomware and investigating. They have been putting evidence together. It only takes a few of the right mistakes on the part of the criminals for them to be figured out. In the long run the advantage is to the police because they can keep looking.

If you want to be a criminal who gets away with it you really need exactly one big action, and at most a few tiny practice runs before the big one. Choose your target well because once the big one is done you have to be done. (and don't do anything copycat - investigations to get the first guy might find you instead)


> nobody has perfect OpSec

Yep. Compromised people on the inside, informants, "intensive interrogation" etc. are more likely the way, as has always been the case.

Also the agencies that would know who these people are would not want to reveal what they know in order to save random XYZ Corp's bacon. With this being seen as a "critical infrastructure" attack and something closer to an act of war/terrorism, the stakes got higher.


There have been hundreds of ransomware attacks. How many of them were arrested? Many of them caused more damage than this one.

The US government has a long reach, but even they cannot do anything to you if you are in Russia, for example.


This is a huge fantasy. The attackers are likely not in the US.

The USA threatening to rain drones on Russia is just going to get laughed at. Nuclear war isn't breaking out over darkside.


Yeah yeah, and if you are the one on that phone call at that time, then you are welcome to call the bluff. Gulp

Putin already denied responsibility and Biden apparently accepted that, so we wouldn't be attacking the Russian government. Wink


> “We are apolitical, we do not participate in geopolitics, do not need to tie us with a defined government and look for other our motives [sic],” reads an update to the DarkSide Leaks blog. “Our goal is to make money, and not creating problems for society. From today we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future.”[1]

[1] https://krebsonsecurity.com/2021/05/a-closer-look-at-the-dar...

Yeah, just dirtbags making money.


Sounds like they're about to get rolled up by law enforcement as well. As someone who's had the full force of a three letter agency come down on me, this is not something you want to deal with on any level. I was lucky. I was young and dumb and got a slap on the wrist.

Times have changed and when govt agencies see this as an attack on critical infrastructure, you're looking at some serious jail time. I would say it's only a matter of time until they're tracked down. When you're being hunted like that, the govt works 24/7 and never stops. People on the run don't have that luxury.


Thanks for sharing your experience. Not to dig too deep into details, but what would you say your primary motivation was in your 'young and dumb' days? Were you curious about it, was it a statement, was there an allure?


For me it was about making a statement.

I had gotten into an argument with a professor on a discussion board. He used derogatory terms to refer to me, which pissed me off. I sent him a virus that was supposed to just damage files and delete some random files. It turns out it propagated onto their main network and crashed the entire university's network.

Suddenly, you feel untouchable (even though the virus had gotten out of control, which I didn't mean it to do). You feel like you can do anything and are beyond the reach of law enforcement. I'd never done anything like that and you felt really powerful, in control. You now had this idea if someone slights you, you have something to shut them down and they can't reach you.

Then the feds show up in your class, bring you to a windowless room on campus you didn't even know existed and start threatening you with jail time while they question you. This happened in the late 90's and the CFAA was still really new and DA's really didn't know how to apply it. I was pretty lucky for sure. The stuff they were threatening me with was like interference with interstate commerce, identity theft, stuff like that. They gave me the old, "You have a bright future kid, don't fuck it up." speech at the end. That was enough to scare me straight so to speak. I lost my campus network access for a year, which sucked, but the whole experience was enough for me to stop doing what I was doing.

It was just in time too, because you saw during the early aughts, the feds really started going after hackers. They started using the broad powers of the CFAA to put some really high profile people in jail with some pretty hefty prison times. To this day, I still look back and feel like I dodged a bullet there.


> It turns out it propagated onto their main network

> the virus had gotten out of control, which I didn't mean it to do

This isn't just a whoops, how do you "accidentally" create a virus that leaves the boundaries of the computer and traverses their network?


A stupid mistake a script kiddie makes when playing with malware you're not familiar with.

I copied an existing virus someone had given me. The last part of the virus was to multiply and seek out any other computers attached to the network and delete and damage the files on those computers as well. I didn't know that. When it damaged the professor's PC, he was using it on his home network, so he said there was only one PC it infected.

When he got back to campus, he sent the email to the network team (a group of students and professors) and they tried testing it out on a group of PCs. They thought the PCs were sandboxed. Turns out they weren't. The next 24 hours the virus rampaged and pillaged PCs attached all over the network. I'm still not sure how it eventually crashed the network. All the people involved refused to tell me exactly how it crashed their network - they said they didn't want me encouraging others to do it, so I was never told the full story.

To this day, I'm still not sure what happened, but it had to be bad enough to call in the Feds, right?


Off the top of my head: Mounted network drives

Save the malware there, then anybody on the network with access can run it.


Already-mounted SMB?


This is better than most rich businessmen, actually. Many don't care if they create problems for society, if it means more money for them.


They are, of course, lying. They don’t want the extra attention that comes from attacking public infrastructure or affecting large numbers of people.

Nobody cares if you sabotage a random small business. Lots of people care when you attack a fuel pipeline. Attention is bad for this business.


> I do wonder if ransomware is (in a strange way) a(n illegal) free-market response to what is perceived to be an under-valuation of tech skills - aggrieved people who can carry out attacks and gain access to deploy ransomware are likely to be able to earn more through this route, even factoring in their "risk of being caught".

Sure. In the same way that mugging people is a response to undervaluing “beating the crap out of people and taking their money” skills.


It's been said before:

"When the system fails you, you create your own system."

Which relates to what you're saying. When clever, intelligent people are ostracized and marginalized, they then use those skills to get illegally what society has prevented them from getting legally.

At some point, the idea of getting caught doesn't even register anymore.


Were these people ostracized and marginalized?

If we just paid engineers more would this type of crime disappear?

Or is greed, ego, arrogance also a part of their actions?


>> Were these people ostracized and marginalized?

We probably will never know. A lot of hackers turn to hacking because of various reasons - some ideological, others because they felt they didn't fit in anywhere else.

>> If we just paid engineers more would this type of crime disappear?

Probably not. You cannot get rid of one type of crime by simply paying people NOT to do it. It is what is - at no time in human history has any civilization had zero crime. That's regardless of punishments and financial incentives.

>> Or is greed, ego, arrogance also a part of their actions?

I think it's different things at different times. When I was hacking, it was arrogance, thinking I was smarter than others and trying to prove it. That leads to thinking you are beyond law enforcement when you get away with it (ego). If you're into it solely for financial gain, then the other two feed your greed. Get one nice payout for your ransomware and now you think it's easy to do and you'll never be caught - increasing your greed to get more.

They all kind of play into each other:

arrogance: "I'll never get caught."

ego: "They'll never catch me, my OpSec is too good for law enforcement."

greed: "This was too easy, next time I'll target a bigger company for a bigger payout."


> When clever, intelligent people are ostracized and marginalized, they then use those skills to get illegally what society has prevented them from getting legally

Ehh, maybe. Or maybe they’re just bored sociopaths who get thrills looking for a big score.


> Statements like this seem to point to ransomware activities being far more coordinated and "business-like" than they often get credit for.

It's just digital Privateering - Francis Drake with a laptop.

> If a market correction occurs...

The English solved it by expanding their Navy and enlisting those who would otherwise pirate. Seems like as good a solution as any here.


I thought privateers were state sponsored (I thought that was the distinction from piracy?). Which sort of makes the comparison to ransomware potentially more apt/thought provoking?

In any case, disparity of opportunity is what breaks trust and therefore collaboration. The world needs to universally operate in the ballpark of fairness or we are all at risk in the long term. (This comment is also influenced by the undervalued tech resources thought).

Edit (sorry, some more thought while fixing typos): When the disparity of opportunity is at state level there are privateers and wars, when at a personal level there are muggings and burglaries etc.

*This is all probably stupidly obvious.. but as it's against uncontrolled capitalism or classist segregation we don't seem to want to say it too much maybe?


> ransomware activities being far more coordinated and "business-like" than they often get credit for.

This is the "organized" in organized crime. It's not lone bored teenagers doing this stuff.


I think you're on to something in the context of globalization. There are many incredibly talented tech workers globally who can't get paid what they're worth because they lack access to employment with the wealthiest employers (because of strict border policies and the lack of visa sponsorship). If they had the freedom to migrate, then they might choose to seek employment in another country with a supply shortage, rather than enter the black market.


That's not really reasonable - what about replacing hacking with murder? It's illegal for a reason - and not because it's too costly to do.


I was thinking replacing hacker with scammer. After all, scammers scamming old folks are just showing a gap in online education and regulations.

Ransomware gangs aren't the vigilante heroes/embodiment of the undervalued IT security worker. They're a group of people looking to make a quick buck and don't give a damn about the harm they cause or who they cause it to.


Money can always be replaced. Lives can't be.

Most ransomware hackers are not amoral enough to go around murdering people or calling hits. Some are, but most ain't.


>I do wonder if ransomware is (in a strange way) a(n illegal) free-market response to what is perceived to be an under-valuation of tech skills - aggrieved people who can carry out attacks and gain access to deploy ransomware are likely to be able to earn more through this route, even factoring in their "risk of being caught".

Almost all crime syndicates work this way. There is a balancing point where the crime you do does enough damage to make you money, but not so much money that the government dedicates elites to come knocking on your door. What DarkSide did was veer too far in the wrong direction.


> Statements like this seem to point to ransomware activities being far more coordinated and "business-like" than they often get credit for.

They only don’t get credit for that in mainstream media. In the Cyber Security world, Ransomware as a Service (and various other malware-aaS) groups have been discussed as well organized, customer-focused entities for quite some time.

I swear this is the first time it seems the world is hearing about RaaS, which feels weird since it’s a pretty dominant model today.


> business-like

Reminds me of this negotiation: https://www.reuters.com/article/us-cyber-cwt-ransom/payment-...

Previously discussed here: https://news.ycombinator.com/item?id=24032779


Cybercrime is the market response to under utilized/paid tech workers.


> “There’s too much publicity,” the XSS administrator explained. “Ransomware has gathered a critical mass of nonsense, bullshit, hype, and fuss around it. The word ‘ransomware’ has been put on a par with a number of unpleasant phenomena, such as geopolitical tensions, extortion, and government-backed hacks. This word has become dangerous and toxic.”

I am... flabbergasted. What? Ransomware has always been a brand of extortion; it's right there in the name. Extortion has become dangerous and toxic? You have got to be kidding me. I wonder what's next for these folks. A life of simple, honest, pleasant and non-toxic crime?


I'm interpreting the statement to mean that ransomware very rapidly lost its reputation as a nuisance-crime this week.

Misplaced ransomware runs a far more substantial risk of triggering enforcement action now. Or at least that's the perception I'm deriving from the quote.


Others seem to suspect that this is a ploy. It does kinda fit the melodrama on display...

Otoh, as a kid I was into small-time mischief (pilfering candy from teacher's desk kinda stuff). I had a good sense of what would go unnoticed, but I was a bit too trusting of my friends. They'd go overboard, get caught, and I'd take the blame. So, I can sympathise with this a bit.

Without external proof, I wouldn't hazard a guess as to which it is.


I actually laughed out loud reading this. These guys are giving ransomware a bad name, ahahaha, what?!


I read it as more of a “they’ve ruined it for the rest of us” whinge.


Exactly.

It's maybe a tiny bit like SWATing before the police shot and killed one of the victims. Before, SWATers rationalized it as a prank, generally. (Of course, in reality it always was a potentially murderous prank, as most people recognized.) Once someone was killed and the SWATer was arrested and sentenced to life in prison, they got a wake-up call to the magnitude and potential consequences of their actions.

Unfortunately, in this case the ransomers will probably rarely ever face any repercussions (as long as they never travel internationally), since they live under a government that shields and permits their activities as long as the victims are far away.

They might risk getting hacked, like what ostensibly happened here, though this could easily also just be a cover story for them to disappear (and maybe retire for good) so the heat can die down. Could indeed potentially be a legitimate breach by a government or vigilante or rival, though, due to how much this story blew up.


It's absolutely that, yeah. These guys were making fat stacks licensing out their Ransomware-as-a-Service package; now, since a customer flew too close to the sun/U.S. government, they're fucked.

Tragedy of the commons? Sort of? Not really?


> The crime gang announced it was closing up shop after its servers were seized and someone drained the cryptocurrency from an account the group uses to pay affiliates.

If so, this is either:

1. one heckuva Mickey Mouse operation

2. a smokescreen

The statement never mentions Bitcoin, but let's assume that this is the "cryptocurrency" being referred to.

That Bitcoin private keys were being stored on a "server" strains credulity. There's very little reason to do so, and every reason not to.

Payments can be received and orders fulfilled by a server - without private keys. Multiple addresses can be watched in read-only mode.

The only reason for a server to hold private keys is if that server is capable of making automated payments, and that capability is a crucial part of the operation.

Bitcoin's history is littered with the corpses of people who messed up the management of their own cryptographic keys. Any reasonably competent operator would know about them and would never, under any circumstances hold private keys on a server.

Which leaves Option 2. Smokescreen. Make it look like all the loot was lost, try to throw investigators off the trail.

If so, it's a lame attempt.

One other possibility comes to mind. The ransom itself was the smokescreen.

The amount of the ransom was nothing for a company the size of Colonial. And it's about 1/10 of the annual salary of some developers. Why risk the prospect of life in prison for such a small payoff?

The reason is, of course, to make this operation look like something it's not. A Mickey Mouse band of idiots who can't manage their own private keys or servers. Lots of reasons to do this, starting with the notion that the attackers are trying to conceal their identities. And maybe that this was a test operation. Throw in the trinkets of ransom to make it look believable to the public.


$5 million is 1/10 the annual salary of some developers?


I could see 10 developers costing that much


$500,000 salary? Let me know where these jobs are because I'd like to submit my resume.


More like a $250,000 salary + benefits. Medical coverage is hideously expensive for example. Plus retirement, dental, insurance, and taxes. Still a cushy salary for a dev, but not completely out of the realm of reason.


That's definitely a high salary except for the biggest companies in the richest parts of the richest countries.

I do think the parent's point still stands though, my current salary is not nearly that high but you'd have to pay me a lot more than $500k for me to risk hacking an American pipeline. That's an insane amount of risk for a few years worth of salary (that I'll probably have to be very careful laundering if I don't want to raise suspicions).


What if you were in Russia and unemployed?


That's incentive for someone living in silicon valley to not do it, but outside of the hubs most of the United States has minuscule demand for tech workers (using that term very loosely), and the majority of the world would average out to something like "30k, but the job only exists if you live in the capital".


Senior/Staff developers/architects etc at FAANGs can command as much or more. It's a routine topic of conversation on hn. Netflix specifically is known for paying much more of it as cash than the others.

https://www.levels.fyi/?compare=Amazon,Apple,Netflix,Google,...


For experienced seniors and principal/staff engineers, this is pretty close if not below market rate. But presumably most of these engineers are globally distributed and 500k for eastern Europe is an immense sum.


A 500k isn't all that unusual in tech I feel like..

Like a senior engineer at a FANG is probably making that much or more all in.

Entry level salary for tier one firms across finance and tech is probably around 250-300k. Not hard to get to 500k with some experience.


It is very, very unusual. Unusual even in California: https://www.bls.gov/oes/current/oes151256.htm


> A 500k isn't all that unusual in tech I feel like..

> Like a senior engineer at a FANG

Becoming a Senior Engineer at FAANG is very unusual, across all tech workers.

It's doable with the right amount of work, dedication, and willingness to relocate to the right locations, of course. But it's nowhere near guaranteed or common.


It's not common but all of these aspects are within your control. Luck is surely involved too, but it's not like FAANG uses random() to pick senior engineers.

If you get your foot in the door into FAANG and work very hard, you have a decent shot. If you don't want to relocate, that's your problem. There are trade-offs in life. If you can't relocate, that's unfortunate.


> If you don't want to relocate, that's your problem.

It's not a problem, it's a choice.

HN sometimes acts like FAANG is the only acceptable goal for a software engineer, and that all other choices are somehow wrong or inferior. We really need to get past this idea that there's only a single correct decision.


Ironically, it plays off of ignorance in either option.

The DOJ could bolster credibility of itself to the ignorant by saying “that's right criminals, you can't hide” even if the DOJ never got anything.


Once I had the fortune of seeing the three cups and a ball scam live, on the street. One guy does the trick, another encourages the victim, and a third one watches the crowd disguised as a random onlooker. If something makes the onlooker nervous, he will signal the others and they will grab their things and disappear in fewer seconds than your hand has fingers.

This sudden quit seems similar, especially with the withdrawal of funds to an "unknown address", as if they closed shop and disappeared.


How does the scam work? You got me curious...


Ball gets placed under one of three cups. Cups get mixed around and people guess where the ball is for money. The ball isn’t under any of them though. The scammer palmed it.


Each round is double or nothing. The victim wins the first few rounds, but he starts losing after the scammer starts hiding the ball instead of putting it under a cup. The victim keeps doubling on, thinking they will eventually win, but it never happens.


I guess people let their guards down when the plant in the audience gets it right and wins some money, they pay less attention to the scammer's sleight of hand.


Aka "three card monte". People get tricked because they don't realize it's a team of people, not just one.

And if you notice the trick? Well, they outnumber you. You probably won't win in a fight either.


In my case, they got spooked after my wife and I moved to the side, discreetly trying to see how the guy was hiding the ball. The false onlooker tried to block our view, and when we moved a little further to the right, he signaled the others and they flew. They moved so fast that if one of them had punched me for ruining their game, I wouldn't have known what hit me.

Maybe they were ready to go anyway, but since they work in tourist traps, they probably avoid violence to attract as little attention as possible.



Why should I believe this? They can shut down their servers, move their crypto to different wallets, and pop up again in a few weeks, right?


They know that they can and will be found, and are running scared. In general ransomware works because it takes a lot of resources to find the criminals behind it. And generally there's not enough resources to do this. But once it hits a level where it creates a widespread national problem, it becomes more of an act of war. Then you get people involved that aren't just law enforcement and have tools that aren't available to law enforcement with large budgets.


Not to mention diplomatic channels to apply pressure on local governments that may have previously lacked the impetus to do anything about these groups.


Running scared though? I see this as the dash from 2nd plate to 3rd. If you're going to ditch your servers and wash your coins you might as well make it seem like you were compromised. I don't think there's any fear here as they surely must have anticipated the consequences.


I don’t understand how ransomware works at all. The address is known well in advance, so a miner knows they might face sanction of their own coins for including it in their block. Not worth it.


It's plausible that this is all a scheme to evade capture. Disband the current organization, (get rid of a few people who you've wanted to jettison anyway), and then set up shop afresh elsewhere. It sends the message to whoever's looking for you that the whole thing has been burned to the ground and there's nothing to raid or seize or shut down.


Possible, but there is too much a chance that the cops already know who you are and just need to gather evidence in a form they can take to court. By shutting down they ensure that no more evidence is gathered. By starting a new organization they can't be sure that they aren't still being watched.


I’m skeptical as well. They know they built up a little too much notoriety and want to exit the game, is my guess. A core set of people can live pretty comfortably off of the ransom here, though they’ll have a hard time laundering it.


Agreed, except why bother pop up again? They just got a big fat payment of $5m. Plenty to split with a small team. It's a good time to cash out and disappear.


Seriously! It's FIVE MILLION. That's "I don't ever have to work again" money. What is wrong with people! Probably they want Mercedes, and Rolexes, and Mont Blanc pens and all that showy consumer garbage.


$5 million spread between an unknown number of people and that needs to be laundered before it's turned into Rolexes and Mercedeses. Given the high risks it doesn't sound like a great deal to me, especially since competent hackers can usually command a fairly high salary in legit companies.


The median lifetime earnings in the US is 1.7 million, and that’s equivalent to... $20 an hour or so. 5 million is “never work again” money for a couple of people who want middle class incomes the rest of their lives... it is not really that much when spread over more than a few people.


My friend, you need to [1] travel, and [2] learn a tiny bit about investing.

First, you can live like a fucking KING for $2000/mo in southeast asia and most of central/south america. 24k/yr is 208 years. Bonus! The food is awesome, the people are great, the climate is ... nice most of the year, and the pollution is a little awful in the cities, but damn the beaches are gorgeous, and there are loads of them.

Second, ETF index funds for DJIA/NASDAQ/SP500, easily clear 5-7% per 5/yrs in BAD times; bluechip/bellwether stocks & municipal funds pay dividends that would easily clear that after taxes. Investing like a grown adult versus /r/stonks are two completely different things. I recommend you hire a CFPA (or RIA) for at least a few years as soon as you can afford it, bonus if you can do it in your 20s, it will at least set you on the right track.

Of course, once you get old and medical conditions bankrupt you that's a problem. But then you swan dive off of Machu Picchu and go out in style!!


And you need to check your assumptions if you think the likely outcome of extorting five million out of a major piece of infrastructure with your buddies would be collecting dividends on a tropical beach.

If you do everything perfectly you have a target painted on your back for life, a group of friends that all want to be the first to save their skins by giving the rest of you up, and a huge chunk of that change given away trying to launder that money well enough that you don’t get caught. Not to mention the foolishness that comes with suddenly finding yourself with a big pile of money which is easy to pretend wouldn’t affect you when there’s no chance of it actually being a challenge you’ll ever have.

Your advice to high tech thieves is to hire an accountant?

Best to find a job tending bar in a country not too friendly for an extradition and keeping the money under your mattress to hire the best lawyer you could afford to avoid spending the rest of your life in prison hoping that the CIA doesn’t make you disappear.


These people likely do not live in the US. Also, how big do you think the core team is? I would assume they're freezing out anyone who can't identify the culprits.


Darkside is likely based in Russia, where lifetime median earnings are much lower.


They're also going to lose a big chunk of that to money laundering losses. But since it is in Bitcoin it's probably going to appreciate over time. The problem is that if they fuck it up just once the record will be on the blockchain forever and they'll never be safe.


>5 million is “never work again” money for a couple of people who want middle class incomes the rest of their lives

This is ignoring the interest


Depends if the DOJ issues arrest warrants for the members in a couple weeks.


Since they aren't in the US, it is probably more of a proactive step by the DOJ to build a case for sanctions. Assuming they know what country the perps are from, which doesn't seem all that clear.


There are only a handful of countries that won't accept the US arrest warrants and turn over whoever. A few countries will demand something first, but this means no death penalty, not something that is in any way a big deal for the other country. It is semi-routine for most countries to capture and turn over criminals within the borders to another country.

That is why people bring up Russia and North Korea. Those are the two most likely countries that wouldn't. There are a few others, but not many.

Even China which in general I wouldn't trust would in this case. If China did an attack like this it would be much more targeted and they wouldn't be looking for ransom money - See the attacks on the Iran nuclear program for example: attack a target that actually matters. (those attacks were probably US or Israel, but it is the type of thing China might do).


Just like the mob there are some targets that just aren't worth it because they bring too much heat. They are learning this is bad for business all around so they are stepping back and encouraging others to do the same.


One thing that impressed me about this situation was the speed at which this was dealt with. A few hours after the attack, an executive order was signed reducing regulations around truck transport of fuel. But the next day, service was being restored. And by the end of the week, the attackers were disbanded and their assets seized.

There's a pretty clear message here that the US isn't fucking around.


If I'd just collected enough ransom to retire and never work again, I'd also put out a press release announcing I was out of business and someone seized all my shit and etc.


Darkside was a legit business. They routinely collected ransoms ten or twenty times larger than what they got from Colonial. If they were going to retire, they would have done it a long time ago.


I can't find evidence of this "routinely collected ransoms ten or twenty times larger than what they got from Colonial" claim. Colonial is rumored to have paid out ~$4mm. Every source about Darkside seems to cite a "between $200,000 and $2 million for the file decryption key" range. This would put the Colonial ransom far above their typical payout.


Didn't Colonial pay $5m? I don't think Darkside ever received a $50m-$100m ransom. Do you have any more details?


They don't have financial reports and insurance companies don't routinely disclose ransom amounts.

Darkside has opened negotiations in the tens of millions in the past [0], with an average demand in the millions [1]

[0] https://krebsonsecurity.com/2021/05/a-closer-look-at-the-dar...

[1] https://www.areteir.com/darkside-ransomware-caviar-taste-on-...


This is it. Governments have cyber abilities that far outstrip individual organizations. And when cyber fails, there are still other diplomatic and less diplomatic tools.

I wouldn't be surprised if the US Government here reached out to foreign governments for assistance in dismantling their infrastructure (it almost certainly was not on US soil).

An individual hospital probably couldn't garner that kind of backing, but oil pipelines? The US would probably be willing to use military strikes to keep the oil flowing. A small country would be very willing to help out to maintain good will.


Small countries routinely help out for cases like this. I expect the US has reached out to whatever ones were involved long ago - it is just that until now things were still in the evidence gathering stage. While the police are sometimes willing to make an example of the wrong guy - that is the exception - most of the time they try to be right which means long investigations over many attacks.


Exactly. Also not sure why everyone says Bitcoin is anonymous. It's as anonymous as how deep someone is willing to spend to uncover your address. If we are talking multiple nation states who are interested in tracking you down you are pretty much screwed.


The problem is the US doesn't have any jurisdiction over Russia, and the Russian government turns a blind eye to these activities (and sometimes works with certain cybercriminals) as long as Russian citizens aren't victimized. Not only will they not extradite, they won't do anything at all to address it. So another government would have to resort to extralegal methods like what ostensibly happened in this case, if it isn't a smokescreen. (I think either scenario is plausible.)

(This isn't some anti-Russian screed or anything; this is just one particular point where the Russian government is IMO behaving improperly. I could elaborate if needed.)


> Russian government turns a blind eye to these activities

Presumably in return for some sort of gratuity. Perhaps they decided they weren’t getting a big enough cut.


Can crypto actually be non-traceable? I remember currencies like Monero or ZCash advertising privacy from the last crypto craze.

I mean if you have 100M in some account, can you actually run it through "private" currencies to remove traces? BTC, ETH etc. all seem super traceable, even more so than in regular banking.

Also how are criminals getting their money out with no one noticing, does Panama/Malta etc. have Kraken/Bittrex equivalents with no questions asked?


Yes, up to a limit.

It's super trivial to withdraw, say, 1M. You can use https://tornado.cash/ to mix 100 ETH, there's currently around 10k such deposits, so you could do that 2-3 times to move 1M in ETH to an address that can't be tied to your previous addresses.

It's possible but no longer trivial to withdraw 10M. You could use the above method over a period of time, and some other methods.

It becomes much more difficult at much higher values. You could probably get 100M out disguised as trading profits or something. If I spent a few days thinking about it I could probably figure out ways to mix that much money on ETH, filter through DeFi apps, etc. Seems doable.

You could also just work with large exchanges that don't care. I don't know which ones are like that now, probably fewer than years ago.


You don't need to. You can send the ETH to tornado.cash. Their anonymity set is such that 100 million would take a long time, but on the order of months to withdraw. Tornado.cash has millions in total locked value in different ETH denominated pools.


Yeah I guess, as long as ETH stays around the current level.

But if you do hundreds of withdrawals from tornado, it's less anonymous, because the set of people that have deposited that range to tornado is much smaller than the set of people who did a handful of deposits. Instead of 10k, you might be one of a few dozen or less.

You could always send a million to a friend (through tornado) and have them cash out for a cut, and repeat that 100 times, if you have 100 friends. That would kill on-chain analysis.


The fact that everyone's first answer when prompted "how do we wind down this huge pile of cryptocurrency?" is convert it to fiat makes me skeptical on all the long-term ambitions from promoters.


Well you could take the ETH and stake in the beaconchain and get 8% more ETH per year (depending on staking rates). Or you could use the ETH to get a loan in DAI on Compound or Maker. Or you can buy synthetic assets like stocks on Synthetix. Plenty of things to do in the Ethereum ecosystem.


You don't do it that way. Just drop it in Tornado.cash and a few days later withdraw to a virgin crypto address. The virgin crypto address just pumps a token that you bought in another clean address with clean money prior.

You sell the token in the clean address at a massive profit and cash out under your real name and ID and even pay taxes.

Go look at any highly pumped token on Uniswap/Sushiswap/Pancakeswap and you’ll find plenty of addresses that either bought or added to the liquidity pool using funds that begin with Tornado.cash, there is no way to distinguish the nature of the transaction from simple observation. All blockchain technology is heading to parity with the privacy afforded by traditional banking, without the financial intermediary to question anything for the state.


You could even send ETH to the Secret Network and perform token swaps and then send it back to a clean address.


Yes, even better because the smart contract execution is private and all the variables (receiver, quantity) are only temporarily stored with the validator’s SGX chips and not onchain.

Less liquidity there, for now. Meaning the exits would more likely be the same beneficial owner, but definitely an additional route for liquidity.

Similarly, I think there should be a version of Tornado.cash that stores notes in SGX and Secure Enclaves, as enough devices have this now. (Although that forces only one device to have the note. Instead of a transferable IOU)

How well do Keplr or Cosmos wallets work over Tor? Are there any onion nodes that can resolve broadcasted transactions?


Also note: I would still say having a record of trading gains would still be better whether using an EVM+Tornado or Secret Network, as this is much easier to account for than never accounting for the obfuscated funds or trying to further obfuscate and reintegrate with front businesses


One (of many) ways: Monero -> bitcoin -> localbitcoins with stolen identity.

Each localbitcoins account can trade up to $200k a year without any kind of in-person verification.

Also a lot of exchanges let you cash out via Western Union so... you could theoretically send yourself say 10k or 20k a month with that, there's no need to just withdraw it all at once.


There is no way to exchange Monero for Bitcoin or vice-versa without the risk of being tracked. LocalBitcoins has been doing KYC/AML since 2018.


Atomic Swaps on Monero will be decentralized, no KYC.


Transactions between monero accounts can't be tracked, or at least there's no evidence that they can be tracked.


But if you get BTC through a mixer chances are they are tainted and you get yourself in trouble when withdrawing.


Crypto currency itself can be completely anonymous, but the difficulty is in the on-ramp and off-ramps to and from state fiat money.

For example, I want to buy ZCash that is untraceable to me. I need to exchange ownership of a hardware wallet (like a physical USB device) for a pre-determined amount of state fiat, let's say USD in this case. In order to facilitate this I need to find a trusted seller, arrange a meeting, verify the actual value of the physical wallet, and make the exchange. There are non-physical means of making it harder to trace state fiat back to you, but not impossible. The state has simply had too much influence over these places of transaction for too long for anybody to be truly un-findable given a long enough period of time.

Assuming I can find someone willing to on-ramp me like this I will need to take steps to ensure that our communications are encrypted and untraceable. This means not only do I need a decentralized encrypted messaging service, I also need to conduct this communication in a way that does not give away my geographical location and is not vulnerable to security logs (say by checking the cafe's video feed from the time I was messaging my seller). Then I need to go to the meet, exchange the physical wallet for cash, and verify the amount in it is accurate (and also preferably not stolen). I need to do this without revealing my identity to my seller and avoiding security logs once again. This is all now possible whereas before Satoshi it was impossible, but it is still difficult.

Alternatively, I could just sell some kind of digital asset in exchange for ZCash to begin with. Now I do not have to worry about an on-ramp. If I control my distribution server then I can erase or encrypt my sales logs in order to prevent any estimation of my total sales for the year.

Off-ramping is much harder. I either need to become a seller of a physical wallet which has all the same problems that plagued me before, or I need to live in an economy where off-ramping is not required. This would be a physical location where all transactions are conducted in secure, anonymized crypto-currency transactions. Similar to my earlier problem, this is now possible but extremely difficult. An individual or a group of individuals is going to have to bootstrap an entire local economy.

Being localized is also an issue since there is nothing preventing the USG from simply rolling in the tanks to break up this localized tax haven.


It can be harder to trace, but the bigger problem is trying to turn it into cash, which is hard to do anonymously regardless of the currency used (BTC, XMR, etc). The FBI and Secret Service are mostly focused on the conversion of crypto to cash, not the intermediary steps.


Doesn't work if the fiat converted to is in another jurisdiction.


There are few jurisdictions where the US Government can't easily get at you, either physically or financially. China, Venezuela, North Korea, Russia; the list is super thin and almost exclusively places you either don't want to be or where you better be a protected local (otherwise they'll just hang you out to dry for their own benefit or amusement).

Most authorities around the world will want to nail you - and or your money - in cooperation with the US authorities (or otherwise for their own benefit). Once they know the US wants you, you become a toy to be used to some end, you're toast, your life is over.


Don't forget Iran and Vietnam.

You don't need to live there for very long. Just for long enough to cash out into fiat, launder the money, etc...


Maybe. This isn't a political target though, this is criminals wanting money. At most the governments get a bit of tax money: it just isn't worth it even before you consider that the gangs who can pull this off may turn against the governments. Governments may want the types of people on staff who can pull off these attacks, but they are careful on who gets targeted, and money isn't the goal.

Vietnam doesn't like the US for historical reasons, but overall they want to play on the world stage. Also US relations have been thawing over the years. I'm inclined to think they see it as to their advantage to help out.

Similar with China - they want the ability to get at the US, but they are more likely to reserve it for something that matters to them. Money doesn't really matter as much as they get plenty sending the US cheap plastic toys. Though if China declares war next week this could be their first attack (highly unlikely, it is possible though)


Governments are fallible. Corruption and organized crime exist.

Vietnam has a complicated relationship with the US. Don't trust western media too much on it, there is quite a bit of propaganda and extrapolation from conflict with China that doesn't carry over. Relations with the US appear to thaw but this is mainly limited to trade. Strategically Vietnam is solidly allied with Russia and otherwise independent. There is no scenario in which Vietnam extradites to America or allows American intelligence to operate on their soil.

The same is true with China. There is zero political cost, they will simply ignore the hackers until they leave the country. US intelligence is quite weak in terms of real assets in China, so uncertainty would be very high.


These groups will often use bitcoin tumblers/mixers to anonymize their btc. This is a solid explanation https://www.deepwebsiteslinks.com/wp-content/uploads/2017/10...


Is there a technical reason that makes use of a tumbler legally safe? My concern would be that putting in a clean bitcoin would result in me getting a fraction of a stolen bitcoin and I would be receiving stolen property. The fact that they are fully traceable means that it would be easy for someone innocent to be caught up in something like that.


That and you don't know if the tumbler you are using is operated by the FBI.


Yeah Zcash provides good privacy for the most part, as long as you use it correctly. Once you cash out, it's a typical money laundering problem. How do you get money into circulation without raising suspicions of where it came from?

Plenty of solutions. Mules using exchanges, buying NFTs from yourself, "lucky" investment picks in low liquidity alts, etc


As far as I understand it, Monero (XMR) is private and untraceable.


One way I've seen discussed on HN is by sending varying amounts to N different accounts, where some are owned by you / affiliates and others are not. In a sense, paying for obfuscation of which accounts are actually owned by you.


Until one of those people buys a Tesla with bitcoin (yeah, I know they just stopped doing that) from a wallet that can be traced to that payment, and then its just the authorities following up the chain.

People like to seem like all these crypto's are totally anonymous, but every transaction ends up in some sort of public blockchain. So unless you have air-tight OPSEC and people that will never talk, no matter what kind of jail time they are facing, its always going to be traceable with enough interest.


I think it's still just pseudo-anonymity, even for monero. Which means, practically, that I don't think it would have done more for these guys than just delay the seizure.


Nope. Monero is actually private and untraceable.


How many times are we going to learn that that's just not true.

There is no safe, only shades of safer.

Are the mathematical underpinnings of Monero sound? That's a good starting point. There are still implementation bugs, compiler bugs, architecture bugs, supply chain vulnerabilities, and state actors with unlimited $.


Is getting in and out of Monero private and untraceable?


Until someone cracks it, that is. If it becomes the crypto of choice for some of the bigger fish, you can bet the government will find a way to trace it.


There is at least $625,000[1] on the table already. Not to mention how many blockchain analytics companies and other actors would pay millions to have such a capability.

[1] https://www.forbes.com/sites/kellyphillipserb/2020/09/14/irs...


The main reason I bring this up is this is the same promise Tor brought - "completely private" etc. And we all know how that went down: https://www.vice.com/en/article/4x3qnj/how-the-nsa-or-anyone...


I'm with you, I don't trust it's private/secure at all, but until proven otherwise it's a very interesting technological feat.


I did a deep dive with a friend of mine (we're both OS engineers) and it's going to be a hell of a cookie to crack.

There is a literal virtual tumbler built into the transaction protocol called ring signatures.

Stealth addresses (an additional crypto key pair) obfuscate senders and receivers.

They also hide the amount transferred which blew my mind.


>Until someone cracks it

This is certainly not a given. The government isn’t going to be cracking signal messages within any reasonable timeframe either.


There are ways to crack encryption that have nothing to do with math. It doesn't matter how good your crypto is. You could probably get by with plain text as far as the FBI's efforts to crack your crypto are concerned, as they won't waste their time checking if you are that stupid.


This doesn't really make sense. In the case of a criminal laundering crypto, they don't know who the criminal is, so the rubber hose attack doesn't work.


Obligatory XKCD: https://xkcd.com/538/


Rubberhose cryptanalysis does not work with Monero because you don’t know who to whack.


>I think it's still just pseudo-anonymity

Nope.

Monero, ZCash, and mimblewimble-based cryptos (grin, beam) are certainly not pseudo-anonymous, and tracking is darn near impossible if the users don't do anything stupid.


ETH can be sent through tornado.cash or through zkDAI. Both of these use zero knowledge proofs to break the link in the chain.


yes, with zksnark-based tech (zcash, zk.money, etc)


Seems like they should invest more into cybersecurity, if someone was able to “steal” their Bitcoin and take over their infrastructure ;).

But honestly, this only shows that IT systems are nowadays so complex that you cannot get them right and be able to truly protect yourself, no matter if you're a good or bad guy.


I doubt anyone stole their bitcoins though. I assume they just transferred it out themselves and will cash out later.


I was thinking the same. But it would be hard to cover such a conspiracy.


It just takes one agent or informant on the inside to bring the whole house down.


If you have a single point of failure, either on a technical or human level, you aren't doing it correctly.

But it’s really hard to build systems and organizations like that.


> takes one agent or informant

Only if that agent has the master keys. Strong security is about making sure that there is no master key.


I was thinking more about the soft targets and people based parts of the system, but you raise an interesting point. Zero trust systems might be solvable from a tech perspective, but zero trust organizations from a social perspective are a whole lot harder to design and enforce, maybe impossible.

In accounting systems, which are targets of fraud and malfeasance (e.g. Enron), there is a "4 eyes" principle. It takes at least 2 people to change something that impacts the financials. But that can't stop 2 people from colluding.

Back to the topic, if one agent or informant builds trust with one actor in the target group, and they collude or if one slip is made, it could be game over. Once the org is compromised, how do you know who to trust?


I was thinking something along these lines. Any admin access to any critical/secure system can only be made through a channel that will record the session. Perhaps such things exist.



> like they should invest more into cybersecurity

I would say invest more thought, less money.

For example, use open source more. Minimize the amount of data and information you have that needs to be closed source.

Avoid Windows. Use Gmail over Outlook. Have offline backups with sneakernet disaster planning. Get a cheap safety deposit box for storing keys. Use 2FA. There are lots of free/low cost ways to have better security.


> Use Gmail over Outlook.

Why would you recommend this? I can understand the reasoning behind the rest of your recommendations, but not this one.


AFAIK, Gmail has suffered on the order of 100x+ fewer security incidents than Outlook. However, I am unclear on the distinction between cloud Outlook and the Exchange/Outlook combo. So me saying "Outlook" may be a mistake, and the correct term may be Exchange.


It’s not 2001 anymore. You can have both secure windows and Linux infrastructure.

Telling people to just use Linux as a remedy doesn’t help. If you don’t invest into securing your Windows infra, your Linux infra will be also full of holes.


In 2016, while I was still working at Microsoft, they gave us cloud engineers a separate laptop for accessing customer data (they called them SAWS, for Secure Access Workstation), because they decided that our normal everyday Windows 10 machines with root privileges could not be trusted. This was in 2016, not 2001.

I do not think you can have secure Windows infrastructure today. In the future, a few years after it's fully open source, perhaps.

Of course you are free to make your own bets.


This sounds more like a policy decision. Any serious company is heavily limiting how customer data is accessed. Lots of them have special rooms, with heavy physical security, where you cannot even bring an electronic watch, not even talking about your work phone or normal work laptop. And those companies often run on Linux.

Open source doesn't make stuff magically secure. Remember Heartbleed? Or how easy it was proven (by sketchy research, sure, but that's a secondary point) to bring malicious code into THE open source project, the Linux kernel?

Believing that by simply using open source you have secure infra, and that by using Windows you don't, is a naive view held by people who never seriously worked on security for big companies.

I say all of that as a heavy Linux supporter. Linux is better, yes. But it's not a magic bullet. I've worked in Windows shops that had extremely good security, and Linux shops that could've been hacked by someone after a one-day class on how to be a hacker.


Agreed that open source isn't perfect, but 99.999% secure is still a lot better than 99.9% secure.


Feels like a nation-state response. US Cyber Command? Either way, a chilling warning to organized hacking groups.


Feels like an inside job. “Oops. We lost all the money of our affiliates. Our money is gone too. No we didn’t take it.”

Sure you didn’t.


That doesn't make a lot of sense. If they thought that they could take a golden exit, they wouldn't be continuing to set up the business again under new rules to avoid government scrutiny.

They'd just take the money and disappear. The fact that they are continuing means that they want to continue the business.

And if they are doing that, then why would they suddenly break all existing contracts? Surely that would ruin a lot of their reputation, and hurt their ability to get clients. Can you imagine what kind of amazing free PR they would be getting if they continued the attack? Surely other criminals would be amazed at their ability to resist counter hacks. That would mean more clients and more money.

No, no. While I'm sure there is theft in the ransomware world, I don't think you make this kind of play from a position of strength.


If they are scared but want to continue the "business" then they are stuck between a rock and a hard place. Getting hacked is a nice "out" from their contracts without losing money to reimbursements. Remember, they won't be accepting as wide a clientele anymore, so presumably a fair bit of that money they wouldn't get back from re-signups. On the flip side, they now have extra money they can use for incentives to the clients they really want to sign back up.

So, I think there's a good case to be made that this is the best course of action, given they are scared but don't want to quit entirely (which seems clear). It isn't nearly as bad a hit to their reputation as just taking the money and running, so they don't have to hide their identities and rebuild new ones to start over in crime, and they don't lose nearly as much money, and they probably won't lose the clients they actually care about.


100%


Yes. I doubt any other organization has the capabilities to break Tor anonymity. They don't want to reveal their hand so you will only see their tools used in extreme circumstances. At most we will get some official parallel construction nonsense.


Frankly I hope it is.


Hopefully this isn't the last of it.

These people need to be found and imprisoned.


Imprisonment seems generous. Perhaps a very small prison 6’ down would be more suitable.

I’m mildly surprised they survived this long


“Ransomware has gathered a critical mass of nonsense, bullshit, hype, and fuss around it. The word ‘ransomware’ has been put on a par with a number of unpleasant phenomena, such as geopolitical tensions, extortion, and government-backed hacks. This word has become dangerous and toxic.”

Imagine feeling hurt that your low-key mob activities are equated with high-stakes mob activities, so much that you consider it "dangerous" and "toxic". Really love the irony here.


I think this roughly answers a question that I've been wondering about: Why don't cyber criminals hack into the energy grid, water, or other utilities? Surely their cyber security is outdated right?

Well, their cyber security may not be the most advanced, but traditional security (i.e. military strength) likely dissuades criminals from choosing those targets that are likely to put them on the short list.


I think DarkSide addressed this. They don't want to be viewed as a threat to society. They are thieves, they go after soft targets with deep pockets and ideally insurance, and they don't want to have the public or nation-states interested in them.

The game changed when the valves to the pipeline were closed as a precaution. They just went from thief to threat.


For some reason, this comment immediately made me think of an alternate history where ransomware groups hack infrastructure and then improve and monitor their security for them.

"Look guys, yeah, it's really easy to hack the power plants that supply electricity to the white house, but then we'll all have military ninjas showing up in our bedrooms at 3 in the morning. So if you try that little stunt again, then we're going to get our own ninjas to give you a visit. Go hack a cereal company or something."


Lots of opining about motives and reasoning for the shutdown, but this seems like the most likely scenario:

>“However, a strong caveat should be applied to these developments: it’s likely that these ransomware operators are trying to retreat from the spotlight more than suddenly discovering the error of their ways”


DarkSide's English is incredibly good for some supposed Russians. It even has the correct use of the apostrophe in "clients'". I know nothing, but my hunch is that this was written by a well-educated person who grew up in the US or Canada.


I can’t decide if it’s worse to imply that Russians can’t learn English or to think that the anglosphere only exists in North America.


I am just saying that it is idiomatic North American English. I, for instance, could not write in idiomatic British English if I tried. For instance, your use of "state" in your username and "anglosphere" in your one sentence strongly hints to me that your English is not purely North American. (I see your profile, too.) The vast majority of Americans would use different terms.


Looking only at the parts quoted in Krebs's post, it doesn't really stick out to me as either American or British English. They use double quotation marks, for example - American - but leave the trailing comma outside, which is British.

Other than that, there are no giveaway spellings or idioms. It could just as easily be someone whose exposure to English is dominated by technical documentation, which tends to use mostly American style.


You have a good point about the comma. I am not sure what the use of the word "funds" tells me. I think in the US, only the highly-educated or those in the financial industry would use that term instead of "money" (bitcoin?). It very well could be much more common in other parts of the, umm, anglosphere.


I think anyone who’s worked in any kind of corporate environment would distinguish “funds” from “money” when writing formally, but maybe that’s just me.

I grew up in the US but lived most of my adult life abroad, and the only thing I can tell you for sure is that you should never stereotype anyone based on the way they use their second or third language.


The lack of thick accents, hammer and sickle symbols, and hardbass leaves me seriously questioning the plausibility of this "Russian" theory.


I also took note of the apparent lack of tracksuits, vodka, AK-47s, and bears.


I've noticed that central Europeans have pretty stellar grammar in general. I was doing some work on an open source project created by a Polish team and was surprised by how many obscure grammar rules they obeyed.

Might have something to do with many of these rules being derived from Latin and their native language is probably closer in structure to Latin than English is.


As a native Russian speaker living in New York, I concur. I work in Ad Tech and deal with clients from Eastern Europe quite often. Russians' English is _always_ recognizable.


Is this sarcastic? Because you’re a native Russian speaker and yet your English isn’t recognizably Russian…


Nope, it's not. I always try to polish my English as much as I can, but after more than 8 years living in US, I still occasionally get messages from co-workers saying like, "hey dude, not to be pedantic, but ..."

If I were to write a long piece, you'd almost certainly notice that I'm not a native speaker. I'm subscribed to a few Telegram channels led by Russian speaking people and I always spot minor mistakes in their messages. Even when the text is grammatically correct, the way sentences are structured is what usually reveals them. I observe similar pattern with the partners I work with. Heck, even my English teacher's English (she is my friend on FB) is different from a typical writing style of a native speaker.

It obviously doesn't mean that Russians cannot learn a more "traditional" English, but when it comes to Russian hackers...meh, the chances are low, imho.


> I observe similar pattern

I think a native English speaker would have written either "I observe a similar pattern" or "I observe similar patterns". Your choice of words in that sentence feels Russian to me (although I may be influenced by knowing what you said earlier).


Or they used something like Grammarly...


So is everyone accepting this as truth? No suspicion of smoke and mirrors?


Re-posted comment from a previous thread[0]

Still relevant

[0] https://news.ycombinator.com/item?id=27097966

___________________

There is a theory floating about that some ransomware attacks were done purely to damage a country's infra and making money was a bonus, but not the main aim. So the perpetrators used ransomware as a front and the real goal is to destroy and disrupt a country's computer infra.

But then we could argue ransomware is just going to bolster and make our systems antifragile and resilient against such attacks in the future, so the ransomware attacks could backfire since in the future it would be much harder to attack the US for example with other types of malware.

It also means people are going to be storing mission critical and crown-jewels type data in airgapped systems and making filesystems read-only. The data would also be encrypted and compartmented into separate containers so attacks can't affect the whole filesystem if the airgap was breached.


Statements like "money of advertisers and founders was transferred to an unknown account" don't make sense to me. Why is the money held on a server at all? Surely it's more secure to keep wallets receiving money locally on a laptop or in a paper wallet, no? Why would they put the gold in the munitions depot if they don't have to?


I'm seeing statements about the payments server and the money associated with the payments server, but (at the risk of using an analogy) it seems like they've lost their "petty cash" box, not their main account. Surely they were wise enough to only put a small amount of money in the payments server. The bulk of their cash would be in a separate account (which wasn't lost).


Oh well then I take it these guys will be back in some form or another in the coming weeks. With enough cash and time they can replace their seized infrastructure without too much effort. Probably with a non-American target next time. I don't understand why so many hackers target America when the USA has the strongest offensive cyber capabilities of any nation on earth. Surely there is less blowback from hacking an Argentinian pipeline.


When I was doing anti-cheat stuff for a game company I was able to leverage their attempts at avoiding being hacked by a third party who kept stealing their cheats and reselling them. Even criminals have criminals trying to steal from them.


A good old "I lost the electronic coins in a boating accident". If nothing comes of this after this, this serves as a good proof of concept.


A far fetched scenario:

If I were these guys (I am glad I am not), you have just brought down far more interest and heat from not just law enforcement but probably at least a couple of intelligence services.

Arranging your own death would seem like a reasonable thing to do.

All our money is gone, stolen. All our servers are gone, grabbed by law enforcement. We have nothing left. Bye.

It would be interesting to follow the Bitcoins traversal around the network.


Having done something so idiotic as inadvertently taking down critical infrastructure for a superpower with global military & espionage capabilities (that nearly all nations will cooperate with) - the problem is, the people chasing you do not give a shit about your money and whether it's gone, and they do not care about your servers. Bye won't work, and faking your death won't be believable. If you're these people, you're going to be hunted to the ends of the planet and most likely they're royally screwed with no way out (unless they're under the direct protection of eg China or Russia).


What exactly is a 'payment server' in terms of a crypto wallet?

Surely, they're not storing their bitcoin keys on some aws linux box are they?


With bitcoin you can produce infinitely many public keys/addresses without your private keys ever touching an internet device.

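To make the point above concrete (a "payments server" that never holds a spending key), here is an added example, not code from the thread or from any wallet software discussed in it: a pure-Python BIP32 sketch in which the offline side keeps the seed and exports only the extended public key of a hardened account, and the online server mints a fresh receive key per invoice from that xpub alone. The seed is the one from BIP32 test vector 1 (a spec value, not a real wallet); the function names are this example's own. Caveat a practitioner should keep in mind: an xpub plus any one non-hardened child private key recovers the parent private key, so the server must receive only the xpub and nothing else, and the account level is derived hardened so the root seed is never exposed by that leak.

```python
# Added example: BIP32 watch-only derivation in pure Python (secp256k1 + HMAC-SHA512).
# Cold side: seed -> m/account' -> export (pubkey, chain code) only.
# Hot side:  (pubkey, chain code) -> m/account'/0..n-1 public keys, no private key present.
import hashlib
import hmac

# secp256k1 domain parameters
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
HARDENED = 0x80000000


def _add(p, q):
    """Affine point addition on secp256k1; None is the point at infinity."""
    if p is None:
        return q
    if q is None:
        return p
    if p[0] == q[0] and (p[1] + q[1]) % P == 0:
        return None
    if p == q:
        lam = 3 * p[0] * p[0] * pow(2 * p[1], P - 2, P) % P
    else:
        lam = (q[1] - p[1]) * pow(q[0] - p[0], P - 2, P) % P
    x = (lam * lam - p[0] - q[0]) % P
    return x, (lam * (p[0] - x) - p[1]) % P


def _mul(k, pt):
    """Double-and-add scalar multiplication (not constant-time; demo only)."""
    r = None
    while k:
        if k & 1:
            r = _add(r, pt)
        pt = _add(pt, pt)
        k >>= 1
    return r


def _compress(pt):
    return (b"\x02" if pt[1] % 2 == 0 else b"\x03") + pt[0].to_bytes(32, "big")


def _decompress(b):
    x = int.from_bytes(b[1:], "big")
    y = pow((pow(x, 3, P) + 7) % P, (P + 1) // 4, P)  # valid because P % 4 == 3
    if (y % 2 == 0) != (b[0] == 2):
        y = P - y
    return x, y


def pubkey_of(k):
    """Compressed SEC1 encoding of k*G."""
    return _compress(_mul(k, G))


def master_from_seed(seed):
    i = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return int.from_bytes(i[:32], "big"), i[32:]


def ckd_priv(k_par, c_par, idx):
    """Private child derivation; hardened indices (>= 2^31) do not expose the parent."""
    if idx >= HARDENED:
        data = b"\x00" + k_par.to_bytes(32, "big")
    else:
        data = pubkey_of(k_par)
    i = hmac.new(c_par, data + idx.to_bytes(4, "big"), hashlib.sha512).digest()
    return (int.from_bytes(i[:32], "big") + k_par) % N, i[32:]


def ckd_pub(K_par, c_par, idx):
    """Public child derivation: needs only (pubkey, chain code), never a private key."""
    if idx >= HARDENED:
        raise ValueError("hardened children cannot be derived from an xpub")
    i = hmac.new(c_par, K_par + idx.to_bytes(4, "big"), hashlib.sha512).digest()
    child = _add(_mul(int.from_bytes(i[:32], "big"), G), _decompress(K_par))
    return _compress(child), i[32:]


def cold_export_account_xpub(seed, account):
    """Offline: derive m/account' and hand the server only its (pubkey, chain code)."""
    k, c = ckd_priv(*master_from_seed(seed), HARDENED + account)
    return pubkey_of(k), c


def hot_server_receive_keys(xpub, count):
    """Online: mint m/account'/0..count-1 public keys from the xpub alone."""
    K, c = xpub
    return [ckd_pub(K, c, j)[0] for j in range(count)]


def cold_spending_keys(seed, account, count):
    """Offline: the matching private keys, touched only when sweeping funds."""
    k, c = ckd_priv(*master_from_seed(seed), HARDENED + account)
    return [ckd_priv(k, c, j)[0] for j in range(count)]


# Seed from BIP32 test vector 1 (a spec value, not a real wallet).
SEED = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
```

The thing to check is that the keys the hot side produces from the xpub are exactly the public halves of the keys the cold side can spend with, and that the server cannot derive anything hardened (so it can never walk up to the seed).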

Tom Levine of Bloomberg said it well:

"So for instance if you run a ransomware business and shut down, like, a marketing agency or a dating app or a cryptocurrency exchange until it pays you a ransom in Bitcoin, that’s great, that’s good money. A crime, sure, but good money. But if you shut down the biggest oil pipeline in the U.S. for days, that’s dangerous, that’s a U.S. national security issue, that gets you too much attention and runs the risk of blowing up your whole business"

https://www.bloomberg.com/opinion/articles/2021-05-11/crypto...


This just seems like the group is closing the storefront and will spin up another at some other point. Almost like it's a show seizure of drugs to show "something was done" but really nothing was done.

How do you "seize" bitcoin?


Too much attention and too brazen attack tactics. XSS shut down ransomware discussion and ransomware groups are having a market correction moment as of now. Shutting funds was easier, probably Kremlin asked gents at whitebit to hand off things before anyone loses fingers. Ultimately, this would simply mean that the targets would be carefully chosen, affiliates screened and new ransomware would be announced in coming months (or weeks even) which would target enterprise/ businesses.

Key lesson as summed up beautifully by an old timer in our team "You don't mess with big oil."


Let's not forget a lot of the images they were showing of plastic bags in car trunks were stock photos from Mexican fuel smugglers etc.; media was used to fuel panic to protect the oil company, and justify retaliation.


Critical Infrastructure Sectors as defined by CISA

https://www.cisa.gov/critical-infrastructure-sectors

Pretty easy to identify what is Critical Infrastructure.

The bigger reason for more coverage is optics. People take money out of their wallet on a regular basis to pay for gas. Gas gets them to their job, where they can then make more money to pay for gas, food, and so on. If gas is affected, their job, their routine and their wallet are affected.


Why should anyone believe them? This sounds like a cover to take the money and change a fake name. "Don't look over here, all the money and servers are gone!"


Either the founder stole the money himself, or the NSA showed the world just how powerful they are when they flex. If it’s the latter, I’m really impressed by their skills.


The guys developing the ransomware are not necessarily the guys behind this group. Even if the developers were in-house, they may not be managing the money. So the hack may not be as difficult as we might think.

It is kind of ironic actually: the ransomware targeted the billing systems of Colonial, yet they didn't really secure their own money.


"drained the cryptocurrency from an account the group uses to pay affiliates"

Some pretty good karma/irony there. They left wallet keys laying around on a server.


I'm interested to understand the psychology of ransomware types who go after these enormous and important targets. That includes the pipeline, which obviously claimed at least a few lives of its own via people not being able to drive to get medical care, etc.

Are they armchair criminal masterminds who don't really have a visceral understanding of how much damage they're doing? Or just straight up psychopaths? I can't think of any other options.


They've learned from this, from the article:

"The REvil representative said its program was introducing new restrictions on the kinds of organizations that affiliates could hold for ransom, and that henceforth it would be forbidden to attack those in the “social sector” (defined as healthcare and educational institutions) and organizations in the “gov-sector” (state) of any country. Affiliates also will be required to get approval before infecting victims."

They aren't trying to cause this kind of harm.

Additionally: "DarkSide organizers also said they were releasing decryption tools for all of the companies that have been ransomed but which haven’t yet paid."

These people have more morals than most rich businessmen, IMO.


Well, maybe they learned they did the wrong thing. Other reasons seem plausible: maybe they just thought it would make them look better if they're caught. Maybe they wanted to look better to their clients/allies who are currently like "whoa Nelly, these guys are basically Gus Fring. Maybe we'll work with someone a little less evil."

I don't know nearly enough to guess, but it doesn't seem cut-and-dried to me that this is a case of them realizing what they did was wrong.

In any case, the same question still applies for what happened before: why were they in a psychological state that made them try this in the first place?

Even if we grant that they've changed their tune for moral reasons, that would rule out straight psychopaths, but would include people who had severe antisocial traits but still started to have some feelings about it once they saw the real-life consequences. We see this with repentant murderers.

As far as rich businessmen who do evil stuff, there's a literature on that, and it seems to be a complicated mix. There's "just filling my role" (for those not at the very top of their organizations), thinking you'd be replaced by someone else doing the same thing, dissociation/denial about what you're doing, and -- yeah -- straight up antisocial/psychopath types. And more. It's a fascinating topic.


> “There’s too much publicity,” the XSS administrator explained. “Ransomware has gathered a critical mass of nonsense, bullshit, hype, and fuss around it. The word ‘ransomware’ has been put on a par with a number of unpleasant phenomena, such as geopolitical tensions, extortion, and government-backed hacks. This word has become dangerous and toxic.”

You've finally figured out that extortion is bad, well done.


Seems just as likely that domestic industrial sabotage and/or members of a 3 letter agency were behind this. Much more cui bono for corporations/3 letter agency than the Russians. For example, train freight will be the logical alternative to the pipeline.

"Dark Side" is a silly name & I know of many silly security folk. Seems like a cultural fit somewhere...


Idiots. They have every arm-chair analyst saying “cryptocurrency is the cause of ransomware!” and they don't even use multisig to leverage the cryptocurrency technology that prevents its unilateral seizure?

Looking forward to the day when someone proves there is nothing the state can do. But for now we have to watch these lackadaisical shit shows.

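For readers who want to see what "use multisig" actually means at the script level, here is an added example, not code from the thread or from any project mentioned in it: a pure-Python construction of an m-of-n P2WSH (native segwit multisig) address, with a bech32 encoder checked against the BIP173 test vector. The three public keys are constructed 33-byte placeholders for script building, not real wallet keys or necessarily valid curve points, and the function names are this example's own. The caveat that matters for the seizure question: the address commits to the policy, but it only helps if the n keys live on independent machines or with independent people; three keys on the same "payment server" are one key.

```python
# Added example: m-of-n multisig witness script -> P2WSH (bech32) address in pure Python.
import hashlib

CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"  # BIP173 alphabet
OP_CHECKMULTISIG = 0xAE


def _bech32_polymod(values):
    gen = (0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3)
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i in range(5):
            if (top >> i) & 1:
                chk ^= gen[i]
    return chk


def _hrp_expand(hrp):
    return [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]


def _to_5bit(data):
    """Regroup 8-bit bytes into 5-bit symbols, zero-padding the tail."""
    acc, bits, out = 0, 0, []
    for byte in data:
        acc = (acc << 8) | byte
        bits += 8
        while bits >= 5:
            bits -= 5
            out.append((acc >> bits) & 31)
    if bits:
        out.append((acc << (5 - bits)) & 31)
    return out


def segwit_v0_address(hrp, program):
    """bech32 (BIP173) encoding of a version-0 witness program (20 or 32 bytes)."""
    data = [0] + _to_5bit(program)
    poly = _bech32_polymod(_hrp_expand(hrp) + data + [0] * 6) ^ 1
    checksum = [(poly >> 5 * (5 - i)) & 31 for i in range(6)]
    return hrp + "1" + "".join(CHARSET[d] for d in data + checksum)


def bech32_valid(addr):
    """Checksum verification for a lowercase bech32 string."""
    hrp, _, data = addr.rpartition("1")
    values = [CHARSET.index(c) for c in data]
    return _bech32_polymod(_hrp_expand(hrp) + values) == 1


def multisig_witness_script(m, pubkeys):
    """OP_m <pk1> ... <pkn> OP_n OP_CHECKMULTISIG, keys sorted (BIP67) so every
    cosigner computes the same script, and thus the same address, independently."""
    keys = sorted(pubkeys)
    n = len(keys)
    if not 1 <= m <= n <= 16:
        raise ValueError("need 1 <= m <= n <= 16")
    if any(len(k) != 33 or k[0] not in (2, 3) for k in keys):
        raise ValueError("expected compressed 33-byte public keys")
    script = bytes([0x50 + m])  # OP_1..OP_16 are 0x51..0x60
    for k in keys:
        script += bytes([len(k)]) + k  # single-byte push of 33 bytes
    return script + bytes([0x50 + n, OP_CHECKMULTISIG])


def p2wsh_multisig_address(m, pubkeys, hrp="bc"):
    """The witness program for P2WSH is sha256(witness script)."""
    script = multisig_witness_script(m, pubkeys)
    return segwit_v0_address(hrp, hashlib.sha256(script).digest())


# Constructed placeholder keys: 33-byte compressed encodings used only to build the
# script. They are not real wallet keys and are not claimed to be valid curve points.
KEYS = [bytes([2]) + bytes([i]) * 32 for i in (0xA1, 0xB2, 0xC3)]
```

Spending from the resulting address requires m valid signatures in the witness; the chain enforces the policy, so a seized box holding one of the three keys cannot move the funds by itself.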

"So Sergey has pulled the inevitable exit scam, proving yet again, that there really is no honour amongst thieves.

I sincerely hope that no companies had paid the Tsar’s ransom before Sergey headed off for his dacha in the Urals. Forking out millions and still having your network out would be a bitter pill indeed to swallow."


I think this is what you say when the heat is on you too badly. They’re trying to shed the target on their back.


I'd love to know the behind the scenes on this.

Guessing the US leaned on some other country hard to confiscate servers asap...

Loads of "bulletproof" hosting locations but don't think any can withstand that kind of focused above national law type pressure


The way the article talks about these cybercrime gangs makes them sound like a benevolent government or non profit. They're putting up restrictions? Gang representatives are talking to the press? What kind of world is this?


The idea is to narrow who's going to chase after you, based on how you're perceived in terms of being a threat.

They want a certain type of police/authority chasing them for financial crimes, not special forces cutting their throats in the middle of the night because they're perceived to be terrorists attacking a superpower's critical infrastructure and trying to harm large numbers of people.


This is more like the situation when US companies restructure, collapse or seek Chapter 11 bankruptcy when they are hit with huge fines they don't want to pay.

It was probably planned all along.


I would wager a foolish sum that Colonial had a complete shit security posture and had many opportunities to improve but chose to accept this risk at the executive level. I have zero sympathy for Colonial.


LOL:

“Tech audit of Colonial Pipeline found ‘glaring’ problems”

https://apnews.com/article/va-state-wire-technology-business...


How do we know they haven't pulled another exit scam, Mt Gox style?


I still can't wrap my head around how such critical infrastructure is not air gapped. This is just so... basic. You will never be secure enough; this is not what the internet is for.


It probably is, their billing systems aren’t though.

I believe they shut down the pipeline because they were unable to bill.


This is an extremely important detail which seems overlooked.

The pipeline did not need to be shutdown because of a danger to infrastructure, it was a corporate management decision to protect the company’s interests.

Colonial used a ransomware attack on their company to do their own form of retaliatory blackmail on the entire southeast US to get a state level response and avoid the payout.

The above is not a defense of ransomware, and I understand why Colonial acted as they did/it seems to have worked. They likely would not have gotten state level help had they not shut down the pipeline. But they have a larger level of responsibility for the damage caused by the pipeline shutdown than is being portrayed.


They learned the hard lesson who is the boss. Fighting government with military power is never a good idea, even if you are fully prepared. The consequences would surely follow.


OK - how does one "seize a bitcoin stash"? Presumably one backs up one's stash and promptly transfers the bitcoin from there when the coppers come.


Why does a gang have a blog/Telegram channel?


Why wouldn't they? They exist primarily online.


Part of their business model is drafting acolytes who pay them money.


wouldn't be surprised if that's their version of "lost all my crypto in a boating accident"


> Bitcoin stash seized

Just goes to show how unsophisticated they are and how low the ransomware game's barrier to entry really is.


I'm having a hard time accepting the premise of this article. Does it contain any verifiable facts?


It's about time the NSA uses its surveillance capabilities to stop a ransomware attack.


Anyone curious about who were the advertisers of a ransomware gang? Am I missing something?


It would be ironic if they were victims of someone else's ransomware


Why are ransomware groups transacting in BTC, which can be easily traced?


I would expect only Bitcoin markets to have the liquidity and depth where one can easily buy 5 million worth of coins. Similarly when the hackers want to sell the coins again.


Nah there are dozens of options where you could easily move 5 million a day. They are probably using bitcoin because it's easiest for the victim to pay in. I assume they would rotate it through zcash/monero before they spend it


Ease of access for the victims, I imagine. Going from owning 0 bitcoin to hundreds of thousands seems easier given its popularity than say, monero (or whatever the anonymity centric coin of the day is). And the ransomware guys can still wash it later by passing it through intermediate exchanges/selling it for a different crypto.


It's easier to launder and transfer the BTC than to do the same with real money. According to the article, the people behind Darkside were also behind a bitcoin "mixing" service that was recently shut down.


but... Monero. Mixing is fine, but there's fees and overhead that make it undesirable, IMO.


Just curious, what alternatives are there, and how would they work?


Monero for transactions, then change back to BTC for value storage.


Check out Monero. I'm a lay person when it comes to cryptography and cryptocurrency, but supposedly an innovation in that currency, known as ring signatures, keeps the blockchain private.


They can also ask for ETH and use Tornado cash to launder it.


Because even though the transactions can be traced, the accounts holding them are arbitrary. You can observe a Bitcoin transaction propagate through the blockchain, but you'll never really see any personal identifiers besides the address.


* claims to have quit, after it claims servers, Bitcoin stash seized.


It actually sounds like what someone does when the mob boss is coming after you. Your car catches fire and there’s a charred body inside with your watch on it. The money you took from him is gone. It probably caught fire.


So now would probably be a good time to sell Bitcoin ...


Hackers got hacked, doesn't get better than that.


Going after oil companies strikes me as no different than going after the mafia. It’s the kind of thing you do if you want to end up with your head in a box.


Modern Warfare.



Don't mess with American oil, period. Never ever.


Like I said, unethical and unskilled losers.


This is good for Bitcoin.


So taking down hospitals and healthcare facilities was fair game. But messing with Big Oil was just a step too far.


The pipeline thing was just a pretext to open the can of whupass. It could have been an electrical grid, chemical plant, whatever. The hospitals in the past few months would have been the catalyst for the dept. of whatever TLA that pulled off this operation. It takes a while to get authorization, staff up the team etc.


Oil shortages and long lines make for good/bad TV. Fear of bad media coverage energized the Govt. to act.


Perhaps part of the difference was that it took longer for the victim to pay this time. Presumably Hospitals cave before the impacts make the headlines.


I’ve got colleagues who have had radiology hardware that got locked - CT scanners specifically. The NHS paid and they were back to work in a couple of hours.


I'd guess that it's entirely the other way around - govt wanted to act, so they drummed up the bad media coverage to justify removing any restrictions they had to (re)act quickly, instead of through the usual law enforcement process which takes months or years.


It's an interesting point. I think there is a big difference between hitting decentralized targets and disabling fuel transport for the entire east coast, BUT

if it was this possible before, why wait until now?

Or, if it isn't true - perhaps they're deflecting attention.


That shouldn't be much of a surprise; the US has always aligned itself with protecting its oil supply.


Every country protects its food, water, and energy supply. Exceptions stop being countries.


Everyone freaks out about oil. Japan attacked the United States in World War 2 because the United States stopped exporting oil to Japan. It was the primary motivator behind Pearl Harbor.


Why are you being down voted? Every major war and international crisis in my lifetime has been directly or indirectly related to US prioritizing oil above pretty much all else. From the Iranian revolution to the Gulf wars, to the terrorism our involvement in the middle east has caused, to the climate crisis and our lack of efforts to reduce consumption.

Whoever called this an insult isn't paying attention.


Crude insult. Akin to criticizing someone for "aligning with protecting his oxygen supply".


> Crude insult.

Kudos if that was a deliberate joke.


Cage match. Me with no gas vs. you with no oxygen


Sure. You with oxygen, me with gas ... and the striker omnipresent on my keychain. You're goin' down in flames.

:-)


I believe you mean a Light Sweet Crude insult.


If this is the US taking action, they should go after distributed denial of secrets next (https://en.m.wikipedia.org/wiki/Distributed_Denial_of_Secret...). This group is doxxing people for their donations, which isn’t “hacktivism” - it’s just a criminal breach of privacy. Crime doesn’t become a non-crime just because it is left-biased. Enough with the unchecked rise of cyber crimes.


So they have a public representative living in the US and are associated with Harvard University. I don't think there's much shadowy cybercrime to investigate there.

How do you feel about Wikileaks and the prosecution of Julian Assange?


Having a "Harvard affiliation" doesn't legitimize illegal activities. Leaking private messages, passwords, and so on from social networks is an unacceptable breach of privacy. Exposing people's private donations is also unacceptable. This is a group looking to create a chilling effect on others' speech, particularly moderates and conservatives, through illegal cyber crimes. I am not sure how you can possibly see that as anything other than "shadowy cybercrime" given their identities are anonymous and they're committing cyber crimes.


As far as I can tell from wikipedia they are not anonymous (at least the leader) and not working in the shadows (bc they are working together with serious public organizations).


I don't think any of this is a crime?
