On Monday afternoon, the US Justice Department said it had seized the majority of the cryptocurrency ransom that US pipeline operator Colonial Pipeline paid last month to a Russian hacking collective called Darkside by tracking the payments as it belonged to the hacking group. was transferred through various accounts and finally breaking into one of those accounts With the blessing of a federal judge.
It’s a feel-good twist to the saga that began with a cyber attack on Colonial and resulted in fuel shortages made worse by panic-buying of petrol after the company closed one of its major pipelines last month (and later suffered a second pipeline shutdown due to it being described as an overworked internal server). But Christopher Alhberg, a Successful Serial Entrepreneur and Founder of recorded future, a security intelligence company that tracks threats to governments and corporations and operates its own media branch, suggests that Americans have forever underestimated the Darkside. He explained a lot about how it operates in an interview last week that you can hear here. Short excerpts from that conversation follow, lightly edited for length.
TC: Broadly speaking, how does your technology work?
CA: What we do is try to index the Internet. We try to get in the way of data from everything written on the Internet, down electrons, and we try and index it in such a way that it can be used for people who are interested in companies and companies. defending organizations. . . We try to get into the minds of the bad guys, where the bad guys hang out, and figure out that side of the equation. We try to understand what happens on the network where the bad guys operate, where they execute their stuff, where they basically transmit data, where they run illegal infrastructure – all these things. . And we also try to get in the way of the trail that bad guys leave behind, which can be in all kinds of different interesting places.
TC: Who are your customers?
CA: We have about 1,000 in total, and they range from the Department of Defense to some of the biggest companies in the world. probably a third of our business [with the] government, a third of our businesses are in the financial sector, then the rest [comprise] A whole set of verticals, including transportation, which has been large.
TC: You’re helping them predict attacks or understand what happened in cases where it’s too late?
CA: It can go both ways.
TC: What are some clues that inform your work?
CA: An adversary is understanding the bad guys, and they largely fall into two buckets: You have cybercriminals, and you have anti-intelligence agencies.
The world and the criminals we have been focusing on in the last month or two are ransomware gangs. So these are Russian gangs, and when you hear ‘gang’, people think of large groups of people. [but] It’s usually one boy or two or three. So I will not overestimate the size of these gangs.
[On the other hand] intelligence agencies can be very well equipped and [involve] large group of people. So One Piece is about tracking them down. Another piece is about tracking the networks they operate on. . After all, [our work involves] Understanding targets, where we receive data on potential targets of cyberattacks without access to the actual systems on campus, then tying the three buckets together in an automated way.
TC: Do you see a lot of cross pollination between intelligence agencies and some of these Russian cutouts?
CA: The short answer is that these groups, in our view, are not being acted upon by Russian intelligence on a daily or monthly or maybe even yearly basis. But in a range of countries around the world – Russia, Iran, North Korea is a bit different, in China to a lesser extent – what we have seen is that the government encourages a growing hacker population that acts in an uncontrolled way. is enabled. , in Russia, on a large scale – to be able to pursue their interest – in cybercrime. Then over time, you see intelligence agencies in Russia – FSBhandjob SVR and Tower crane — being able to take people out of these groups or actually assign tasks to them. You can see in official documents how these people mixed and matched for a long time.
TC: What did you think when Darkside came out shortly after the cyberattack and said it could no longer access its bitcoin or payment servers and it was To close?
CA: If you did this hack, you probably had zero idea what Colonial Pipeline was really like when you did it. You’re like, ‘Oh shit, I’m all in the American newspaper.’ And there’s probably going to be some phone calls in Russia where it’s basically, again, ‘What did you just do? How will you try to hide it?’
One of the simplest first things you’re going to do is to basically either say, ‘It wasn’t me’ or you’re going to try to say, ‘We lost the money; We have lost access to our servers. So I guess maybe that whole thing was fake [and that] What they were doing was just trying to cover their tracks, [given that] We found that they come back later and try to do other things. I think we underestimated the ability of the US government to immediately fall back on these people. it just won’t happen that fastAlthough it is pure magic. I’m not saying that with access to any government information or anything like that.
TC: I was just reading That Darkside acts like a franchisee Where individual hackers can come and get the software and use it as a turnkey process. Is this new and does that mean it opens up hacking to a much wider pool of people?
CA: That’s right. One of the beauties of the underground Russian hacker lies in its distributed nature. I’m saying ‘beauty’ with a bit of sarcasm, but few people will write real ransomware. Some people will use the services that these people provide and then there will be people who can do hacking to get into the system. There may be others who conduct bitcoin transactions through bitcoin tumbling which is required. . . One of the interesting points is that in order to cash out in the final game, these people need to go through one of these exchanges that have become a more civilized business, and can involve money mules, and There are people who run money mules. Many of these people commit credit card fraud; There’s also a whole set of services out there, including testing whether a card is alive and being able to find out how you get money from it. It includes maybe 10, 15, maybe 20 different types of services. And they are all highly specialized, which is why these people are able to be so successful and also why it’s hard to go on.
TC: Do they distribute the loot and if so, how?
CA: They do. These people run very effective systems here. Obviously, bitcoin has been an incredible enabler in this as a way to get paid. [but] These guys have a whole system for ranking and rating themselves like an eBay seller. There’s a whole set of these underground forums that have historically been places where these people are working and they’ll include services to be able to say that someone is a scammer [meaning in relation to the] Thieves involved in cybercriminals. It is a lot like the Internet. Why does the Internet work so well? Because it’s super distributed.
TC: What is your advice to people who are not your customers but want to defend themselves?
CA: A colleague created a pie chart to show which industries are being harmed by ransomware and it was amazing that it was super distributed in 20 different industries. With the Colonial Pipeline, a lot of people were like, ‘Oh, they’re coming from oil.’ But these people could care less. They just want to find the slowest moving target. So make sure you are not the easiest target.
The good news is that there are plenty of companies out there doing the basics and making sure your system is patched. [but also] Hit that damn update button. Get as much of your stuff off the internet so it doesn’t turn out to be outlandish. Keep as little surface area as possible for the outside world. Use good passwords, use multiple two-factor authentication on everything and anything you can get your hands on.
A checklist of 10 things you need to do to not be an easy target. Now, for some of these guys – really sophisticated gangs – that’s not enough. You’ll have to do more work, but the basics will make a big difference here.