Colonial Pipeline Paid Hackers Nearly $5 Million in Ransom
Cybercrime pays after all.
Bloomberg has the scoop:
Colonial Pipeline Co. paid nearly $5 million to Eastern European hackers on Friday, contradicting reports earlier this week that the company had no intention of paying an extortion fee to help restore the country’s largest fuel pipeline, according to two people familiar with the transaction.
The company paid the hefty ransom in untraceable cryptocurrency within hours after the attack, underscoring the immense pressure faced by the Georgia-based operator to get gasoline and jet fuel flowing again to major cities along the Eastern Seaboard, those people said. A third person familiar with the situation said U.S. government officials are aware that Colonial made the payment.
Once they received the payment, the hackers provided the operator with a decrypting tool to restore its disabled computer network. The tool was so slow that the company continued using its own backups to help restore the system, one of the people familiar with the company’s efforts said.
One understands the payment. $5 million is a pittance compared to the lost revenue. But, of course, they’ve now demonstrated that cybercrime does pay and have invited more attacks.
What is to keep the hackers from doing this again six weeks from now?
Strikes me as it might be time for an unprecedented investment into America’s infrastructure, including IT security of our energy grid, pipelines, refineries, etc etc
Prevention or deterrence. The U.S. government needs to find and punish these people. If they’re protected by Russia we need to do the cyber equivalent of a horse head in Putin’s bed.
Imaginary conversation someone tweeted:
If Biden would kiss Putin’s arse we wouldn’t have these hacker problems.
If Trump had done anything about these hacker problems we wouldn’t have to kiss Putin’s arse.
I don’t endorse payment to these guys, but I’m willing to take a step back, from the distance we are at. We don’t know all the details, or what arrangements were made with law enforcement.
For instance, a decryption tool was handed over. How was that accomplished? The cryptocurrency may be untraceable – but then again it might be traceable if you’re the NSA. But the handover of a tool is probably a lot more traceable than the cryptocurrency. I’m sure they think they are very clever in how they do it.
Another thing to keep in mind is that they don’t run a schedule on these things, per se. They have to wait until they get a good enough penetration somewhere. I think it’s unlikely they could get at Colonial a second time. And if they did, I think anyone would understand that Colonial wouldn’t pay them. Particularly since the decrypt tool that cost them 5 million bucks isn’t that great and they are restoring from backups anyway. Next time they will do it faster, not to mention they are probably putting a few extra safeguards in place even now.
So, as an economist might say, this cyber extortion is an equilibrium phenomenon. If you push too hard, you will make less money.
If I were the hackers, I’d have held out for more. The Koch brothers are worth billions.
@EddieInCA: “What is to keep the hackers from doing this again six weeks from now?”
Cyber counter-action and possibly police work or less formal wet work.
I agree with Jay L Gischer. The literature says that these hackers cooperate with the payments because if they are perceived not to be trustworthy in unlocking the systems they will have trouble getting paid in the future. As Jay says, if you push too hard, you will make less money.
Why would they wait so long?
@Neil Hudelson: I hope my prior comment doesn’t make it sound like I don’t agree with you, because I do agree. With both you and @gVOR08.
The tie to possible state actors (or terrorists, but terrorists generally aren’t capable of the technology and teamwork required to pull this stuff off) is the most chilling. A state actor might not be interested in getting a payment to unlock. They might be looking to create windows of opportunities. They might be just testing us to see how quickly we can get things back online.
Fortunately, I have every reason to think the DHS and FBI are already in the lead on this.
You’d likely be surprised at how common this is–both the ransomware attack, and the payment.
There’s even specialized business insurance lines that will reimburse companies for ransom payments, but you have to have purchased the insurance (and it isn’t cheap).
Any company can be vulnerable, and the weakest link is employees.
Another banner day for de-regulation.
Just got a text from the “County Vehicle Bureau” to collect my $2045 refund. Reply to http//ww***********@be******.com
Damn! I sure could use an extra $2000 right now!
Wait a minute! There is no “County Vehicle Bureau” in Illinois. How dumb do they think I am?
Of course the sad truth is that far too many people will buy into scams like this.
Maybe what’s needed is a vaccine against gullibility.
It may not have just been about the encryption keys.
Coveware recently released a report revealing that 77% of ransomware attacks now include a threat to leak stolen data.
This is the new big thing in ransomware. It’s called “double extortion.” Attackers don’t just lock up your system; they steal your data first, and they threaten to publish or sell it if you don’t pay up.
I’ve written reams about this issue.
Whether to pay ransomware ransoms is a matter of great debate in the infosec community, especially now that double extortion is so common.
@Nightcrawler: Yep–my understanding of it comes from a banking/insurance perspective, as I have several clients in that space.
I’ve learned just about enough to be very, very terrified. 😀
I read that they claimed to have the data of three other companies. Any word on whether that’s true?
The claim was made on their forum, I’m guessing an onion.
Has South Korea said anything about it? In conjunction with a private equity firm, their public pension fund is the second largest stakeholder in Colonial.
We need to make it a crime to pay ransoms.
That’s how they got Podesta and his IT guy–they just used Bitly to obscure bendover.
Well that and damn auto-correct omitting ‘il.’
Counterpoint: no we don’t.
I haven’t heard that one yet. I’m suffering from some serious FOMO today.
No, we shouldn’t. Absolutely not.
This is a highly complex issue. Even security experts can’t agree on whether paying ransom is a good idea. In some cases, particularly when human life or health is at stake, paying up may be the best of nothing but horrible options.
I’ve got to go put out some fires, but first…
The Colonial Pipeline attack wasn’t done directly by the DarkSide cybercrime cartel. It was a “ransomware-as-a-service” (RaaS) attack. Cybercriminals sell RaaS the same way legit devs sell software-as-a-service (SaaS).
Anyone, and I do mean anyone, can buy RaaS and launch a ransomware attack. You can have about zero technical ability and launch an attack. The “providers” even offer customer service to help you get your ransomware up and running. They have an incentive to ensure your success, because instead of charging a subscription fee for your RaaS, they take a percentage of whatever ransoms you manage to collect.
Here’s an article about RaaS. Read it and weep.
@Raoul: Absolutely not. That’s the wrong solution to this incredibly complex problem.
Companies need to invest more into their security defenses, and they need to train, train, train their employees.
The biggest security vulnerability in any company is the rank and file employees. These attacks have become incredibly sophisticated. Make it harder for the criminals to succeed.
@Raoul: Then only criminals would pay ransoms?
It also has the effect of shifting investigative and law enforcement focus on the victims. It’s easier to find, charge, and prosecute someone who pays the ransom, after all. The consequence of that, is to keep victims from seeking help from the authorities, as that is one way to be safe from prosecution.
Here is an extremely interesting take on cybersecurity in response to this incident from a long-time professional. It’s also funny, if your sense of humor leans dark.
@Jay L Gischer: Also, that link provides more detail about just how bad it would be for a truly malicious (likely state) actor to get control of a pipeline network.
This is a massive mistake. Paying the hackers gives them the incentive to attack other critical systems, critical infrastructure points like utilities.
To be fair, not paying would result in clear social disruption and economic damage meaning anyone who has that as their goal just got a great lesson on how to easily mess up a bunch of states. There’s always going to be an incentive and motivation to do this; the question is do we want the incentive to be wreck stuff or get paid? One’s more likely to be cooperative and not ruining things on purpose and one starts off wanting to watch the world burn. If I had to pick, I’ll take the extortionists any day since it’s simply a matter of negotiating how much.
@Doug Mataconis: I understand that sentiment, but there’s plenty of incentive to attack critical systems that go well beyond money. Terrorism, for instance.
As has been indicated in comments above, this is nowhere near as simple as “don’t pay ransoms to hackers.”
This isn’t going to be solved by “getting tough on hackers” or refusing to pay them.
Companies need to start spending on cybersecurity like it matters (because it does), and they need to train their employees to recognize spear phishing attempts, etc.
Bingo. A few visuals of US operators locating these people, dragging them from their holes with black bags over their heads back to the US for summary trials and summary public executions would be sufficient, I think. People do this sort of crap because they know they’ll more than likely get away with it and face little to no real consequences.
@Jay L Gischer: That is an excellent piece that should be required reading.
“I’ve seen companies spend millions of dollars to recover the damage caused by saving thousands of dollars.” <———-THIS. IS. THE. ISSUE.
@Doug Mataconis: They aren’t the first to pay the ransomers, not by a long shot. Just maybe the most visible.
Also, this isn’t what I would call their big mistake. It might well make sense for them. No, their big mistake was all the crappy shortcuts and ignorance they have been practicing, probably for the last 20 years or so.
@Jay L Gischer:
Legit question, since I am decidedly not a tech person. If this currency consists of nothing more than digital bits, and can be created out of thin air by doing some math, why can’t it just as easily be uncreated?
I personally would love to see that scenario unfold – bad guys get their digicoins, and then *pouf* – they magically no longer exist.
You know, we have lots of laws and regulations about the proper handling of explosives. Explosives have legitimate uses, in construction and mining, for instance. So it’s fine for private entities to have it. However, we demand, if I understand things correctly, that they engage in some expense to secure the explosives.
Why shouldn’t we make similar demands of pipelines that carry highly combustible materials? Doesn’t that make sense? Getting control of the microcontrollers on a gas pipeline could easily allow one to create a leak, which would very likely result in an explosion. Especially with a gasoline/natural gas pipeline.
A very big explosion.
So. Maybe this should be addressed?
@Mister Bluster: I read somewhere that the target of these scammers are people who may be edging into something like Alzheimer’s or otherwise not entirely mentally competent but still have control of their money. The Nigerian Prince emails supposedly deliberately have bad English or your non-existent County Vehicle Bureau to filter out the competent. They need people who will believe the IRS takes payments in gift cards.
@Jay L Gischer:
If the pandemic hasn’t taught us anything else, it taught us that taking preventive measures is tiresome.
At work, we constantly send and receive files by email to people in other departments, often at other locations. Things like price lists, scans of documents, product information, and a lot more. Usually it’s Word, Excel, PDF, or JPG.
We could have a common server for such things, but we don’t. Hell, I’ve enough trouble not emailing files to people who have access to our department’s dedicated server.
I also constantly receive PDF and XML files from all sorts of businesses. This is due to Mexico’s regulations on “electronic” accounting (digital, really). Invoices are done in these formats, and you need both for accounting purposes, though the official invoice is the XML file. Most businesses send them by email (you can download some from their websites, but not all).
During my recent (losing) skirmish with the insurance company, I had to send them all sorts of invoices in these formats. That meant obtaining them from doctors, pharmacies, and hospitals.
All that said, I don’t just download or open these files if I’ve any reason to be suspicious. For instance, if the return address seems generic, if it’s from a business I don’t recall doing any recent transaction with, if it’s not addressed to my work or personal email address, etc.
And I definitely don’t click on links from suspicious emails.
But while we do have an IT department, there’s been no training or even a written procedure on how to handle files through email, how to spot phishing or spam, etc. Now and then they send short emails warning against these, but that’s it.
@Blue Galangal: You bring up a good point. In many ways, this is very much like the small-scale kidnapping rings that we sometimes read about in third world areas and/or deals between art thieves and insurers. A five million dollar ransom for a multi-million or even possibly billion dollar venture is similar in scale to a private party rich person paying several thousand dollars for the return of a relative. Yeah. It’ll probably happen again–until we decide that we’ll do infrastructure improvement despite the fact that POC/poor will benefit from them–and they’ll be written off with the bribes and other “costs of doing business.”
@HarvardLaw92: There are functions – mathematical things sometimes called “hashes” that are easy to compute, but very hard to reverse. “hard” as in they would probably take a decade on a supercomputer.
For instance, if you take two very large prime numbers. Something like 20 digits each, and multiply them together, you would get a very large number. This could be accomplished in under a second on a computer. However, factoring this number – recovering those two prime numbers from their product – could take a year, or maybe more.
(Now, there is a theoretical algorithm to do this much more quickly on a quantum computer, but it’s still just theory yet, nobody has made a quantum computer that can solve the above problem for 5 digit numbers, let alone 20 digit ones.)
There are many other mathematical situations that are similar, but I use factoring because we all know from school that factoring a number is a lot harder than multiplying two numbers together.
All cryptology in the computer realm rests on one of these situations. Furthermore, it hasn’t been proven that it’s impossible to do it quickly. The NSA is full of people who are really good at math and computing (I’ve known a few). They could well have a way to do a few of these things that they aren’t telling anyone about. Or maybe they could do it in a month or so, just because they have so much computing resources at their disposal. But maybe this is the sort of case that is worth it? Lots of questions here…
@Jen: This too. Extortion is a business, just like off shore gambling ships and bookies. You can’t succeed in it if you rip people off; you have to engage in a consistent endeavor at a reasonable cost for restoration of status quo.
@Nightcrawler: It’s possible that double extortion will change the game significantly and provoke retaliatory action by industry. You can’t collect the ransom and shoot the kidnappee both–it’s bad for business.
Nationalize Colonial – it is a failed venture that has left the country less secure.
A new token gets added to a distributed data structure that is, by design, almost impossible to modify without detection, other than adding new transactions to the chain.
OTOH, about 20% of all the Bitcoin tokens that have been created have been lost — people have lost the encryption keys or the passwords to “wallets” containing keys. One guy supposedly has a wallet with $220M worth of Bitcoin encryption keys in it, but has lost the password.
@Doug Mataconis: “This is a massive mistake. Paying the hackers gives them the incentive to attack other critical systems, critical infrastructure points like utilities.”
You have a gun to your head – pay or not?
x company doesn’t pay, y company gets hacked. if y doesn’t pay, z gets hacked. if z doesn’t pay, return to a.
If they can hack the systems, they can also figure out which companies are likely to pay out based on the cost incurred by not paying out.
Moreover, stealing data isn’t just a chance to double dip, though that’s nice too. Threatening release of privileged information increases leverage in case a company decides not to pay.
Is that the guy who offered to pay so he could search a landfill for his HDD or flash drive or something?
As @Michael Cain explained, because the blockchain is public but not centrally located, one would have to modify the ledger simultaneously at all nodes on the network.
That may be somewhat confusing, so…
You know a bit about econ, right? One of the earliest forms of currency was simply a ledger. Theoretically, one could modify that ledger.
Well, the blockchain is that ledger. But instead of residing in a palace chamber under heavy guard, it resides in countless nodes. That redundancy provides security. If one wanted to surreptitiously modify it, they would have to modify it at all those nodes simultaneously.
Cryptocurrencies leverage the features of the blockchain to create a fiat* currency based on the ledger. The value of the currency is based on supply and demand forces within a market.
*I don’t care what anyone says…it’s a fiat currency. It’s not backed by a tangible asset. Anyone who claims the blockchain itself is the underlying asset is silly, because anyone can create a new blockchain network.
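The ledger-in-countless-nodes idea in the comments above (and the “easy to compute, hard to reverse” hash functions mentioned earlier in the thread) can be shown with a toy hash chain. This is an added example, not code from the post or from any commenter: a minimal block structure and three constructed sample entries are assumed, with SHA-256 standing in for the one-way hash. It demonstrates two things the prose states: changing one entry breaks every later block’s link, and a forger who controls a single copy can rewrite the whole tail of the chain, so detection has to come from comparing the chain tip against other nodes’ copies.

```python
import copy
import hashlib
import json

# Constructed sample ledger entries for the demo (not real transactions).
SAMPLE_ENTRIES = [
    {"from": "alice", "to": "bob", "amount": 5},
    {"from": "bob", "to": "carol", "amount": 2},
    {"from": "carol", "to": "dave", "amount": 1},
]

GENESIS = "0" * 64  # pointer used by the first block; no predecessor


def block_hash(index, prev_hash, entry):
    """SHA-256 over the block's own contents plus the previous block's hash.

    Because prev_hash is part of the input, every block commits to the whole
    history before it; that is what links the chain.
    """
    payload = json.dumps({"index": index, "prev": prev_hash, "entry": entry},
                         sort_keys=True)
    return hashlib.sha256(payload.encode()).hexdigest()


def build_chain(entries):
    """Append each entry as a block whose 'prev' field is the previous hash."""
    chain = []
    prev = GENESIS
    for i, entry in enumerate(entries):
        h = block_hash(i, prev, entry)
        chain.append({"index": i, "prev": prev, "entry": entry, "hash": h})
        prev = h
    return chain


def verify_chain(chain):
    """Return (True, None) if every hash and link checks out, else (False, index of first bad block)."""
    prev = GENESIS
    for block in chain:
        if block["prev"] != prev:
            return False, block["index"]
        if block_hash(block["index"], block["prev"], block["entry"]) != block["hash"]:
            return False, block["index"]
        prev = block["hash"]
    return True, None


def tamper(chain, index, new_amount):
    """Alter one entry in a copy of the chain without touching any hash: caught immediately."""
    forged = copy.deepcopy(chain)
    forged[index]["entry"]["amount"] = new_amount
    return forged


def rewrite_from(chain, index, new_amount):
    """What a forger holding ONE copy can do: alter the entry and recompute every later hash.

    The rewritten copy is internally consistent, which is why a lone ledger offers
    no protection; the tip hash, however, no longer matches anyone else's copy.
    """
    forged = tamper(chain, index, new_amount)
    for i in range(index, len(forged)):
        b = forged[i]
        b["prev"] = GENESIS if i == 0 else forged[i - 1]["hash"]
        b["hash"] = block_hash(b["index"], b["prev"], b["entry"])
    return forged


def tip_hash(chain):
    """The last block's hash commits to the entire history; nodes compare this value."""
    return chain[-1]["hash"]


if __name__ == "__main__":
    honest = build_chain(SAMPLE_ENTRIES)
    print("honest copy:", verify_chain(honest))
    print("one entry changed, hashes untouched:", verify_chain(tamper(honest, 1, 999)))
    forged = rewrite_from(honest, 1, 999)
    print("tail rewritten on one node:", verify_chain(forged))
    print("tip matches other nodes?", tip_hash(forged) == tip_hash(honest))
```

Running it shows the honest copy and the fully rewritten copy both pass their own internal check; only the mismatch of tip hashes between copies reveals the forgery, which is the redundancy-as-security point made above.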
@Kurtz: Not only can anyone create their own blockchain, they have done it.
There is nothing stopping bitcoin farmers from withholding their discoveries to get a better price. Well, there is fear that someone else might publish first, I guess. But how real is that? These are random discoveries, how much overlap is likely? Now imagine a cartel of bitcoin farmers formed, and there is collusion…
Thus currency manipulation is quite possible in this realm. With a government, at least you know who’s doing it, and why. There’s some political accountability. That’s not perfect, but it’s a lot better than the zero-accountability scheme that is advertised as a feature of cryptocurrencies.
No this is a different one, where the guy still had the hardware but lost the piece of paper that had the pass phrase written on it. There are people now who will undertake to brute-force crack lost pass phrases for a share of the value of any currency recovered. Some of their success rates are surprisingly high.
Or perhaps not surprising, given how bad people are about choosing passwords and pass phrases. Many years ago when I worked at Bell Labs and Unix was just coming out of research into wider use, someone wrote a little piece of code that tried the hundred most common boys’ and girls’ names followed by a digit against the password file. That alone broke at least one account on every machine in the company.
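The defensive counterpart of the Bell Labs anecdote above is a password-acceptance check that rejects the “common name plus a digit” pattern at the moment a user chooses the password, before anything is stored. This is an added example, not the commenter’s code or anything from the page: the short name list is constructed for the demo (a real deployment would load a much larger one), and the 12-character minimum is an assumed policy value.

```python
import re

# Constructed sample of common first names; a real check would load a large list.
COMMON_NAMES = {
    "james", "john", "robert", "michael", "william", "david",
    "mary", "patricia", "jennifer", "linda", "elizabeth", "susan",
}

# A name (letters only) followed by one or two digits, e.g. "Michael7".
NAME_THEN_DIGITS = re.compile(r"^([a-z]+)(\d{1,2})$")


def is_name_plus_digit(password):
    """True when the password is a listed name followed by one or two digits."""
    m = NAME_THEN_DIGITS.match(password.lower())
    return bool(m) and m.group(1) in COMMON_NAMES


def check_password(password, min_len=12):
    """Return the list of policy problems for a candidate password (empty = acceptable).

    Intended to run at set-password time on the candidate the user typed; it is
    never applied to stored credentials, which should only exist as salted hashes.
    """
    problems = []
    if len(password) < min_len:
        problems.append("too short")
    lowered = password.lower()
    if lowered in COMMON_NAMES:
        problems.append("common name")
    elif is_name_plus_digit(password):
        problems.append("common name followed by digits")
    return problems


def reject_reasons(candidates):
    """Map each constructed candidate to its problems; handy for testing a policy."""
    return {pw: check_password(pw) for pw in candidates}


if __name__ == "__main__":
    # Constructed candidates: the classic weak pattern beside an acceptable passphrase.
    for pw, why in reject_reasons(["michael7", "Jennifer42", "susan",
                                   "zebra9", "correct horse battery staple"]).items():
        print(f"{pw!r}: {'OK' if not why else ', '.join(why)}")
```

The regex is deliberately narrow so the example stays readable; a production policy would also normalise digit-for-letter substitutions and check against a breached-password list, both of which are beyond the anecdote being illustrated.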
@Kathy: Thanks for the perspective. What you describe is the kind of procedures I use for my personal life.
Whether that is appropriate for one’s business/professional life depends greatly on just what’s at risk. What could happen, what would you do about it, and how much would it cost?
There are also structural answers that have little impact on the day-to-day behavior of front-office staff. Things like using separate networks, and completely different technology for operational servers and controllers. Things like a consolidated threat log, and other things that won’t be visible to office workers, but do cost money, and so often aren’t done. However, they will make a difference.
But a bit of training might well be good. The right person could make a great YouTube channel out of this – with weekly updates of one of the latest email scams going around.
@Jay L Gischer:
Not that knowledgeable on cryptography, but it seems like the public methods of attack are creeping up on SHA-2 families. I think it’s probably safest for agents of ill will to assume NSA is ahead of the public.
The truncated versions secured against one method of attack, but opened another avenue?
But it also looks like the replacement algorithms (SHA-3) are so far quantum resistant, are they close to being deployed or is the new family years away?
@Jay L Gischer:
There’s actually nothing in my home PC and personal laptop that is crucial that isn’t backed up in USB drives and the cloud. And not much of that to begin with.
The work stuff is more serious. there’s supposed to be an external HD backup, but I’ve no idea how effective it is.
@Jay L Gischer:
Exactly. I was thinking about the prospect of manipulation the other day.
As the difficulty of hashing increases, it requires pooling resources. Power requirements and thermal management encourage two things:
- places with inexpensive cost/kWh
- cold ambient temperatures to reduce the need for powered liquid coolers, liquid nitrogen, and fans.
Which is why about 75% of BTC is mined in China. Plus, they have access to the plants that manufacture the equipment needed. I wonder how many of these technoutopian folks are bleating daily about how awful China is. Oh, nevermind…Mr. Libertarian himself realizes he didn’t foresee consequences, yet still manages to have his cake and eat it too.
I was looking at the Chia protocol. IIRC within ~6 weeks of release, one unofficial pool had reached a 50%+ share of the banked tokens. And Chia was supposed to be designed to resist these sorts of things and reduce power consumption by using space rather than processing power.
And of course, just like the distortion in the CPU and GPU markets caused by mining demands, the proof-of-space concept is distorting the market for SSDs and HDDs.
With all the talk of cryptocurrency and cybersecurity, I’m reminded of a conversation I had with my boss last year.
I explained that with very little effort, and some dough, I could:
1.) Anonymously purchase a qty. of narcotics that would trigger a trafficking charge.
2.) Have it sent to the home or workplace of a person I do not like.
3.) Tip off law enforcement.
Her response? “I hope I didn’t piss you off.”
My response, “You haven’t, but I would never do that to someone anyway.”
My point? With sufficient motivation, people will do a lot of bad things, even if it requires a high tolerance for personal risk. Money is a sufficient motivator for a lot of people.
“What can I say? Don’t piss off a motivated stripper.”
When USG imposes sanctions on nations for either not handing cyber hackers over to our Justice Dept or arresting and prosecuting the hackers themselves–you’ll know we are serious about lowering the threshold of brazenness. Until then, no one actually cares. Paying the money is cheaper than investing in the amount of cybersecurity needed to prevent the intrusion in the first place.
Yes, the visual of US FBI agents storming an apartment in the Moscow suburbs would certainly be…striking.
@Chip Daniels: We could always try nerve agents on the sly and see how that goes. Works for Putin, nobody’s really called him out on that shit.
Can I ask a stupid question? How did we refine oil and send it through pipes before we had computers?
$5 million is petty cash considering the enormity of the crime. Presumably the Russians didn’t understand how instantly queues for gas and a modest uptick in prices would be trumpeted by the media as EMPTY BOWSERS, UNCONTROLLED INFLATION RECALL CARTER PRESIDENCY!
How do you combat this kind of extortion? Same way you combat any other kind – with adequately resourced law enforcement agencies. How do you stop the media engaging in hair on fire what-is-the-president-doing-about-this-crisis hysteria? I’ve no idea.
FBI does domestic. There are better options, and you don’t storm the apartment. You quietly snatch the guys off of the street and put them on a plane. The visuals come once they’re on US soil. 🙂
@Chip Daniels: “Yes, the visual of US FBI agents storming an apartment in the Moscow suburbs would certainly be…striking.”
OK, we’d have to soften the place up a bit………….
Or start a hack war against senior Russian officials.