Ransomware

Rach3
Posts: 9219
Joined: Tue Apr 03, 2018 9:17 am

Ransomware

Post by Rach3 » Sun May 30, 2021 9:30 am

Coming soon to a computer near you (like, maybe yours?). Per NYT today:

"The ransomware attack on Colonial Pipeline by the gang known as DarkSide cast a spotlight on a rapidly expanding criminal industry based primarily in Russia. Now, even small-time criminal syndicates and low-skilled hackers can pose a potential national security threat.

Ransomware is easily obtained off the shelf, and virtually anyone can load it into a compromised computer system using YouTube tutorials or with the help of groups like DarkSide. Customer support is included. A glimpse into DarkSide’s secret communications reveals a criminal operation that is pulling in millions of dollars in ransom payments each month."

maestrob
Posts: 18925
Joined: Tue Sep 16, 2008 11:30 am

Re: Ransomware

Post by maestrob » Sun May 30, 2021 1:54 pm

I read that complete article just a moment ago.

It's like shopping at Best Buy to get ransomware now.

Chilling.

A few months ago I clicked on a link that I thought was the IRS to get some information, and within seconds a virus downloaded that redirected my Google browser to a phony Microsoft website. After wasting 45 minutes with a guy trying to establish trust, he suddenly began pitching a security program to keep my personal information safe for... (wait for it!) $500, all while asking for my credit card number.

By then I knew he wasn't from Microsoft, so I hung up on him and pulled the plug on my computer to regain whatever control I could, then called my security software who then deleted the virus.

Of course I changed all my passwords immediately.

Scared me to death.

There are lots of crooks in the world that are a lot smarter than I am, and we have no recourse if we fall into their traps.

Holden Fourth
Posts: 2201
Joined: Fri Mar 25, 2005 5:47 am

Re: Ransomware

Post by Holden Fourth » Sun May 30, 2021 5:01 pm

Despite what novels you read or movies you watch, there are levels of encryption that can't be hacked. I just wonder why big operations like the colonial pipeline haven't used them.

Also, my understanding is that regular backup of your computer is a way around the ransomware issue.

Rach3
Posts: 9219
Joined: Tue Apr 03, 2018 9:17 am

Re: Ransomware

Post by Rach3 » Sun May 30, 2021 5:57 pm

Holden Fourth wrote:
Sun May 30, 2021 5:01 pm
Also, my understanding is that regular backup of your computer is a way around the ransomware issue.
Unless the ransomware freezes your operating system, so you can't download from your backup? IF they can do that? (IF that makes sense; I'm an old person.)

I back up hourly both to an external hard drive and to a separate cloud provider. But, it's my understanding my OS is not backed up.

maestrob
Posts: 18925
Joined: Tue Sep 16, 2008 11:30 am

Re: Ransomware

Post by maestrob » Sun May 30, 2021 8:02 pm

Rach3 wrote:
Sun May 30, 2021 5:57 pm
Holden Fourth wrote:
Sun May 30, 2021 5:01 pm
Also, my understanding is that regular backup of your computer is a way around the ransomware issue.
Unless the ransomware freezes your operating system, so you can't download from your backup? IF they can do that? (IF that makes sense; I'm an old person.)

I back up hourly both to an external hard drive and to a separate cloud provider. But, it's my understanding my OS is not backed up.
When I threatened to just buy a new computer he got really flustered.

Pulling the plug did the trick.

I back up to a cloud account every day. I also keep my major accounts off the computer or cellphone for safety's sake. Can't be too careful.

Holden Fourth
Posts: 2201
Joined: Fri Mar 25, 2005 5:47 am

Re: Ransomware

Post by Holden Fourth » Mon May 31, 2021 2:59 am

I think the ransomware is aimed at people who don't do backups (and there would be many of them) and are frightened about losing their data, etc. Cloud backup surely solves this problem, and if it doesn't, unless there is a very good reason, reimage your computer and start again.

barney
Posts: 7876
Joined: Fri Aug 01, 2008 11:12 pm
Location: Melbourne, Australia

Re: Ransomware

Post by barney » Mon May 31, 2021 8:53 am

What does reimage your computer mean? Not reboot?

maestrob
Posts: 18925
Joined: Tue Sep 16, 2008 11:30 am

Re: Ransomware

Post by maestrob » Mon May 31, 2021 10:04 am

Yes, I am puzzled by that one too.

Also, I forgot to mention that I keep my computer in airplane mode so that no one in my building can even try to break in with Wi-Fi. Not applicable for those of us in private homes, but a sensible precaution for city dwellers.

I use only cable connections for everything.

Holden Fourth
Posts: 2201
Joined: Fri Mar 25, 2005 5:47 am

Re: Ransomware

Post by Holden Fourth » Mon May 31, 2021 4:18 pm

barney wrote:
Mon May 31, 2021 8:53 am
what does reimage your computer mean? Not reboot?
Wipe it clean and reinstall everything I need.

Rach3
Posts: 9219
Joined: Tue Apr 03, 2018 9:17 am

Re: Ransomware

Post by Rach3 » Tue Jun 01, 2021 8:50 pm

Don't know if this link will work, but a fascinating, and chilling, article in light of the JBS attack:

https://www.newyorker.com/magazine/2021 ... new-yorker

maestrob
Posts: 18925
Joined: Tue Sep 16, 2008 11:30 am

Re: Ransomware

Post by maestrob » Wed Jun 02, 2021 9:50 am

Rach3 wrote:
Tue Jun 01, 2021 8:50 pm
Don't know if this link will work, but a fascinating, and chilling, article in light of the JBS attack:

https://www.newyorker.com/magazine/2021 ... new-yorker
Chilling is certainly an understatement here. 4000 attacks expected this year?
In 2018, the average payment was about seven thousand dollars, according to the ransomware-recovery specialist Coveware. In 2019, it grew to forty-one thousand dollars. That year, a large ransomware syndicate announced that it was dissolving, after raking in two billion dollars in ransom payments in less than two years. “We are a living proof that you can do evil and get off scot-free,” the syndicate wrote in a farewell message. By 2020, the average ransom payment was more than two hundred thousand dollars, and some cyber-insurance companies began to exit the market. “I don’t think the insurers really understood the risk they were taking on,” Reiner told me. “The numbers in 2020 were really bad, but, at the end of 2020, everyone looked around and said, 2021 is going to be even worse.”
I'll bet it will be. Putin's sure not helping things. Remember, it used to be phishing emails from Nigeria? Not to mention the small-time con jobs from phone banks in India asking for $500 to unlock your personal computer. This is a whole new ballgame.

maestrob
Posts: 18925
Joined: Tue Sep 16, 2008 11:30 am

Re: Ransomware

Post by maestrob » Tue Jun 08, 2021 8:13 am

U.S. Seizes Share of Ransom From Hackers in Colonial Pipeline Attack

Investigators traced 75 Bitcoins worth more than $4 million through nearly two dozen cryptocurrency accounts.

By Katie Benner and Nicole Perlroth
June 7, 2021

WASHINGTON — The Justice Department said on Monday that it had seized much of the ransom that a major U.S. pipeline operator had paid last month to a Russian hacking collective, turning the tables on the hackers by reaching into a digital wallet to snatch back millions of dollars in cryptocurrency.

Investigators in recent weeks traced 75 Bitcoins worth more than $4 million that Colonial Pipeline had paid to the hackers as the attack shut down its computer systems, prompting fuel shortages, a spike in gasoline prices and chaos at airlines.

Federal investigators tracked the ransom as it moved through a maze of at least 23 different electronic accounts belonging to DarkSide, the hacking group, before landing in one that a federal judge allowed them to break into, according to law enforcement officials and court documents.

The Justice Department said it seized 63.7 Bitcoins, valued at about $2.3 million. (The value of a Bitcoin has dropped over the past month.)

“The sophisticated use of technology to hold businesses and even whole cities hostage for profit is decidedly a 21st-century challenge, but the old adage ‘follow the money’ still applies,” Lisa O. Monaco, the deputy attorney general, said at the news conference at the Justice Department.

Law enforcement officials highlighted the seizure in an effort to warn cybercriminals that the United States planned to take aim at their profits, which are often gained through cryptocurrencies like Bitcoin. It was also intended to encourage victims of ransomware attacks — which occur every eight minutes, on average — to notify the authorities to help recover ransoms.

For years, victims have opted to quietly pay cybercriminals, calculating that the payment would be cheaper than rebuilding data and services. Though the F.B.I. discourages ransom payments, they are legal and even tax deductible. But the payments — which collectively total billions of dollars — have funded and emboldened ransomware groups.

Justice Department officials said that Colonial’s willingness to quickly loop in the F.B.I. helped recoup the ransom portion, and they credited the company for its role in a first-of-its-kind effort by a new ransomware task force in the department to hijack a cybercrime group’s profits.

“We must continue to take cyberthreats seriously and invest accordingly to harden our defenses,” Joseph Blount, the chief executive of Colonial, said in a statement. Mr. Blount said that after his company contacted the F.B.I. and the Justice Department to notify them of the attack, investigators helped Colonial understand the hackers and their tactics.

The Justice Department’s announcement also came before President Biden’s scheduled meeting with President Vladimir V. Putin of Russia next week in Geneva, where Mr. Biden is expected to address what American officials see as the Kremlin’s willingness to provide protection for hackers. Russia typically does not arrest or extradite suspects in ransomware attacks.

The New York Times reported last month that Colonial Pipeline’s ransom payout had moved out of DarkSide’s Bitcoin wallet, though it was not clear who had orchestrated the move.


On Monday, the government filled in some of the blanks. DarkSide operates by providing ransomware to affiliates. In exchange, DarkSide reaps a cut of their profits.

Officials said they had identified a virtual currency account, often referred to as a wallet, that DarkSide used to collect payment from a ransomware victim — identified in court papers only as Victim X, but whose hacking details match Colonial’s. The officials said that a magistrate judge in the Northern District of California had approved a warrant on Monday to seize funds from the wallet.

The F.B.I. began investigating DarkSide last year and identified more than 90 victims across multiple sectors of the economy, including manufacturing, law, insurance, health care and energy, Paul M. Abbate, the deputy director of the F.B.I., said at the news conference.

DarkSide first surfaced in August and is believed to have started as an affiliate of another Russian hacking group, called REvil, before opening its own operation last year.

Weeks after DarkSide attacked Colonial, REvil used ransomware to try to extort money from JBS, one of the world’s largest meat processors. The attack forced the company to shutter nine beef plants in the United States, disrupted poultry and pork plants, and had significant effects on grocery stores and restaurants, which have had to charge more or remove meat products from their menus.

In recent weeks, ransomware has also crippled the hospital that serves the Villages in Florida, the largest retirement community in the United States; television networks; N.B.A. and minor league baseball teams; and even ferries to Nantucket and Martha’s Vineyard in Massachusetts.

The episodes have elevated digital vulnerabilities into the national consciousness. White House officials said last week that they were working to address issues with cryptocurrency, which has enabled ransomware attacks for years.

Last week, Christopher A. Wray, the F.B.I. director, likened the threat of ransomware attacks to the challenge of global terrorism in the days after the Sept. 11, 2001, attacks.

“There are a lot of parallels, there’s a lot of importance, and a lot of focus by us on disruption and prevention,” he said. “There’s a shared responsibility, not just across government agencies, but across the private sector and even the average American.”

Mr. Wray added that the F.B.I. was investigating 100 software variants used in ransomware attacks, demonstrating the scale of the problem.

Though U.S. officials have been careful not to directly tie the ransomware attacks to Russia, Mr. Biden, Mr. Wray and others have said that the country protects cybercriminals.

In many cases, Russia treats them as national assets. In a 2014 breach of Yahoo, for example, Russian intelligence officers worked side by side with cybercriminals, allowing them to profit off stolen data, while instructing them to pass email accounts to the F.S.B., the successor agency to the Soviet-era K.G.B.

Mr. Putin has likened hackers to “artists who wake up in the morning in a good mood and start painting.” The reality, U.S. officials say, is that they give Mr. Putin and Russian intelligence services a layer of plausible deniability.

Not only is Mr. Biden expected to address the issue with Mr. Putin, but the State Department is also in talks with some two dozen other countries on ways to mutually pressure Russia to address cybercrime.

“If the Russian government wants to show that it’s serious about this issue, there’s a lot of room for them to demonstrate some real progress that we’re not seeing,” Mr. Wray said last week.

Anne Neuberger, the deputy national security adviser for cyber and emerging technologies, warned American businesses last week that ransomware had taken a dark turn, noting a recent shift “from stealing data to disrupting operations.”

The hackers took direct aim at Colonial’s billing systems. With those frozen, executives found they had no way to charge customers and pre-emptively shut down operations. A confidential government assessment determined that if the pipeline had been shuttered for even two more days, the attack could have brought mass transit and chemical refineries, which rely on Colonial to transport diesel, to their knees.

The White House held emergency meetings to address the attack. The Biden administration announced that it would require pipeline companies to report significant cyberattacks and that the government would create 24-hour emergency centers to handle serious hackings.

Cybersecurity experts welcomed the Justice Department’s move.

“It has become clear that we need to use several tools to stem the tide” of ransomware, said John Hultquist, a vice president at the cybersecurity firm FireEye. “A stronger focus on disruption may disincentivize this behavior, which is growing in a vicious cycle.”

David E. Sanger contributed reporting.

https://www.nytimes.com/2021/06/07/us/p ... e=Homepage

Rach3
Posts: 9219
Joined: Tue Apr 03, 2018 9:17 am

Re: Ransomware

Post by Rach3 » Tue Jun 08, 2021 8:51 am

Hopefully, this brilliant success will cause dissension among the criminal hackers, who will now be concerned whether the facilitators or middlemen they often rely on, e.g. DarkSide, are themselves secure, and/or raise the risks/costs of trying to improve their own capabilities?
What is clear is that national governments need a "Department of Cybersecurity" as much as a Department of Commerce.

maestrob
Posts: 18925
Joined: Tue Sep 16, 2008 11:30 am

Re: Ransomware

Post by maestrob » Tue Jun 08, 2021 9:47 am

Rach3 wrote:
Tue Jun 08, 2021 8:51 am
Hopefully, this brilliant success will cause dissension among the criminal hackers, who will now be concerned whether the facilitators or middlemen they often rely on, e.g. DarkSide, are themselves secure, and/or raise the risks/costs of trying to improve their own capabilities?
What is clear is that national governments need a "Department of Cybersecurity" as much as a Department of Commerce.
Damn right!

maestrob
Posts: 18925
Joined: Tue Sep 16, 2008 11:30 am

Re: Ransomware

Post by maestrob » Thu Jun 10, 2021 11:25 am

Meat processor JBS paid $11 million in ransom to hackers.

The world’s largest meat processor said on Wednesday that it paid an $11 million ransom in Bitcoin to the hackers behind an attack that forced the shutdown last week of all the company’s U.S. beef plants and disrupted operations at poultry and pork plants.

The company, JBS, said in a statement that the decision to pay the ransom was made to protect its data and hedge against risk for its customers. The company said most of its facilities were back up and running when the payment was made.

The F.B.I. said last week that it believed REvil, a Russian-based group that is one of the most prolific ransomware organizations, was responsible for the attack.

JBS, which is based in Brazil, processes roughly a fifth of the United States’ beef and pork. News last week of the cyberattack on a producer so central to the U.S. meat supply spurred worries that the shutdown could shock the market, creating shortages and accelerating the rise of already-high meat prices.

The worst of those fears were not realized, in large part because JBS was able to resume its operations quickly.

The Wall Street Journal was first to report news of JBS’s ransom payment.

The breach was the latest in a string of attacks targeting critical infrastructure that have raised concerns about vulnerabilities of American businesses. Last month, a ransomware attack on the Colonial Pipeline, a vital artery that transports gasoline to nearly half the East Coast, caused gas and jet-fuel shortages and set off panic buying of fuel in several states.

The pipeline’s operator had also paid a ransom in Bitcoin to the attackers, the Russian hacking group DarkSide, which started as an affiliate of REvil. This week, the Justice Department announced that its investigators had traced and recovered much of the ransom, or some $2.3 million of the $4.3 million worth of Bitcoin paid. The revelation highlighted that the cryptocurrency, sometimes perceived as untraceable, can be quickly tracked down by law enforcement authorities.

White House officials have said they are reviewing issues with cryptocurrencies like Bitcoin, which for years have helped enable cyberattacks.

JBS said it learned on May 30 that it had been targeted by an attack affecting some of its servers powering its IT systems in Australia and North America. It moved to suspend those systems, shutting down the production plants.

The company announced, four days after it first learned of the attack, that its global facilities were again fully operational. It said that it lost less than one day’s worth of food production during the attack and that it would be able to make it up by the end of this week.

JBS said on Wednesday it was confident that none of its data or that of its customers was breached during the attack.

— Rebecca Robbins

https://www.nytimes.com/live/2021/06/10 ... arket-news

maestrob
Posts: 18925
Joined: Tue Sep 16, 2008 11:30 am

Re: Ransomware

Post by maestrob » Thu Jun 10, 2021 11:34 am

Pipeline Investigation Upends Idea That Bitcoin Is Untraceable

The F.B.I.’s recovery of Bitcoins paid in the Colonial Pipeline ransomware attack showed cryptocurrencies are not as hard to track as it might seem.

By Nicole Perlroth, Erin Griffith and Katie Benner
June 9, 2021

When Bitcoin burst onto the scene in 2009, fans heralded the cryptocurrency as a secure, decentralized and anonymous way to conduct transactions outside the traditional financial system.

Criminals, often operating in hidden reaches of the internet, flocked to Bitcoin to do illicit business without revealing their names or locations. The digital currency quickly became as popular with drug dealers and tax evaders as it was with contrarian libertarians.

But this week’s revelation that federal officials had recovered most of the Bitcoin ransom paid in the recent Colonial Pipeline ransomware attack exposed a fundamental misconception about cryptocurrencies: They are not as hard to track as cybercriminals think.

On Monday, the Justice Department announced it had traced 63.7 of the 75 Bitcoins — some $2.3 million of the $4.3 million — that Colonial Pipeline had paid to the hackers as the ransomware attack shut down the company’s computer systems, prompting fuel shortages and a spike in gasoline prices. Officials have since declined to provide more details about how exactly they recouped the Bitcoin, which has fluctuated in value.

Yet for the growing community of cryptocurrency enthusiasts and investors, the fact that federal investigators had tracked the ransom as it moved through at least 23 different electronic accounts belonging to DarkSide, the hacking collective, before accessing one account showed that law enforcement was growing along with the industry.

That’s because the same properties that make cryptocurrencies attractive to cybercriminals — the ability to transfer money instantaneously without a bank’s permission — can be leveraged by law enforcement to track and seize criminals’ funds at the speed of the internet.

Bitcoin is also traceable. While the digital currency can be created, moved and stored outside the purview of any government or financial institution, each payment is recorded in a permanent fixed ledger, called the blockchain.

That means all Bitcoin transactions are out in the open. The Bitcoin ledger can be viewed by anyone who is plugged into the blockchain.

“It is digital bread crumbs,” said Kathryn Haun, a former federal prosecutor and investor at venture-capital firm Andreessen Horowitz. “There’s a trail law enforcement can follow rather nicely.”

Ms. Haun added that the speed with which the Justice Department seized most of the ransom was “groundbreaking” precisely because of the hackers’ use of cryptocurrency. In contrast, she said, getting records from banks often requires months or years of navigating paperwork and bureaucracy, especially when those banks are overseas.


Given the public nature of the ledger, cryptocurrency experts said, all law enforcement needed to do was figure out how to connect the criminals to a digital wallet, which stores the Bitcoin. To do so, authorities likely focused on what is known as a “public key” and a “private key.”

A public key is the string of numbers and letters that Bitcoin holders have for transacting with others, while a “private key” is used to keep a wallet secure. Tracking down a user’s transaction history was a matter of figuring out which public key they controlled, authorities said.

Seizing the assets then required obtaining the private key, which is more difficult. It’s unclear how federal agents were able to get DarkSide’s private key.

Justice Department spokesman Marc Raimondi declined to say more about how the F.B.I. seized DarkSide’s private key. According to court documents, investigators accessed the password for one of the hackers’ Bitcoin wallets, though they did not detail how.

The F.B.I. did not appear to rely on any underlying vulnerability in blockchain technology, cryptocurrency experts said. The likelier culprit was good old-fashioned police work.

Federal agents could have seized DarkSide’s private keys by planting a human spy inside DarkSide’s network, hacking the computers where their private keys and passwords were stored, or compelling the service that holds their private wallet to turn them over via search warrant or other means.

“If they can get their hands on the keys, it’s seizable,” said Jesse Proudman, founder of Makara, a cryptocurrency investment site. “Just putting it on a blockchain doesn’t absolve that fact.”

The F.B.I. has partnered with several companies that specialize in tracking cryptocurrencies across digital accounts, according to officials, court documents and the companies. Start-ups with names like TRM Labs, Elliptic and Chainalysis that trace cryptocurrency payments and flag possible criminal activity have blossomed as law enforcement agencies and banks try to get ahead of financial crime.

Their technology traces blockchains looking for patterns that suggest illegal activity. It’s akin to how Google and Microsoft tamed email spam by identifying and then blocking accounts that spray email links across hundreds of accounts.

“Cryptocurrency allows us to use these tools to trace funds and financial flows along the blockchain in ways that we could never do with cash,” said Ari Redbord, the head of legal affairs at TRM Labs, a blockchain intelligence company that sells its analytic software to law enforcement and banks. He was previously a senior adviser on financial intelligence and terrorism at the Treasury Department.

Several longtime cryptocurrency enthusiasts said the recovery of much of the Bitcoin ransom was a win for the legitimacy of digital currencies. That would help shift the image of Bitcoin as the playground of criminals, they said.

“The public is slowly being shown, in case after case, that Bitcoin is good for law enforcement and bad for crime — the opposite of what many historically believed,” said Hunter Horsley, chief executive of Bitwise Asset Management, a cryptocurrency investment company.

In recent months, cryptocurrencies have become increasingly mainstream. Companies such as PayPal and Square have expanded their cryptocurrency services. Coinbase, a start-up that allows people to buy and sell cryptocurrencies, went public in April and is now valued at $47 billion. Over the weekend, a Bitcoin conference in Miami attracted more than 12,000 attendees, including Twitter’s chief executive, Jack Dorsey, and the former boxer Floyd Mayweather Jr.

As more people use Bitcoin, most are accessing the digital currency in a way that mirrors a traditional bank, through a central intermediary like a crypto exchange. In the United States, anti-money laundering and identity verification laws require such services to know who their customers are, creating a link between identity and account. Customers must upload government identification when they sign up.

Ransomware attacks have put unregulated crypto exchanges under the microscope. Cybercriminals have flocked to thousands of high-risk ones in Eastern Europe that do not abide by these laws.


After the Colonial Pipeline attack, several financial leaders proposed a ban on cryptocurrency.

“We can live in a world with cryptocurrency or a world without ransomware, but we can’t have both,” Lee Reiners, the executive director of the Global Financial Markets Center at Duke Law School, wrote in The Wall Street Journal.

Cryptocurrency experts said the hackers could have tried to make their Bitcoin accounts even more secure. Some cryptocurrency holders go to great lengths to store their private keys away from anything connected to the internet, in what is called a “cold wallet.” Some memorize the string of numbers and letters. Others write them down on paper, though those can be obtained by search warrants or police work.

“The only way to obtain the truly unseizable characteristic of the asset class is to memorize the keys and not have them written down anywhere,” Mr. Proudman said.

Mr. Raimondi of the Justice Department said the Colonial Pipeline ransom seizure was the latest sting operation by federal prosecutors to recoup illicitly gained cryptocurrency. He said the department has made “many seizures, in the hundreds of millions of dollars, from unhosted cryptocurrency wallets” used for criminal activity.

In January, the Justice Department disrupted another ransomware group, NetWalker, which used ransomware to extort money from municipalities, hospitals, law enforcement agencies and schools.

As part of that sting, the department obtained about $500,000 of NetWalker’s cryptocurrency that had been collected from victims of their ransomware.

“While these individuals believe they operate anonymously in the digital space, we have the skill and tenacity to identify and prosecute these actors to the full extent of the law and seize their criminal proceeds,” Maria Chapa Lopez, then the U.S. attorney for the Middle District of Florida, said when the case was announced.

In February, the Justice Department said it had warrants to seize nearly $2 million in cryptocurrencies that North Korean hackers had stolen and put into accounts at two different cryptocurrency exchanges.

Last August, the department also unsealed a complaint outing North Korean hackers who stole $28.7 million of cryptocurrency from a cryptocurrency exchange, and then laundered the proceeds through Chinese cryptocurrency laundering services. The F.B.I. traced the funds to 280 cryptocurrency wallets and their owners.

In the end, “cryptocurrencies are actually more transparent than most other forms of value transfer,” said Madeleine Kennedy, a spokeswoman for Chainalysis, the start-up that traces cryptocurrency payments. “Certainly more transparent than cash.”

https://www.nytimes.com/2021/06/09/tech ... pe=Article
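The article above describes investigators following the ransom through at least 23 accounts on the public ledger before tying one of them to a wallet, and notes that a regulated exchange can link an address to a verified customer. As an added illustration that is not part of the article or of this thread, the Python below builds a constructed toy ledger (hypothetical addresses, amounts and a hypothetical exchange attribution list) and walks the funds forward from the victim's payment; it also applies the common-input-ownership heuristic that blockchain analysts use to group addresses, which goes a step beyond what the article spells out.

```python
"""Follow-the-money over a public ledger (added example, not from the article).

The chain is modelled as a list of transactions; each spends one or more input
addresses and pays one or more output addresses. Because every transaction is
public, an analyst can start at the victim's payment and walk forward hop by hop
until the coins come to rest or land on an address a regulated service can
attribute to a customer.
"""
from collections import defaultdict, deque

# Constructed sample ledger: hypothetical addresses and amounts, not real chain data.
# Shape: (txid, [input addresses], [(output address, amount)])
SAMPLE_LEDGER = [
    ("tx01", ["victim_pay"],   [("collector", 75.0)]),
    ("tx02", ["collector"],    [("affiliate_cut", 11.3), ("hop1", 63.7)]),
    ("tx03", ["hop1"],         [("hop2", 40.0), ("hop3", 23.7)]),
    ("tx04", ["hop2", "hop3"], [("hop4", 63.7)]),      # two inputs merged into one payment
    ("tx05", ["hop4"],         [("exch_deposit", 63.7)]),
    ("tx06", ["unrelated_a"],  [("unrelated_b", 2.0)]),  # noise: never touched by the ransom
]

# Constructed attribution list: addresses a (hypothetical) regulated exchange has
# confirmed belong to identified customer accounts.
KNOWN_SERVICE_ADDRESSES = {"exch_deposit": "ExampleExchange (KYC customer deposit)"}


def build_flow_graph(ledger):
    """Map each spent address to the outputs it funded: src -> [(txid, dst, amount)]."""
    graph = defaultdict(list)
    for txid, inputs, outputs in ledger:
        for src in inputs:
            for dst, amount in outputs:
                graph[src].append((txid, dst, amount))
    return graph


def trace_funds(ledger, start):
    """Breadth-first walk forward from `start`.

    Returns {address: (hops, path_of_txids)} for every address the coins reached.
    """
    graph = build_flow_graph(ledger)
    reached = {start: (0, [])}
    queue = deque([start])
    while queue:
        src = queue.popleft()
        hops, path = reached[src]
        for txid, dst, _amount in graph.get(src, []):
            if dst not in reached:
                reached[dst] = (hops + 1, path + [txid])
                queue.append(dst)
    return reached


def resting_addresses(ledger, start):
    """Reached addresses that were never spent again, i.e. where funds currently sit."""
    graph = build_flow_graph(ledger)
    reached = trace_funds(ledger, start)
    return sorted(a for a in reached if a != start and not graph.get(a))


def attributed_endpoints(ledger, start, known=KNOWN_SERVICE_ADDRESSES):
    """Reached addresses that match a known regulated service: the point where a
    public key can be tied to a legal identity by a records request, not by any
    weakness in the ledger itself."""
    reached = trace_funds(ledger, start)
    return {a: (known[a], reached[a][0]) for a in reached if a in known}


def common_input_clusters(ledger):
    """Group addresses spent together in one transaction (common-input-ownership
    heuristic: co-spent inputs are usually controlled by the same party)."""
    parent = {}

    def find(a):
        parent.setdefault(a, a)
        while parent[a] != a:
            parent[a] = parent[parent[a]]  # path compression
            a = parent[a]
        return a

    for _txid, inputs, _outputs in ledger:
        for other in inputs[1:]:
            parent[find(other)] = find(inputs[0])
    clusters = defaultdict(set)
    for a in list(parent):
        clusters[find(a)].add(a)
    return sorted(sorted(c) for c in clusters.values() if len(c) > 1)


if __name__ == "__main__":
    trail = trace_funds(SAMPLE_LEDGER, "victim_pay")
    for addr, (hops, path) in sorted(trail.items(), key=lambda kv: kv[1][0]):
        print(f"{addr:14s} hops={hops} via {'->'.join(path) or '-'}")
    print("resting:", resting_addresses(SAMPLE_LEDGER, "victim_pay"))
    print("attributed:", attributed_endpoints(SAMPLE_LEDGER, "victim_pay"))
    print("clusters:", common_input_clusters(SAMPLE_LEDGER))
```

The trace reaches the exchange deposit in five hops and never touches the unrelated transaction; obtaining the private key for the resting address is a separate legal and investigative step the ledger alone does not provide.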

maestrob
Posts: 18925
Joined: Tue Sep 16, 2008 11:30 am

Re: Ransomware

Post by maestrob » Fri Jun 18, 2021 11:56 am

How Should We Handle Ransom Payments to Hackers? Very Carefully.

June 17, 2021
By Josephine Wolff

Dr. Wolff is an assistant professor of cybersecurity policy at Tufts University.

The announcement last week that U.S. law enforcement officials had managed to recover $2.3 million of the roughly $4.4 million ransom that Colonial Pipeline paid hackers was a welcome development. But it also raised questions about who should bear the costs of ransom payments as the threat of online extortion grows.

The Colonial Pipeline ransom retrieval sends a strong message to American companies that are hacked that the government can help. This will, hopefully, encourage victims to report these attacks to the authorities. But it may also make companies more willing to pay ransom — and that would be good news for cybercriminals.

Any effort by the government to more aggressively reclaim ransom payments must, then, go hand in hand with a regulatory crackdown on insurance coverage for ransoms. We also need careful consideration of how much — if any — of the reclaimed ransoms should be returned to the victims who paid them. (In the case of Colonial, the U.S. government has not made a statement about who will receive the recovered funds.)

Insurance plays a significant yet often overlooked role in the ransomware economy. Most ransomware victims do not announce that they are making ransom payments, nor that those payments are covered at least in part by their insurers. It took questioning at a House Homeland Security Committee hearing for Joseph Blount, the chief executive of Colonial Pipeline, to acknowledge that, “I think there were consultations going on” with the company’s insurer before the ransom was paid. He also said Colonial had filed an insurance claim for the payment that he expected would be covered.

In many cases, insurers shoulder almost all of the financial burden for ransomware victims. When Lake City, Fla., paid hackers nearly $500,000 in 2019, its insurance policy with the Florida League of Cities covered all but $10,000. Another Florida city whose computer system was hacked the same year, Riviera Beach, agreed to an even larger ransom payment, nearly $600,000. The city itself was on the hook only for a $25,000 deductible.

Knowing insurance will cover ransoms can make it easier for companies to decide to pay, which only fuels future attacks. Knowing that the government may then effectively reimburse them adds further incentive for hacked companies to pay. A recent estimate by Kaspersky suggested that 56 percent of victims pay a ransom.

Because insurers have been forced to cover so many ransom payments in recent years, the industry seems to be on the cusp of trying to raise premiums and rethink its approach to ransomware. So far, though, only one major insurer, the French company AXA, has moved in that direction, announcing last month that it would suspend issuing policies that cover ransom payments in France until authorities clarified whether it was legal to do so.

Indeed, regulators in many countries have provided ambiguous guidance to insurers and ransomware victims about paying ransoms. Most law enforcement agencies, including the F.B.I., discourage but do not actually forbid payments. Christopher Wray, the F.B.I.’s director, said at a congressional hearing that companies infected with ransomware should quickly contact law enforcement to find ways to avoid paying hackers. Victims paid nearly $350 million worth of cryptocurrency in ransoms last year, emboldening attackers to take on more high-profile targets this year, like the meat processor JBS, whose slaughterhouses were knocked offline, and Colonial, whose fuel pipeline shutdown prompted long lines for gasoline throughout the Southeast.

Last year, the Treasury Department warned that ransom payments to certain sanctioned groups and individuals might be illegal. But for many victims, as well as their insurers, it’s not always immediately clear to whom they are paying ransoms, nor how the Treasury rules apply to their situations. At the same time, some regulators fear that a ban on ransom payments would drive more companies to pay off their hackers in secret and refuse to report incidents to law enforcement. (Currently, the percentage of attacks that go unreported is unclear.)

Retrieving ransom payments is an important element in making ransomware less profitable, and the U.S. government should continue to pursue this option as aggressively as possible. But the government should also specify that no more than a quarter of the recouped payments will be returned to the victims. That creates an incentive for companies to work with law enforcement, but not enough for them to make such payments without a second thought.

The rest of the recovered money could go to help fund investigations into ransomware incidents. That way it can be part of the solution to ransomware, not part of the problem.

At a time when attacks are targeting increasingly high-stakes infrastructure, including fuel pipelines and food supply chains, effectively insulating insurance companies from the full costs of ransom payments would be a serious mistake.

Josephine Wolff is an assistant professor of cybersecurity policy at the Tufts Fletcher School of Law and Diplomacy and the author of “You’ll See This Message When It Is Too Late: The Legal and Economic Aftermath of Cybersecurity Breaches.”

https://www.nytimes.com/2021/06/17/opin ... e=Homepage

stickles
Posts: 173
Joined: Sat Jun 07, 2008 12:05 pm

Re: Ransomware

Post by stickles » Fri Jun 18, 2021 1:43 pm

The company I work for got hit by ransomware twice this year. Fortunately, we have a fairly robust company backup procedure, and only lost about 2 days work time. For anyone concerned about data loss or cyberattacks, I would suggest the following: have cloud services to back up your data if possible. I recovered some of my data through Dropbox, as they have a nice roll back feature. If you feel something is wrong with your computer or other computers on the same network, you should cut the network connection as soon as possible. In order to do so, you can do one of the following: have your internet modem/router at your arm’s reach and know how to kill the power, always use an ethernet cable to connect to a network and unplug the cable if necessary, or if you have to use wifi, I would recommend using a USB-wifi dongle which is easily removable instead of a built-in wifi adapter.

maestrob
Posts: 18925
Joined: Tue Sep 16, 2008 11:30 am

Re: Ransomware

Post by maestrob » Wed Jul 21, 2021 9:14 am

China Breached Dozens of Pipeline Companies in Past Decade, U.S. Says

The disclosure about the breadth of state-sponsored cyberattacks was part of a warning to pipeline owners to increase the security of their systems to stave off future intrusions.
By Nicole Perlroth and David E. Sanger
July 20, 2021
The Biden administration disclosed previously classified details on Tuesday about the breadth of state-sponsored cyberattacks on American oil and gas pipelines over the past decade, as part of a warning to pipeline owners to increase the security of their systems to stave off future attacks.

From 2011 to 2013, Chinese-backed hackers targeted, and in many cases breached, nearly two dozen companies that own such pipelines, the F.B.I. and the Department of Homeland Security revealed in an alert on Tuesday. For the first time, the agencies said they judged that the “intrusions were likely intended to gain strategic access” to the industrial control networks that run the pipelines “for future operations rather than for intellectual property theft.” In other words, the hackers were preparing to take control of the pipelines, rather than just stealing the technology that allowed them to function.

Of 23 operators of natural gas pipelines that were subjected to a form of email fraud known as spear phishing, the agencies said that 13 were successfully compromised, while three were “near misses.” The extent of intrusions into seven operators was unknown because of an absence of data.

The disclosures come as the federal government tries to galvanize the pipeline industry after a ransomware group based in Russia easily forced the shutdown of a pipeline network that provides nearly half the gasoline, jet fuel and diesel that flows up the East Coast. That attack on Colonial Pipeline — aimed at the company’s business systems, not the operations of the pipeline itself — led the company to shut off its shipments for fear that it did not know what the attackers would be capable of next. Long gasoline lines and shortages followed, underscoring for President Biden the urgency of defending the United States’ pipelines and critical infrastructure from cyberattacks.

The declassified report on China’s activities accompanied a security directive that requires owners and operators of pipelines deemed critical by the Transportation Security Administration to take specific steps to protect against ransomware and other attacks, and to put in place a contingency and recovery plan. The exact steps were not made public, but officials said they sought to address some of the huge deficiencies found as they conducted reviews of the Colonial Pipeline attack. (The company, which is privately held, has said little about the vulnerabilities in its systems that the hackers exploited.)

The directive follows another in May that required companies to report significant cyberattacks to the government. But that did nothing to seal the systems up.

The newly declassified report was a reminder that nation-backed hackers targeted oil and gas pipelines before cybercriminals devised new ways of holding their operators hostage for ransom. Ransomware is a form of malware that encrypts data until the victim pays. The attack on Colonial Pipeline led it to pay about $4 million in cryptocurrency, some of which the F.B.I. seized back after the criminals left part of the money visible in cryptocurrency wallets. But that was, as one law enforcement official said, a “lucky break.” Another ransomware attack a few weeks later extracted $11 million from JBS, a producer of beef products; none of it was recovered.

Nearly 10 years ago, the Department of Homeland Security said in the declassified report, it began responding to intrusions on oil pipelines and electric power operators at “an alarming rate.” Officials successfully traced a portion of those attacks to China, but in 2012, its motivation was not clear: Were the hackers trolling for industrial secrets? Or were they positioning themselves for some future attack?

“We are still trying to figure it out,” a senior American intelligence official told The New York Times in 2013. “They could have been doing both.”

But the alert on Tuesday asserted that the goal was “holding U.S. pipeline infrastructure at risk.”

“This activity was ultimately intended to help China develop cyberattack capabilities against U.S. pipelines to physically damage pipelines or disrupt pipeline operations,” the alert said.

The alert was prompted by new concerns over the cyberdefense of critical infrastructure, brought to the fore with the attack on Colonial Pipeline. That breach set off alarms at the White House and the Energy Department, which found that the nation could have afforded only three more days of downtime before mass transit and chemical refineries came to a halt.

Mandiant, a division of the security firm FireEye, said the advisory was consistent with the Chinese-backed intrusions it tracked on multiple natural gas pipeline companies and other critical operators from 2011 to 2013. But the firm added one unnerving detail, noting that it “strongly” believed that in one case, Chinese hackers had gained access to the controls, which could have enabled a pipeline shutdown or could potentially set off an explosion.
While the directive did not name the victims of the pipeline intrusion, one of the companies infiltrated by Chinese hackers over that same time frame was Telvent, which monitors more than half the oil and gas pipelines in North America. It discovered hackers in its computer systems in September 2012, only after they had been loitering there for months. The company closed its remote access to clients’ systems, fearing it would be used to shut down American’s infrastructure.

The Chinese government denied it was behind the breach of Telvent. Congress failed to pass cybersecurity legislation that would have increased the security of pipelines and other critical infrastructure. And the country seemed to move on.

Nearly a decade later, the Biden administration says the threat of a hacking on America’s oil and gas pipelines has never been graver. “The lives and livelihoods of the American people depend on our collective ability to protect our nation’s critical infrastructure from evolving threats,” Alejandro N. Mayorkas, the homeland security secretary, said in a statement on Tuesday.
The May directive set a 30-day period to “identify any gaps and related remediation measures to address cyber-related risks” and report them to the T.S.A. and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency.

Shortly after taking office, Mr. Biden promised that improving cybersecurity would be a top priority. This month, he met with top advisers to discuss options for responding to a wave of Russian ransomware attacks on American companies, including one on July 4 on a Florida company that provides software to businesses that manage technology for smaller firms.

And on Monday, the White House said that China’s Ministry of State Security, which oversees intelligence, was behind an unusually aggressive and sophisticated attack in March on tens of thousands of victims that relied on Microsoft Exchange mail servers.

Separately, the Justice Department unsealed indictments of four Chinese citizens on Monday for coordinating the hackings of trade secrets from companies in aviation, defense, biopharmaceuticals and other industries.

According to the indictments, China’s hackers operate from front companies, some on the island of Hainan, and tap Chinese universities not only to recruit hackers to the government’s ranks, but also to manage key business operations, like payroll. That decentralized structure, American officials and security experts say, is intended to offer China’s Ministry of State Security plausible deniability.

The indictments also revealed that China’s “government-affiliated” hackers had engaged in for-profit ventures of their own, conducting ransomware attacks that extort companies for millions of dollars.

Eileen Sullivan contributed reporting.

Nicole Perlroth is a cybersecurity and digital espionage reporter. She is the bestselling author of the book, “This Is How They Tell Me The World Ends,” about the global cyber arms race.

David E. Sanger is a White House and national security correspondent. In a 38-year reporting career for The Times, he has been on three teams that have won Pulitzer Prizes, most recently in 2017 for international reporting. His newest book is “The Perfect Weapon: War, Sabotage and Fear in the Cyber Age.”

https://www.nytimes.com/2021/07/20/us/p ... e=Homepage
