Written by: Dell Spry
Introduction: Before the Colonial Pipeline Attack
In earlier centuries wars were fought between nation states to acquire water and fertile land. Then came the quest for natural resources; gold, silver, oil. These wars were fought utilizing large armies requiring massive supplies to achieve their goal of conquest and colonization and probably, on at least some occasions, proved to be logistic nightmares.
Seemingly, today you can launch an attack against your enemy while sitting at your kitchen table drinking coffee. All you need is one of the simplest, yet most devastating weapons ever created: a laptop computer.
If you are educated in the ways of hacking and implanting malware on the computers of a person, a business, or a government, you have power indeed. You can operate from a dark place as part of a dark web in a dark world to unleash havoc on innocent people and innocent businesses. You can give your group or yourself a cute name and operate with autonomy and seeming impunity.
When did this all start?
According to an online article in “Infosec” dated March 9, 2016 by Pierluigi Paganini titled – Who is Ardit Ferizi, “In October 2015, for the first time, the US Justice Department has charged a suspect for terrorism and hacking. The US Government has charged a hacker in Malaysia with stealing the data belonging to the US service members and passing it to the members of ISIS with the intent to support them in arranging attacks against Western targets.”
The man charged by the Justice Department is Ardit Ferizi, a citizen of Kosovo, who was detained in Malaysia on a U.S. provisional arrest warrant. Ferizi comes from the Kosovo city of Gjakova, which has a large Albanian Catholic and spiritual Sufi population, in addition to its conventional Sunni Muslim. Ardit Ferizi was arrested in September 2015, according to the US intelligence (sic) the man provided the data to the popular IS militant Junaid Hussain, which disclosed it on the web. According to the investigators, Hussain and Ferizi started their collaborations months before, in April 2015.
Data stolen by the Kosovan hacker included names, e-mail addresses, passwords, locations and phone numbers of 1,351 U.S. military and other government personnel. Ferizi is accused of doxing (search for and publish private or identifying information about an individual on the Internet, typically with malicious intent) military personnel data with the specific intent to help the ISIS members to localize and hit the US soldiers.
This was the first time the DOJ charged an individual with hacking, but the issue of using a computer for malfeasance began long before. In fact, it’s origin, while a deliberate nuisance, came about in an almost whimsical way. In an undated article for “United States Cybersecurity Magazine” by staff writer Caleb Townsend titled – A Brief and Incomplete History of Cybersecurity, he writes, “Many people assume that cybersecurity is a new vector, relatively starting within the last decade. However, cybersecurity history dates back to the seventies, before most people even had a computer. We have covered hacking incidents that took place before computers, but for the purposes of this article, our timeline starts in 1971, with an experiment.”
A Brief History of Hacking in the U.S.
The First Computer Worm – 1971
In 1971, Bob Thomas made history by creating a program that is widely accepted as the first ever computer worm. The worm bounced between computers, which was groundbreaking at the time. The worm was not at all malicious. However, it would display a message on any infected screen stating, “I’m the creeper: catch me if you can.”
The First Denial-of-Service (DoS) Attack – 1988
In 1988, Robert Morris created a computer worm, which slowed the early internet down significantly. Thus, we have the first DoS attack in history. Surprisingly, Morris did not write the worm to cause damage. In contrast, Morris created it to highlight security flaws such as Unix sendmail and weak passwords. However, the code made the worm replicate excessively, causing damages estimated around $100,000 to $10,000,000. It also resulted in a partition of the internet lasting for several days.
AIDS Trojan – 1989
1989 also marked a grim day in history, with Joseph Popp creating the first ransomware attack. Joseph Popp created a Malware called the AIDS Trojan, which was distributed through his postal mailing lists using a floppy disk. Popp hoped to extort people out of money through this program, similar to modern ransomware attacks. AIDS Trojan suffered from poor design and was easily removable. This was due to the virus only scrambling the names of the files, instead of the file’s contents. Most computers were still usable and people quickly made programs like AIDS OUT to unlock the files.
So here we are with the Colonial Pipeline attack wondering what happened and what might happen next.
In a May 10, 2021 news report, ABC reporters Catherine Thorbecke and Luke Barr informed the public, “The Federal Bureau of Investigation confirmed in a statement Monday that Darkside ransomware was responsible for the compromise of the Colonial Pipeline networks. The FBI added that it will continue to work with the company and government partners on the ongoing investigation. The DarkSide criminal organization operates in Eastern Europe. While federal officials are still trying to determine whether a foreign nation could be involved in the cyberattack, Russian intelligence has been known to cooperate with Eastern European cybercriminals in the past.”
In a May 8, 2021 article in Cybersecurity titled – “Colonial Hackers Stole Data Thursday Ahead of Shutdown,” Jordan Robertson and William Turton reported, “The attackers who caused Colonial Pipeline to shut down the biggest U.S. gasoline pipeline on Friday, began their blitz against the company a day earlier, stealing a large amount of data before locking computers with ransomware and demanding payment, according to people familiar with the matter.”
The intruders, who are part of a cybercrime gang called DarkSide, took nearly 100 gigabytes of data out of the Alpharetta, Georgia-based company’s network in just two hours on Thursday, two people involved in Colonial’s investigation said.
The move was part of a double-extortion scheme that is one of the group’s hallmarks. Colonial was threatened that the stolen data would be leaked to the internet while the information that was encrypted by the hackers on computers inside the network would remain locked unless it paid a ransom, said the people, who asked not to be identified, because the information isn’t public. The company didn’t immediately respond to requests to comment on the investigation. It said earlier that it “proactively took certain systems offline to contain the threat, which has temporarily halted all pipeline operations, and affected some of our IT systems.”
Colonial’s decision late Friday to shut down a pipeline that is the main source of gasoline, diesel and jet fuel for the East Coast, without saying when it would reopen, represents a dangerous new escalation in the fight against ransomware, which President Joe Biden’s administration has identified as a priority.
It’s not clear how much money the attackers demanded or whether Colonial has paid. Despite the company’s stated intention not to pay the ransom, it was reported over the weekend that Colonial paid an estimated 75 bitcoin to DarkSide, underscoring the immense pressure Colonial likely found themselves under. Ransomware demands can range from several hundred dollars to millions of dollars in cryptocurrency. Many companies pay, often facilitated by their insurers.
AXA SA, one of Europe’s top insurance companies, said this week that it would break with that trend and stop offering policies in France that reimburse customers for payments made to ransomware hackers, which could be the first in the industry, the Associated Press reported.
Apparently a ransom of $5,000,000 was paid by Colonial Pipeline. This is alarming for so many reasons, not the least of which is the fact the payment might encourage DarkSide to attack them again or to attack others. The ransom payment might also be the impetus for additional computer attacks against other innocent companies by assorted thugs, geeks, and ne’er do wells.
In an April 12, 2021 blog by “RAND Corporation” titled – Supply Chains and National Security, writer Bradley Martin, in discussing effects from the COVID-19 pandemic, noted, “While the lessons learned from the COVID-19 pandemic will be sorted through for years in a variety of areas—from public health to governmental relations to military readiness—one thing seems very clear: The United States is not ready in a policy or infrastructure or even physical-capacity sense to respond to major shocks to its supply chains. This vulnerability stretches across whole sectors of the U.S. economy and is a national security issue in the broadest, but most basic sense: a set of interests which, if disrupted, threaten the security and well-being of the United States.”
Martin goes on to state, “ Meeting the challenge in a way that preserves security and mitigates conflict requires a broader view of supply chain security. Government actors—from the Department of Defense to the Department of Commerce to the Food and Drug Administration to local governments—understand the criticality of supply for parts of their operations. They typically do not understand how their actions affect other entities and, in particular, might not understand the incentives and operations of private suppliers. The U.S. Defense Logistics Agency is in the supply chain business, but it routinely runs into problems getting highly specialized military parts. Similarly, private industries understand their own supply chains intimately. But they do not have—indeed have no reason to have—awareness of how their actions affect the overall ability to respond to a national security challenge. Offshoring occurs, for example, because it may be a less expensive way for businesses to operate. The possibility that this could affect the U.S. ability to access critical material in time of crisis is not part of the calculation.”
President Biden has noted his opinion that the Russian government was not behind the Colonial Pipeline matter, but they do have some accountability. I am not a politician, and I am not a diplomat. I simply do not know what actions those words from the President are intended to evoke. Perhaps as a gesture of goodwill Vladimir Putin might share limited information as to what his law enforcement and intelligence services know about DarkSide. But I do not believe he intends on finding them, arresting them, and turning them over to the U.S. authorities. Maybe, but I don’t think so. Arguably, what weakens the U.S. strengthens, or at least emboldens, the Russians.
Again quoting Bradley Martin, “The Biden administration has made supply chain security a national priority. Carrying this out may require considerably more research and analysis on what these chains actually look like and how they affect one another.”
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) publishes security tips. I strongly encourage you to read CISA Security Tip (ST19-001) dated April 11, 2019; in which CISA offers crucial information pertaining to ransomware and how you can counter the threat it poses.
But it is not the exclusive job of the government to protect you or your company from computer threats. That is your job and your responsibility. A dangerously large number of U.S. companies, as well as the government, are underinvested in critical infrastructure cybersecurity.
Corporate America and the government must work together to mount a defense against the use of computers as a weapon against the United States. To this end, Chesley Brown International stands ready and willing to be your partner in protecting your company, your products, and your employees from those who would wish you harm and seek to profit, not by hard work and diligence, but by holding you and your company hostage with a proverbial gun to your head while they extort you and demand a ransom.
Luckily, there are some relatively simple steps every business can take right now to protect themselves. Have you conducted a threat assessment in the last two years and what were the results? Did you sufficiently fix the problems that were found? By simply conducting regular threat assessments, and engaging in an open and honest dialog with your stakeholders you can begin to craft a strategy that prioritizes your most valuable assets and honors your core business principles.
The truth is there is no silver bullet solution for establishing an organization’s posture when it comes to security risk management. Company size, culture, products, assets, regulatory and compliance requirements will all be major factors. With so many considerations it is a complicated and time-consuming process… and time is something business leaders never have enough of.
When you finally DO get a chance to think about the myriad of risks your business is exposed to today, you may find yourself completely overwhelmed or unable to focus on what really matters. Because you’re not a security expert, it’s difficult to plan for what you can’t imagine. Leaving you frustrated, stressed, and worried your strategy won’t be effective.
With a Chesley Brown expert by your side, you’ll never have that experience again. That’s why we’ve built a framework that teaches businesses how to anticipate and navigate risk before it becomes a crisis.
Our experts will:
- Solve your biggest security challenges…just schedule a meeting, answer a few simple questions about your company, and our experts will get to work for you
- Save you time, helping you get back to what matters most– running your business
- Make it easy for you to seize new opportunities and grow your business
For industry-leading guides and analysis sign up for our blog below.
Supreme Court Decision Personal Rights and the Expectation of Privacy in the Digital Age From Chesley Brown International Risk Management In Major Privacy Case, Court Rules Law Enforcement Must Obtain Warrant To Track Cellphone Data.…Read More
Bomb Threats and Suspicious Packages The recent bombing incidents in and around Austin, Texas serve as an unfortunate reminder that those responsible for all properties and facilities must remain vigilant and be prepared to respond…Read More