Monday, June 07, 2021

OUCH
U.S. seizes most of Colonial Pipeline's $4.4M ransom payment

The successful operation underscores the need for companies to cooperate with investigators after a hack, federal officials said.



“The sophisticated use of technology to hold businesses and even whole cities hostage for profit is decidedly a 21st-century challenge, but the old adage ‘follow the money’ still applies,” Deputy Attorney General Lisa Monaco said during a news conference. | Jonathan Ernst-Pool/Getty Images


By ERIC GELLER

06/07/2021 

Federal investigators were able to recover more than half of the $4.4 million ransom payment that Colonial Pipeline made to the hackers who froze its computers and forced the shutdown of its massive fuel distribution system, the Biden administration announced on Monday.

By tracing the payment across the ostensibly anonymous cryptocurrency ecosystem, the government was able to locate and seize $2.27 million from a virtual currency account used by the hackers.

“The sophisticated use of technology to hold businesses and even whole cities hostage for profit is decidedly a 21st-century challenge, but the old adage ‘follow the money’ still applies,” Deputy Attorney General Lisa Monaco said during a news conference.

The announcement represents a rare bit of good news for the Biden administration as it rushes to fix digital weaknesses in the United States’ critical infrastructure, most of which is run by companies that have scant cyber expertise and are subject to little, if any, regulation.

It also bolsters federal officials’ argument that companies can help fight back against a rising tide of ransomware attacks if they cooperate with government investigations.

May's five-day shutdown of Colonial’s pipeline — one of the East Coast’s biggest fuel suppliers — led to gasoline hoarding that produced widespread, albeit short-term, shortages and helped drive up the price at the pump. The incident refocused attention on the threat of ransomware, prompting new cyber rules for pipeline operators, a bipartisan congressional push for a hack notification law and a parade of hearings, including two this week.

The Colonial hack, and a subsequent attack last week on the world’s largest meat supplier, forced the steadily growing threat of ransomware onto the front burner for the Biden administration.

The DarkSide ransomware used to hack Colonial is one of more than 100 variants that the FBI is tracking, Deputy Director Paul Abbate said Monday. DarkSide, which is developed by a Russian criminal group that licenses it out to less sophisticated hackers, has struck more than 90 U.S. critical infrastructure companies in sectors ranging from manufacturing and health care to energy and insurance, Abbate said.


DOJ has created a task force on ransomware attacks, and the department recently announced that it was elevating the issue to the same severity level as terrorism, creating greater coordination between U.S. attorneys’ offices and prosecutors in Washington about which cases to charge. FBI Director Christopher Wray described the ransomware epidemic as a modern version of the Sept. 11, 2001, terrorist attacks.

Wray’s analogy, which was about the importance of public-private cooperation, underscored why ransomware has continued to plague society. For years, U.S. officials have urged companies to be more forthcoming when they are hacked, both so the government can help them recover and so federal experts can analyze the attacks and warn other potential victims. But many companies still refuse to disclose their breaches, fearing the legal, financial and reputational consequences of doing so.

Monaco used Monday’s announcement as an opportunity to hammer home the government’s message about preparing for and reporting breaches. “We are all in this together,” she said.

President Joe Biden recently signed an executive order that requires federal contractors to report cyber incidents to the government, and bipartisan draft legislation would extend that obligation to critical infrastructure operators and major IT service providers.

Colonial faced criticism for its initial reluctance to share information with the federal government. It alerted the FBI to the breach, but it did not notify DHS’ Cybersecurity and Infrastructure Security Agency, the government’s primary cyber defender. It took several days for Colonial to share breach data with CISA so the agency could prepare guidance for other potential targets, and even then, CISA’s acting director said he was in the dark about Colonial’s ransom payment.

That Colonial even paid the ransom was another source of controversy, as U.S. officials routinely warn against doing so, saying it fuels more attacks. “You are encouraging the bad actors,” Energy Secretary Jennifer Granholm said on NBC’s “Meet the Press” on Sunday.

Asked on Monday whether companies could feel better about paying ransoms given the possibility of their recovery, Monaco said doing so always entailed a risk.

“We may not be able to do this in every instance,” she said.

An affidavit filed by an FBI special agent to obtain the seizure warrant reflects the challenges facing investigators as they try to recover ransom payments.

Thanks to the transparent, decentralized nature of the technology underpinning Bitcoin, it was fairly easy for the FBI to use public tools to trace Colonial’s payment as it left the digital address that the hackers provided to the company and moved from one virtual wallet to another.

But the FBI was able to recover the money only because it had separately obtained the private key for the address where the money ended up. Tracing shows where coins are sitting; without the key that controls that address, nobody can move them, and in many other ransomware cases the funds have stayed out of reach for exactly that reason. Officials did not say how they obtained the key in this case.



SEIZURE —
US seizes $2.3 million Colonial Pipeline paid to ransomware attackers

Funds seized after Justice Department IDs Bitcoin wallet and obtains its private key.

DAN GOODIN - 6/7/2021


The FBI said it has seized $2.3 million paid to the ransomware attackers who paralyzed the network of Colonial Pipeline and touched off gasoline and jet fuel supply disruptions up and down the East Coast last month.

In dollar amounts, the sum represents about half of the $4.4 million that Colonial Pipeline paid to members of the DarkSide ransomware group following the May 7 attack, The Wall Street Journal reported, citing the company's CEO. The DarkSide decryptor tool was widely known to be slow and ineffective, but Colonial paid the ransom anyway. In the interview with the WSJ, CEO Joseph Blount confirmed that those shortcomings kept the company from using it, so it had to rebuild its network by other means.

Cutting off the oxygen supply


On Monday, the US Justice Department said it had traced 63.7 of the roughly 75 bitcoins Colonial Pipeline paid to DarkSide, which the Biden administration says is likely located in Russia. The seizure is remarkable because it marks one of the rare times a ransomware victim has recovered funds it paid to its attacker. Justice Department officials are counting on their success to remove a key incentive for ransomware attacks—the millions of dollars attackers stand to make.

"Today, we deprived a cyber criminal enterprise of the object of their activity, their financial proceeds and funding," FBI Deputy Director Paul M. Abbate said at a press conference. "For financially motivated cyber criminals, especially those presumably located overseas, cutting off access to revenue is one of the most impactful consequences we can impose."


Justice Department officials didn't say how they obtained the digital currency, other than that they seized it from a bitcoin wallet under a warrant obtained in the Northern District of California. The seizure is a badly needed victory for law enforcement in its uphill effort to curb the ransomware epidemic, which is hitting governments, hospitals, and companies, many of them providing critical infrastructure or services, with increasing regularity.


The seizure is consistent with statements from almost four weeks ago attributed to a DarkSide team leader. Without providing evidence, the post claimed that the group’s website and content-distribution infrastructure had been seized by law enforcement, along with all the cryptocurrency it had received from victims.

If true, the seizure would represent a small fortune. According to recently released figures from cryptocurrency tracking firm Chainalysis, DarkSide netted at least $60 million in its first seven months starting last August, with $46 million of it coming in the first three months of this year. It is not possible to confirm that law enforcement has, in fact, obtained that much, but Monday's disclosure shows it did receive at least some digital assets from DarkSide.

During Monday's conference, Justice Department officials said they had tracked 90 victims who have been hit by DarkSide.

Paying by bitcoin rather than monero


Over the past year, ransomware has evolved from representing a financial risk to one that has the potential to disrupt critical services and cause loss of life. On several occasions, infections hitting hospitals caused outages that required the hospitals to cancel elective surgeries or reroute emergency patients to nearby facilities. Last week, JBS, the world's biggest producer of meat, temporarily shut facilities throughout the US and elsewhere after it lost control of its network to a ransomware group known as REvil.

The law enforcement success intensifies speculation that Colonial Pipeline paid the ransom not to gain access to a decryptor it knew was buggy but rather to help the FBI track DarkSide and its mechanism for obtaining and laundering ransoms.

The speculation is reinforced by the fact that Colonial Pipeline paid in bitcoin, even though choosing that option added 10 percent to the ransom. Bitcoin is pseudonymous rather than anonymous: no names are attached to addresses, but every transaction is recorded on a public ledger, so the coins can be followed from address to address.

It's possible that Colonial Pipeline chose to pay the higher ransom at the behest of law enforcement because bitcoin can be tracked, while monero, the other currency DarkSide accepted, is designed to hide senders, recipients and amounts and is far harder to trace. Even if that is the case, it's not clear how law enforcement gained possession of the cryptographic key needed to empty the wallet.

"As alleged in the supporting affidavit, by reviewing the Bitcoin public ledger, law enforcement was able to track multiple transfers of bitcoin and identify that approximately 63.7 bitcoins, representing the proceeds of the victim's ransom payment, had been transferred to a specific address, for which the FBI has the 'private key,’ or the rough equivalent of a password needed to access assets accessible from the specific Bitcoin address," Monday's release stated. “This bitcoin represents proceeds traceable to a computer intrusion and property involved in money laundering and may be seized pursuant to criminal and civil forfeiture statutes."
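The two tracing passages above (the FBI following the payment from wallet to wallet but needing the private key to seize it, and bitcoin being traceable while only the key holder can empty an address) are easier to reason about with a small worked model. The following is an added example, not code from either article or from any investigator. It builds a constructed ledger in Bitcoin's unspent-output style: a victim pays 75 coins to an attacker address, the attackers split the coins, merge one branch with unrelated clean funds, and cash part of it out. `trace_taint` follows the ransom forward using proportional ("haircut") attribution, which is one of several conventions blockchain analysts use, not the only one; `seize` shows that knowing the destination address is useless without the key that controls it. All transaction ids, keys and addresses are made up, and the hash-based address derivation is a toy stand-in for Bitcoin's real ECDSA keys.

```python
"""Following a ransom payment through a constructed UTXO ledger (added example)."""
import hashlib
from collections import defaultdict


# --- toy key material: a hash stand-in for Bitcoin's ECDSA/secp256k1 keys, NOT secure
def pubkey_from_priv(priv: str) -> str:
    return hashlib.sha256(b"pub:" + priv.encode()).hexdigest()


def address_from_priv(priv: str) -> str:
    return "addr_" + hashlib.sha256(pubkey_from_priv(priv).encode()).hexdigest()[:8]


# Hypothetical private keys; "a1".."a4" are attacker-controlled addresses.
PRIV = {"victim": "v-key", "a1": "ds-key-1", "a2": "ds-key-2", "a3": "ds-key-3",
        "a4": "ds-key-4", "exchange": "ex-key"}
ADDR = {name: address_from_priv(k) for name, k in PRIV.items()}

# Constructed ledger in chronological order.
# txid -> {"inputs": [(prev_txid, vout), ...], "outputs": [(address, amount), ...]}
LEDGER = {
    "tx_fund":    {"inputs": [], "outputs": [(ADDR["victim"], 100.0)]},
    "tx_ransom":  {"inputs": [("tx_fund", 0)],
                   "outputs": [(ADDR["a1"], 75.0), (ADDR["victim"], 25.0)]},   # 25 is change
    "tx_clean":   {"inputs": [], "outputs": [(ADDR["a2"], 40.0)]},            # unrelated funds
    "tx_split":   {"inputs": [("tx_ransom", 0)],
                   "outputs": [(ADDR["a2"], 60.0), (ADDR["a3"], 14.0)]},      # 1.0 paid as fee
    "tx_mix":     {"inputs": [("tx_split", 0), ("tx_clean", 0)],              # 60 tainted + 40 clean
                   "outputs": [(ADDR["exchange"], 30.0), (ADDR["a4"], 70.0)]},
    "tx_cashout": {"inputs": [("tx_split", 1)], "outputs": [(ADDR["exchange"], 14.0)]},
}


def output_of(ledger, utxo):
    txid, vout = utxo
    return ledger[txid]["outputs"][vout]


def trace_taint(ledger, source):
    """Follow coins forward from the unspent output `source` = (txid, vout).

    Proportional attribution: when a transaction spends tainted and clean
    inputs together, every output (and the miner fee) inherits taint in
    proportion to its share of the total input value. Returns the unspent
    outputs that still carry taint, i.e. where the money ended up.
    """
    spent_by = {prev: txid for txid, tx in ledger.items() for prev in tx["inputs"]}
    taint = defaultdict(float)
    taint[source] = output_of(ledger, source)[1]
    for txid, tx in ledger.items():                      # chronological order
        taint_in = sum(taint[i] for i in tx["inputs"])
        if taint_in == 0:
            continue
        total_in = sum(output_of(ledger, i)[1] for i in tx["inputs"])
        for vout, (_, amount) in enumerate(tx["outputs"]):
            taint[(txid, vout)] = taint_in * amount / total_in
    return [{"utxo": u, "address": output_of(ledger, u)[0],
             "amount": output_of(ledger, u)[1], "tainted": t}
            for u, t in taint.items() if t > 0 and u not in spent_by]


def tainted_by_address(records):
    """Aggregate traced taint per destination address."""
    totals = defaultdict(float)
    for r in records:
        totals[r["address"]] += r["tainted"]
    return dict(totals)


def seize(ledger, utxo, priv, to_address):
    """Build the transaction that moves `utxo` to `to_address`.

    Tracing only locates the coins; the spend is possible solely with the
    private key behind the output's address, so a wrong key is refused.
    """
    address, amount = output_of(ledger, utxo)
    if address_from_priv(priv) != address:
        raise PermissionError(f"key does not control {address}")
    return {"inputs": [utxo], "outputs": [(to_address, amount)]}


if __name__ == "__main__":
    hits = trace_taint(LEDGER, ("tx_ransom", 0))
    for r in hits:
        print(f"{r['utxo']}: {r['tainted']:.1f} of {r['amount']:.1f} at {r['address']}")
    print("per address:", tainted_by_address(hits))
    try:
        seize(LEDGER, ("tx_mix", 1), PRIV["a3"], ADDR["exchange"])   # wrong key: refused
    except PermissionError as e:
        print("blocked:", e)
    print("seized:", seize(LEDGER, ("tx_mix", 1), PRIV["a4"], ADDR["exchange"]))
```

Running it shows 74 of the 75 ransom coins still traceable (1 coin left with the miner fee), 42 of them sitting at the attackers' last address and 32 already at the exchange-like address. The tracing needs nothing but the public ledger; the `seize` call succeeds only with the key for that final address, which is the gap the articles describe.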

With most of the ransomware groups headquartered in Russia or other Eastern European countries without extradition treaties with Western nations, US officials have largely been hamstrung in their efforts to bring the attackers to justice. It’s too early to know whether the techniques that allowed officials to track the funds Colonial Pipeline paid to DarkSide can be used in investigations of other ransomware attacks. If they can, law enforcement may have gained a powerful tool when it was needed most.
