Why Russia needs to pay for the Colonial Pipeline hack

Two weekends ago Colonial Pipeline, a company that operates a pipeline that transports gasoline, diesel fuel and natural gas over 5,500 miles from Texas to New Jersey was shut down due to a ransomware attack widely being attributed to a sophisticated ransomware criminal group known as Darkside. The Colonial Pipeline provides 45 percent of the East Coast’s diesel, gasoline and jet fuel. While the first documented ransomware attack occurred back in 1989, this threat to national infrastructure is a relatively new development in the use of ransomware by criminal groups.

Unlike the recent cyberattacks involved with SolarWinds which has been attributed to Russian state sponsored hackers and the attack on Microsoft designed systems attributed to Chinese government hackers, ransomware is generally perpetrated by cybercriminal gangs interested in profit rather than intelligence gathering or causing damage. However, since 2019 ransomware attacks have expanded to include attacks that focused less on encrypting data and more on crippling industrial control systems with the initial development of the ransomware strain Ekans. In early 2020 the Cybersecurity and Infrastructure Security Agency (CISA) warned about such attacks on a natural gas pipeline.

Darkside is a sophisticated organization with its own website on the Dark Web in which it brags about the many victims it has attacked and even displays stolen data from more than 80 targeted companies that refused to pay the ransom. Darkside is also quite unusual in that it engages in substantial public relations, regularly communicating with journalists and claiming that they make substantial charitable donations from the money they extort. Darkside, which has only been operating since last summer, specifically states that it does not attack hospitals, schools, nonprofits and even government agencies, but rather focuses its attention on corporations. Unfortunately, there are many private corporations that operate critical elements of our national infrastructure that Darkside considers legitimate targets.

Despite only being in existence since last August, according to a report by the security firm Cybereason, Darkside has initiated more than 40 ransomware attacks.

Ransomware attacks have increased dramatically during the pandemic and have hit health care providers and others. Last September a ransomware attack on a hospital in Germany resulted in a fatality when the hospital was forced to turn away a patient who came to the hospital’s emergency room because its computers were unusable. The patient died on the way to the next nearest hospital 20 miles away.

Ransomware is easily accomplished by relatively unsophisticated criminals who are able to obtain the necessary software and technological support to launch such an attack on the Dark Web, where criminals buy and sell goods and services. A business model has evolved where developers of complex ransomware lease out their ransomware and support services in return for a percentage of the ransom money thus enabling large numbers of less sophisticated cybercriminals to get involved with complex ransomware attacks.

Ransomware has evolved from threatening companies by encrypting their data, to threatening to publicly expose such data, and now by threatening essential infrastructure. The danger to pipelines, the electrical grid, water supplies and even Wall Street and the economic system cannot be exaggerated. Essentially, any institution which uses the Internet is vulnerable.

The need for international cooperation to combat ransomware is critical, but will be difficult due to the fact that many of the ransomware gangs presently operating do so from Russia and are tolerated by the Russian government so long as they do not target Russian institutions. In April a number of private companies including Amazon, Microsoft and FireEye joined with the United States Justice Department in a report calling for an international coalition to fight ransomware. One of the recommendations in the report was to increase efforts, such as through sanctions, to persuade Russia to take a stronger position in prosecuting cybercriminals.

In addition, efforts to establish cybersecurity standards through legislation to protect critical infrastructure in the United States have been unsuccessful, primarily due to corporate pushbacks.

While many computer systems were not designed with security built in, but rather focus on security as an add-on, there are many basic steps that companies, individuals and agencies can take to protect themselves from ransomware, yet too many institutions fail to take these necessary steps, leaving all of us in danger and feeling the consequences.

Steve Weisman is a Senior Lecturer in Law, Taxation and Financial Planning at Bentley University in Waltham, Mass. He is also the author and creator of www.scamicide.com.