On Monday afternoon, the U.S. Department of Justice said it had recovered much of the cryptocurrency ransom that U.S. pipeline operator Colonial Pipeline paid last month to a Russian hacker collective called DarkSide, by tracking the payment as it passed through various accounts belonging to the hacker group and eventually breaking into one of those accounts with the blessing of a federal judge.
It’s a feel-good twist on a saga that began with a cyberattack on Colonial and resulted in a fuel shortage, made worse by panic buying of gasoline last month after the company shut down one of its major pipelines (a second pipeline later suffered a shutdown due to an overloaded internal server). But Christopher Ahlberg, a successful serial entrepreneur and founder of Recorded Future, a security firm that tracks threats to governments and corporations and runs its own media arm, suggests Americans have overestimated DarkSide all along. He explained a great deal about how the company works in an interview last week, which you can hear here. Shorter excerpts from that conversation follow, lightly edited for length.
TC: Overall, how does your technology work?
CA: We’re trying to index the internet. We’re trying to get in the way of data on everything that’s written on the internet, right down to the electrons that move, and we’re trying to index it so that it can be used by people who defend businesses and organizations. . . We’re trying to get inside the bad guys, get where the bad guys hang out, and understand that side of the equation. We’re trying to understand what’s going on in the networks that the bad guys operate on, where they do their stuff, where they basically transfer data, where they run the illegal infrastructure – all of those things. And we’re also trying to get in the way of the traces left by the bad guys, which can be in all sorts of interesting places.
TC: Who are your customers?
CA: We have about 1,000 of these in total, and they range from the Department of Defense to some of the largest companies in the world. Probably a third of our business is business [with the] government, a third of our business is in the financial sector, then the rest [comprise] quite a few verticals, including transport, which was large.
TC: Do you help them predict attacks or understand what happened when it’s too late?
CA: It can go either way.
TC: What are some of the indications that influence your work?
CA: You understand the enemy, the bad guys, and they mostly fall into two buckets: you have cyber criminals and you have opposing intelligence agencies.
The criminals here that the world and we have focused on for the last month or two are these ransomware gangs. So these are Russian gangs, and when you hear ‘gang’ you tend to think of large groups [but] it’s usually a man or two or three. So I wouldn’t overestimate the size of these gangs.
[On the other hand] secret services can be both very well equipped and [involve] large crowds. So one piece is about following them. Another piece is about tracking the networks on which they operate. . . In the end, [our work involves] understanding the targets, where we get data on the potential targets of a cyber attack without having access to the actual systems on site, and then automatically merging the three buckets.
TC: Do you see a lot of cross-pollination between secret services and some of those Russian cutouts?
CA: The short answer is that, in our view, these groups are not hired by Russian intelligence on a daily, monthly, or maybe even yearly basis. But in a number of countries around the world – Russia, Iran, North Korea is a bit different, to some extent in China – we have seen the government encourage a growing hacker population that has been able to do so in an uncontrolled manner in order to be able to pursue their interest – largely in Russia – in cybercrime. Then over time you will see that intelligence agencies in Russia – FSB, SVR and GRU – are able to poach people from these groups or actually hire them. You can read about how these guys mixed and matched each other over a long period of time in official documents.
TC: What did you think when DarkSide came out shortly after the cyber attack and said that it could no longer access its bitcoin or payment server and that it was going to shut down?
CA: If you did this hack, you probably had no idea what Colonial Pipeline was when you were doing it. You think, ‘Oh shit, I’m all over the American papers.’ And there are probably a couple of phone calls in Russia that basically say, “What the hell did you just do? How are you going to cover that up?”
Basically, one of the easiest first things you’ll do is either say, “It wasn’t me,” or you’re trying to say, “We lost the money; we lost access to our servers.” So I think that was probably a fake of the whole thing [and that] what they did was just try to cover their tracks [given that] we found them back later and trying other things. I think we overestimated the U.S. government’s ability to fall back on these guys quickly. It doesn’t go that fast, even though it’s pure incantation. I’m not saying this with access to any inside government information or anything like that.
TC: I just read that DarkSide works like a franchise where individual hackers can get software and use it like a turnkey process. Is this new and does it mean that hacking is accessible to a much wider range of people?
CA: That’s right. One of the beauties of the Russian hacker underground lies in its dispersed nature. I say “beauty” with a little sarcasm, but some people will write the actual ransomware. Some will use the services these people provide and then be the people who do the hacking to break into the systems. Some other people might be the ones doing the bitcoin transactions through the bitcoin tumbling needed. . . One of the interesting points is that in order to get the money out in the endgame, these guys have to go through one of those exchanges that ended up being more civilized businesses, and there might be money mules involved, and there are people who run the money mules. Many of these people commit credit card fraud; they also have a whole range of services out there, including testing that a card is alive and being able to find out how you can make money on it. There are probably 10, 15, maybe 20 different types of services involved. And they are all very specialized, which is why these guys were so successful and it’s also difficult to make it.
TC: Do you share the booty and if so, how?
CA: They do. These guys run pretty effective systems here. Obviously, Bitcoin was an incredible pioneer in this because there is a way to make payments, [but] these guys have whole systems of ranking and rating themselves, much like an eBay seller. There are quite a few of these underground forums that have been the places these guys worked in the past, and they will have services there to be able to tell someone is a scam [meaning in relation to the] thieves who are cyber criminals. It’s similar to the internet. Why does the internet work so well? Because it is well distributed.
TC: What is your advice to those who are not your customers but want to defend themselves?
CA: A colleague made a pie chart to show which industries are affected by ransomware, and the amazing thing is that it was just super spread over 20 different industries. At Colonial Pipeline, a lot of people thought, ‘Oh, it’s from the oil.’ But these guys couldn’t care. They just want to find the slowest target. So make sure that you are not the easiest target.
The good news is there are plenty of companies out there that will do the basics and make sure your systems are patched, [but also] hit that damn update button. Get so much of your stuff off the internet that it doesn’t show the outside world. Keep as little surface as possible to the outside world. Use good passwords, use multiple two-factor authentication on anything and everything you can get your hands on.
There is a checklist of 10 things you must do to avoid being an easy target. For some of these guys – the really nifty gangs – that’s not enough. You have to work harder, but the basics are going to make a world of difference here.