In this episode of the Futurum Tech Webcast, Cybersecurity Shorts series, my colleague Fred McClimans and I cover major happenings in the world of cybersecurity over the course of the past week. Our discussion centered on:
- The Colonial Pipeline cyberattack and the targeting by threat actor DarkSide of the IT system housing Colonial’s corporate and business data. This is a prime example of how targeting the weakest link can take down the whole system.
- DarkSide’s Ransomware-as-a-Service offering and why that’s so attractive for the hacker community.
- The surprise shutdown of DarkSide’s servers, which caused the group to lose access to its blog, payment processing capability, and denial of service (DoS) operations.
- The Biden Administration signing of a new executive order aimed at strengthening the Federal government’s cybersecurity defenses.
- The FBI’s court-ordered effort to disrupt exploitation from Microsoft Exchange Servers.
Disclaimer: The Futurum Tech Webcast is for information and entertainment purposes only. Over the course of this podcast, we may talk about companies that are publicly traded and we may even reference that fact and their equity share price, but please do not take anything that we say as a recommendation about what you should do with your investment dollars. We are not investment advisors and we do not ask that you treat us as such.
Shelly Kramer: Hello, and welcome to this episode of the Futurum Tech Webcast, this is our Cybersecurity Shorts series. I am your host Shelly Kramer, and I’m joined today by my fellow analyst and colleague here at Futurum, Fred McClimans. And today, we’re going to talk about a variety of different topics, including the Colonial Pipeline hack. And no, we’re not going to talk about the same things that everyone else has been talking about, we’re going to talk about its IT and OT issue, and really the challenges of the weakest link in the system, and the ramifications of that. And, we’re going to talk a little bit about DarkSide and its ransomware as a service offering. And, some other things in the news, as it relates to DarkSide. And, we’re going to touch on some new executive orders from the Biden Administration, and some action that the FBI has taken with the Microsoft Exchange Server attack. So, all that and more, you’ll want to hang around because this is going to be an interesting episode.
So, Fred, great to see you this afternoon.
Fred McClimans: Great to see you, Shelly.
Shelly Kramer: Always a pleasure. So, let’s talk about the Colonial Pipeline hack, and your thoughts, which I think are really interesting and different than some of what we’ve seen, about this situation.
Fred McClimans: First off, I just want to say that this is probably one of the, potentially, most severe attacks that we’ve seen in our Nation’s history, or just in global history of cyber attacks and the recent cyber conflicts out there. Shutting down an oil pipeline, a piece of critical infrastructure for a country, in this case, the Colonial Pipeline serving about 45+% of the gasoline, oil, and jet fuel used on the East Coast of the United States, that’s a huge wake-up call for everybody. I know we’re going to talk about some of the different aspects of the attack, and about DarkSide, and their business models, and so forth. But, I want to just step back a little bit here, just do a quick review, and then talk about that IT/OT issue that we’ve seen coming, and is now pretty much just here staring us in the face, and we need to take some type of action on that.
So, back on May 8th, Colonial Pipeline issued a very basic statement saying that they had become aware that they had been the victim of a cyber attack. That, they were proactively shutting down their operational systems, their pipeline. And, that it had impacted their IT systems in some way. The way it was worded was a little bit vague, it didn’t really indicate that the pipeline itself had been attacked. It seemed to kind of indicate that it was more an IT system that had been attacked. And, because the IT system had been taken offline, or because of this being a ransomware attack, essentially locked and encrypted so that they could not access it, they probably didn’t have the visibility into their OT systems.
So, just to set the playing field here, within an organization we have IT, Information Technology, and we have OT, Operational Technology. In the case of a pipeline like this, that’s the IoT sensors, it’s your industrial control systems, everything that makes the pipeline work itself and controls the pipeline. Very often in organizations, what we see is… And, Shelly, our research has backed this up consistently over the past half decade or longer, organizations that are implementing new operational technologies, the manufacturing, the pipelines, all of those technology systems. They very often cite as one of their most significant factors in limiting the success of their technology implementations a disconnect between the OT team and the IT team.
Why is that? Well, very often Operational Technology teams will say, “Here’s a piece of technology that you need”. In this case of the pipeline, all of the industrial switches, everything that goes into making that work, they need those systems. But very often, it comes down to IT to actually implement and manage those systems, and that’s a big challenge for a couple of reasons. One, it puts IT in a situation where they’re not necessarily involved in the planning process of the technologies. And number two, when they manage that technology, it kind of forces the IT infrastructure to support OT systems. There has to be a linkage or a connection there.
That’s important because, in this case, if it’s true that they actually were attacked by DarkSide on the IT side, and the IT systems compromised and locked, that would have potentially left Colonial Pipeline completely in the dark about their OT systems, which would explain why they took those systems offline. So, it indicated that they were doing it because they couldn’t control the spread of this attack.
And, that’s also possible as well. Again, if the systems are linked, you have one attack vector coming in through the weakest link here, IT, impacting the critical component, OT. So, a number of issues come to bear here.
But, I think it’s really important to just understand that at the crux of this here is the behavioral system that we have in place that says, “It’s okay for OT to select, and IT to implement and manage”. And, it’s not. That has to be a joint process all the way through.
I think there’s also some bigger ramifications here. If you look at this, there’s a behavioral mindset that we see consistently in organizations, and we are quite frankly surprised to see it as prevalent here with Colonial Pipeline as we did, that says, “We’re willing to take these risks with our system”. When it comes to critical infrastructure in the oil pipeline, that is a system that is too big and too important to fail. And yet, the weakest link attack through IT impacted OT, and the pipeline was shut down. This, in turn, impacts everything throughout the ecosystem, from the oil extraction units that are out there upstream actually pulling the oil out of the ground and then shipping it to the refineries, to all of the companies that rely on the refineries for all the oil by-products from that process there. All the petrochemical companies, everything from fragrances to oils and paints, everybody relies upon the oil industry here in some way for this.
So, the impact is just massively huge here. The fact that their systems were set up in such a way that they didn’t have a continuity of operations plan in place that would say, “Here’s how we run our OT side if IT goes down”, is extremely telling. And, we can only hope at this point that the changes that the administration is making, and that cybersecurity professionals are making, have addressed this in a very efficient manner. But even then, what I’ve seen so far, and we’ll talk about what the Biden Administration is doing, I think still falls a little bit short here, in terms of the actual impact that it has.
Shelly Kramer: What I think is interesting is that when we’ve had big cybersecurity incidents, the Target breach was one of the first ones, and all this consumer data was affected, and it was a third-party vendor that was the weakness there, the vulnerability there. And then, we had the Equifax data breach, biggest data breach I think there was of personal information of consumers. And, by the way, I don’t think people even care about that. But, my point is that those were big deals, that unless it was something that affected you personally as a human being, people just didn’t pay any attention, other than people in the industry. But, when you’re talking about an incident like the Colonial Pipeline, and you have people in multiple States up and down the East Coast putting gasoline in trash bags or whatever… And, I’m not making fun of the gasoline shortage, I am making fun of the ridiculousness of our tendency as humans to feel like we need to hoard things, like toilet paper or gasoline. But, it’s a whole different situation there.
These attacks on critical infrastructure, we’ve talked about them here before, the situation in Belgium that we covered on our last podcast, it literally shut the government down. These kinds of things stop life in its tracks for thousands, and thousands, and thousands of people. And, my hope is that… I’ve had guests before that I’ve done interviews with that have been in the oil and gas industry, and talking with them about their digital transformation journeys. And, in many instances, a lot of these organizations are in the nascent stages of their digital transformation, their security operations. We talk about this on this show all the time, in terms of the lack of highly skilled tech talent, cybersecurity talent is really in demand.
And, companies like Colonial are truly competing against the Googles, and the AWSes, and gigantic tech companies of the world, so it is really a big problem. But, I hope that with every instance like this, and I certainly don’t hope for any more of them, but of course we know that this is not going to end anytime soon, I do hope that this causes an, “Oh shit”, moment. And, “We can use this as a textbook case of what the risk is, what happened, what worst-case scenarios are, and start to get a cybersecurity plan in place that takes care of the disconnect between IT and OT.” And, really is focused on, “What do we do to make sure that this doesn’t happen to us?”
Fred McClimans: Yeah. If you think about it, all of these organizations, all of the critical infrastructure sectors, and everybody that feeds that, they all have plans in place for, “When X happens, we do Y”.
Shelly Kramer: Right.
Fred McClimans: Look at weather events, they know they’re going to have a certain number of days when employees can’t get in. They know they’re going to have disruptions, in this case to a pipeline, something breaks [inaudible], they have to reroute something, maybe something big… They’ve got a hurricane plan in place, or an earthquake plan in place that says, “When this happens, we have a continuity of operations plan”. But, there’s nothing that’s sitting out there that says, “When we’re attacked and our system goes down through a cyber attack, or a ransomware attack in this case, here’s what we’re going to do”. That’s what was just so amazingly missing in this whole equation here.
And, the impact up and downstream, like we mentioned earlier, it’s the refineries themselves slowing down production, it’s the oil extraction process having to slow down, it’s refineries shipping product back on to tankers to hold the product because they can’t move it through the pipeline. And then, on the other end, it’s the disruption to the pipeline ecosystem around that. It’s the truck drivers, the routes, it’s the ships that are called in, rerouted from other services to handle this. But then, it’s also the local disruption, people trying to put gasoline into plastic bags and so forth.
The economic impact of this is, I think, probably much more severe than anybody is really thinking of at this point in time. But, the sheer fact that they were able to take this system down, and you know that this particular group DarkSide… And, we’ll talk in other segments here about how they’re really a business operation, not necessarily a terrorist or a nation state group. But, you know that every other group out there is watching this attack and going, “You know what? They were able to do it. They were able to shut down a massive piece of critical infrastructure, because their systems aren’t designed from the ground up to prevent that type of [inaudible].” And, that’s the scary thought.
You know this is going to happen again. And, in fact, you can probably say right now moving forward, this is unfortunately the new normal, until IT, OT systems get together, figure out how to segment their systems properly, how to secure and build them properly from the ground up to prevent this from happening again, and that’s going to take a while.
Shelly Kramer: That’s going to take a while. And, the reality of it is, this is a money grab, and organizations often don’t talk a lot about ransomware. And, with that, we’re going to pivot a little bit, we’re going to move on from Colonial Pipeline, and we’re going to talk about DarkSide, and ransomware as a service offering by DarkSide.
It’s interesting, because DarkSide is a threat actor group, and they’re kind of a small group in the big scheme of threat actors out there. And, they are in the money business, they’re only after profit, they have a ransomware as a service offering that’s available on their website. It’s available probably through the dark web, I would imagine. So, a hacker, that’s part of the DarkSide group, can go in and can say, “I want to target such and such an organization, and I want to buy this ransomware as a service offering from DarkSide”. And, DarkSide, as you said, they’re a business, they have employees, they have operating expenses. They are a for-profit business, and this is part of what they sell, ransomware as a service.
And, when this attack happened, DarkSide came out and said, “Our bad, we’re just in this for the money, we never had any intention of handicapping a nation’s infrastructure. We’ll do a better job of vetting our customers in the future.” And, following the attack, DarkSide actually said, and this is a quote from something they published, “From today, we introduce moderation and check each company that our partners want to encrypt, to avoid social consequences in the future.” So, it was indeed a very big, “Oops”. I think that you mentioned that Colonial supplies about 45% of the liquid fuel used in the South, in the Eastern US, so this was a very critical piece of infrastructure, and a pretty big hack.
But, the thing that was interesting to me here… And as I said, DarkSide is kind of a small player in the ransom industry as a whole, there are much bigger organizations out there. What DarkSide does is, and they’re not the only ones, as I’ve mentioned, to offer ransomware as a service, they rent out their malware to other hackers who then launch the attacks. And… I cannot remember, I had some information on another group that’s actually bigger, but I can’t remember the name of it.
Fred McClimans: REvil.
Shelly Kramer: That’s it, REvil, absolutely.
Fred McClimans: Yeah, precursor to DarkSide. They share some commonalities in their code.
Shelly Kramer: They do. So, I don’t think that people realize that just like all of us, our companies utilize various service offerings all the time, you can also buy ransomware as a service offering. And, that is kind of a big deal.
Fred McClimans: It is. It’s a huge deal.
Shelly Kramer: It is a huge deal. We’ll move on from that, to just touch briefly on the Biden Administration signing an executive order that is aimed at hardening federal cybersecurity defenses. Much needed, right? This executive order was signed on Wednesday, and it directs the Commerce Department to create new standards for software vendors wanting to do business or supplying the Federal Government in any way. And, these standards will essentially be a rating system, and it mandates multi-factor user verification to new technology, adds some required encryption. This is modeled after the National Transportation Safety Board, this new Cybersecurity Safety Review Board. And, it includes members from both the public and the private sector, and it shows the intent to move the Federal Government to Cloud systems that are more secure, and certainly a much needed step.
There’s much more ahead that we have to do, but I think this is an important move by the current administration. Chris Krebs, whose name we hear a lot and talk about a lot, the former Director of the Cybersecurity and Infrastructure Security Agency, was on a podcast on CBS earlier this week. And, he was saying that, “This move by the administration is a dramatic game-changer, and it showed a commitment by the administration of prioritizing cybersecurity concerns, which we very much need.” And, he also mentioned that he, “Felt like this process of standardizing systems would have a cascading effect for products that were sold to others.” So, for instance, if because you’re doing business with the Federal Government, you’re required to have certain things in place with regard to the software that you sell, then those protections will cascade down to other entities beyond the Government. So, that’s a good thing.
Fred McClimans: I think it’s a very good move, yes. And, definitely needed, considering the lack of guidance and coordination that we have between companies that are out there. We’ve kind of moved into the digital age with this, “Do it now, ask later”, kind of mentality, “Put it out there, we’ll secure it later”. As we know…
Shelly Kramer: We’ll secure it later, after something bad happens and we get caught.
Fred McClimans: … It doesn’t work. It clearly doesn’t work. And, we’ve seen that in our own research as well, where organizations… In fact, we did a study on customer service and customer experiences back in 2020. This was with about 2000 global brands, we asked the question, “Do you ever implement technology knowing it’s not quite secure, but pushing it out there because you need to get into the market?”
Shelly Kramer: I hated that answer.
Fred McClimans: Yeah, it was surprising. They actually said, “Yeah, we occasionally might do that”, and that’s a mentality that just has to change. It’s got to be a privacy first mentality. If nothing else, if the administration can put something in place that starts to put some teeth behind that, that would be definitely a positive thing. But, we’ve got a ways to go here on that.
Shelly Kramer: We do. And, we’ve talked in other shows in this series about some other proposed legislation about requiring notification of breaches. The problem is that these things happen and companies are quiet about it. Colonial didn’t have a choice not to be quiet about it, but a lot of companies don’t say anything about it, and so then you don’t know about it. There’s pros and cons to required reporting, but…
And, we talk about this all the time, security has to be foundational in everything that every organization does, and we’re not there yet. So, hopefully these kinds of things that are happening, and the fact that these incidents are just speeding up so much… I have some data in front of me that I was writing a separate post about, I wasn’t going to cover this here, but I think it’s interesting to know that BitDefender, a cybersecurity firm, said that in 2020 there was an increase of 485 registered attacks in 2019. And, those are the ones we know about.
Data from SonicWall shows that ransomware attacks rose more than 60% to 305 million, with 3.8 million encrypted threats, 4.8 trillion intrusion attempts, 5.6 billion malware attacks, 56.9 million IoT malware attacks. Those numbers.
Fred McClimans: Staggering.
Shelly Kramer: Those numbers are staggering. So, it is not a matter of if you will be hacked, it is a matter of when you will be hacked. And, we touch on this all the time, in terms of the importance of the security operations centers and dashboards, and working with vendor partners that can help provide those cybersecurity services. They’re out there. People need to be using them.
Fred McClimans: Yeah. It is good to see the administration moving forward, and hopefully that can be turned into a global effort that spans Government and private sector. I really hate that phrase, “Public-private partnership”. It’s not really a partnership, they just need to think together on this and be a bit more proactive. Including, going after some of these threat actors, which is the case with DarkSide, they are being pursued by somebody out there, and we’ll talk about that as well in the later segment here.
Shelly Kramer: Absolutely. So, now we’re going to move on, and we’re going to talk a little bit about something new that the Justice Department has done, as it relates to trying to mitigate damage from the Microsoft Exchange Server hack. So, tell us a little bit about that.
Fred McClimans: If you recall, there was an attack, the Hafnium attack, on Microsoft Exchange Servers back late last year, earlier this year. And, that attack was similar to the SolarWinds attack, in that it used access into a core system and the distribution of software updates to spread throughout the Microsoft Exchange Server environment. It’s been very well publicized, there are patches that are out there to fix one of the ongoing persistent issues with this particular threat. And, that was that when the breach occurred, the threat actors went in and they actually installed web shells on a lot of the Exchange servers. That would allow them after the attack, and even after the attack had been cleaned up a bit and stopped, it would allow them to go back in and control the server. So, there was a lot of emphasis made to educate companies out there that, “Here’s the software patch, here’s what you need to do to remove this web shell from your server”. Well, unfortunately, that hasn’t worked very well.
Shelly Kramer: People don’t do it.
Fred McClimans: …there and saying, “Hey, corporate America, do your thing”, was not that effective. So, the FBI has stepped in, in kind of a unique way here. They have obtained a search warrant that essentially allows them to go in, with some very mild notification, essentially an email to a company… And, there are at least hundreds of companies out there that still have not patched their systems according to the FBI. So, what they’re doing, the FBI, and court approved, they have the right now, after sending an email notification to a company, to go in and to actually access that company’s servers. Without actually saying, “Hey, by the way, we are here now”. Apparently they can just, after notification, do it. But, they have the ability to go into the servers, to copy the web shell code, and then actually modify and execute a command on a private company’s server to delete the web shell.
Big move here. All of sudden you have the FBI saying, “Look, not only are we going to pursue organizations that are out there that are causing these threats, but we’re actually going to take an active effort in remediating the impact of this.” I think the big issue here really for me is that they’re going into a privately held company’s hardware.
Shelly Kramer: And, this is a warrant. This is like somebody showing up and knocking on your door with a search warrant.
Fred McClimans: It goes beyond that. Imagine somebody knocking on your door and saying, “Hey, we have a search warrant, and while we’re here, we’re going to replace some of the plumbing in your house”.
Shelly Kramer: Right.
Fred McClimans: “We’re going to rewire the back room here”.
Shelly Kramer: And, by the way, I will say that I can’t imagine what it would be like to have somebody show up at my door with a search warrant. I can’t imagine what it would be like to have the FBI show up with this court-ordered warrant, is what it’s called, and to do this. And, I think this is so unusual. It’s such an unusual move by the Department of Justice. Because, it is really taking this extreme, aggressive step to go in and protect these companies. But the reality of it is, these companies have not taken the steps they need to take to protect their Exchange servers. So, what do you do?
Fred McClimans: This kind of speaks a bit to the issues that we face with the Colonial Pipeline attack here. When something is this important or this critical, at what point does the Government assert itself in the national interest and say, “This is a national security matter here”.
Shelly Kramer: And it is.
Fred McClimans: And, that appears to be kind of what they’re doing. The security is almost nationalizing cybersecurity response functions here, saying, “If you can’t do it we will step in, and we will fix the systems the way we see fit to fix the systems”. That is a bit of an issue here, because if you’re a private company and you’re still investigating the software or you have other systems in place, you don’t want somebody just going in and executing code without you actually participating in that process. So, maybe the bigger issue here is just the way they’re doing it without actually saying, “We’re going to set up a specific time and a coordination team here”. And, maybe that evolves out of it at some point, but this has got to be something that will ultimately be challenged by somebody.
Shelly Kramer: Yeah, I agree.
Fred McClimans: Or, it’s like you’re overstepping.
Shelly Kramer: Do you really know what’s happening? We’re saying, “Oh, somebody just shows up, knocks on your door”. I’m looking at the Justice Department’s announcement of this court-authorized effort to help mitigate these server vulnerabilities. I’m reading the order. We don’t know exactly what is happening. Maybe they are calling or sending an email and scheduling a time, so we can’t assume that we know what the process is. But, I do think that it is very much a question that we’ll have to answer moving forward as our public officials, our legislators, the Administration in control, whether it’s this one or the subsequent… This is a huge issue, and we cannot allow a wild west of ransomware and all of these other threats that are out there to just happen and be chasing after them. We have to be proactive.
And, I think what the Government is saying here is that, “This is a critical problem, and we don’t see companies solving it on their own”. And, there are people still running old unsupported versions of Microsoft Exchange Server software. That’s the problem in many instances.
Fred McClimans: Sure. Now you get to the really delicate matter here. Do we, as a nation, or just as a society in general, have the ability or even the right to tell a private company, “You’re doing it wrong. Here’s what you have to do. And, if you want to participate in the digital ecosystem, here are the things you need to have in place.”? There are a lot of people that would push back on that and say, “That’s overreaching Government control”.
Shelly Kramer: For a society who can’t agree on masking or not masking, or anything else really, it is a big deal. But, the reality of it is, it’s yes, it is Government stepping into a private company, but the reality of it is, it’s protecting data. Generally speaking, it’s protecting customer data, and all other information that is a part of the organization. So, it’s employee data, it’s customer data, it’s so many things. So, it’s not just, “I’m going to knock on your door and look under your bed”. The data protection issue is a big thing. And, the impact of that down the line, throughout the company as a whole, is really bigger than I think most people realize.
Fred McClimans: There’s a line of thought here that says, one of the big fundamental issues we have, and I believe this, we have a backwards approach to data ownership and data privacy. And, it’s starting to be corrected here, you’re seeing companies like Apple and others flipping the model around to make it an opt-in to data sharing. Because, the traditional model has been, you don’t own, as an individual, your data. If you interact with a system, with a company, with a service, they own your data. And, that really needs to be reversed the other way. We need to start thinking, when we’re conducting a transaction, when we’re sending an email, or doing anything, that communication, that data, everything that comes off of that, that belongs to the user who’s actually creating that and generating that. And, does that mean our business models potentially need to change? Absolutely. But, we have to start thinking about that privacy right first. And, from that perspective, if you go down that road, it’s very easy to say, “The Government has the right and the ability, on behalf of its citizens, to protect their data”.
Shelly Kramer: Yeah. It’s an interesting topic, and one I’m sure we’re going to be talking more about as time goes on, for sure. Okay, I think I’m ready to wrap up this show. Speaking of governments, I wanted to wrap up the show with just a couple of quick highlights, and a nod to the fact that it’s not just the US Government that has issues with cybersecurity.
I saw earlier today that a subsidiary of Toshiba’s European operations was the victim of a cyber attack, perpetrated by DarkSide, our friends DarkSide, on May 4th. And, the attack appears to be limited to Toshiba’s European operations, and focused on part of the company called Toshiba Tec, which sells point-of-sale systems for retailers. Think lots of personal customer identification that goes through point-of-sale systems. There hasn’t been a confirmation yet of the scope of the leaked information, an investigation is still underway. This is the second attack in recent times aimed at Toshiba, an earlier one happened in France. DarkSide took responsibility for the France attack, and claimed to have accessed over 700 gigs of data, including data around projects, human resources, senior executives, passports, and personal information of employees, sales, new business and trade information. So, when you think about it, this is an example of what we’re talking about when we say Government goes in to protect all of this data, because there’s so much data involved.
The thing that I thought was really interesting, coming out of the Toshiba attack, was that a cybersecurity expert that was interviewed about this said that, “Attacks on Japanese companies are at their highest ever. And, the Japanese are very attractive targets for threat actors as a whole because they don’t properly estimate the time and resources needed to put the right security protections and protocols in place.” I don’t think the Japanese are alone here, by the way.
Fred McClimans: No, I don’t.
Shelly Kramer: “And, when they are advised what they need to do, they don’t tend to take the advice.” So, I thought that was really interesting on a number of fronts related to these conversations. And also, I’m sure you saw this as well, Ireland’s health system was the victim of a ransomware attack, and it is completely shut down. [inaudible] reported today that the health service was shutting off all IT, after they experienced a significant ransomware attack. And, that, “Significant”, was their wording. The attack was blamed on threat actors targeting healthcare records. Again, very robust areas of personally identifiable information. The attack has completely shut down all COVID-19 testing, hospitals have canceled all non-urgent appointments, all diagnostic services, and they’re only accepting emergency room appointments, and seeing women who are 36 weeks pregnant or more.
The attack actually targeted computers that were storing patient records. The hospital in Dublin was the one that was shutting down services. And, this is on the heels of what you talked about in our show last week, the attack on Belgium.
Fred McClimans: Right.
Shelly Kramer: So, the world over, we are seeing cyber attacks and threat actors shutting down hospitals, governments, pipelines.
Fred McClimans: There’s possibly a good side of that here, moving here. I say, “Possibly”. Because, we’ve been talking about the DarkSide, they recently, I think just yesterday, announced that they had some of their servers actually confiscated. Law enforcement have gone in and…
Shelly Kramer: Shut down.
Fred McClimans: … Shut down their blog server, their payment processing server, and their denial of service attack service. So, they had been seized based on a court order. We don’t know who. But, it is interesting because DarkSide, as we’ve talked about previously, they have gone out of their way to say, “Look, we’re a business operation. We’re not the bad guys here.” They’ve donated to charitable causes.
Shelly Kramer: Whatever. That doesn’t make them good guys.
Fred McClimans: Right. But, now you see them and you see others, like REvil that we mentioned previously, stepping up and saying, “As part of our Crime Inc., or our cyber collaborative here of attackers, we’re not going to do work in the social sector for healthcare, education etc. We’re not going to do work on government sites, we’re not going to sanction that. We’re not going to sanction anything that is really that important that people’s lives could be at risk coming out of it.” That’s a couple of organizations saying that. And unfortunately, while that may set a tone moving forward, which is a bizarre thing to say, that we have organized crime saying, “Look, here are the rules of conduct that we’re going to put in place”, the reality is that there are so many rogue actors out there, and people that don’t have security. Clearly, the group that targeted Ireland’s healthcare system, that’s a different beast. And, we need to find a way to combat that, to stop that in its tracks. It’s gone too far.
Shelly Kramer: And, the good and terrible about the DarkSide servers being shut down, what’s interesting, they didn’t share what law enforcement agency or from which country seized control of their servers. I think that was a wake up call for them. But, as you said, REvil made changes in their operations, and they forbid people to work on the government sector, the State of any country, as you said, work in the social sector, healthcare, educational institutions. And, they said they are requiring more information about the target be submitted by people who want to use their ransomware as a service offering so that it can be approved before they go and hack somebody. So, I thought that was interesting.
But, here’s the terrible part of this, though. What DarkSide said they were going to do, as a result of their servers being taken down, is go into dark mode. And, they were going to refrain from posting in underground forums, and they were going to instead communicate in more private ways. Now, one of the things that we talked about earlier was that Kaspersky operatives, cybersecurity operatives, saw postings from DarkSide in their forums. And that, when they post things in forums that are generally populated by threat actors, it does make that information available to be picked up by other organizations and people that are monitoring that. When they go into even more dark mode, that’s not necessarily a good thing.
Fred McClimans: No, it’s not. Think of the government and law enforcement here as an enterprise that’s collecting all this data that they in turn are going to put through a machine learning model to figure out, “What are the patterns? What are the behaviors?” The more posts we see by a particular group, a threat actor, the more likely it is that we can identify the traits, the characteristics, and predict what their future post actions and attacks may be, based on their past behaviors.
So, going dark is fitting for a group called DarkSide, but it is unfortunate. But hey, maybe they’ll come back and they’ll really get that Robin Hood flag going and say, “Look, we’re actually doing a service here for everybody, because after we attack you and after we get a ransom, we’re actually going to tell you where your security lapses are. So, we’re sort of the white hat guys.” Which is, again, just a bizarre thought. I would not be surprised if they went down that path, from a PR perspective. Again, we’re talking about this organized crime group as a company with PR and operations.
Shelly Kramer: Yeah, but these are mostly Russian-based. Isn’t DarkSide Russian-based?
Fred McClimans: Russian-based, yes. They’re based in Russia, or Eastern European.
Shelly Kramer: No offense, but I don’t really want Russians… And, these are all part of the Russian… What is it? SDF or FSD? What’s it called, the acronym for their foreign services? FSD organization, which is all about doing dirty deeds, and espionage, and all that sort of thing. So yeah, I don’t really want somebody from Russia advising corporations anywhere in the world on what to do to fix their systems. Do you?
Fred McClimans: Not particularly. It becomes a question of whose best interests? The fact that somebody has been devious enough and bold enough to outright attack your organization, the credibility, in my mind, goes out the window. And, that’s different. If you really want to be a white hat actor out there, there are a lot of companies that offer…
Shelly Kramer: Absolutely.
Fred McClimans: …rewards and so forth. They would love to engage with people to figure out where the shortcomings in their systems are. But, this approach, “Yeah, we’re going to take you for two, four, five million dollars. And, then as an afterthought, we’ll tell you where your data is. And, we’ll also agree not to attack you again, after we’ve taken your money.”
Shelly Kramer: Sorry, can’t be trusted.
Well, on that note, we’re going to wrap our show. Thank you for hanging out with us today, to our audience. And, Fred, thank you for talking the cyber talk, it’s always my favorite part of the week.
Fred McClimans: Mine as well, Shelly.
Shelly Kramer: All right. Thanks everybody, and we’ll see you next time.