A petrol station that ran out of gas for sale displays an out of service sign on the pump in Atlanta, Georgia. Photo / AP
A petrol station that ran out of gas for sale displays an out of service sign on the pump in Atlanta, Georgia. Photo / AP
OPINION:
The cyber attack on Colonial Pipeline, which transports 45 per cent of oil consumed on the east coast of the US, should be the event that finally wakes everyone up. Motorists queued to fill up with gas; the price of fuel started rocketing and President Joe Biden announced atemporary state of emergency.
If these consequences don't alert people to the seriousness of the rapidly-spreading plague of ransomware, then it is hard to conceive of what will. Hospitals, schools, companies, municipal governments and transport infrastructure — virtually every sector has suffered major breakdowns due to ransomware attacks in the past year.
Bitdefender, a cyber security firm, says that in 2020 there was an increase of 485 per cent in registered attacks over 2019. After tracking one criminal group, REvil, Dutch telecoms company KPN established it demanded an average of US$260,000 ($359,398) per attack. These days non-payers can expect their confidential data to be released online.
Beyond the damage caused and the money lost, these attacks reflect an even more serious issue to which there has been no systematic response. Over the past ten years, we have started to outsource our cars, our homes, our finance, our utilities, our factories, our everything to a dense jungle of ever more complex networked computer systems.
All this is built on an Internet infrastructure which was never developed with security in mind and now requires endless patches, fixes and bodges to prevent its collapse.
Hostile states are not responsible for most of this current wave of crippling attacks. Instead, they are the work of groups like DarkSide who produced the ransomware which led to the Colonial Pipeline shutdown.
DarkSide is a criminal group of Russian-speaking malware developers probably based in the former Soviet Union. Among their other recent victims was a Toshiba subsidiary. It proudly offers RaaS (Ransomware as a Service) on its website, accessed via the Dark Web, and uses breezy acronymic corporate language to rent out malware to other hackers, who then launch the actual attacks. These are sometimes carefully targeted, sometimes accidental victims. The attackers then pay DarkSide a percentage of any ransom they receive in exchange for unlocking their victims' data.
DarkSide's blog mocks the PR speak of the companies it hits. As soon as the extent of the chaos caused by the Colonial attack became clear, it noted almost apologetically that, "our goal is to make money, and not creating problems for society. From today we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future."
How very comforting. As is the other news that DarkSide has tried to donate tens of thousands of dollars to recognised charities in the past few months. Let no one say these criminals don't take their corporate social responsibility seriously.
Colonial Pipeline transports 45 per cent of oil consumed on the east coast of the US. Photo / AP
Bloomberg reported on Friday that Colonial paid nearly US$5 million dollars to have its data released. Given the enormous disruption caused by the attack that seems peanuts. But for a hacking group whose main challenge is entering the network, it is a very significant pay off for relatively little work.
This is why the issue is now urgent. The proliferation of devices and innovative software has collided with inadequate cyber security regimes, lowering the barriers to entry for criminal activity so that they scarcely exist. If a two-bit outfit can halt the flow of oil into half the US, just imagine what a state actor with real resources is capable of.
The successful hacking of SolarWinds last year didn't generate the same drama as Colonial. But SolarWinds, a Texas-based outfit whose software manages the security and administration of 300,000 companies worldwide, was the more dangerous start of the new era of US cyber vulnerability.
The US has repeatedly accused Russia of being behind the SolarWinds attack. Nobody has 100 per cent proof but the failure of the hacking group responsible to demand any money, preferring to exfiltrate secrets instead, certainly lends considerable credibility to the thesis. Similarly, the list of main targets included Microsoft, the US Treasury department and even the cyber-security company FireEye. They look much more interesting to an intelligence agency than a bunch of crooks.
Reversing this descent into digital chaos with real-world consequences has many aspects: tougher measures against criminal groups while protecting civil rights; better societal education; recognition that cyber security must be at the centre of companies' decision-making.
But the overarching problem concerns the near total absence of any regulatory agreement between the three cyber superpowers, the US, Russia and China. As a result, the internet is a free-for-all enabling all manner of actors to exploit the protection and deniability it affords. Although talks about establishing cyber norms have been going for years at the UN, they have made only limited progress.
Until the big three set down some rules, commercial, geo-political and military competition will continue to bleed into the more mundane world of cyber security. As the chance of any such regulation is close to zero, it is up to individuals, companies and governments to negotiate the ever thickening jungle of highly vulnerable networks.
- Misha Glenny wrote 'DarkMarket: How Hackers Became the New Mafia'.
