How Russian hackers reaped a $4.4 million windfall by holding your gasoline hostage, and why it probably won’t be the last time, either.
Last month, the Colonial Pipeline, which supplies fuel to a sizable swath of the eastern US, was shut down for five days following a ransomware attack by a hacker group known as Darkside, operating out of Russia. The brief but acute fuel shortage in 14 states led to a full-on panic among consumers, who rushed en masse to local gas stations to fill up their tanks. Amid reports of price gouging and long lines, there were reports of individuals loading up all manner of inappropriate vessels with petrol, resulting in at least a handful of vehicles bursting into flames. This led to the sadly predictable admonition from the US Consumer Product Safety Commission warning citizens against filling plastic bags with gasoline.
Within a few days, Colonial had paid the hackers a ransom of $4.4 million worth of cryptocurrency, service was restored, and people went back to putting gas in actual gas cans. While the immediate crisis is over, the high-profile hack raises serious questions about the vulnerability of critical infrastructure to a rising wave of ransomware attacks, state tolerance of such hacking activities, and the lack of regulation surrounding the cryptocurrencies that make the whole thing profitable.
Over the past year and a half, there has been a major uptick in ransomware attacks on US institutions. Temple University data found there were at least 250 such attacks on critical infrastructure and institutions in the US, including schools, hospitals, jails, utilities, and rail systems, to name just a few. Some 2,500 such incidents were reported by private companies to the FBI in the last year. Homeland Security Secretary Alejandro Mayorkas estimates that upwards of $350 million was paid out last year to hackers holding data and computer systems hostage. Currently, institutions like the DC Metropolitan Police and the Illinois Attorney General's office are suffering from ransomware attacks. Just this past Monday, in a hack directly reminiscent of the Colonial Pipeline attack, meat processing giant JBS reported that its systems had been compromised.
Perhaps most troublesome of all, many such attacks on the private sector go unreported. The companies simply pay the ransom to get their data or their access back. Why? Many companies would rather keep things quiet and avoid damaging their reputations by making an epic IT disaster public.
Prior to the Colonial Pipeline hack, federal cybersecurity regulation was largely absent for privately owned and operated infrastructure. While the electrical grid and nuclear power facilities are held to strict security standards, many other sectors, including oil and gas pipeline companies, were not. That is, until now. This past week, the Department of Homeland Security announced new cybersecurity requirements for oil and gas pipelines. One of the new requirements is the designation of a cybersecurity coordinator, available 24/7/365, to monitor for network intrusions and report them to both the Transportation Security Administration (TSA) and the Cybersecurity and Infrastructure Security Agency (CISA). Current operators will also have the next month to present those agencies with an assessment of their current security practices, the gaps they have identified, and their planned remediations.
What makes the rising tide of ransomware attacks possible is cryptocurrency. You may be aware that digital currencies like Bitcoin and Dogecoin are all the rage among asset speculators. Indeed, even more than AMC or GameStop stock, crypto has gotten wild and woolly over the last 18 months as armchair traders make small, and in some cases not so small, fortunes. Cryptocurrencies may be speculative assets, but they still have more real-world utility than the Dutch tulips of yore.
Though highly volatile, cryptocurrencies are being used as actual currencies. Recently, Tesla announced it would accept payment in Bitcoin for its cars, only to reverse course weeks later. And while only a minority of regular businesses are willing to shoulder the risk of taking Bitcoin as payment, a whole host of less than legitimate actors are happy to take advantage of the pseudonymity the technology affords: every transaction is recorded on a public ledger, but the wallet addresses involved are not tied to any real-world identity, and a payment can be collected from anywhere in the world without a bank asking questions. The rise of cryptocurrencies has been an enormous boon to black markets and money launderers the world over. Most significantly for our story, hard-to-trace cryptocurrency payments are what has made ransomware attacks both possible and highly profitable for hackers like the Darkside group.
Turning back to the Colonial Pipeline, it should be noted that it wasn't Colonial's physical pipeline infrastructure that had been hacked but rather the company's corporate IT network, including its billing system; the company shut down pipeline operations itself as a precaution. It's hard to expect a company like Colonial to throw caution to the wind and keep pumping fuel for the common good with no guarantees as to who will pay for it. On the other hand, leaving the security of critical infrastructure like Colonial's pipeline up to the myopic imperatives of capitalism isn't likely to get us better results than we had last month.
The DHS's new regulatory moves are welcome, and one would hope that companies will be more proactive in light of the Colonial Pipeline hack, but more is likely needed. Many hacker collectives like Darkside operate with the tacit approval of the nation states in which they reside. Russia, China, North Korea and others appear more than happy to look the other way when US infrastructure is held for ransom. In its statement concerning the JBS hack, the White House said it was "engaging directly with Russia" in investigating the latest attack. Assiduously avoiding an escalating tit-for-tat cyberwar might seem like wise policy when the US doesn't yet have either the defensive capabilities or an articulated end game. But it may also be emboldening US adversaries to turn a blind eye to, or even facilitate, such attacks.
And then there's the matter of regulating cryptocurrencies. A recent Wall Street Journal editorial called for banning them outright in light of their ability to conceal and abet criminal activity. And while an all-out ban is probably not in the offing, don't be surprised if we see Congressional hearings addressing the confluence of cybersecurity and cryptocurrencies in the near future. Because if you thought cyberattacks look bad for corporations, just imagine how bad fuel shortages and long lines at gas stations look for politicians.