R-a-a-s Claut! Robin Hood's Apologized to the King!
by John Hawkins
There's Good News for Modern Man, after all. DarkSide has a silver lining side or light side or something. They've essentially apologized for allowing Colonial Pipeline to be hacked and ransomwared. Oops. We'll do a better job of "vetting" our "affiliates" next time, they lisped in a Press Release released by the Press, a couple of days after they were fingered by the FBI as the Colonial culprit. It's enough to make a Gideon Bible-pounder out of you.
Today, just hours ago, Colonial announced all is copacetic and that they are speedily getting back up to speed again on the pipeline front. Windfall Accomplished! Presumably, the speediness of their recovery is because DarkSide, in issuing the apology, released the encryption of the data being held ransom. (Why apologize otherwise?) Of course, nobody's heard from DarkSide since their mea culpa announcement, and so we don't know if someone was squeezing Robin Hood by his hairy walnuts to get him to squeal like that or not -- Colonial's not saying. But something's not right. In fact, something's daft about the whole thing.
I say, why apologize, if you're not going to hand over the encryption key? But then I read in the Times that no ransom was paid. Well, then how did they decrypt the system? Then, when I was pondering that wonderment, I read in the same piece that "only the back office" system was affected, which usually means databases and file servers, but not the control system for the pipeline. Hmmmmmmm. Then, I'm reading that the intrusion security specialists, Mandiant, were helping Colonial to rebuild its presumed servers and databases from "back-ups." Hmmmmmm. Sounds unlikely. You'd bring in back-office specialists, not spear-phishing experts.
Another curious development was the discovery by "the FBI" that the data stolen from Colonial was stored on a server located in New York. And in a Wired story, an executive for CrowdStrike was quoted as saying that the cybersecurity company had been tracking DarkSide aka "Carbon Spider." But despite public statements that DarkSide does not attack Russians, that is contradicted in CrowdStrike's own listing of DarkSide/Carbon Spider adversaries. The Russian Federation is clearly listed as a target.
Let's recall that DarkSide has been referred to as the Robin Hood of ransomwarers. They swear they won't harm education, medical, or government stuff. They happily put out that they're "in it for the money" (good cappies, no worries) and not to upset the money cart of capitalism ("no geologypolitics are us!"). DarkSide is just a ransomware-as-a-service (RaaS); they're service providers. Thuposedly the way it works is that an otherwise "free-for-all" associate has a target in mind that the core DarkSide builds a ransomware kit for, and the installation is carried out by the associates. The associate gets about 75% of the proceeds, DS the rest. And some of that "the rest" gets donated to Children's Services (who reject it). This led to a number of what seem to me to be commonsense questions, which I forwarded to a techie who writes about ransomware and stuff at their site. Here are the questions:
1. If affiliates can attack whoever they want, as your piece says, then why do they need to go to the core for ransomware?
2. Following from 1., how would the core implement their credo (do no harm), if it's a free-for-all that they develop ransomware for?
3. Following from 2., how could the core not have known that the affiliate was targeting Colonial, if the ransomware is built around the target?
4. I was under the impression that ransomware is tailored to a target. Is that wrong?
5. Is the ransomware generic then?
6. Why would DarkSide, IYHO, essentially say, oops, and apologize, and agree to "vet" from now on? Dunno, sounds kind of girly.
7. But following from 6., Colonial is not the only oil and gas corporation that DarkSide targeted. I saw a list where they'd targeted 3 in total. Will they be issued apologies too?
8. GEOpolitical question: Technically speaking, what would be the advantage of storing data leaks on servers in Iran? Wouldn't the servers be on the Internet? Ergo, hackable by NSA agents, say? Why would Iran be okay with such an announcement now at such a politically sensitive time?