Blackmail in division of labor

The hacker attack on an American pipeline shows that cyber criminals are professionalizing their business models. They invest in software and in public relations.

Targeted by the hackers: the Colonial Pipeline in Texas

The cyber attack on the gasoline supply of the American east coast throws a spotlight on the differentiated business models of criminal hackers, the problems facing investigators, and the permeability of the IT systems that control important parts of the infrastructure, not only in the United States. The FBI, the American federal police, confirmed on Monday: "The DarkSide ransomware is responsible for the compromise of the Colonial Pipeline network." DarkSide is a gang that, according to investigative authorities, has been active since August 2020 and operates from Russia.

Information from White House security advisor Anne Neuberger and statements from the group itself reveal the contours of a business model based on the division of labor: the gang rents its services to the criminals who bid the most and shares the ransom with them. Its malware encrypts the computer systems and data of the attacked company and releases them only after the extorted payment has been received.

According to IT security experts, this division-of-labor business model is becoming more and more popular: one group develops the malicious software, while a second looks for weaknesses in the IT systems of targeted companies and authorities in order to deploy that software. Neuberger called this development particularly worrying.

DarkSide itself seems to have been surprised by the consequences of the attack. The gang said in a statement that it would exercise restraint in the future and vet every company that its partners want to attack with its encryption software, in order to avoid socially damaging consequences. The gang protested that it was only after money. It claims to have broken into the networks of more than 80 companies since August of last year. DarkSide threatens to publish details about victims who refuse to pay on "leak" sites on the Internet and to sell inside information from listed companies.

No information as to whether the ransom was paid

The FBI generally recommends that companies refuse to pay ransom. Security advisor Neuberger admitted at a press conference that companies are often in a difficult position if they have no other way of regaining access to their data. The attacked pipeline company declined to comment on questions about whether it had paid a ransom. It says it wants to restart the pipeline system by the weekend.

Neuberger also drew attention to another trend: according to her, hackers are increasingly attacking companies that hold cybersecurity insurance and have large financial resources. The rising number of ransomware attacks is already causing considerable upheaval in the young cyber insurance market. The policies are becoming more expensive year after year. According to surveys by the industrial insurance broker Marsh, premiums for cyber policies rose by an average of 30 to 40 percent in the past year. The result: a number of companies can no longer, or no longer want to, afford protection against cyber risks.

Anne Neuberger. Image: EPA

The insurers justify their premium increases, on the one hand, with the fact that the risk of a cyber attack is difficult for them to calculate. On the other hand, they point out that the number of claims in the still young business is increasing dramatically. The first insurers are already withdrawing from the business; Munich Re speaks of rising case numbers, rising premiums and growing market capacity.

A new trend could exacerbate the threat: security expert Jon DiMaggio has observed the increasing use of automated attacks. The gangs have spent time and money shortening their attack times and adding components to their software that automatically look for loopholes. Attacks that used to take weeks now last a few hours, says DiMaggio. The result is more attacks.

Because the hackers usually collect their payments in cryptocurrencies, the already difficult investigations are made even harder: no banks are involved in cryptocurrency transactions. Treasury Secretary Janet Yellen recently announced that she would work with other authorities to regulate cryptocurrencies more strictly in order to make them harder for criminals to use. The recent attacks have given these efforts new impetus.

According to intelligence findings, many hackers, DarkSide among them, operate from Russia. According to the White House, there are no indications that they are being coordinated by Russian intelligence services. However, the American government accuses Russia of benevolently tolerating the hackers' activities. The US Department of Justice set up a task force in April to identify cooperation between hackers and governments and to formulate recommendations. DarkSide emphasized in its statement that it does not work with governments and does not pursue geostrategic goals. In addition, the gang tried to style itself as the Robin Hood of the Internet: it does not attack hospitals or charitable organizations and donates part of its proceeds, it wrote.