Deciding to pay ransom - the cases of JBS and Colonial Pipeline. Gangland branding. Constituent management system hit. Notes on the FBI’s partial recovery of DarkSide’s ransom take.
Elliott Peltzman: JBS discloses that it paid REvil roughly $11 million in ransom. REvil not only had a good haul, but the gang made a few points about its brand, too. Colonial Pipeline explains and defends its decision to pay ransom. The U.S. Congress has a third-party problem that constituents may or may not notice. Dan Prince from Lancaster University on the science of cybersecurity. Our guest is Kris McConkey from PwC on their "Cyber Threats 2020: Report on the Global Threat Landscape." And the FBI's recovery of some of the ransom Colonial Pipeline paid to the DarkSide was good, but it doesn't necessarily represent a new normal.
Elliott Peltzman: From the CyberWire studios at DataTribe, I'm Elliott Peltzman, filling in for Dave Bittner with your CyberWire summary for Thursday, June 10, 2021.
Elliott Peltzman: The Wall Street Journal reported in an exclusive last night that JBS paid its REvil attackers $11 million in bitcoin to restore the systems and data affected by the gang's ransomware attack. That makes the $4.4 million Colonial Pipeline paid look like chump change, especially now that the FBI has recovered 2.3 million of the pipeline operator's payment. Andre Nogueira, chief executive of the Brazilian meat company's U.S. division, described his decision to pay. He told the Journal it was "very painful to pay the criminals, but we did the right thing for our customers." The payment was made after most of JBS' plants had returned to operation. The company says it had all of its data backed up and that as far as it could tell, no customer, supplier or employee data had been compromised.
Elliott Peltzman: So why pay, especially when recovery seemed to be well-organized and making good progress? Nogueira said it represented a kind of insurance. The company's IT experts couldn't guarantee that REvil couldn't find its way back in. Nogueira said, quote, "We didn't think we could take this type of risk that something could go wrong in our recovery process. It was insurance to protect our customers," end quote. Thus, payment appears to have been a way of hedging against the possibility of re-attack. It's worth noting that JBS used an outside consultant to negotiate with the extortionists. Payment was apparently one of the options on the table from the outset.
Elliott Peltzman: For all of its high-minded posturing about its operations being as proportionate and discriminating as one could wish of any well-behaved privateer or socially conscious hood straight out of Sherwood Forest, REvil wasn't shy about attacking a company headquartered in Brazil when it hit JBS with ransomware. We heard from ZeroFOX on the matter, and they think the evidence confirms what they've thought more or less all along. Quote, "REvil did not conduct much vetting of JBS as a target, relying simply on the fact that the parent company was headquartered in Brazil. It is a common practice in the cybercriminal underground to associate targets with the geographic location, industry types and revenue numbers listed on their open source business profiles," end quote. A side benefit for REvil's branding was that the attack seemed to be motivated by simple greed, a point REvil has taken some pains to drive home in its communiques. They're crooks, not spies, and they'd like you to appreciate the distinction.
Elliott Peltzman: So JBS was a target of opportunity. It was available because it was in Brazil, a country not on the Kremlin's do-not-touch list. All of this is good for their bad business. As ZeroFOX observed, REvil also gets to show that they're not afraid of Uncle Sam, and that's equally good for attracting new affiliates as it is for frightening prospective customers, as they call their victims. ZeroFOX says, quote, "REvil has previously used public-facing interviews to amplify their mystique and to attract more affiliate talent to their team. They want to build their brand, but also stay in business," end quote.
Elliott Peltzman: Colonial Pipeline's CEO defended paying ransom. It was a tough crowd, but he stuck to his point. BloombergQuint reports on the reception Colonial Pipeline CEO Joseph Blount Jr. received from Congress during his testimony. It was chilly. The company's failure to have adopted a stronger security posture was criticized, as was its decision to pay ransom, the FBI's recovery of much of the money notwithstanding.
Elliott Peltzman: Two things are noteworthy. First, the heat Colonial took from its congressional inquisitors renders implausible the speculation that the company paid the DarkSide's ransom in cooperation with the FBI, the better to help the Bureau cripple the DarkSide's infrastructure.
Elliott Peltzman: Colonial Pipeline CEO Joseph Blount took responsibility for the decision, which he presented to both the House and Senate as the result of a tough cost-benefit calculation. Effectively, he had no choice, he said, in view of the severe consequences of protracted disruption of fuel delivery. Blount said, quote, "I know how critical our pipeline is to the country, and I put the interests of the country first. I made the decision to pay, and I made the decision to keep the information about the payment as confidential as possible. It was the hardest decision I've made in my 39 years in the energy industry," end quote.
Elliott Peltzman: When asked how much worse things could have become had Colonial not paid the ransom, Blount answered, "That's an unknown we probably don't want to know, and it may be an unknown we probably don't want to play out in a public forum."
Elliott Peltzman: The second interesting thing about the testimony is the extent to which congressional attitudes about paying ransom have hardened and how willing members of both houses are to criticize the private sector for lax security.
Elliott Peltzman: It's only fair to mention, after the high dudgeon on display around Capitol Hill this week, that Congress itself has also had some cybersecurity issues. The Hill reports that iConstituent, a vendor that provides constituent management services - the elected officials' equivalent of CRM - to some 60 offices of both parties, was hit by ransomware, leaving members of Congress unable to contact their constituents for several weeks. Even Solons grapple with third-party risk. Good thing constituent service isn't really critical infrastructure.
Elliott Peltzman: And finally, the FBI's recovery of about $2.3 million of the approximately $4.2 million Colonial Pipeline paid the DarkSide is encouraging and a good thing. But as an email from Databarracks, the U.K.-based business continuity and IT recovery shop, warned us this morning, you'd be unwise to assume that the feds or anyone else can be relied upon to do the same for you should you become an unwilling customer of a ransomware gang.
Elliott Peltzman: For one thing, whatever the FBI did to recover the money - and it probably had to do with their ability to obtain a private key for the wallets whose contents the Bureau retrieved - you can't count on that being possible every time. For another, the crooks also learn from the school of hard knocks and are less likely to repeat whatever mistakes made the FBI's recovery operation possible.
Elliott Peltzman: Databarracks' managing director, Peter Groucutt, said, quote, "These interventions by authorities are still new, so it takes a while for them to become properly established. There's also no guarantee the highest echelons of law enforcement will come to your aid if ransomware strikes. So it's dangerous to rely on it as a way out," end quote.
Elliott Peltzman: It's better to prepare to defend yourself. We heard as much yesterday from FBI Special Agent Doug Domin of the Bureau's Boston field office during a Cato Networks webinar. You want to let the local FBI know when you've been attacked, but remember that they're not an incident response team. Incident response is fundamentally the affected organization's responsibility. And while the FBI will go after the bad guys, you should be prepared to do your own remediation and local, on-site investigation. So be prepared, scout.
Dave Bittner: The team at PwC recently published their "Cyber Threats 2020: A Year in Retrospect" annual report. Kris McConkey leads PwC's cyberthreat operations practice, and he joins us to share their findings.
Kris McConkey: Like, it's a really interesting thing for us to do every year because we have a whole bunch of different services that basically put us in direct contact with some of the threat activity that's happening. So we do a lot of incident response work around the world every year, several hundred cases in about 40 different countries. We have some managed security services, and we also have a full-time threat research team that provides threat intelligence services to clients. So the "Year In Retrospect" report is really the thing that we try to do every probably February, March time, consolidating everything that we see across all of those different services and trying to link that together with the sort of big-picture rationale for, why is it happening? Who's behind it? What do we think is going to happen next? And try to distill that down in a way that's actually something that we can publish and that's easily digestible by clients and other people that want to read stuff like that.
Dave Bittner: You know, based on the information that you've gathered in this report, what's your outlook for the coming year? Where do you suppose we stand?
Kris McConkey: Oh (laughter) I can't really - a really hard one to pin down just given how much stuff's happening at the minute. I know we saw a lot of stuff in 2020, but 2021 already looks like it's shaping up to be a year full of zero-days. And so having had a year where there's a lot of really interesting threat activity that hasn't involved any exploits, we're back to seeing a load of zero-days and VPN solutions and firewalls and email servers and things like that that can be exploited on a mass scale.
Kris McConkey: And actually, even - the Exchange one recently is a really good example where that was privately held by a bunch of threat groups before it became publicly known. And as soon as it became publicly known, then you had the whole world and their dog piggybacking on it. So it doesn't really take long for people to look at what's being patched, pivot that 'round and actually turn it into a usable exploit. And for internet-facing systems, that basically means you've got everybody trying to scan the whole internet to find vulnerable systems.
Kris McConkey: So I think we will start seeing more and more of that stuff happening and obviously the criminals getting in and the ransomware game is going to continue. The supply chain side of things I think we will see more of. And obviously there has been some really sophisticated espionage stuff in that space, but we've seen previous instances of financially motivated groups doing the same thing as well, with the likes of Fin7 and Fin9 targeting supply chains before. And so, again, we might see more of that.
Kris McConkey: And then on the software supply chain side of things, I think we may see more of that as well. I don't know whether we'll see it on the same level of profile as the likes of SolarWinds. But for example, at the minute, there's one of the Chinese espionage actors that's inside a Russian software organization that's used by about 20% of Russian companies. So obviously from an espionage perspective rather than anything destructive, but, again, that sort of stuff is happening, I think, more and more frequently.
Kris McConkey: So from a threat perspective, I think we'll probably see a bit more of the same. From a defender's perspective, I guess one thing that was really interesting to see in 2020 was just the level of both cooperation and willingness from both government and private sector to start kind of naming and shaming some of the groups behind this. And so I think that sort of lean-forward posture in terms of being able to get some of the stuff in the public domain, follow it up with sanctions, those sorts of things, is actually going to be really helpful in future as well.
Dave Bittner: That's Kris McConkey from PwC.
Dave Bittner: And I'm pleased to be joined once again by Daniel Prince. He's a senior lecturer in cybersecurity at Lancaster University. Daniel, great to have you back. We wanted to touch today on the science of cybersecurity. What do you have to share with us?
Daniel Prince: Well, as you'd expect, being an academic in an academic institution, in a science and technology faculty, you know, I'm quite passionate about the scientific discipline and also exploring its role within cybersecurity, which is obviously my other research area. And one of the challenges that I see is actually the application of the scientific disciplines to many of the cybersecurity challenges that we see today.
Daniel Prince: A lot of cybersecurity has almost grown up in an ad hoc or organic fashion around the problems and trying to solve the immediate problem - firefighting. And I think there's a lot to be learned from the application of scientific methodology to practices like penetration testing. And obviously, we see a lot of scientific rigor in terms of practices around digital forensics. But there are some areas that I think we can really look at in terms of applying and understanding the different research methods that we have available from science and other disciplines and apply to some of the cybersecurity challenges that we have today.
Dave Bittner: Tell me about that. What do you propose?
Daniel Prince: So if we take, for example, penetration testing, which is a module that I'm kind of working on revising at the moment, you know, so much of the material that we see at the moment is, how do we break into a system? How do we, you know, run a port scan? How do we get to the endpoint of whatever the penetration test is? And we've traditionally taken the approach of teaching the underlying technologies and the sort of main concepts of each of these types of attacks, so they can be broadly applied. But if you think about what a penetration test is, it's a series of developing theories and then testing hypotheses. And you develop a theory about where there might be a weakness in the system, and you need to then test against that system. And what I think the sort of scientific rigor can bring to some of this is some formal methodologies, both in terms of quantitative and qualitative analysis of how do we apply these research methods to these particular problems so that we can learn and we can inform. And that's, I think - the important part is one of the key things around the scientific approach is that formal feedback part to help develop our knowledge base more broadly.
Dave Bittner: So is this a matter of having a certain type of discipline overlaid onto the process?
Daniel Prince: Yes. I think discipline is the right word, and I think it's also, again, tied with this idea of professionalism around cybersecurity. And by that, I don't mean that people in the industry aren't and haven't been professional. I mean it's about the increasing maturity within cybersecurity as a discipline. You know, when I go back 10, 11 years, cybersecurity wasn't really a concept, except in science fiction. And now it is a big industry. And I think the important part for us is to say, well, if we are creating these professional bodies to actually recognize professionalism - and we see that happening in the U.K. and in other countries - how do we ensure that those professionals are applying appropriate techniques, understanding the discipline? And what does that discipline mean? We can't just take, you know, existing research techniques and methods and just apply them directly. We have to understand how they need to be adapted for the particular research and practical applications that we do within cybersecurity, and we have to situate it within that context.
Dave Bittner: Could we see things like peer review come into play?
Daniel Prince: Well, I mean, we do start - we are seeing that. You know, when we see - think about things like bug reports and vulnerability reports, they do get peer reviewed. And so we do have aspects of it. And, you know, we certainly see a lot of these kind of academic, if you like, disciplines being applied in the industry. I think there's just more that we can do. And, you know, this was recognized back in, you know, five or six years ago in the U.K. when there was a national investment into a research institute for the science of cybersecurity deliberately to start to really transform the practice of cybersecurity from best practice to kind of scientifically accurate and rigorous approaches. And I think that's the other important thing. You know, as professions increase in their professionality and their maturity, they go from a best practice to a discipline. And I think understanding how we can take the best of scientific disciplines and apply them to this emergent industry and a significant growth industry will add a significant amount of benefit for everybody involved.
Dave Bittner: All right. Well, Daniel Prince, thanks for joining us.
Dave Bittner: Thanks to all of our sponsors for making the CyberWire possible.
Elliott Peltzman: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. Listen for us on your Alexa smart speaker, too.
Elliott Peltzman: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Puru Prakash, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Elliott Peltzman filling in for Dave, who will be back tomorrow. Thanks for listening.