Unintended consequences: When a cyberattack goes wild

Courtesy of Brett Sayles

In 1988, a Harvard graduate began an experiment to see how many computers were connected to the Internet. Twenty-four hours later, 10% of all computers around the world had been taken down, and the damages soared into the millions. Robert Tappan Morris had inadvertently created the first ever computer worm. Once Morris realized the speed at which his program was replicating, he tried to send instructions to the victims to dismantle the worm and curb the cyberattack. But it was too late. He was indicted one year later and faced fines of more than $10,000.

Fast forward to the present day, and we’re facing the most recent example of a cyber-threat miscalculation, or a criminal group that simply did not understand the full impact their attack would have. The DarkSide ransomware group most likely only intended to hit the information technology (IT) system and corporate business operations of Colonial Pipeline and underestimated the full impact the malware would have. The consequences were disastrous, halting the supply of fuel across the East Coast, leading to gas shortages, hoarding and spikes in gasoline prices around the world.

In an apparent show of social responsibility, the DarkSide group issued a seemingly heartfelt apology for the cyberattack on social media:

“We are apolitical, we do not participate in geopolitics, do not need to tie us with a defined government and look for other our motives. From today, we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future.”

The motivation behind this statement is clear: self-preservation. The aftermath of the cyberattack affected not only Colonial Pipeline but the DarkSide group themselves. They fell into the direct firing line of the full force of the U.S. government, as well as became pariahs among other criminal groups for the attention they drew. It also appears they lost whatever formal or informal state supervision or protection they may have held.

As a result of the blowback and possible direct actions against them and their operating infrastructure, in less than a week, DarkSide announced that they would close their operations for good. They could, however, resurface under a different name or join another group, if allowed in.

Misjudging the impact and collateral damage of a cyberattack can lead to a range of unintended ramifications, from a cyber-crime group feeling increased heat from law enforcement to a nation-state escalating a conflict greater than they intended.

It is for this reason that many ransomware groups historically have tended to keep their affairs under the radar. More than 70% of ransomware attacks target small and midsize businesses (SMBs). Unfortunately, while many cyber-crime groups pledge to avoid larger bodies like hospitals and critical infrastructure, the allure of fast payouts for record-breaking ransoms has led to the health care sector, even vaccine efforts, being a heavy target for ransomware actors.

Following the incident at Colonial Pipeline — and no doubt in the fear of moving up the FBI’s Most Wanted list — a major ransomware-as-a-service (RaaS) group, REvil, announced the following policy:

  1. Work in the social sector (health care, educational institutions) is prohibited;
  2. It is forbidden to work on the gov-sector (state) of any country.

Organized cyber-crime groups often stress that they are apolitical and motivated solely by financial gain.

But when the boat is pushed too far, attacks can easily spill over into geopolitical tensions, encouraging governments to issue executive orders and pushing cyber-threats into the headlines — all bad business for criminal groups. And if threat actors get in over their head, they either need to lay low and rebrand in what is known as an “exit scam,” as ransomware groups such as Maze, Jokeroo and now REvil have done in the past, or they’re shut down completely, as seen in the disruption of the Emotet botnet at the beginning of this year.

The effects of cyberattacks are becoming increasingly difficult to predict and control. The reason for this is twofold. The first is this idea of interconnectivity. We live in a digitized world, which is so interlinked that an attack on one server can have global consequences, whether that’s reverberations down the supply chain, IT converging with operational technology (OT) or a cyber-threat against one country affecting the world.

More isolated than federal bodies, the private sector will most often take the brunt of this collateral damage. Just take NotPetya — where a targeted cyberattack against Ukrainian infrastructure went into the wild, paralyzing factories across the globe and costing shipping company Maersk $300 million.

The second reason is easier access to more sophisticated tools. The commercialization of cyber-crime has enabled less advanced actors to rent state-of-the-art malware and launch campaigns with speed and ease. In fact, the Colonial Pipeline attack was likely orchestrated by an affiliate who had paid for the DarkSide malware. This makes it far more challenging to monitor who is being targeted. When it comes to RaaS, even the developers probably do not know for certain how their malware will be used.

When preparing any kind of cyberattack, the intelligence that an actor has going into the target environment is rarely 100%. If the intention is to impact a single component of a bank, for example, but the attacker fails to realize that a nearby hospital relies on that same electrical grid, the situation can escalate very quickly. And when it’s a low-skilled attacker with little regard or understanding of what a high-powered tool can do, miscalculations become alarmingly easy.

As far as we know, DarkSide itself was not a state-sponsored advanced persistent threat (APT), merely a private criminal franchise. Yet they advertised their ransomware as the fastest in the world and managed to pull off one of the most disruptive critical infrastructure cyberattacks of all time. As history has shown, from the Morris worm to Colonial Pipeline, when malware is fast and designed to propagate, it is unpredictable. It is nearly impossible to put a highly destructive genie back in the bottle.

As automation and AI-powered attacks become a reality, these trends will increase exponentially and transform the threat landscape. Ransomware is no longer a human-scalable problem. Organizational resilience depends not on throwing more people into the mix, or even upskilling existing teams — machine-speed attacks need a machine-speed response that can adapt as fast as an attack propagates. Thwarting ransomware is both a board-level issue and a national security concern. As such, self-learning AI technology proves critical in tackling the unpredictability and speed of the threats of today, and of tomorrow.

– Thanks to Lucas Marsden-Smedley for his contributions. This article originally appeared on Darktrace’s blogDarktrace is a CFE Media content partner.

Original content can be found at www.darktrace.com.




Keep your finger on the pulse of top industry news