Security

Colonial Pipeline Paid Hackers Nearly $5 Million in Ransom (bloomberg.com) 141

Colonial Pipeline paid nearly $5 million to Eastern European hackers on Friday, contradicting reports earlier this week that the company had no intention of paying an extortion fee to help restore the country's largest fuel pipeline, Bloomberg reported Thursday, citing two people familiar with the transaction. From the report: The company paid the hefty ransom in untraceable cryptocurrency within hours after the attack, underscoring the immense pressure faced by the Georgia-based operator to get gasoline and jet fuel flowing again to major cities along the Eastern Seaboard, those people said. Once they received the payment, the hackers provided the operator with a decrypting tool to restore its disabled computer network. The tool was so slow that the company continued using its own backups to help restore the system, one of the people familiar with the company's efforts said.

  • Fantastic Job (Score:5, Insightful)

    by nehumanuscrede ( 624750 ) on Thursday May 13, 2021 @12:04PM (#61380420)

    Fantastic Job there Colonial.

    When you give them what they want, they keep doing it. You should probably shore up your network because after getting a $5M payout, they, or someone else, will likely be visiting your networks again in the near future. :|

    • by boudie2 ( 1134233 ) on Thursday May 13, 2021 @12:15PM (#61380484)
      I sense that the sympathy for Colonial Pipeline is slowly dissipating.
      • There was any sympathy for them in the first place?

        I guess probably from politicians they have bribed to ignore their complete lack of security.

      • by Freischutz ( 4776131 ) on Thursday May 13, 2021 @12:53PM (#61380690)

        Fantastic Job there Colonial. When you give them what they want, they keep doing it. You should probably shore up your network because after getting a $5M payout, they, or someone else, will likely be visiting your networks again in the near future. :|

        I sense that the sympathy for Colonial Pipeline is slowly dissipating.

        Their mistake was not hiring https://www.cyberninjas.com/ [cyberninjas.com]

        I particularly like this image: https://www.cyberninjas.com/st... [cyberninjas.com] The real set of people who pulled this off are likely greasy haired, overweight, wearing a Star Wars T-shirt and subsist on Diet Coke and Mars bars.

        • by irving47 ( 73147 )

          Well, thank god I have an alibi. I wash my hair daily. I'm not fat. I'm not *currently* wearing a StarWars shirt, phenylalanine gives me horrible headaches, and I'm allergic to the milk (chocolate) in any candy bar..

        • The real set of people who pulled this off are likely greasy haired, overweight, wearing a Star Wars T-shirt and subsist on Diet Coke and Mars bars.

          They'll be getting a lot more overweight. With that $5 million courtesy of Colonial, they can start buying their Mars bars by the pallet.

    • Re: (Score:3, Funny)

      by Anonymous Coward
      At least they didn't rely on green energy. You know how they never work properly.
      Remember when cybercriminals turned off the wind and blocked out the sun...
      • Dumbass, they can hack their way into the control systems for assets like those and wreck things if they wanted to do so. Solar panels and wind turbines aren't much good anymore when the power conversion systems they're connected to are wrecked.
        • by ceoyoyo ( 59147 )

          Solar panels and wind turbines don't have the same scaling problems fossil fuels do. You can put solar panels on your roof that are pretty much as efficient as the ones in a gigawatt solar farm. Digging an oil well and setting up a refinery in your back yard is considerably less practical. We could use that to make a more robust energy system.

          We won't of course, we'll wire everything together and hook it up to the Internet, but we *could*.

          • Solar Panels and wind turbines have different scaling problems to fossil fuels. Solar/wind are forced to have greater diversity than fossil fuels because they are inherently unreliable.
            • by ceoyoyo ( 59147 )

              I expect you just wanted to say something bad about wind and solar, but if that comment relates in some way to the topic under discussion in this thread, could you please state it clearly?

        • Realistically though considering all the infrastructure out there significant hacks are pretty rare. It's not that hard to limit hacks to just causing compartmentalized damage which is more or less why most advanced infrastructure using any type of computerized automation is not constantly being shut down by hacks. Soo yeah paying the ransom is lame, but it won't really be that hard for them to make massive gains in security within just a few months if they just stop being complete slackers and pay for the
    • by Tx ( 96709 )

      Their mistake was getting hacked in the first place, and not then having a good enough recovery plan. Once they were in that situation, if paying the ransom was the fastest way to get back up and running again, it was pretty much the only move.

      • And now that they've paid 5million in ransom the problem doesn't exist anymore so they can go back to not doing the first two things.

      • Re: (Score:3, Informative)

        by Anonymous Coward
        The real kick-in-the-pants is that they paid the ransom, and then restored from backup anyway, as the crypto-jacking 'recovery' tool was taking too long to do its thing.
    • Re:Fantastic Job (Score:4, Insightful)

      by Anonymous Coward on Thursday May 13, 2021 @01:28PM (#61380886)

      Governments need to start classifying paying ransomware operators as funding terrorism, because, well, it is.

    • Re:Fantastic Job (Score:5, Interesting)

      by shanen ( 462549 ) on Thursday May 13, 2021 @01:30PM (#61380890) Homepage Journal

      Should have been modded funny, not insightful.

      Needs to be a law against paying ransom. Give the victims another layer of defense: "But if I pay you then you can threaten to reveal that I paid you."

      Stating the obvious, but the managers of the pipeline are guilty of criminal stupidity. Companies run by stupid managers deserve to go bankrupt.

      NOT worthy of Insightful moderation. "Just the facts, ma'am."

      I'll add a cultural note about a similar crime. Ever heard of "sokaiya"? It was a kind of extortion against companies. The extortionist merely bought a few shares in the company and then threatened to shop up at the annual meetings and create an embarrassing public ruckus unless the company paid up. The government finally (mostly) cured the problem by making it illegal to pay them.

      • by havana9 ( 101033 )
        This. In the 70s and in the 80s there was a surge of kidnapping, mainly by Sardinian bandits, and Calabrese 'ndrangheta organized crime. Even two famous singers and songwriters, Dori Ghezzi and Fabrizio De André, were kidnapped for ransom in Sardinia.
        What stopped it was a law that in case of kidnapping all the assets of relatives and the kidnapped people were seized until the hostage was released, making it very difficult to pay ransom.
        • Hmm... Not bad, but I see how the kidnappers could work around it. Obviously the criminals would put more pressure on the relatives not to ask for help from the police until after the ransom was paid.

          However, as regards my suggestion, I'd like to change the victims' response to something like "But if I pay you and you ever get arrested then I will get arrested, too, because I paid you. You're a professional criminal and you are going to get nailed sooner or later. But you know I hope for sooner, too."

      • I work in this space. Technically, it IS illegal if the people you're paying the ransom to are under sanctions by the US federal government and have a no-trade sanction imposed. https://www.sxsw.com/wp-conten... [sxsw.com]
        • by shanen ( 462549 )

          Sounds like a lawyerly distinction, but thanks for the data.

          I'd prefer to focus on the non-legal technical side. If only that could be separated out.

      • by AK Marc ( 707885 )
        Paying protection money should be covered under RICO. The feds never tried it, because they would have looked like assholes, but Colonial paid criminals to support criminal actions. I wouldn't mind if the CEO served some prison time under RICO.
      • by shanen ( 462549 )

        Maybe I need new glasses? Or new fingers?

        s/shop up/show up/

    • how many years have they gone without hiring a cyber security department? (they were advertising for the lead position when they were attacked-- note to self don't advertise you are without a cyber security department!) The salaries and benefits alone over 10 years would be over 5 Million. And that's without actually implementing the expensive physical and software security, replacing insecure systems, and so forth. On top of that it's likely that some of the less secure practices may have enabled cheap

      • by ceoyoyo ( 59147 )

        Yeah, that was a tremendously good deal. I imagine the gang could have sold their access to the Russians or Chinese for an order of magnitude more.

    • Hear, hear.
      Just imagine how much they'll demand of the U.S. Government when (not if at this point anymore, but when) they hijack critical infrastructure, or U.S. military assets.
      All of this penny-ante stuff they've been doing has been just the proof-of-concept for their capabilities.
    • by irving47 ( 73147 )

      I blame "work from home". They obviously opened up a bunch of ports on machines for PC Anywhere!

    • Someone must have given these 'hackers' access.
    • When you give them what they want, they keep doing it.

      I don't see this as a problem. Eventually, Colonial will go out of business paying so many repeated ransoms, and the hacking group will have enough money to invest in legitimate enterprises.

  • This is why hackers do what they do. There's a reason governments don't negotiate with terrorists.

  • When "Disaster Recovery" is something you think about only after the disaster happened, you suck at your job. I get that they probably have a huge complicated system ( which, itself, can be cause for alarm. "As simple as possible" should be the name of the game ), but there shouldn't be a single reason why they needed to pay their attacker to fix the system.

    IT leadership there should have their names published and fired. There is no excuse which justifies their incompetence.

    • by NFN_NLN ( 633283 )

      > When "Disaster Recovery" is something

      Pfftt.. this is critical infrastructure. They need "Business Continuance". IBM, Cisco and EMC can come in to do an assessment, but the IT big boys are seasoned professionals at shaking companies down. It would probably be cheaper to just pay $5M to hackers every month.

      • Infrastructure can't be that critical if the TSA was put in charge of overseeing security [wsj.com].

        Lawmakers are demanding answers on how the Transportation Security Administration probes pipeline security, after a cyberattack on the East Coast’s main conduit for fuel snarled the region’s gasoline supply.

        The Colonial Pipeline Co. hack has brought fresh scrutiny to optional U.S. cyber standards for the sector, which contribute to uneven security investments by companies that transport oil and gas and coul

    • I get that they probably have a huge complicated system ( which, itself, can be cause for alarm. "As simple as possible" should be the name of the game ), ...

      Noting that "as simple as possible" can still be hugely complicated ...

    • When "Disaster Recovery" is something you think about only after the disaster happened, you suck at your job. I get that they probably have a huge complicated system ( which, itself, can be cause for alarm. "As simple as possible" should be the name of the game ), but there shouldn't be a single reason why they needed to pay their attacker to fix the system.

      IT leadership there should have their names published and fired. There is no excuse which justifies their incompetence.

      Well I can think of at least one excuse. When IT presented their security and continuity requirements to the team of money grubbing MBA's on their board, they were shot down.

      As always, keep a paper trail to CYA when this type of situation occurs. On paper, and maybe a memory stick or 10 you keep in many different places.

      • IT leadership, in that case, should have employed other "methods". "Leaks" and the like, to prod the board towards the right decision. Absent that, leave.

    • by DaveV1.0 ( 203135 ) on Thursday May 13, 2021 @01:26PM (#61380872) Journal
      They started looking for a cyber security chief two months ago. That is only 4 years after they were told their cyber security was atrocious. They were doing the best they could because these things take time.
  • by Ostracus ( 1354233 ) on Thursday May 13, 2021 @12:17PM (#61380496) Journal

    . The tool was so slow that the company continued using its own backups to help restore the system, one of the people familiar with the company's efforts said.

    Ok. Backups: check.
    Still gave them the money: check.

    • by Anil ( 7001 )

      for $5m they should get some customer support on that decrypt tool.
      get them a hot-patch for the bottleneck.

      • by Luckyo ( 1726890 )

        Funniest part is, this hacker group just did the biggest faux pas that ransomware group can make. They provided a worse way to decrypt the network than backup restoration.

        The one thing that ransomware groups have that is exceedingly valuable is their reputation that "if you pay, we give you your data back and we do it swiftly". Because if you don't have it, almost no one will pay your ransom. I wouldn't be surprised if other groups in the same business hired a hit on these idiots back in Russia for damaging

    • Yeah - this is what I'm not understanding. They HAD BACKUPS. They even did the restore from those backups.

      Why did they pay the ransom?

  • by TigerPlish ( 174064 ) on Thursday May 13, 2021 @12:22PM (#61380536)

    ...and whoever moron approved the payment.

    All three should get jail, hard time jail, for negligence. It'll never happen, but this just makes my blood boil.

    It's time to start cutting out the cancer anywhere it's found.

    Weak. What a fucking weak outfit.

    • by gillbates ( 106458 ) on Thursday May 13, 2021 @12:59PM (#61380734) Homepage Journal

      You've missed the point: the $5M payout is less than they'd spent if they'd done it right the first time. It's cheaper to ask for forgiveness than to get permission.

      Let's look at this from the business perspective:

      1. Colonial has saved money on IT spending.
      2. The oil companies have increased profits from the shortage.

      The only people getting screwed here are the little guys. IOW, Colonial is doing good business, maximizing revenue for their clients and minimizing cost. Sure, you have to pay more for gas, but that was the entire point of business in the first place. You may not be happy about it, but would you rather pay twice as much for gas all the time, just to know the pipeline was secure?

      It's like the credit card fraud finding algorithms. American credit card companies delayed chip-and-pin systems by more than two decades because they found it was less expensive to catch most of the fraud through pattern matching software than to implement a more secure system. Because they could pass the cost of fraud onto the merchants (a third party), they had very little incentive to change.

      • by Ksevio ( 865461 ) on Thursday May 13, 2021 @02:04PM (#61381072) Homepage

        Except the $5mil is only what it cost them as part of the payout. Presumably they also make money under normal circumstances that they weren't while their pipeline wasn't operating

      • You've missed the point: the $5M payout is less than they'd spent if they'd done it right the first time. It's cheaper to ask for forgiveness than to get permission.

        No, it's not such a simple cost/benefit analysis. Using this logic, no one should test their code, because it costs time and money to increase code quality. No one should do backups at all, because backup systems cost money. They can just pay off the ransomware gangs whenever they need to, and they'll come out ahead.

        The reality is that good backups and good software coding practices do cost money, but they pay dividends over the long term. It only makes sense to pay off ransomware gangs in the short term.

        Bu

      • > Colonial has saved money on IT spending
        > The oil companies have increased profits from the shortage

        So the CEO and all the O will have a big bonus at the end of the quarter/fiscal year!

    • Criminalizing these payments is the only way to stop it. But given how many banks were bailed out in the 2008 crash, I really doubt the government is willing to let big companies fail.

    • All three should get jail, hard time jail, for negligence.

      How were they negligent? Is it illegal to lose money? Is it illegal to have downtime? Is it illegal to be unable to meet contractual obligations between private entities? Is it illegal to pay "external IT consultants" for services to your business to help improve getting back online?

      As much as I want to see people punished as well at present it's not illegal to be stupid, and to prove criminal negligence you'd need to show how the way these people acted deviates drastically from the way anyone else would in

      • by AK Marc ( 707885 )
        It's illegal to pay criminals for criminal activity. You can't (legally) pay someone to rob a bank. They should go to prison under RICO violations. IT manager, CIO, CEO, and whoever paid. Send them all to jail for directly funding illegal activities.
        • It's illegal to pay criminals for criminal activity.

          They aren't paying for criminal activity. They are paying for decryption services. The criminal activities are in the past. And that is precisely how the legal system would work if anyone ever tried this stupid approach.

          They should go to prison under RICO violations.

          There's nothing quite like the word RICO to out people as not having a clue how the legal system works. Hint: You can't RICO yourself for starters.
          https://www.popehat.com/2016/0... [popehat.com]

  • by edi_guy ( 2225738 ) on Thursday May 13, 2021 @12:24PM (#61380554)

    If it was crypto those hackers are screwed. Everyone knows that the anonymity that bitcoin provides is only at the surface. Anyone who really wants to put in the effort to track you can, even if you are trying to do some fancy laundering. And in this case I'm thinking the anyone are the FBI (with help from their 3 letter cousins). And I'm thinking that unless these hackers are deep in Russia proper, they're going to get caught in about 9-18 months. Even if they are in Russia, it's likely Putin will have more use for them as trading pieces for negotiations with the West than anything else.

    You got to monitor your systems and know when to walk away...hitting a small regional hospital, mid-sized city, you can still stay under the radar. Hit 'Muricans at the gas pumps and literally we'll start a war.

    • by DarkOx ( 621550 )

      it's likely Putin will have more use for them as trading pieces for negotiations with the West than anything else.

      Hard to say. That will come down to public perceptions. If the public comes to regard this group as a team of elite cyber terrorists then they will have value to the administration. It will be politically useful for various government agency heads and the president to show "they did something and put some bad hombres out of action!"

      On the other hand if they choose to spin this as being done by some "seriously bad dudes" they both give Putin something of value to trade, and expose themselves to uncomfortabl

    • You're right in that BTC is 100% transparent. However, there's other cryptos out there than BTC. Even if the payment was made in BTC, it would most likely be transferred through Monero or a similar clone to execute additional transfers with complete anonymity.

      https://www.getmonero.org/ [getmonero.org]
    • Despite what you may think about its traceability, laundering exists for cryptocurrencies. [slashdot.org] It's a highly attractive option too because the losses are minimal when compared to laundering cash which is about a 50% loss rate.

      • by jythie ( 914043 )
        And when you are talking millions in payout, one can probably afford to launder through a few layers, thus using the strengths of both and weaknesses of neither.
      • by ceoyoyo ( 59147 )

        Yeah, laundering bitcoin works just fine. Except that there's a big sign on your wallets (input and output) saying "yo, this dude visited the laundromat!"

        • Except that there's a big sign on your wallets (input and output) saying "yo, this dude visited the laundromat!"

          Cryptocurrency laundering works by mixing legal funds and illegal funds. What this means is potentially millions of legitimate cryptocurrency wallets have a single launderer in the history of their cryptocurrency despite having no involvement with cryptocurrency laundering. The launderers that insufficiently launder funds are the ones that get caught. Thus far, only a handful have been caught.

          • by ceoyoyo ( 59147 )

            Regular money laundering works the same way. If cryptocurrency ever catches on then you'll be able to set up a casino or restaurant or some other business that at least theoretically attracts enough legit users to obscure the bad. With the dearth of legit uses for cryptocurrency right now, and the impossibility of hiding transactions, your mixing service is just begging for a visit from local state security. All your customers too, legit and otherwise. Could be next week, or it could be a decade from now. A

    • by g01d4 ( 888748 )

      still stay under the radar

      Law enforcement sat on its hands dealing with this issue until it was too late. Just as bad as the indifferent security implemented by Colonial.

  • by dark.nebulae ( 3950923 ) on Thursday May 13, 2021 @12:28PM (#61380578)

    The US govt keeps talking about cybersecurity for infrastructure, but a big chunk of that infrastructure is owned and operated by private, for profit businesses. These jokers were maintaining profit by not investing in and maintaining their own cybersecurity. The same reason the electric grid in Texas failed because the company maintaining it did not want to lose profit investing in something they didn't think would happen.

    Even now the bean counters at Colonial are probably like "$5 mil for that security breach, we saved a ton of money by not beefing up our security, by not staffing a team of security experts, by not investing in pentesting, and by not continuously applying product updates for OS, services, applications and tools that we use. Yay, more profit for us!"

    And as we've seen by the panic buying of gas, at this point really any attack is going to trigger panic buying by the herd of sheeple getting their news from alt-right sources.

    Penetrate and hack Sysco for example (a major food distributor to restaurants and stores in the US) and people will start clearing the shelves. Hold Firestone (a tire manufacturer) for ransom and people will start hoarding tires.

    The government doesn't get that it is not just the water and power that needs protection and can cause disruption. Those might be on a larger scale, but even a hit on a private company like this can have a major impact on people, on the economy, etc.

    • Amen. Time and time again, private companies show that the MBA's they hire to run things are no better than monkeys. You might as well just pay them in bananas. They make the government look like paragons of efficiency. There's no substitute for hiring people who care about doing a good job and rewarding them when they do.

    • While true, this is like saying that stores have a shoplifting problem because they are too cheap to invest in adequate security. It's blaming the victims for the crime.

      Should companies take better precautions? Yes. But let's not blame them for being "too cheap" for failing to build a fortress around their digital assets to fend off roving bands of criminal hackers. Instead, let's get better at tracking down and punishing the hackers.

  • by JoeyRox ( 2711699 ) on Thursday May 13, 2021 @12:28PM (#61380582)
    Running a hacker-provided tool on their systems doesn't sound like a great idea to me.
    • by thegarbz ( 1787294 ) on Thursday May 13, 2021 @03:20PM (#61381398)

      Running a hacker-provided tool on their systems doesn't sound like a great idea to me.

      Hackers, even the evil kind do have a big incentive to follow through and correctly and non-nefariously remove the encryption after a ransom is paid, otherwise they'd have very little hope for future business.

      These are criminals not politicians we're talking about, they still have some integrity.

  • $5 million is peanuts in the grand scheme of things. It will probably cost more in IT services to rebuild all of those Windows systems. Colonial pumps 100 million gallons per day. They could easily tack on a fraction of a cent for a few months to pay that ransom and nobody would care. But the longer they fart around pointing fingers and f*cking TALKING, the worse things get.

  • Sting operation (Score:5, Interesting)

    by Dan East ( 318230 ) on Thursday May 13, 2021 @12:39PM (#61380630) Journal

    This sounds like a sting operation, where the FBI told them to go ahead and pay so they could better track the hacker's organization and follow the cryptocurrency as it's transferred and spent.

    • The hackers are in Eastern Europe, they don't care fuck all about the FBI (they have zero jurisdiction).
  • by schwit1 ( 797399 ) on Thursday May 13, 2021 @12:43PM (#61380642)

    We've all read enough stories here to know that cryptocurrency IS traceable given enough time and resources.

    • by daten ( 575013 )

      Even more interesting to me, the actual article says "The company paid the hefty ransom in difficult-to-trace cryptocurrency within hours after the attack"

      So did the submitter change it to "untraceable"?

  • Let's face it they treated it as a joke. We know they did. We have all been in the position to see the dullards at the top completely miss the point of spending money on security.
    • IT security is a lot like partying: It costs money, but money usually isn't the problem.

      The problem is IT departments not having a clue what they are doing. Giving those more money just means that they will buy more "security in a box" solutions which wouldn't have prevented this. Most of the problems which make such attacks too easy were actually caused by spending money on things that are inherently dangerous. Installing Active Directory costs money, installing Office software with scripting facilities cos

      • by DarkOx ( 621550 )

        Most of the problems which make such attacks too easy were actually caused by spending money on things that are inherently dangerous. Installing Active Directory

        There are absolutely risks with things like Active Directory. On the other hand it's easy to forget things like AD exist to solve older security problems. Without central authentication it is really hard to have a concept of identity when it comes to systems access, without which audit becomes impossible; so you have a different set of risks. Without central authentication how to effect access control changes when someone leaves the organization, what about when people change departments or roles how to preserve

      • by jythie ( 914043 )
        Building off your point.. beyond budget and incompetence, another major issue is competing requirements. Generally these systems get set up in order to make people's jobs easier or more productive, and are insecure because often good security makes other people's jobs more difficult or less productive. There are a whole bunch of competing priorities that can be really difficult to balance since, while looking at the perspective of one you can call all the others 'unimportant', this can almost always get f
        • Well there is a solution here is to consult the users to find good solutions for their demands. Essentially it's a process of finding out what the users want, not what they say they want. If they still insist on a risque solution you should warn them of the risks in writing and let them sign the order.

  • by battingly ( 5065477 ) on Thursday May 13, 2021 @01:02PM (#61380746)
    This only cost Colonial $5M. However, the next 100 victims who will be attacked because Colonial paid up will have to pay a total of $500M. Colonial just put a huge cost burden on the rest of society.
  • While I generally don’t like to start with an explicative shitgoddamnhellfuck, don’t they get it? This means that the cost of defense has gone up so significantly due to the “easy payback” the criminals get.

    I get that it isn’t a huge deal for the company, and that it would theoretically save them money and protect trade secrets, but you have to break the cycle.

  • Pay the Russian mob $1,000,000 to hunt them all down and kill them.
    • by Ksevio ( 865461 )

      Is that like when people demand the police investigate themselves and hold themselves accountable?

  • As a sidebar to this subject: we need to disconnect critical infrastructure from any sort of remote access, especially internet-connected (even through a VPN, even through all the firewalls) so it's not possible for cyberwarfare / cyberterrorist / cybercriminals to attack those assets like this.
  • by jhylkema ( 545853 ) on Thursday May 13, 2021 @02:17PM (#61381126)

    From TFA, the decryption tool they received was too slow:

    Once they received the payment, the hackers provided the operator with a decrypting tool to restore its disabled computer network. The tool was so slow that the company continued using its own backups to help restore the system, one of the people familiar with the company's efforts said.

  • by jhylkema ( 545853 ) on Thursday May 13, 2021 @02:22PM (#61381134)

    The CEO will still get tens of millions in bonuses even after this blatant dereliction of duty. Because freedom.

    MURICA!

  • Colonial Pipeline has always passed their cost to the consumers and will face little consequences. Colonial would probably make record profit out of this if Americans could remember the example of who made the most out of the Texas grid debacle:

    These companies marked up their sales to power plants delivering billions of dollars in windfall revenue, according to a raft of first-quarter earnings reports. Chief among them is Energy Transfer, one of the state’s biggest operators of natural gas pipelines

  • by jythie ( 914043 ) on Thursday May 13, 2021 @03:01PM (#61381288)
    And this is why BTC keeps having value. As ransoms become more common, and they must be paid in BTC, that drives demand. Doesn't matter how poor of a currency it is, doesn't matter how useful it is, criminals have essentially duplicated the old pattern of 'gold/silver/USD has value because that is what you pay your taxes in' by making its purchase and transfer a business reality.
  • by Roogna ( 9643 ) on Thursday May 13, 2021 @03:20PM (#61381400)

    A reminder that backups are only as useful as their ability to be restored

  • Just think how easy it would be to pay a junior admin to install the updates on your Exchange Servers?

  • by Froze ( 398171 ) on Thursday May 13, 2021 @03:36PM (#61381510)

    Calling earthworm, calling earthworm, this is altimeter one.

    This is earthworm, go ahead altimeter one.

    earthworm, can you confirm the laser paint on the digital signature?

    affirmative altimeter one, signature is bright.

    earthworm be aware there is one hot on the rail and this will be danger close.

    This is earthworm, we are dug in and waiting for the show to start. ...

  • As someone who was head of IT security at a site that had nasty enough chemicals that Homeland Security got involved and audited us. We were one step down from a nuclear site. All the fluff and great countermeasures were in the books and audited. But they were fluff because they had no teeth. All it took was one babied person at the executive level to bitch that the "requirements" were too onerous and that he had a business reason for not doing things, then it would not be done. There were no teeth and the f

  • Bitcoin has dropped so far they're only getting $4 million! HA HA!
  • "untraceable cryptocurrency" isn't a thing. Every one of those coins is tainted now. The crooks will fuck up in a few years and use part of a coin they've forgotten to launder correctly and boom, found you.
