US passes emergency waiver over fuel pipeline cyber-attack (bbc.com)
611 points by selfsimilar on May 10, 2021 | 451 comments



All: please don't post flamebait such as calls for war and whatnot. It's incredibly tedious. We're trying for interesting conversation here.

https://news.ycombinator.com/newsguidelines.html


Colonial Pipeline precisely does keep its control network disconnected from the internet - the only thing that was ransomwared is their corporate network. They shut the pipelines down voluntarily to prevent further spread.


If we define critical system as "necessary to the operation of the business" then the corporate system is absolutely critical. It doesn't matter if the SCADA system is airgapped if you can shut down the capability by crashing the corporate systems.


Their approach makes a lot of sense. Corp network hacked - so to be careful shut down pipeline until you've really made sure that you are fully safe pipeline side as there now may be more attack vectors.


I built some of the SCADA and IT systems for Colonial Pipeline.

Many industrial SCADA systems (nearly all) send data from their "OT" systems (PLC/DCS/SCADA) to their "IT" and business layers (Historians/Timeseries Databases, Dashboards, Power BI/etc). This almost always happens through a two-way link (think TCP/IP, HTTP). While the software should not allow data flow backwards, the hardware absolutely does. So how much do you trust the software?

I often advocate that industrial SCADA systems utilize "data-diodes", one-way opto-isolators, or other physically verifiable methods of confirming that no information/data/instructions can get from a "higher" layer (OSI Pi, PowerBI) to a lower layer (Allen-Bradley PLC, Siemens PLC, Emerson DeltaV DCS, etc).

Convincing the powers-that-be to do this has been incredibly impossible in most places and a large reason why I'm trying to transition to a different space - I simply have had ethical concerns about providing engineering services to critical infrastructure without building in best practices.

Stuxnet was over a decade ago - I don't understand how these protections aren't mandated by the DHS already.

Disclaimer: I don't think it's reasonable for non-involved people to assume the OT side has been compromised. I do think Colonial will need some time to verify the integrity of their SCADA systems and it makes sense to keep the power to the physical devices (valves/pumps) offline until they do. I understand why they chose to shut down but I don't think there's any evidence that they'll be unable to start back up again.

Lastly, I saw a quote in one article:

>>> Digital Shadows thinks the Colonial Pipeline cyber-attack has come about due to the coronavirus pandemic - the rise of engineers remotely accessing control systems for the pipeline from home.

I strongly doubt this. It's possible, of course. But it's extremely unlikely to me that employees would have remotely accessed OT/SCADA systems from home. No one I've worked with has had that capability enabled.

Many companies use products which have been shown to have flaws, like Citrix or various corporate VPNs. These could be compromised to get access "closer" to the OT layers but never directly into it.

Onion layer security is very much practiced everywhere I've been.

Edit: I have heard of some petrochemical facilities moving towards allowing operators and engineers to manipulate valves/pumps on their iPhones. This horrifies me for many reasons. I've never actually seen it implemented and I always bring up Stuxnet when I hear people mention it. I personally believe that DHS should make this sort of thing illegal for critical infrastructure. Many good engineers disagree with me.


Dan Kaminsky spent an enormous amount of time and effort on creating a secure hardware framework 10 years ago. It went nowhere for a lot of the same reasons you discuss in this comment.

The government and industry are all talk. Until we see actual enforcement / incentives for secure hardware, just assume everything (and I mean everything) can get shut down at any time. The only people who think this is an exaggeration are those who haven’t seen what things actually look like on the inside.


> Dan Kaminsky spent an enormous amount of time and effort on creating a secure hardware framework 10 years ago.

Can someone please link me to a page that goes into more detail about this secure hardware framework? Not a month from his passing, and we get a national-security-level attack that might have been prevented if US business took more seriously software engineering and security engineering from back then.

Also, I cannot help but wonder if Dan would still be with us if the irretrievably broken US healthcare system was a national system that supplied him with an inexpensive CGM and insulin no matter his employment situation.


There were a bunch of people who worked with him on this in Taiwan. I don't think anything ever got released publicly, and I think Dan found the whole episode to be so frustrating that he never commented on it much in public.


I’m curious — how would something like a data-diode work in real life? It makes sense, but what about something like TCP where the sending side needs the ability to receive ACK messages? Is a firewall (dedicated, if need be) enough?

Or would this be some other kind of physical interface that took some kind of read-only data (serial?) and sent it up the layers using TCP/IP, where only this box would be at risk?

Edit: looks like you answered part of this below — you suggest switching to UDP protocols.


TCP would not be possible if your physical layer doesn't support two-way communication. I think UDP would.

Firewalls are currently used, and probably generally configured well. Petrochemical companies have a many-layered onion security strategy with minimal communication paths through the firewalls. Generally you might have 4-8 layers of firewalls from public facing internet to the PLC/DCS/SCADA. Administrative people might VPN 1-2 layers deep and engineers would at worst get remote access to the historian, 1-2 firewall layers above the PLC/DCS/SCADA.

It's my professional opinion that firewalls are not good enough for critical infrastructure. Even a completely air-gapped system was hacked thoroughly over a decade ago in Iran (See Stuxnet).

Your suggestion would suffice, if that box ("gateway", in the IoT parlance) was connected with a one way physical connection to the SCADA system over serial or what-have-you. Then it could communicate with TCP using existing application stacks.

I am designing a system like this at my current job, where luckily we are a small enough team so people have genuinely listened to my suggestions about this.

However, good engineers often disagree with me. I may be overly zealous on this particular issue and I take a lot of criticism about how dogmatic I am at times. I'm not a senior engineer by any stretch.


> I’m curious — how would something like a data-diode work in real life?

Low, fixed-bitrate transfer over unidirectional fiber optics. Unidirectional transceivers are the norm for long-haul fiber.

My local electrical utility is still running 11.52kbps RS-232 over fiber for exactly this reason. At those bitrates you don't need backpressure -- your disk will never fill up and if the CPU can't handle that bitrate you already have much larger problems.

It's kind of funny that they have sheaths where one strand is running this piddly dozen-kilobit protocol and other strands in the same sheath are doing 10gbit/sec * 16-channel CWDM.

Most electrical utilities are into fiber optics in a very big way; they already (usually) own the poles and unlike copper it's nonconductive. Many of them have vastly more strands of fiber between substations than they need.


> how would something like a data-diode work in real life?

The ones I have worked with convert a TCP stream to UDP, send it across the diode, and then convert it back to TCP. Each UDP packet has a sequence number and there is a single reverse-diode that is fired when a packet is missed or arrives out of order that triggers a retransmission of the last N packets.
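The transport described in the comment above, as an added example that is not the commenter's code or any vendor's product: a byte stream is cut into sequence-numbered datagrams, pushed over a channel that only carries frames one way, and reassembled on the far side. The only return path is a contentless "retransmit" pulse that replays the last N frames. The names (`Frame`, `DiodeSender`, `DiodeReceiver`, `transfer`), the frame size and the loss pattern are assumptions constructed for this illustration; the second run shows the inherent limit of the design, a frame lost before it fell out of the replay window cannot be recovered.

```python
"""Added example (not from the original comment): a model of the data-diode
transport described above. A byte stream is cut into sequence-numbered
datagrams, pushed over a channel that only carries frames one way, and
reassembled on the far side. The sole return path is a contentless
"retransmit" pulse that replays the last N frames. Names, frame size and
the loss pattern are assumptions constructed for this illustration."""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    seq: int        # monotonically increasing sequence number
    payload: bytes  # a slice of the original stream


class DiodeSender:
    """Protected (OT) side: chops the stream and keeps the last N frames for replay."""

    def __init__(self, channel, mtu=4, history=8):
        self.channel = channel                # one-way link: the sender only ever appends
        self.mtu = mtu
        self.next_seq = 0
        self.history = deque(maxlen=history)  # ring buffer of recent frames

    def send(self, data: bytes) -> None:
        for i in range(0, len(data), self.mtu):
            frame = Frame(self.next_seq, data[i:i + self.mtu])
            self.next_seq += 1
            self.history.append(frame)
            self.channel.append(frame)

    def on_retransmit_pulse(self) -> None:
        """The reverse diode carries no data: all the sender learns is "resend"."""
        for frame in self.history:
            self.channel.append(frame)


class DiodeReceiver:
    """Enterprise (IT) side: reorders, detects gaps, fires the pulse, reassembles."""

    def __init__(self, pulse):
        self.pulse = pulse        # callable that fires the reverse diode
        self.expected = 0         # next sequence number needed, in order
        self.pending = {}         # frames that arrived ahead of a gap
        self.nacked = set()       # gaps we have already pulsed for
        self.pulses_sent = 0
        self.out = bytearray()

    def receive(self, frame: Frame) -> None:
        if frame.seq < self.expected:
            return  # stale copy from a replay; already delivered
        self.pending[frame.seq] = frame
        if self.expected not in self.pending and self.expected not in self.nacked:
            # a newer frame arrived while the one we need is missing: request a replay
            self.nacked.add(self.expected)
            self.pulses_sent += 1
            self.pulse()
        while self.expected in self.pending:
            self.out += self.pending.pop(self.expected).payload
            self.expected += 1


def transfer(data: bytes, drop_first_time=frozenset(), mtu=4, history=8):
    """Push `data` across the modelled diode. Frames whose sequence number is in
    `drop_first_time` are lost the first time they cross (constructed loss).
    Returns (bytes delivered, pulses fired, whether the whole stream arrived)."""
    channel = []
    sender = DiodeSender(channel, mtu, history)
    receiver = DiodeReceiver(pulse=sender.on_retransmit_pulse)
    sender.send(data)
    seen = set()
    while channel:
        frame = channel.pop(0)
        first_sighting = frame.seq not in seen
        seen.add(frame.seq)
        if first_sighting and frame.seq in drop_first_time:
            continue  # the link ate this datagram
        receiver.receive(frame)
    return bytes(receiver.out), receiver.pulses_sent, receiver.expected == sender.next_seq


if __name__ == "__main__":
    sample = b"pressure=51.2 psi;valve9881=OPEN"   # constructed telemetry record
    print(transfer(sample, {2, 5}))              # one pulse replays the window; stream completes
    print(transfer(sample, {0}, history=2))      # loss older than the replay window: unrecoverable
```

The receiver pulses at most once per gap, so a burst of out-of-order frames does not trigger a storm of replays, and duplicates from a replay are dropped by sequence number. The `history=2` run is the caveat a practitioner wants: the replay window must be sized for the worst-case loss burst, because the outside can never ask for a specific frame.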


I have heard some plane infotainment systems use a 1-way optical link to solve this problem to get the speed/altitude/etc to the displays. It just receives the data as a downlink (no 2-way communications) and being optical it's electrically isolated as well as impossible to transmit or even interfere the other way.


That was FUD[1] spread by Chris Roberts who has been called out for it. He claimed he was able to issue climb commands from the IFE to the CAN bus.

Apart from this being technologically impossible, if he had really done it he would have been charged with endangering an aircraft and prosecuted. (So the only explanation for why he isn't in prison is that it didn't happen.) The technical reason is that data diodes are common in aviation to separate the IFE from the CAN bus or position data (e.g. in ARINC).

[1] https://www.pentestpartners.com/security-blog/a-pen-testers-...


If you don’t allow 2-way comms to SCADA devices, how can you set values on those devices. For example, open valve 9881 to 10% … how would that be done?

SCADA devices are not read-only.


That functionality would be local, before the one-way isolator. A human at a terminal located near the valve could still press a button to make that happen. That system could even be running windows (most are!).

But a hacker wouldn't be able to use their access to the Timeseries database for supply chain and logistics, to pivot to the SCADA system because their attempts would be blocked by a lack of a physical layer connection in that direction.

It would significantly reduce the attack surface of the OT systems.


I think the original use-case was delivering data for use in dashboards or other business systems, not the SCADA network in general (where you’d want write access). So, places where you might want to get read-only data from a secured system, but not allow write access. These business/reporting systems might be internet connected, hence the desire for better isolation.


You don't let remote systems open valve 9881.

That would be like deploying the landing gear of the airliner, because someone triggered a bug while changing the channel on the in-flight entertainment system.


The whole point of SCADA systems is that you can open and close valves remotely, without requiring to drive hundreds of miles along the pipeline to wherever the particular valve is located.


Industrial applications use unidirectional gateways (See NIST 800-82r2). The gateways have diode-like hardware at their core, but add software. The software acquires snapshots of industrial state, converts those snapshots to proprietary unidirectional protocols & formats, and on the external enterprise network makes the data available to enterprise users.

A common example is a SQLServer database of all industrial data that is authorized to share with the enterprise. Grab new and changed data as it arrives on the industrial side. Push unidirectionally to the enterprise side. Insert/update the data in an identical SQLServer. Enterprise users & applications interact normally and bi-directionally with the replica database.

The technology is used routinely to provide access to industrial data that enables business efficiencies, without providing access to the industrial systems that produce the data.

For more info see: https://waterfall-security.com
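The replication pattern in the comment above, as an added example that is neither the commenter's code nor any vendor product: the inside half polls an authorized table for new or changed rows and pushes snapshots over a one-way channel; the outside half upserts them into a replica that enterprise users query and even modify bidirectionally, with no path by which those modifications reach the industrial side. SQLite stands in for the SQL Server pair, and the table layout, tag names (including the `valve_9881_pct` tag borrowed from the thread) and values are constructed for this illustration.

```python
"""Added example (not from the original comment or any vendor product): a toy
unidirectional gateway in the NIST SP 800-82 sense. Inside polls an authorized
table and ships snapshots of changed rows one way; outside upserts them into a
replica. Table layout, tag names and values are constructed for illustration."""
import json
import sqlite3

SCHEMA = "CREATE TABLE tags (tag TEXT PRIMARY KEY, value REAL, updated INTEGER)"
UPSERT = ("INSERT INTO tags (tag, value, updated) VALUES (?, ?, ?) "
          "ON CONFLICT(tag) DO UPDATE SET value = excluded.value, updated = excluded.updated")


def make_db(rows=()):
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    db.executemany("INSERT INTO tags VALUES (?, ?, ?)", rows)
    db.commit()
    return db


def read(db, tag):
    return db.execute("SELECT value FROM tags WHERE tag = ?", (tag,)).fetchone()[0]


class InsideGateway:
    """Industrial side: acquires snapshots of changed rows; never reads the channel."""

    def __init__(self, inside, channel):
        self.inside, self.channel = inside, channel
        self.high_water = -1  # largest 'updated' stamp already shipped

    def poll(self) -> int:
        rows = self.inside.execute(
            "SELECT tag, value, updated FROM tags WHERE updated > ? ORDER BY updated",
            (self.high_water,)).fetchall()
        if rows:
            self.high_water = rows[-1][2]
            self.channel.append(json.dumps({"rows": rows}).encode())  # snapshot crosses the diode
        return len(rows)


class OutsideReplica:
    """Enterprise side: applies snapshots; holds no handle on the inside database."""

    def __init__(self, outside, channel):
        self.outside, self.channel = outside, channel

    def drain(self) -> int:
        applied = 0
        while self.channel:
            snapshot = json.loads(self.channel.pop(0))
            self.outside.executemany(UPSERT, snapshot["rows"])
            applied += len(snapshot["rows"])
        self.outside.commit()
        return applied


def run_demo():
    """Full sync, an incremental sync after an inside change, then a write to the
    replica (what a compromised enterprise account could do) that never reaches
    the industrial table."""
    inside = make_db([("pump_1_rpm", 1480.0, 100),
                      ("valve_9881_pct", 10.0, 101),
                      ("line_psi", 812.5, 102)])   # constructed process data
    outside = make_db()
    channel = []                                    # frames only ever flow inside -> outside
    gateway = InsideGateway(inside, channel)
    replica = OutsideReplica(outside, channel)

    first_sync = gateway.poll()
    replica.drain()
    inside.execute("UPDATE tags SET value = ?, updated = ? WHERE tag = ?",
                   (25.0, 103, "valve_9881_pct"))  # operator changes a setpoint on the OT side
    inside.commit()
    incremental = gateway.poll()                    # only the changed row is shipped
    replica.drain()
    replica_valve = read(outside, "valve_9881_pct")

    outside.execute("UPDATE tags SET value = 100.0 WHERE tag = 'valve_9881_pct'")  # enterprise-side write
    outside.commit()
    return {
        "first_sync": first_sync,
        "incremental": incremental,
        "replica_valve_after_sync": replica_valve,
        "inside_valve_after_enterprise_write": read(inside, "valve_9881_pct"),
        "replica_valve_after_enterprise_write": read(outside, "valve_9881_pct"),
        "rows_shipped_after_enterprise_write": gateway.poll(),
    }


if __name__ == "__main__":
    print(run_demo())
```

The high-water mark makes each poll incremental rather than a full table copy, and because the gateway object on the inside never reads from the channel, the replica can be corrupted or ransomwared without the industrial table noticing; the worst case for the enterprise is stale data, never a changed setpoint.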


That can work. Or you can have A use TCP to B, C use TCP to D, and B and C are connected by a very short one-way cable, maybe something optical.

The US government term of art for this pattern is a “guard”, often with a regex or manual filter.


A data diode doesn't have to be just a one way ethernet port, it can include a pair of dedicated servers.

The inside (isolated) server would poll everything, store it into a buffer, and send that buffer (plus error correction) out through an optoisolator to other server.

The outside (internet facing) server would then keep up with the ring buffer, and serve requests, and do any outbound push of data via any protocol required.

A system to do this could be made with a pair of Raspberry Pi computers and a little bit of discrete components for less than $150 in hardware costs.


> how would something like a data-diode work in real life?

A webcam? Second hand, but that's what I was told a dam operator was using as a "grass-roots" solution a while back


Not sure, but seems like literal diodes on the data line would work? Probably packaged to make it plug and play.


Excellent info, thanks.

"OT" vs "IT":

"Operational Tech" (pipeline and safety-critical monitor and control)

and

"Information Tech" (payroll, email, other business stuff)

?

I could only imagine trying to tell a large corporation that their "IT" authentication system can't be linked to the access card keys for the front gate, or whatever other physical security they might have in place.

It doesn't matter if we can formally prove that a remote access system is sufficiently secure as to allow engineers to operate valves and pumps from home... For inevitably, some months from now, a wildly insecure utility will be connected to that, and you lose the ability to reason about how to keep the streams from crossing.


Easiest opto-isolator is to epoxy the sfp into the socket, and then fill the rx port on the critical side with epoxy, and then just run one fiber. The epoxy may seem excessive, especially if the sfp dies and you have to swap a whole nic, but it makes people stop and think.


Do you think Colonial identified some "physical world" risk, as in the possibility of a pressure overload or pipeline leak? I imagine that verifying the integrity of these SCADA systems is a very complex task, so I'm wondering if they've already identified a possible attack vector/entry point or if this was entirely preventative.


I have no idea. Shutting down preventatively would be smart, and they had good leadership in their IT space while I was there. Friendly people who could make the hard decisions quickly, weren't afraid to pick up the phones to call people, and supported the growth of struggling employees without letting shoddy work get approved. They were also good at managing large multi-year and nation-wide project campaigns - a rare skill in this world.

That said, determining whether or not a system was compromised can be incredibly difficult. I'm sure they'll face massive pressure to turn the pipeline back on as it does supply almost half of the east coast with oil. I wouldn't want to be the person who has to make that call when it's impossible to prove a negative.

CPC had two explosions a few years back which caused gasoline shortages in New England; that may provide an indication of the scale of disruption to expect.


Thanks for the response. It's amazing to have a community where "subject-matter experts" like yourself just pop up.

I'm quite surprised and comforted to hear that the leadership there is competent and knows how to manage people. I've heard from friends/acquaintances who have worked in the energy industry about how terribly things are put together on an IT front (PG&E being a prime culprit), so I was expecting the same here.

I really like your "data-diodes" concept. Interested to see if such a thing takes off especially as these attacks evolve.


That's why physical write-enable switches are a must for ROMs. If it's "off", the malware won't survive a reboot.


> I personally believe that DHS should make this sort of thing illegal for critical infrastructure.

I can't speak to non-electrical infrastructure, but the NERC CIP "high impact" standards already make it largely impossible to operate critical electrical infrastructure from anywhere other than a secured control centre. Operating from your laptop or iPhone from the kitchen table is however allowed for "low impact" assets like small power plants.


I also wonder why nobody who has secure computing issues demands physical write-enable switches for ROM, rather than using software switches that are inevitably corrupted.


Generally it's been the opinion that the control systems need to be modifiable. For example if you add a single valve in a facility which has 4,000 valves already, it would be nice to just add a controller for that valve to the current SCADA system.

However, a write-only ROM system is possible as long as the ROM chips were reasonably affordable and a company could provide reasonable turnaround times for small modifications. That would move the target of vulnerability up the supply chain.

Some of the things which matter though are necessarily run-time variables like "is the valve commanded open or closed?" and "what are the tuning parameters for this PID control loop?". It's always theoretically possible for a buffer overflow/rowhammer/etc to flip the bit responsible for the valve's open/closed command. Even with an OS/Application stack burned into ROM. You still need RAM.

At least power cycling a read-only storage device would remove any malicious RAM changes.


Thanks for your many informative posts here. It's a pleasure reading from someone who knows what they're talking about :-)

I did say ROMs, but you can also use EEPROMs, which are erasable in-circuit, and you certainly put a physical write-enable in that circuit. Ideally, it would be a momentary push-button that has to be pushed in person on-site.

Back in college we used EPROMs, which are erased by putting them for 20 minutes or so under a UV lamp. EEPROMs came out later.


Another thing that can be done is to divide the pipeline into several sections, not just one long one. So if one section gets compromised, it doesn't propagate to the next.


Do you propose that each section gets its own control/monitoring facility staffed 24/7? If not, the shared control/monitoring facility is the most likely place of compromise anyway, and it by design can control all the pipeline hardware.


I'm not sure how that would work-- each section would still need to send its petroleum products to the next section, making it effectively still one pipeline. Unless I misunderstand your statement?


Consider cars on a freeway. There is no central control. Each car controls itself, cooperating with its neighbors. If one car goes berserk, it doesn't take down the whole freeway.

With a pipeline, if sections operated autonomously but cooperated with each other, and one goes berserk, its neighbors will shut down, but they won't be damaged. The repair work only has to repair the one section.


Ah, I see. Not segmented pipeline, segmented pipeline control. That makes a little more sense. However it might make it significantly more difficult to make coordination between segments possible: The self organizing behavior at work with car driving may be significantly different than what is required for a pipeline.

People driving cars are essentially doing what is best for themselves individually (within the bounds of the law), and that ends up translating to something that works for the whole. With a pipeline, that might not work: If pressure gets too high in one area, it might take highly coordinated control across thousands of miles to bleed off contents into buffer tanks & ease pressure a dozen segments away.

I'm not saying that couldn't be done, I'm sure the SCADA systems could be isolated from each other in this way, it just seems like it would require a lot more difficulty with explicit coordination between technicians, not a self-organizing system such as with driving on a highway.


Is there evidence or suspicion the ransomware is on the controller HMIs, infected from enterprise connections?


Is there indication or speculation the ransomware is on the controller HMIs, or is it enterprise?


I have no idea why they would do that unless the system was not airgapped properly or it was hard to untangle the admin network from the control network (in which case, the control network is effectively not airgapped).


Flash drives.

I used to work in fabs and every couple of years some tool or other would get a virus, sometimes it spread through the network.


USB ports are generally disabled in BIOS or purposefully physically damaged on most OT systems I've worked on for oil/gas/chemicals. Many places are fond of using epoxy to block the ports.


I like those people. The problem being sometimes you need logs or data off tools. I’m far from an IT wizard so I don’t know what other solutions exist but the flash drives to get stuff off tools was the easiest


It makes some things more difficult. CD/DVDs are generally used instead. Sometimes other computers could be connected but in that case there would be some organizational procedure for attempting to make sure that other computer was as low risk as possible.

You can't eliminate the possibility of malicious action, Stuxnet proves that. It's my opinion that at least for critical infrastructure we can probably make things much more difficult for our adversaries at a relatively low cost. This pipeline is purported to carry half the gasoline/diesel/heating oil to the east coast, but I'd be lying if I said I knew exactly where the cost-benefit equilibrium should land.


I'd be lying if I claimed I knew...but I would be willing to bet that cost-benefit analysis was made a long time ago before these concerns became so timely.


Please explain why shutting down the pipeline will contain the hack?


You need the SCADA systems to run the pipeline. They control the pumps, valves, product sequencing, etc. So Colonial purposely shut down the pipeline to prevent the SCADA system from getting affected, which might cause physical damage that truly would be a catastrophe.


I'm really confused: the pipeline is resilient to a hack: they just shut down the pipeline so it won't be 'affected' (hacked?)?


It was intended to be airgapped, but we're talking about a pipeline that is several thousand miles long, with many pumping stations and delivery terminals. All it would take is one of the SCADA systems at one of those locations to suddenly open a valve and dump petroleum out into the environment to cause a disaster.

Or worse - rapidly open & close valves in rhythm, and the water hammer effect (the inertia of the petroleum in the pipeline) would cause the pipeline to destroy itself. The repair costs would be astronomical - you'd naturally have to repair the damaged sections, but then also re-test all the welds to see if any had been weakened by the pressure pulses.


It was not intended to be air-gapped. These systems generally communicate to business layers through firewalls.

Onion-layer security rather than air gaps. Communication through the firewall isn't supposed to allow control over the valves, but it does communicate both ways (TCP/IP). This is the general practice in petrochemicals, at any rate.


In airplanes, this is dealt with by having an independent system monitoring things.

Think what would happen if the autopilot suddenly went berserk and did a hardover.


It can be already hacked, but while power to the valves and pumps is removed the SCADA system hacks can't cause physical damage.

I haven't seen any evidence that the "OT" side of their network was compromised in a way that would cause physical damage, a la Stuxnet.


And to add, it’s perfectly possible that the pipeline networks were air gapped (Ed: which I don't believe) but you still need to shut down.

I could imagine a situation where information from another network (e.g. orders or incoming flows from another customer or user) is necessary to run the pipeline but unavailable to use to operate the pipeline control system.


I saw Robert Lee of Dragos giving an opinion on that here https://www.reuters.com/business/energy/knowns-unknowns-abou... but did they confirm that officially?

>Colonial has not given any public indication as to the reach of the ransomware outbreak, but Robert M. Lee, chief executive of cybersecurity firm Dragos, said he believed Colonial's operations network was shut down proactively "to make sure that nothing spread into those systems."


We detached this subthread from https://news.ycombinator.com/item?id=27101293, which was a generic subthread, because the discussion turned more relevant at this point.

(To a first approximation, generic == less interesting and specific == more interesting on HN: https://hn.algolia.com/?dateRange=all&page=0&prefix=true&sor...)


Any source for that?


Why is the network constructed in such a way that it allows things to spread?


Super common. A lot of companies have this hard on the outside gooey on the inside model (aka flat network structure).


Most petrochemical companies have an onion structure. There are lots of layers of firewalls with what are supposed to be limited communication paths for specific applications.

We need to move to using physical layers where data can only be transmitted in one direction (and then use something like UDP)


it's always means it is (or it was); it's never possessive.


That gang may have bitten off more than they can chew. They've now gotten the US government involved officially, which means that beyond the sheer mass of resources that will go into tracking this gang, the government also has something to prove now.

Being at the center of an international incident is probably not good for business.


When you said “the gang”, I had an image of the gang from “It’s Always Sunny” writing their first virus and this being the result. I’d watch that episode.


When the Feds catch up to them, Dennis and Mac are loading frozen beef into the back of his car and are legitimately confused by what the cops are saying. They moved past the virus several weeks ago and have had literally dozens of plans since then.


And then Charlie walks out and goes "Ooooh, uh oh, uh yeah, guys you know what... I think I know what they mean. Last week when everyone was talking about the virus, I had just watched this really cool cyber hacking movie on TV the night before, so I kinda zoned out and didn't know what our next scheme was, so when I went home I paid someone on the darkweb for a virus just like in that movie-"

Dennis: "How the hell do you have money to pay people on the darkweb Charlie?"

Charlie: "KittenCoin"

Dennis: "Oh god dammit, KittenCoin? You did that huh? Alright, checks out. Anyways, so then what happened?"

Charlie: "Well then I didn't really know what we were doing still, so I just emailed the file the Russian kid sent me to your email, but I totally messed up the address cause my fingers were all sticky with peanut butter at this point and-"

Dennis: "WHY WERE YOUR- You know what, not only do I not wanna know, but I'm also gonna take a stab at how this story ends. Charlie, are you telling me you made a scam cryptocurrency and then used the profits to pay some sketchy Russian hacker for a ransomware virus which you then emailed to a random address with a subject line something along the lines of "FOR FRIEND, IMPORTANT FILE, FOR PLAN, GIVES MONEY", which obviously enticed the random receiver to open said email, promptly starting a massive email worm that managed to spread its way into the government's oil pipelines?"

Charlie: "That's... Uh, yeah, yup, yup, that's pretty much spot on dude, I'm pretty sure."


The Gang "Solves" the Gas Crisis (2021)


I think it would have to be "Still Solving the Gas Crisis".


Lol this was my first reaction as well, they now have a nation-state on their ass. But that being said it's not impossible that this was just a cover for a Russian state-sponsored attempt on US infra.


If I were running the Russian hacking center in charge of pwning US infrastructure, I'd be pissed as hell. This is like getting vaccinated -- all of a sudden we're going to take this seriously and patch a bunch of exploits that they've had ready to go.


Maybe this gang doesn't need to worry about the US going after it, it needs to worry about the FSB going after it for screwing up its game plan...


"nation-state" is not just a fancy infosec word for country, and there's some debate as to whether the USA constitutes an actual nation state, rather than a state.


We regret to inform you that language is mutable.


Now introducing, TypeLang! A strictly typed spoken language with core emotional concepts built into the standard library and immutability as default. Easily transpiled into dozens of different languages, such as English, Japanese, JavaScript, and Smooth Jazz.


see https://en.wikipedia.org/wiki/Esperanto not exactly what you are looking for, but :)

Also French has an official body that authorizes words.


We really need SI units for emotions. Something that can be based on reproducible observations.


A megasophia of wisdom.


> "nation-state" is not just a fancy infosec word for country,

This is pedantic and adds no value. In what sense could the precise definition of "nation state" matter? In this context everyone understands the phrase in exactly the way it's meant -- a resourceful national government.


:thumbs-up:

Some people can’t stop fighting “blasphemy,” even if they aren’t in a classic religion.


The USA is absolutely a nation state. Coca-Cola, McDonald's, Christmas, English, etc. are well dispersed throughout the entire population. We have a uniform culture, although not as uniform as much smaller countries, but uniform nonetheless.


> Coca-Cola, McDonald's, Christmas, English

These are well dispersed throughout the world...


Cultural dominance isn’t an argument against national cohesion.


Arguably the "nation" of the USA extends into England, Australia, Israel and a few other places which have taken a lot of the culture.


> A nation state is a state in which a great majority shares the same culture and is conscious of it. It has been described as a political unit where the state and nation are congruent. It is a more precise concept than "country", since a country does not need to have a predominant ethnic group. [1]

Interesting.

[1] https://en.wikipedia.org/wiki/Nation_state


Yes, because the Russian state has nothing better to do than inconvenience the operation of a foreign fuel pipeline for a few days.


Believe it or not, massive governments that employ hundreds of thousands of people are capable of doing multiple things simultaneously.

I don't think there's any evidence this was state-sponsored, or even state-approved, but "oh there's better things to do" is not a good argument in the least.


I'll keep it in mind the next time a horse bolts from a barn in some foreign country - 'Clearly, this was the CIA's doing. There's no evidence for it, but they have the capability, and their motives are sufficiently sinister and shadowy, and while there's no reason for them to be engaging in medium-scale hooliganism on the other side of the world, they could be the ones responsible!'


The Russian Government had huge motive for this attack, they were not at all happy about the United States' retaliation for SolarWinds/Election interference. Shutting down a major oil pipeline in the United States is not "medium-scale hooliganism."

Also shouting 'No Evidence' is a typical tactic the propagandists use to cast doubt and muddy the waters; surely the attackers would love to see what evidence is available, so they can adapt - that's why evidence is largely kept private.


Why do you assume that propagandists only work for them?

What makes you think propagandists on our side would never use lack of evidence to make whatever they want up, and cite your exact reason as justification?

This is medium-scale hooliganism in the sense that the end result isn't going to accomplish more than a dedicated idiot with a toolbox and a grudge against gas pipelines couldn't achieve. IT will clean things up, operations will resume, life will go on.

Not to mention that this gives the industry another, rather low-stakes kick in the ass to take IT security seriously.


Russia and China have been suspected of doing things like this for years. And who says it's just to inconvenience them? There will be other things happening because of this and this could impact other nations in a positive manner.


> Russia and China have been suspected of doing things like this for years.

By who? People who never provide evidence for their claims?

> There will be other things happening because of this and this could impact other nations in a positive manner.

While it's certainly possible that the FSB is playing 59-dimensional chess, here, hoping for a true butterfly-effect sequence of causality, I think the onus is on you to demonstrate that.


> By who? People who never provide evidence for their claims?

By lots of countries. The US charged 4 Chinese military officers for hacking Equifax.

> While it's certainly possible that the FSB is playing 59-dimensional chess, here, hoping for a true butterfly-effect sequence of causality, I think the onus is on you to demonstrate that.

You seem to think that it would require multiple things to fall into place to benefit a foreign country. Say you want to manipulate the price of the fuel. Increasing the costs of transport would do that.


Hacking Equifax[1] makes sense, because it is directly useful for intelligence work. Find people of interest who have credit problems, and lean on them. [2]

This isn't even a blip on the radar of global fuel prices. It is completely lost in the noise. [3]

[1] Or the OPM, since it was kind enough to have lists of 'all spies operating abroad' on its intranet. Whoops.

[2] I mean, you could also just pose as a landlord or employer, and ask for credit checks on them, it costs ~$30 per query, but it is what it is.

[3] If the FSB really wants to increase demand for fuel, they should try stalling a junker or two on an interstate bridge... Imagine the fuel wasted from all the cars idling, or taking detours!


I'm just pointing out countries have been hacking each other for ages and specifically infrastructure. Which was originally stated as absurd because there is no benefit to them, which considering you don't know all the basic effects this attack is having. And who said they wanted to raise global fuel prices?

End of the story is intelligence agencies around the world have been bulking up for cyber warfare for at least a decade. Russia and China have been fingered repeatedly for cyber attacks. It is not completely outlandish that one of them is behind it for whatever reason. I'm pretty sure the entire point of these agencies is that we don't know what they do or why they do it.


I'm not super-knowledgeable about cybersecurity, but shouldn't simply using TOR make it nearly impossible for the US government to track them down?

If they want to go overkill, they can additionally use a public VPN account purchased using walmart giftcards bought on ebay using a stolen identity and then mailed overseas.

They can also perform the hack using a brand new computer that they never use again afterward.

It just seems to me like the attacker has most of the advantage here if they know what they're doing.


That would work against network tracking of the actual connection, but that is not the main means of attribution and tracking culprits.

One way is to look at any tools and artifacts used/deployed - it's not common that only "off-shelf" tools are used, and as soon as there's anything custom, most likely it's not a one-off thing that never ever appears anywhere else; if you got it from someone, that's a potential lead; if you wrote it yourself, you're likely to use it (or a modified version) elsewhere, so if you make a mistake in one "gig" then it can relate to all your other activities as well.

Another is people - those things are often not done alone, and people talk, especially if they get detained for something else. And last but not least, the money trail sometimes leads to results as well.

But the key thing is that even if you do everything securely enough, it can work once or a couple times if you're careful enough, but nobody is careful enough to sustain proper opsec all the time, everyone makes mistakes every now and then. These things often take years to resolve, but the legal system has sufficient patience to link something done five years ago to a mistake you'll make next year.

There's sort of an asymmetry for an attack - that if the defender closes 99 vulnerabilities but leaves one, that one is enough for an attacker to get in; but there's a similar asymmetry for detection; if the attacker hides their trail in 99 ways but leaves one, that one is enough to find them afterwards.


> I'm not super-knowledgeable about cybersecurity, but shouldn't simply using TOR make it nearly impossible for the US government to track them down?

PSA: There are known traffic correlation attacks against Tor. It's not magic security dust you can sprinkle on a system. If you're doing thoughtcrimes, assume any G10 intelligence service can track you down. (If you're into extortion, human trafficking/exploiting children, or financing/advocating violence against civilians, then Tor is totally magic and is 100% guaranteed to make you invincible. Tor is all you need a-hole.)

Tor intentionally makes latency-privacy tradeoffs to make web browsing usable. I'm not familiar enough with Tor internals, but I believe applications have no control over these tradeoffs.

Anyone know if I2P allows applications to adjust latency/privacy tradeoffs? (Conceptually, you want your store-and-forward mixnet to use a priority queue for each hop, setting a deadline when each message arrives, and filling the pipe with expired messages first, and then non-expired messages in uniform random order. Applications more tolerant of latency get their traffic spread over a longer window. Per-hop latency targets should allow applications to avoid hop-to-hop correlations in latency targets.)
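The per-hop scheduler sketched in the parenthetical above, as an added Python model that is not I2P or Tor code and not the commenter's own: each hop keeps a deadline-ordered queue, forwards expired messages first, and fills leftover capacity with a uniform random sample of the rest. The traffic classes, budgets and capacity in `simulate` are constructed numbers chosen to make the spreading visible.

```python
import heapq
import random


class HopScheduler:
    """One hop of a store-and-forward mixnet (a constructed model, not I2P or
    Tor code). Every message arrives with an application-chosen latency budget
    and is recorded with deadline = arrival + budget. On each send opportunity
    the hop first forwards messages whose deadline has passed (earliest deadline
    first), then fills any remaining capacity with not-yet-expired messages
    drawn in uniform random order, so latency-tolerant traffic is spread over a
    longer window and output order carries no arrival-order signal."""

    def __init__(self, capacity_per_tick, rng=None):
        self.capacity = capacity_per_tick
        self.rng = rng or random.Random()  # injectable so runs are reproducible
        self._seq = 0                      # tie-breaker: keeps heap entries unique
        self._queue = []                   # heap of (deadline, seq, msg_id, arrived)
        self.sent_log = []                 # (tick_sent, msg_id, arrived, deadline)

    def receive(self, msg_id, now, latency_budget):
        """Store a message; the sending application chose how long it may wait."""
        heapq.heappush(self._queue, (now + latency_budget, self._seq, msg_id, now))
        self._seq += 1

    def pending(self):
        return len(self._queue)

    def tick(self, now):
        """Forward up to `capacity` messages in this interval; return their ids."""
        sent = []
        # Pass 1: expired messages first, earliest deadline first.
        while (self._queue and len(sent) < self.capacity
               and self._queue[0][0] <= now):
            sent.append(heapq.heappop(self._queue))
        # Pass 2: leftover capacity goes to a uniform random sample of the
        # non-expired backlog, regardless of when those messages arrived.
        room = self.capacity - len(sent)
        if room > 0 and self._queue:
            chosen = self.rng.sample(self._queue, min(room, len(self._queue)))
            for entry in chosen:
                self._queue.remove(entry)
            heapq.heapify(self._queue)
            sent.extend(chosen)
        for deadline, _, msg_id, arrived in sent:
            self.sent_log.append((now, msg_id, arrived, deadline))
        return [entry[2] for entry in sent]


def simulate(seed=7, capacity=2, ticks=30):
    """Constructed workload: a 'web' message with a 1-tick budget arrives every
    tick, and bursts of 8 'mail' messages with a 50-tick budget arrive at ticks
    0, 10 and 20. Returns per-class latencies and the count of deadline misses."""
    hop = HopScheduler(capacity, random.Random(seed))
    for t in range(ticks):
        hop.receive(f"web-{t}", t, 1)
        if t % 10 == 0:
            for i in range(8):
                hop.receive(f"mail-{t}-{i}", t, 50)
        hop.tick(t)
    t = ticks
    while hop.pending():              # drain what is left after arrivals stop
        hop.tick(t)
        t += 1
    latencies = {"web": [], "mail": []}
    violations = 0
    for tick_sent, msg_id, arrived, deadline in hop.sent_log:
        latencies[msg_id.split("-")[0]].append(tick_sent - arrived)
        if tick_sent > deadline:
            violations += 1
    return {"latencies": latencies, "violations": violations,
            "sent": len(hop.sent_log)}


if __name__ == "__main__":
    result = simulate()
    for cls, lat in result["latencies"].items():
        print(f"{cls}: n={len(lat)} min={min(lat)} max={max(lat)} "
              f"distinct={len(set(lat))}")
    print("deadline misses:", result["violations"])
```

Web traffic always leaves within its 1-tick budget, while mail messages from the same burst exit at many different ticks, which is the latency-for-unlinkability trade the comment describes.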


I don't know much about TOR but recall reading speculation that the NSA operates a majority of the exit nodes.


Yes, you can pick tunnel length in I2P.


But, can you allow some nodes to queue messages for a longer period of time?


No, it is designed for low latency communication.


Getting operational security right is surprisingly hard.

The really hard part is that you need to have gotten it right some years ago already.

I remember that I read the other day that a bitcoin tumbler operator was charged for money laundering. The way they got to him was tracking initial funds that started the tumbler, which were purchased from an exchange and not obfuscated.

There are all kinds of things you can get wrong: your build tools could accidentally store compromising meta data in your malware; payments from previous campaigns could be tracked, a single non-TOR access to the command&control infrastructure could get you busted, as could a single login to an email provider you used to communicate with somebody related to the ransomware operation.

All in all, if you have a larger team, the chances of at least one person messing up aren't too small, and then it's a matter of the investigators pouring enough money and attention into the case to find it.


As a rule, there is no off-the-shelf software solution that you can simply use to avoid being detected by the NSA or other powerful nation intelligence services. Even if there were, they are not limited to tracking you through technological means - they very much know how to find people the old-fashioned way as well.

That's not to say that it is impossible to hide from them, but it's never simple, when they're actively looking for you.


No - Running enough TOR entry and exit nodes allows one to unmask initial connections[1].

One can suspect a healthy percentage of Tor nodes are operated by Governments as TOR was developed and released by the US Navy[2].

[1] https://www.theregister.com/2015/05/30/researchers_claim_tra...

[2] https://www.torproject.org/about/history/


Tor isn't perfect. Government agencies like to create TOR endpoints/nodes that allow collection of bulk traffic data. They can't see exactly who sent specific packets or their exact contents by looking at them individually, but they can see which node it just came from and where it's going next. By watching traffic to entry and exit points they can create probabilistic models based on traffic volume that can allow them to identify where large volumes of packets most likely came from when they're already watching the destination. This is how they tend to catch drug dealers and similar illegal transactions using TOR and a similar setup that monitors crypto currency transactions that simply monitors either known bad agents (criminals, dark web sites selling illegal goods, suspects, etc) or suspected targets. By combining the two data sets they've even identified who certain crypto currency wallets belong to. The main thing to be aware of is that it's extremely difficult for them to identify anyone with low traffic levels, or that do not interact with actively monitored actors/targets.


> shouldn't simply using TOR make it nearly impossible for the US government to track them down?

Not even close. Tor kinda secures one aspect of very many, but kinda doesn't.

It attracts attention: Governments actively try to defeat Tor. And if they are looking for a criminal, they might look first at Tor users. In fact, they collect data on Tor use before a crime is committed.


Doesn't every cyberattack get attention from the U.S. government? After all, carrying out a cyberattack is a federal crime.


Not this kind of attention. Oil pipelines are considered critical energy infrastructure. This will likely be viewed as a national security threat.

The US government will have to respond to deter others. They have "poked the bear".


Yes, in the sense that it gets reported to law enforcement and investigative agencies. Without being specific, I was a victim of identity theft and cybercrime. My incident was “reported to the FBI” but I’ve literally never heard anything back from them.

In practical terms there needs to be something special about the cyberattack for the government to devote any resources towards it.


How could it? There are thousands of cyberattacks against US companies and infrastructure every day.

There are cyberattacks and then there's going after the most important domestic energy line of a superpower.

This is quite different from your run of the mill cyberattack, they're not all created equal.


This is exactly right.

It all depends on the attention these attacks get. Now that they've had a tangible effect on the news cycle, creating concern about the safety of US energy infrastructure, there will be more incentives for the Government to hunt them down and get credit for doing so.

I think I read somewhere that China based attackers have already penetrated networks of major US infrastructure systems but didn't do anything because what's the point of wreaking havoc now? Better wait for more opportune times.

Which also seems to indicate that this may not be a Nation State... they would be after a bigger prize than some bitcoins.


I think it's 50/50 some real gang vs a branch of the NSA who sees how pwned the US infrastructure is and wants to make a (fairly harmless) splash so we take it more seriously and patch our shit.


Wouldn't the NSA branch be "disciplined" if they were found out? Seems risky.


The difference between "the FBI will look into it if they find some spare time" and "you've made the top 10 target list of the NSA".


I'm going to link this here: https://attack.mitre.org/ Those are only the reported attacks. You could check groups as well, and their TTPs.


> That gang ...

Maybe it's another government, trying to sow chaos, disrupt markets, test US response capabilities, etc.


Could be, but ransomware gangs are a dime a dozen, and many are simply financially motivated.

It's just a very profitable business model.


This was a very stupid thing to do, if it was a ransomware gang.


Maybe it's the CIA, trying to increase hostilities between the United States and some other country.


Third administration in a row to do nothing. Read Sandworm. The wolf is in the hen house now and nothing will still be done.


That almost sounded like a Hollywood-like prologue. Nothing interesting, nothing the average Joe doesn't know, just your fantasies.

Good


The US Govt is fit for nothing beyond setting up social media offices these days.


So, a very limited state of emergency which allows fuel that is ordinarily piped to be transported by truck.

Ancillarily, it's not evident this cyberattack actually compromised the industrial controls, but rather trashed the administrative system controlling the controls.


> It means drivers in 18 states can work extra or more flexible hours when transporting gasoline, diesel, jet fuel and other refined petroleum products.

This means truck drivers hauling 45,500+ lbs of an extremely flammable liquid aren't required to sleep.

I worked in the supply chain industry for a few years, dropping these restrictions is unheard of. My instinct tells me this issue is a lot worse than it seems now.


Armchair take: The pipelines handle a lot of fuel, and the US needs / uses a lot of fuel; to move the same amount, you need a lot of trucks. And if that need is not met, the economy etc will be disrupted heavily, price of fuel will go up, and the price of fuel going up has caused massive issues in the past.


Last time I checked the amount of sleep I need doesn't go down when an oil pipeline stops flowing.

It's offloading the risk to drivers to benefit these companies first and foremost, which is ridiculous. The cherry on top is the article pointing out even with the extra hours they won't be anywhere near meeting demand...


No, that part of the regulations (the 10 hour break requirement) specifically does not get suspended in an emergency, if I recall correctly, but federal qualifications for new drivers do, so maybe someone otherwise hauling oranges from Florida might drive a tanker while the normal driver has a day off. Plus, this is only federal law; state laws still apply, and it is state troopers who pull you over, not feds.


And I thought we were already facing a nationwide shortage of qualified tanker truck drivers.

On the bright side, these guys will be making mega-bucks on overtime, provided they can stay awake. Coffee and No-Doz will only take you so far.


Could be that, or the heightened sensitivity to all issues cyber we’re experiencing right now


Will there be enough extra tanker-hours and tired tanker-hours to see a statistically significant upturn in accidents and deaths?


It's definitely a good natural experiment on the efficacy of these types of laws.


I don't think so. These drivers need more specialized training, and the type of equipment they haul is different. Plus I'd imagine your mindset is different when you have a swimming pool's amount of oil a few feet behind you compared to a bunch of toilet paper or whatever.


Don't trucks transport fuel like this all the time? Or maybe it's the quantity.


They do, but to me GP's issue is with relaxing the requirements for rest.

IE, the issue isn't that drivers transport fuel, but that possibly tired drivers do so.


Everyone here is failing to read between the lines.

Nobody in trucking gripes about limited working hours. The current hours per week available for work are more than enough to work at an unsustainable rate of sleep. What everyone bitches about is the electronic logging requirements that prevent them from cooking the books in order to account for delays that happen over the normal course of business. Because people can no longer cook the books they do other things that increase risk.

For political and optical reasons the DOT can't exempt them from e-logs to make their lives easier. So they just exempt them from all of it. They're basically saying "if you're gonna push yourselves we'd rather you cut the smart corner and work a 12hr day than drive around like maniacs trying to fit X hours of driving in a Y hour window."


Absolutely they do, but with the pipeline down it's a volume and distance issue.

Normally the pipeline would pump huge amounts of fuel around to various distribution centers where trucks and tankers would then haul it the last leg to e.g. gas stations and other end users. Now there will be far fewer distribution centers to pick up the load from, and much longer distances to drive to deliver the product.

Naturally a pipeline has much greater capacity than a string of trucks, not to mention the impacts on traffic and safety concerns that go with pushing the truck drivers that far. The limited number of distribution points with the pipeline offline will probably have a logistical impact as well since there will be an imbalance re: how many trucks are arriving to get filled up.


It's interesting to consider the human link between the admin systems and industrial control systems here. If we assume the controls are on an airgapped network, the attackers, in some sense, jumped the airgap and shut down the pipeline.

Obviously not as bad as an actual compromise of the control systems though, which presumably could cause leaks, explosions, etc.


Generally the controls are firewalled from the administrative/business systems, not air-gapped.

Production data (like gallons per minute of flow through the pipeline) must be sent from the controls to the business analytics software. That's generally done through a firewall over TCP/IP.


I've seen systems where data is sent via UDP and the physical connection was transmit-only (for example, only the transmit fiber plugged in to the port) to avoid potential firewall exploitation.


Often that kind of reporting data is delivered back via a “data diode” unidirectional network. That said, there is usually just a dmz between biz and prod to enable remote support of the controls system (ala the Purdue model), and not any real air gap.


…and the controls still have internet access, but it is NAT’ed, and it still has a fresh copy of Internet Explorer 9.

I have only witnessed this once, at a wastewater treatment plant, so very anecdotal.


I've worked on these systems, they are separate.

They likely could have kept running the pipeline without incident.

I imagine when the government stepped in they decided to dial their procedures up to 10 and they plan on making an example out of this incident and the perpetrators.


> James Chappell, co-founder and chief innovation officer at Digital Shadows, believes DarkSide bought account login details relating to remote desktop software like TeamViewer and Microsoft Remote Desktop.

Once they get in to the internal network, they could possibly have access to anything. Most organizations don't follow good practices for internal services and there's all kinds of unauthenticated crap that's accessible to anyone who knows where to look.

If it's really a ransomware attack, they could have taken over some internal system, or maybe just locked out remote access. We will need to know more, but at first glance it doesn't look very good.


Previous related thread:

U.S.'s Biggest Gasoline Pipeline Halted After Cyberattack - https://news.ycombinator.com/item?id=27086403 - May 2021 (190 comments)


"Multiple sources have confirmed that the ransomware attack was caused by a cyber-criminal gang called DarkSide, who infiltrated Colonial's network on Thursday and took almost 100GB of data hostage."

re: "infiltrated Colonial's network"

I have been reading some of the other reports of this incident from different publications.

Many of the stories include a line about attackers downloading "100 GB in only 2 hours" as if that was being downloaded from the company's on premises servers.

Eventually I found a story that disclosed the data was actually downloaded from a cloud provider.


It's a lot easier to pull the plug on on-premise systems.


It’s really not. SME branch office is dead easy. Multinational corporations virtually impossible.

In the cloud you can stop your whole VM estate, nuke roles and access and pull an audit trail and access logs for everything in a few minutes. Without even getting off your butt. Or having to negotiate with a branch office IT team who disagree with you.

In the 20 or so years I’ve been running ops for corporates, the cloud is the nearest we’ve come to half decent DR and emergency response capability. It has got to the point now where compliance and audit is built in and I can actually write some code here and there rather than arguing about trivial stuff like “what happens if X happens” with people who are only in it for the pension.


Is it though? We have plenty of cases of on-prem and in-cloud going down. And we have also plenty of evidence that some companies do actually manage to do disaster recovery pretty well. Not all, of course, usually those that experience frequent disasters.


My environment is mostly on-prem, and it's nearly always the cloud services that drop out and leave us high and dry. In fact, not long ago, a cloud service we don't use went down, and it took one of our vendors down, and their cloud service went down, because of an outage with a completely unrelated service we don't use! The cloud is a house of cards that is run by companies that should have disaster recovery down, and really don't even come close.

Meanwhile, I can unplug one cable to isolate our site, and everything that isn't a cloud service is pulled offline. (And delightfully, almost all of it would still be independently operational until I plugged it back in, too.)


>The gang even has a website on the dark web where it brags about its work in detail, listing all the companies it has hacked and what was stolen, and an "ethics" page where it says which organisations it will not attack.

And yet they don't give the URL.

I wanna see this page. Does anyone have it?


I don't have it, but I would go to dark.fail's onion address and browse there (http://darkfailllnkf4vf.onion/ verify this and get in the habit of doing so! dark fail's clearnet website just got hacked while their onion site was unaffected), and then I would go to Dread forum (onion reddit clone) and ask there.

A little tedious but there is lots of commerce on onion sites, and a lot of valuable information in general that I've never seen anywhere else, so it can be worth it.


Most people will probably be hesitant to post it for obvious reasons here. But it was helpful to me, to find a ransomware url, during the college leak a few weeks ago (https://dorper.me/articles/unileak.aspx) to find out which colleges were impacted because tons of people I know were in it. There are plenty of good reasons to want to have it. But I understand why BBC wouldn't post it...


People that read Hacker News on their work machine: note that if you're on the org VPN (and even if you're not, if your org installs IDS tools or other spyware) many of those tools may flag your visit of such site as "malicious".

Best to use a personal device.


Here's a list of the common malware URLs. BE VERY CAUTIOUS. Also note that DarkSide's onionsite is down and has been for a while.



It might help if you format these as "domain[dot]com" to avoid misclicks.


Too late.


You can edit your comments here.


Well the reason for that is that the website has dumps that you can easily download.

Here is a text dump of their press page https://pastebin.com/fxJCaUDq


I like how they are charging 10% more if you pay with Bitcoin than with Monero.

I think commerce would greatly improve if other networks had Tor clients, especially because of the stablecoin and private stablecoin availability as of this year. All EVMs as well as Tendermint networks have no out of the box solutions for Tor nodes and connectivity. But they both have ways for ERC20 tokens to have a great degree of privacy. One Tendermint network called Secret Network has private smart contract execution, and a variety of bridges. So as all tokens are smart contracts the metadata and variables would not be visible onchain.

sDAI would be more useful for commerce if the nodes and wallets could easily resolve over Tor.

Is anybody working on that?


> I like how they are charging 10% more if you pay with Bitcoin than with Monero.

I smell a business opportunity... Kick off a ransomware attack and accept Bitcoin or a Shitcoin at a 30% discount.

Some shitcoins have such little liquidity... a 50k buy would push their price off by hundreds of percentage points. You can even refund their money back after they pay... a modern day pump/dump.

The thing about being an ethical player in unethical markets is coming up with ideas that could make you richer but not wanting to break laws / be a terrible person.


Illiquid asset pumping is the best way to launder the money in the crypto space.

AccountA has bought or owns the illiquid asset using clean money, in advance. AccountB has the ransom proceeds in the more liquid digital asset. AccountB eventually buys the illiquid asset and pumps it. All the blockchain detectives are still following AccountB across many more addresses and blockchains, hoping and praying and imagining that one of the touched accounts needs fiat so that a human identity can be assigned to the funds. But that never happens. AccountA has the 8,000% or other arbitrarily high gain and nobody can distinguish them from any other crypto trader, as these kinds of gains are commonplace. All the trading can (and should) occur onchain without any financial intermediary, as there would be no transaction size limits or issue moving the funds, compared to odd activity on a business' centralized custodial exchange.

AccountB connected accounts are saddled with the illiquid asset. Maybe organic growth has occurred from fear of missing out and AccountB can resell, but that is just an embellishment and icing on the cake.

AccountB connected accounts can also create the liquidity pool, or create the yield farming opportunities to incentivize others to join the liquidity pool. And if AccountB really never cares about the funds, they can also burn the bearer liquidity pool share, providing confidence to the market that they can always trade at high volumes onchain.


I don't get how Account B gets to the point of extracting value from the illiquid asset after purchasing?

Seems like they either, 1) sell periodically or as the assets value appreciates, but this is generally unreliable and tough or 2) create a liquidity pool or yield farming opportunities

For 1, this isn't necessarily reliable but it seems like the most plausible popular case. For 2, given the previously mentioned challenge of the illiquid asset, how does it work to provide incentive in liquidity pooling and yield farming?

Note, that I'm less well aware of the mechanics of 2 so perhaps its also a fundamental ignorance issue.


AccountB doesn't have to make more money as it directly or indirectly transferred all the liquid assets to AccountA (and many other people). In a liquidity pool kind of exchange, AccountB would have simply put all its liquid assets into the liquidity pool, in exchange for removing the illiquid asset into AccountB's custody. The liquidity pool maintains prices based on a ratio of two assets in the pool, so the illiquid asset would have quite a high price after this activity. AccountA would have just sold its holdings of the illiquid asset back into the liquidity pool at a coincidentally favorable time. AccountA can also have been a liquidity provider, and when they unbundle their liquidity pool share it will have more of the liquid asset and less of the illiquid asset. Many possibilities, permissionless.

If it must be said, AccountA is yours too and is just for reintegrating the illicit proceeds into the economy without trying to do something more convoluted like running a permissionless SaaS business with fake customers spending Monero for domain name lookups.

But, AccountB can attempt to make its assets more liquid again. You just go on Telegram and pump it in speculator groups, buy off some youtubers. How much are you laundering? You can keep a few thousand dollars in liquidity for negotiations. AccountB should also provide liquidity itself. Just launch a yield farm contract, copy and paste, change the input and output token address, redeploy, lock a substantial portion of the illiquid token inside of it (or pay off a more coveted yield farming project like Pancake or Polygon to list a farm and pay farmers in their token). Make the yield high.


> I don't get how Account B gets to the point of extracting value from the illiquid asset after purchasing?

My understanding is, accounts A and B are both controlled by the same person/group. Account A always deals with clean money and pretends to do speculative investing; account B uses dirty money to pump illiquid assets. An example scenario, as a simplified list of transactions:

  | Time | From    | To     | Amount     | Note                                      |
  |------+---------+--------+------------+-------------------------------------------|
  |    0 | Pocket  | A      | 10 $GOOD   | Initial investment.                       |
  |    0 | -       | B      | -          | Created account for criminal activity.    |
  |------+---------+--------+------------+-------------------------------------------|
  |   10 | A       | Market | 10 $GOOD   | Exchanged liquid $GOOD for illiquid       |
  |   10 | Market  | A      | 1000 $BAD  | $BAD at 1:100.                            |
  |------+---------+--------+------------+-------------------------------------------|
  |  100 | Victims | B      | 3000 $GOOD | Crime - e.g. ransomware payments.         |
  |------+---------+--------+------------+-------------------------------------------|
  |  150 | B       | Market | 3000 $GOOD | Buying up $BAD to generate interest and   |
  |  150 | Market  | B      | 1500 $BAD  | pump its value.                           |
  |------+---------+--------+------------+-------------------------------------------|
  |  200 | A       | Market | 1000 $BAD  | Buying back $GOOD for temporarily liquid  |
  |  200 | Market  | A      | 5000 $GOOD | $BAD at 5:1.                              |
  |------+---------+--------+------------+-------------------------------------------|
  |  500 | B       | Market | 1500 $BAD  | If $BAD didn't collapse, recovering some  |
  |  500 | Market  | B      | 100 $GOOD  | of more stable asset at 1:15; can be used |
  |      |         |        |            | to repeat the trick later.                |
In this scenario, criminals turned $3000 of dirty $GOOD in account B into $5000 of clean $GOOD in account A. If they were good with OPSEC, there's no connection between accounts A and B - from outside, it looks like the owner of account A got lucky speculating on crypto, and owner of account B was a dumb criminal that made a bad investment. Hell, if criminals are sure of their OPSEC, they could even go as far as paying taxes for their gains on account A, reinforcing the image that A is owned by some random, legitimate investor (but that could bite them hard if law enforcement realizes there's a connection between accounts B and A). Account B is never cashed out - it's used only for purposes of pumping illiquid cryptocurrencies, and eventually abandoned.


Yeah we would be talking about paying taxes and having a record of the funds for more social benefits in society.

Account A is just a speculator. Stuff you speculate on right now has other accounts pumping it from funds that just appeared out of Tornado.cash, or were just swapped from Monero. There is no way to distinguish between you controlling those or someone else, and there isn't probable cause from this behavior to investigate the accounts that appeared with funds from obfuscated sources. Just some OPSEC considerations.


What are EVMs, ERC20, and sDAI? I do not believe your objective is to confuse or obstruct, but additional context would help understand the unique value of your contribution. This is coming from someone with a recent BSc in Computer Engineering yet still completely unaware of these acronyms & references.


Only a few universities are teaching this stuff right now. In any case:

EVM is "Ethereum Virtual Machine", a similar concept to the JVM, "Java Virtual Machine". EVMs are one of the most common technologies for deployment of arbitrary execution within distributed networks. These kinds of functions and applications are colloquially called smart contracts. The biggest distributed network with this technology is simply called "Ethereum" or "Ethereum mainnet". But any code deployed on Ethereum mainnet is deployable on any other EVM environment, such as Polygon, Avalanche, Binance Smart Chain, Tron, Ethereum Classic, Hashgraph, or Quorum, which was stewarded by JP Morgan for a few years for internal enterprise use.

The other common smart contract network is Tendermint, also colloquially referred to as Cosmos.

There are a couple of standard classes with a certain protocol of functions on all these networks. One standardized class is called ERC20, which is a fungible token standard. Deploying this kind of class ensures that you have created an asset with a name, ticker symbol, quantity, and a transfer function. Therefore ERC20 is just a quick way to refer to an additional asset. Assets that represent something the market wants, or is familiar with, or is redeemable for something the market likes, therefore have certain monetary values associated with them. Some communities representing other networks have different protocol names for the same concept; for example, the Binance Smart Chain community has a token standard called BEP20, which is mostly contrived marketing, but it could also have tweaks to the ERC20 standard; you have to read them. No different than reading the IETF's REST protocol standard for each function, and then seeing how it is implemented slightly differently across different browsers, devices and frameworks.

DAI is an ERC20 asset that maintains convertibility with $1 US Dollar. It is collateralized by a basket of assets, some completely digital assets and some that are backed by real world assets from centralized issuers.

When it comes to ERC20 naming styles, the market has resorted to prefixes for now.

So on the Secret Network (which uses Tendermint/Cosmos technology instead of EVM), assets that enter it from bridges are called sAssets. So DAI that enters the Secret Network would be sDAI, where it will inherit the private nature of the network. Specifically, the current state of functions such as quantity and transfer(to, from) would all be unknown from looking at the blockchain.


Thank you for the elaboration. Your humble willingness to do so is much appreciated.


You're welcome!

One of the highest growth areas, and one in very high demand, is building bridges for assets to move between blockchains, particularly liquidity pool shares and other asset-backed derivatives. If you would like to apply yourself here, the market-based rewards are direct, swift, and very high.

More than what FAANG pays their E5's and L5's.


I was reading about DOT and decided to start learning Rust. I've used Python in a couple of automation tasks before, but besides that have very little programming ability. Rust has been hard so far but very rewarding. What technologies would you suggest learning if I wanted to get into blockchain programming?


Solidity, or the JavaScript frameworks that compile down to Solidity. EVMs are heavy in this.

Rust is good too. I'm not too familiar with the Polkadot ecosystem, but the main thing you need to know is that every financial app that has been popular on EVMs needs to be rebuilt on those other ecosystems. There can be multiple of the same things too, no different than multiple grocery stores in a town, or multiple actual bridges. Nothing unique needs to occur, just more. It's literally a global boom town you don't need to go anywhere for, and your competition would rather argue about how a MySQL database is better for yield farming than a blockchain.


That seems interesting, and rewarding. Any pointers on how one can get into this area. Thanks


Where can someone learn more about this? Any resources?


I recently learned of zkDai[1]. Do you have any thoughts on this or the Aztec protocol?

[1] https://medium.com/aztec-protocol/introducing-zkdai-into-the...


It is just too expensive for the Ethereum network and not a large enough mixing set (haven't looked recently though), and nobody accepts it, therefore requiring you to exit it if you want anything; but exiting will reveal who you are because there is nobody else it could be.

Privacy on the Ethereum network remains just Ether in Tornado Cash.

edit: oh cool Aztec actually transitioned to the Optimistic Rollup. That is different than their prior smart contract and requires new analysis. I recall their article last year or before about doing a "zk zk rollup" and I didn't keep following.


Is it illegal to pay the ransom?


At least for public services in Canada, it is. Which serves as a deterrent, since attackers are guaranteed to _not_ get money. Also whips management into more than CYA-and-wait IT security.


There is an argument for that. Haven't heard of prosecutions for doing so.


A Bitcoin full node, which processes and verifies all transactions, uses only 7GB of disk space. It doubles as a wallet, and it has native bidirectional Tor support.


> I like how they are charging 10% more if you pay with Bitcoin than with Monero.

Source? How much are they asking for?


There is a screenshot in the article in the Ransomware as a Service (Raas) section.


Probably because BTC is expensive and hard to launder.


Yes, it is nice to see the market adjusting.

There are only a few cryptocurrency networks with robust Tor infrastructure for now. There should be more but the stewards haven't prioritized it, for the most part many nodes and wallets for other networks are UDP, which is a major hurdle as Tor requires TCP exclusively. Bitcoin and Monero do not have this limitation, but Monero is the only private by default one and has a large mixture set to stay easily obfuscated.


The reason that cyberattacks are proliferating is because it has only recently become easy for the threat actors to receive massive payments quickly and anonymously. Remove that ability and the entire cyberattack ecosystem shuts down instantly. It is only a matter of time before this happens.


The reason cyberattacks are proliferating is because many enterprises refuse to learn from the mistakes of others. They continue to connect ancient, unpatched Windows and Exchange servers to the public internet, they don't segment their networks, they don't secure TeamViewer and RDP, they don't use FIDO U2F, they don't have an IDS, they don't monitor logs, they don't execute email links and attachments in a sandbox, etc., etc., etc.


Yes, but this is not new. Cryptocurrency is.

Also, blaming the victim can only go so far.


If you write the combination for your safe on a post-it note and stick it to the door of the safe, and a thief opens the safe and steals everything in it, it's still the thief's fault.

But it's not victim-blaming to observe that you shouldn't have made it so easy for the thief.

If it's just your valuables that get stolen, then that's unfortunate for you, but at least it doesn't hurt anyone else.

But when other people trust you to keep the safe secure, and are hurt because of your negligence, then it's also not victim-blaming to observe that your negligence caused harm to other people.


My guess is that there are many factors.

- More infrastructure than ever has some exposure to the internet
- Outsourcing at massive scale (probably) makes consistent security screening harder
- There are more programmers in the world than ever and so (probably) there are more black hats, malicious hackers, etc
- As time goes on, there are more and more aging computer systems, thus (probably) there are more and more vulnerabilities in the wild
- As time goes on, systems accrete complexity, thus (probably) there are more and more vulnerabilities in the wild

But yes, I do think cryptocurrency is an important change. Cash is still king when it comes to crime, but crypto does make crossing borders much easier.


The whole thing is very asymmetric:

Your own jurisdiction and law enforcement have no power on foreign territory; but foreign organizations (state sponsored or not) located there have freedom to penetrate your society and economy. Moreover, foreign governments may deliberately ignore your requests to investigate.

Thanks to technologies and to chaotic reactions to modern day problems (including covid-19 pandemic) it looks like modern forms of independent sovereign states are very archaic.


Meanwhile Microsoft and "app" developers are training normal users to avoid updates by continuing to push anti-user updates...


BTC will increasingly become viewed as playing a significant role in these incidents. Legislation antithetical to crypto currencies should be expected with bi-partisan support. I would imagine fairly soon.


This is why “it’s just like cash but better, and humanity has been using cash for centuries” is not a valid argument for adoption of cryptocurrencies. Cash has fundamental scale-limiting properties; cash without those properties is a qualitatively different beast for which there’s no precedent in humanity’s history. The above argument actively conceals the sheer scope of unknown unknowns.


Cat is out of the bag I think.

Even if you shut down the cashing out infrastructure (exchanges) in the affected countries, it will quickly spring up again in countries belligerent to them. The FATF is the main global body trying to curb this, but my hunch is they will lose this battle long-term.

Imagine if you are on the FATF red list [1] and you announce a free-for all domestic exchange for local spending. It's free FDI.

[1] http://www.fatf-gafi.org/countries/#high-risk


This would be terrible in the long term because without ransomware companies regularly carrying out such attacks, vulnerabilities would remain unaddressed until a rival nation decides to use them. Much better to have one pipeline temporarily shut down now than for China or Russia to shut them all down at once sometime in the future.


I assume you're thinking of blockchain tech? How do you think the genie will be put back in the bottle?


BTC has value because people exchange it for "real" money. If BTC is heavily regulated or outlawed, a whole lot of folks are going to duck out. It's one thing to try and get in on the ground floor of the latest meme stock, it's another thing to buy into a currency/practice that's illegal in your country.

Add onto that making it illegal to pay ransoms in BTC, and then there's really no value in using it as a ransomware currency. No one is buying it, so all you are getting are some random digits on a piece of paper.


The US and other governments will outlaw all cryptocurrencies but the ones that they control ("Govcoin," as The Economist refers to them). Game over.


You're assuming the US and other government are not using cryptocurrencies for their own covert transactions.


So what? Many governments have nuclear weapons arsenals but they don't make it legal for everyone to buy or manufacture atomic bombs.


I would expect that the drug production and export business is a more apt analogy.


> The US and other governments will outlaw all cryptocurrencies but the ones that they control ("Govcoin," as The Economist refers to them). Game over.

Just like how outlawing drugs ended the drug trade.


Outlawing a thing except for when the government controls it is just another way of saying government regulation. Which is both common and successful.

When was the last time you drank bootleg liquor? Answer: I don't know of course, but for most people in rich western countries I would think the answer is never.


It's a good point but that's a particularly bad analogy. Brewing and distilling are strongly culturally ingrained, at least in the west. I live in a state where (last I checked) no legal method exists to distill ethanol for personal use. Nonetheless, a surprising number of acquaintances over the years have had stills and offered me samples.


Do you think your local circumstances are broadly generalisable? I would be surprised.


In the US, honestly, yes. I've had the same experience in two different states at this point and friends who relocated from other places have reported similar. I mean, you can literally order a small still that you use on your stove top from Amazon!

I think it just depends on the sort of people you choose to spend time with.


Well mark me down as dubious but not invested enough to research it. However, I do wonder if you/they test or filter for poisonous impurities like methanol? Seems like a bit of a risk?


Testing and filtering are accomplished by the distillation itself. A very basic understanding of what comes out when is more than enough for a simple pot still and only one or two passes. Humans have been doing that since long before the concept of a molecule even existed.

If you decide to mess around with a large fractionating column though, do read up and make sure you have a full conceptual understanding of how the chemistry works. Even seemingly benign chemicals can be extremely dangerous to ingest or handle once concentrated. (For example, vinegar. Dilute acetic acid makes for a good salad dressing. Above 90%, contact will leave you with severe burns and scarring.)


How so? The US has banned heroin, cocaine etc but it never provided a state-sanctioned alternative.


Blockchain has many uses, including as a record of transaction. Crypto currencies are merely a subset of what might be available using blockchain. Legislation can certainly target that subset.


I looked at their available posted jobs on Friday as news broke about the attack. Colonial has had a position for Cybersecurity Manager open for 30+ days. I wonder what happened to the old manager....


…first to be questioned by the Feds no matter what terms they left under. Too important an attack for that institutional knowledge to stay out of the fray.


Seems like this company has more than just IT problems https://newrepublic.com/article/161498/huntersville-north-ca...


Incredible. This company must be penalized, but I don't have any faith they're gonna change.


Amazing. I live in the Carolinas and hadn't heard of this. Sounds like maybe we should be thanking the hackers for shutting this thing down.


Ransom ware seems like a potential antidote to vulnerable US digital infrastructure. It provides a persistent, material bug bounty which incentivises the C-suite to fix them.


Yes! The ultimate bug bounty program! Instead of ranking on some HackerOne or Bugcrowd leaderboard, you rank on the FBI's most wanted list!


> which incentivises the C-suite to fix them.

It doesn't. It provides C-execs with material to significantly increase the cyber defense budget, not to overhaul the information system.

For those executives these are two different topics with different budgets.

Of course for regular engineers it's not; legacy infrastructure is probably much simpler to hack than a modern one.


A lot of people are talking about the the results of this hack and a little bit about the industrial control systems, but no one is really addressing the hack itself.

>James Chappell, co-founder and chief innovation officer at Digital Shadows, believes DarkSide bought account login details relating to remote desktop software like TeamViewer and Microsoft Remote Desktop.

>He says it is possible for anyone to look up the login portals for computers connected to the internet on search engines like Shodan, and then "have-a-go" hackers just keep trying usernames and passwords until they get some to work.

Nothing sophisticated, nothing difficult; you just need some capital in the bank to buy some leaked credentials someone else worked hard to poke at. That is, some academic security person on a PhD worked hard for months to find some bug in software back in 2014, that turned into code someone else copy-and-pasted back in 2017, that yielded a dump in 2019 that some other hackers actually probed for some sucker's old login details he probably didn't even realize were in a dump, or might not even use anymore! The only hard work in this story is what that academic did in 2014, and he definitely probably has no connection to the criminals who basically got the president to issue a national emergency.


> who basically got the president to issue a national emergency.

*got the Department of Transportation to...

Further, aren't such blind credential attempts really noticeable if anyone is checking the access logs?
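
The pattern described a few comments up (buying leaked credentials, finding RDP or TeamViewer portals via Shodan, then trying logins until one works) is loud in the logs if anyone reads them. As an added example, not written by either commenter, here is a small detector over a constructed CSV export of Windows Security events 4625 (failed logon) and 4624 (logon), restricted to LogonType 10 (RemoteInteractive, i.e. RDP). The field names match the event XML; the timestamps, usernames, IPs and thresholds are made up for the example. TeamViewer keeps its own connection logs, which this does not parse.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: a CSV export of Windows Security events 4625 (failed
# logon) and 4624 (successful logon), keeping only the fields the detection
# needs. LogonType 10 = RemoteInteractive (RDP). All values are made up.
SAMPLE_LOG = """\
TimeCreated,EventID,TargetUserName,IpAddress,LogonType
2021-05-06T02:14:03,4625,administrator,203.0.113.45,10
2021-05-06T02:14:05,4625,admin,203.0.113.45,10
2021-05-06T02:14:07,4625,jsmith,203.0.113.45,10
2021-05-06T02:14:09,4625,backup,203.0.113.45,10
2021-05-06T02:14:11,4625,scada,203.0.113.45,10
2021-05-06T02:14:13,4625,jsmith,203.0.113.45,10
2021-05-06T02:14:15,4625,jsmith,203.0.113.45,10
2021-05-06T02:14:17,4624,jsmith,203.0.113.45,10
2021-05-06T08:01:00,4625,mlee,10.0.0.21,10
2021-05-06T08:01:20,4624,mlee,10.0.0.21,10
2021-05-06T09:30:00,4624,ops,10.0.0.33,10
"""


def parse(text):
    """Parse the CSV export into dicts with typed TimeCreated and EventID."""
    lines = text.strip().splitlines()
    header = lines[0].split(",")
    rows = []
    for line in lines[1:]:
        rec = dict(zip(header, line.split(",")))
        rec["TimeCreated"] = datetime.fromisoformat(rec["TimeCreated"])
        rec["EventID"] = int(rec["EventID"])
        rows.append(rec)
    return rows


def detect(rows, window=timedelta(minutes=10), fail_threshold=5, spray_users=3):
    """Return alerts as tuples (kind, source_ip, ...). Thresholds are assumptions.

    brute_force / password_spray: >= fail_threshold failures from one IP inside
      `window`; spray if they span >= spray_users distinct accounts.
    success_after_failures: a 4624 from an IP that produced >= fail_threshold
      failures in the preceding window, i.e. the guess that worked.
    """
    by_ip = defaultdict(list)
    for r in rows:
        if r["LogonType"] == "10":  # only RDP logons, the path in question
            by_ip[r["IpAddress"]].append(r)

    alerts = []
    for ip, events in by_ip.items():
        events.sort(key=lambda r: r["TimeCreated"])
        fails = [e for e in events if e["EventID"] == 4625]

        # Sliding window over failures; first window that trips raises one alert.
        for i, first in enumerate(fails):
            win = [f for f in fails[i:] if f["TimeCreated"] - first["TimeCreated"] <= window]
            if len(win) >= fail_threshold:
                users = sorted({f["TargetUserName"] for f in win})
                kind = "password_spray" if len(users) >= spray_users else "brute_force"
                alerts.append((kind, ip, len(win), users))
                break

        # A success preceded by a burst of failures from the same source.
        for s in (e for e in events if e["EventID"] == 4624):
            prior = [f for f in fails
                     if timedelta(0) <= s["TimeCreated"] - f["TimeCreated"] <= window]
            if len(prior) >= fail_threshold:
                alerts.append(("success_after_failures", ip, s["TargetUserName"], len(prior)))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse(SAMPLE_LOG)):
        print(alert)
```

On the sample this flags 203.0.113.45 twice: a spray across five account names in twelve seconds, and the jsmith logon that followed it. The legitimate user with one typo (10.0.0.21) stays below threshold. The weakness in the approach is that one check per source IP is exactly what an attacker rotating through a proxy pool avoids; the second rule, tying a success to recent failures regardless of source, is the one to keep when the first stops firing.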


I seriously don't understand why the pipeline operators don't have some contingency plan or have simulated scenarios like this which enable them to roll back systems immediately to some usable state.

How the hell is some random ransomware gang able to shut down critical infrastructure at purely a software level


That sort of scenario preparation takes a lot of time for planning and design to support work-arounds. If the business thinks this is low risk, they won't invest, no matter how significant the scenario could be.

Businesses train and prepare for scenarios that make money, not scenarios that may lose money. I used to do a lot of work related to safety across industries and I can assure you, every business I worked with was only interested in the bare minimum of legally required safety. It was rare to see a business interested in investing resources into things like safety or security vs something that might directly increase their revenue streams.


IT/Security/Software is all secondary for a pipeline operator, whose main business is to move liquids from A to B over a set of fixed pipes put in place decades ago.

Without some forcing function to have cybersecurity threats taken seriously, industrials are unlikely to suddenly develop tier-1 security protocols.


Given that this is preventing them from moving liquids from A to B they should realize that protecting their system isn't a secondary concern.


Would be interested in seeing if this does result in a change in their processes, or if they will just accept the risk of this happening as a "risk of doing business".


If things go wrong, they receive millions in resources from the FBI/Federal Law Enforcement. Unless they get a bill, it's likely that they will continue their lax practices.


> I seriously don't understand why the pipeline operators don't have some contingency plan or have simulated scenarios like this which enables them to roll-back systems immediately to some usable state.

I would expect that most companies, even companies whose core product is technology, are not capable of what you describe.


With tons of companies paying insane software engineering salaries, I doubt that a pipeline operator that probably doesn't invest much in IT at all is attracting the best talent either.


This is predicated on computer systems outside of the tech industry not being held together with zipties and prayers.


Something doesn't quite add up. I feel like we don't have the full story:

>After seizing the data, the hackers locked the data on some computers and servers, demanding a ransom on Friday. If it is not paid, they are threatening to leak it onto the internet.

So... that constitutes a state of emergency? What data would they have that would be so sensitive? More likely they have hooks deep into the operation of the pipeline and may be threatening to shut it down/destroy it if not paid. Or, rather, they may be having trouble restoring operations without paying the ransom.

Side note/speculation: Will the feds make a move against crypto?


As per the article:

> The emergency status enables fuel to be transported by road.


The fuel company in question apparently handles 40% of all the fuel in the NE seaboard. So that's probably a problem.


> Or, rather, they may be having trouble restoring operations without paying the ransom.

Usually your only option with a ransomware attack is restoration from backups. So no backups or bad backups means no system.

It certainly sounds like this may be the case given that it’s triggering emergency orders. If so, it is being omitted from official accounts.


* There exists a decryption tool for DarkSide https://labs.bitdefender.com/2021/01/darkside-ransomware-dec...

* Critical infrastructure should not be allowed to run on Microsoft Windows

* The remote workers, through which the attack was performed, didn't even use a VPN, just TeamViewer and MS Remote Desktop.


I don't see this being called a "State of Emergency" anywhere but that BBC article. There's nothing on the Whitehouse.Gov briefing room, google news, etc.

https://www.whitehouse.gov/briefing-room/


It's not clear to me that this is actually a "state of emergency". The BBC has now quietly amended their headline to say "US passes emergency waiver over fuel pipeline cyber-attack." (The web page calls it a "Regional emergency declaration.")


My inherent cynicism leads me to believe the real reason they shut down the pipeline was because the attackers took down the accounting system.


I like how they "guarantee support in case of problems" after you pay them. God forbid they lose a customer. Are they going for repeat buys?


No but they want to get a reputation that paying them makes the problem go away. With that reputation, more people will pay instead of thinking it's a waste of money as the data are gone one way or another.


I saw a youtube video once of someone trying to communicate with ransomware attackers and their support was better than even some legit companies. It was funny as hell how they were so 'professional' about it


They want to ensure ransoms are paid by there being lots of sources that say they do what they say. The kneejerk reaction is to be skeptical and waste time. The only reaction is to determine if you have a backup or not, or if the consequences are favorable or not. In all of the “or nots” then you pay and move on.

In the absence of consumer protection, word of mouth (or the compulsory google results) is key.


Gotta honour the Pirate Code.


Brought to you by Bitcoin.


You never had to worry about ransomware back when we used clay tablets for accounting.


You're getting downvoted, but how many ransomware attacks would be successful if a bank account was required?


Bitcoin's not the problem, America's shitty corporate culture around not treating cybersecurity as a priority is the problem.


Technological advancements happen because of a confluence of different events, each contributing to its eventual success.

Bitcoin is absolutely one of the components that allows for the proliferation of ransomware. The key to a ransom is the ability for the attacker to obtain payment in an way that doesn't put them at risk of being caught. BTC enabled that. In fact, anonymous payments are widely considered to be one of the major purposes of BTC.

If ransomware was a positive thing, then BTC advocates would be talking about how BTC is the key technology that enabled malware to make the transition from hobby/annoyance/weapon to a full-fledged industry.


Any chance this acts as a catalyst to face the ransomware problem head-on? Someone in a position of power in US intelligence agencies has to know this won't be the last time that a massive piece of infrastructure is taken down.


We knew about this since before 2000 probably, earliest articles I could find : 2007, 2009 : https://www.cfr.org/backgrounder/americas-vulnerable-energy-... , https://www.wsj.com/articles/SB123914805204099085


This is depressing and not going to stop because it is so lucrative and relatively easy for these malware companies to find victims. It makes me wonder if cybersecurity should be considered a state responsibility and infrastructure so it will be uniform and available for every business like electricity or police protection.


If it is uniform then when a weakness is found, the whole economy can be exploited; rather than isolated companies.


Isn’t this already the case? Like SolarWinds?

