
That gang may have bitten off more than they can chew. They've now gotten the US government involved officially, which means that beyond the sheer mass of resources that will go into tracking this gang, the government also has something to prove now.

Being at the center of an international incident is probably not good for business.




When you said “the gang”, I had an image of the gang from “It’s Always Sunny” writing their first virus and this being the result. I’d watch that episode.


When the Feds catch up to them, Dennis and Mac are loading frozen beef into the back of his car and are legitimately confused by what the cops are saying. They moved past the virus several weeks ago and have had literally dozens of plans since then.


And then Charlie walks out and goes "Ooooh, uh oh, uh yeah, guys you know what... I think I know what they mean. Last week when everyone was talking about the virus, I had just watched this really cool cyber hacking movie on TV the night before, so I kinda zoned out and didn't know what our next scheme was, so when I went home I paid someone on the darkweb for a virus just like in that movie-"

Dennis: "How the hell do you have money to pay people on the darkweb Charlie?"

Charlie: "KittenCoin"

Dennis: "Oh god dammit, KittenCoin? You did that huh? Alright, checks out. Anyways, so then what happened?"

Charlie: "Well then I didn't really know what we were doing still, so I just emailed the file the Russian kid sent me to your email, but I totally messed up the address cause my fingers were all sticky with peanut butter at this point and-"

Dennis: "WHY WERE YOUR- You know what, not only do I not wanna know, but I'm also gonna take a stab at how this story ends. Charlie, are you telling me you made a scam cryptocurrency and then used the profits to pay some sketchy Russian hacker for a ransomware virus, which you then emailed to a random address with a subject line something along the lines of 'FOR FRIEND, IMPORTANT FILE, FOR PLAN, GIVES MONEY', which obviously enticed the random receiver to open said email, promptly starting a massive email worm that managed to spread its way into the government's oil pipelines?"

Charlie: "That's... Uh, yeah, yup, yup, that's pretty much spot on dude, I'm pretty sure."


The Gang "Solves" the Gas Crisis (2021)


I think it would have to be "Still Solving the Gas Crisis".


Lol, this was my first reaction as well; they now have a nation-state on their ass. But that being said, it's not impossible that this was just a cover for a Russian state-sponsored attempt on US infra.


If I were running the Russian hacking center in charge of pwning US infrastructure, I'd be pissed as hell. This is like getting vaccinated -- all of a sudden we're going to take this seriously and patch a bunch of exploits that they've had ready to go.


Maybe this gang doesn't need to worry about the US going after it, it needs to worry about the FSB going after it for screwing up its game plan...


"nation-state" is not just a fancy infosec word for country, and there's some debate as to whether the USA constitutes an actual nation state, rather than a state.


We regret to inform you that language is mutable.


Now introducing, TypeLang! A strictly typed spoken language with core emotional concepts built into the standard library and immutability as default. Easily transpiled into dozens of different languages, such as English, Japanese, JavaScript, and Smooth Jazz.


See https://en.wikipedia.org/wiki/Esperanto; not exactly what you are looking for, but :)

Also French has an official body that authorizes words.


We really need SI units for emotions. Something that can be based on reproducible observations.


A megasophia of wisdom.


> "nation-state" is not just a fancy infosec word for country,

This is pedantic and adds no value. In what sense could the precise definition of "nation state" matter? In this context everyone understands the phrase in exactly the way it's meant -- a resourceful national government.


:thumbs-up:

Some people can’t stop fighting “blasphemy,” even if they aren’t in a classic religion.


The USA is absolutely a nation state. Coca-Cola, McDonald's, Christmas, English, etc. are well dispersed throughout the entire population. We have a uniform culture, although not as uniform as much smaller countries, but uniform nonetheless.


> Coca-Cola, McDonald's, Christmas, English

These are well dispersed throughout the world...


Cultural dominance isn’t an argument against national cohesion.


Arguably the "nation" of the USA extends into England, Australia, Israel and a few other places which have taken a lot of the culture.


> A nation state is a state in which a great majority shares the same culture and is conscious of it. It has been described as a political unit where the state and nation are congruent. It is a more precise concept than "country", since a country does not need to have a predominant ethnic group. [1]

Interesting.

[1] https://en.wikipedia.org/wiki/Nation_state


Yes, because the Russian state has nothing better to do than inconvenience the operation of a foreign fuel pipeline for a few days.


Believe it or not, massive governments that employ hundreds of thousands of people are capable of doing multiple things simultaneously.

I don't think there's any evidence this was state-sponsored, or even state-approved, but "oh there's better things to do" is not a good argument in the least.


I'll keep it in mind the next time a horse bolts from a barn in some foreign country - 'Clearly, this was the CIA's doing. There's no evidence for it, but they have the capability, and their motives are sufficiently sinister and shadowy, and while there's no reason for them to be engaging in medium-scale hooliganism on the other side of the world, they could be the ones responsible!'


The Russian Government had huge motive for this attack, they were not at all happy about the United States' retaliation for SolarWinds/Election interference. Shutting down a major oil pipeline in the United States is not "medium-scale hooliganism."

Also shouting 'No Evidence' is a typical tactic the propagandists use to cast doubt and muddy the waters; surely the attackers would love to see what evidence is available, so they can adapt - that's why evidence is largely kept private.


Why do you assume that propagandists only work for them?

What makes you think propagandists on our side would never use lack of evidence to make whatever they want up, and cite your exact reason as justification?

This is medium-scale hooliganism in the sense that the end result isn't going to accomplish more than a dedicated idiot with a toolbox and a grudge against gas pipelines couldn't achieve. IT will clean things up, operations will resume, life will go on.

Not to mention that this gives the industry another, rather low-stakes kick in the ass to take IT security seriously.


Russia and China have been suspected of doing things like this for years. And who says it's just to inconvenience them? There will be other things happening because of this, and this could impact other nations in a positive manner.


> Russia and China have been suspected of doing things like this for years.

By who? People who never provide evidence for their claims?

> There will be other things happening because of this, and this could impact other nations in a positive manner.

While it's certainly possible that the FSB is playing 59-dimensional chess, here, hoping for a true butterfly-effect sequence of causality, I think the onus is on you to demonstrate that.


> By who? People who never provide evidence for their claims?

By lots of countries. The US charged four Chinese military officers for hacking Equifax.

> While it's certainly possible that the FSB is playing 59-dimensional chess, here, hoping for a true butterfly-effect sequence of causality, I think the onus is on you to demonstrate that.

You seem to think that it would require multiple things to fall into place to benefit a foreign country. Say you want to manipulate the price of the fuel. Increasing the costs of transport would do that.


Hacking Equifax[1] makes sense, because it is directly useful for intelligence work. Find people of interest who have credit problems, and lean on them. [2]

This isn't even a blip on the radar of global fuel prices. It is completely lost in the noise. [3]

[1] Or the OPM, since it was kind enough to have lists of 'all spies operating abroad' on its intranet. Whoops.

[2] I mean, you could also just pose as a landlord or employer, and ask for credit checks on them, it costs ~$30 per query, but it is what it is.

[3] If the FSB really wants to increase demand for fuel, they should try stalling a junker or two on an interstate bridge... Imagine the fuel wasted from all the cars idling, or taking detours!


I'm just pointing out that countries have been hacking each other for ages, and specifically infrastructure. That was originally stated as absurd because there is no benefit to them, which is hard to claim considering you don't know all the basic effects this attack is having. And who said they wanted to raise global fuel prices?

End of the story is that intelligence agencies around the world have been bulking up for cyber warfare for at least a decade. Russia and China have been fingered repeatedly for cyber attacks. It is not completely outlandish that one of them is behind it for whatever reason. I'm pretty sure the entire point of these agencies is that we don't know what they do or why they do it.


I'm not super-knowledgeable about cybersecurity, but shouldn't simply using TOR make it nearly impossible for the US government to track them down?

If they want to go overkill, they can additionally use a public VPN account purchased using Walmart gift cards bought on eBay using a stolen identity and then mailed overseas.

They can also perform the hack using a brand new computer that they never use again afterward.

It just seems to me like the attacker has most of the advantage here if they know what they're doing.


That would work against network tracking of the actual connection, but that is not the main means of attribution and tracking culprits.

One way is to look at any tools and artifacts used/deployed - it's not common that only "off-shelf" tools are used, and as soon as there's anything custom, most likely it's not a one-off thing that never ever appears anywhere else; if you got it from someone, that's a potential lead; if you wrote it yourself, you're likely to use it (or a modified version) elsewhere, so if you make a mistake in one "gig" then it can relate to all your other activities as well.

Another is people - those things are often not done alone, and people talk, especially if they get detained for something else. And last but not least, the money trail sometimes leads to results as well.

But the key thing is that even if you do everything securely enough, it can work once or a couple times if you're careful enough, but nobody is careful enough to sustain proper opsec all the time, everyone makes mistakes every now and then. These things often take years to resolve, but the legal system has sufficient patience to link something done five years ago to a mistake you'll make next year.

There's sort of an asymmetry for an attack - that if the defender closes 99 vulnerabilities but leaves one, that one is enough for an attacker to get in; but there's a similar asymmetry for detection; if the attacker hides their trail in 99 ways but leaves one, that one is enough to find them afterwards.


> I'm not super-knowledgeable about cybersecurity, but shouldn't simply using TOR make it nearly impossible for the US government to track them down?

PSA: There are known traffic correlation attacks against Tor. It's not magic security dust you can sprinkle on a system. If you're doing thoughtcrimes, assume any G10 intelligence service can track you down. (If you're into extortion, human trafficking/exploiting children, or financing/advocating violence against civilians, then Tor is totally magic and is 100% guaranteed to make you invincible. Tor is all you need a-hole.)

Tor intentionally makes latency-privacy tradeoffs to make web browsing usable. I'm not familiar enough with Tor internals, but I believe applications have no control over these tradeoffs.

Anyone know if I2P allows applications to adjust latency/privacy tradeoffs? (Conceptually, you want your store-and-forward mixnet to use a priority queue for each hop, setting a deadline when each message arrives, and filling the pipe with expired messages first, and then non-expired messages in uniform random order. Applications more tolerant of latency get their traffic spread over a longer window. Per-hop latency targets should allow applications to avoid hop-to-hop correlations in latency targets.)
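The store-and-forward hop sketched in the previous paragraph, written out as an added example (not code from the original comment, nor from I2P or Tor; `MixHop`, `per_hop_budgets` and the message names are my own): each arriving message gets a deadline from the latency budget its application grants this hop, expired messages leave first, and any spare capacity is filled with not-yet-due messages in uniform random order. `per_hop_budgets` splits an end-to-end budget into random per-hop targets.

```python
import heapq
import random
from dataclasses import dataclass, field


@dataclass(order=True)
class Message:
    deadline: float                       # time by which this hop must forward it
    msg_id: str = field(compare=False)    # assumed unique per hop
    arrived: float = field(compare=False)


class MixHop:
    """One store-and-forward hop with a per-tick output capacity.
    dispatch() honours deadlines first, then fills the pipe with a uniform
    random sample of the remaining (not yet due) messages."""

    def __init__(self, capacity_per_tick, rng=None):
        self.capacity = capacity_per_tick
        self.rng = rng or random.Random()
        self._pending = []                # min-heap keyed by deadline

    def receive(self, msg_id, now, latency_budget):
        heapq.heappush(self._pending, Message(now + latency_budget, msg_id, now))

    def dispatch(self, now):
        out = []
        # 1. Messages whose deadline has passed go out first, earliest deadline first.
        while self._pending and self._pending[0].deadline <= now and len(out) < self.capacity:
            out.append(heapq.heappop(self._pending))
        # 2. Spare capacity is filled at random, so the order of latency-tolerant
        #    traffic at this hop carries no arrival-order information.
        spare = self.capacity - len(out)
        if spare > 0 and self._pending:
            picked = self.rng.sample(self._pending, min(spare, len(self._pending)))
            chosen = {m.msg_id for m in picked}
            self._pending = [m for m in self._pending if m.msg_id not in chosen]
            heapq.heapify(self._pending)
            out.extend(picked)
        return [m.msg_id for m in out]

    def backlog(self):
        return len(self._pending)


def per_hop_budgets(total_budget, hops, rng=None):
    """Split an end-to-end latency budget into random per-hop targets so the
    delay observed at one hop does not predict the delay at the next."""
    rng = rng or random.Random()
    cuts = sorted(rng.uniform(0, total_budget) for _ in range(hops - 1))
    bounds = [0.0] + cuts + [float(total_budget)]
    return [b - a for a, b in zip(bounds, bounds[1:])]


if __name__ == "__main__":
    hop = MixHop(capacity_per_tick=1, rng=random.Random(7))
    hop.receive("bulk-sync", now=0, latency_budget=10)   # constructed: latency-tolerant
    hop.receive("chat-msg", now=0, latency_budget=0)     # constructed: wants to go now
    for t in range(3):
        print(t, hop.dispatch(t))
    print(per_hop_budgets(6.0, 3, random.Random(7)))
```

With capacity 1 the urgent message leaves at tick 0 and the bulk message is held and released later; raising the bulk message's budget only widens the window over which it can be released.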


I don't know much about TOR but recall reading speculation that the NSA operates a majority of the exit nodes.


Yes, you can pick tunnel length in I2P.


But, can you allow some nodes to queue messages for a longer period of time?


No, it is designed for low latency communication.


Getting operational security right is surprisingly hard.

The really hard part is that you need to have gotten it right some years ago already.

I remember that I read the other day that a bitcoin tumbler operator was charged with money laundering. The way they got to him was tracking the initial funds that started the tumbler, which were purchased from an exchange and not obfuscated.

There are all kinds of things you can get wrong: your build tools could accidentally store compromising metadata in your malware; payments from previous campaigns could be tracked; a single non-TOR access to the command & control infrastructure could get you busted, as could a single login to an email provider you used to communicate with somebody related to the ransomware operation.

All in all, if you have a larger team, the chances of at least one person messing up aren't too small, and then it's a matter of the investigators pouring enough money and attention into the case to find it.


As a rule, there is no off-the-shelf software solution that you can simply use to avoid being detected by the NSA or other powerful nation intelligence services. Even if there were, they are not limited to tracking you through technological means - they very much know how to find people the old-fashioned way as well.

That's not to say that it is impossible to hide from them, but it's never simple, when they're actively looking for you.


No. Running enough TOR entry and exit nodes allows one to unmask initial connections[1].

One can suspect a healthy percentage of Tor nodes are operated by Governments as TOR was developed and released by the US Navy[2].

[1] https://www.theregister.com/2015/05/30/researchers_claim_tra...

[2] https://www.torproject.org/about/history/


Tor isn't perfect. Government agencies like to create TOR endpoints/nodes that allow collection of bulk traffic data. They can't see exactly who sent specific packets or their exact contents by looking at them individually, but they can see which node it just came from and where it's going next. By watching traffic to entry and exit points they can create probabilistic models based on traffic volume that can allow them to identify where large volumes of packets most likely came from when they're already watching the destination. This is how they tend to catch drug dealers and similar illegal transactions using TOR, together with a similar setup that monitors cryptocurrency transactions, watching either known bad agents (criminals, dark web sites selling illegal goods, suspects, etc.) or suspected targets. By combining the two data sets they've even identified who certain cryptocurrency wallets belong to. The main thing to be aware of is that it's extremely difficult for them to identify anyone with low traffic levels, or who does not interact with actively monitored actors/targets.


> shouldn't simply using TOR make it nearly impossible for the US government to track them down?

Not even close. Tor kinda secures one aspect of very many, but kinda doesn't.

It attracts attention: Governments actively try to defeat Tor. And if they are looking for a criminal, they might look first at Tor users. In fact, they collect data on Tor use before a crime is committed.


Doesn't every cyberattack get attention from the U.S. government? After all, carrying out a cyberattack is a federal crime.


Not this kind of attention. Oil pipelines are considered critical energy infrastructure. This will likely be viewed as a national security threat.

The US government will have to respond to deter others. They have "poked the bear".


Yes, in the sense that it gets reported to law enforcement and investigative agencies. Without being specific, I was a victim of identity theft and cybercrime. My incident was “reported to the FBI” but I’ve literally never heard anything back from them.

In practical terms there needs to be something special about the cyberattack for the government to devote any resources towards it.


How could it? There are thousands of cyberattacks against US companies and infrastructure every day.

There are cyberattacks and then there's going after the most important domestic energy line of a superpower.

This is quite different from your run of the mill cyberattack, they're not all created equal.


This is exactly right.

It all depends on the attention these attacks get. Now that they've had a tangible effect on the news cycle, creating concern about the safety of US energy infrastructure, there will be more incentives for the Government to hunt them down and get credit for doing so.

I think I read somewhere that China-based attackers have already penetrated networks of major US infrastructure systems but didn't do anything, because what's the point of wreaking havoc now? Better wait for more opportune times.

Which also seems to indicate that this may not be a Nation State... they would be after a bigger prize than some bitcoins.


I think it's 50/50 some real gang vs a branch of the NSA who sees how pwned the US infrastructure is and wants to make a (fairly harmless) splash so we take it more seriously and patch our shit.


Wouldn't the NSA branch be "disciplined" if they were found out? Seems risky.


The difference between "the FBI will look into it if they find some spare time" and "you've made the top 10 target list of the NSA".


I'm going to link this here: https://attack.mitre.org/ Those are only the reported attacks. You could check groups as well, and their TTPs.


> That gang ...

Maybe it's another government, trying to sow chaos, disrupt markets, test US response capabilities, etc.


Could be, but ransomware gangs are a dime a dozen, and many are simply financially motivated.

It's just a very profitable business model.


This was a very stupid thing to do, if it was a ransomware gang.


Maybe it's the CIA, trying to increase hostilities between the United States and some other country.


Third administration in a row to do nothing. Read Sandworm. The wolf is in the hen house now and nothing will still be done.


That almost sounded like a Hollywood-like prologue. Nothing interesting, nothing the average Joe doesn't know, just your fantasies.

Good


The US Govt is fit for nothing beyond setting up social media offices these days.
