DarkSide Hacker Cyberattack Cause Colonial Pipeline Shutdown : The Indicator from Planet Money

A cyberattack forced the shutdown of a major U.S. fuel pipeline, and the hackers wrote ... a press release? We discuss the business of hacking, and why hackers would give a press statement.

The Hacking Business

SYLVIE DOUGLIS, BYLINE: NPR.

(SOUNDBITE OF DROP ELECTRIC SONG, "WAKING UP TO THE FIRE")

STACEY VANEK SMITH, HOST:

This is THE INDICATOR FROM PLANET MONEY. I'm Stacey Vanek Smith.

Over the weekend, news broke about a massive cyberattack on an oil pipeline that stretches more than 5,000 miles from the Gulf Coast all the way to the northeast of the United States. The pipeline is run by this company called Colonial, and it is responsible for delivering nearly half of the gasoline and jet fuel used on the east coast. Hacking has become a huge global business, and hacker groups are bringing in billions of dollars from desperate companies and individuals trying to get their data back or regain access to their systems. The White House has said a group of hackers known as DarkSide is responsible. They're thought to operate out of Russia. And in a very interesting twist, DarkSide released a public statement.

I mean, I'm looking at a press release right now saying, like, we are apolitical. We do not participate in geopolitics. I mean, is this typical or...

JAYA BALOO: This is not typical.

VANEK SMITH: Jaya Baloo is the chief information security officer at Avast Software, an antivirus company.

BALOO: There's a whole bunch of ransomware groups. Not all of them take the effort to issue these type of statements, to, you know, do press releases. The question is, why are they doing such a good communication strategy?

VANEK SMITH: Today on the show, the hacking business - how big is it? Who is it targeting? And why would a group of hackers bother with a press release?

(SOUNDBITE OF MUSIC)

VANEK SMITH: What went through your head when you saw the news?

BALOO: The first thought that went through my head is how good we are at getting attacked, actually. And this is saying something.

VANEK SMITH: Like, how good the U.S. is at getting attacked by cyberattackers.

BALOO: Well, it's not just the U.S. anymore, unfortunately. We saw it during the COVID pandemic. We saw ransomware also getting to hospitals. I mean, we've seen tons of critical infrastructure being held at the mercy of these attackers, who are pretty much deploying rather standard, by this point in time, methods to go and victimize really important pieces of infrastructure that we all depend on.

VANEK SMITH: So if you don't mind getting very, very basic, like, what exactly happens in a ransomware attack? I mean, I know there have been some really, really high-profile ones. Like, Sony got slammed with a huge one. I also remember the infidelity dating site, Ashley Madison. I remember they had a very theatrical hack happen to them.

BALOO: I love this because I think it was almost like a movie plot. The employees came to work. And when they turned on their machines, it started blasting AC/DC.

VANEK SMITH: (Laughter) Which song?

BALOO: It was "Thunderstruck."

(SOUNDBITE OF SONG, "THUNDERSTRUCK")

AC/DC: (Singing) Thunderstruck.

BALOO: (Singing) Thunderstruck.

And yeah, it was awesome. I mean, it wasn't awesome. Obviously, it wasn't really awesome, but you get, like, the movie plot imagery that happens. So they come to work. AC/DC's "Thunderstruck" is blasting at full-pitch.

(SOUNDBITE OF SONG, "THUNDERSTRUCK")

AC/DC: (Singing) We're doin' fine.

VANEK SMITH: So obviously, you know, you could be locked out of your email. That doesn't seem like that big of a deal. Maybe it is a little bit if things get leaked. But, like, what are companies getting locked out of that is so valuable? - because the ransoms are often for millions of dollars.

BALOO: Well, let's be honest. It's millions of dollars because it's not just about the connectivity and the access. It's also about the data that's been encrypted in the first place. In the case of the Sony attack, it was months of embarrassing details about all these actors that were under contract to Sony and, you know, racist comments by management and terrible stuff, so nobody wants this information out there.

VANEK SMITH: Is there also system stuff in addition to, like...

BALOO: Yes, absolutely.

VANEK SMITH: ...The sort of embarrassment factor? OK.

BALOO: No. And unfortunately, like, the systems that are interconnected that are not just, like, the IT of the company but also the operational tech of the company - they are still running at a, very often, base system of just regular Windows. And unfortunately, these systems can be compromised during such an attack. So it's, you know, not just like, oh, let's just shut off internet access for the company. You have no email. It could be that part of that really critical infrastructure that actually runs that pipeline or operates that technology of the pipeline also needs to be shut down because it's running on Windows.

VANEK SMITH: So this organization DarkSide, I mean, is it, like - do they have offices? Is it a traditional-looking company or not?

BALOO: Some of their practices are certainly traditional in the sense of their communications, their operations, their methods, the way that they have taken quite a professional stance to a lot of the communications they've had with their victims to ensure them that they will actually see their data back if they pay the ransom.

VANEK SMITH: Yeah, they're organized.

BALOO: They're very organized with, you know, a call center handling, like, customer questions and complaints - so really incredibly well-organized in that regard.

VANEK SMITH: Like, a call center people can call in to - it's like so...

BALOO: Yes.

VANEK SMITH: If you've been hacked, press one. If your systems have been frozen, press two (laughter).

BALOO: Kind of like that.

VANEK SMITH: Your call is important to us.

BALOO: Exactly. But it's...

VANEK SMITH: Really?

BALOO: Yes, really. And if you've taken a look at them, they say that they don't want to hack critical infrastructure. They don't want to hack for political motivations, and they're not, you know, really trying to hack hospitals, et cetera.

VANEK SMITH: I mean, I'm looking at a press release right now saying, like, we are apolitical. We do not participate in geopolitics. And they apparently give money to charity. It's like there's - I have...

BALOO: It's a little Robin Hood-y (ph). Yeah.

VANEK SMITH: It's a little Robin Hood-y. There's something sort of endearing about it. I mean, is this typical, or...

BALOO: This is not typical. There's a whole bunch of ransomware groups. Not all of them take the effort to issue these type of statements, to, you know, do press releases. I think what they've done very well from the beginning is a communications strategy. They've got that down. The question is, why are they doing such a good communication strategy? And I feel it's more to be kind of, like, professional about this and say, hey, ransomware is just a business, like everything else. And we say what we do, and we do what we say. So if you pay us, we get - give you your data back.

VANEK SMITH: I mean, that is really interesting that it's almost like - it seems like reputation is important, even for a group like this, because there needs to be the trust that if you give them money, they will give you your data back. So brand reputation is important, even among ransomware.

BALOO: Yeah. And I think this is, like, a gross, naive misassumption on the part of anyone who falls for this communications lure. Bottom line, they're still in the business of ransomware, and they will always harm folks that never should be harmed because they think it's a victimless crime. And we've proven with the potential impact of this attack that it's not.

VANEK SMITH: As you point out, DarkSide says that they won't hack hospitals and things like that. But obviously, there have been some high-profile hospital hacks. There was one after COVID started, I think, in New Jersey, where a New Jersey hospital paid something like almost $700,000. It seems like holding people's data hostage pays a lot. Is that fair to say?

BALOO: I think that's very fair to say.

VANEK SMITH: Is this, like, many billions of dollars a year or millions? Or how big is this business globally?

BALOO: I think it's many billions of dollars a year. If you take a look at the total cybersecurity threat that we're facing in 2021, we're looking at trillions in terms of the damage that's being caused by different types of cybersecurity threats.

VANEK SMITH: What kind of a threat does this pose to, I guess, the U.S. economy and other economies around the world?

BALOO: I think, honestly, this is a ticking time bomb that's only going to get worse, especially when it comes to critical infrastructure. You mentioned that hospital in New Jersey. There were hospitals all over Europe that still had this issue. There are universities that have these issues, and there are people who cannot pay that still become victims. But I think that, unfortunately, there's going to have to be an even worse one for us to kind of wake up and smell the coffee. It's not going to be enough to ask for critical infrastructure to be disconnected from the internet because pretty much everything is going to be connected to the internet, especially that operational technology. I mean, it hasn't stopped us from buying internet-connected toasters and blenders. It's not going to stop us from putting all of our network management facilities for all this critical infra (ph) online.

VANEK SMITH: Jaya, thank you so much for talking with us today.

BALOO: Oh, thank you so much, Stacey.

(SOUNDBITE OF AC/DC SONG, "THUNDERSTRUCK")

VANEK SMITH: President Biden is reportedly preparing an executive order strengthening cybersecurity for federal agencies. There is no word yet on whether or not Colonial has decided to pay off the DarkSide gang to get its data back or not.

(SOUNDBITE OF SONG, "THUNDERSTRUCK")

AC/DC: (Singing) Thunderstruck.

VANEK SMITH: This episode of THE INDICATOR was produced by Dave Blanchard with help from Josh Newell. It was fact-checked by Sam Cai. THE INDICATOR is edited by Kate Concannon and is a production of NPR.

(SOUNDBITE OF SONG, "THUNDERSTRUCK")

AC/DC: (Singing) Yeah, yeah, yeah. Say yeah, it's all right. We're doin' fine.

Copyright © 2021 NPR. All rights reserved. Visit our website terms of use and permissions pages at www.npr.org for further information.

NPR transcripts are created on a rush deadline by an NPR contractor. This text may not be in its final form and may be updated or revised in the future. Accuracy and availability may vary. The authoritative record of NPR’s programming is the audio record.