Targeting critical infrastructure has critical implications

The ransomware group that targeted the Colonial Pipeline claims they are in it for the money, not for a political reason. An interesting predicament for the attackers, defenders and the future of such attacks.

The recent ransomware attack on Colonial Pipeline is yet another brutal reminder of the implications of cyber security breaches. The attack’s effect was immediate – the pipeline was shutdown resulting in fear of a spike in gas prices. In addition, a state of emergency declaration for 17 states allows truck drivers to do more extra hours and get less sleep.

While the investigation of the attack is still ongoing, there has been an interesting development in the form of an announcement by the threat actor, DarkSide. In a statement by the group, they claim they are an apolitical group interested in money and not social disruption. In addition, they promise to start checking every company prior to targeting and ransoming it to avoid such cases in the future.

his announcement is interesting for several reasons. First off, it is almost a standard procedure for organizations that have been breached to claim it was a nation state actor that conducted the attack. This helps with mitigating calls for taking full responsibility over the attack because it widely agreed upon that a nation state actor is nearly impossible to stop and prevent their actions. With DarkSide announcing they are an “apolitical” group and specifically saying “do not need to tie us with a defined government” (sic) using this excuse goes out the window. This begs the question – why did DarkSide feel the need to announce this? This ransomware group has targeted dozens of companies in the past, what is different now?

The answer to that is – the target! DarkSide targeted a critical infrastructure and they might have just realized what that means. It means they are not up against an organization’s SOC, they are up against the federal government. Multiple three letter agencies will now be involved in the investigation, and as demonstrated in the past, this can have consequences to the ransomware operation and operators. It seems the group is genuinely concerned as the announcement also states they will make sure that in the future they don’t target systems that which have “social consequences.”

So where do things stand now? While DarkSide claims they will avoid similar targets in the future, it is clear that critical systems will be targeted not just by nation states, but by groups looking to make monetary gains. The “it’s a nation state actor” approach might be off the table for some types of attacks, on the other hand, this also looks like a golden chance for nation state actors to hide their operations under the mascaraed of a ransomware attack. This has already been done in the past…The Liar’s Dividend is something threat actors are happy to take advantage of.