May 17, 2021 | 5 minute read
Late on Friday May 7, 2021, Colonial Pipeline, the company that runs the largest gasoline pipeline in the US, shut down operations following a ransomware attack on their systems. It later emerged that a relatively new ransomware-as-a-service criminal organization known as DarkSide was behind the attack - but there was a twist.
Reportedly, DarkSide did not intend to strike a crippling blow against an American regional fuel pipeline and, despite the likelihood they are based in Russia or Eastern Europe, the attack reportedly did not involve the Russian government. It was simply a matter of the ransomware purveyors not taking care to vet the targets chosen by their affiliates.
In a statement on their blog they said, “We are apolitical, we do not participate in geopolitics, do not need to tie us with a defined government and look for other our motives [sic]. Our goal is to make money, and not creating problems for society. From today we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future.” (Source)
DarkSide also claims to adhere to certain moral principles, not unlike the “Gentleman Thief” or “honest criminal” archetype. They say that they refuse to attack medical targets like hospitals or nursing homes, funeral services, education like universities, non-profits, or the government sector. They claim a scrupulous reputation for always decrypting the data of those who pay their ransom, which means their victims can pay with confidence that their data will be restored to them.
But woe betide those who do not. Victims who refuse face double extortion: their stolen data is published on DarkSide’s Tor leak site for a criminal free-for-all, and notice is sent to the media and to the victim’s partners and customers, alerting them to the breach. Harsh, but… fair? As long as you pay the criminals’ ransom.
What are DarkSide’s motives in their strictly apolitical stance (if a criminal organization’s PR is even to be believed)? What would they hope to gain from having a public code of ethics that, in theory, stymies their ultimate goal of extorting large sums of money? One can only speculate, but they would hardly be the first criminal organization to advertise a code of ethics, even outside the boundaries of penny-dreadful fiction. In fact, they wouldn’t even be the first to write an apology note to their victims when they violate that code.
From the 1600s through the early 1700s, in a period famously known as the Golden Age of Piracy, the lines between pirates and nation-states were not nearly so clear-cut as “Treasure Island” would lead modern audiences to believe. Indeed, the conflict that most defined the Golden Age of Piracy was the Anglo-Spanish Wars, an often unofficial, on-again-off-again “cold war” between the naval powers of England and Spain. Amidst that conflict, individual opportunists rose to prominence, figures that became legendary household names like Blackbeard, Calico Jack, and Anne Bonny.
One such individual was Blackbeard’s own mentor, for lack of a better term, one Benjamin Hornigold. “Pirate” is the most common term used to describe Hornigold, but “self-styled English privateer” might be just as accurate. While not officially working for the English Crown, Hornigold became famous for his refusal to attack the ships of his home country, focusing his piratical activities instead on England’s rivals like Spain or France.
This code of ethics made Hornigold into something of a folk hero and spared him the wrath of the formidable English Navy. By claiming to be acting as a privateer rather than a pirate, he also gained the (somewhat tenuous) legal defense that he and his crew were operating on England’s behalf in the war against Spain.
Hornigold was not the first pirate to spare, or at least claim to spare, his own countrymen and thus rise to folk hero status back home. The “Arch Pirate” Henry Every in the previous generation had also reached Robin Hood-like legendary stature while (falsely) advertising a similar claim. And, when caught attacking the English ships he claimed to avoid, he wrote a letter apologizing, claiming he was still “an Englishman’s friend.” The letter was, in tone and legibility, not all that different from the one recently issued by the DarkSide gang after their allegedly accidental attack on Colonial Pipeline.
Unlike Every, however, Hornigold’s reluctance to attack English ships did not end with his rise to fame and fortune, but with the loss of his command. In 1716, his crew grew desperate for spoils during a lean year and democratically voted to replace Hornigold so they could freely attack all targets, including the English.
Hornigold took off with his own ship soon thereafter, wisely as it turned out, since these attacks on the English quickly brought down the wrath of the navy that Hornigold had so scrupulously avoided. Hornigold went on to receive a pardon from the English Crown and eventually a job: hunting down pirates on England’s behalf, many of whom were his former acquaintances and shipmates.
Today, pirates turning pirate-hunter, or rather, former “Black Hat” hackers becoming “White Hat” hackers to pursue their former peers is a story so common it’s hardly newsworthy. But “White Hat” and “state-sanctioned” hacking are not always synonymous.
For some nations, like North Korea, cybercrime such as ransomware is not only state-sanctioned but state-controlled, with team members carefully selected and trained. In that, one might see a parallel to the nation-state navies of the Age of Sail. Other nations, like Russia, have a more permeable relationship with their cybercriminals. Perhaps the Russian Hacker Army would be better described, in this metaphor, as the Russian Hacker Navy, or Privateers.
Similar to English pirates and privateers of the early modern era who often had their origins in the British Navy, these Russian hackers are often trained by and/or have worked for the state, but are free to independently pursue their own criminal activities so long as they remain pointed at the correct targets.
On May 11, 2021, investigative cybersecurity journalist and friend of Cybereason Brian Krebs tweeted, “Pro tip for the "but how do we protect ourselves?" folks. DarkSide ransomware, like many other strains, will not install on systems where certain Cyrillic keyboard and other scripts are already installed. So, install the Russian keyboard. You don't have to use it.”
DarkSide’s avoidance of any system with a Russian Cyrillic keyboard layout installed is, in effect, a quick and dirty way to avoid trouble from their own government and its allies, not unlike how Hornigold avoided ships flying the English flag. Also like English privateers, in times of trouble these attackers might find themselves press-ganged into more formal (and less lucrative) service to the state. But, by and large, the state is simply another customer, and can even serve as a formidable protector of their criminal activities, as long as they toe the line.
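The keyboard-layout gate described above can be made concrete. What follows is an added example written for this page, not DarkSide’s code and not a Cybereason tool: it reads the layouts Windows keeps under HKCU\Keyboard Layout\Preload (when run on Windows; elsewhere it uses a constructed sample) and decides whether a check of this kind would skip the host. Each Preload value is an 8-hex-digit keyboard layout identifier whose low 16 bits are the Windows LANGID, and the low 10 bits of the LANGID are the primary language, so layout variants such as Russian Typewriter (00010419) still match. The set of primary-language IDs is an illustrative list of CIS languages taken from winnt.h, not DarkSide’s actual list, which the post does not give; the function names are the author’s own.

```python
"""
Added example: simulate the "does this host have a CIS keyboard layout?" gate.
Not DarkSide's code. The language set below is illustrative; the post does not
state which layouts DarkSide actually checks.
"""
import sys

# Primary language IDs (LANGID & 0x3FF) as defined in winnt.h. Illustrative set.
CIS_PRIMARY_LANGS = {
    0x19: "Russian",
    0x22: "Ukrainian",
    0x23: "Belarusian",
    0x28: "Tajik",
    0x2B: "Armenian",
    0x2C: "Azeri",
    0x37: "Georgian",
    0x3F: "Kazakh",
    0x40: "Kyrgyz",
    0x42: "Turkmen",
    0x43: "Uzbek",
    0x44: "Tatar",
}


def klid_to_langid(klid: str) -> int:
    """Convert a Preload KLID such as '00000419' or '00010419' to its LANGID.
    The high word carries layout-variant flags; the low word is the LANGID."""
    klid = klid.strip()
    if len(klid) != 8:
        raise ValueError(f"malformed KLID: {klid!r}")
    return int(klid, 16) & 0xFFFF


def primary_language(langid: int) -> int:
    """Strip the sublanguage bits; 0x0419 (ru-RU) and 0x0819 (ru-MD) both give 0x19."""
    return langid & 0x3FF


def matching_layouts(klids):
    """Return [(klid, language)] for each layout whose primary language is in the set."""
    hits = []
    for klid in klids:
        lang = CIS_PRIMARY_LANGS.get(primary_language(klid_to_langid(klid)))
        if lang:
            hits.append((klid, lang))
    return hits


def would_skip_host(klids) -> bool:
    """True if a layout-based gate of this kind would refuse to run on the host."""
    return bool(matching_layouts(klids))


def read_preload_klids():
    """On Windows, enumerate HKCU\\Keyboard Layout\\Preload; elsewhere use a sample."""
    if sys.platform == "win32":
        import winreg  # standard library on Windows only
        klids = []
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, r"Keyboard Layout\Preload") as key:
            index = 0
            while True:
                try:
                    _name, value, _type = winreg.EnumValue(key, index)
                except OSError:  # raised once the index runs past the last value
                    break
                klids.append(value)
                index += 1
        return klids
    # Constructed sample: a US-English host that added Russian as the tweet suggests.
    return ["00000409", "00000419"]


if __name__ == "__main__":
    layouts = read_preload_klids()
    print("preloaded layouts:", layouts)
    print("matching layouts: ", matching_layouts(layouts))
    print("gate would skip host:", would_skip_host(layouts))
```

Treat this as a way to understand the check rather than as a control: it reads one registry key, exactly what the trick relies on, and nothing stops a later build from dropping the check or gating on the system UI language or locale instead of on installed layouts.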
To conclude the metaphor, perhaps the “Wild West” is no longer a proper parallel for the internet in its current form. Cyberattacks are no longer against small, individual “homesteads” and the undefended outposts of small businesses far from the protection of their government, who can barely understand much less protect against these attacks, as they were in the 90s. Rather, we are in a new Age of Sail, with the internet as the new international waters.
The targets now range from behemoth corporate galleons laden with booty to the vulnerable merchant ships of small businesses. Identity is just as easy to fake now as it was then, with hackers, like pirates, spoofing who they are by running up the flag of the nation they wish to impersonate or avoid, and only rarely flashing the skull and crossbones of “no quarter” to openly advertise their criminal status to their victims before they attack. Individuals and their data are only so many passengers and trade goods traveling aboard these ships, at the mercy of the defenses (or lack thereof) of the ship where their assets are stored.
And just like the Age of Sail, there is a new risk for criminals, when what appears to be an enormous galleon laden with gold turns out to be protected by nation-state warships who are prepared to retaliate. Did DarkSide intend to rile the United States’ military might by deliberately attacking the Colonial Pipeline? According to DarkSide’s own code of ethics and statements, apparently not.
If they are to be believed, all they saw was another slow-moving, wealthy target. They were pirates, they tell us, not privateers, and certainly not a nation-state navy. And they are honest pirates who follow a code, and thus deserve some sympathy for this huge, but honest mistake.
Like Hornigold, and Every before him, DarkSide wouldn’t be the first criminal organization to appeal to the sympathies of their victims by claiming that they follow a strict code of ethics. It remains to be seen if it will work, or if it’s true. Semi-state sanctioned crime may not repeat itself through the ages, but it often rhymes.
Maggie MacAlpine is a cybersecurity strategist and one of the co-founders of the DEF CON Voting Machine Hacking Village. Over the course of ten years spent in the field, MacAlpine has been a contributing researcher on the “Security Analysis of the Estonian Internet Voting System” in partnership with the University of Michigan and a co-author of the DEF CON Voting Village annual reports. She has been a speaker at conferences including DEF CON, ShmooCon Hacker Conference, and PacSec Tokyo, and in presentations to Capitol Hill on the topic of election security. In February 2021, she joined the office of the CSO at Cybereason as a security strategist.