- Key government cybersecurity and counterintelligence officials tell CNBC that hackers from the disbanded DarkSide group, which hit key energy infrastructure, could still be operating or will soon be back under another alias.
- The federal experts say the Colonial Pipeline hack highlights the threat of more sophisticated criminal attacks that rise to the level of a national security threat and are made possible, in part, by rival nation states that provide safe havens.
- President Joe Biden will meet Russian president Vladimir Putin at a U.S.-Russia summit in mid-June in the aftermath of DarkSide and the larger SolarWinds attack, which the U.S. has attributed to Russia.
In the wake of the Colonial Pipeline hack, the group behind it, DarkSide, went dark, disappearing along with the websites attributable to it. No one seems to know what happened to DarkSide, but federal officials focused on cybersecurity and counterintelligence say the group could be back another day under a new hacking umbrella, and may already be. One lesson from the recent national security threat is that some of the biggest geopolitical rivals of the U.S. are doing nothing to stop these groups from proliferating.
Nation states are serving as safe havens for sophisticated criminal cyber actors and that is leading to an "increased blending of the threat," said John Demers, assistant attorney general at the National Security Division at the Department of Justice, speaking on a CNBC Evolve livestream on Wednesday.
He said that is also a reason to believe that DarkSide could be back, or is still operating under a new name.
"When nation states aren't doing their part to investigate and root out hacking activity happening within their borders, then any number of things could have been the answer to ... what happened to the DarkSide infrastructure including that ... they're just off renaming themselves, so we'll see."
"Groups like that will come back," he added. "Probably Darkside itself, those actors that comprise that group, will be back if they're not already out there in other forms operating as we're talking about."
In the aftermath of the Colonial Pipeline attack, President Biden and other administration officials called out Russia for not doing enough to prevent hacking from within its territory, without blaming Russia for the attack.
On May 10, Biden told reporters that the U.S. did not currently have intelligence linking the group's ransomware attack to the Russian government. "So far there is no evidence from our intelligence people that Russia is involved although there is evidence that the actor's ransomware is in Russia, they have some responsibility to deal with this," he said.
The Kremlin has denied claims that it has launched cyberattacks against the United States.
Biden and Russian president Vladimir Putin are expected to meet in Geneva on June 16 with many points of tension between the two world leaders.
DarkSide described its actions as "apolitical" before disappearing.
But the hack came on top of the larger SolarWinds hack that hit key government agencies and was pinned on Russia as a nation-state actor by the U.S.
"The DarkSide sophistication was not anywhere near what SolarWinds did," Lior Div, CEO of cybersecurity firm Cybereason, which detected DarkSide well before the Colonial hack, told CNBC. "It's the difference between a nation-state and non-nation state."
Michael Orlando, acting director of the National Counterintelligence and Security Center, said during the CNBC Evolve livestream that ransomware attacks on critical infrastructure rise to the level of national security threat and the "safe haven" aspect is one part of the cybersecurity riddle the government and business world will have to counteract.
"We do know that countries like Russia and China, Iran and others certainly create safe havens for criminal hackers as long as they don't conduct attacks against them. But that's a challenge for us that we're going to have to work through as we figure out how to counter ransomware attacks."
Making a deal with the dark side
The decision by the owner of the Colonial Pipeline to pay a ransom to the hackers did not go over well with government officials; the government's position has always been not to pay.
Demers said companies need to make better decisions ahead of time about protecting their critical assets and having back-up systems so they aren't faced with that "impossible choice" when the system is actually encrypted and shut down.
"The problem with the ransomware payments – in addition to the fact that you're just funding illegal activity ... You're not just funding the amazing lifestyle of some ransomware hacker. That would be fine, I guess, at the end of the day you buy his yacht, you buy his houses, his vacations – but you're actually funding the criminal activity itself," Demers said.
Colonial's CEO said in an interview with The Wall Street Journal on May 19 that it was not a decision made lightly but was "the right thing to do for the country."
"You're making a deal with someone who is a thief. And the question for any business is going to be, 'can I really trust this person to deliver back to me the decrypt key that just does its job, doesn't implant any other malware into my system, and effectively allows me to unlock my system in a short amount of time?'" Demers stressed.
He said it is better for companies to have a plan for restoration of systems and data backups so "you're not counting on the criminal to help you recreate your files by giving a decryption key after you give them millions of dollars."
The situation has changed drastically from the era when it was foreign intelligence services looking to steal government secrets and government technology.
"Now we have nation state actors, looking to take intellectual property from the private sector and using all the tools to do that," Orlando said. Companies are "up against paid and well-trained intelligence services that have key technologies and tradecraft to steal from you, both illegally and using illegal means to do it," the national security official said.
"Assume that someone is going to get in," Demers said. "And then plan from there ahead of time. ... Segregation and segmentation of the data to make it harder for hackers to move around," he added.
The threats are multiplying, with the insider threat of employees who oftentimes are recruited by foreign intelligence services, and supply chain issues like the SolarWinds hack. Insiders are being used by nation states to plant malware on company computers. "Afar from a nation state – that computer system could exfiltrate a whole bunch of data," Demers said.
What the Colonial Pipeline attack showed more than anything is that infrastructure attacks, often associated with nation-state actors, are now being conducted by criminal actors, and that this is a more aggressive threat that government and industry need to work on together, including overcoming points of tension that have stymied collaboration in the past.
"They are the ones who are providing us with the wakeup call in that area," Demers said, and they don't have to play by any of the rules that apply to rival nation states. "We have to figure out how to deal with this problem of criminal safe havens where actors are allowed to ... act with impunity," Demers added.
There are concerns that the ransomware attacks associated with the criminal underworld around Russia might be a preview or testing of nation state capabilities.
Orlando said it would be a mistake to focus only on ransomware, but it is true that the nation state actors are most interested in inserting malware into those systems. "In time of conflict, they can cause disruption to create issues for our decision makers. But I can't necessarily say that the ransomware is a part of that," he said, but he added, "this is a real issue that nation state actors are trying to do that to disrupt our networks."