The Finer Details of the DarkSide, Hackers of the Colonial Pipeline

Primer: Five months before DarkSide attacked the Colonial pipeline, two researchers discovered a way to rescue its ransomware victims. Then an antivirus company’s announcement alerted the hackers.


On January 11, antivirus company Bitdefender said it was “happy to announce” a startling breakthrough. It had found a flaw in the ransomware that a gang known as DarkSide was using to freeze computer networks of dozens of businesses in the US and Europe. Companies facing demands from DarkSide could download a free tool from Bitdefender and avoid paying millions of dollars in ransom to the hackers.

But Bitdefender wasn’t the first to identify this flaw. Two other researchers, Fabian Wosar and Michael Gillespie, had noticed it the month before and had begun discreetly looking for victims to help. By publicizing its tool, Bitdefender alerted DarkSide to the lapse, which involved reusing the same digital keys to lock and unlock multiple victims. The next day, DarkSide declared that it had repaired the problem, and that “new companies have nothing to hope for.”
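To make the flaw described above concrete, here is an added toy illustration (not DarkSide's code, and not the Bitdefender or Ransomware Hunting Team decryptor): it models the decryptor's side of the problem, asking whether a key recovered from one victim also opens other victims' files. The HMAC-based keystream, the `MAGIC` file header used to recognise a correct decryption, and the victim names are constructed assumptions for the demonstration only.

```python
"""Why reusing one key across victims lets a single recovered key unlock all of them.
Constructed illustration; the cipher and data are toys, not any real ransomware scheme."""
import hashlib
import hmac
import os

# Constructed plaintext header: a decryptor can recognise a correct key because
# real files start with known bytes (document magic numbers, archive headers, ...).
MAGIC = b"DOCX"
NONCE_LEN = 16


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy counter-mode keystream derived from HMAC-SHA256 (illustration only,
    # not a production cipher). Same key + same nonce always gives the same stream.
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        out += block
        counter += 1
    return bytes(out[:length])


def encrypt_file(key: bytes, plaintext: bytes) -> bytes:
    # Per-file random nonce prepended to the XOR-encrypted body.
    nonce = os.urandom(NONCE_LEN)
    body = bytes(a ^ b for a, b in zip(plaintext, keystream(key, nonce, len(plaintext))))
    return nonce + body


def decrypt_file(key: bytes, blob: bytes) -> bytes:
    nonce, body = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return bytes(a ^ b for a, b in zip(body, keystream(key, nonce, len(body))))


def key_unlocks(key: bytes, blob: bytes) -> bool:
    # The decryptor's check: does this candidate key yield a plausible file?
    # A wrong key produces pseudo-random bytes that will not carry the known header.
    return decrypt_file(key, blob).startswith(MAGIC)


def simulate(shared_key: bool) -> dict:
    """Encrypt one sample file for each of three constructed victims, then test
    whether the key recovered from victim A also opens B's and C's files.

    shared_key=True  models the flaw: one key reused for every victim.
    shared_key=False models the repaired scheme: a fresh key per victim.
    """
    victims = ["A", "B", "C"]
    master = os.urandom(32)
    keys = {v: (master if shared_key else os.urandom(32)) for v in victims}
    samples = {
        v: encrypt_file(keys[v], MAGIC + f" constructed report for victim {v}".encode())
        for v in victims
    }
    recovered = keys["A"]  # the one key the decryptor has obtained
    return {v: key_unlocks(recovered, samples[v]) for v in victims}


if __name__ == "__main__":
    print("key reused across victims :", simulate(True))   # every file opens
    print("fresh key per victim      :", simulate(False))  # only victim A's file opens
```

The point the simulation makes is the one the article describes: with a reused key, a decryptor built from a single victim's key is effectively universal, and once the gang moves to per-victim keys that tool stops working for everyone else, which is why researchers who find such a flaw prefer to use it quietly.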

“Special thanks to BitDefender for helping fix our issues,” DarkSide said. “This will make us even better.”

DarkSide soon proved it wasn’t bluffing, unleashing a string of attacks. This month, it paralyzed the Colonial Pipeline Co., prompting a shutdown of the 5,500-mile pipeline that carries 45% of the fuel used on the East Coast—quickly followed by a rise in gasoline prices, panic buying of gas across the Southeast, and closures of thousands of gas stations. Absent Bitdefender’s announcement, it’s possible that the crisis might have been contained, and that Colonial might have quietly restored its system with Wosar and Gillespie’s decryption tool.

Instead, Colonial paid DarkSide $4.4 million in Bitcoin for a key to unlock its files. “I will admit that I wasn’t comfortable seeing money go out the door to people like this,” CEO Joseph Blount told the Wall Street Journal.

The missed opportunity was part of a broader pattern of botched or half-hearted responses to the growing menace of ransomware, which during the pandemic has disabled businesses, schools, hospitals, and government agencies across the country. The incident also shows how antivirus companies eager to make a name for themselves sometimes violate one of the cardinal rules of the cat-and-mouse game of cyberwarfare: Don’t let your opponents know what you’ve figured out. During World War II, when the British secret service learned from decrypted communications that the Gestapo was planning to abduct and murder a valuable double agent, Johnny Jebsen, his handler wasn’t allowed to warn him for fear of cluing in the enemy that its cipher had been cracked. Today, ransomware hunters like Wosar and Gillespie try to prolong the attackers’ ignorance, even at the cost of contacting fewer victims. Sooner or later, as payments drop off, the cybercriminals realize that something has gone wrong.

Whether to tout a decryption tool is a “calculated decision,” said Rob McLeod, senior director of the threat response unit for cybersecurity firm eSentire. From the marketing perspective, “You are singing that song from the rooftops about how you have come up with a security solution that will decrypt a victim’s data. And then the security researcher angle says, ‘Don’t disclose any information here. Keep the ransomware bugs that we’ve found that allow us to decode the data secret, so as not to notify the threat actors.’”

In a post on the dark web, DarkSide thanked Bitdefender for identifying a flaw in the gang’s ransomware. (Highlight added by ProPublica.)

Wosar said that publicly releasing tools, as Bitdefender did, has become riskier as ransoms have soared and the gangs have grown wealthier and more technically adept. In the early days of ransomware, when hackers froze home computers for a few hundred dollars, they often couldn’t determine how their code was broken unless the flaw was specifically pointed out to them.

Today, the creators of ransomware “have access to reverse engineers and penetration testers who are very very capable,” he said. “That’s how they gain entrance to these oftentimes highly secured networks in the first place. They download the decryptor, they disassemble it, they reverse-engineer it, and they figure out exactly why we were able to decrypt their files. And 24 hours later, the whole thing is fixed. Bitdefender should have known better.”

It wasn’t the first time Bitdefender trumpeted a solution that Wosar or Gillespie had beaten it to. Gillespie had broken the code of a ransomware strain called GoGoogle, and was helping victims without any fanfare, when Bitdefender released a decryption tool in May 2020. Other companies have also announced breakthroughs publicly, Wosar and Gillespie said.

“People are desperate for a news mention, and big security companies don’t care about victims,” Wosar said.

Bogdan Botezatu, director of threat research at Bucharest, Romania–based Bitdefender, said the company wasn’t aware of the earlier success in unlocking files infected by DarkSide.

Regardless, he said, Bitdefender decided to publish its tool “because most victims who fall for ransomware do not have the right connection with ransomware support groups and won’t know where to ask for help unless they can learn about the existence of tools from media reports or with a simple search.”

Bitdefender has provided free technical support to more than a dozen DarkSide victims, and “we believe many others have successfully used the tool without our intervention,” Botezatu said. Over the years, Bitdefender has helped individuals and businesses avoid paying more than $100 million in ransom, he said.

Bitdefender recognized that DarkSide might correct the flaw, Botezatu said: “We are well aware that attackers are agile and adapt to our decryptors.” But DarkSide might have “spotted the issue” anyway. “We don’t believe in ransomware decryptors made silently available. Attackers will learn about their existence by impersonating home users or companies in need, while the vast majority of victims will have no idea that they can get their data back for free.”


The attack on Colonial Pipeline, and the ensuing chaos at the gas pumps throughout the Southeast, appears to have spurred the federal government to be more vigilant. President Joe Biden issued an executive order to improve cybersecurity and create a blueprint for a federal response to cyberattacks. DarkSide said it was shutting down under US pressure, although ransomware crews have often disbanded to avoid scrutiny and then re-formed under new names, or their members have launched or joined other groups.

“As sophisticated as they are, these guys will pop up again, and they’ll be that much smarter,” said Aaron Tantleff, a Chicago cybersecurity attorney who has consulted with 10 companies attacked by DarkSide. “They’ll come back with a vengeance.”

At least until now, private researchers and companies have often been more effective than the government in fighting ransomware. Last October, Microsoft disrupted the infrastructure of Trickbot, a network of more than 1 million infected computers that disseminated the notorious Ryuk strain of ransomware, by disabling its servers and communications. That month, ProtonMail, the Swiss-based email service, shut down 20,000 Ryuk-related accounts.

Wosar and Gillespie, who belong to a worldwide volunteer group called the Ransomware Hunting Team, have cracked more than 300 major ransomware strains and variants, saving an estimated 4 million victims from paying billions of dollars.

By contrast, the FBI rarely decrypts ransomware or arrests the attackers, who are typically based in countries like Russia or Iran that lack extradition agreements with the US. DarkSide, for instance, is believed to operate out of Russia. Far more victims seek help from the Hunting Team, through websites maintained by its members, than from the FBI.

The US Secret Service also investigates ransomware, which falls under its purview of combating financial crimes. But, especially in election years, it sometimes rotates agents off cyber assignments to carry out its better-known mission of protecting presidents, vice presidents, major-party candidates, and their families. European law enforcement, especially the Dutch National Police, has been more successful than the US in arresting attackers and seizing servers.

Similarly, the US government has made only modest headway in pushing private industry, including pipeline companies, to strengthen cybersecurity defenses. Cybersecurity oversight is divided among an alphabet soup of agencies, hampering coordination. The Department of Homeland Security conducts “vulnerability assessments” for critical infrastructure, which includes pipelines.

It reviewed Colonial Pipeline in around 2013 as part of a study of places where a cyberattack might cause a catastrophe. The pipeline was deemed resilient, meaning that it could recover quickly, according to a former DHS official. The department did not respond to questions about any subsequent reviews.

Five years later, DHS created a pipeline cybersecurity initiative to identify weaknesses in pipeline computer systems and recommend strategies to address them. Participation is voluntary, and a person familiar with the initiative said that it is more useful for smaller companies with limited in-house IT expertise than for big ones like Colonial. The National Risk Management Center, which oversees the initiative, also grapples with other thorny issues such as election security.


Ransomware has skyrocketed since 2012, when the advent of Bitcoin made it hard to track or block payments. The criminals’ tactics have evolved from indiscriminate “spray and pray” campaigns seeking a few hundred dollars apiece to targeting specific businesses, government agencies and nonprofit groups with multimillion-dollar demands.

Attacks on energy businesses in particular have increased during the pandemic—not just in the US but in Canada, Latin America, and Europe. As the companies allowed employees to work from home, they relaxed some security controls, McLeod said.

Continue reading here.

Details on the Pentagon Targeting Extremism


Your task is to check out the resumes of each of these people. For further context keep reading.

*** The 17 page DARPA document is here.

Flags from the left-wing Antifa movement. Depictions of Pepe the Frog, the cartoon character that’s been misappropriated by racist groups. Iconography from the far-right Proud Boys, including the phrase “stand back and stand by” from former President Donald Trump.

They are all signs that extremists could be infiltrating the military, according to internal training materials that offer a more detailed view into the array of radical groups and ideologies the Pentagon is trying to keep out of the ranks.

“There are members of the [Department of Defense] who belong to extremist groups or actively participate in efforts to further extremist ideologies,” states a 17-page briefing obtained by POLITICO that was compiled by the DoD Insider Threat Management and Analysis Center, which is part of the Defense Counterintelligence and Security Agency.

“Be aware of symbols of far right, far left, Islamist or single issue ideologies,” it warns, stressing that members of the military and civilian personnel have “a duty and responsibility” to report extremist behavior or activity.

The materials were prepared as part of a broader Pentagon effort to crack down on extremists who may be lurking inside the military after dozens of ex-service members were arrested for their roles in the Jan. 6 attack on the U.S. Capitol to stop the certification of the presidential election.

The prevalence of extremists in the Defense Department appears to be small. For example, the 222,000-strong Marine Corps recently reported that it kicked out four members last year for extremist activity.

But the Pentagon says one is too many and the true numbers are not known because adherents who have been recruited by extremist groups or encouraged to enlist often organize and communicate in secret.

“No one truly knows,” Audrey Kurth Cronin, the director of American University’s Center for Security, Innovation and New Technology, told a House panel this week. “No serious plan can be built without defining the scope of the problem.”

The internal training materials focus on extremist behavior and symbolism — of all different stripes — and point out the risk of making false assumptions about people who do not pose any threat. This includes pointing out that religious conservatives are often mistakenly lumped together with white supremacists or other extremists.

The Department of Homeland Security has said white supremacist extremists are the most lethal terror threat facing the U.S. And while Republicans accused far-left groups such as Antifa of taking part in the insurrection, FBI Director Christopher Wray told lawmakers this month there’s “no evidence” those groups played a role.

Last month, Defense Secretary Lloyd Austin ordered a force-wide stand down requiring all units to discuss the threat of extremism within 60 days.

He called it the first step in “a concerted effort to better educate ourselves and our people about the scope of this problem and to develop sustainable ways to eliminate the corrosive effects that extremist ideology and conduct have on the workforce.”

The stand downs also include “listening sessions” to hear from Pentagon personnel about their experiences with activity, such as one held on Friday by a unit of the Army’s 101st Airborne Division.

The department published broad guidance for commanders to address extremism, which focuses on reinforcing the military’s core principles enshrined in the oath they take to the Constitution and several case studies of military members who were prosecuted for engaging in extremist activity or plotting with radical groups.

But those materials did not identify specific threat groups, and Austin has provided wide leeway for individual units and commands to address the challenge as they see fit.

The internal briefing shared with POLITICO was compiled by the human resources office at the Defense Advanced Research Projects Agency, a small Pentagon agency of several hundred military personnel, civilian employees and contractors that manages research into breakthrough technologies.

Pentagon spokesman Jamal Brown noted that military units and individual components have been given broad authority to tailor their own approaches to addressing the extremist threat with their employees. He could not immediately say how many personnel have received this specific information and deferred questions about it to DARPA.

Jared Adams, a spokesperson for DARPA, explained in an email that “our training module was copied verbatim from the material provided by the DOD Insider Threat Management & Analysis Center of the Defense Counter Intelligence and Security Agency.

“We did not add any symbols and used all the imagery provided,” Adams said.

The briefing was sent to civilian employees as part of required training across the department for “Extremism and Insider Threat in the DoD.” Adams said it is required training to be completed by this month. Employees have to digest the material and then answer some questions.

The more detailed materials break down extremist movements into three main categories, including “Patriot” extremism, anarchist extremism, and ethnic/racial supremacy.

More here from Politico.

Hunter Flew out of Joint Base Andrews 23 Times

And yet daddy never knew about his business adventures nor asked about them? C’mon man…so many unknown unknowns about this cat and the whole family…

Breitbart:

Rep. Devin Nunes (R-CA), the ranking member of the House Permanent Select Committee on Intelligence (HPSCI), told Breitbart News that revelations in a new book that President Joe Biden’s son Hunter Biden took more than 20 trips through Joint Base Andrews are more proof of “utter corruption” of establishment media.

“The revelation of Hunter Biden’s trips through Joint Base Andrews is further proof of the corporate media’s utter corruption and blinding partisanship,” Nunes told Breitbart News exclusively on Sunday. “They dismissed, ridiculed, and censored reporting on Hunter’s obvious conflicts of interest for the sole purpose of helping Joe Biden’s election prospects. The corporate media has fully merged with the Democratic Party, and their reporting is indistinguishable from crude Democrat talking points.”

Nunes’s comments on this matter come after revelations about Hunter Biden’s travel practices, when his father was vice president to former President Barack Obama, were published Saturday from the new book Breaking the News: Exposing the Establishment Media’s Secret Deals and Hidden Corruption. In particular, the book—from Breitbart News Editor-in-Chief Alex Marlow—revealed Secret Service travel records that showed Hunter Biden took 411 trips, including to 29 foreign countries and 23 trips through Joint Base Andrews, from 2009 to 2014. During that time, his father—now the president of the United States—was vice president of the United States.

The reason why the Joint Base Andrews trips are important is because that is the home of Air Force One and Air Force Two. On Saturday, Breitbart News published a piece from Marlow adapted from the book that further explained the significance of the revelations:

Despite this evidence that there was not an “absolute wall” between Hunter and Joe when it comes to business endeavors, the establishment press has shown little interest in exploring whether Hunter was actually leveraging his father’s power to enrich himself. In fact, quite the contrary. The New York Times, for example, published a story in 2020 portraying Hunter as a skilled artist who was mastering painting. The article, headlined “There’s a New Artist in Town. The Name Is Biden,” un-ironically featured glossy photographs of a relaxed and polished Hunter Biden working away in his studio.

The American public has been told consistently that Hunter Biden is as pure as the driven snow. Joe Biden called his son “the smartest guy I know.” Dr. Jill Biden (Ed.D.) and Joe both expressed confidence that Hunter had done nothing wrong. And, of course, Joe said he thought it was all Russian disinformation. And of course, Facebook and Twitter famously censored bombshell reporting by the New York Post on Hunter Biden that has not been proven to be “Russian” or “disinfo.”

The fact that Hunter Biden flew through Joint Base Andrews during the Obama administration more than twenty times–and to nearly 30 countries on 411 total trips, per Secret Service records–seems to contradict claims that Joe Biden made when he was running for president in 2019. “I have never spoken to my son about his overseas business dealings,” Biden said on the campaign trail in Iowa in the summer of 2019. “Here’s what I know. Trump should be investigated.”

Biden then added specific instructions for the establishment media–which dutifully obliged his not-so-subtle demand that the media instead investigate his opponent then-President Donald Trump instead of his son Hunter.

“You should be looking at Trump,” Biden told the media in Des Moines when he arrived at the annual Democrat fundraiser the Polk County Steak Fry. “He’s doing this because he knows I’ll beat him like a drum. And he’s using an abuse of power and every element of the presidency to try to smear me … Ask the right questions.”

After that, most of the establishment media followed Biden’s orders and completely ignored the hard evidence that proves the Biden narrative about Hunter Biden is untrue. Many questions remain unanswered about exactly where Hunter Biden was going, with whom he was meeting, why he was using an American military base for trips, what he was doing on these trips, and more. Those questions remain unanswered in large part because of the fact the establishment media have ignored, by and large, the Hunter Biden matter for years.

Nunes weighing in on the matter, though, is a sign that top Republicans have begun wising up to these facts about establishment media outlets. He was a critical figure in Congress during the Trump administration when it came to fighting back against fake narratives such as the Russia collusion hoax claims, and later the push to impeach Trump the first time over his call with Ukraine’s president—which was, of course, a central point in the whole Hunter Biden narrative given that it was all about corruption concerns with the now-president’s son and shady business dealings in the eastern European nation.


Scientists are Growing Aborted Baby Hair on Lab Rats

Is there a word more descriptive than depravity that really works to define this work between the University of Pittsburgh and the National Institute of Allergy and Infectious Diseases? Where is the rest of the media on this? Anyone in Congress? Planned Parenthood provided the fetuses….


A new video from the Center for Medical Progress exposes a grisly experiment at the University of Pittsburgh that involved scalping five-month aborted babies and implanting their scalps onto rodents.

Now, Pennsylvania leaders are demanding an investigation and urging the university to stop its experiments using aborted baby body parts.

“Publicly available information demonstrates that Pitt hosts some of the most barbaric experiments carried out on aborted human infants, including scalping 5-month-old aborted fetuses to stitch onto lab rats,” the Center for Medical Progress said in a statement.

The information comes from a study that University of Pittsburgh researchers published in September 2020 in the journal “Scientific Reports.” It describes how scientists used scalps from aborted babies to create “humanized” mice and rats to study the human immune system.

Along with the study, the researchers published photos of their experiment – horrific images that show tufts of babies’ hair growing on the rodents.

The Center for Medical Progress video raises even more concerns about unethical and potentially illegal practices at the university, including babies potentially being born alive in abortions, killed and then dissected for their organs.

It also suggests the University of Pittsburgh and local Planned Parenthood, which supplies aborted baby body parts, may be involved in an “illegal quid pro quo” partnership.

“Local Planned Parenthood of Western Pennsylvania abortion providers supply the aborted fetuses, while Pitt sponsors the local Planned Parenthood’s operations,” the investigation found.

What’s more, a number of the experiments using aborted baby body parts at the university are funded by U.S. taxpayers through the National Institutes of Health and, in particular, Dr. Anthony Fauci’s National Institute of Allergy and Infectious Diseases office, CMP found in its investigation.

The Pennsylvania Family Institute letter also urged the university to end its unethical research in an open letter in response to the investigation.

“We call on the University of Pittsburgh to stop all experimentation on aborted babies and the inhumane practice of grafting their skin and body parts onto rodents,” it says.

They urged the state legislature to conduct a full investigation of the university, Planned Parenthood and other groups involved in the experiments.

“This ghastly finding is a product of Pitt’s systemic practices of using aborted babies for inhumane research,” they wrote. “Pitt has been involved in hundreds of fetal kidneys and other organs from aborted babies being distributed for research as part of a project funded by the National Institute of Health. Pitt has also had scientists harvesting fetal livers ‘in vivo’ from fetuses delivered via labor induction.”

Information in the video comes from public documents, including research published in scientific journals and on the National Institutes of Health website.

Action: Sign the open letter calling on the University of Pittsburgh to end its experiments on aborted babies and supporting a full investigation by the Pennsylvania General Assembly. source


Biden Ignoring Ukraine in Favor of Russia

The real hurt and consequence is Ukraine as you read on.

The Biden administration has waived sanctions on a company building a controversial gas pipeline between Russia and Germany.

The US also lifted sanctions on the executive – an ally of Russia’s Vladimir Putin – who leads the firm behind the Nord Stream 2 project.

The move came in a report on Russian sanctions delivered to Congress by the Department of State.

Critics say the pipeline is a major geopolitical prize for the Kremlin.

The project, which would take gas from the Russian Arctic under the Baltic Sea to Germany, is already more than 95% complete.

The Department of State report notes that Nord Stream 2 AG and its chief executive, Matthias Warnig, a former East German intelligence officer, engaged in sanctionable activity.

Nord Stream 2: Biden waives US sanctions on Russian pipeline - BBC News

How it bypasses Ukraine further putting Ukraine into a financial crisis –>

Ukraine crisis: Europe's stored gas high as prices soar - BBC News

But it concludes that it is in the US national interest to waive the sanctions.


The Department of State also imposed sanctions on four Russian ships involved in the building of Nord Stream 2, though detractors said that would not be enough to stop the pipeline.

Meanwhile:

Ukrainians breathed a collective sigh of relief last month when Russian President Vladimir Putin said he would withdraw the majority of more than 100,000 troops that had been shifted to the Russian-Ukrainian border. So did the U.S., NATO and the rest of Europe.

But nobody should be breathing easy: Putin isn’t one to stay on the retreat. So, where should we expect his next provocation? Very likely, the waters of the Black Sea.

Russia invaded Ukraine in 2014 and carved off the strategically vital peninsula of Crimea, the largest land grab from a sovereign state in this century. Since then, he has supplied money, training, arms and military advisers to separatist forces in the Donbas region of southeast Ukraine.

The recent buildup was probably a signal to the West of how relentless Putin will be on pressuring Ukraine, and of his deep opposition to it joining the North Atlantic Treaty Organization. It was also a distraction from his persecution of opposition leader Alexey Navalny, and played well with Putin’s base in Russia, where his approval rating soared during the Crimea annexation. Finally, the buildup allowed the Russian military a pretty effective practice run, in case Putin does decide to roll the dice and invade across the border.

Although one should never underestimate Putin’s ability to surprise his geopolitical rivals, this doesn’t seem like the moment for a full-blown land incursion. Putin is already financially overextended with his overseas adventures. Reconstructing Syria will come with a huge bill. Support to Ukrainian separatists is expensive. He has a great appetite for expensive new weapons (militarizing space, for example). And he remains under significant sanctions from the West. source

***

Seems President Biden got the lobby memo to support Moscow.

OS: Biden has not made any moves that would prevent completion of the pipeline, which would transfer natural gas from Russia to Germany while bypassing Poland and Ukraine. That’s a win for both Berlin and Moscow. It’s also a win for Washington lobbyists.

Companies involved with the pipeline spent more than $1 million lobbying on sanctions and other issues related to the project through the first three months of 2021.

Nord Stream 2 AG spent $840,000 on lobbying in the first quarter of 2021, on pace to surpass its nearly $3.6 million lobbying spending last year. The Swiss firm is wholly owned by Russia’s state-run energy firm Gazprom. Alexei Miller, Gazprom’s executive chairman, is a longtime Putin ally, as is Nord Stream CEO Matthias Warnig.

The company spent $600,000 to dispatch Vincent Roberti, a top lobbyist and prolific Democratic donor. Roberti reported lobbying on “issues related to the U.S. position toward the Nord Stream 2 pipeline, including potential financial sanctions affecting the project.” The firm spent another $240,000 to dispatch BGR Group’s Walker Roberts, a former Republican staffer for foreign affairs congressional committees.

Other foreign firms are also dispatching lobbyists to advocate for the pipeline. Five foreign companies partnering on the project — Austria’s OMV AG, the Netherlands’ Shell International, France’s ENGIE, and Germany’s Wintershall and Uniper SE — hired lobbyists at McLarty Inbound to lobby the State Department and the National Security Council. They collectively paid the firm more than $840,000 for lobbying in 2020 and $210,000 in the first quarter of 2021.

McLarty managing partner Richard Burt, the former U.S. Ambassador to West Germany and a member of several influential Washington think-tanks, reported lobbying for a slate of foreign companies that have partnered on the project on “Russian sanctions issues” and “natural gas as an element of European energy security.” Burt donated $2,000 to Biden’s 2020 campaign and $10,000 to pro-Biden super PAC Unite the Country while he was a registered lobbyist for foreign companies partnering with Nord Stream on the pipeline. Biden’s campaign had not refunded Burt’s money at the time of publication, more than 6 months after the donations were given, despite pledging to reject lobbyist donations.

Because firms working for proponents of the pipeline registered under the Lobbying Disclosure Act instead of the Foreign Agents Registration Act, details of which government officials the lobbyists met with remain hidden from the public.

Lobbyists for private entities that would otherwise be required to follow FARA disclosure requirements may choose to instead register under the LDA with the House Clerk’s Office and Secretary of the Senate so long as the “principal beneficiary” of the influence operation is not a foreign government or political party. Nord Stream is owned by a Russian state-run firm, but the Kremlin has insisted the pipeline is a “commercial project.”