A few days after the Colonial Pipeline was attacked, a former law enforcement source close to the company told Red Sky Alliance that law enforcement officials used a cyber type ‘dye pack’ to track the Bitcoin Colonial ransom payment. A traditional dye pack is used in banks to be used during a bank robbery. The robbers take the cash bundle with the dye pack and within minutes, the dye pack ignites and paints the robber with a dye, so responding police can identify the fleeing felon. The federal law enforcement cyber cops basically did the same thing. Very clever indeed.
The US Department of Justice announced earlier this week the recovery of $2.3 million, about half, of the ransom that was collected by hackers last month in the Colonial Pipeline cyber-attack. Cyber experts say it was a surprising outcome to an increasingly frequent and severe crime. "Ransomware is very seldom recovered," said the Institute for Technology Law and Policy at Georgetown Law, who described it as "a really big win" for the government. "What we don't know is whether or not this is going to pave the way for future similar successes."
That's because there are several unexplained factors that contributed to the operation's success. A new cyber task force holds the key to this success. Top US federal law enforcement officials explained that the money was recovered by a recently launched Ransomware and Digital Extortion Task Force, which had been created as part of the government's response to a surge of cyberattacks.
To resolve the attack on Colonial Pipeline, the company paid about $4.4 million on 8 May to regain access to its computer systems after its oil and gas pipelines across the eastern US were shutdown by ransomware.
Victims of these attacks are given very specific instructions about when and where to send the money, so it is not uncommon for investigators to trace payment sums to cryptocurrency accounts, typically Bitcoin, set up by the criminal organizations behind the extortion. What is unusual is to be able to unlock those accounts to recoup the funds.
Court documents released in the Colonial Pipeline case say the Federal Bureau of Investigation (FBI) got in by using the encryption key linked to the Bitcoin account to which the ransom money was delivered. However, officials have not disclosed how they got that key (nor will they). One of the reasons criminals like to use Bitcoin and other cryptocurrencies is the anonymity of the entire system, as well as the idea that funds in any given cryptocurrency wallet can be accessed only with a complex digital key. "The private key is, from a technology perspective, the thing that made it possible to seize these funds," a researcher said. Cyber-attackers will go to great lengths to guard any information that could lead someone to associating the key with an individual or organization: "They're going to really try and cover their tracks."
Officials likely got the private key in one of three ways: One possibility is that the FBI was tipped off by a person associated with the attack. Either the person or group behind the scheme or someone associated with DarkSide, a Russia-based ransomware developer that leases its malware to other criminals for a fee or a share of the proceeds. A second possibility is that the FBI uncovered the key thanks to a careless criminal. There is a saying in law enforcement, “you don’t always catch the smart ones.” Deputy FBI Director said that the bureau has been investigating DarkSide since last year. It is likely that in their surveillance, agents and analysts may have had search warrants that enabled them to access the emails or other communication by one or more of the people who participated in the scheme. "And through that, they were able to get access to the private key because maybe somebody emailed something to help them track down," they explained. A final likelihood is that the FBI tracked down the key by leveraging information it got from Bitcoin or from the cryptocurrency exchange where the money had been bouncing from one account to another since it was first paid.
It is not known whether any of the exchanges have been willing to cooperate with the FBI or to respond to the agency's subpoenas. But if they are, it could be a dramatic game changer in fighting ransomware attacks. Yet, a caution is provided that the good guys can never underestimate the bad guys.
What is not likely is that the FBI somehow hacked the key on its own. While some admits it is theoretically possible, "the idea that the FBI would have, through some sort of brute-force decryption activity, figured out the private key seems to be the least likely scenario." Regardless, if law enforcement authorities are able to consistently remove the profits from the attacks, they will ‘likely’ eliminate the crime.
Of interest is that following the money did not take long. The attackers made an unusual error in this case by failing to keep money moving. The $2.3 million that ultimately was recovered was still sitting in the same Bitcoin account it had been delivered to. You really do not see that with cybercrimes. Was this done on purpose, or through carelessness?
Another scam where a company is tricked into submitting a payment using phony instructions. Funds get wired to accounts at legitimate banks. The banks do not realize that the account was set up by a fraudulent actor. And as soon as those funds hit the account, they are wired back out of the account by the criminals almost instantly. Within 72 hours, those funds are gone and very hard to track or trace.
Red Sky Alliance cannot over state the obvious that, “We are living in perilous cyber times.” An ounce of prevention is ALWAYS worth a pound of cure. Red Sky Alliance strongly recommends ongoing monitoring from both internal and external perspectives. Internal monitoring is common practice and very important, however, external threats are often overlooked and can represent an early warning of impending attacks. Red Sky Alliance can provide both internal monitoring in tandem with RedXray notifications on external threats to include, botnet activity, public data breaches, phishing, fraud, and general targeting.
Red Sky Alliance is in New Boston, NH USA. We are a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or firstname.lastname@example.org.
Interested in a RedXray subscription to see what we can do for you? Sign up here: https://www.wapacklabs.com/RedXray
- Reporting: https://www.redskyalliance.org/
- Website: https://www.wapacklabs.com/
- LinkedIn: https://www.linkedin.com/company/64265941