ALPS blog

Something unusual has just happened, and in the flood of daily news the little note has more or less been lost. But it could have far-reaching (positive) consequences for the IT security world. In view of the Colonial Pipeline hack on 7 May (DarkSide is said to have shut down in the meantime), US President Joe Biden has now declared that the criminals responsible acted from Russia but have no connection with the Russian state. At the same time, he called on Russia to take joint action against this kind of crime. Normally, at this point, we would smile at the naivety of a new president who optimistically dreams of the good in people. But this case is different, and maybe – just maybe – something good can come out of it …

The underground and politics

It is no secret that states attack each other with hacking methods. The US and Russia are both among the top “players” here. In doing so they may have supported the cybercriminal underground indirectly, and perhaps directly: the more “noise” there is in the log files of political opponents, the easier it is to conceal one’s own deeds or to disguise them as the work of criminals. The uncovering and analysis of politically motivated attacks such as Stuxnet or NotPetya also regularly cause a boom in cybercrime activity.

Since the mid-2000s, we have observed a steady expansion of the criminal underground. Among other things, perpetrators benefit from the fact that police actions end at national borders. Thus, Russian perpetrators do not have to fear sanctions if they commit cybercrimes in a Western country, and the same is true the other way around. The US journalist Brian Krebs therefore recently recommended in a tweet that a Cyrillic keyboard layout be added to the system as an additional input setting. It does not have to be used; its mere presence is enough to deter Russian criminals, because many of their tools refuse to run on a system that appears to belong to a compatriot.
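The following PowerShell script is an added example to illustrate the keyboard-layout trick described above; it is not from the original post, from Brian Krebs or from any vendor. It assumes a Windows 10/11 workstation with the built-in International module (Get-WinUserLanguageList / Set-WinUserLanguageList) and that the layout to add is Russian (ru-RU); both are assumptions, and the function names are hypothetical.

```powershell
# Added example (not from the original post): check whether a Cyrillic input
# language is configured for the current user and, if not, append Russian as an
# additional layout without changing the primary language or display order.
# Assumes Windows 10/11 with the International module; runs per user profile.

function Test-CyrillicLayoutPresent {
    # Returns $true if any configured input language carries a Cyrillic-script tag.
    $tags = (Get-WinUserLanguageList).LanguageTag
    return [bool]($tags | Where-Object { $_ -match '^(ru|uk|be|bg|sr-Cyrl|kk|mk)(-|$)' })
}

function Add-CyrillicLayout {
    param([string]$Tag = 'ru-RU')   # assumption: Russian is the layout to add
    $list = Get-WinUserLanguageList
    if ($list.LanguageTag -contains $Tag) {
        Write-Output "$Tag already present; nothing to do."
        return
    }
    # Append to the end so the user's existing primary language stays first.
    $list.Add($Tag)
    Set-WinUserLanguageList -LanguageList $list -Force
    Write-Output "Added $Tag as an additional input language (not set as default)."
}

if (-not (Test-CyrillicLayoutPresent)) { Add-CyrillicLayout }

# Show the resulting configuration for verification.
Get-WinUserLanguageList | Select-Object LanguageTag, InputMethodTips
```

This is a cheap nudge, not a control: families that check the list of installed keyboard layouts are deflected, while those that look only at the default system locale or at the user's display language are not, and the check is trivially removable by the malware author. Deploy it alongside, never instead of, backups, patching and endpoint detection, and roll it out per user (for example via a logon script), because the language list is a per-profile setting.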

The actors are aware that state IT attacks also harm their own people. In an internationalised and IT-based economy, the radius of cyber weapons never ends at the border – sooner or later they boomerang. But that tends to reinforce the cover rather than weaken it. For example, the first victims of the 2017 NotPetya attack included Russian companies. The US and the UK nevertheless accused the Russian state of perpetration, which was of course rejected by the Russian side.

Control over cybercrime has slipped away from politics

About nine years ago, a disturbing development began, the effects of which we are only now beginning to understand. The first signs were already there in 2015/2016, when the first wave of ransomware started. However, the method behind it was only the outwardly visible symptom of the change, not its cause. In fact, it was the emergence and success of cryptocurrencies, with Bitcoin as the flagship, in 2012 that made digital extortion viable. For the first time in history, a state monopoly was thus broken by the collective, removing the possibility of state control. Cybercriminals can now carry their wealth on USB sticks across any border in the world and make police investigative tactics difficult. Whereas earlier attempts to extort money failed at the point of payment, today they run through automated mass extortion and central “accounts” into which the money can be deposited.

The cybercriminal market today

This laid the groundwork for the first true global market: no state, no bank and no (known) individual can control it. There are no police and there are no rules; trust is a currency, just like Bitcoin. And where no crimes can be charged, there are no punishments. The marketplace brings together all kinds of businesses, even lawyers’ offices with appropriate licences. Not all services are illegal… at least not everywhere. Acts that are punishable in one country are not in another. And good profits can be made through cooperation.

A new dimension

The Colonial Pipeline hack now represents a new dimension of cybercrime. The deliberate disruption of critical state infrastructure, and thus the creation of a political crisis, was previously within a state’s monopoly on the use of force. This has changed since last week. It is the transition to a time when the Blofelds and Goldfingers, the villains of the James Bond films, have the power to blackmail states.

This situation is not entirely unexpected. Years ago, countries like the Federal Republic of Germany tried to protect at least critical infrastructure with measures like the IT Security Act (IT-SiG) and, above all, to make industry aware of this growing problem. In the second version of the IT-SiG, more companies are now officially included and the requirements have been tightened in some points. (It is recommended that all companies take a look at the contents of the IT Security Act 2.)

The IT security industry has also long warned about the increase in crime – both its quantity and quality. The countless small incidents are already no longer publicly perceived. Even police investigative successes such as the takedown of the Emotet infrastructure hardly play a role in the overall picture. In purely statistical terms, at least as far as our telemetry data is concerned, its effect was hardly measurable, and the attacks on companies continue in unmitigated severity. But that, too, is part of a market in which there is as much supply and demand as there is competition: if one player is eliminated, others fight over its customers.

What should change now

Politicians must realise that they are losing this game. If states continue to fight each other in cyberspace, thereby providing criminals with cover and sometimes even with the tools for their deeds, attacks of this kind will increase. The failure of critical infrastructure, whether terrorist or financially motivated, has the potential to undermine the population’s support for any political system.

In this respect, it would be advantageous to outlaw this type of attack in principle and to support each other in investigating and prosecuting it – such cooperation would be an enormous step forward for the good of all! It would not only remove the basis for cybercrime but would also expose its players to an increased risk of prosecution.

Until then

Is it realistic to expect that a corresponding agreement can be reached between Russia and the USA, and later globally? An optimist might say yes, but the lights will probably literally have to go out in more countries before joint action is taken. The fact remains, however, that the issue of cybercrime can no longer be tackled by the policies of a single country.

In this respect, the pipeline hack must be understood as a final wake-up call. It can affect anyone. Relationships with governments no longer matter. Neither does whether you think you have important data or not. A market will always try to grow. The cybercrime market is no exception. Be prepared to be confronted with it sooner or later. Because even if there are hopes for political change, it will still take a while for this to have an effect.

Until then, the following applies: processes, employees and, above all, your company’s defence technology must be able to detect and contain an incident in good time. Techniques, tactics and strategies that are more than two years old often struggle against modern attacks and need to be adapted. This is what is meant by “state of the art”. As an industry, we have solutions. Let us implement them.