A Valuable Lesson In Cyber Warfare

By Hubert Yoshida posted 05-25-2021 19:06

The Colonial Pipeline Ransomware story continues to provide valuable lessons in Cyber Security. The latest lesson is reported by

One of the cardinal rules of the cat-and-mouse game of cyberwarfare: Don’t let your opponents know what you’ve figured out. 

During World War II, the British had figured out how to decipher the Germans' Enigma cipher machine as early as 1942 and had knowledge of German troop and supply movements during most of the war. The Germans believed in the invincibility of the machine, since the Enigma machine had 13×10^114 possible cipher patterns, which would be impossible to decipher by brute force. Despite the Enigma's technical sophistication, Dr. Alan Turing and his team of hackers at Bletchley Park were able to crack the codes through a combination of mathematical genius along with exploiting weaknesses in the hardware, human error, procedural flaws, and leaks of key information. This helped Allied forces break Enigma ciphers and allowed them to read many of the messages and gain advantages which eventually led to Allied victory and the shortening of the war.

Of course, great care had to be taken over Allied use of intelligence derived from breaking Enigma. If the Germans had suspected that the Enigma ciphers had been broken, they would have taken countermeasures that would have made it even more difficult to decipher. No one on the Allied side was permitted to base any action on a decrypt unless there was also another way in which the relevant intelligence might have been acquired. This meant that in some cases preemptive action could not be taken to prevent the loss of lives. The care with which Enigma-derived intelligence was handled prevented its source from being discovered, and this, together with Germany's unjustified faith in the machine's power, meant that knowledge of Allied breaking of Enigma remained a secret not just throughout the war, but until 1974, when The Ultra Secret, a book written by RAF intelligence officer Frederick Winterbotham, revealed the truth.

In the case of Colonial Pipeline and the DarkSide Ransomware attack, two researchers, Fabian Wosar and Michael Gillespie, had noticed a flaw in the ransomware that DarkSide was using to freeze computer networks of dozens of businesses in the US and Europe and had begun discreetly looking for victims to help. Had Colonial Pipeline contacted these researchers before DarkSide changed their code, they could have recovered their data without paying the ransom of 75 Bitcoins, which at that time was about $4.4 million.

Unfortunately, a Romania-based cyber security company, Bitdefender, discovered the same flaw and made a public announcement that companies facing demands from DarkSide could download a free tool from Bitdefender and avoid paying millions of dollars in ransom to the hackers. By publicizing its tool, Bitdefender alerted DarkSide to the flaw, and the next day DarkSide declared that it had repaired the problem and that "new companies have nothing to hope for."

“Special thanks to BitDefender for helping fix our issues,” DarkSide said. “This will make us even better.”

By the time Colonial Pipeline was hit by DarkSide in May, the flaw was fixed and Colonial had to pay the ransom in order to restore service to the Eastern United States.

From Bitdefender's perspective, it might have seemed like a marketing coup to be able to announce a decryption solution for DarkSide, but from a security perspective it was a disaster. You don't want marketing people to run a security firm.

05-04-2022 11:51

Nicely written, thanks

04-27-2022 02:52

Thanks for sharing