“We are apolitical, we do not participate in geopolitics, do not need to tie us with a defined government and look for other our motives. Our goal is to make money and not creating problems for society.” That may sound like satire, but it is how the cyber criminals behind the Colonial Pipeline outage attempted to apologize. Crippling a pipeline operator and shutting off 45 percent of the gas supply and jet fuel to the East Coast was, they claim, just an accident.
The reality may not be so simple.
True motives and players are often murky in the days following high-profile hacks like this. Last week the FBI confirmed the involvement of DarkSide, a little-known gang of cyber criminals based somewhere in Eastern Europe, possibly Russia. It purports to be a cyberpunk version of Robin Hood, collecting ransom from rich corporations and giving (some) to charity. It reportedly got $5 million in digital currency from Colonial and has now dropped out of sight online.
Back in 2014, a group calling itself the Guardians of the Peace claimed the Sony Pictures hack, leaking confidential information, awkward emails, and a few unreleased films. The hack was later attributed to a group called Lazarus, which had also perpetrated a digital heist at the Bangladeshi central bank and unleashed the notorious WannaCry ransomware; the group was ultimately identified as the government of North Korea. In 2015, a group calling itself the Cybercaliphate hacked the French television station TV5Monde, replacing its broadcast with text reading “Je suIS IS.” That hack was ultimately attributed to the Russian government. The 2017 NotPetya cyberattack, which caused $10 billion in damage and ground shipping firms and hospitals to a halt, initially seemed to be a ransomware attack intended for financial gain. It was eventually revealed to be Russian malware deployed as a part of a digital attack on Ukraine.
These false flag incidents illustrate why it may be too early to believe the DarkSide hackers when they say we “do not need to tie us with a defined government and look for other our motives.”
DarkSide admits to hacking on behalf of others, and is known to provide ransomware-as-a-service for other criminal groups. So far there is no evidence that their client list includes Russia, North Korea, or other nation states, but it's still important to determine who exactly DarkSide is, who they work for, and where they are based.
Last year we examined the problem of ambiguous cyberattackers in a report for the Defense Department, looking at how to deter attacks on the U.S. power grid. The U.S. military relies heavily on commercial energy assets, making the implications of such events more serious than just higher prices at the gas pump. Studying the landscape of international law and cyber norms revealed one clear point: The origins and severity of an attack dictate what the United States might do in response.
The Colonial Pipeline cyberattack is a serious crime that likely will lead the Justice Department to indict and charge the hackers, who appear to be foreign nationals. If the country where such hackers operate doesn't cooperate with the investigation or arrests, that could warrant a severe response from the U.S. government, including the potential suspension of trade or investment protections.
However, if the government of another country is directly involved in cyberattacks against the U.S. energy system—which affects both civilians and military operations—international law permits the United States to respond with limited reprisals, such as cyber counterattacks, or even proportional uses of force. In the long run, taking these punitive actions can support the credibility of a national deterrence policy.
Ransomware attacks against pipeline operators have been increasing; the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency issued a specific warning last year. There were earlier red flags as well, including Iran's 2013 cyberattack that took control of a New York state flood-control dam. Russia left a swath of Ukraine in the dark for hours after a 2015 attack on its grid, and the same Russian group infiltrated the U.S. power grid in 2016.
Cyberspace gives attackers—some of them state-sponsored—the opportunity to take repeat shots at the U.S. energy system. That is a major worry, including to the U.S. military. But the bigger concern might be that a hack causes a level of damage that forces the United States to question whether there is a difference between destroying crucial infrastructure with bombs and doing it with code.
Anu Narayanan is a senior engineer at the nonprofit, nonpartisan RAND Corporation, where her research focuses on the intersection of critical infrastructure and national security. Jonathan Welburn is an operations researcher at RAND whose work focuses on systemic risk in economic systems, supply chain risks, cybersecurity, and deterrence.
This commentary originally appeared on Defense One on May 18, 2021. Commentary gives RAND researchers a platform to convey insights based on their professional expertise and often on their peer-reviewed research and analysis.