As for repercussions, notice they indicated "fear of the United States and its planning of offensive cyber operations". We don't hear a lot about US offensive operations. Maybe they're ongoing but they don't get a lot of press. If that's the case, maybe they need more for deterrence purposes. Does anyone have any visibility?
Also, notice they did not mention any concern the FSB would invite them for tea, pay respects to their families, or any other ... imperial entanglements. This says a world about their standing in Russia, whether tolerated, encouraged or some other arrangement.
Russia's policy is to leave cybercrime alone as long as they don't attack Russia.
A hacker group in Russia declaring to only target companies in the USA and Great Britain is like a US group that only targets Iran and China. US agencies probably wouldn't find time in their busy schedules to go after someone targeting Iran either.
Hence why some malware programs won't activate if they detect the computer's keyboard layout is set to Russian.
*Russia and its allies, the CIS states, are also off-limits.
But yes, you are correct.
Stuxnet and Windows are pretty well known I would say.
You might check out Inside Cyber Warfare by Jeffrey Carr from 2011. It's ancient, predating (AFAICT) the rise of ransomware, and technically illiterate, but goes into considerable detail about the Russian cyber-crime/-war (they're the same, really) groups and their relationship to the government.
This is an interesting topic because BM claims to have a moral compass and is only interested in targeting wealth not impacting humans. Let me ask the question: "if companies paid for in-house security professionals competitive with what one might imagine BM pays, would people still choose the grey work?". I presume in a dichotomy between clearly unethical and ethical, it's easy for many to choose ethical. But when you add a grey option, it certainly changes things since I imagine most people are ethically grey. Let's assume what BM is doing is effectively legal in the country where they operate.
> if companies paid for in-house security professionals competitive with what one might imagine BM pays, would people still choose the grey work?
Interestingly, they answer very clearly:
> We have not been involved in legal pentesting and we believe that this could not bring the proper material reward.
They're in only for the money, so the answer is "yes".
Ransomware is not "grey" work though, if this is the implication; it's extortion, which is illegal.
> Let's assume what BM is doing is effectively legal in the country where they operate.
This specific activity has a direct contact with the victims, which makes it considerably different from other gray-area activities, where there is a strong disconnection with the victims (in which case, the concept of victim additionally becomes blurrier, e.g. tobacco industry or, uh, banking).
Assuming that one has valid job alternatives (and they definitely have, since they're highly skilled professionals, with an available market), one needs to have a certain degree of sociopathy in order to be able to do this line of work.
I think it's fair to assume that adding ethical gray is a well understood tactic in this world. And just that - a tactic.
It's not a moral compass.
It's a rational decision: Their method of making money is to quietly and without a fuss extort money and have the victim pay.
Attention just brings heat to their operation.
>would people still choose the grey work
some people are just outlaws and choose to do things because they are not allowed normally. so I'd say yes.
>Moreover, LockBit encrypts the first 256 kb of the file (which is pretty bad from the point of view of cryptographic strength). We, on the other hand, encrypt 1 MB. Essentially, that's the secret to their speed.
So I can just pad all my valuable data by 1MB?
wouldn't it just be easier to have duplicate back ups of your "valuables"?
And yet the ransomware is successful.
Of course it is because people don't make backups properly if at all.
However, my reply was to someone wanting to pad all of their valuable data with 1MB of fake data so if they were hit with a malware virus it would not actually screw up their data. Never mind that 1MB would screw up normal use as the apps would not know how to handle that padded data. But you know, yes, if you totally miss the point of the thread, I could see where thinking the point was the lack of failure of malware.
Or just have 1 padded disk image you mount... Emm, no wait, that'd be an fs, so they'd f that up too.
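The sub-thread above turns on ransomware that encrypts only a fixed-size prefix of each file (256 KB or 1 MB). As an added example that is not part of the thread or of the interview it discusses, the Python below is a small defender-side triage script: it walks a file in fixed windows, measures Shannon entropy per window, and reports how long the high-entropy (ciphertext-looking) prefix is and how much plaintext tail survives. The sample "file" is constructed inline (repetitive log text whose first 1 MiB is replaced with pseudorandom bytes as a stand-in for ciphertext; no encryption is performed), and the 64 KiB window and 7.5 bits/byte threshold are assumptions, not values from the page.

```python
import math
import random
from collections import Counter

CHUNK = 64 * 1024       # assumed analysis window: 64 KiB
HIGH_ENTROPY = 7.5      # assumed threshold in bits/byte; random/encrypted data sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    counts = Counter(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def entropy_profile(data: bytes, chunk: int = CHUNK) -> list[tuple[int, float]]:
    """List of (offset, entropy) for each consecutive window of the file."""
    return [(off, shannon_entropy(data[off:off + chunk]))
            for off in range(0, len(data), chunk)]


def encrypted_prefix_length(data: bytes, chunk: int = CHUNK,
                            threshold: float = HIGH_ENTROPY) -> int:
    """Bytes covered by the leading run of high-entropy windows.

    A prefix-only encryptor produces exactly this shape: ciphertext-looking
    windows at the start, then the untouched remainder of the file.
    """
    length = 0
    for off, h in entropy_profile(data, chunk):
        if h < threshold:
            break
        length = min(off + chunk, len(data))
    return length


def triage(data: bytes, chunk: int = CHUNK, threshold: float = HIGH_ENTROPY) -> dict:
    """Summarise how much of a possibly partially-encrypted file is still plaintext."""
    profile = entropy_profile(data, chunk)
    prefix = encrypted_prefix_length(data, chunk, threshold)
    high = sum(1 for _, h in profile if h >= threshold)
    return {
        "size": len(data),
        "encrypted_prefix": prefix,
        "plaintext_tail": len(data) - prefix,
        "high_entropy_fraction": high / len(profile) if profile else 0.0,
    }


def make_sample(total_size: int, damaged_prefix: int, seed: int = 1) -> bytes:
    """Constructed sample: repetitive log-like text whose first `damaged_prefix`
    bytes are overwritten with seeded pseudorandom bytes (a stand-in for
    ciphertext; nothing here encrypts anything)."""
    line = b"2021-08-02T10:00:00Z host=web01 status=200 path=/index.html\n"
    body = (line * (total_size // len(line) + 1))[:total_size]
    rng = random.Random(seed)
    noise = bytes(rng.getrandbits(8) for _ in range(damaged_prefix))
    return noise + body[damaged_prefix:]


if __name__ == "__main__":
    sample = make_sample(3 * 1024 * 1024, 1 * 1024 * 1024)  # 3 MiB file, 1 MiB "encrypted"
    result = triage(sample)
    print(f"size={result['size']} encrypted_prefix={result['encrypted_prefix']} "
          f"plaintext_tail={result['plaintext_tail']} "
          f"high_entropy_fraction={result['high_entropy_fraction']:.2f}")
```

The same profile is what a file-integrity or EDR rule can key on: a sudden high-entropy prefix followed by low-entropy content is a recognisable signature of prefix-only encryption, and the plaintext tail is why the interview calls the scheme cryptographically weak. It does not change the practical mitigation, which remains tested offline backups rather than padding.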
reminds me of the Bin Laden interview(s) before 9/11, specifically the one with Robert Fisk where Bin Laden was saying he was going to start attacking America
That was strangely fascinating
> it was seeking to recruit partners and claiming that it combined the features of notorious groups like REvil and DarkSide
I wonder if they have leetcode style interviews :)
I wonder why they refuse to rip off oil companies? Too well connected & therefore too risky?
Russia depends on oil revenue to survive. They don't want to put any part of that supply chain at risk.
> DS: What do you think about the attacks carried out against Colonial Pipeline's infrastructure or JBS? Does it make sense to attack such large networks?
> BM: We think that this was a key factor for the closure of REvil and DarkSide, we have forbidden that type of targeting and we see no sense in attacking them.
I think it is your answer, too risky.
Imagine if they shut down every Shell gas station or something similar.
I imagined more along the lines of them hitting Shell HQ and extorting the execs for millions and millions. Shutting down a corporate office seems a more likely scenario than hitting a multitude of effectively independent franchises.
I feel like giving criminals a platform like this is wrong.
I'm all for reformed criminals giving interviews in the context of what they did being wrong, but this is an interview about how they're getting better at their crimes.
Regardless of how easy it might be given security practices, these are crimes, and they are crimes for a reason: they cause damage. Their impact is felt beyond the ransom money paid, it's felt by employees who may be put in terrible positions as their work is held ransom and who might pay up personally to avoid problems at work, it's felt by customers of these companies who end up with higher prices, it's felt by countries as their output is hit. The fact that this "industry" is getting more "professional" does not change the fact that it's harmful. They don't deserve the publicity and attention that this sort of platforming provides them.
I think this is a good thing. It might show potential victims that their opponents are not a bunch of smelly teenagers hopping online after midnight.
These are multi-million (billion?) businesses. There's strategic leadership, target acquisition pipelines, R&D, talent recruitment and coordination with other businesses in the space.
There's every indication that with a little bit of protection money, you can even run your business with no interference from the law, as long as you don't mess around in your own backyard.
You can see from the blog post that this "company" has done a product-market-fit analysis. They've taken a look at their competitors' work, considered the pros/cons, and decided that they can do better. Since they are a b2b company (hehe) you can be reasonably sure this is not some PR aimed at consumers. I think it reads as a recruitment pitch to their lead generators (read: hackers who infect other networks for them).
You can see the pitch, it almost reads as a vacancy post:
- We make a lot of money
- We're new to the scene but already have had success
- We only work with the best hackers
- We pay you lots of money to infect a network, if you got what it takes
When groups do this in furtherance of illegal activities, it's called "organized crime". And such groups need to be pursued aggressively because they are corrosive and poisonous to society at large. If they are not actively and aggressively fought, their negative effects seep into broader society and can become entrenched for generations.
How do you propose to pursue organized crime groups in Russia who are protected by the local authorities? Financial sanctions haven't been effective.
> such groups need to be pursued aggressively because they are corrosive and poisonous to society at large
No, they are pursued aggressively by the government because they compete with it.
What about when your "organized crime" group has a moral compass and isn't breaking local laws?:
DS: Obviously, there are many talented professionals on your team. Why is it that this talent is aimed at destructive activities? Have you tried legal penetration testing?
BM: We do not deny that business is destructive, but if we look deeper: as a result of these problems new technologies are developed and created. If everything was good everywhere there would be no room for new development.
There is one life and we take everything from it, our business does not harm individuals and is aimed only at companies, and the company always has the ability to pay funds and restore all its data.
We have not been involved in legal pentesting and we believe that this could not bring the proper material reward.
For me the line between organized crime and robin hood is very blurry.
> as long as you don't mess around in your own backyard.
Based on the recent pipeline incident, it seems that these crime groups realize there are other places you'd better not mess around.
Screw with Bank A or Company B ... fine. Screw with infrastructure of a country with a large scale military, control over large chunks of global finance, and so much more ... probably not a good idea.
Next step is to search for investors.
It's hard to feel sorry for these companies when they have neglected security for so long.
This outcome was inevitable, and hitting the bean counters where it hurts (financial bottom line) is the only way to effect change.
I don't have metal bars across my windows, should they start targeting my house to force me to add them?
I'm being somewhat facetious, but I want to live in a society where not being hyper focused on all forms of security at all times, and just being _safe_ is an ok way to live your life.
"It's easy so we'll do it" is not a defence of this practice. The only reason the security is needed at all is because of people like this. I'm not saying security isn't important, but being bad at security is not a defence of people who take advantage of that poor security.
The reason security is needed is that we have institutional methods for transferring ransom and paying for the rackets.
The reason that it's ok to have a shitty $80 lock on your front door or an unprotected window near ground level is that the value for a would-be burglar to break in for a crime of opportunity is low. If you're a well known jeweler or gun collector, you typically take other measures because you may be a target.
Cryptocurrency made computer crimes profitable crimes of opportunity.
The type of society you want to live in is utterly irrelevant. Those ransomware gangs exist and there is no way to eliminate them. That is our new reality. Any business leader who is bad at security is incompetent. I wish it didn't have to be that way but whining about it won't accomplish anything.
Companies are not people.
If your business is taming wild animals, should you have metal bars around them?
what makes you so sure ransomware is "wrong"?
let me rephrase this: do you think corporations are "good"?
that is not the same question :)
some corporations provide value to society. some don't. the evaluation of this will depend on your personal values.
my personal values do evaluate ransomware as "wrong". and the laws of most (all?) countries evaluate ransomware as illegal and thus legally "wrong".
Ransomware companies are also corporations
Not only this, but ransomware companies are even more nakedly in pursuit of profit than most non-ransomware companies. It's hard to imagine any ethical framework regarding capitalism etc. which would enable a favourable view of ransomware companies.
I think making companies and the industry more aware that their bug bounties are undervalued is important. It raises the bug bounties and creates more opportunities.
This is an approach of like "okay, let's just ignore your rationale for not doing that and give the hackers a platform until you change"
There's an elephant in this room and its name is ethics.
When I was a mainframe programmer at IBM, one of the first things they taught us was how to stop the processor of a System/370 machine. If you can do that, ladies and gentlemen, you can bring down Bank of America, the US Army, the Social Security Administration, etc. So everyone there knew how to be a "black hat" hacker if we wanted to.
Was there money to be made in that? Surely. More money than IBM ever paid anyone! But the reason neither I nor any of my colleagues would ever dream of using our skills to hurt people is that last part of the sentence: it hurts people.
Yes, IBM did some awful stuff from helping Nazis to keeping apartheid alive in South Africa (over employee objections while I was there), but overall, the "corporation" provided valuable goods and services to real people who had to slog on in real jobs every day to get the world's real work done.
Oil companies are in the same boat. The world runs on oil and some ransomware attacks aren't going to change that. The idea that terrorism (and black hat hacking is absolutely a form of terrorism) is a useful way to change corporate behavior is so ill-informed that it's pathetic.
When asked about taking a "white hat" approach and selling legal pen testing (or even PTaaS), these developers declined saying they probably couldn't monetize their skills at the same level that way.
Well, I say, too effin' bad. If everyone optimizes solely for himself, there will be no one left. It's appalling to me that criminal organizations now recruit, have price lists, and get PR placement. These people and their products (and their communication channels) need to be turned off ASAP for everyone else's sanity and self-preservation.
What elephant in the room?
They are self-admitted criminals. They admit to be in a destructive industry to line their own pockets. The only reason they are selective in their targets is because critical targets will increase the chances of them being caught.
I was referring mostly to the suggestions that attempted to justify this behavior by saying the targets are "bad companies."
Ah ok. When reading the article, I don't get the impression that they try to frame themselves as somewhat ethical, I think that may be an interpretation by some of us here.
> These people and their products (and their communication channels) need to be turned off ASAP for everyone else's sanity and self-preservation
But they can't be because enough people don't share your worldview. Do you believe private communication is a human right? Well then you can't stop them communicating either. How would we achieve a world where these products and services could be universally banned immediately?
You are right, the problem is ethics. The problem is that it's not universally criminal to attack other countries' wealth.
If it came out that this group ran their infrastructure on IBM cloud, and you still worked at IBM, what would you do? It seems you think that the generation of wealth for IBM's shareholders is more important than stopping genocide, therefore it's okay to be complicit. So you seem to have some general notion of ethical total harm.
> The idea that terrorism (and black hat hacking is absolutely a form of terrorism) is a useful way to change corporate behavior is so ill-informed that it's pathetic.
It does change behavior, though, whether you like it or not.
I certainly can't argue that you're wrong!
Private communication, even for business, is a human right. I was not suggesting that some authoritarian arm "shut them off," but rather that a profusion of businesses and individuals simply chose to ignore them. Death by rescission.
It's also one's right to choose to be in an ethical business or not. I've rejected many customers and employers because I didn't want to help in their aims.
I was among the people who protested IBM's continued involvement in apartheid and it did end before I left. Companies can choose to "not be evil" or they can just say that.
And yes, sadly, everything changes human behavior. What I was going for is that ethics is a practical phenomenon as well as a nice one for other people. I still believe that more can be accomplished through volunteerism (including voluntary agreements about money and work rather than coercive ones) than through violence. Perhaps that's naive or hopeful but I hope a few of us persist in keeping the idea alive.
Seeing the word "ethics" emphasized, followed by "sure they helped Nazis but..." was really something. Congratulations, I guess.