SecuringAV: The Colonial Pipeline Ransomware Cyberattack — Part 2
What motivates a hacker or group of cyberattackers? The answer is typically money.
For each column in this series, rAVe writer Paul Konikowski takes a deeper dive into a recent security event or data breach, shedding light on supply chain vulnerabilities, infrastructure and cyber-physical security.
The Colonial Pipeline ransomware attack in May of 2021 caused many gas shortages. It also resulted in an Executive Order from the Biden administration to “improve the nation’s cybersecurity and protect federal government networks.” The EO press release noted, “public and private sector entities increasingly face sophisticated malicious cyber activity from both nation-state actors and cyber criminals.” But what motivates these attackers?
Hollywood movies and television series have long depicted hackers as teenagers huddled in a basement or dorm room, hacking into systems to change their grades or just to cause a little mayhem. The mischief-minded nerdy teens or collegiate hacker groups do exist in real life, for sure. But those stories are rare, and the impact of hacks by mischievous “script kiddies” is usually very minor. It’s more of a competition at that age. While the pride of “cracking” a device or “pwning” someone is a real feeling among cybercriminals, most don’t do it for fun. Instead, most cyberattackers are motivated by money. Let’s look at the Colonial Pipeline as an example.
On May 7, 2021, a group of cyberattackers known as DarkSide used ransomware to attack the business networks of Colonial Pipeline, and the pipeline management quickly shut down the pipeline systems too.
A few days later, the DarkSide website hosted a statement about the motivation of the attack, which said:
“We are apolitical, we do not participate in geopolitics, [you] do not need to tie us with a defined government and look for … our motives… Our goal is to make money, and not creating problems for society. From today we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future.”
Granted, if this statement came from criminals, it could be a partial or complete lie. But for the sake of this article, let’s assume they are truthful about their goal: to make money. Of course, money, more specifically bitcoin, is the goal of most ransomware attacks. Still, there are times when ransomware is used for other reasons outside of, or in addition to, extorting money.
In 2014, Sony Pictures Entertainment was attacked by ransomware over its upcoming release of a movie called “The Interview,” which depicted the leader of North Korea in a bad light. The ransom, in this case, was to NOT release the movie, which Sony eventually did anyway after it had restored its servers. But a lot of damage was done, as the hackers stole customer and employee data and multiple unreleased films. Furthermore, they released this stolen data in huge chunks hoping to intimidate Sony and its American allies.
This sort of attack is commonly known as hacktivism. It’s the digital equivalent of Woody Harrelson climbing the Golden Gate Bridge and hanging a sign in hopes of saving a redwood grove. (Was that really 25 years ago? … Damn, I’m getting old.)
Other times it’s a mix of politics and global security. For example, many sources say that the U.S. was behind the Stuxnet attack on the Iranian Nuclear Plant. Some say that the purpose of the attack was to slow down Iran’s nuclear war program, to maintain an edge in global warfare, but others would say it was to continue controlling the “Big Oil” money. Check out the movie “Zero Days” for more theories on Stuxnet.
Other cyberattackers are motivated by domestic politics: They attack their local candidate’s opponents’ webpages or large corporations who support them. It’s unclear if these attacks are effective in changing the outcome of elections, but the attackers feel righteous about it.
“Righteous” is a keyword here. Both malicious hackers and well-intentioned cybersecurity researchers feel righteous in exposing and exploiting vulnerabilities. They feel they must do so, and yes, there is an element of mischief to it too, but it’s more about the pride they feel in outsmarting those who built the computer systems. Thus, they look at finding a vulnerability like solving a mystery or winning a video game.
Last but not least, some hackers are motivated by personal reasons. Perhaps they got laid off or just didn’t like their current or former employer. Nation-states blackmail some hackers into performing attacks they would never do of their own accord. People will do anything to protect their families or their reputations. This is why many cybersecurity researchers prefer to remain anonymous, as the ones who get credit for finding vulnerabilities may inadvertently put their own lives and families at risk.