with Aaron Schaffer
In the news release in question, the Romanian cybersecurity firm BitDefender touted a digital tool it had developed to unlock computers that were locked by the ransomware gang DarkSide without the victim paying a ransom. BitDefender was offering the tool free to all DarkSide victims.
That news release helped a lot of DarkSide victims. But it also gave the gang a chance re-engineer its ransomware based on what BitDefender published in ways that ultimately made the tool ineffective.
A few months later, when DarkSide’s ransomware hit Colonial Pipeline, there was no easy fix. Ultimately, Colonial paid a $4.4 million ransom to regain access to its computer systems.
The article accuses BitDefender of being a “secret weapon” for the ransomware gang and valuing its own self-promotion over public safety.
If the company had just quietly shared its tool with DarkSide victims rather than publishing it online, the tool might have still worked when Colonial was hacked, the authors Renee Dudley and Daniel Golden argue. Indeed, two other researchers, Fabian Wosar and Michael Gillespie, had been doing just that with a similar tool they discovered.
“The incident…shows how anti-virus companies eager to make a name for themselves sometimes violate one of the cardinal rules of the cat-and-mouse game of cyberwarfare: Don’t let your opponents know what you’ve figured out,” Dudley and Golden write.
But BitDefender sees it differently.
By publicizing its tool, the company helped far more DarkSide victims than it could have by simply scouring news reports about victims and quietly reaching out, the company’s director of threat research Bogdan Botezatu told ProPublica.
And even if the company had kept mum, DarkSide might have figured out the flaws in its ransomware on its own.
“We are well aware that attackers are agile and adapt to our decryptors,” Botezatu said. “[But] we don’t believe in ransomware decryptors made silently available. Attackers will learn about their existence…while the vast majority of victims will have no idea that they can get their data back for free.”
Here’s more from CyberScoop reporter Sean Lyngaas:
The notion that DarkSide wouldn't have figured out that there was a decryptor out there but for an AV company announcing it seems far-fetched. And the announcement can reach victims who otherwise wouldn't have any idea how to deal with an infection: https://t.co/oGgs8Amm3H
— Sean Lyngaas (@snlyngaas) May 24, 2021
Cybersecurity venture capitalist Bob Ackerman, meanwhile, called the story a warning that “the cybersecurity community can sometimes do as much harm as good" by publicizing their work.
Great article by Propublica discussing the "cat and mouse" dynamic of ransomware and how the cyber security community can some times do as much harm as good in their never ending quest for recognition and media attention.... A goo…https://t.co/dz4WifFR3U https://t.co/CyO1sDPVja
— Bob Ackerman (@BobAckerman) May 24, 2021
Ransomware hackers can be voracious consumers of news about their exploits, noted Allan Liska, senior threat intelligence analyst at Recorded Future.
conversation. Last week a few journalists asked me what members of these underground forums were discussing around DarkSide and Colonial Pipeline. Most of the conversation revolves around news articles about DarkSide and the Colonial Pipeline attack.
— Allan “Ransomware Sommelier🍷” Liska (@uuallan) May 24, 2021
The dispute is a twist on a familiar debate in cybersecurity — whether it’s better to gather more information about the bad guys or to stop them in their tracks.
“The security researcher angle says, ‘Don’t disclose any information here. Keep the ransomware bugs that we’ve found that allow us to decode the data secret, so as not to notify the threat actors,’ ” Rob McLeod, senior director of the threat response unit for the cybersecurity firm eSentire, told ProPublica.
On the marketing side, however, “you are singing that song from the rooftops,” he said.
U.S. intelligence agencies have similarly struggled to strike a balance between gathering more information about hacking groups backed by foreign governments and using what they know to prevent future attacks.
An added danger in that case is that actions that disrupt other governments' hacking groups may reveal the sources and methods by which intelligence agencies know what they do — and cut off those sources of information in the future.
The keys
More than 100 U.S. municipalities bought Chinese surveillance equipment that the U.S. government says was used to repress Uighurs.
Local governments have continued to purchase the technology even though Congress banned federal agencies from buying it, TechCrunch’s Zack Whittaker reports.
The local governments have purchased the cameras — which are made by Chinese firms Hikvision and Dahua — for use in public schools, probation departments and other places.
Dahua has denied U.S. government allegations that its equipment helps spy on China’s Uighur Muslim population. “Contrary to some reporting in the media, our company has never developed any technology or solution that seeks to target a specific ethnic group,” the company said in a statement. Hikvision didn’t respond to TechCrunch’s request for comment.
A Commerce Department security unit collected information on hundreds of people with questionable authority.
The Investigations and Threat Management Service monitored Asian American employees because they used Chinese-language keywords in email correspondence, former investigators and documents obtained by Shawn Boburg say. It also scoured social media for people criticizing the decennial census. Critics said the unit’s operations looked more like a counterintelligence agency than a small agency tasked with protecting Commerce officials and facilities.
The Biden administration suspended the agency's criminal investigations March 10 and suspended all activities earlier this month. That came two days after The Washington Post presented its findings about the agency.
The unit has behaved as if “someone watched too many ‘Mission Impossible’ movies,” said Bruce Ridlen, a former supervisor. Investigators had complained about the unit to their supervisors and the department’s internal watchdog had launched multiple inquiries into it.
Republicans who boosted unfounded election fraud claims are trying to become their states’ top election officials.
Trump allies in Georgia, Arizona, Nevada and Michigan — which were all sites of unsuccessful legal challenges to 2020 election results — are running to be those states’ secretaries of state, Politico’s Zach Montellaro reports.
The races raise the possibility that the most vocal proponents of baseless theories that the 2020 election was stolen could be put in charge of running future elections. If elected, the officials would have broad authority over elections including, in many cases, vetting voting machines for cybersecurity and other issues.
“Someone who is running for an election administration position, whose focus is not the rule of law but instead ‘the ends justifies the means,’ that’s very dangerous in a democracy,” Bill Gates, the Republican vice chair of Maricopa County, Arizona’s Board of Supervisors, said. “This is someone who is trying to tear at the foundations of democracy.”
Chat room
Secretaries of state who are running now could play a vital role if there's a Georgia-like dispute in a future presidential race. Olivia Troye, a former aide to former vice president Mike Pence:
Do not lose sight of these Secretary of State elections.
— Olivia of Troye (@OliviaTroye) May 24, 2021
Many #Republicans are seeking to undermine our #democracy at every level. What if next time, we don’t have GA Sec of State Raffensperger’s integrity? These state roles have nat’l level implications.https://t.co/xJJs6oCWyx
Georgia Public Broadcasting’s Stephen Fowler:
If you *really* thought elections were rigged then it seems like you wouldn’t run for office considering the grand conspiracy would never let you win.
— stephen fowler (@stphnfwlr) May 24, 2021
Unless, and hear me out, someone’s not telling the truth behind their motives (or how elections work) https://t.co/eZPwpIKRsQ
Government scan
Industry report
Global cyberspace
A new hacking group is hitting Israeli and other Middle Eastern organizations, researchers say.
The group, which may be tied to Iran, is masking its operations behind ransomware, researchers from cybersecurity firm SentinelOne said.
Cyber insecurity
A massive Russian cybercrime marketplace has postponed its global expansion.
Transactions on the Hydra dark web marketplace rose to $1.37 billion last year. But the marketplace is delaying expansion plans, blaming external issues and the coronavirus pandemic, according to a new report by cybersecurity firm Flashpoint and blockchain analysis company Chainalysis.
Daybook
- Retired Gen. Keith Alexander, the former commander of U.S. Cyber Command and director of the NSA, speaks at a cybersecurity conference hosted by the U.S. Chamber of Commerce at 9:15 a.m. today.
- Ben Bernstein, senior special counsel at the Securities and Exchange Commission, discusses cyber governance at a Cyber Crossroads event at 11:35 a.m. today.
- A House Science Committee panel holds a hearing on software supply chain security in the wake of the cyberattack on SolarWinds and other companies today at 2 p.m.
- Former Undersecretary of Defense for Policy Michèle Flournoy, the co-founder of WestExec Advisors, speaks at the Institute for Security and Technology’s Strat-Tech conference at 2:10 p.m. today.
- Amb. Tobias Feakin, Australia’s cyber ambassador, and a White House official speak at a Center for a New American Security event today at 6 p.m.
- Secretary of Homeland Security Alejandro Mayorkas testifies before House and Senate Appropriations Committee panels at 10 a.m. and 2 p.m. on Wednesday.
- Former Director of National Intelligence Adm. Dennis Blair and former Homeland Security Secretary Michael Chertoff speak at a Center for Strategic and International Studies launch event for the Multilateral Cybersecurity Action Committee on May 26 at 2 p.m.
- The Senate Homeland Security and Governmental Affairs Committee holds a confirmation hearing for top nominees to the Department of Homeland Security on Thursday at 10:15 a.m.
- Retired Adm. Michael Rogers, the former commander of U.S. Cyber Command and director of the NSA, discusses critical infrastructure supply chain security at an event hosted by the Israeli Economic Missions to North America and Team8 on Thursday at noon.
- Anne Neuberger, the deputy national security adviser for cyber and emerging technology, and Jeffrey Greene, the National Security Council’s acting senior director for cybersecurity, speak at a Center for Strategic and International Studies event on Thursday at 2 p.m.
Secure log off
Today’s second @washingtonpost quarantine TikTok features the recent sanctions on Belarus but as an episode of “The Circle” on Netflix https://t.co/6QX5WA72Ug pic.twitter.com/5LZ2jBG0Q6
— Washington Post TikTok Guy 🕺🏼 (@davejorgenson) May 24, 2021