The Washington Post

The Cybersecurity 202: The Justice Department is taking the fight to ransomware hackers

with Aaron Schaffer

First off, don't panic. Disruptions of major websites this morning are due to an error at the cloud computing service firm Fastly and a fix is coming soon. Details from the Financial Times's Matt Taylor:

Now, on to the news.

The Justice Department's seizure of more than $2 million from the Colonial Pipeline ransomware hackers represents one of the most substantial blows against organized cybercrime to date. 

Although previous law enforcement operations have made it tougher for cybercriminals to conduct business, they've rarely created a situation in which those crimes aren't highly lucrative. 

The Justice Department action effectively erased the profit that the hackers made off a $4.4 million ransom the pipeline company paid in bitcoin to unlock its computer systems, Ellen Nakashima reports. The difference between the $4.4 million ransom and the $2.3 million seized is essentially due to the drop in the price of bitcoin and the ransomware version of processing fees. 

The department didn’t reveal all the operation’s details but said it used a method it could replicate again to obtain a key to the hackers’ bitcoin wallet and take out the money. 

“The extortionists will never see this money,” said Stephanie Hinds, acting U.S. attorney for the Northern District of California. “This case demonstrates our resolve to develop methods to prevent evildoers from converting new methods of payment into tools and extortion for undeserved profits.”

The move comes as U.S. government officials are struggling to take the offensive against a surge of ransomware attacks that increasingly threaten U.S. economic and national security.

In addition to the pipeline hack, a ransomware attack against JBS threatened U.S. meat supplies, and a cavalcade of lesser attacks has temporarily closed schools, hospitals and local governments.

Attacks against such vital institutions can often be more lucrative for ransomware hackers because those organizations can ill afford to stay offline and may be more likely to pay ransoms to unlock their computer systems and data. 

The Colonial ransom seizure alone won’t be enough to ward hackers off such targets, but it could be a start. 

“No one seizure, no matter how big and flashy, is going to cast much doubt on the economics of the [ransomware] business model,” Bobby Chesney, a former Justice Department official who directs the Center for International and Security Law at the University of Texas at Austin, told me. “But every journey starts with a first step and this is a pretty good step.”

If the Justice Department can repeatedly claw back ransoms in such high-profile cases, that could — at the very least — convince some ransomware gangs to focus on victims that won’t draw as much attention from law enforcement and the public.

“If it becomes sufficiently questionable whether you’ll be able to monetize these efforts, that takes away a lot of the incentives,” Chesney said. “The big question is how replicable is this.”

Seizing money can only be part of the solution

U.S. government officials also are pushing allies to force more transparency from cryptocurrency exchanges about who their customers are so they can identify ransomware payments. 

And they’re pressing companies to improve their cybersecurity protections to stop hackers from seizing their computers in the first place. In the case of pipelines, officials are even preparing to mandate certain minimum protections. 

The seizure could take some heat off Colonial. 

The pipeline company has faced harsh criticism for its decision to meet the hackers’ ransom demand — including from many lawmakers. 

House Oversight and Reform Committee Chairwoman Carolyn Maloney (D-N.Y.) called the payment a “dangerous precedent that will put an even bigger target on the back of critical infrastructure going forward.”

Colonial CEO Joseph Blount acknowledged that making the payment was “a controversial decision” in a Wall Street Journal interview, but said “it was the right thing to do for the country.”

Blount is scheduled to testify before the Senate Homeland Security Committee this morning and before the House Homeland Security Committee tomorrow.

He praised the FBI after the seizure.

“As our investigation into this event continues, Colonial will continue its transparency in sharing intelligence and learnings with the FBI and other federal agencies,” he said. “Our goal is to help our peers in the critical infrastructure space strengthen their cyber defenses and to collaborate across industry so that we can thwart these types of attacks before they happen.”

Lawmakers also were quick to praise the Justice Department. 

House Intelligence Chairman Adam Schiff (D-Calif.) called the operation “a significant success, sending a message to these criminal actors that we can and will impose consequences on them — despite their efforts to remain untraceable and anonymous.”

Rep. Jim Langevin (D-R.I.), co-founder of the Congressional Cybersecurity Caucus:

The keys

Police arrested hundreds after they downloaded an allegedly encrypted app that was actually controlled by the FBI.

The operation lasted nearly three years and resulted in roughly 800 arrests of alleged criminals who used the FBI-controlled app called ANOM, Rachel Pannett and Michael Birnbaum report.

During that time, the unsuspecting alleged criminals “traded photos of cocaine packed into shipments of fruit, plotted robberies and put out contracts for killings,” my colleagues report. 

Police have fretted for years that criminals increasingly plan operations on encrypted communications systems that they can’t access — even with warrants. The operation was led by the FBI and included law enforcement from Australia and across Europe. 

Jean-Philippe Lecouffe, the deputy director for operations of Europol, called the bust “one of the largest and most sophisticated law enforcement operations to date in the fight against encrypted criminal activities.”

More details on the busts are expected later today.

Hackers stole sensitive data from another pipeline company.

The Xing Team of hackers posted tens of thousands of stolen files from LineStar Integrity Services, which provides services to pipeline companies, Wired’s Andy Greenberg reports. The leaked data could leave pipeline companies vulnerable to even more serious cyberattacks, security researchers say. 

“If you were to steal data from a pipeline company, that could possibly enable you to construct a fairly conventional spearphishing email to another pipeline company,” Emsisoft researcher Brett Callow said. “We absolutely know that groups do that.” LineStar did not respond to a request for comment.

A Russia-linked group is spreading divisive posts on message boards popular among right-wing Americans.

The campaign has been amplified by nearly 20 accounts that were mostly created just after the 2020 election, researchers from the network analysis firm Graphika said. The people behind the campaign are also active on right-wing social media networks Gab and Parler, which have been home to Russian accounts seeking to denigrate President Biden.

“Suspected Russian actors retooled and doubled down on efforts to target far-right American audiences after their previous activities were disrupted ahead of the 2020 U.S. election,” the report says. “The actors’ continued presence on alternative platforms that lack rigorous policies on foreign interference has also allowed them to create a direct line to these communities, through which to deliver a stream of tailor-made political content.”

Chat room

Here are some more reactions to the Colonial Pipeline ransom seizure. Mandiant Threat Intelligence Vice President John Hultquist:

New York Times cybersecurity reporter Nicole Perlroth:

Matthew D. Green, an associate professor at Johns Hopkins University focused on cryptography:

Government scan

The Senate is set to pass a bill aiming to boost U.S. competition with China in semiconductors and other industries.

The bill includes billions of dollars in funding to boost the U.S. computer chip industry. 

The Senate could pass it as early as today, the New York Times’s David E. Sanger, Catie Edmondson, David McCabe and Thomas Kaplan report. The bill comes amid broad concerns that Chinese dominance in next-generation technologies could make the U.S. government and companies far more vulnerable to digital snooping from Beijing.

“Frankly, I think China has left us no option but to make these investments” in industries like semiconductors, said Sen. John Cornyn (R-Tex.). 

F.B.I. Investigates Cyberattack That Targeted N.Y.C. Law Department (New York Times)

Insurer Chubb paid $65,000 to help a city unlock ransomware in 2018. A second hack was more expensive. (CyberScoop)

Securing the ballot

A conservative talk radio host once backed the Arizona GOP election recount. Now he's warning Republicans against it (Los Angeles Times)

Industry report

  • The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency is launching a program inviting outside researchers to search for computer bugs in its websites. The program, managed by Bugcrowd and Endyna, is part of a government-wide mandate to make it easier for ethical hackers to disclose such bugs in government websites.

Global cyberspace

Biden adviser: Investigating Bitcoin’s role in cyber attacks must be ‘priority’ for G7 (The Independent)

China Is the elephant in the room as Europe targets American tech (Forbes)

Privacy patch

Amazon is about to share your Internet connection with neighbors. Here’s how to turn it off. (Geoffrey A. Fowler)

  • Colonial Pipeline CEO Joseph Blount testifies before the Senate Homeland Security and Governmental Affairs Committee today at 10 a.m.
  • Chris Krebs, the former director of the Cybersecurity and Infrastructure Security Agency, and former FBI deputy director Sean Joyce discuss ransomware at an Aspen Institute event today at noon.
  • The Middle East Institute hosts its annual cyber conference on Wednesday.
  • Quinn Carman, the director of operations of the NSA’s Red Team, speaks at the Silicon Valley Cyber Security Summit on Wednesday at 10:50 a.m.
  • The Senate Intelligence Committee holds a confirmation hearing for Christine Abizaid, President Biden’s pick to lead the National Counterterrorism Center, and Robin Ashton, who he nominated to be the CIA’s inspector general, on Wednesday at 2:30 p.m.
  • Colonial Pipeline CEO Joseph Blount testifies before the House Homeland Security Committee on Wednesday at noon.
  • The Senate Homeland Security and Governmental Affairs Committee holds a confirmation hearing for Jen Easterly and Chris Inglis, Biden’s picks for director of the Cybersecurity and Infrastructure Security Agency and national cyber director, on Thursday at 10:15 a.m.
  • Rep. John Katko (R-N.Y.), the top Republican on the House Homeland Security Committee, discusses cybersecurity at an American Enterprise Institute event on Friday at 10 a.m.
  • Gen. Paul Nakasone, the director of the National Security Agency and commander of U.S. Cyber Command, testifies before a House Armed Services Committee panel alongside the director of the Defense Intelligence Agency, Lt. Gen. Scott Berrier, and Undersecretary of Defense for Intelligence & Security Ronald Moultrie on Friday at 11 a.m.

Secure log off