Colonial Pipeline and Ransomware: The Kalashnikov of 2021

Tom Kellermann is the head of cybersecurity strategy for VMware. Prior to this role, Kellermann was the chief cybersecurity officer for Carbon Black. Tom serves as the Wilson Center’s Global Fellow for Cybersecurity Policy and sits on the Technology Executive Council for CNBC.

Kellermann previously held the positions of CEO and founder of Strategic Cyber Ventures; chief cybersecurity officer for Trend Micro; vice president of security for Core Security; and deputy CISO for the World Bank Treasury.

In 2008, Kellermann was appointed a commissioner on the Commission on Cybersecurity for the 44th President of the United States. In 2003 he co-authored the book, Electronic Safety and Soundness: Securing Finance in a New Age.

From 2007-2015 Kellermann taught a course on cybercrime as an adjunct professor at American University’s School of International Service and Kogod School of Business, where he also earned his Master’s degree in International Politics.

In an effort to adapt and update technologies to improve business continuity, many organizations have in fact expanded their cyber attack surface, leaving room for cybercriminal cartels like DarkSide to infiltrate and wreak havoc, as was the case with the Colonial Pipeline attack. This oversight, together with the geopolitical motivations of many cybercrime gangs, helps explain why and how the attack occurred. As Kellermann explains:

“When you look at traditional cybercrime, or this ransomware as a service phenomenon, or some of the most regrettable facets of the dark web economy, it is all organized. And it is all protected by nation-states, and typically nation-states that used to be a part of the Soviet bloc.”

In this episode, Kellermann discusses:

  • The vulnerability of U.S. energy infrastructure;
  • The geopolitical motivations behind the attack;
  • What Colonial Pipeline should do now to mitigate the damage.


Steve King 00:13
Good day everyone. This is Steve King. I'm the managing director at CyberTheory. Today's episode is going to explore the ransomware attack on the Colonial Pipeline and the current state of cybersecurity as it relates to both critical infrastructure and our ability to detect and prevent attacks like this one. Joining me today is Tom Kellermann, the head of cybersecurity strategy for VMware. Prior to this role, Tom was the chief cybersecurity officer for Carbon Black. He serves as the Wilson Center's Global Fellow for Cybersecurity Policy, and he sits on the Technology Executive Council for CNBC. Tom previously held the positions of CEO and founder of Strategic Cyber Ventures, was chief cybersecurity officer for Trend Micro, was the vice president of security for Core Security, and deputy CISO for the World Bank Treasury. In 2008, Tom was appointed a commissioner on the Commission on Cybersecurity for the 44th President of the United States. And in 2003, he co-authored a book called Electronic Safety and Soundness: Securing Finance in a New Age. In addition, Tom taught a course on cybercrime for about eight years as an adjunct professor at American University's School of International Service and the Kogod School of Business, where he also earned his master's degree in international politics. Welcome, Tom, and thanks for joining me today.

Tom Kellermann 01:45
Thanks for having me.

Steve King 01:46
So Tom, Colonial Pipeline shut its entire network over the weekend, I guess on Friday. That's the source of nearly half of the US East Coast fuel supply, and it was a ransomware attack on Friday. What's your opinion on the vulnerability of the US energy infrastructure today?

Tom Kellermann 02:05
The energy sector is highly vulnerable to cyber attacks in many regards. You know, because of the blackout of 2003 on the East Coast, the energy sector was quick to adopt technologies to maintain resiliency, without fully comprehending that business continuity, and the effort to maintain business continuity, actually exacerbates the cyber attack surface. And so, as illustrated by this attack, we're dealing with day four now of this crippling blow to essentially the jugular of the US economy. And it is beyond me right now that we allow nation-states to harbor cybercrime cartels who leverage these types of destructive attacks against our critical infrastructures.

Steve King 02:50
You and me both. And then of course, we know this is a nation-state attack; there are many incentives for various countries to have arranged this attack and all the others that we've seen in the last 90 days. Which one do you think is behind this, and why?

Tom Kellermann 03:04
Well, let's be very clear. Give me the Latin term for who benefits. This is a Russian attack as a direct response to economic sanctions. And they're using a proxy to carry out revenge for the recent economic sanctions that were imposed upon them. And this proxy, the DarkSide group, really came onto the map last August when they issued a press release. What's notable about the attack code that they've leveraged in this regard is that it will not detonate, it will not activate, on a Cyrillic or Russian keyboard. So until the US government is willing to force all American companies to use Russian keyboards, we're going to continue to deal with these types of threats.

Steve King 03:44
Right, so the statement from the Department of Energy says it's monitoring potential impacts to the nation's energy supply, while both CISA and TSA say they're working on the problem. In your mind, Tom, who should be working on this, and what should they be doing?

Tom Kellermann 04:02
Well, look, you know, the FBI and CISA are going to do a good job of eliminating the footprint and exterminating the ransomware within the infrastructure. But we're going to continue to see these types of attacks. These types of groups do tremendous reconnaissance on targets; they customize the ransomware specific to the environments they hit. So they're creating tailor-made, you know, custom munitions to target that infrastructure. And this benefits the Russians in many regards. Not only does it cripple and hurt, you know, the lifeline for energy up and down the East Coast, but it also increases oil prices globally, which directly benefits their economy.

Steve King 04:37
Exactly. Well, so we've reversed our position on energy independence here in the last 100 days or so, you know, and politically, whether you like it or not, we're now in a much more difficult position. And it's not surprising then that Russia, which is the largest natural gas exporter in the world, would want to be able to be more aggressive in these markets with higher margins, right? And so the supplies are now diminished.

Tom Kellermann 05:03
What the Biden administration needs to understand here is that economic sanctions alone will not deter this type of aggression, for a number of reasons. Number one, most ransomware is developed by Russian-speaking threat actors who are part of cybercrime cartels that are beholden to Putin and the regime. And they exist because they abide by three rules: you never target anything within the sovereign boundaries of Russia, which is why most ransomware won't detonate on Russian, Cyrillic keyboards; if you find something of interest, or you can get access to something of interest, you will share that access with the FSB and the SVR; and then, most importantly, when called upon to be patriotic and go after the foes of Mother Russia, you will do so against the select target lists that are chosen for you by the intelligence services. In exchange, you maintain untouchable status. And this is a perfect example, because economic sanctions are being offset by cybercrime. The majority of proceeds of cybercrime actually go back to the former Soviet bloc, they go back to Eastern Europe; the majority of ransomware was coded and developed by Russian cybercrime cartels. And then in addition to that, this type of attack obviously demonstrates that they can force a shift in the market and the value of energy globally by leveraging attacks against critical infrastructure.

Steve King 06:21
Exactly. If these sanctions are essentially useless, as you've just described, and I agree with you, what's your alternative?

Tom Kellermann 06:32
Well, we need to create a norm of international deterrence that dictates that if you're harboring cybercrime cartels or leveraging attacks against critical infrastructures, whether they be hospitals or the energy sector, etc., you will deal with shared risk. And there should be a proportionate cyber response by the NSA and Cyber Command immediately. In addition to that, if you really want to go after it, put pressure on the money that is laundered through the oligarchs via the cybercrime cartels, etc. You need to put pressure on the alternative payment channels and virtual currencies that are being used to launder the proceeds of cybercrime, whether they are complicit or not. There are bad actors, whether they are exchanges throughout Eastern Europe and the Caribbean, or whether they be virtual currencies like Monero that, in large part, are associated with cybercrime and the movement of money via cybercrime.

Steve King 07:25
Yeah, and I think that, won't any actions like those require congressional approval?

Tom Kellermann 07:33
I don't understand why proportionate shared risk, and the NSA leveraging a proportional attack against the infrastructure of the cybercrime cartels, requires congressional approval. I just think it's about a modernization of authorities. I think the challenge for the Defense Department has been that when they leverage offensive action, they leverage it against state actors or non-state actors that are associated with terrorism. And yet there's this gray area of these proxies who are cybercriminals that also act as cyber militia members; they add value and firepower to groups like APT29, like Turla, etc., etc. And these proxies need to be brought to bear. And so I'm not sure why, you know, the NSA's capabilities have not been brought to bear against the cybercrime cartels, at a minimum.

Steve King 08:27
You can look at this attack in a couple of ways, right? One of them is obviously aimed at what we've discussed. But what happens as well is it creates a societal response, if you will, of sort of fear and uncertainty and confusion about whether or not, you know, we've got leadership in place that can deal with this sort of thing. You know, gas prices are already up a buck over last summer; you know, if this goes on for another couple of weeks, we're gonna see gas prices increasing beyond that. And then, you know, maybe returning to the 1970s, you know, waiting in line to get gas when it's not available, at least on the East Coast. How much of this current attack do you think is targeted at disruption and division? Or is that just a byproduct?

Tom Kellermann 09:17
No, I do think the purpose of this attack is primarily to disrupt the US economy as payback for the economic sanctions that were leveraged against Russia recently as a response to SolarWinds, ironically, and that's the great irony.

Steve King 09:31
Yeah, indeed. And it was the Russians that were behind SolarWinds too.

Tom Kellermann 09:36
Right, exactly. And frankly, if you look at cybercrime globally, yes, the Chinese are stealing intellectual property, but when you look at traditional cybercrime, or this ransomware-as-a-service phenomenon, or some of the most regrettable facets of the dark web economy, it is all organized, and it is all protected by nation-states, and typically nation-states that used to be a part of the Soviet bloc.

Steve King 10:04
Yeah. And if we attack those proxy groups, isn't that very close to a declaration of war?

Tom Kellermann 10:11
You know, I would look at it again just like terrorism: if you're harboring terrorists, and people are launching attacks from your sovereign boundaries, whether or not you are blessing those attacks or insulating those groups from retribution, there needs to be shared risk. And so I feel that the Western world, which has now been suffering significant systemic attacks at the hands of these threat actor groups that have a protection racket and a pax mafiosa with the Russian regime, needs to draw a line in the sand here: if you're going to target healthcare, if you're going to target energy, if you're going to target transportation, you will see a reaction, a proportionate reaction of cyber offense against the infrastructures associated with those attacks.

Steve King 10:55
So if we do nothing about this one, is the electrical grid up for the next attack?

Tom Kellermann 11:02
You know, the nice thing about the US energy sector and the electrical grid is, you know, it's not one grid. But I do think that, as the administration and Congress are negotiating this very week to modernize American infrastructure, a huge component of that modernization requires vigilant digital transformation. What I mean by that is, yes, they're going to migrate to new technologies to create greater efficiencies to improve the infrastructure of the US. But cybersecurity must be built in; it must not be viewed as an afterthought. The sustainability of that infrastructure investment will be based upon the effectiveness of the cybersecurity strategy.

Steve King 11:40
Yeah, sure. If you're Colonial, what do you do now? Or do you pay the ransom and just...

Tom Kellermann 11:49
You don't pay the ransom. And people don't ever pay the ransom; that's why this group in particular leverages double and triple extortion campaigns. No, you should never pay the ransom. Look, the reality is, they're essentially going to have to go back and reimage all these machines that have been impacted, start from the beginning, and then reconnect them to the system and ensure that they have, you know, endpoint detection and response capabilities across the infrastructure now that can give them the telemetry to assure that there isn't a secondary backdoor. And I know that, you know, FireEye's in there, they're gonna do a great job on this; the FBI is in there and CISA's in there. But that doesn't mean this is, you know, an isolated event. And it doesn't mean that other parts of the sector won't be targeted with secondary and other waves of these types of attacks. Because, as we see, geopolitical tension is manifesting in cyberspace. And the Russians, for decades, have loved the construct of using proxies to go after the US and US interests, whether it was in Central America in the 80s, or whether it's in cyberspace now; the utility of proxies to become their Rottweilers is profound. And I would stress one last thing, you know, to my earlier point about most ransomware being developed by Russian cybercrime cartels: it's true, but what's interesting is, you know, ransomware has pretty much become the Kalashnikov of 2021. And it's being more and more widely distributed; they have affiliate programs where they give you a percentage of the cut if you leverage attacks with their capability sets. And then of course, they have the capacity to use the rootkits that are automatically provisioned in these ransomware modules to access any system that's been hit with the ransomware that they lease and/or sell as a service to someone else.

Steve King 13:28
I know. It's been so amazingly commercialized, it's immediate, you know, it's almost as if they take out ads, they have, you know, regular programming, you know, anything you need, they've got it and you can get it easily. You know, I guess that happens when you continue to turn away from the reality of external scrutiny.

Tom Kellermann 13:49
This group, last August, put out a frickin' press release about their services offering.

Steve King 13:57
This is insane. It is insane indeed. So unlike SolarWinds, where, you know, I agree with you, I think you need to rebuild your networks, you know, but there's no kinetic impact of the SolarWinds attack, whereas there's very much so a physical, you know, cyber-physical, if you will, impact to this one. And we have no idea whether the OT is infected either. And I continue to read about people who, you know, say, "well, we're upstream, but we pulled everything off our network once we heard about this," and once you've heard about the attacks, it's a little late for pulling things off your network. So, you know, yeah, going back and rebuilding all of that. But what is your take on how extensive either upstream or downstream infections are from this thing?

Tom Kellermann 14:47
Well, it's not just a question of this thing. You know, it's notable that CISA put out an urgent directive for best practices to protect the sector as a whole in February; they must have been getting telemetry that this was coming or ongoing, not just specific to this group, but that long-term campaigns of attack against the sector as a whole were beginning or had begun, or they wouldn't have issued that directive. It's also notable that, you know, Anne Neuberger stated that she was very concerned about destructive attacks being the third phase of SolarWinds. And that probably provoked the judge to authorize the FBI's unique activities to go in and destroy the shells and the backdoors placed in systems by the Russians. So from our own data here at VMware, we're seeing a 118% increase in destructive attacks since last year. And the thing is, there's no reporting requirement for the advent of a destructive attack. Typically, all reporting requirements associated with cybercrime are really focused on the theft of non-encrypted data, right? This is a huge problem. I'm very concerned that this will be the year that a major public cloud provider's infrastructure is used to systemically distribute destructive payloads against US corporations as a manifestation of geopolitical tension.

Steve King
That's encouraging.

Tom Kellermann 16:14
I mean, look, again, the administration has some of the very best cyber leaders in great positions. I have complete faith in the capacity of those folks to know what needs to be done. However, there is this reticence, there is this reticence to create shared risk, there is this reticence because of our dependence on technology, but that is not inhibiting or deterring our adversaries, particularly our Cold War adversaries, from acting out in this space. So until we begin to create proportionate responses and shared risk for these adversaries, specifically these proxies and cyber militia groups who are protected by these regimes, we will not see peace in cyberspace.

Steve King 16:52
You and I, and many others in our community, share that view. The question, for many of our listeners who are not, you know, cybersecurity savvy, is when and how are we going to take that step, you know, to either federalize the grid, both in energy and electricity, and/or act upon what we know in terms of offensive cybersecurity?

Tom Kellermann 17:23
I'm hoping this is the tipping point, I really am. And you know, private corporations don't have the authority, power or wherewithal to go toe to toe with this phenomenon. It's time for Cyber Command to take the gloves off and leverage a proportionate response. It's time that we follow the lead of countries and law enforcement agencies like the Dutch, with the takedown of Emotet, right, or the Ukrainians or Estonians, who actively hack into dark web forums and disrupt them. That is effective. That is the only way in which they've survived the onslaught of cyber attacks from behind the Iron Curtain. So look, we have to respect that there's a Silicon Valley of the East. It's in St. Petersburg, Russia, and it exists to offset economic sanctions and to be used as a proxy and cyber militia by the regime against the West.

Steve King 18:16
Yeah, I guess, again, you know, it took the Dutch a while to do that, too. And there was a lot of international cooperation and negotiation, and yada, yada, while they were doing all of that, as well. And so, you know, if we think, and I think, that there's an imminent threat as a follow-on to the one we just saw, there's no time to do that sort of thing. So I wish I had a practical solution that this administration could implement. And I agree with you, we have fabulous cybersecurity talent now in the federal government. Do you think this administration has the political courage to do what needs to be done here?

Tom Kellermann 19:00
I hope so. And I'd like to point your listeners and the audience here to something that really didn't make the front pages of the press last fall, but should have, really. You know, we were dealing, still dealing, with a pandemic; hospitals were overwhelmed. TrickBot, right, had just been taken down successfully through joint action by the government and Microsoft to inhibit the capacity of the Russians to influence the election. Yeah, we all know about that. But in direct response to the TrickBot takedown, by the same threat actors, right, ransomware attacks were leveraged against all major US hospitals.

Steve King 19:41
That should have been a red line. Well, I hope we can find a way to put an actual red line down and move forward here. But of course, you know, you and I agreeing is probably not going to change anything.

Tom Kellermann 19:57
I think, no, I think, look, real quick: the court authorization of the FBI to go into private corporations and to eliminate the presence of the Russian footprint, that was precedent setting. And there's no reason why you may not see the same type of reaction to the infrastructure associated with DarkSide by the NSA and FBI.

Steve King 20:17
It makes sense. I'm conscious of the clock time. I know you've got an insane schedule. So I think I want to call it at this point, but I think it was a great conversation and raised issues that need to be raised. So I want to thank our guest Tom Kellermann for taking time out of his schedule to join me in what I hope was an intriguing exchange. So thank you, Tom.

Tom Kellermann
Thank you for having me.

Steve King
And thank you to our listeners for joining us in another episode of CyberTheory's exploration into the complex world of cybersecurity technology and global realities. Until next time, I'm your host, Steve King, signing out.
