> "We are apolitical, we do not participate in geopolitics, do not need to tie us with a defined government and look for other our motives," the group reportedly wrote. "Our goal is to make money, and not creating problems for society. From today we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future."
This is hilarious. "We're just straightforward parasites on society! We only meant to cause moderate amounts of harm! We will improve our practices going forward!" It honestly reminds me of the social media CEO song and dance every time they're in hot water with Congress.
It won't work as well for the hackers, of course, as they aren't paying for lobbyists, crisis PR, and political donations, however much they're trying to be more "professional". [1] I expect this ransomware crew just got a 10x bump in the number of federal agents going after them.
Doing increased harm brings increased amounts of attention. I'm pretty sure they would like to avoid that.
Before this hack, you had insurance companies wanting to stop these guys. They were comfortable with that level of heat. Having the NSA and CIA trying to track them down is a totally different level. Even if they don't get caught, they have to spend a lot more time worrying about opsec, which leaves them less for actually making money.
"We did not realize that the toe we poked was attached to an extremely large bear. Furthermore, we had never even realized that our chimney's diameter was slightly larger than that of an AGM-65. For that, we and our protectors are extremely sorry.
Until we can shift our assets and upgrade our chimney, we promise to refrain from poking large-ish toes. Nevertheless, we do poke toes, so we must continue to poke small ones.
We are sure that everyone understands the nuanced and unexpected realities of our predicament, especially those voters who can't get to work today."
US intelligence has indicated they believe Russia owns at least part of the responsibility; if that's true, then there will be no extraditions and the US almost certainly will not be sending missiles into Russian homes over hackers.
The degree to which the US can craft an internationally persuasive story of Russia's culpability is the degree to which Russia will have to launch an internal investigation, and like, treat the matter Very Seriously and Stuff.
It's very straightforward. They are terrified of being treated as a national security threat instead of as criminals. If they are treated as terrorists, there are far fewer restrictions on how the state can pursue them, far more resources available, and possibly a more capable team pursuing them.
No, we truly live in a world where human beings have decided that it is ok to exploit others for their own gain. These criminals use corporate-speak because that's the language of exploitation.
I've been reading a lot of Discworld lately, so this scans very well as a rather awkward conversation between Lord Vetinari and the head of the Thieves' Guild.
I'm not sure declaring yourself apolitical would save you. The results are the same. Otherwise all terrorists would say "we're apolitical, we just wanted to get money off stock trades based on this news".
>1. The deliberate commission of an act of violence to create public fear through the suffering of the victims in the furtherance of a political or social agenda.
>2. The use of unlawful violence against people or property to achieve political objectives.
>3. A form of psychological manipulation through warfare to the purpose of political or religious gains, by means of deliberately creating a climate of fear amongst the inhabitants of a specific geographical region
If you don't have an agenda behind it, it's not terrorism.
> You can have an agenda, create fear to further your goals and say you didn't have an agenda - pretend the results were accidental.
But that's not what's happening? It's not like we have the IRA setting off bombs and then saying "it's us but it's accidental wink wink". Terrorists are interested in creating fear, hence why they take attributions in the first place.
>It can't be that easy - if some government is going to charge you, they'll do it based on what you achieved, not what you say.
You do realize something can be a crime and still not be terrorism, right?
> Terrorists are interested in creating fear, hence why they take attributions in the first place.
That's one possible way, but not always needed. The message for fear may be "US gas infrastructure can be broken for days by internet exploits" - that's been done. Adding "by Russian groups" at the end does change the message and creates a lot of issues as we've seen - so the preference may be to deny it.
Could they still end up treated like terrorists? Totally. Some drug lords are still called terrorists even though their only goal is monopoly control of the cocaine market by any means necessary.
But their loudly and publicly disclaiming all intent to harm puts them a huge step away from being terrorists in the public’s eyes. Even if the government designates them so, they still have to make a case as to why money should be spent in going after them instead of criminals the population actually cares about.
>Some drug lords are still called terrorists even though their only goal is monopoly control of the cocaine market by any means necessary.
1. who's calling them terrorists? Some shmuck off the street? Some writer for a tabloid? People on wallstreetbets think that hedge funds are "financial terrorists", doesn't mean they are.
2. drug lords can absolutely engage in actual terrorist activities, eg. "we will attack innocent civilians unless you stop arresting us".
You know. I looked it up, and it seems that there was a plan by Trump to list the Mexican cartels as terrorist orgs, but it never went through. Now Biden is being asked to do the same.
It's in line with the modern rule where your actions don't actually matter, you just have to state that your values are in line with popular opinions and you're automatically absolved of being a huge scumbag.
The moment they realize they made a grave tactical error by interrupting the US fuel supply must have been terrifying. They painted a big X on their backs and will probably never find peace again.
It's unusual. But this hack was also unusual. All the rest I'd heard of had much more localized ramifications. This one they hit too hard and I'm not sure the apology will be enough to stop what they have probably put into motion.
Somewhat similar: After a ransomware attack on a German hospital where one person died as a consequence, the attackers gave away the encryption key for free.
> The attackers reportedly withdrew the extortion demand and provided a decryption key to unlock the servers. The justice minister report said that the attackers are no longer reachable.
These groups are oddly professional. Excellent "customer" service and they care a lot about their reputation. Well, at least their reputation in reliably unlocking the data. It makes sense when you look at them as a business interested in making money. It's better for them to stay a (relatively) minor annoyance. If they reach the level of geo-political threat then suddenly governments will devote a lot more resources to shutting them down.
The incentives comparison is actually quite interesting. They're more of a sales team being called by customers who need their product, than a support team. Each caller is an almost guaranteed sale, but they close it by providing tech support.
As opposed to companies where the support is normally a pure cost center, talking to you after you already spent the money.
This is highly atypical, but they are probably worried. They just created a geopolitical incident that Russia has to clean up, and I would imagine there will be consequences for the group.
> Biden also said that although U.S. intelligence had found no evidence to link the attack with the Russian government, he believed the country had "some responsibility to deal with" the issue since some evidence did indicate that the ransomware may have originated in Russia. Ransomware is software that hackers use to take control of data before demanding money in exchange for its return.
>Leo Rosten in The Joys of Yiddish defines chutzpah as "gall, brazen nerve, effrontery, incredible 'guts', presumption plus arrogance such as no other word and no other language can do justice to". In this sense, chutzpah expresses both strong disapproval and condemnation. In the same work, Rosten also defines the term as "that quality enshrined in a man who, having killed his mother and father, throws himself on the mercy of the court because he is an orphan."
Chutzpah amounts to a total denial of personal responsibility, which renders others speechless and incredulous ... one cannot quite believe that another person totally lacks common human traits like remorse, regret, guilt, sympathy and insight. The implication is at least some degree of psychopathy in the subject, as well as the awestruck amazement of the observer at the display
Honestly, it feels like there may be an international game of terrible idea chicken going on.
I remember there being a similar statement after a hospital ransomware attack last made the news here. Now that I'm looking for it there are a lot of hospital ransomware attacks that didn't show up on my radar.
It makes sense from a pure self-serving rational perspective. They don't want to become the target of a well-funded investigation or be held responsible for damages above and beyond some unimportant business network. They want to blend in with the background of 1000 other ransomware attacks per day and make money.
If they also prove they donated to charity via Bitcoin I would assume some legal rights for the victims to claim this money back off the charities. (And it looks like they've given $20k USD to date which is probably a paltry amount for what they've been extracting https://www.bbc.co.uk/news/technology-54591761)
That is an incredible understatement. Disrupting key infrastructure would be considered an act of war if it was done by a state actor. I'm not sure what the equivalent characterization would be for a non-state actor.
I do realize that in this case, as reported, the hack involved the IT systems and not the operational systems but I think my point still stands.
And that's the long story: tech is continuing to give individuals the powers only states had in the past. States are unsure how to respond. In addition, this allows actual states to attack other states and use individuals or small groups as shields.
Ross ran afoul of the FBI. Attacking a gas pipeline is somewhere between a terrorist attack and a military attack. If I were them I’d be less concerned about the FBI and more about being declared a terrorist and being put on a kill list.
According to the Geneva convention, hospitals are not targeted. Maybe we shall offer to drop that part and require hospitals to have their own anti-air defense.
Reality does seem quite inconsistent with itself lately. Maybe if I got in touch with it I could tell it to come back when it has fixed all its double standards. But I'm pretty sure it won't listen.
If you wanna try and tell it that, don't start from me - I'm just along for the ride. Same as all the commenters who have no loved one in either hospital but are quick to propose clever solutions to spherical problems in vacuum
Ultimately it's the patients that are the victims; the institution to which they had entrusted their health was the one that exposed them to remote attack.
It sure sounds like they messed up big time, and it could cost them. I'm sure Putin will never do anything to them while they are in Russia, but the moment they step out of the country to spend some of their money, all bets are off.
They deserve to be hunted down and punished accordingly. When your need to scam people out of money hurts many people and an economy, I say, "Screw You!!"
> I'm sure Putin will never do anything to them while they are in Russia,
Was this confirmed as a Russian hacker group? The article only states that:
> Biden also said that although U.S. intelligence had found no evidence to link the attack with the Russian government, he believed the country had "some responsibility to deal with" the issue since some evidence did indicate that the ransomware may have originated in Russia.
So basically the US authorities have no proof but their leader "believes" that the Russians are behind it.
I don't think your summary is correct. The fragment says there's no evidence for Russian gov connection, but there is some for country connection.
And the law enforcement actions against Russian ransomware groups are... pretty weak. Could have something to do with a few campaigns actually disabling the malware if Russian language is detected.
"Oops, no, sorry, we didn't mean to declare war on the US. Didn't realise that oil would stop moving when we attacked an oil pipeline. Please don't send the Special Forces after us. All we wanted was some BTC to trade for Doge. How do we restart this level?"
If attacks of this nature are possible, they will happen. The problem is that they are possible. There is no excuse for the state of security - either in software or administration, or both - that leaves these vulnerabilities waiting to be exploited.
They opt for convenience instead of security... Infrastructure like this should not be able to be controlled remotely... but of course this is common sense.
Can you imagine accidentally compromising critical government infrastructure? I could almost see this being the premise for a stage play or a Terry Pratchett novel...
I'm imagining a story about a group of teenage hackers who accidentally put ransomware on important government infrastructure and the government offers them a ton of money so they have to pretend to be a serious hacking organization to keep up face
The exact same thing happening to the grid is almost inevitable at this point. A complete grid collapse would take months to recover from. Not to say fuel infra shutdowns are bad, but a complete grid failure is far, far worse.
>"We are apolitical, we do not participate in geopolitics, do not need to tie us with a defined government and look for other our motives..
.. for more information about our organization please visit www....click downl9ad and choose run, the site can only be viewed after agreeing to these terms."
I wonder if it was Warez, Pr0n, or phishing that fooled the employee into loading the malware.
Do you believe people have a right to privacy in their financial transactions? Even if you don't, many people do, and prior to cryptocurrencies there was no way for people to conduct online transactions with privacy.
By your logic, cash should be completely banned because some crimes wouldn't be possible if all transactions took place through police-monitored electronic systems. Encryption should be completely banned because without encryption it wouldn't be possible for criminals to communicate online.
Making pervasive tracking illegal would do so much more for purchase privacy than cryptocurrencies. On average it's still 99% impossible to conduct online transactions with privacy.
> By your logic
Nah, your extrapolations aren't really based in what they said.
>Making pervasive tracking illegal would do so much more for purchase privacy than cryptocurrencies.
Considering governments are not going to give up their panopticon-like powers without a fight, how about making pervasive tracking technically impossible?
That's not how it works at all. Suppose those two options were equally likely to happen. Would they be then equally likely to actually accomplish this goal?
In my mind, one option basically goes like this: get so many people outraged that they demand the government to do something. What happens next is lawmakers introduce some half-arsed legislation (like the self-defeating GDPR banners), companies budget for enforcement and keep violating user privacy.
The other goes like this: get so many people invested that they incentivize more and more businesses to accept crypto that has privacy baked into the actual transaction mechanism. And then what happens next is uncertain but I'm willing to bet on the tech and not on the bureaucrats.
So far most of the businesses that are incentivized to accept crypto do it through a middleman and all the privacy is ruined. So even if they're equally likely, I think the legislative path would work better, in part because the average person doesn't have to understand and act on nearly as much nuance.
Also I like a lot of the mechanisms that credit and debit cards have like dispute resolution. I would like to continue to get those benefits, even in a world with easy cryptocurrency support. So privacy legislation would protect me more universally. Especially if I'm buying something to send to my address, where all the cryptography in the world doesn't help. Or if a store tracks who I am even if I'm paying with cash.
>So privacy legislation would protect me more universally.
Fundamentally, this is where our opinions diverge. You are simply more accustomed than I am to the idea of rule of law working as intended.
If we're looking to make an objective judgement, we should not state what we like, what we want, what we're accustomed to, etc., but we should simplify alternatives so we can compare things that are commensurate.
Let's assume elected officials bring into being the perfect privacy legislation (which contains 0% failure of democratic process due to corruption, misunderstanding of the subject matter, etc.)
That legislation would nonetheless protect you only as far as it is enforced. I would argue that the only way to enforce it at sufficient scale is to integrate the capability to reason about the correctness of transactions into the transaction medium itself.
Once transactions enforce their own validity (e.g. with regards to the desired level of privacy), if a central legislation is still necessary it can be implemented on top of the selfsame transaction medium.
It's either that, or paper over the complexity of the digital world with blanket bans and the like
And by your logic, nothing should be banned. Collectors of nuclear weapons should be allowed to enjoy their hobby in peace.
Obviously, the line is somewhere in the middle. I don't think banning Bitcoin is going to help at this stage as that Pandora's box is now open, but it's true Bitcoin is an insanely useful tool for extortion.
> Do you believe people have a right to privacy in their financial transactions?
Not really, no. Private financial transactions are of extremely limited usefulness to regular people, and are massively, overwhelmingly useful to criminals, and allowing them causes real, societal harm.
There isn't a clear dividing line. What you have are criminal organisations who may get protection and shelter from governments in exchange for making attacks which are incidentally beneficial to that government.
The skillset to compromise large enterprise networks is more readily available and more profitable than the skillset to compromise SCADA systems, and for all the flak they get, the culture at most large engineering firms in the West is extremely safety conscious. If it's not provably operating safely, it isn't. So it gets shut down.
So all you need to do is deny the link between the actual control system and lines of engineering reporting.
We truly do live in a simulation.