DarkSide poked the Bear. Now what?
May 21, 2021
When cyber events occur, it is always a good practice to pause, listen, learn and allow time for things to unfold before commenting. Too often, rushing to be the ‘first to comment’ before impacts are fully understood means accuracy suffers.
With that said, it is time now to talk frankly.
First let's set aside DarkSide's attempt to portray itself as a not-so-bad criminal organization, like when it tried to play down fears about widespread infrastructure attacks going forward. And the effects of this event go far beyond the ransom: They cascaded downstream, across the South and up the East Coast, raising prices for consumers and causing panic buying, as well as having material impacts upstream.
The largest US refinery shut down two units in Texas because storage was at capacity and there was nowhere to move the refined product. All of this while yet another company is suffering hits to its reputation and while multiple companies upstream, midstream and downstream experienced hits to their revenue.
What DarkSide did is criminal, period. And it's not just DarkSide.
Accenture's Cyber Threat Intelligence (CTI) team has observed numerous egregious attacks against organizations in the US and beyond, including industrial and energy, utilities and chemical companies.
Incidents like these also give these groups a way to attack the business ecosystems and customers of the victim companies, so it is not surprising that the total amount paid by ransomware victims increased by 311% in 2020, reaching nearly $350 million worth of cryptocurrency.
All companies need to raise their cyber posture as far as they can, especially those that operate critical infrastructure. In addition, the governments of the countries where these cyber-criminal enterprises operate must bring them to justice, and the US government should take swift action. Let's take these one at a time.
One lesson we have learned is that even if the operational technology (OT) systems that run your factory (or pipeline, or electric distribution system) are well protected, an attack elsewhere can still have a cascading effect on production. The belief that firewalling or 'air-gapping' systems means there is no risk is almost always incorrect. OT systems and assets and the IT systems that support them need each other: the IT side carries the scheduling, billing, monitoring and safety data that operations depend on. Oftentimes, bringing one down means the other comes to a standstill, if for nothing else than precaution.
Countries should be accountable for the bad actors within their borders: if they are operating in your jurisdiction, then bring them to justice. That does happen sometimes, though some countries aren't likely to extradite criminals indicted in the US. More on that in a moment. Beyond that, we are starting to hear some leaders in the US call for the government to take offensive action against entities, and even other governments, that fail to police what's going on under their noses. Could this include launching its own counter-cyberattacks? My guess is yes.
With input from many, including Accenture, the Biden administration issued an executive order on Wednesday aimed at significantly improving cybersecurity in our country. Personally, I believe the EO is an important step, especially considering the cascading effect an attack on critical infrastructure can have. But right now it's sad and disappointing that paying ransoms has become a cost of doing business. One possible solution not addressed in the EO: take steps to track the cryptocurrency in which those ransoms are paid.
The system of international justice can work. In one case, high-ranking members of a sophisticated international cybercrime group operating out of Eastern Europe were arrested. According to federal indictments, they are members of FIN7, which ran highly sophisticated malware campaigns that targeted more than 100 U.S. companies and stole millions of customer credit and debit card numbers.
One of the Ukrainians in the group, arrested in Dresden, Germany, was sentenced to 10 years in prison. A second was arrested in Bielsko-Biala, Poland, where he was awaiting extradition. The third was detained in Spain pending the United States' request for extradition. “Cyber criminals who believe that they can hide in faraway countries and operate from behind keyboards without getting caught are just plain wrong,” said a US Attorney.
Cyberattacks are extremely harmful, especially those that hit critical infrastructure, whether deliberately or by mistake. When the world comes together to denounce such attacks and rational governments put pressure on these criminal enterprises, we can see changes, such as DarkSide saying it will disband.
Although this is a win against DarkSide, make no mistake: many of the people there will simply set up another shop under another mysterious name and continue their nefarious activities. Our only choice is to increase our cyber defenses and be prepared.
Accenture Security is a leading provider of end-to-end cybersecurity services, including advanced cyber defense, applied cybersecurity solutions and managed security operations. We bring security innovation, coupled with global scale and a worldwide delivery capability through our network of Advanced Technology and Intelligent Operations centers. Helped by our team of highly skilled professionals, we enable clients to innovate safely, build cyber resilience and grow with confidence. Follow us @AccentureSecure on Twitter or visit us at www.accenture.com/security.
The opinions, statements, and assessments in this document are solely those of the individual author(s) and do not constitute legal advice, nor do they necessarily reflect the views of Accenture, its subsidiaries, or affiliates.
Copyright © 2021 Accenture. All rights reserved. Accenture, and its logo are trademarks of Accenture.
This document makes descriptive reference to trademarks that may be owned by others. The use of such trademarks herein is not an assertion of ownership of such trademarks by Accenture and is not intended to represent or imply the existence of an association between Accenture and the lawful owners of such trademarks.