The Colonial Pipeline hack, the Russians, & Bitcoin – here's what actually happened
Facts, minus the spin.
Top Department of Justice officials claimed to strike a major blow against the culprits of the Colonial Pipeline cyber attack Monday, announcing that they had seized almost all of the funds paid to the affiliate group responsible for contracting the DarkSide ransomware attack.
Colonial Pipeline suffered a ransomware attack in early May and responded by preemptively shutting down the pipeline’s entire operations for some time, forcing a temporary but major energy crisis throughout the Southeastern United States. In order for the computers that maintained the pipeline to get back to full operation, Colonial agreed to pay a ransom in the form of 75 bitcoin, which was worth about $5 million at the time.
Now, here’s where things get weird:
In their triumphant statements this morning, the DOJ claimed to have seized the funds from the group that reportedly paid DarkSide for their Ransomware as a Service (RaaS) attack on Colonial. Notably, they did not secure the funds from DarkSide, which took a fee from the ransom in bitcoin that remains in the possession of the shadowy operation.
“There is no place beyond the reach of the FBI to conceal illicit funds that will prevent us from imposing risk and consequences upon malicious cyber actors,” FBI Deputy Director Paul Abbate said in a statement. “We will continue to use all of our available resources and leverage our domestic and international partnerships to disrupt ransomware attacks and protect our private sector partners and the American public.”
Now, the DOJ does appear to have secured the affiliate funds, but not in the fashion that it is being advertised by federal officials and widely reported in the corporate press.
Bitcoin is secured through a currently unbreakable cryptographic formula known as a Elliptic Curve Digital Signature Algorithm. You can safely rule out the possibility that the feds broke this form of encryption and were able to pull off this computing power miracle, which is only theoretically possible through the use of quantum computing, a technology that is still very much a work in progress. The feds did not “hack” a bitcoin wallet in this manner, though they certainly seemed happy to give off that impression, as it sows doubt about the security of the bitcoin network.
The DOJ has historically been extremely hostile to bitcoin, labeling it as a preferred monetary system for cyber criminals, despite bitcoin transactions being publicly available to anyone with access to the internet.
A DOJ warrant from Monday morning gives us much more detail about how the government actually secured the bitcoin funds. They did so by obtaining a warrant on a bitcoin wallet or exchange that had servers in Northern California. Yes, you read that correctly. The entity responsible for the ransomware attack did not in fact have custody over their bitcoin. Instead, they were using a custodian for their funds. It is unclear whether this account with servers in the United States is an FBI wallet or the affiliate’s wallet, but the major error in bitcoin 101 custody remains the surprising issue. Using a custodian for your funds instead of maintaining possession of them is a very basic error, especially for an allegedly sophisticated hacking gang. Given that bitcoin transactions are publicly available, it was easy for the feds to track the funds transferred from Colonial to this outfit, as Colonial’s initial transfer to the bitcoin wallet is public information. All they had to do was “follow the money,” which strangely made its way into a U.S. based custodial address.
The latest events surrounding the Colonial Pipeline drama simply do not square with the narratives coming out of the Biden Administration and its stenographers in the corporate press. We were told this much-hyped hacking group of alleged Russians posed a serious threat to our entire critical infrastructure, yet in the same breath happened to have committed a laughably amateurish bitcoin custody faux pas that allowed for the feds to easily take back possession of the affiliate funds.
I will refrain from getting conspiratorial about possible government involvement and leave that to the readers in the comments section. In my opinion, this ransomware attack was successful largely due to Colonial’s lack of basic security measures in place. Similar to the notorious DNC emails hack (with the same claimed Russian government culprits), where John Podesta’s password was literally the word password, the hackers succeeded because Colonial had no measures in place to protect themselves. Everything else in the timeline going back to early May seems blown way out of proportion. Despite the claims made by some powerful people in D.C., there is no compelling evidence that this incident was some kind of Kremlin-directed operation to decimate America’s critical infrastructure.
In the end, the Russians and Bitcoin are not the antagonist actors in this story, though the DOJ seems more than happy to promulgate both of these narratives. Once the feds were able to identify a bitcoin “hot wallet” (as opposed to an offline bitcoin wallet that is controlled by the hackers themselves) was connected to online servers, it became a routine process to seize the funds through legal channels.
There’s also the possibility that the feds identified an individual or group in the affiliate organization responsible for contracting the ransomware attack due to some kind of sting operation. Once identified, the FBI may have proceeded to require these entities to send their funds into a bitcoin wallet in Northern California that is controlled by the FBI.
Anyway, the real issue here is how easily this could have all been avoided. It shows how horrifically poor our infrastructure is protected in this nation, to the point where a cheap ransomware attack by unnamed actors can result in a nationwide energy crisis. The story has nothing to do with U.S. adversaries and digital currencies, but of unbelievable incompetence and neglect on the part of Colonial and our overall security apparatus. It's called *critical* infrastructure for a reason.