The misspelt scam email, the clumsy phishing attack, the gaudy pop-up virus threat. All these I can resist. Cyber criminals have developed an altogether more sinister weapon, though: the polite press release.
DarkSide issued a statement after it was blamed for shutting down a vital US fuel pipeline with ransomware. It read for the most part like a standard piece of public relations guff. It combined concision, a non-apology apology for the inconvenience caused, and a purpose statement that would have made Milton Friedman proud: “Our goal is to make money, and not creating [sic] problems for society.”
DarkSide is the most prominent group in the fast-professionalising industry dubbed ransomware-as-a-service. From its unambiguous brand name to its “customer” support line, it is using tools of corporate capitalism to facilitate attacks on corporate capitalism itself. In a world of black-hat and white-hat hackers, say hello to the bowler-hat hackers.
Tempted? Max Heinemeyer, director of threat-hunting at Darktrace, the cyber security company, told me there was a “war for talent” under way in forums on the dark web, where résumés and references are solicited.
DarkSide is also wise to the ESG trend. “We value our reputation,” it says. The group has recently added funerals and crematoria to universities, schools, and municipalities as places it claims it will never attack. According to Databreaches.net, a cyber security website, it even makes occasional charitable donations.
Criminal or not, any group of more than two people needs to be managed. The larger it is, the more structure it requires. After Osama bin Laden was killed in 2011, documents seized from his compound in Pakistan revealed al-Qaeda to be a complex matrix, with a rule book that insisted, among other strictures, that “departmental expertise must be respected . . . and should not be overstepped”.
Similarly, a cyber security sleuth once told me it was possible to identify state-sponsored hackers because, like good public servants, they stopped attacking while they took their contractual one-hour lunch break. When Emotet, a notorious “botnet” of hijacked computers used to launch co-ordinated attacks, went offline in the summer, some speculated its masterminds were tending to their wellbeing by taking a holiday.
As for DarkSide’s ethical code, mafia bosses have long governed on the basis of internal principles that are often more carefully respected than a bank or consultancy’s core values.
DarkSide and its competitors have good business reasons for mimicking their targets, too, to present themselves as peers or partners of their victims. The mock legalese that they use also makes it easier for hapless systems administrators to explain a hack to their chief executives.
“If you’re a company and you’re hacked, do you pay the ransom demand that comes in a weird scam letter that you can hardly decipher, or DarkSide?” Heinemeyer points out. He estimates eight out of 10 attacks are successful in encrypting corporate data, and between 20 and 50 per cent of companies pay a ransom to free their information.
That is a reminder that the most vulnerable brick in corporate cyber defences is usually human rather than technological. It should also make everyone more wary of legitimate pitches that bear the too-smooth veneer of PR and purpose.
Whatever image DarkSide wants to project, the reality is likely to be less glamorous. When a co-ordinated operation took down the Emotet network earlier this year, Ukrainian police posted video from their raid on a dowdy apartment. If this was Emotet HQ, it was hardly the Googleplex.
Even so, that a critical pipeline could be crippled by private hackers is worrying. Scaled up to become an Amazon of cyber crime, using the efficiencies of big business and the talents of amoral associates headhunted from the dark web, such groups could pose a bigger threat.
Unless, that is, the faultlines that often destroy fast-growing companies also undermine the black-hat hackers.
Such networks can collapse under their own weight. The documents in bin Laden’s bunker showed that by 2011, al-Qaeda had grown into a rules-encumbered bureaucracy, with myriad committees and subcommittees, internal arguments about brand and mission, and divisive office politics.
More likely is that DarkSide’s reputational push backfires. The more notorious the hackers become, the more likely they are to feature among the FBI’s Most Wanted. Big Tech faces a similar dilemma as it tries to dodge the regulatory radar, with one obvious difference. As Heinemeyer says, explaining why he avoided the dark side when he was a teenage hacker, “prison is a big deterrent”.