The May 7, 2021, ransomware attack on Colonial Pipeline by a cyber-threat actor known to have been operating out of Russia is believed to have been at least tacitly authorized by the Russian government. The implications of the attack were immediately intriguing, but the analysis provided in this article was held pending a more definitive degree of attribution, which has yet to materialize.
The most compelling evidence that the Russian government is at least allowing cyber-crime actors to operate with relative safe haven is the fact that Russia would be among the last countries an organization would choose to operate from if it were concerned with government detection and retribution. Whether Russia is using malign actors such as DarkSide as GRU front organizations or cyberspace mercenaries – or simply turning a blind eye as long as they only target countries other than Russia and its allies – it is now among the top information operations with which the U.S. Intelligence Community is contending. Dating back to the early 1900s, however, the Russian ability to protect state secrets, disinform the West, and obfuscate their true intentions has remained consistently effective.
As it stands, based on what is known, there are two competing alternatives which suggest that either the GRU will now bring criminal organizations under more stringent control, or that the Colonial attack may be an even more alarming omen.
The Imperative of Access
A fundamental tenet of offensive cyber operations is that in order to attack a target system, the cyber-attack actor must gain (usually remote) access to the target system.
The manner in which the Russian cyber program (largely GRU) would exploit access to a target system, as opposed to an independent, transnational cyber-crime organization, would differ significantly. A criminal organization would exploit access to a target system with a ransomware attack directly after gaining access to the target system, in order to preclude any subsequent loss of access negating the opportunity for financial gain. In contrast, when a government-sponsored cyber program gains access to a target system, the objective then becomes to maintain and protect that access until the time at which exploiting the access and attacking the target system supports broader political/military national objectives. Therefore, unlike a criminal endeavor, a government program would conduct a very deliberate gain/loss analysis in determining when the benefits (gains) of expending the access outweigh the compromise (loss) of the ability to exploit this access in the future. When the decision is made to exploit the access for the purposes of a cyber attack, the access is then determined to be “expendable.”
There are two alternatives that are most inferably feasible based on what is known about the Colonial Pipeline attack, and given an understanding of the concept of access (and expendable access) as it applies to cyber attacks. If Russia did turn a blind eye, then they likely realized the costly aspect of this approach after it was too late. Alternatively, if they did authorize the attack with full cognizance of the “expendable access,” then the implications to the U.S. and its allies are daunting.
If the threat actor with the access to attack the Colonial Pipeline were a component of the larger Russian cyberspace operations enterprise, then it would be assumed that after having gained access to such a potentially disruptive component of U.S. critical infrastructure, they would have protected this access and waited to exploit it when it served a more pragmatic national security purpose — such as to deter or disrupt a large-scale U.S. military operation. Therefore, if Russia were allowing DarkSide to independently operate with the tangential benefit being that the organization was able to haphazardly degrade confidence in the United States’ ability to protect its infrastructure, the Russian GRU likely learned an important lesson from the pipeline attack.
The Colonial Pipeline is a key U.S. critical infrastructure component and an obvious target for Russian military contingency preparations. The payment of nearly $5 million was a relatively large ransom, indicating the potential impacts that this attack could have imposed had it been sustained. Cyber-crime organizations, to include DarkSide, are very capable cyber actors, but Russian government cyber capabilities are among the most sophisticated in the world. Therefore, it is unlikely that non-state criminal actors would identify exploitable vulnerabilities in priority U.S. critical infrastructure that elements of the Russian government program would not. And even if the GRU had not attained such accesses to the pipeline control systems, they would have readily paid $5 million for such a valuable cyber-enabling vulnerability.
If, in fact, criminal organizations are gaining access to U.S. critical infrastructure and expediently expending these accesses purely for monetary gain, this would imply that they are technically in direct competition with the Russian government in regard to exploiting U.S. critical infrastructure vulnerabilities. Under this alternative, the pipeline ransomware attack would have demonstrated to the Russians that by allowing criminal organizations to operate autonomously with the short-term benefit of antagonizing the U.S., it was enabling the compromise of critical infrastructure accesses that could serve much more important national security objectives in the future. As such, if DarkSide were operating with impunity and without any Russian oversight at the time of the pipeline attack, the GRU now realizes the risks in this approach that would likely compel it to exercise more control over these types of organizations in the future.
Consistent with the Russian propensity to deflect and deceive, the stage is now set for the Russians to project the appearance of cooperation while serving other national self-interests. Ironically, if there were a discernable increase in Russian control over cyber-criminal organizations, many would likely perceive this as acquiescence to demarches and sanctions. However, such a change in approach could project the façade of bending to international norms, while actually serving a more utilitarian purpose as it applies to its critical infrastructure attack planning and protecting valuable accesses for future exploitation.
Government sanction of the pipeline attack would have served a practical purpose by demonstrating Russia’s capability to disrupt U.S. critical infrastructure and impose economic impacts. Among other purposes, such an attack could have been intended to send a message regarding potential consequences to deter U.S. action in response to objectionable (yet non-existential) Russian actions such as the invasion of former republics or poisoning of political opponents. The guise of a criminal effort would also appear to have provided a degree of plausible deniability; although it is well-known that in the cyber domain, state-directed cyber spies and cyber assassins operate with relative anonymity among the vast population of cyber criminals.
If the pipeline attack was an officially sanctioned and calibrated pinprick to demonstrate, and warn of, Russia’s capabilities, then there are far-reaching implications that must also be acknowledged. If this was the case, the Colonial Pipeline attack would have been a deliberate decision based on a gain/loss assessment. Any decision prioritizing near-term gain over long-term loss would have been a determination made consistent with the concept of “expendable access.” Therefore, if the Russian government did wittingly allow the pipeline attack to proceed, this would denote that they viewed that specific access to the pipeline control system infrastructure as “expendable” relative to the outcomes of the expedited attack. The implications there are very concerning.
Taking the concept of “expendable access” to its logical conclusion, the possibility that the Russian government would consider the access that was exploited for a ransomware attack on the Colonial Pipeline as expendable would further indicate that the operational value of this access was relatively low in comparison to other critical infrastructure target accesses they must also possess. This applies not only to other vulnerabilities identified in the pipeline, but also to other accesses the Russians would possess across the broader national critical infrastructure sectors.
Hopefully, time will tell which of these two alternatives is the more feasible.
The views expressed here are the writer’s and are not necessarily endorsed by Homeland Security Today, which welcomes a broad range of viewpoints in support of securing our homeland. To submit a piece for consideration, email [email protected]. Our editorial guidelines can be found here.