The ransomware-induced disruption of Colonial Pipeline, which supplies 45% of fuel consumed on the East Coast, has already forced big changes to U.S. government policies on pipeline security and brought heightened scrutiny of organizations’ decisions to pay hackers ransoms.
Now, the incident has factored into one prominent security firm’s decision to change how it publicly classifies the relationship between criminal hacking groups and the governments that host them.
Talos, the threat intelligence unit of Cisco, said Wednesday that it would begin using the term “privateers” to describe hacking groups that aren’t controlled by governments but which “benefit from government decisions to turn a blind eye toward their activities.”
Other cybersecurity executives have compared the safe havens that some governments provide cybercriminals today with 17th century piracy.
“If it were the 17th century, and pirates harassing the English merchant fleet were ducking into Dutch harbors, at what point would the Dutch be held culpable?” tweeted John Hultquist, vice president of threat intelligence at Mandiant FireEye. “At what point would claims of a neutral policy wear thin?”
Talos researchers said that DarkSide, the Russian-speaking cybercriminal syndicate that allegedly hacked Colonial Pipeline, is one example of a privateer.
President Joe Biden seems to agree.
“So far there is no evidence … from our intelligence people that Russia is involved, although there is evidence that the actors’ ransomware is in Russia,” Biden told reporters on May 10. “They have a responsibility to deal with this.”
If Talos’ classification system catches on with other security firms, it could have implications for how the U.S. government and its allies approach the issue. U.S. prosecutors draw heavily on the analysis and assistance of such research firms in bringing indictments against both non-state and state-linked hackers.
Talos researcher Vitor Ventura said in an email that his firm’s goal is to “challenge the status quo of group classifications” used in the cybersecurity industry.
“It is important to distinguish these groups from typical state-related actors because they bridge the threat between crimeware and APT groups from a complexity standpoint,” he added, using an acronym associated with state-sponsored hackers.
“For a long time, the lines that distinguish state-sponsored and crimeware groups were well-defined,” Ventura and his colleague Warren Mercer wrote in a blog post. “We believe this is no longer the case.”
Among the criteria that Talos proposed for the privateer label is that a hacking group be hosted in a country that doesn’t cooperate with extradition requests. A privateer should also be one that engages in “big-game hunting,” or targeting large corporations for extortion, Talos researchers said. That is a trademark tactic of Russian-speaking ransomware gangs.
The labeling change from Talos is an indication that private sector researchers have in recent years become more skilled at attributing hacking operations to individual organizations, and more comfortable with drawing conclusions about those groups’ relationships with governments.
The debate over what level of culpability to ascribe to governments for hacking that occurs on their soil is not new; it has just taken on added importance after the days-long shutdown of Colonial Pipeline.
Nine years ago, Jason Healey, now a senior research scholar at Columbia University’s School for International and Public Affairs focused on cyberwarfare, wrote a paper on the “spectrum” of responsibility that governments have for cyber operations carried out on their territory, including those that the state ignores and those that it orders.
The purpose of the paper, which researchers are reading anew following the Colonial Pipeline hack, was to “shift the [policy] discussion away from ‘attribution fixation’ to national responsibility for attacks in cyberspace,” Healey wrote.