Cybercriminals Turning U.S. Security Tools Against Us

President Joe Biden has taken a hard line against Russia in terms of cybersecurity sanctions. However, as these organized crime groups use U.S. security tools against us, it severely limits his retaliation options.

The Current State of Affairs

Newsweek reported this week that a cybersecurity official told them that “Technically, a lot of these tools that are being leveraged for ransomware are tools that were leaked from our own organization.”

He added that “One of the challenges that I look at is, these tools are not tools that are generally created by other nations. What’s funny is other nations are using the tools that were developed by us.”

Two major ransomware attacks have occurred since Biden took office. The first was Colonial Pipeline which was hit hard, and the attack disrupted operations for a week where fuel shortages and panic spurred an instant price increase. Colonial Pipeline paid a hefty ransom but received little in return. The decryption software they purchased did not unlock their files. The government seized cryptocurrency wallets belonging to the DarkSide gang and recuperated $2.3 million of the $4.4 they paid. 

The second attack was on JBS, a global meat packaging company. Their operations were halted for a short time as a result. However, JBS also decided to pay a shocking $11 million ransom. Their decision to pay turned out better in that the decryption software worked for them. Although they were confident that no data had been exfiltrated and most of their files were operational, they explained why they paid the ransom “in consultation with internal IT professionals and third-party cybersecurity experts; the company made the decision to mitigate any unforeseen issues related to the attack and ensure no data was exfiltrated.”

How These Tools Fall into the Wrong Hands

The cybersecurity professional that spoke with Newsweek explained how these tools end up in the hands of bad actors. “It’s that challenge where anytime a tool or capability is used; it’s pretty much considered burned,” the official said. “Because, for an offensive portion, you have to deploy processes and technologies to adversarial systems to be able to reach out and touch somebody, right? So, once they’re uncovered, they can reverse-engineer it.”

Ex-CIA official J.D. Cook told Newsweek that “Sometimes it gets used. That’s why you have to protect your stuff, and there’s a point that I think people should really make about that. It’s true. A lot of things get repurposed, whether it’s an American cyber tool, France, British, Russian, Chinese, etcetera, and that sucks because some of these tools have gotten out. There have been security issues.”

Cook also mentioned that when U.S. intelligence officers target Russian cybercriminal groups, they need to be very careful about the tools they use. The Russian’s are just sitting there waiting to see what type of resource is exposed that they can then use to their advantage. 

Cook reiterated this when he said, “You have to think about what you use, think about what your signature looks like. And if you just do it ham-fisted, you may be giving a gift to the Russians that may hit you in some of your other technical operations, that you may be doing as well.”

CrowdStrike cybersecurity company chimed in with, “Adversarial groups have access to U.S. tools and put them into the public domain. Are they being repurposed, or are they being re-engineered? The answer is yes.”

The FBI agency feel strongly that the U.S. has a responsibility to keep this from happening in the future. The Biden Administration is swiftly working to enact laws that furthers the war on ransomware and cybercriminals. Although the Administration hasn’t singled out Russia for the two latest attacks, the President has made strong warnings and threatened sanctions for any additional attacks.