The Daily - Who is Hacking the U.S. Economy?
Episode Date: June 8, 2021
In the past few weeks, some of the biggest industries in the U.S. have been held up by cyberattacks.
The first big infiltration was at Colonial Pipeline, a major conduit of gas, jet fuel and diesel to the East Coast. Then, J.B.S., one of the world’s largest beef suppliers, was hit.
The so-called ransomware attacks have long been a worry. But who are the hackers and how can they be stopped?
Guest: Nicole Perlroth, a reporter covering cybersecurity and digital espionage for The New York Times.
Sign up here to get The Daily in your inbox each morning. And for an exclusive look at how the biggest stories on our show come together, subscribe to our newsletter.
The Daily is doing a live online event: We follow up with students and faculty from our series Odessa. And we hear from the team who made the documentary. Times subscribers can join us June 10.
Background reading:
The Biden administration has taken steps to counter the growing threat of cyberattacks on U.S. businesses. The F.B.I. director compares the danger of ransomware to the 9/11 terror threat.
As the ransomware industry exploded, a Russian-speaking outfit called DarkSide offered would-be computer criminals not just the tools, but also customer support. Here’s how the group became a hacking powerhouse.
It’s been almost a decade since Leon Panetta, then the secretary of defense, warned of an impending “Cyber Pearl Harbor.” He didn’t want to be right.
For more information on today’s episode, visit nytimes.com/thedaily. Transcripts of each episode will be made available by the next workday.
Transcript
Hey, it's Michael.
This has been a year unlike any other.
And throughout it, we've tried to tell the story of just how profoundly people's lives have changed.
In places like Odessa, Texas, where we followed one school's attempt to reopen during the pandemic.
Now, as the school year comes to a close, I'll be hosting a live virtual event,
taking you behind the scenes of the making of that powerful series.
You'll hear from the producers who created it, the teachers and students who were documented in it,
and a performance by the Odessa High School Marching Band.
Plus, there'll be a commencement address from a surprise speaker.
So join us this Thursday night, June 10th, at 6 p.m. Eastern. Times subscribers can RSVP at nytimes.com slash
graduation. And thanks.
From The New York Times, I'm Michael Barbaro.
This is The Daily.
Over the past few weeks, hackers demanding exorbitant ransoms have repeatedly held hostage vital segments of the American economy,
threatening everything from the energy industry to the food supply.
Today, Sabrina Tavernise spoke with our colleague, Nicole Perlroth,
about why the attacks are becoming so common. And who exactly is behind them.
It's Tuesday, June 8th.
Nicole, I keep seeing these headlines about ransomware attacks.
But I don't actually have a very good sense of what is happening.
Explain to me what's been going on in the last few weeks.
So we've actually been seeing this never-ending onslaught of ransomware attacks.
But what happened over the last few weeks is that two key industries were hit with ransomware.
Colonial Pipeline. Colonial ransomware. Colonial Pipeline.
Colonial Pipeline.
Colonial Pipeline.
So there was a ransomware attack on Colonial Pipeline.
It targeted the Colonial Pipeline that runs from the Texas Gulf Coast through the Southeast up to the Northeast, 5,500 miles.
So workers showed up to work, turned on their computers, but instead of being able to access their email or other key operations, they were met with a ransomware note.
And the note basically said, we've held your data and your systems hostage until you pay us millions of dollars.
The company notified authorities and hired an outside firm to investigate all of it.
You can imagine this may have an impact on already rising gas prices.
So at Colonial, the company just shut down the pipeline because with its
billing systems frozen, it had no way to charge customers. And as a result, this gas station
behind me is out of regular gas. And there are thousands of gas stations just like this one up
and down the East Coast. You saw panic buying at the pump. You saw nonstop flights have to ground themselves
to pick up fuel en route to their destinations.
This had a really big visceral effect.
The FBI is investigating another major cyber attack
affecting a key part of our economy.
Now it's the meat industry.
And then the second big attack was on JBS,
which is one of the world's biggest beef
suppliers. JBS was forced to bring all of its U.S. plants to a halt after this crippling cyber attack.
And there, ransomware criminals hit the company in the middle of a beef shortage.
The attack hitting as summer celebrations ramp up, with Father's Day and July 4th just around
the corner. And so with that attack, you just started seeing the price of beef go up on menus and you start seeing a lot of panic buying around beef supplies.
We're seeing these ransomware attacks, which look like attacks just on individual companies,
actually have an effect on the entire infrastructure of the American economy.
So as a cybersecurity reporter, what did you think when you saw the news of these recent attacks?
Well, for one, I wasn't surprised. You know, we have been seeing ransomware attacks on all kinds of industries. Just in the last couple of months, we've seen ransomware attacks on American mainstays,
not just gas and meat, but television networks, police departments, NBA basketball teams,
minor league baseball, ferries to Martha's Vineyard, hospitals. And what's happening in
the background is that these ransomware groups have been coming
for our businesses and municipalities and cities and towns for a long time. But all of a sudden,
they're hitting these industries that Americans are feeling for the first time. We have this very
potent, powerful image of gas running out and people not being able to get meat ahead of their
4th of July vacations. And so suddenly, you know, you're seeing this big freak out among government
agencies who have worried about ransomware for a long time. But suddenly the problem is really
catching up to them. Welcome back. We've got some breaking news. The Justice Department is elevating
ransomware
attacks to a similar priority level as terrorism following last month's Colonial Pipeline attack.
You had FBI Director Christopher Wray last week who said dealing with ransomware is like dealing
with the challenge of global terrorism after 9-11.
Wow.
I want to update everyone on the ransomware cyber attack that impacted on the Colonial...
You saw Biden get up to the podium and for the first time, an American president was speaking to the threat of ransomware.
And our Justice Department has launched a new task force dedicated to prosecuting ransomware hackers to the full extent of the law.
So suddenly you see this scramble to deal with something that's been a pretty constant problem for the last couple years. Okay, so what you've
been describing is a billion-dollar industry that most of us didn't even realize exists.
How did we get to this point?
So ransomware has been going on for a long time.
But when I first started covering this about 10 years ago, it looked very different.
This was something that was hitting people's individual computers in Europe.
People would log onto their computer and they would see a ransomware note, only it purported to come from Interpol or the FBI.
And it said, hey, we've locked up your computer.
We know you've been looking at some illegal sites.
Sometimes it's pornography.
And we need you to pay this fine.
And the fines were something like 100 to 200 euros in those days.
And at the time, cybersecurity experts warned me
that eventually this would come for the United States.
And when it did, it didn't look that different.
It was ransomware groups holding up individual PC users
and demanding $100 to $200 in fines.
But then something happened in 2017
that really brought ransomware to the next level.
And that was the year we started seeing nation states
use ransomware to bring entire companies and industries to their knees.
So just to back up, that year we had seen this group come out of nowhere.
We still don't know who they are, but someone started showing up on Twitter.
They called themselves the Shadow Brokers. This week, a group called Shadow Brokers released what purports to be top secret computer code that the NSA has reportedly used to break into foreign government systems.
And they claim to have hacked the NSA.
And over a period of several months between 2016 and 2017, they started dribbling out some of the NSA's best kept hacking tools.
These are tools that you use to break into an entire firewall for an entire computer network. This allows you to bypass all the defenses to simply walk in and be able to get into that network, more importantly, undetected.
And in 2017, we actually saw North Korea pick up one of the NSA's own tools
and use it in a global ransomware attack that
the industry called WannaCry. Cyber security experts are scrambling to recover from a massive
cyber attack that hit nearly every corner of the world. WannaCry has paralyzed computers and banks
and government agencies and factories in 150 countries since it was unleashed.
And really the lasting legacy of WannaCry was that it didn't just come for individual PC users.
It hit entire businesses and hospitals.
So I was all ready to go. And then at half past one, the surgeon turned up and
said, unfortunately, we've been hacked and there's nothing we can do.
We can't operate on you today.
It actually hit the British health system.
Our focus at the moment is making sure that we end the disruption
being caused by this particular attack.
And so we had these very powerful images of ambulances
that were getting turned away from hospitals in the UK
that had been held up with
this North Korean ransomware. And it was the first time that you could see that ransomware wasn't
just something that would hold up an individual's computer. It was something that could cripple an
entire hospital or entire industries. And it actually got worse. So one month after the North Korean attack, we saw Russia
pick up the same NSA tools and use them in their own attack, this time just at Ukraine.
It hit every major Ukrainian government agency. It hit their railways.
It hit their post offices.
It hit ATMs.
People couldn't get money out of ATMs.
And not only that, it actually ended up hitting any business that had any operation in Ukraine,
even a single employee working from Ukraine.
So it actually hit FedEx. FedEx suffered something
like $400 million in damages. It hit Merck. Merck actually had to tap into the CDC's emergency
supplies of the Gardasil vaccine that year. It hit Cadbury egg factories in Tasmania.
All told, it actually cost $10 billion in damages. It was, to this day,
the most destructive cyber attack that we've seen. But the legacy from that attack is that it really
opened up cyber criminals' eyes to just how vulnerable these American businesses, some of our most critical businesses, were to ransomware.
And that these were really ripe targets.
We'll be right back.
Nicole, what is it about American companies in particular that made them so vulnerable to these ransomware attacks?
Well, it's a host of things, but I think it really just comes down to incentive models for businesses.
You know, I'm based in Silicon Valley and the operating MO here among big tech companies and startups is still very much Mark Zuckerberg's move fast and break things. Get your software to market before the competition
and you will win and you can fix the bugs in your software
and security glitches later.
And at the same time,
we've all bought into the Silicon Valley promise
of a frictionless society.
We have just been baking this buggy software
into so many of our core
industries like gas, like meat, like our factory production, like hospitals. And we never stopped
to think that maybe we were creating the world's right best attack surface. And so these ransomware
groups realized that they could hold up entire businesses hostage and not just charge them $100 or $200,
but millions of dollars to get their data back.
And you start seeing businesses, even police departments,
be willing to pay these fines just to get their data back.
We are learning that Colonial Pipeline did pay a ransom,
and the hackers had demanded about $5 million in cryptocurrency from the company.
Well, just in the past hour, NBC News has confirmed reports that Colonial Pipeline did pay
nearly $5 million in ransom to those hackers.
Were you briefed on the fact that the company did pay the ransom?
I have no comment on that.
Is it legal to pay these groups?
I mean, isn't paying them essentially making the problem worse?
Yeah, so it's not illegal.
The FBI has come out and said,
we really advise you not to pay these ransoms.
But the reality on the ground is that
when a company gets held hostage with this
ransomware, oftentimes the cost of the ransom is still cheaper than the cost of rebuilding
their systems and data from scratch. So there was actually a ransomware attack in Baltimore
that was pretty bad a couple of years ago. And the hackers were demanding something like $75,000 in Bitcoin
to hand them their data back. Baltimore refused to pay. And ultimately, the cost to rebuild all
of those services that had been destroyed and held hostage in the ransomware attack was $18 million.
And so over and over again, you see businesses and their insurers really calculate that they should just go ahead and pay the ransom because the ransom demand is still so much cheaper than the cost to rebuild.
Wow, that's amazing.
$18 million versus $75,000.
Yeah, that's a lesson I would take from that.
Right.
And who's getting all of this money?
Who are carrying out these attacks, like the one against Baltimore and the one against the oil pipeline?
So these are just people looking to make money.
Usually these are people who were working out of offices, almost like startups.
And they're holding these businesses hostage for ransom.
But the more companies and victims that were willing to pay
their ransoms, the more money they were getting. And these became pretty sophisticated enterprises.
Some of them are making hundreds of millions of dollars just over the past year. Right now,
the FBI says it's tracking about 100 different ransomware groups. Some of those are based in
North Korea and Iran. They popped up in Turkey,
but the vast majority of them are in Eastern Europe. And we think most of them are actually
based in Russia. And why Russia? Well, Putin has actually given Russia's cyber criminals safe
harbor. He won't arrest them and he won't extradite them when we indict them here. And really,
we think Putin has only two rules for Russia's cybercriminals. The first is don't hack targets
inside the motherland. And we actually see that in the code. In a lot of these ransomware attacks,
the groups will go out of their way to search your computer for its default language setting.
And if you are a Russian language
speaker, it won't infect you. It'll move right along. The second rule we think Putin has is
when we ask you to do a favor, you do whatever we ask. And that allows Russia to basically tap
into these cyber criminals for some of its more sensitive operations so that should they get caught,
the government can always say, we had nothing to do with this. We had no idea. These are
cybercriminals. They operate on their own. And we've actually seen Putin come out and say
something to this effect. A few years ago, he said, listen, hackers are like artists. They just
get up in the morning and start painting. We have no say over what they do or don't do.
And that gives the government cover should it need to use these cyber criminals for some of these more sensitive operations.
So from the perspective of the United States, this seems like it creates a real national security threat.
You have ransomware attacks coming for the bedrock of our economy, and they could be coming from the Russian state
or from these groups of cyber criminals. What can we do about this? It's not an easy ask,
and it's pretty complicated. But at the international level, it really starts with Biden getting up on that podium and speaking to the threat of ransomware for the first time as an American president.
It's working with other allies to come up with cohesive policy around our response to ransomware attacks.
And then domestically, it's things like, should Treasury have a rule that makes it illegal for victims of ransomware attacks to pay these ransoms?
But the hardest thing we need to do is cyber hygiene. It's making ourselves less vulnerable.
It's all the things that we've been told we needed to do for a very long time,
creating different passwords for different websites,
turning on two-factor authentication, running your software updates and your security updates.
And that's where the focus really needs to go.
So a lot of it is really just on us, the boring, quiet, slow work of turning on two-step
authentication.
That's right.
You know, they have this saying that security is only as good as your weakest link.
And individuals and employees continue to be the weakest links.
And, you know, when you think about the Colonial Pipeline attack,
think of it as almost this massive attack on our country.
But what it came down to was an employee who had this old inactive account whose password had been stolen and they hadn't turned on two-factor authentication.
So as long as we're making it that easy for these ransomware groups, these ransomware attacks will continue.
And it doesn't matter what we're doing at the international level.
When it's so easy to just hack an American company using a stolen password, these attacks won't go away.
Nicole, thank you.
Thank you so much for having me.
The sophisticated use of technology to hold businesses and even whole cities hostage for profit is decidedly a 21st century challenge.
But the old adage, follow the money, still applies.
On Monday afternoon, the Department of Justice said that it had recovered much of the ransom
paid by Colonial Pipeline to end the ransomware attack staged by DarkSide.
During a news conference, federal officials said they had seized $2.3 million worth of Bitcoin held by DarkSide,
a little more than half of the ransom paid by Colonial.
Today, we turned the tables on DarkSide.
We'll be right back.
Here's what else you need to know today.
I want to be clear to folks in this region who are thinking about making that dangerous trek
to the United States-Mexico border.
Do not come.
Do not come.
During her first foreign trip as vice president, Kamala Harris traveled to Guatemala,
where she bluntly warned immigrants across Central America against illegally crossing
into the United States. The United States will continue to enforce our laws and secure our
border. There are legal methods by which migration can and should occur. The trip marks the beginning of a broader U.S. effort, led by Harris, to break the
cycle of poverty and migration in the region, and ultimately, to stop the flow of migrants to the U.S.
border.
Today's episode was produced by Robert Jimison, Daniel Guillemette, and Annie Brown.
It was edited by M.J. Davis Lin,
engineered by Chris Wood,
and contains original music by Dan Powell.
That's it for The Daily.
I'm Michael Barbaro.
See you tomorrow.