More Hacks, More Baseless Accusations Against Russia

12 May 2021 — Moon of Alabama

In January police in several countries took down the Emotet botnet, which at that time was the underlying platform for some 25% of all cybercrime.

Based on hearsay, Wikipedia and others had falsely attributed Emotet to Russian actors. The people actually behind it were Ukrainians:

The operating center of Emotet was found in the Ukraine. Today the Ukrainian national police took control of it during a raid (video). The police found dozens of computers, some hundred hard drives, about 50 kilogram of gold bars (current price ~$60,000/kg) and large amounts of money in multiple currencies.


Emotet had nothing to do with Russia.

Now the U.S. is accusing Russia of somehow having a part in another cybercrime:

President Joe Biden said Monday that a Russia-based group was behind the ransomware attack that forced the shutdown of the largest oil pipeline in the eastern United States.

The FBI identified the group behind the hack of Colonial Pipeline as DarkSide, a shadowy operation that surfaced last year and attempts to lock up corporate computer systems and force companies to pay to unfreeze them.

“So far there is no evidence … from our intelligence people that Russia is involved, although there is evidence that actors, ransomware is in Russia,” Biden told reporters.

“They have some responsibility to deal with this,” he said.

Three days after being forced to halt operations, Colonial said Monday it was moving toward a partial reopening of its 5,500 miles (8,850 kilometers) of pipeline — the largest fuel network between Texas and New York.

Biden, however, is badly informed. There is no evidence that DarkSide has anything to do with Russia. It is, like Emotet, a commercial ‘ransomware-as-a-service’ criminal entity that wants to make money and does not care about geopolitics.

Yes, a version of the DarkSide software does refuse to run on systems with specific language settings:

The DarkSide malware is even built to conduct language checks on targets and to shut down if it detects Russian, Ukrainian, Belarusian, Armenian, Georgian, Kazakh, Turkmen, Romanian, and other languages …

That is a rather long list of east European languages, and Russian is only one of them. Why the authors of DarkSide do not want their software to run on machines with those language settings is unknown. But why would a Russian actor protect machines with Ukrainian or Romanian language settings? Both countries are hostile towards Russia. To claim that this somehow points to Russian actors is therefore baseless.
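For readers who want to see what such a language check actually amounts to, here is an added illustration. It is not code from the original post and not DarkSide's own code; the exact list and the order of checks in the real sample are not given on the page. The list below is reconstructed from the languages named in the quoted report using the standard Windows primary language identifiers (LANG_* constants from winnt.h). Two details are assumptions, not facts taken from the page: that the comparison is done on the primary language part of a Windows LANGID (so that, for example, Romanian as used in Moldova matches the Romanian entry), and that installed keyboard layouts are inspected alongside the user and system UI language, as several ransomware families are known to do.

```python
# Added example: a model of a "system language" kill switch of the kind the
# quoted report describes. Not DarkSide's code; list and checks are assumptions
# reconstructed from the languages named on the page.

# Windows LANGID layout: bits 0-9 hold the primary language, bits 10-15 the
# sublanguage (region). Assumption: the check compares only the primary part.
PRIMARY_LANG_MASK = 0x03FF

# Standard Windows primary language identifiers (LANG_* in winnt.h).
LANG_ROMANIAN = 0x18
LANG_RUSSIAN = 0x19
LANG_UKRAINIAN = 0x22
LANG_BELARUSIAN = 0x23
LANG_ARMENIAN = 0x2B
LANG_GEORGIAN = 0x37
LANG_KAZAKH = 0x3F
LANG_TURKMEN = 0x42

# Assumed exclusion list, built only from the languages the report names.
EXCLUDED_PRIMARY_LANGS = frozenset({
    LANG_ROMANIAN, LANG_RUSSIAN, LANG_UKRAINIAN, LANG_BELARUSIAN,
    LANG_ARMENIAN, LANG_GEORGIAN, LANG_KAZAKH, LANG_TURKMEN,
})


def primary_lang(langid: int) -> int:
    """Strip the sublanguage bits: 0x0819 (ru-MD) and 0x0419 (ru-RU) -> 0x19."""
    return langid & PRIMARY_LANG_MASK


def is_excluded_host(ui_langid: int, system_langid: int,
                     keyboard_langids: tuple = ()) -> bool:
    """True if any language setting on the host is on the exclusion list.

    ui_langid / system_langid model GetUserDefaultUILanguage and
    GetSystemDefaultUILanguage; keyboard_langids models the installed input
    locales (the keyboard check is an assumption, see lead-in).
    """
    candidates = (ui_langid, system_langid, *keyboard_langids)
    return any(primary_lang(lid) in EXCLUDED_PRIMARY_LANGS for lid in candidates)


def should_run(ui_langid: int, system_langid: int,
               keyboard_langids: tuple = ()) -> bool:
    """The malware's decision: proceed unless the host looks 'protected'."""
    return not is_excluded_host(ui_langid, system_langid, keyboard_langids)


def explain(ui_langid: int, system_langid: int,
            keyboard_langids: tuple = ()) -> str:
    """Human-readable verdict, handy for walking through a few constructed hosts."""
    verdict = "RUN" if should_run(ui_langid, system_langid, keyboard_langids) else "ABORT"
    return (f"ui=0x{ui_langid:04X} sys=0x{system_langid:04X} "
            f"kbd={[f'0x{k:04X}' for k in keyboard_langids]} -> {verdict}")


if __name__ == "__main__":
    # Constructed hosts (LANGIDs are the standard Windows values).
    print(explain(0x0409, 0x0409))                    # en-US only
    print(explain(0x0419, 0x0409))                    # ru-RU user UI language
    print(explain(0x0422, 0x0422))                    # uk-UA, excluded like ru-RU
    print(explain(0x0818, 0x0409))                    # ro-MD, matches Romanian
    print(explain(0x0409, 0x0409, (0x0409, 0x0419)))  # en-US with a ru layout added
```

Two things the model makes visible. First, the check treats Ukrainian, Romanian and Russian identically, which is the point made above: nothing in it singles out Russia. Second, because it keys on such a cheap signal, it is equally cheap to trip deliberately; any one matching setting, including an extra keyboard layout, is enough to make the sample abort.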

Russia strongly rejected Biden’s accusation:

The Kremlin has once again pointed out the importance of cooperation between Moscow and Washington in tackling cyberthreats amid a cyber-attack on Colonial Pipeline, a US company. “Russia has nothing to do with these hacker attacks, nor with the previous hacker attacks,” Kremlin Spokesman Dmitry Peskov assured reporters on Tuesday.

“We categorically reject any accusation against us, and we can only regret that the US is refusing to cooperate with us in any way to counter cyber-threats. We believe that such cooperation – both international and bilateral – could indeed contribute to the common struggle against this scourge [known as] cyber-crime,” Peskov said.

The U.S. seems notoriously bad at attributing computer hacks. It claims that the recent SolarWinds attack, which intruded into several government branches, was also done by Russia. But that attack required deep insider knowledge of, and access to, SolarWinds’ computers and processes:

The recently discovered deep intrusion into U.S. companies and government networks used a manipulated version of the SolarWinds Orion network management software. The Washington borg immediately attributed the hack to Russia. Then President Trump attributed it to China. But none of those claims were backed up by facts or known evidence.

The hack was extremely complex, well managed and resourced, and likely required insider knowledge. To this IT professional it ‘felt’ neither Russian nor Chinese. It is far more likely, as Whitney Webb finds, that Israel was behind it.

Indeed – the programmers of an Israeli company, recently bought up by SolarWinds, had all the necessary access for such a hack. However the U.S. sanctioned Russia over the SolarWinds hack without providing any evidence of its involvement.

If the U.S. continues to blame Russia without any evidence for each and every hack there may come a time when Russia stops caring and really starts to hack into or destroy important U.S. systems. The U.S. should fear that day.
