The blind men and the Elephant

I accept that I have some odd hobbies - one of which recently was reading through the released chat logs from ransomware gangs’ chat servers¹. They include insight into how and why payments are made, the negotiations and with it the techniques used by both attacker and victim to get the ransom demand to an “acceptable level”. But for all the hard talk, one thing became apparent:

“Hackers” are just normal people with unusual jobs.

They probably had an argument that morning with their girlfriend. Maybe they’re worried that their dog is unwell. Did they remember to put the bins out? Were they upset with Season 8 of Game of Thrones along with everyone else? One example that struck me was when a victim of ransomware mentioned they had COVID, there was genuine concern from the negotiator - “How are you feeling ? Is oxygen saturation in the blood normal?”.

We often think of a hacker as some form of elite superhuman. A technical genius. All-seeing. All-knowing. But we know they’re not - they make assumptions, and they make mistakes. In the negotiation chat logs, I saw numerous examples of errors by the attackers, such as:

• Targeting companies that should never have been hit in the first place because they are located in a CIS country, prohibited “by policy”, and suddenly offering to decrypt for free.²

• Even hitting one organisation that had long since been liquidated, so any ransomware negotiation was rather pointless.

Maybe its a recognition of the speed, breadth and scale that they’re operating at, that it’s inevitable that human error will start to creep in. This is not a criticism, its a simple fact. Even without the workload pressures they might be facing, there are plenty of opportunities for errors to appear.

Fog of war

I grew up playing strategy games, whether that be Real-Time Strategy games, such as Age of Empires or Command and Conquer; or Turn-based Strategy games, such as the Civilisation series. A common feature of those games was something called the “Fog of War” - a concept where unexplored areas of the gaming map are hidden, or at least “fogged over” if you don’t have an active playing unit in the area.

Fog of War from Civilization - screenshot from here

Fog of war isn’t a modern concept invented for gaming - just take a look at any world map pre-1492. Unexplored land or territories simply didn’t exist - the world only extended to what had previously been observed. Pre-1492, west of the Atlantic (depending on your scientific, political or religious persuasion) was either nothing; some form of wall or plummeting abyss; or a circular route back to the other side of the map.

The World Map as of 1492, by Henricus Martellus Germanus (source)

This is the same fundamental sensation felt by a cyber intruder to your network. They don’t know the internals of your network, their knowledge comes only through exploration. I’ve witnessed this across countless intrusions: their first device is simply a bridgehead, from there they are scanning, probing and exploring any neighbouring devices. Hopping from the bridgehead to the next internal device, and then it’s rinse and repeat, continuing to island hop and explore as they go.

As the network grows in complexity, with the added factor of segmentation and internal firewalls, its perfectly conceivable that an attacker could even miss an entire network segment, or be forced to forgo their exploration in one area or another due to higher levels of security.

“Hic sont dracones” (Translation: Here be Dragons), from early maps suggesting that beyond the known map edges led to danger. (Source)

Touch nothing but the lamp

For some defenders, getting attackers lost or simply stuck in one part of the network is a part of their defence strategy. Techniques such as honeypots or tarpits, are deliberately designed to trick an attacker.

Consider the story of the Aladdin. Our eponymous hero is tasked with entering the “Cave of Wonders”, filled to the brim with gold and treasures. But their only purpose is to distract our hero, preventing him from reaching the true treasure, the Genie’s lamp. And if he (or rather his pet monkey, Abu) does touch the gold, then the whole cave will come crashing down around them.

“Touch nothing but the lamp” - from Disney’s Aladdin

When a cyber intruder stumbles across some apparent treasure, how much further time do they feel they need to spend looking for possibly even more valuable data, or do time pressures force them to settle with what they’ve got? Maybe when they find something that looks and feels valuable, they get all excited and ignore any prospect of even more gold elsewhere.

Ultimately, for a cyber intruder, it is their internal reconnaissance that will them to understand where they are and what they have access to. As a result, an attackers view of their victim will only stretch as far as the devices and data they discover, potentially skewing their perception of the importance of what they have uncovered, potentially missing out on troves of much higher value data. It will always be an incomplete picture - the question is what assumptions do they make.

The Blind Men and the Elephant

There is some similarity here to the parable of the Blind men and the Elephant:

The Blind Men and the Elephant (original cartoon by G. Renee Guzlas)

In the parable, 6 blind men come across an unknown object. Each reaches out and touches the object, reporting back what they feel. Each described it differently, based on their experience and “…Though each was partly in the right, And all were in the wrong!”³.

Op CRONOS

Last week saw the public disclosure of Op CRONOS, a Law Enforcement led disruption operation against the LockBit ransomware network. Like many commentators, the multi-faceted approach that resulted in the collection of intelligence on some of the individuals behind the organisation, access to decryption keys, as well as the technical disruption of their operational infrastructure, seemed to be the most “complete” disruption operation seen for some time. And whilst I initially found some of the trolling by Law Enforcement of LockBit (such as the mimicking of their Name-and-Shame site for their own announcements) amusing, I started to worry whether there would be any proverbial egg on face at some point.

One indication that that might be the case, was when the much awaited announcement from Law Enforcement on the identity of LockbitSupp (the leader/administrator at the core of LockBit), was little more than a renewed plea for information. And then over the weekend, LockbitSupp released their own statement⁴, dismissing or at least downplaying many of the claims made by Law Enforcement.

“...All other servers with backup blogs that did not have PHP installed are unaffected and will continue […] they claim 1000 decryptors, although there were almost 20000 decryptors on the server [...] they found out the generated nicknames of the partners, which have nothing to do with their real nicknames on forums and even nicknames in messengers […] A couple of my partners were arrested, [...] they are probably just people who are laundering cryptocurrencies [...] that's why they were arrested and considered my partners, it would be interesting to see the video of the arrest, where at their homes, Lamborghinis and laptops with evidence of their involvement in our activities, but I somehow think we will not see it...”

In the case of Op CRONOS, the cyber intruders were now Law Enforcement⁵. Had Law Enforcement experienced their own parable of the Blind men and the Elephant? Had they got distracted by the LockBit version of the “Cave of Wonders”, or simply missed a goldmine of data due to the cyber equivalent of the Fog of War? The statement from LockbitSupp suggests they might have. Of course, this could just all be bluster on behalf of LockBit, who will be racing to get operations up and running and to repair the damage to their reputation for the purposes of building back out their affiliate network.

What’s interesting is that being taken down by Law Enforcement is now almost a badge of honour and proof to potential affiliates that they’re clearly a profitable endeavour given the level of effort organisations like the NCA and FBI are willing to invest.

“...New affiliates can work in my affiliate program if they have a reputation on the forums, can prove that they are pentesters with post-payment, or by making a deposit of 2 bitcoins, the deposit increase is due to proof and beautiful advertising from the FBI, which is that my affiliates and I earn together hundreds of millions of dollars…”

To be clear, I am still very much impressed with the actions taken under Op CRONOS, something that feels a real leap forward for disruption operations as seen before. But I think I’m forced to remind myself, that much like the first few hours of a breaking Cyber Incident, it’s worth waiting for the dust to settle before making an assessment on the impact to the business.

1

An easy way to access some is via this service: https://ransomch.at/, derived from raw data available here: https://github.com/Casualtek/Ransomchats

2

In these cases, the ransomware operators genuinely seemed worried about the trouble they’d find themselves in with the local police - something you don’t see when they target anyone else!

3

From John Saxe’s Poem, “The Blind Men and the Elephant”

4

A copy hosted by Security Researchers at VX-Underground

5

Or, probably more likely, their sub-contractors PRODAFT: https://resources.prodaft.com/opcronos