In Episode 10 of Know Your Adversary™, ICE Miller Managing Partner Guillermo Christensen discusses the difference between the 2012 Saudi Aramco destructive cyber attacks and the 2021 Colonial Pipeline ransomware attacks.

In 2012, Iran attacked Saudi Arabia-based Aramco’s information technology (IT) infrastructure, denying service to the entire company to the point that Aramco gave gas away for free. Fast forward to 2021, a Russia-based ransomware gang Darkside attacked the IT infrastructure of Colonial Pipeline, particularly the billing system. When Colonial Pipeline couldn’t determine how to charge customers, instead of giving gas away for free, they shut down the pipelines thus denying gas to most of the United States easter seaboard. 

Primary Takeaways:

1. Ransomware gangs based out of Russia have organizational structures like most enterprises: sellers, access data brokers, operators, malware developers, and ransom negotiators. 
2. Small and medium sized enterprises have little chance to defend against these gangs without the help of experts, typically in the form of managed service offerings such as detection, response, and intelligence. 
3. Attribution to the actors and organizations is not as challenging as many make it out to be with the right coverage inside and outside the firewalls. Actors make mistakes not segmenting their infrastructure between attack stages and reusing emails and passwords to build their infrastructure, often on third party services. 
4. Enterprises need to consider national security related legal and consulting services that deal with nation state actors.