Cybersecurity experts break down a cyberattack as they become increasing threat

ABC News

(WASHINGTON) -- The U.S. government and American businesses have found themselves on the defensive lately as cyberattacks have threatened critical infrastructure, the food supply chain and people's personal data.

In hopes of preempting an attack, some businesses have hired groups, known as red teams, to hack into their systems like would-be terrorists and expose cybersecurity weaknesses. Brian Halbach and Jonathan Studebaker, two of these hackers, spoke to "Nightline" while "targeting" two different companies in two nights.

"The bad guys, they're getting more sophisticated," Halbach, a security consultant at RedTeam Security, said. "They're coming up with new ways, new tricks of their trade. ... So, businesses also have to react fast and they have to think fast."

After a ransomware attack against the Metropolitan Police Department in Washington, D.C., last month, Homeland Security Secretary Alejandro Mayorkas warned that cyberattacks, particularly ransomware attacks, had increased 300% in the past year. He said these cyberterrorists have targeted everything from government agencies to small businesses, and that $350 million in ransom had been paid for these attacks in 2020.

"We're not talking about people with a conscience," Mayorkas told ABC News' Pierre Thomas. "We're talking about criminals who want to make money illegally."

Watch the full story on "Nightline" TONIGHT at 12:35 a.m. ET on ABC.

Just this week, the Department of Justice announced that it had seized millions of dollars in Bitcoin that the Colonial Pipeline had paid as a ransom to the cybercriminal group DarkSide after last month's ransomware attack forced the company to temporarily shut down operations.

"DarkSide is a ransomware group that is believed to be based largely in Russia. ... They develop malicious code that can then be used to deploy within a network and encrypt all the data, and then supply all of the infrastructure to facilitate ransom payments, negotiation with victims, and then they basically franchise it out to lots of different affiliates," said Dmitri Alperovitch, co-founder of cybersecurity company CrowdStrike.

Colonial transports approximately 45% of all fuel consumed on the East Coast. Every day, 100 million gallons of fuel move through the pipeline between Houston and New York City. Panic-buying led Americans to rush to fill their tanks with gas as it became more expensive.

Javed Ali, a former senior director of counterterrorism for the National Security Council, said there was a "sort of anxiety of not knowing when gas supplies would come back in a neighborhood or a city."

"So, these are all really tough, not only business decisions, but decisions that have cascading effects throughout the country," said Ali, who is now the Townsley Foundation policymaker in residence at the University of Michigan Ford School of Public Policy.

The FBI exposed the group behind the attack as DarkSide two days after the attack had occurred. Three days later, Colonial announced that it had resumed operations. It wasn't long before the company also confirmed that it had paid the $4.4 million ransom in Bitcoin -- a decision that company CEO Joseph Blount made begrudgingly.

"I made the decision to pay and I made the decision to keep the information about the payment as confidential as possible. It was the hardest decision I've made in my 39 years in the energy industry," Blount told the Senate Homeland Security Committee on Tuesday.

"There are two types of companies out there: Those that know that they've been attacked and those that don't yet know that they've been hacked, and that's been the reality of the last 10 years," said Alperovitch. "That continues to scale up as we're seeing the attacks become more and more disruptive and destructive."

In his interview with ABC News, Mayorkas said that fortifying cybersecurity across the country is "not really a choice."

"It's an imperative because the vulnerability that one has, it creates a threat not only for oneself but for many others with whom one is connected," he said. "We always say in the cybersecurity realm, we're only as strong as our weakest link, because everything is connected. The vulnerability of one can become the vulnerability of many."

As more companies work to build their defenses against hackers, Halbach said red teams like his are up against hackers who are at the "top of the top" level of expertise.

"We [are] kind of at the point where if they want to get in, they are going to get in, and they are very persistent," he said. "Essentially, they can just keep attacking and attacking and attacking, and if it doesn't work one day, they can spend three weeks doing these advanced attacks until they get in. Eventually, they will find that weakness in the armor and get in."

Their work also focuses on companies' physical security by trying to prevent bad actors from stealing devices where they're located.

"I think that oftentimes we put a lot of faith in preventing people from getting in digitally, so we'll have a firewall and we'll have antivirus and we've got all these security controls in place for the digital world," said Studebaker, who also previously worked for RedTeam Security. "But in the office itself, they are usually a little bit more lax because you are going in there to work. It is a safe environment. You are there with coworkers and you think the bad guys are out -- that they are not going to come in."

"But there is that potential that if they do have physical access, because your guard is down, because it's this nice safe space, that in some ways actually makes it more vulnerable," he continued. "They could steal things like hard drives or plug into the network and get access to the entire network."

What it's like hacking into a system

Halbach and Studebaker brought "Nightline" along as they tested two companies' defenses against potential hackers. The first company, Intereum Inc., is a commercial furniture supplier in Plymouth, Minnesota. With no external networks to hack, the team looked to break into the building, trudging through thick woods in the dark of the night to find a blind spot in the company's security cameras.

Although they were able to break in, they were soon caught by the security cameras inside the building. Still, with their mission to expose all of the weaknesses, they continued on toward the server room, where Halbach looked to gain access to the company's servers.

"I'm connecting to their internal switch here. I'm gonna see if I can connect to an IP address to see if it lets me connect to an internal network, and poke around from there -- see what we can do on the network," Halbach said while executing the task.

The team also carried USB drives loaded with ransomware viruses, which they planned to use on unlocked computers. When they found one that granted the USB access, Studebaker took a picture to document the potential network access.

"This is a Trojan horse that we just detonated here," Studebaker said at the time. "What it did is it called out to our server and now we have remote command and control over their network."

The red team's second target was a digital security company that's also in Minnesota. In the middle of the night, the team used a device called a "pineapple" to attempt to deactivate Wi-Fi-enabled cameras outside the building.

They also used a specialized tool they'd developed called a Pwnagotchi, modeled after the Tamagotchi toy. The device allows them to knock Wi-Fi-enabled devices off of their networks. When they attempt to reconnect, the Pwnagotchi steals their password data.

Unable to break into the company's network from outside the building, the team subsequently worked their way inside, setting off alarms and capturing the attention of security cameras and motion detectors. Still, they carried on into the server room, and within 10 minutes, they had implanted a device known as a "raspberry pi."

"The whole point of those raspberry pis ... we would get another one of our red team members -- someone in another place or ourselves the next day -- we can remote back in and just start taking over everything," Halbach said. "As much as we want, we can't steal all of their IP in a single night. We would need multiple days to exfil[trate] gigabytes, terabytes of data, out of the network."

Over the course of about three hours, the team had not only implanted the raspberry pi, but also extracted usernames and passwords from people who worked there. The engagement was scheduled to last until 3 a.m., during which time, police and fire authorities were advised not to respond to alarms. After that time, the building's true alarm system reengaged, forcing the team to make a speedy exit.

After two nights of what some might consider cyber war games, both the red team and the companies that hired them walked away more aware and better prepared for hackers with malicious intentions. It's all meant to reinforce the blind spots in the defenses that they've already implemented, according to Halbach.

"A lot of times, they don't know what they don't know," Halbach said about companies in general.

Studebaker added: "I think the fact that they come to us as a client at all is an indicator that they want to be proactive -- that they want to be ahead of this. They don't want to be the next headline."

ABC News' Anthony Rivas, Ozren Milharcic, Jack Date, Kevin Rochford, Luke Barr and Alex Mallin contributed to this report.

Wednesday, June 9, 2021 at 8:05PM by John Kapetaneas, Pierre Thomas, Neil Giardino, and Laura Coburn, ABC News Permalink