Hackers tattle to SEC: is this a good thing for cyberdefenders?


Last month, the ALPHV/BlackCat ransomware gang filed a U.S. Securities and Exchange Commission (SEC) complaint against MeridianLink for not disclosing the attack within the mandated four-day window.

Per BleepingComputer:

The ALPHV/BlackCat ransomware operation has taken extortion to a new level by filing a U.S. Securities and Exchange Commission complaint against one of their alleged victims for not complying with the four-day rule to disclose a cyberattack.

Earlier today, the threat actor listed the software company MeridianLink on their data leak with a threat that they would leak allegedly stolen data unless a ransom is paid in 24 hours.

This may have broken the world record for sheer audacity by a crime gang, and while ransomware is never funny, the stunt doubtless has a lot of people snickering. But probably not cybersecurity professionals charged with defending infrastructure and data for American enterprises. Or their boards and C-suites. For some of these folks, the game just got a lot uglier.

But for the cybersecurity community at large, this may actually be a positive development.

The bad guys cooperate, but the good guys don‘t

Hacker gangs, who have evidently figured out that they’re all on the same team, are known for their exceptional levels of cooperation.

Sherri Ramsay, a former director of the U.S. National Security Agency (NSA), notes the cooperation between attackers.

The attackers meet in the dark corners of the internet to share exploits, vulnerabilities, exploitation infrastructure, and whatever other information might be helpful to those looking to attack our networks for nefarious purposes.

The harsh reality is that there is extensive collaboration among the cyber bad guys; there are few lone wolves. This extends across the entire spectrum of bad actors—nation-states, criminals, hacktivists, and terrorists. Even a single hacker is not really alone.

But why do they collaborate? Simple: it saves time and money. According to Etay Moor, Senior Strategist at IBM, “Information sharing is a given on the dark side of the net.” That’s a big reason the average cost of conducting an attack is decreasing and attacks are spreading across networks at a faster pace, year after year.

They learn sophisticated tricks from legitimate businesses, too. For example, Booz Allen reports that:

Cybercriminals have discussed in open forums proposals to create a venture capital organization or stock market where interested parties can finance the development of malware tools and frameworks without ever writing a line of code.

This is a big enough problem on its own, but the bigger issue is that cyberdefenders don’t cooperate. If the bad guys collaborate, asks Ramsay, why don’t we?

The reasons are obvious enough to anyone who understands American business culture. Companies often fear news of a breach will damage stock prices, cause customers to abandon them, and damage the brand. As a result, they may decide they’re better off keeping it quiet, even when the cost (say, in the case of a ransomware attack) is extremely high.

How often does this happen? A lot. The U.S. Department of Justice (DOJ) estimates that 85% of cybercrime goes unreported.

If this information were widely shared, though, other enterprises could inoculate themselves against the tactics, techniques, and procedures (TTPs) employed. As it is, the same TTPs might work countless times.

The reporting mandate

Enter the SEC, which adopted new incident reporting requirements in July. The rules require disclosure of

…cybersecurity incidents that are determined to be material by the company. This requirement is similar to the materiality standard for other 8-K disclosures under U.S. securities laws. Issuers must disclose the material impact of the incident on the company’s financial condition and its operations. Disclosures must be filed within four business days after a company determines that it has experienced a material cyber-incident. [Read more…]

The new rules don’t become official until December 15, but that didn’t seem to bother ALPHV/BlackCat.

So why is this news good for cyberdefenders?

It’s still too early to know for sure, but ALPHV/BlackCat’s brazen gambit may well help convince other attack victims that keeping things a secret won’t necessarily keep them a secret. If failing to report a breach not only risks federal noncompliance, but also serves no purpose re: public exposure, there’s much less incentive to take the chance of nondisclosure.

The attackers may have won the battle in this instance, but in doing so they’ve perhaps provided businesses with a strong motive for sharing the sort of information that will boost the shared security mission.

We’re huge fans of transparency and anything else that complicates life for cyberattackers, so this is certainly the way we’re rooting.