DoJ announces that it has found and recaptured the majority of the ransom that Colonial Pipeline paid.
They seized the money from a bitcoin wallet.
"We identified a virtual currency wallet that the Darkside actors used to collect payment.... Victim funds were seized from that wallet preventing Darkside actors from using it."
The criminals still made off with a little more than $2 million.
From the FBI affidavit in the Colonial Pipeline ransomware seizure: "Systems that played a role in Victim X's business were also affected, which led Victim X to take portions of its critical infrastructure out of operation." storage.courtlistener.com/recap/gov.usco…
From the affidavit: "The private key for the Subject Address is in possession of the FBI in the Northern District of California"

More from @KimZetter

3 Jun
Adding to previous reports that DoJ had seized phone records of WaPo reporters, the NYT now says DoJ also secretly seized phone records of four NYT reporters spanning Jan 14-Apr 30, 2017: Matt Apuzzo, Adam Goldman, Eric Lichtblau and Michael S. Schmidt. nytimes.com/2021/06/02/us/…
In addition to phone records, DoJ also secured a court order to seize logs — but not contents — of the reporters' emails, but “no records” were actually obtained using the order. The Biden admin has since avowed that it will not seize journo records for leak investigations.
DoJ didn't say which article was being investigated but the NYT says it appears to be related to classified info reported in an April 22, 2017 article the reporters wrote about how James Comey "handled politically charged investigations during the 2016 presidential election."
25 May
This has gotten a lot of attention in last months and people have tried to bring me into the argument because my book states that Stuxnet used 5 zero-days (one patched before Stuxnet launched so only 4 at time of launch). Liam, Eric and I disagree on what constitutes a 0-day.
They say a hard-coded password that Siemens placed in its system was a 0-day because Stuxnet exploited it. I use the conventional definition of a 0-day as something the vendor doesn't know about and has therefore had 0-days to patch it....
The hardcoded password was intentionally placed there by Siemens, and even after Stuxnet was discovered exploiting it, Siemens warned customers not to change the password or the system wouldn't work. That's not a 0-day to me. Eric, Liam and I laugh about it and agree to disagree.
14 May
"Elliptic has identified the Bitcoin wallet used by the DarkSide... this wallet received the 75 BTC payment made by Colonial Pipeline on May 8, following the crippling cyberattack on its operations." So CP paid ransom on Saturday (depending on which timezone this uses)
The wallet has been active since 4th March 2021 and received 57 payments from 21 different wallets. Some of the payments directly match ransoms known to have been paid to DarkSide by victims, such as 78.29 BTC ($4.4 million) sent by chemical distribution company Brenntag on May 11.
"It has been reported within the past hours that DarkSide itself has ceased operations and has had its funds seized - and indeed their wallet was emptied of the $5 million in Bitcoin it contained on Thursday afternoon."
13 May
Colonial Pipeline paid $5 million ransom to Darkside hackers within hours after attack last week. Once paid, the hackers provided a decrypting tool to restore the company's disabled network. Tool was very slow to work though. bloomberg.com/news/articles/…
Story says Colonial restored network from backups not decrypted systems, because decryption tool was too slow. Note tho, expert I spoke to yesterday says they never restore from ransomed machines because untrustworthy; they always use backup when available zetter.substack.com/p/anatomy-of-o…
Some might ask why, if Colonial paid Friday, it took so long to get pipeline running. As noted in story👇 restoration from backups can take 1-2 months. Expert told me companies often don't have plan for restoring backups, and takes time to coordinate. zetter.substack.com/p/anatomy-of-o…
10 May
How a little-known cybersecurity consulting firm is leading one of the most significant events related to the 2020 presidential election. Why significant? Because what happens in Maricopa won't stay in Maricopa. zetter.substack.com/p/what-happens…
"Logan used to work for Digital Software in its Bloomington, Indiana office and founded Cyber Ninjas there in 2013 before moving to Sarasota the following year ... He has eleven children and describes Cyber Ninjas as a Christian firm."
“As a Christian company, we also believe we have a responsibility to serve, as Christ served,” reads a company press release. “Helping the USCC is a great way to be a blessing to others, while helping combat evil hackers.”
10 May
Biden declares state of emergency over pipelines - the move allows oil suppliers to transport their fuel via roadways while Colonial pipelines are down. I spoke w/ someone who works for oil company about what Colonial has told them and what they're doing zetter.substack.com/p/biden-declar…
Source tells me Colonial said pipelines would “not be fixed in 1-2 days, but won’t take 6 weeks.” He’s not sure why Colonial gave such wide timeframe but said it’s “very concerning for our interests.” They're scrambling to find more storage and may have to reduce refinery output.
Source also tells me one reason Colonial might have taken operational network down - aside from being cautious - is because they may not be able to invoice customers who receive fuel if their IT network is locked with ransomware, preventing them from being paid for fuel.