Cybereason CEO told the world about DarkSide's hacking techniques from a bomb shelter in Israel
In early May, Cybereason CEO Lior Div took his first trip back to Israel since before the pandemic to visit his 300 employees based there. It’s a journey he used to make every few months from Boston, where his company is headquartered.
The visit was much more eventful than he’d anticipated. A few days into Div’s stay came the news that the operator of the largest U.S. pipeline had been paralyzed by a cyberattack that knocked out a 5,500-mile fuel network.
Any big corporate hack catches Div’s interest because his start-up’s business is to keep out the bad guys. The Colonial Pipeline attack was of particular concern because the group responsible, an outfit called DarkSide, had tried to infiltrate one of Cybereason’s clients nine months earlier.
In tracing DarkSide’s roots, Cybereason researchers were so jarred by what they had learned that the company published a blog post at the beginning of April laying out some of its findings. It described DarkSide as a team of extortionists who steal private data and threaten to make it public unless the victim pays a large sum of money — typically between $200,000 and $2 million.
They’re called ransomware attacks, and Cybereason had learned that DarkSide was not only a big perpetrator of such cybercrimes, but was also selling a product described as Ransomware as a Service that allowed other groups to use its homegrown tools and similarly wreak havoc for money.
When the FBI determined that DarkSide was behind the Colonial Pipeline breach, Div took it upon himself to get word out about the group, how it operates and what companies should be doing to protect themselves. He went to the press, speaking with CNBC, CNN, Reuters, Bloomberg and other outlets.
During one of those interviews, the emergency alarms in Tel Aviv started blaring, a signal for everyone in the vicinity to find the nearest bomb shelter. Cybereason’s office has four on every floor.
The alarms were sounding because Israel and Hamas-backed Palestinian militants were at the beginning of a bloody 11-day battle. Residents in and around Tel Aviv were facing inbound rockets, while Israeli forces were raining airstrikes on the Gaza Strip.
“I continued the interview but went to the bomb shelter,” said Div, who previously served as a commander in the Israel Defense Forces’ Unit 8200, which deals with military cybersecurity. “For somebody who grew up in Israel, it’s kind of switching to automatic response.”
Israel and Hamas agreed to a temporary cease-fire last week. The death toll from airstrikes in Gaza topped 240, while at least 12 people were killed in Israel.
Massive growth in cybercrime
Div started Cybereason in Israel in 2012, before moving the company to Boston two years later. It’s now one of the fastest-growing players in the burgeoning market of endpoint protection, which involves securing large corporate and government networks and their many devices from the advanced hacking tools and techniques that are proliferating across the globe.
Cybereason hit about $120 million in annual recurring revenue at the end of last year, roughly doubling in size from the prior year, Div said. While Div and his management team are in Boston, Cybereason’s 800 employees are spread across Israel, Japan, Europe and the U.S. In 2019, the company raised $200 million from SoftBank at a valuation of around $1 billion.
Cybereason faces a wide swath of competitors, ranging from tech conglomerates Microsoft, Cisco and VMware to cybersecurity vendors CrowdStrike and SentinelOne (ranked No. 4 on this year’s Disruptor 50 list).
Div says Cybereason’s special sauce, and what allowed it to recognize and stop DarkSide before a successful attack, is a web of sensors across the world that automatically identify anything suspicious or unfamiliar that hits a network. If a line of unrecognized code lands on a server that’s being protected by Cybereason, the incident is flagged and the company’s technology and analysts get to work.
“We’re proactively hunting,” Div said. “We’re not just waiting for our software to block things. We’re sifting through information that we’re collecting at all times to look for new clues.”
In August, when its software detected DarkSide, the company reverse-engineered the code and followed the group’s virtual footsteps. It found that the relatively young organization was apparently seeking “targets in English-speaking countries, and appears to avoid targets in countries associated with former Soviet Bloc nations,” the company wrote in the April blog post.
Div said Cybereason found 10 attempts by DarkSide to attack its client base — eight in the U.S. and two in Europe.
Increasing cost of hacking
In the absence of technology to shield against DarkSide, Colonial Pipeline was forced into a ransom of $4.4 million. According to research firm Cybersecurity Ventures, ransomware damages will reach $20 billion this year, up more than 100% from 2018 and 57 times higher than in 2015.
More important than the money, the pipeline incident exposed a severe vulnerability in the country’s critical infrastructure, which is increasingly connected to the internet and protected by a loose patchwork of disparate technologies.
The shutdown also caused a disruption in nearly half of the nation’s East Coast fuel supply. Gas prices surged to a seven-year high as consumers panicked during the outage and waited hours in line to fill up.
The attack was costly and scary, but Div said the size and scale were nothing compared to what the U.S. saw last year in the SolarWinds intrusion, which hit an estimated nine government agencies and 100 private companies.
As many as 18,000 SolarWinds Orion customers downloaded a software update that contained a backdoor, which the hackers used to gain access to the networks. The hack came to light in December, when cybersecurity software vendor FireEye disclosed that it believed a state-sponsored actor penetrated its network primarily to get information on government customers.
U.S. authorities pinned the hack on Russia.
“The DarkSide sophistication was not anywhere near what SolarWinds did,” Div said. “It’s the difference between a nation-state and non-nation state.”
Div said that SolarWinds attackers scanned networks to determine if Cybereason’s software was installed. If they saw that it was present, they bypassed it and moved along to another network.
“This is how the malicious code worked,” Div said. “It was self-terminating if it was going to be detected.”
SentinelOne said its customers were also spared, based on the so-called Indicators of Compromise (IOCs) in the SolarWinds hack.
“In the SolarWinds attack, dubbed ‘SUNBURST,’ SentinelLabs research has confirmed that devices with SentinelOne agents deployed are specifically exempt from the malicious payload used in the reported IOCs,” the company wrote in a post on Dec. 13.
Whether it’s ransomware, common hacks such as phishing and malware, or complex spying efforts like with SolarWinds, Div said the frequency of today’s attacks is compelling companies to secure their networks with the most modern threat detection technology.
For Cybereason, big clients are typically paying in the hundreds of thousands of dollars per year, which Div says is quite cheap given what just happened to Colonial Pipeline.
“To see that somebody paid $5 million on a relatively tiny deal that we could’ve helped them, it’s crazy from my point of view,” he said.