Some time ago, a friend of mine sent me a sad story about CodeSpaces, a collaborative coding site that was hosted on Amazon's Elastic Computing service, EC2. On June 17th, they experienced a distributed denial of service attack, an attack that prevented people from getting access to their website. The people behind the attack demanded money to have the attack lifted, but CodeSpaces did not pay up. Instead they held firm.
While the attack was ongoing, the attackers were able to gain access to the CodeSpaces hosting account and deleted just about everything to ensure that CodeSpaces could not continue to operate since they refused to pay the ransom for the denial of services attack.
This is a very severe attack. First the denial of service attack to prevent customers from getting access to the website, and then the the complete and total destruction of the company data, including production data and all backups. Once the attackers gained access to the hosting account, they had complete access to everything and even made backup accounts to be sure that they could still get back in and finish the job even if the account they were using was disabled or the password was changed.
This is clearly premeditated, very well planned and organized as far as attacks go. One can only imagine what must have been going on in the minds of the attackers, what they were hoping to achieve and the level of confidence they may have had as they pursued their objectives. When they saw that they weren't going to be able to extort money from their victim, they destroyed the business that was their victim. That is vindictiveness in the extreme.
From what I know of the story, the attackers are still unknown and have probably covered their tracks very well. I also see that two-factor authentication could have been used by the company, but it was not implemented. Worse, the company did not have a disaster recovery plan. That could have saved the company.
While reading all of this, I have considered the possible mindset of the attacker. How does an attacker justify spending 12 hours deleting everything in sight that a company has created for paying customers? "Look, all they had to do was pay me and they could have kept their business" is what I imagine them to be saying in their minds. That suggests an awful lot of confidence in their position. The attackers were confident that they could destroy the business if their demands were not met and they could do so without detection or tracking.
Or could they?
A long time ago, I learned about something called karma. After reading the local news for years, I got really tired of seeing stories about people doing really nasty stuff to other people. I could see the karma coming back for the perpetrators of crime. I see this both in violent crime and in white collar crime. But in all cases, I see something coming back to haunt the bad guys.
I am reminded of Isaac Newton, one of the greatest scientists of all time, a man who came up with some simple laws of the universe more than 400 years ago. Objects that are at rest tend to stay at rest. Objects that are moving tend to keep moving unless another force acts on that object to bring it to rest. For every action there is an equal and opposite reaction.
That last one has always been in the back of my mind since I first read it so many years ago. I have adapted it for my own use, a sort of principle that I follow to this day:
"If you push really, really hard on the universe, be prepared to duck."
This is to say that whenever I push on the universe, against anything or anyone, I can expect that the universe will respond in kind. I don't slam doors. I don't break things out of anger. I think before I speak and consider the feelings of others when I do speak. I avoid doing that which makes my chest burn with guilt or my stomach tingle with fear. My body is my ethical barometer. This is what I feel and what I use as my guide.
But the perps who destroyed Code Spaces may not have access to that barometer that everyone has if they want to. They may not mind living a life where they will never really know for sure if someone is lurking around the corner, ready to exact revenge. They may not mind a life where they will always have to look over their shoulder, and never really know for sure if they are safe asleep at night. Yes, even criminals have to sleep sometime. How much money must be paid to ensure the loyalty of the people around the criminal? Is that enough? Can they ever be sure? They may even believe that enough money in the bank will help to numb the sensation of fear, uncertainty and doubt they must consider about their fate every waking hour as a result of their chosen "profession".
How does a criminal find sleep let alone love if there is no way to be sure he can trust anyone?
It must be a very dark heart indeed to be willing to destroy a company like that. But no matter how confident the perps were, there is no such thing as "getting away with it." Across the spectrum of wrongdoing, from cyber attacks to physically violent attacks, they all have the same result. The mind never forgets. The heart never forgets. And with that, sleep will not be easy to come by.
Somehow, in the mind of the criminals who attacked Code Spaces, their spite was justified. I honestly don't see how spite could be justified, even for money. This is something we must consider when confronted with such a soul that can justify and rationalize everything. I'm not saying we should ever condone destruction, but that we must be prepared when confronted by the same.
To be sure, Code Spaces should have had a backup plan that has been tested and known to work. But the perps? Who knows how the pendulum swings?