The current US administration has a message for Russia: Rein in the criminal hackers operating from inside your borders who hit Western targets, or we will do it for you. The White House says that is the imperative being stressed in ongoing talks between high-level officials in the US and Russian national security teams following the mid-June summit in Geneva between the US President and the Russian President.
Experts say disrupting ransomware will take more than diplomacy, and needed cybersecurity improvements in the "critical infrastructure" which is overwhelmingly run by private companies and will take time and focused private-public partnership efforts to fix. But disrupting the criminals launching these attacks remains top law enforcement and diplomatic priority, US officials say, and the Biden administration is bringing multiple tactics to bear. After the Geneva meeting, for example, Biden said he'd told Putin that certain types of "critical infrastructure" were off-limits to any attacks emanating from Russia, including any repeat of the May ransomware attack against Colonial Pipeline Co., which supplies 45% of the fuel used along the US East Coast.
"I looked at him. I said: 'Well, how would you feel if ransomware took down the pipelines from your oil fields?' He said it would matter," Biden said. "This is not about just our self-interest. This is about our mutual self-interest." Biden added, "Responsible countries need to take action against criminals who conduct ransomware activities on their territory." Since that meeting, "We have undertaken expert-level talks that are continuing, and we expect to have another meeting next week focused on ransomware attacks," the White House Press Secretary told reporters on Tuesday. "And I will just reiterate a message that these officials are sending, as the president made clear to President Putin when they met, ‘If the Russian government cannot or will not take action against criminal actors residing in Russia, we will take action or reserve the right to take action on our own.’ "
Ransomware poses a difficult challenge, as highlighted by the fact that it remains so difficult to disrupt. But many ransomware operations appear to be tied to Russian-speaking individuals who may be operating from Russia. The Colonial Pipeline attack, for example, was launched by a ransomware-as-a-service operation called DarkSide, which US intelligence said appeared to be run, at least in part, from Russia. Credit for the supply chain attack against remote-management software vendor Kaseya has been claimed by REvil, aka Sodinokibi which is a RaaS operation that many experts suspect is run from Russia. See: https://redskyalliance.org/xindustry/dr-evil-does-not-work-for-the-revil-gang
"One of the interesting things about ransomware is that it is this blend of criminal and nation-state activity, which is to say that clearly most of the criminals that are involved in carrying this out are out to make money," says the president and CEO of the Cyber Threat Alliance. "On the other hand, it is also the case that ... the REvil group [is] right there being harbored by and sheltered by a nation-state," says the CEO, who from 2012 to 2017 served as the White House's cybersecurity coordinator. "And so, there are these overlaps and interconnections between the criminal world and the nation-state world that make ransomware a very challenging threat to deal with."
But there have been increasing calls to do something, including holding Russia's leadership to account for failing to blunt such attacks. "Vladimir Putin is harboring these organizations, and more importantly, he is benefiting from their actions," says the head of the cybersecurity strategy at VMware Carbon Black. "There should be a proportionate cyber response," he says. "There should be a targeted response against REvil infrastructure in the dark web. … There should be a campaign of disinformation against REvil - amongst the other cybercrime cartels - to underscore and undermine their credibility."
How Might the US 'Take Action'? How would this be done? Likely by using US Cyber Command, a military unit with offensive hacking capabilities, to try to disrupt specified criminal operations.
The former head of Britain's National Cyber Security Center said recently wrote in Lawfare, has backed this strategy for use by many Western governments. He noted that it was used successfully by Cyber Command to disrupt Russia's Internet Research Agency troll farm ahead of the 2018 US midterm elections. "A direct cyberattack on an adversary’s infrastructure to destroy it and therefore prevent its future hostile use … has been used against transnational cybercriminals in the past and should, in my view, be deployed where possible against the scourge of ransomware," he said.
Any attempt to hold a government accountable for the actions of criminals operating inside its borders, however, can be fraught. "We are entering a very tricky time - the wrong decision now could escalate very quickly," says a cybersecurity expert and visiting professor of computer science at the University of Surrey. "The bottom line is the authorities in the US are very unlikely to stand quietly by if the attacks continue at this sort of rate," he says. "What’s left, offensive defense - hacking back, disable the hacking infrastructure by attacking it electronically. The trouble with this is that it lays the U.S. open to a certain extent to the same criticism often leveled at the Russians about carrying out 'operations' on foreign soil." He says any such attacks on adversary infrastructure would have to remain narrowly focused on criminal infrastructure. If political targets were hit instead, things could quickly spiral out of control, becoming "a hop, skip and a jump to proper cyber warfare - and cyber warfare will not be purely electronic, as damaging as that could be, and could quickly lead to kinetic attacks on related cyber targets," he says. "It’s all too easy to see how it could escalate to a place no one in their right minds wants to go."
Could the US restrain its offensive cyber targeting to just criminal targets? After all, not all network intrusions emanating from Russia are criminal in nature, some instead involve espionage. The backdooring of security vendor SolarWinds' software that came to light last December, has been attributed by the US government to Russia's Foreign Intelligence Service (SRV).
For example, the Republican National Committee (RNC) recently announced that an attempt to breach its systems had been detected by its managed service provider, Synnex. The RNC reported the attempt was unsuccessful. Investigators suspect the intrusion attempt traced to the Russian government hacking team known as Cozy Bear (APT29), which is believed to be run by the SVR.
"Let’s keep our eye on the prize, folks. The real national security issue is ransomware," says the chairman of the Silverado Policy Accelerator and the former CTO of CrowdStrike. "Attempted hacking of political organizations - without dump of data - is called espionage," Alperovitch says. "The Russians have been doing it for hundreds of years and will continue doing it for hundreds more. As will we."
And Carbon Black says that many cybercriminals inside Russia including REvil have government ties. "They're one of the more sophisticated ransomware crews out there. They definitely have affiliations and connective tissue back into the intelligence services. They're viewed as a cyber militia in many regards to help offset economic sanctions and when called upon to do so, to launch attacks against the Western world in a punitive fashion for geopolitical tension or escalations of such," he says.
It remains to be seen, whether disrupting ransomware operations' infrastructure will be successful. To begin with, many are run as affiliate programs, bringing together distributed administrators and partners, including various types of specialists. Many ransomware-using criminals appear to speak Russian, but that does not mean they are operating from Russia. Many malicious operations appear to be very distributed.
Many experts continue to emphasize that a solution to the problem will not come via government showdowns or diplomatic imperatives, but rather on multiple fronts. Organizations must improve their defenses to better repel attackers. Security teams should be highlighting the latest incidents, such as Kaseya, to senior management. "This is yet again leveraged to have the discussion with leadership about why prevention is way more cost-effective than the cure, and that investing in prevention investing in better cybersecurity upfront will really pay dividends down the road," experts caution.
Public-private partnerships will also be vital to help organizations in the critical infrastructure understand just how vulnerable they are, the good professor says. "Government doesn’t want to run some of these services but they may be best-placed to ensure those services have adequate security put in place by those that are running them," he says.
The US Cybersecurity and Infrastructure Security Agency (CISA) says it is pursuing these exact types of strategies. "President Biden signed an executive order back in May that lays the groundwork for what we think is a much more secure cybersecurity posture for the federal government, and it really identifies a number of areas where we can use the federal government's procurement power and standard-setting ability to help shape the software development cycle for the IT community that could have broad effects on the private sector, well beyond just the federal government," says CISA's acting director. Wales also notes that the White House has launched 60-day sprints focused on ransomware as well as improving the security of industrial control systems. Such sprints already have been widely used in critical infrastructure sectors, such energy, chemicals and water. More broadly, he says that "to work in partnership, to reduce those risks," remains a core part of CISA's founding mission statement. "We've got a lot of work to do. But I feel like we have, in some respects, the winds at our back: We've got strong support from the administration, we've got strong support from Congress, and we're moving out quickly to see what we can do to improve our cybersecurity posture," he says.
Despite moves by CISA and others, experts say no quick fix for the ransomware problem will likely be forthcoming. Organizations will need time to improve their defenses to make it more difficult for ransomware-wielding criminals to exploit them. Diplomacy, too, takes time.
At Red Sky Alliance, we can help these teams with services beginning with cyber threat notification, analysis and complete elimination of cyber threats from both the inside and outside of networks. Our team members will be happy to hold a brief call with your team to help them better prepare for cyberattacks, malware, and ransomware. And what if this call led to savings in current duplicated services and forecasted need for additional personnel?
Red Sky Alliance is in New Boston, NH USA and we are proud to be helping in the overall cyber defense posture. We are a Cyber Threat Analysis and Intelligence Service organization. For questions, comments, or assistance, please contact the lab directly at 1-844-492-7225, or firstname.lastname@example.org.
Interested in a RedXray subscription to see what we can do for you? Sign up here: https://www.wapacklabs.com/RedXray
- Reporting: https://www.redskyalliance.org/
- Website: https://www.wapacklabs.com/
- LinkedIn: https://www.linkedin.com/company/64265941