A spokesman from the United States said on 07 April 2022 that it had secretly removed malware from computer networks around the world in recent weeks, a step to pre-empt Russian cyberattacks and send a message to President Vladimir V. Putin of Russia. The actions, made public by Attorney General Merrick B. Garland, comes as U.S. officials warn that Russia could try to strike American critical infrastructure including financial firms, pipelines and the electric grid in response to the sanctions that the United States has imposed on Moscow over the war in Ukraine.
The malware enabled the Russians to create “botnets” networks of private computers that are infected with malicious software and controlled by the G.R.U., the intelligence arm of the Russian military. But it is unclear what the malware was intended to do, since it could be used for everything from surveillance to destructive attacks. An USA spokesman said that the United States did not want to wait to find out. Armed with secret court orders in the United States and the help of governments around the world, the Justice Department and the F.B.I. disconnected the networks from the G.R.U.’s own controllers. “Fortunately, we were able to disrupt this botnet before it could be used,” Mr. Garland said. The court orders allowed the F.B.I. to go into domestic corporate networks and remove the malware, sometimes without the company’s knowledge.
President Biden has repeatedly said he would not put the U.S. military in direct conflict with the Russian military, a situation he has said could lead to World War III. That is why he refused to use the U.S. Air Force to create a no-fly zone over Ukraine or to permit the transfer of fighter jets to Ukraine from NATO air bases. Biden’s hesitance does not appear to extend to cyberspace. The operation that was revealed showed a willingness to disarm the main intelligence unit of the Russian military from computer networks inside the United States and around the world. It is also the latest effort by the Biden administration to frustrate Russian actions by making them public before Moscow could attack.
Even as the United States works to prevent Russian attacks, some American officials fear Mr. Putin may be biding his time in launching a major cyber operation that could strike against the American economy. American officials say, the primary Russian cyber actions have been directed at Ukraine including “wiper” malware designed to cripple Ukrainian government offices and an attack on a European satellite system called Viasat. The details of the satellite attack, one of the first of its kind, are of particular concern to the Pentagon and American intelligence agencies, which fear it may have exposed vulnerabilities in critical communications systems that the Russians and others could exploit.
The Biden administration has instructed critical infrastructure companies in the United States to prepare to fend off Russian cyberattacks, and intelligence officials in Britain have echoed those warnings. And while Russian hackers have sometimes preferred to quietly infiltrate networks and gather information, researchers said that recent malware activity in Ukraine demonstrated Russia’s increasing willingness to cause digital damage.
See: https://redskyalliance.org/xindustry/dhs-warns-of-russian-cyber-attack
“They are engaged in a cyberwar there that is pretty intense, but it is targeted,” said Tom Burt, a Microsoft executive who oversees the company’s efforts to counter major cyberattacks and shut down an attack in Ukraine during the opening of the war. Security experts suspect that Russia may be responsible for other cyberattacks that have occurred since the war began, including on Ukrainian communications services, although investigations into some of those attacks are ongoing.
In January 2022, as diplomats from the United States prepared to meet with their Russian counterparts in an attempt to avoid military conflict in Ukraine, Russian hackers already were putting the finishing touches on a new piece of destructive malware. The code was designed to delete data and render computer systems inoperable. In its wake, the malware left a note for victims, taunting them about losing information. Before U.S. and Russian representatives met for a final attempt at diplomacy, hackers had already begun using the malware to attack Ukrainian critical infrastructure, including government agencies responsible for food safety, finance and law enforcement.
Adam Meyers, the senior vice president for intelligence at CrowdStrike, who analyzed the malware used in the January 2022 attacks and linked the group to Russia, said the group intended to cause damage and aid Russian military objectives. “It’s a relatively new group, clearly purpose-built with a disruptive capability in mind,” Mr. Meyers said. “The emergence of it is a progression of a continued demand from Russian forces for cyber operational support.”
Another attack occurred on 24 February 2022, the day that Russia invaded Ukraine, when hackers knocked Viasat offline. The attack flooded modems with malicious traffic and disrupted internet services for several thousand people in Ukraine and tens of thousands of other customers across Europe, Viasat said in a statement. The attack also spilled over into Germany, disrupting operations of wind turbines there. Viasat said that the hack remained under investigation by law enforcement, U.S. and international government officials and Mandiant, a cybersecurity firm that it hired to look into the matter, and it did not attribute the attack to Russia or any other state-backed group.
According to senior U.S. officials said all evidence suggested Russia was responsible, and security researchers at SentinelOne said the malware used in the Viasat attack was similar to code that has been linked to the G.R.U. The United States has not formally named Russia as the source of the attack but is expected to do so as soon as several allies join in the analysis.
In late March 2022 a cyberattack again disrupted communications services in Ukraine. This time, the attack focused on Ukrtelecom, a telephone and internet service provider, knocking the company’s services offline for several hours. The attack was “an ongoing and intensifying nation-scale disruption to service, which is the most severe registered since the invasion by Russia,” according to NetBlocks, a group that tracks internet outages. Ukrainian officials believe that Russia was most likely responsible for the attack, which has not yet been traced to a particular hacking group. “Russia was interested in cutting off communication between armed forces, between our troops, and that was partially successful in the very beginning of the war,” said Victor Zhora, a top official at Ukraine’s cybersecurity agency, the State Service of Special Communications and Information Protection. Ukrainian officials said Russia had also been behind attempts to spread disinformation about a surrender.
In the United States, officials fear similar cyberattacks could hit critical infrastructure companies. Some executives said they hoped the federal government would offer funding for cybersecurity.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs.com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.wapacklabs.com/
- LinkedIn: https://www.linkedin.com/company/64265941
Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://attendee.gotowebinar.com/register/3702558539639477516
Comments