The rising frequency of ransomware attacks against private companies involved in banking, gasoline supplies, beef production and other crucial business may feel like an overhyped national security threat, but a growing number of experts are warning that the attacks represent a cyberwar trend that U.S. adversaries are poised to exploit not for money but for serious geopolitical gain.
Analysts predict that as the scope and sophistication of the incidents grow in the coming months and years, states such as Russia, China, Iran and North Korea are likely to accelerate the use of ransomware to exact foreign policy concessions either directly from Washington or from U.S. allies around the world.
“I think it’s a matter of time before key adversaries like Iran and North Korea are leveraging ransomware for political gain,” said Jenny Jun, a nonresident fellow at the Atlantic Council’s Cyber Statecraft Initiative.
It is important to understand the basic mechanics of a typical ransomware attack: A group of hackers bore into a company’s computer system, find sensitive data such as client bank account numbers and then lock up that data with an encryption key — or password — that makes it impossible for the company to access the data. The hackers then demand that the company pay a fee in exchange for the encryption key to unlock the data.
Ms. Jun said the same processes present hostile forces — both state and nonstate actors — with new and affordable ways to wreak havoc, particularly if the companies targeted are involved in major critical infrastructure or other politically sensitive industries such as defense production and high-level banking.
Hacking groups such as DarkSide and REvil have used ransomware in recent months to get U.S. companies to pay tens of millions of dollars for encryption keys to free up data. Ms. Jun predicts that foreign governments with influence over hacking groups will soon be demanding something other than money.
Foreign adversaries could instead seek sanctions relief, prisoner releases and subtle policy shifts designed to undermine U.S. interests on the global stage, Ms. Jun said in an interview with The Washington Times.
“It could be a demand that a country concede its control over a particular piece of territory,” she said.
A foreign adversary also could use ransomware to demand that an international bank, or the country where it is located, stop cooperating with U.S. sanctions, she said.
Iran has a track record of engaging in such tactics outside the cyber realm, she said. Tehran, she noted, succeeded in pressuring South Korea to release nearly $7 billion in frozen Iranian assets early this year by seizing control of a South Korean-flagged oil tanker.
Ms. Jun called it a “no-brainer” that Iran, which has billions of dollars frozen in overseas banks because of U.S. and Western economic sanctions, will eventually turn to ransomware attacks to achieve similar ends. “You can imagine a country having their facilities taken hostage through ransomware and then the Iranians saying, ‘We’ll release the encryption key if you release our money,’” she said. “It doesn’t have to be against the U.S.; it could target U.S. partners.”
Preparing the ‘battlefield’
The future of cyberwarfare is coming quickly.
“In the coming years, the cyber domain may be the most important ‘battlefield,’” said David Maxwell, a former U.S. Special Forces officer who focuses on North Korea at the Foundation for Defense of Democracies. “For North Korea, it is just too tempting of an environment in which to operate. The benefits are high, and so far the costs are extremely low.”
North Korea is not known to have engaged in state-sponsored ransomware attacks, but Mr. Maxwell said Pyongyang appears to be engaging in a range of hacking activities designed to conduct “reconnaissance” on South Korean, U.S. and other networks for potential action aimed at achieving specific geopolitical gains.
“They could be ‘preparing the battlefield,’ so to speak,” he told The Times. “Someday, we could see major attacks on infrastructure that might be able to do an extremely high amount of damage,” which in turn could benefit the regime’s “blackmail diplomacy.”
Stewart Baker, a former National Security Agency general counsel and Homeland Security Department policy chief now practicing technology law at the private firm Steptoe & Johnson, said in an interview that “it is not implausible” that foreign adversaries will seek a subtle way to launch ransomware attacks for political ends.
“You’re not necessarily going to get geopolitical influence by locking up a piece of data and publicly demanding a policy change,” Mr. Baker said. “But could you do it quietly? Perhaps.”
Are there scenarios in which a private-sector ransomware incident could turn into a public policy football? “Yes,” said Mr. Baker, pointing to the Colonial Pipeline attack by Russia-based hackers that briefly halted the flow of gasoline across the southeastern United States in May.
The attack could have taken on a major geopolitical twist, Mr. Baker said, if it were much more sophisticated and succeeded in tying up Colonial’s industrial control systems for weeks on end, taking over the computer system that makes the pipeline open and close. Colonial officials acknowledged paying off the ransomware thieves to restore supplies after about a week.
Had the shutdown been more extensive and more prolonged, Mr. Baker said, Russian President Vladimir Putin could well have come forward and told U.S. officials that Moscow had the capability to track and capture the Russian-based hackers and would do so on the condition that, say, Washington agree to prevent American social media companies such as Twitter and Facebook from giving Russian dissidents a forum to criticize Kremlin policies.
Inside cyber geopolitics
U.S. cybersecurity officials have focused on the prospect that geopolitical developments, such as U.S. airstrikes or sanctions against a particular country, will trigger increases in cyberattacks against the United States — not that cyber or ransomware attacks themselves could preemptively become geopolitical weapons in the hands of foreign adversaries.
The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency circulated an “insights” document in January 2020 warning that “increased geopolitical tensions and threats of aggression may result in cyber and physical attacks against the homeland and also destructive hybrid attacks by proxies against U.S. targets and interests abroad.”
The document homed in specifically on the prospect of “disruptive and destructive cyber operations against strategic targets, including finance, energy and telecommunications organizations, and an increased interest in industrial control systems and operational technology” by foreign hackers.
It also warned about the ongoing threat of “cyber-enabled espionage and intellectual property theft targeting a variety of industries.”
Mr. Baker told The Times that China has long engaged in such cyber-enabled espionage targeting American companies that contract with the Pentagon to work on U.S. defense and weapons development.
“This has been less about leverage than about giving China geopolitical advantages they didn’t otherwise have,” Mr. Baker said. Cyber-espionage has effectively “allowed the Chinese to modernize their military probably 15 years ahead of time by stealing stuff — by hacking into defense contractors.”
“It’s not that they go in and they call up [whomever they’ve hacked] to say, ‘Hey, woohoo, we have your data,’” Mr. Baker said. “No, instead, they’ve taken that data and handed it off to someone else and said, ‘Here you go. Build this [weapon] for us now.’
“So there’s a geopolitical impact in that,” Mr. Baker said.
The United States has reportedly pursued geopolitical goals through covert cyberactions over the past decade. The New York Times reported that the Obama and Trump administrations ordered the Pentagon to carry out offensive cyberstrikes against North Korea’s missile program in hopes of sabotaging Pyongyang’s missile test launches in their opening seconds.
Analysts generally agree that it would be a geopolitical coup for Washington if such cyberattacks reliably neutralized the threat from nuclear-tipped North Korean intercontinental ballistic missiles. However, the effectiveness of the Pentagon campaign targeting Pyongyang’s launches remains a subject of debate in Washington.