Russian President Vladimir Putin has repeatedly denied Moscow’s involvement in the surge of ransomware attacks on U.S. targets, but a recently retired American spy chief says there is no question Russian intelligence has influence over the hacking operations.
The reason: The cyberattacks fit into Mr. Putin’s larger strategy to undermine American democracy and economic power.
“The Russian government could shut this down in one moment if they wanted to,” said William R. Evanina, who until early this year tracked Russian and other hostile operations against the U.S. as director of the National Counterintelligence and Security Center. He also has served as chief of the CIA’s counterespionage group.
Mr. Evanina generally praised the Biden administration’s attempts to elevate the government’s response to the growing drumbeat of ransomware and other cyberattacks, but he told The Washington Times in an interview that U.S. intelligence could engage in dramatically more aggressive cyberoperations to counter Russian hacking.
“We always have a list of targets,” Mr. Evanina said. U.S. intelligence “can reach out and touch anybody, anytime we want.”
But he said numerous legal and policy concerns, along with the prospect of a “cascading escalation” with Russia, have held back the offensive cyberoperations.
He made the comments as President Biden and Mr. Putin engaged in a high-stakes summit in Geneva last week.
The U.S. accused Russian intelligence of involvement in last year’s SolarWinds hack, viewed as the worst cyberespionage breach ever against American government agencies. The Colonial Pipeline ransomware attack that nearly crippled gasoline supplies across the Southeast last month also was blamed on hackers operating in Russia.
During the summit Wednesday, Mr. Biden gave Mr. Putin a list of critical American infrastructure systems that he said should be off-limits for ransomware and cyberattacks. He warned the Russian president that the U.S. has “significant cyber capability” to respond to such attacks.
In his own press conference, Mr. Putin denied Russian involvement in any cyberattacks. “Russia isn’t on the list” of countries the attacks could have originated from, he said. He told NBC News ahead of the summit that the charges were “farcical.”
Mr. Evanina, who currently runs the Evanina Group, which advises CEOs and boards of directors on strategic corporate risks in cybersecurity and other arenas, said the recent attacks were carried out by “a criminal element in Russia [that is] unable to operate without the express or implied protection of the [Russian] intelligence services.”
“They’re being protected by the Russian Federation,” he said. He drew a parallel to Russian meddling in the 2016 U.S. presidential election via the Internet Research Agency, a pseudo-private Russian firm that manipulated American social media accounts in coordination with Russian intelligence before the U.S. neutralized the intrusion with counter-cyberattacks.
The Internet Research Agency was “an ‘independent contractor’ in Russia, but if anybody thought they were doing that without the instruction of the intelligence services, it would be foolish and naive, to say the least,” Mr. Evanina said. He added that the recent wave of cyberoperations fits Mr. Putin’s modus operandi of doing “anything he can to destabilize our democracy.”
The Biden administration scrambled to respond to the Colonial Pipeline attack, but the White House was criticized for not explicitly addressing the threat as a state-sponsored campaign that would grow without confrontation from U.S. leadership.
Leon E. Panetta, a former CIA director and Obama administration defense secretary, recently told C-SPAN that the U.S. “lacks an effective national strategy” for dealing with cyberattacks.
“We also need to have an offense as well that can make clear to our adversaries — whether it’s Russia or China or North Korea or Iran or terrorists — that if they’re going to continue these kinds of attacks on the United States, they, too, will have to pay a price,” Mr. Panetta said.
Before his summit with Mr. Putin, Mr. Biden stopped short of directly blaming the Kremlin for authorizing the Colonial Pipeline attack.
“So far, there is no evidence based on, from our intelligence people, that Russia is involved,” the president said in the immediate aftermath of the attack. He added, however, that “there’s evidence that the actors, ransomware, is in Russia” and that the Russian government has “some responsibility to deal with this.”
Mr. Evanina said one of the primary challenges is the elusiveness of the cyberspace realm. “People don’t understand it, they don’t see it, they don’t taste it,” he told The Times. “It’s not like terrorism, where there is kinetic value, where you get to see people hurt. It’s invisible.”
He said the sophistication of ransomware attacks has risen dramatically in recent years.
“Two years ago, you had criminals or ransomware threat actors who would lock down your systems and then you would have to pay to have them unlocked. It was a simple formula,” Mr. Evanina said. “Now, ransomware has turned into a data issue. Data is the huge commodity right now. So now there are ransomware actors, criminals, who can steal your data and use your data as a bargaining chip for remuneration.”
Such was the case with Colonial Pipeline. Hackers locked important proprietary company files and threatened to make them public if the company didn’t pay.
“They’ve upped the game, and they’ve upped the ante,” Mr. Evanina said.
He cautioned against dismissing seemingly small ransom demands. In the Colonial attack, the hackers sought $4.4 million from a company with assets of more than $3 billion.
“Four million dollars will fund a lot of stuff in Moscow …,” Mr. Evanina said. “We’re talking about astronomical numbers” when one considers the full slate of ransomware attacks in recent months — a slate that includes incidents not publicized or reported to government agencies.
He said “we don’t know” how much is really being paid in ransom, but he estimated it’s in the “tens of millions upon hundreds of millions of dollars.”
Colonial CEO Joseph Blount told Congress this month that the decision to pay was the hardest he has made in 39 years in the energy industry.
The White House said it didn’t offer advice to Colonial on whether to pay the ransom, igniting criticism that the administration is leaving American companies to fend for themselves against Russian state-sponsored cyberattacks.
Mr. Evanina was a career FBI official before he was tapped in 2014 to head U.S. counterintelligence under President Obama. He then stayed on through the Trump administration.
He broadly defended the Biden administration’s cybersecurity policy moves, including the president’s executive order last month requiring federal agencies to increase their basic cybersecurity protections and setting higher security standards for federal government software contractors.
Mr. Evanina told The Times that the administration has “the right concepts in place” to improve government and private-sector preparedness. With China and Iran also “getting more brazen with their cyberattacks,” he said, “we’re going to have to respond accordingly, and I think the Biden administration is doing that.”
He stressed, however, that “there needs to be more aggressive intelligence-sharing” between the government and the private sector.
“We have to have the ultimate public-private partnership here, with the government to be able to provide as much information as possible about the networks and the criminal elements — whether or not they are state-sponsored — to the sectors and corporations so that CEOs can make value-added business decisions of whether or not they’re going to pay,” Mr. Evanina said.
“There [also] needs to be a concerted effort by industry to take precautions that are necessary to prevent ransomware in the first place, and those precautions start with basic cyber-hygiene,” he said. He suggested increasing employee awareness of potential spear-phishing emails.
The Justice Department said this month that it was elevating investigations of ransomware attacks to the same level as terrorism.
Mr. Evanina predicted a dramatic increase in cyberoperations by the U.S. intelligence community and the Pentagon’s Cyber Command.
Despite the legal and policy implications, “I think you’re going to see an opening of the optic so the American people and the world will see that we are going to continue to fight back but we will be more transparent about it.”
• Dave Boyer, Jeff Mordock and Ryan Lovelace contributed to this report.