Organized cybercriminals emboldened by autocrats — most prominently Russian President Vladimir Putin — have caught Washington flat-footed with a rising tide of ransomware and other hacking operations that intelligence sources say have the dual aim of weakening the U.S. economy while gaining geopolitical leverage over Washington on the world stage.
The Biden administration has scrambled to respond in the wake of the Colonial Pipeline ransomware attack that nearly crippled gasoline supplies across the Southeast for more than a week. Still, cybersecurity experts are calling on the White House to address the threat for what it is: a state-sponsored campaign that will only get worse until U.S. leadership confronts it.
Leon E. Panetta, a former CIA director and Obama administration defense secretary, criticized the Biden administration’s response as giving cyberattackers a green light to continue their intrusions.
“My concern right now is that we do not have an effective national strategy to deal with these various attacks that we’re confronting and that we have not developed the kind of comprehensive cyberdefense strategy that this country should develop in order to protect our security,” Mr. Panetta told C-SPAN.
“We also need to have an offense as well that can make clear to our adversaries — whether it’s Russia, or China or North Korea or Iran or terrorists — that if they’re going to continue these kinds of attacks on the United States, they, too, will have to pay a price for what they are doing,” he said.
President Biden stopped short of directly blaming the Kremlin for authorizing the cyberattack on the Colonial Pipeline in its immediate aftermath.
“So far, there is no evidence based on, from our intelligence people, that Russia is involved,” the president said last month. “Although there’s evidence that the actors, ransomware, is in Russia. They have some responsibility to deal with this.”
Mr. Biden will pursue a ransomware “action plan” with top U.S. allies at the Group of Seven meetings this weekend in the United Kingdom, the White House said Monday.
Even as Mr. Biden moves ahead, ransomware operators, who lock up victims’ systems and data and demand payment to restore them, have acted with increasing boldness. In recent months, they have disrupted U.S. fuel and food supplies, education, health care and transportation.
Punching back publicly would do more to deter digital blackmailers than offensive operations conducted only in the shadows, argues Jamil Jaffer, IronNet Cybersecurity senior vice president.
“The challenge with deterrence in cyberspace is not that cyberspace is special or different, but rather that we don’t typically employ classical deterrence approaches in the cyber domain,” said Mr. Jaffer, a former chief counsel to the Senate Foreign Relations Committee. “The fact is that in the cyber domain, we simply don’t talk about our red lines, our capability to impose costs, nor do we consistently impose those costs, much less [impose] them publicly. That makes effective deterrence impossible.”
The FBI observed a spike in ransomware attacks starting late last year, and private cybersecurity companies said the trend continues. Hospitals and medical facilities became top targets during the COVID-19 pandemic. Cybersecurity firm Check Point said it observed an 84% increase in cyberattacks in the U.S. from May 2020 to May 2021.
Deterring individual criminals online and deterring nations are two different animals. A ransomware attack that nets a few million dollars but produces gas lines and fuel shortages or fears of food insecurity may be considered a rousing success by a hostile foreign power.
When Robert Eatinger left the CIA in 2015, ransomware attackers were already using sophisticated anonymization, including compromising other users’ computers and routing their activity through them to cloak its origin. Mr. Eatinger said the shift in targets from individual businesses to critical infrastructure entities suggests that foreign adversaries have encouraged or enabled the cyberattackers.
“It would not surprise me if a service like the Russians or somebody like that would also make these [cyber] tools available to private entities that are out there engaging the criminal ransomware aspect if for nothing else [because] it provides some cover for their own activities,” said Mr. Eatinger, who has more than 20 years of experience as a lawyer at the CIA. “So I think when you see the demands for a lot of money from just your basic commercial enterprises, that, to me, is probably private and criminal, but it doesn’t mean that’s where they didn’t originally get the tools from some state actor.”
Experts say cyberattackers in Russia fall into three loosely organized categories: state-directed attackers, independent criminals, and surrogates that may have developed the knowledge or hacking tools from the state. Some hackers may work for the government for part of the day and launch their own cyberattacks for private profit during the rest of the day without objection from their bosses.
Attribution in the cybersecurity domain is difficult, and cyberattackers have exploited that hurdle to gain an advantage. Ransomware operators with ties to Russia hit Colonial Pipeline and meat producer JBS last month, but it is unclear who is behind the keyboard and how they picked their targets.
Ransomware operators using DarkSide hit the pipeline servicing the East Coast, and an outfit known as REvil hit JBS. Both DarkSide and REvil operated on a ransomware-as-a-service model, in which developers of malicious software and affiliates that deploy it share portions of the ransom their targets pay to regain access to systems or data. Some cyberattackers using DarkSide are suspected of partnering with REvil, according to cybersecurity firm FireEye.
A new form of terrorism
The Biden administration responded to the spate of ransomware attacks by elevating cyberattacks to equal footing with terrorism. In an interview with The Wall Street Journal, FBI Director Christopher A. Wray compared the ransomware flood to the challenge of the Sept. 11, 2001, terrorist attacks. The Justice Department sent a memo to U.S. attorneys’ offices across the country last week declaring every report of a cyberattack “urgent” and directing investigators to give ransomware attacks the same priority as terrorism.
Mr. Eatinger said casting ransomware as terrorism is important because it gets the government’s national security apparatus involved rather than leaving the problem for domestic law enforcement agencies to resolve. He said the change in language might give the national security community greater opportunity to help find the cyberattackers and knock them offline.
The government has sent mixed signals on whether those hit by cyberattacks should pay the ransom. In the aftermath of the cyberattack on Colonial Pipeline, the FBI and the Cybersecurity and Infrastructure Security Agency urged it not to pay, but the White House’s top cybersecurity official said the Biden administration would leave that decision to the company.
Colonial Pipeline acknowledged it paid its cyberattackers’ $4.4 million ransom. CEO Joseph Blount will appear before the Senate Homeland Security and Governmental Affairs Committee on Tuesday. The Justice Department announced Monday that it had recovered much of the cryptocurrency that Colonial paid to the hackers.
Not everyone pays the ransom. Sky Lakes Medical Center in Oregon was hit with ransomware linked to Russia in October, and spokesman Tom Hottman said earlier this year that it did not pay the ransom. He said some patients’ medical records had been corrupted and that the health care facility would redo those patients’ imaging procedures at no cost.
“Whether these companies pay this sum or not, the message is there that this is a tool that Russia or others potentially providing state-sponsored support of hackers can use to try and restrain U.S. power projection by ordering up some high-level cyberoperations against the United States,” an intelligence community source said.
The Biden administration is looking to squeeze ransomware gangs with stricter rules on cryptocurrency, which is often used to pay cyberattackers. Anne Neuberger, the deputy national security adviser for cyber and emerging technology, said last month that the Treasury Department was leading international efforts to adopt virtual assets standards intended to combat the use of cryptocurrencies in ransomware demands.
• Tom Howell Jr. contributed to this report.