Organized cybercriminals emboldened by autocrats — most prominently Russian President Vladimir Putin — have caught Washington flat-footed with a rising tide of ransomware and other hacking operations that intelligence sources say have the dual aim of weakening the U.S. economy while also gaining geopolitical leverage over Washington on the world stage.
The Biden administration has scrambled to respond in the wake of the recent Colonial Pipeline ransomware attack that nearly crippled gasoline supplies across the southeastern United States for more than a week. But cyber experts are calling on the White House to address the threat for what it is: a state-sponsored campaign that will only get worse until confronted by U.S. leadership.
Former CIA director and Obama administration Defense Secretary Leon Panetta criticized the Biden administration’s actions as giving cyberattackers a green light to continue cyber intrusions.
“My concern right now is that we do not have an effective national strategy to deal with these various attacks that we’re confronting and that we have not developed the kind of comprehensive cyber-defense strategy that this country should develop in order to protect our security,” Mr. Panetta told C-SPAN.
“We also need to have an offense as well,” he added, “that can make clear to our adversaries — whether it’s Russia, or China or North Korea or Iran or terrorists — that if they’re going to continue these kinds of attacks on the United States, they too will have to pay a price for what they are doing.”
President Biden, however, has stopped short of directly blaming the Kremlin for authorizing the cyberattack on Colonial Pipeline in its immediate aftermath.
“So far, there is no evidence based on, from our intelligence people, that Russia is involved. Although there’s evidence that the actors, ransomware, is in Russia,” the president said in May. “They have some responsibility to deal with this.”
Mr. Biden will pursue a ransomware “action plan” with top U.S. allies at the Group of Seven meetings in the U.K., according to the White House on Monday.
But even as Mr. Biden moves ahead, ransomware cyberattackers holding management and regulatory systems hostage in exchange for payment have acted with increasing boldness in recent months, disrupting not only fuel supplies, but food, education, health care, and transportation in America.
Punching back publicly would do more to deter digital blackmailers than offensive operations conducted only in the shadows, according to experts including Jamil Jaffer, IronNet Cybersecurity senior vice president.
“The challenge with deterrence in cyberspace is not that cyberspace is special or different, but rather that we don’t typically employ classical deterrence approaches in the cyber domain,” said Mr. Jaffer, a former chief counsel to the Senate Foreign Relations Committee. “The fact is that in the cyber domain we simply don’t talk about our red lines, our capability to impose costs, nor do we consistently impose those costs, much less [impose] them publicly. That makes effective deterrence impossible.”
The FBI observed a spike in ransomware attacks starting in the final months of 2020, and private cybersecurity companies have seen that trend continue. Hospitals and medical facilities became top targets during the coronavirus pandemic. Cybersecurity firm Check Point said it observed an 84% increase in the number of cyberattacks on the U.S. in May 2021 as compared to May 2020.
Deterring individual criminals and nations online are two different animals. A ransomware attack that nets a few million dollars but produces gas lines and fuel shortages or fears of food insecurity may be considered a rousing success by a hostile foreign power.
When Robert Eatinger left the CIA in 2015, ransomware attackers deployed sophisticated levels of anonymization and would seek to infiltrate several users’ computers to cloak their activity. Mr. Eatinger said the changing nature of the targets from individual businesses to critical infrastructure entities in recent years hints that foreign adversaries have encouraged or enabled the cyberattackers.
“It would not surprise me if a service like the Russians or somebody like that would also make these [cyber] tools available to private entities that are out there engaging the criminal ransomware aspect, if for nothing else [because] it provides some cover for their own activities,” said Mr. Eatinger, a former top lawyer at the CIA with more than 20 years’ experience. “So I think when you see the demands for a lot of money from just your basic commercial enterprises, that to me is probably private and criminal but it doesn’t mean that’s where they didn’t originally get the tools from some state actor.”
Cyberattackers in Russia fall into three loosely organized categories, experts say — state-directed attackers, independent criminals, and surrogates that may have developed the knowledge or hacking tools from the state. Some cyberattackers may work for the government for part of the day and launch their own cyberattacks for private profit during the rest of the day without objection from their bosses.
Attribution in the cyber domain is difficult, a fact that cyberattackers have exploited to gain an advantage. Both Colonial Pipeline and meat producer JBS were hit in May by ransomware operators with ties to Russia, but it is not clear who exactly is behind the keyboard and how they picked their targets.
Ransomware operators using DarkSide hit the pipeline servicing the East Coast of the U.S., while JBS got hit by an outfit known as REvil. Both DarkSide and REvil operated on a ransomware-as-a-service model, with developers of malicious software and the affiliates deploying it sharing portions of the ransom payments made by victims to regain access to their systems or data. Some cyberattackers using DarkSide had also allegedly partnered with REvil, according to cybersecurity firm FireEye.
A new form of terrorism
The Biden administration responded to the spate of ransomware attacks by elevating cyberattacks to a level on equal footing with terrorism. FBI Director Christopher Wray compared the ransomware flood to the challenge of the September 11, 2001 terrorist attacks in an interview with the Wall Street Journal. The Justice Department sent a memo to U.S. attorneys’ offices across the country last week declaring every report of a new cyberattack as “urgent” and directing ransomware attack investigations to get the same priority given to terrorism investigations.
Mr. Eatinger said casting ransomware as terrorism is important because it allows the government’s national security apparatus to get involved rather than leaving the problem for domestic law enforcement agencies. He said the change in language may allow the national security community greater opportunity to help find the cyberattackers and knock them offline.
For victims struggling to determine whether to pay their cyberattackers’ ransoms, the government has sent mixed signals. In the aftermath of the cyberattack on Colonial Pipeline, the FBI and Cybersecurity and Infrastructure Security Agency urged victims not to pay while the White House’s top cyber official said the Biden administration was leaving that decision up to the company.
Colonial Pipeline acknowledged it paid its cyberattackers’ $4.4 million ransom, and its CEO Joseph Blount will appear before the Senate Homeland Security and Governmental Affairs Committee on Tuesday. The Justice Department on Monday announced that it had recovered much of the cryptocurrency that Colonial had paid to the hackers last month.
Not everyone pays the cyberattackers. After Sky Lake Medical Center in Oregon got hit with ransomware linked to Russia last October, the center’s spokesperson said that it did not pay ransom. Instead, patients whose medical records were corrupted by the hackers were provided the opportunity to have the imaging procedures redone at no cost, said Tom Hottman, the center’s spokesperson, earlier this year.
“Whether these companies pay this sum or not, the message is there that this is a tool that Russia or others potentially providing state-sponsored support of hackers, can use to try and restrain U.S. power projection by ordering up some high-level cyber operations against the United States,” said an intelligence community source.
The Biden administration is looking to squeeze ransomware gangs with stricter rules surrounding cryptocurrency that is often used to pay cyberattackers. Anne Neuberger, deputy national security adviser for cyber and emerging technology, said in May that the Treasury Department was leading international efforts to adopt virtual assets standards intended to combat the use of cryptocurrencies in ransomware demands.
• Tom Howell Jr. contributed to this story.