A newly disclosed effort by Russian intelligence to hijack the email system of a U.S. government agency prompted leading Democrats on Friday to urge stronger action against Moscow for accelerating cyberattacks before President Joe Biden’s summit next month with President Vladimir Putin.
The latest hack was brought to light late Thursday by Microsoft and other private firms. They exposed how Russia’s SVR, the same intelligence agency that Washington has blamed for a range of cyberattacks on American networks over the past decade, infiltrated a communications company that distributes emails on behalf of the U.S. Agency for International Development.
Using that access, the hackers sent authentic-looking messages to human rights groups, nonprofit organizations and think tanks, including some that have been critical of Putin. The emails contained links to malware that gave the Russians access to the recipients’ computer networks.
The White House on Friday played down the severity of the attack, saying it was typical of daily cyberconflict. Officials said the fact that the attack had been caught quickly and neutralized — chiefly by Microsoft, which acted when it saw fake emails being sent — was evidence that enhanced defenses being deployed to defend government networks were beginning to show results.
But the timing was striking, and added to the sense that the scope of cyberattacks emanating from Russia — ranging from the most sophisticated to the most embarrassing, as seen in the ease with which hackers got into the email system used by the aid agency — is expanding rapidly despite warnings and retaliation from Washington.
A month ago, Biden imposed economic sanctions on Russia and expelled diplomats in response to one of the most sophisticated attacks ever seen on the “supply chain” of software that government and private sector networks rely on — one that gave Russian intelligence wide access to 18,000 networks. While the Russians used the access only to enter about 150 government agencies and companies, the attack demonstrated that it was possible to corrupt regularly scheduled software updates of the kind that government agencies and companies rely on to keep their systems current.
Then, this month, came a ransomware attack on Colonial Pipeline, carried out by a criminal group that Biden said was based in Russia. The pipeline was shut down for days, prompting panic-buying, long lines at the pump and shuttering gas stations across the Southeast. Colonial paid a $4.4 million ransom, and the attack underscored the vulnerability of the United States’ critical infrastructure.
The latest attack, at a moment of heightened tension with Russia, was more basic, but it focused further attention on why the United States has not been able to deter the wave of attacks by making its adversaries pay a higher price for them.
Rep. Adam Schiff, D-Calif., chairman of the House Intelligence Committee, argued that years of efforts to deter such attacks from Russia were failing.
“If Moscow is responsible, this brazen act of utilizing emails associated with the U.S. government demonstrates that Russia remains undeterred despite sanctions following the SolarWinds attack,” Schiff said, referring to the attack last year on the software supply chain. “Those sanctions gave the administration flexibility to tighten the economic screws further if necessary — it now appears necessary.”
Sen. Mark Warner, D-Va., chair of the Senate Intelligence Committee, echoed Schiff in calling for stronger consequences. “We must make clear to Russia — and any other adversaries — that they will face consequences for this and any other malicious cyberactivity,” he said.
Biden has already said that Russia’s cyberaggression would be part of the tense conversation he planned to have with Putin on June 16 in Geneva, at a moment when the two nations are at odds over Ukraine, human rights and Russia’s new generation of nuclear weapons.
Some analysts praised the way the U.S. government was responding.
“If you look at the steps the administration is taking to both defend and deter, which are the two key things we need to do here, they are going in the right direction in a significant way we have never seen before,” said Tom Burt, a senior Microsoft official who worked with the administration on several of the recent hacks. “But they are also facing a greater threat than we have ever seen.”
But some intelligence officials argued that sanctions and more covert actions — if there have been any — were showing few signs of deterring Putin. And so Biden is seeing the same kind of robust debate inside his own White House over whether more forceful responses are necessary, whether by exposing Putin’s financial entanglements, or by conducting retaliatory cyberstrikes.
Biden has shown caution, saying last month that he “chose to be proportionate” in response to the SolarWinds attack because he did not want “to kick off a cycle of escalation and conflict with Russia.”
Some cybersecurity experts now argue that Biden should have responded more aggressively.
“The U.S. tends to get too hung up on proportionality,” said James Lewis, one such expert at the Center for Strategic and International Studies in Washington. “We were too cautious in responding to SolarWinds, and that turned out to be a mistake. The way you set boundaries is through action, not by sending them nasty, diplomatic notes.”
U.S. officials have often been reluctant to respond to cyberaggression in kind, in part because the country’s own defenses are so inadequate. “Until we are confident in our own ability to deflect Russian cyberattacks, our actions will continue to be driven by concerns over what Putin will do,” said Kiersten Todt, managing director of the Cyber Readiness Institute.
But both government officials and some experts argued that the hijacking of emails by the SVR was such bread-and-butter stuff in the modern world of constant cyberconflict that it did not mark an escalation from SolarWinds. “It’s not obvious to me that this type of attack is over the red line,” said Robert Chesney, director of the Strauss Center at the University of Texas at Austin.
In this case, Microsoft reported, the goal of the hackers was not to go after the aid agency itself. Instead, its motivation appeared to be to use emails purporting to be from the U.S. government to get inside groups that have revealed Russian disinformation campaigns, anti-corruption groups and those who have protested the poisoning, conviction and jailing of Russia’s best-known opposition leader, Alexei Navalny.
According to SecureWorks, an Atlanta cybersecurity firm tracking the attacks, the Russian hackers targeted the Atlantic Council and EU Disinfo Lab, which have both exposed several Russian disinformation campaigns.
Other targets included the Organization for Security and Cooperation in Europe, which has drawn Putin’s ire for criticizing the fairness of elections in Belarus and Ukraine; the Ukrainian Anti-Corruption Action Center; and Ireland’s Department of Foreign Affairs, according to SecureWorks.
Putin had previously described the Organization for Security and Cooperation in Europe as a “vile instrument of the West.” The fact that Russia took aim at these targets, not federal networks as it did with SolarWinds, suggested sanctions may have diverted Russia elsewhere.
“This may be Russia, and Putin specifically, saying, ‘Thanks for the sanctions — now we’re going to use America’s open and vulnerable networks for our own political purposes and vendettas,’” Todt said.
Microsoft, like other major firms involved in cybersecurity, maintains a vast sensor network to look for malicious activity on the internet, and is frequently a target itself. It was deeply involved in revealing the SolarWinds attack.
In the most recent case, Burt said that Microsoft had been tracking the hackers as they broke into a mass-email system run by a company called Constant Contact, which has the Agency for International Development as a client.
“They never had to enter a U.S. government system,” Burt said. Instead, they compromised the Constant Contact communications system and made their way into the agency’s account. That enabled them to send emails that appeared to be from the agency.
In a statement, Constant Contact, without confirming the identity of its client, suggested that hackers had used stolen security credentials to breach the agency’s Constant Contact email accounts. “This is an isolated incident,” the statement said, “and we have temporarily disabled the impacted accounts while we work in cooperation with our customer, who is working with law enforcement.”
But Russian hackers have seized on many such opportunities, intelligence officials say. Biden’s aides said that the fact that the hackers were caught so quickly underscored the need for government agencies and suppliers to adhere to new standards required by an executive order issued two weeks ago. That includes monitoring requirements that would most likely set off alarms in cases where malware is being transmitted in emails, and reporting requirements if there are attacks.
Presenting the new order this month, Anne Neuberger, Biden’s deputy national security adviser for cyber and emerging technology, said the new order would “raise the game” for anyone who wanted to do business with the federal government, and that the higher standards of security would spread through private industry. There are some signs that is already happening.
But the adversaries are also improving. Microsoft noted that the Russian attack used new tools and tradecraft in an apparent effort to avoid detection. “Some people would call this ‘espionage as usual,’ and it was,” Burt said. “But no government wants some other government living in their networks for three months.”