13 July 2021

Russian Criminals Cross Biden’s Cyber Red Line

Samantha Ravich & Annie Fixler

Over the weekend, Russian cybercriminals launched a supply chain-based ransomware attack of unprecedented scale that began with the breach of an American information technology (IT) firm. Coming three weeks after President Joe Biden warned his Russian counterpart, President Vladimir Putin, of the consequences of cyberattacks on U.S. critical infrastructure, the incident will be an early test of the administration’s resolve.

The hackers exploited a flaw in Kaseya's VSA remote management software. Miami-based Kaseya sells VSA to managed service providers (MSPs), which use it to install software and security updates on their clients' networks automatically. Because the product sits in that trusted position, compromising the VSA servers at each affected MSP let the attackers push ransomware downstream to those MSPs' customers, hitting more than 1,500 companies in 17 countries. The FBI said that the bureau and the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency "may be unable to respond to each victim" because of the size of the incident. The Russian-speaking REvil cybercriminal group claimed responsibility for the attack and demanded a $70 million ransom for a universal decryption key that would unlock every victim at once.

While Kaseya CEO Fred Voccola was quick to downplay the scale of the impact, a recent FDD study estimated that the economic costs of a ransomware attack on a single MSP could top $77 million, and the latest attack may involve dozens of MSPs. Voccola also denied that the attack affected critical infrastructure, although some evidence appears to contradict his claim. It is likely too early to understand the full impact of the attack, but Kaseya and its MSP clients belong to the IT sector, one of the 16 critical infrastructure sectors defined by Presidential Policy Directive 21, which President Barack Obama issued in 2013. The attack also reached the critical and essential infrastructure of allies and partners, forcing a Swedish grocery chain to close roughly 800 stores across the country.

REvil operates a ransomware-as-a-service (RaaS) model: the core group develops and maintains the malware and supplies it to affiliates (possibly located outside Russia), who break into victims' networks and deploy it. Because of this division of labor, Biden instructed the intelligence agencies to determine whether the affiliate responsible for the latest attack was operating from within Russia, and warned that if so, the United States "would respond."

Following his summit with Putin in June, Biden pledged that if Russia violates norms against attacking critical infrastructure, “we will respond with cyber.” Signaling efforts are an important part of deterrence, but if the adversary violates a red line and a response is not forthcoming, deterrence evaporates. This attack violates the spirit, if not the letter, of Biden’s warning to Putin, as Russia has at a minimum tolerated and possibly abetted these RaaS criminal groups. If the White House does not respond forcefully to this operation, U.S. deterrence will weaken, and the next attack will be worse.

The Kremlin sees minimal cost in harboring RaaS gangs such as REvil and Darkside — the latter responsible for the Colonial Pipeline attack. In concert with like-minded countries, the Biden administration has a range of tools at its disposal for imposing costs not only on the gangs responsible for the attacks, but also on the Russian government that provides them sanctuary. In addition to cyber actions, the administration’s response could include regularly used diplomatic, economic, and law enforcement tools as well as more creative options, including information operations focused on corruption in Russia. The Ransomware Task Force outlined dozens of steps the U.S. government should take in partnership with the private sector and other governments to deter and disrupt ransomware operations, including, for example, “constrain[ing] ‘safe haven’ country activity in international financial markets.”

The drumbeat of ransomware attacks is getting louder, and if U.S. policymakers choose not to listen, the volume will only increase until it deafens. The Biden administration is at a critical juncture. It can take action to enforce its red line and defend cyber norms, or it can stand idly by as America’s adversaries repeatedly launch attacks on U.S. soil and determine the bounds of acceptable behavior in cyberspace.
