Analysis | The government unsealed Russian hacking charges to warn businesses – The Washington Post

A newsletter briefing on cybersecurity news and policy.
with research by Aaron Schaffer
Welcome to The Cybersecurity 202! I’ll be on vacation the next couple weeks. Please send Aaron your best news and tips while I’m away. He’ll be running the shop along with a few special guest hosts. 
Below: The Russian military was behind a hack of the satellite firm Viasat in the early days of the Ukraine invasion, U.S. intelligence analysts conclude, and U.K. police arrested seven people in the Lapsus$ hacking case. 
The U.S. Justice Department released indictments against four Kremlin hackers yesterday — but the real message was for U.S. businesses. 
While the Russian hackers will almost certainly never see the inside of a U.S. courtroom, the indictments send yet another loud and clear signal to U.S. businesses that they’d better raise their guard against a Russian hacking threat that’s as dangerous as it’s ever been. 
“Although the criminal charges unsealed today reflect past activity, they make crystal clear the urgent ongoing need for American businesses to harden their defenses and remain vigilant,” Deputy Attorney General Lisa O. Monaco warned.
Monaco added that Russian government-backed hackers “pose a serious and persistent threat to critical infrastructure both in the United States and around the world.”
Details: The two indictments focus on a global hacking campaign against energy sector companies in 135 countries between 2012 and 2018. The hacking campaign targeted numerous U.S. firms and caused an emergency shutdown at one foreign facility, Devlin Barrett reported. It’s not clear how many energy firms the hackers actually compromised.
The indictments were both filed under seal last summer and unsealed yesterday. 
There’s no evidence of serious destruction caused by the hacks, but many of them raised the possibility of such destruction — either through the hackers’ maliciousness or carelessness. 
The indictments are the latest salvo in a concerted U.S. government effort to keep pressure on U.S. companies to gird their cyber defenses against Russian hacks.
Officials including President Biden have said they expect those hacks to target critical sectors such as energy, finance and transportation in response to U.S. sanctions for Russia’s invasion of Ukraine.
Russia might also aim damaging hacks at Ukraine that leak out to computers in the United States and elsewhere as happened with the NotPetya bug in 2017. 
“The conduct alleged in these indictments are the kind we are concerned about” in the current environment, a Justice Department official said, per the Wall Street Journal’s Dustin Volz. 
Officials have been hammering similar points since before the Russian invasion with near-daily updates, a slurry of cyber checkup guides and a nearly three-hour briefing for industry hosted by the Cybersecurity and Infrastructure Security Agency (CISA).
CISA jumped on the DOJ announcement with a guide for energy firms to protect against similar attacks from Russian hackers. CISA Director Jen Easterly:
👏Good to see @TheJusticeDept indictments on Russian state-sponsored cyber actors. Along with our #FBI & @DOE_CESER teammates, we’re releasing a Cybersecurity Advisory w/info & actions to defend against related threats to the energy sector: https://t.co/Qo3Ri5w38O https://t.co/zVP6c29er0
Experts also interpreted the indictments as a signal to industry. 
Chris Painter, former top cyber ambassador during the Obama administration:
This makes clear that the recent WH & CISA warnings were not hyperbole. Good work by FBI & DOJ that gives context to present and future warnings & illustrates capabilities. https://t.co/MGlnmgXmzB
Harvard professor and former Department of Homeland Security official Juliette Kayyem:
While the specific charges relate to activity between 2012-2018 by members of the Russian government, this is also about war, naming the culprits, and critical infrastructure: https://t.co/w0H9BU9AYg pic.twitter.com/oaDjMAtISr
Katie Nickels, director of intelligence for Red Canary:
USG messaging here is clear as day in this quote from Deputy AG Lisa Monaco https://t.co/1R2b2LGPcK
John Hultquist, vice president of intelligence analysis at the cybersecurity firm Mandiant, which has extensively tracked the hacking group: “We have never seen this actor actually carry out disruptive attack[s], just burrow into sensitive critical infrastructure for some future contingency. Our concern with recent events is that this might be the contingency we have been waiting for.”
And yet: The indictments are unlikely to alter the dangerousness or brazenness of Russian hacking operations, which have continued unabated despite numerous previous rounds of sanctions. 
They are, however, chock full of chilling details about Russian hacking operations. 
Here are some more details via Devlin:
The hackers in some cases relied on a particularly damaging form of malicious software called Triton. Here’s a deep dive on the malware by Blake Sobczak for E&E News. 
U.S. intelligence analysts have concluded that Russian military hackers were behind a cyberattack on a satellite broadband service that disrupted Ukraine’s military communications, Ellen Nakashima reports. The U.S. government hasn’t announced its conclusion publicly.
The Russian military spy service, the GRU, was behind the compromise, officials said, speaking on the condition of anonymity because of the matter’s sensitivity. 
Impact: “The recent outages, which began on Feb. 24 — the day Russia invaded Ukraine, resulted from the hack of satellite modems belonging to tens of thousands of people in Ukraine and other countries in Europe, according to an official with the U.S. firm Viasat, headquartered in Carlsbad, Calif.,” Ellen writes. “Agencies affected included civilians as well as Ukraine’s military and other government agencies, according to Ukrainian officials.”
Context: The Viasat hack marked the most significant use of cyber operations in the Russian invasion so far. Despite extensive Russian cyber capabilities, the military’s use of cyber tools has been less than many analysts predicted. 
From Saloni Sharma, spokeswoman for the National Security Council: “We do not have an attribution to share at this time and are looking at this closely. As we have already said, we are concerned about the apparent use of cyber operations to disrupt communications systems in Ukraine and across Europe and affect businesses and individuals’ access to the Internet.”
In other Ukraine news:
The suspects have been released while police continue to investigate, the BBC’s Joe Tidy reports. The group has claimed responsibility for a string of hacks that compromised major tech companies, including Microsoft, Samsung and Nvidia.
Cybersecurity researchers identified one of the group’s apparent leaders after tracking the teen online. “We did it by watching the post history of an account and seeing older posts provide contact information for the guy,” Unit 221B chief research officer Allison Nixon told Tidy. The hacker’s mistakes in covering his tracks helped researchers, Nixon said.
CISA Director Jen Easterly posted audio from the three-hour briefing in an effort at transparency, she said. But she removed it the next day after evidently receiving complaints from industry officials who didn’t know it would be released. 
Easterly said she appreciated “feedback” from people with concerns because she “failed to announce it.”
Some of those critical infrastructure partners asked blunt questions during the call. Agency officials said during the call that it was being recorded but also said it was “not intended for members of the media, and the content is not for reporting purposes.”
By the time Easterly apologized, the recording had gotten more than 4,700 views on YouTube.
Here’s more from Easterly:
I’m keenly aware of the importance of maintaining the trust of our community. You all have my sincere commitment to do better. 🙏
Context: CISA has historically striven to maintain a strong and cooperative relationship with industry — including keeping confidential industry reports about cyberthreats. But trust has been slower to develop with some industries, and the fracas over the audio release could make it even tougher. 
From a CISA spokesperson: “Given the excellent dialogue with the community and the desire to make the content as widely available as possible given today’s current threat environment, we made the decision to post the call online. Given expressed concerns from stakeholders, however, we removed the Q&A portion of the call.”
Musician Claire Boucher, who goes by the moniker Grimes, said in a Vanity Fair interview that her friend helped her launch a 2012 denial-of-service attack that overwhelmed the snarky blog Hipster Runoff with traffic, Motherboard‘s Samantha Cole reports.
Boucher was upset that the blog posted photos of her kissing another woman. The blog did indeed go mysteriously offline around that time. 
Launching denial-of-service attacks is a federal crime, but Boucher is “well beyond the statute of limitations,” Cole reports.
“We were like, we’re not gonna let you put your site back up until you take the story down,” the musician said in the interview. “And he did in fact take the story down, and it was like, my coolest hacker moment.” 
FBI warns of online ‘sextortion’ cases targeting teens (Clarence Williams)
Pair charged for orchestrating $1.1M Frosties NFT rug pull, plotting another (Motherboard)
Dual North Korean hacking efforts found attacking Google Chrome vulnerability (CyberScoop)
Greece’s national postal service restoring systems after ransomware attack (The Record)
Russian spies in Brussels lie low ahead of Biden visit (Politico Europe)
Virginia Thomas urged White House chief to pursue unrelenting efforts to overturn the 2020 election, texts show (Bob Woodward and Robert Costa)
Attorney calls decertifying 2020 election ‘pointless’ (Associated Press)
Senate Armed Services advances Army Cyber Command nominee (The Record)
Today’s third @washingtonpost TikTok features the latest on peduncle elongation!

(this is a real thing i promise)

Cherry blossoms in D.C. have reached their peak bloom: https://t.co/L4uxTzLpTY pic.twitter.com/s3qh7H5MR5
Thanks for reading. See you guys on the other side. 