WASHINGTON >> Two weeks after President Joe Biden met President Vladimir Putin of Russia and demanded that he rein in ransomware attacks on American targets, U.S. and British intelligence agencies today exposed the details of what they called a global effort by Russia’s military intelligence organization to spy on government organizations, defense contractors, universities and media companies.
The operation, described as crude but broad, is “almost certainly ongoing,” the National Security Agency and its British counterpart, known as GCHQ, said in a statement. They identified the Russian intelligence agency, or GRU, as the same group that hacked into the Democratic National Committee and released emails in an effort to influence the 2016 presidential election in favor of Donald Trump.
Today’s revelation is an attempt to expose Russian hacking techniques, rather than any new attacks, and it includes pages of technical detail to enable potential targets to identify that a breach is underway. Many of the actions by the GRU — including an effort to retrieve data stored in Microsoft’s Azure cloud services — have already been documented by private cybersecurity companies.
But the political significance of the statement is larger: It underscored the scope of hacking efforts out of Russia, which range from the kind of intelligence gathering engaged in by the GRU and the intelligence agencies of many states, to the harboring of criminal groups like the one that brought down Colonial Pipeline. The company provides much of the gasoline, jet fuel and diesel used on the East Coast, and when it was attacked, it shut down the pipeline for fear that the malicious code could spread to the operational controllers that run the pipeline.
Ever since the pipeline attack, the Biden administration’s focus on cyberattacks shifted, homing in on the potential for disruption of key elements of the nation’s economic infrastructure. It has focused on Russia-based criminal groups like DarkSide, which took credit for the Colonial attack but then announced it was shutting down operations after the U.S. put pressure on the group. The FBI later announced it had recovered some of the more than $4 million in ransom that Colonial paid the hackers to unlock the company’s records.
Whether those ransomware attacks abate will be the first test of whether Biden’s message to Putin at the summit in Geneva sank in. There, Biden handed him a list of 16 areas of “critical infrastructure” in the United States and said that the U.S. would not tolerate continued, disruptive Russian cyberattacks. But he also called for a general diminishment of breaches originating from Russian territory.
“We’ll find out whether we have a cybersecurity arrangement that begins to bring some order,” Biden said at the end of the meeting, only minutes after Putin declared that the United States, not Russia, was the largest source of cyberattacks around the world. Biden also repeatedly said that he was uncertain Putin would respond to the U.S. warning or the series of related financial sanctions imposed on Moscow over the past five years.
According to administration officials, neither the White House nor the intelligence agencies intended the advisory as a follow-up to the summit. Instead, they said, it was released as part of the National Security Agency’s routine warnings, said Charlie Stadtlander, an agency spokesperson, “not in response to any recent international gatherings.”
But that is unlikely to matter to Putin or the GRU as they try to assess the steps the Biden administration is willing to take to curb their cybercampaigns — and in what order.
It was unclear from the data provided by the National Security Agency how many of the targets of the GRU — also known as Fancy Bear or APT 28 — might be on the critical infrastructure list, which is maintained by the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency. At the time of the attacks on the election system in 2016, election systems — including voting machines and registration systems — were not on the list and were added in the last days of the Obama administration. U.S. intelligence agencies later said Putin had directly approved the 2016 attacks.
But the National Security Agency statement identified energy companies as a primary target, and Biden specifically cited them in his talks with Putin, noting the ransomware attack that led Colonial Pipeline to shut down in May, interrupting the delivery of gasoline, diesel and jet fuel along the East Coast. That attack was not by the Russian government, Biden said at the time, but rather by a criminal gang operating from Russia.
In recent years, the National Security Agency has more aggressively attributed cyberattacks to specific countries, particularly those by adversarial intelligence agencies. But in December, it was caught unaware by the most sophisticated attack on the United States in years, the SolarWinds hacking, which affected federal agencies and many of the nation’s largest companies. That attack, which the National Security Agency later said was conducted by the SVR, a competing Russian intelligence agency that was an offshoot of the KGB, successfully altered the code in popular network management software and thereby gained entry into the computer networks of 18,000 companies and government agencies.
There is nothing particularly unusual about the methods the United States says the Russian intelligence unit used. There is no bespoke malware or unknown exploits by the GRU unit. Instead, the group uses common malware and the most basic techniques, like brute-force password spraying, which relies on passwords that have been stolen or leaked to gain access to accounts.
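A defender-side check for the brute-force password spraying described above, as an added example that is not from the article or from the NSA/GCHQ advisory. The log format, usernames and source addresses are constructed; the signal it looks for is one source failing logons across many distinct accounts while each account fails only a time or two, which is how a spray stays under lockout thresholds.

```python
"""Flag password-spraying activity in authentication logs (added example).

A spray tries a few passwords against many accounts, so a single source
with failed logons across many distinct usernames inside a short window,
each account failing only once or twice, is the signal to alert on.
The log format below is constructed for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines: timestamp, result, user, source IP (RFC 5737 test ranges).
SAMPLE_LOG = """\
2021-07-01T10:00:01Z FAIL user=alice src=203.0.113.5
2021-07-01T10:00:03Z FAIL user=bob src=203.0.113.5
2021-07-01T10:00:05Z FAIL user=carol src=203.0.113.5
2021-07-01T10:00:07Z FAIL user=dave src=203.0.113.5
2021-07-01T10:00:09Z FAIL user=erin src=203.0.113.5
2021-07-01T10:00:11Z OK user=frank src=203.0.113.5
2021-07-01T10:01:00Z FAIL user=alice src=198.51.100.7
2021-07-01T10:01:30Z FAIL user=alice src=198.51.100.7
2021-07-01T10:02:00Z OK user=alice src=198.51.100.7
"""

def parse(line):
    """Split one constructed log line into (time, result, user, src)."""
    ts, result, user, src = line.split()
    return (datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), result,
            user.split("=", 1)[1], src.split("=", 1)[1])

def detect_spray(log_text, window=timedelta(minutes=10), min_accounts=5, max_per_account=2):
    """Return {src: sorted usernames} for sources whose failed logons hit at
    least min_accounts distinct accounts inside `window`, with no single
    account failing more than max_per_account times (a spray, not a brute
    force against one user, which lockout policy already catches)."""
    fails = defaultdict(list)  # src -> [(time, user)]
    for line in log_text.splitlines():
        ts, result, user, src = parse(line)
        if result == "FAIL":
            fails[src].append((ts, user))
    hits = {}
    for src, events in fails.items():
        events.sort()
        for i, (start, _) in enumerate(events):  # slide the window over each start
            per_user = defaultdict(int)
            for ts, user in events[i:]:
                if ts - start > window:
                    break
                per_user[user] += 1
            if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
                hits[src] = sorted(per_user)
                break
    return hits

def successes_after_spray(log_text, hits):
    """Accounts that logged on successfully from a flagged source: the
    likely compromised ones, so they are triaged first."""
    return sorted({parse(l)[2] for l in log_text.splitlines()
                   if parse(l)[1] == "OK" and parse(l)[3] in hits})
```

The second source in the sample (two failures against one account, then success) is not flagged, since that pattern is a mistyped password rather than a spray.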
The statement did not identify the targets of GRU’s recent attacks but said that they included government agencies, political consultants, party organizations, universities and think tanks.
The attacks appear to be mostly about gathering intelligence and information. The National Security Agency did not specify ways in which the Russian hackers damaged systems.
The recent wave of GRU attacks has gone on for a relatively long time, beginning in 2019 and continuing through this year.
Once inside, the GRU hackers would gain access to protected data and email — as well as to cloud services used by the organization.
The hackers were responsible for the primary breach of the Democratic National Committee in 2016, which resulted in the theft and release of documents meant to damage the campaign of Hillary Clinton.
This article originally appeared in The New York Times.