After Biden meets with Putin, US reveals details of Russian hacking campaign
WASHINGTON – Two weeks after President Biden met with Russian President Vladimir V. Putin and asked him to curb the constant cyberattacks directed against US targets, US and UK intelligence agencies on Thursday unveiled details of what they called a global effort by Russia’s military intelligence organization to break into government organizations, defense contractors, universities and media companies.
The operation, described as crude but broad, is “almost certainly underway,” the National Security Agency and its UK counterpart, known as GCHQ, said in a statement. They identified the Russian military intelligence agency, the GRU, as the same group that hacked the Democratic National Committee and published emails in an attempt to influence the 2016 presidential election in favor of Donald J. Trump.
Thursday’s revelation is an attempt to expose Russian hacking techniques rather than specific new attacks, and it includes pages of technical detail to allow potential targets to identify that a breach is in progress. Many of the GRU’s actions – including an effort to access data stored in Microsoft’s Azure cloud services – have already been documented by private cybersecurity companies.
But the political significance of the declaration is greater: it is a first challenge to Mr. Putin since the Geneva summit, where Mr. Biden handed him a list of 16 areas of “critical infrastructure” in the United States and said it would not tolerate continued Russian cyberattacks.
“We will find out if we have a cybersecurity deal that begins to bring order,” Biden said at the end of that meeting, just minutes after Mr. Putin said the United States, not Russia, was the largest source of cyberattacks around the world.
It is not clear from the data provided by the National Security Agency how many targets of the GRU – also known as Fancy Bear or APT 28 – could be on the critical infrastructure list, which is maintained by the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency. At the time of the attacks on the electoral system in 2016, electoral systems – including voting machines and registration systems – were not on the list; they were added later, in the closing days of the Obama administration. U.S. intelligence agencies later said Putin directly endorsed the 2016 attacks.
But the National Security Agency statement identified energy companies as a primary target, and Mr. Biden specifically cited them in his talks with Mr. Putin, noting the ransomware attack that led to the Colonial Pipeline shutting down in May and halting the delivery of gasoline, diesel and jet fuel along the East Coast. That attack was not carried out by the Russian government, Mr. Biden said at the time, but rather by a criminal gang operating from Russia.
In recent years, the National Security Agency has more aggressively attributed cyberattacks to specific countries, especially those carried out by rival intelligence agencies. But in December, it was caught off guard by the most sophisticated attack on the United States in years, the SolarWinds hack, which hit federal agencies and many of the nation’s largest businesses. That attack, which the National Security Agency later said was carried out by the SVR, a competing Russian intelligence agency that was an offshoot of the KGB, succeeded in tampering with the code of a popular network management software product, and thereby in reaching the computer networks of 18,000 companies and government agencies.
There is nothing particularly unusual about the methods the Russian intelligence unit uses, according to the United States. There is no custom malware and there are no unknown GRU exploits. Instead, the group uses common malware and the most basic techniques, like brute-force password spraying, which uses stolen or leaked passwords to gain access to accounts.
The government did not identify the targets of the recent GRU attacks, but said they were government agencies, political consultants, political party organizations, universities, defense contractors, energy companies, think tanks and media companies.
The attacks appear to focus primarily on intelligence and information gathering. The National Security Agency has not identified any means by which Russian hackers damaged the systems.
The recent wave of GRU attacks has been going on for a relatively long time, starting in 2019 and continuing throughout this year.
Once inside, GRU hackers would gain access to protected data and emails, as well as cloud services used by the organization.
The GRU hacker group was responsible for the main hack of the Democratic National Committee in 2016, which resulted in the theft and dissemination of materials intended to harm Hillary Clinton’s campaign.
On Thursday, the National Security Agency released a list of evasion and exfiltration techniques used by the GRU to help information technology officials identify – and stop – the group’s attacks.
This lack of sophistication means that fairly basic measures, such as multi-factor authentication, timeout locks, and temporary lockout of accounts after repeated incorrect passwords, can effectively block brute-force attacks.
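The two defensive ideas in the article, spotting a password-spraying campaign and locking accounts after repeated failures, can be illustrated in a few dozen lines. The following is an added example written for this page, not code from the NSA/GCHQ advisory or from any product; the log format, field names, thresholds and the sample log lines are all constructed for the demonstration.

```python
"""Password-spray detection and per-account lockout over constructed auth-log lines.

Added illustration for this article; the log format (timestamp user src_ip result),
the thresholds and the sample lines below are assumptions made for the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from the article or the advisory).
# 203.0.113.7 tries one password against many accounts (a spray); 198.51.100.5
# hammers a single account (classic brute force).
SAMPLE_LOG = """\
2021-07-01T10:00:01Z alice 203.0.113.7 FAIL
2021-07-01T10:00:02Z bob 203.0.113.7 FAIL
2021-07-01T10:00:03Z carol 203.0.113.7 FAIL
2021-07-01T10:00:04Z dave 203.0.113.7 FAIL
2021-07-01T10:00:05Z erin 203.0.113.7 FAIL
2021-07-01T10:00:06Z frank 203.0.113.7 SUCCESS
2021-07-01T10:00:07Z alice 198.51.100.5 FAIL
2021-07-01T10:00:09Z alice 198.51.100.5 FAIL
2021-07-01T10:00:11Z alice 198.51.100.5 SUCCESS
2021-07-01T10:30:00Z gina 203.0.113.7 FAIL
"""


def parse(log_text):
    """Turn the constructed log into (timestamp, user, src_ip, result) tuples."""
    events = []
    for line in log_text.splitlines():
        ts, user, ip, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip, result))
    return events


def detect_spray(events, window=timedelta(minutes=10), min_accounts=5):
    """Flag source IPs whose failed logins touch at least `min_accounts`
    distinct accounts inside any `window`-long interval.

    A spray keeps attempts per account low, so per-account counters miss it;
    counting distinct accounts per source is what exposes it.
    """
    fails_by_ip = defaultdict(list)
    for ts, user, ip, result in events:
        if result == "FAIL":
            fails_by_ip[ip].append((ts, user))
    flagged = {}
    for ip, fails in fails_by_ip.items():
        fails.sort()
        for i, (start, _) in enumerate(fails):
            users = {u for t, u in fails[i:] if t - start <= window}
            if len(users) >= min_accounts:
                flagged[ip] = sorted(users)
                break
    return flagged


def apply_lockout(events, max_failures=3, lockout=timedelta(minutes=15)):
    """Simulate a per-account lockout policy: after `max_failures` consecutive
    failures the account rejects every attempt (even a correct password) until
    `lockout` has elapsed. Returns one decision per event."""
    state = {}  # user -> (consecutive_failures, locked_until or None)
    decisions = []
    for ts, user, ip, result in events:
        fails, locked_until = state.get(user, (0, None))
        if locked_until is not None and ts < locked_until:
            decisions.append((ts, user, "REJECTED_LOCKED"))
            continue
        if result == "FAIL":
            fails += 1
            if fails >= max_failures:
                state[user] = (0, ts + lockout)
                decisions.append((ts, user, "LOCKED"))
            else:
                state[user] = (fails, None)
                decisions.append((ts, user, "FAIL"))
        else:
            state[user] = (0, None)
            decisions.append((ts, user, "SUCCESS"))
    return decisions


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print("spraying sources:", detect_spray(evs))
    for ts, user, decision in apply_lockout(evs):
        print(ts.isoformat(), user, decision)
```

Run against the sample, the lockout policy stops the single-account brute force from 198.51.100.5 (the third failure locks `alice`, and the following correct password is rejected while the lock holds), but it never triggers on the spray from 203.0.113.7, which makes exactly one attempt per account. That is why the two controls complement each other: lockouts and multi-factor authentication blunt the attempts, while the per-source distinct-account count is what surfaces the campaign to defenders.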