After Biden Meets Putin, U.S. Exposes Details of Russian Hacking Campaign

WASHINGTON — Two weeks after President Biden met President Vladimir V. Putin of Russia and demanded that he rein in the constant cyberattacks directed at American targets, American and British intelligence agencies on Thursday exposed the details of what they called a global effort by Russia’s military intelligence organization to break into government organizations, defense contractors, universities and news media companies.

The operation, which the agencies described as a crude but broad effort, is “almost certainly ongoing,” the National Security Agency and its British counterpart, known as GCHQ, said in a statement. It identified the Russian military intelligence agency, the G.R.U., as the same group that hacked into the Democratic National Committee in 2016 and released emails in an effort to influence the presidential election in favor of Donald J. Trump.

Thursday’s revelation is an attempt to expose Russian hacking techniques, rather than any specific new attacks, and it includes pages of technical detail to enable potential targets to identify that a breach is underway. Many of the actions by the G.R.U. — including, in this case, an effort to get into data stored in Microsoft’s Azure cloud services — have already been documented by private cybersecurity firms.

But the political significance of the statement is larger: It is a first challenge to Mr. Putin since the summit in Geneva, where Mr. Biden handed him a list of 16 areas of “critical infrastructure” in the United States and said that it would not tolerate continued Russian cyberattacks.

“We’ll find out whether we have a cybersecurity arrangement that begins to bring some order,” Mr. Biden said at the end of that meeting, only minutes after Mr. Putin declared that the United States, not Russia, was the largest source of cyberattacks around the world.

From the data provided by the National Security Agency, it was not clear how many of the targets of the G.R.U. — also known as Fancy Bear or APT 28 — might be on the critical infrastructure list, which is maintained by the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency. At the time of the attacks on the election system in 2016, election systems — including voting machines and registration systems — were not on the list; they were later added in the last days of the Obama administration. American intelligence agencies later said Mr. Putin had directly approved the 2016 attacks.

But the National Security Agency statement identified energy companies as a primary target, and Mr. Biden specifically cited them in his talks with Mr. Putin, noting the ransomware attack that led Colonial Pipeline to shut down in May, interrupting the delivery of gasoline, diesel and jet fuel along the East Coast. That attack was not run by the Russian government, Mr. Biden said at the time, but by a criminal gang operating from Russia.

In recent years, the National Security Agency has more aggressively attributed cyberattacks to specific countries, particularly when they are conducted by adversarial intelligence agencies. But in December, it was caught unaware by the most sophisticated attack on the United States in years, the SolarWinds hack of federal agencies and many of the nation’s largest companies. That attack, which the agency later said was conducted by the S.V.R., a competing Russian intelligence agency that was an offshoot of the Soviet K.G.B., was a stealthy and successful effort to alter the code in popular network-management software, and through that software to gain entry into the computer networks of as many as 18,000 companies and government agencies that had installed the tainted update.

There is nothing particularly unusual about the methods the United States says the Russian intelligence unit used. There is no bespoke malware and no previously unknown exploit attributed to the G.R.U. unit. Instead, the group relies on common malware and the most basic techniques to break into computer networks, above all brute-force password spraying: trying a small number of commonly used or previously leaked passwords against a large number of accounts, keeping the attempts per account low enough to avoid triggering lockouts.

The government did not name the targets of the G.R.U.’s recent attacks but said they included government agencies, political consultants, political party organizations, universities, defense contractors, energy companies, think tanks and news media companies.

The attacks appear to be mostly about gathering intelligence and information. The National Security Agency did not identify any ways in which the Russian hackers damaged systems.

The recent wave of G.R.U. attacks has gone on for a relatively long time, beginning in 2019 and continuing through this year.

Once inside, the G.R.U. hackers would gain access to protected data and email — as well as to cloud services used by the organization.

The same group of G.R.U. hackers was responsible for the primary hacking of the Democratic National Committee in 2016, which resulted in the theft, and release, of documents meant to damage the campaign of Hillary Clinton.

On Thursday, the National Security Agency released a list of evasion and exfiltration techniques used by the G.R.U. to help information technology managers identify — and stop — attacks by the group.

That lack of sophistication means fairly basic measures, like multifactor authentication, timeout locks and temporary disabling of accounts after a run of incorrect passwords, can effectively block brute-force attacks.
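The two preceding passages describe the technique (password spraying) and the basic countermeasures. The following is an added example, not code from the advisory, the agencies or the article: it runs a per-account lockout check and a source-based spray detector over a handful of constructed authentication log lines. The log format, the field names and the thresholds are assumptions made for the example, not anything the advisory specifies. It shows why the two views differ: a classic brute force against one account trips the lockout, while a spray that touches many accounts once or twice each stays under the per-account threshold and is visible only when failures are grouped by source address.

```python
"""Password-spray detection over authentication log lines (added example).

Password spraying tries a few common passwords against many accounts, so
each account sees only one or two failures and a per-account lockout never
fires. The signature appears only when failures are grouped by source
rather than by user: one source, many distinct usernames, few attempts per
username, inside a short window.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Set

# Constructed sample log lines (invented for this example, not real data).
# Assumed line format: "<ISO-8601 timestamp> <FAIL|SUCCESS> user=<name> src=<ip>"
# 203.0.113.7 sprays six accounts, then logs in as frank (a weak password hit).
# 198.51.100.9 hammers the single "admin" account (classic brute force).
# 192.0.2.5 is a legitimate user who mistyped once.
SAMPLE_LOG = """\
2021-07-01T10:00:01Z FAIL user=alice src=203.0.113.7
2021-07-01T10:00:04Z FAIL user=bob src=203.0.113.7
2021-07-01T10:00:07Z FAIL user=carol src=203.0.113.7
2021-07-01T10:00:10Z FAIL user=dave src=203.0.113.7
2021-07-01T10:00:13Z FAIL user=erin src=203.0.113.7
2021-07-01T10:00:16Z FAIL user=frank src=203.0.113.7
2021-07-01T10:05:02Z FAIL user=alice src=203.0.113.7
2021-07-01T10:05:05Z SUCCESS user=frank src=203.0.113.7
2021-07-01T10:01:00Z FAIL user=admin src=198.51.100.9
2021-07-01T10:01:01Z FAIL user=admin src=198.51.100.9
2021-07-01T10:01:02Z FAIL user=admin src=198.51.100.9
2021-07-01T10:01:03Z FAIL user=admin src=198.51.100.9
2021-07-01T10:01:04Z FAIL user=admin src=198.51.100.9
2021-07-01T10:01:05Z FAIL user=admin src=198.51.100.9
2021-07-01T10:02:00Z FAIL user=gina src=192.0.2.5
2021-07-01T10:02:30Z SUCCESS user=gina src=192.0.2.5
"""


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    success: bool
    user: str
    src: str


def parse_log(text: str) -> List[AuthEvent]:
    """Parse the assumed line format, skipping blank or malformed lines,
    and return the events sorted by timestamp."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts_raw, result, user_kv, src_kv = parts
        if not (user_kv.startswith("user=") and src_kv.startswith("src=")):
            continue
        ts = datetime.fromisoformat(ts_raw.replace("Z", "+00:00"))
        events.append(AuthEvent(ts, result == "SUCCESS", user_kv[5:], src_kv[4:]))
    return sorted(events, key=lambda e: e.ts)


def locked_accounts(events: List[AuthEvent], threshold: int = 5,
                    window: timedelta = timedelta(minutes=15)) -> Set[str]:
    """Accounts a per-account lockout policy would disable: `threshold`
    failures within `window`. Catches the admin brute force, not the spray."""
    locked: Set[str] = set()
    failures: Dict[str, List[datetime]] = defaultdict(list)
    for e in events:
        if e.success:
            continue
        recent = [t for t in failures[e.user] if e.ts - t <= window]
        recent.append(e.ts)
        failures[e.user] = recent
        if len(recent) >= threshold:
            locked.add(e.user)
    return locked


def spraying_sources(events: List[AuthEvent], window: timedelta = timedelta(minutes=30),
                     min_users: int = 5, max_per_user: int = 2) -> Dict[str, int]:
    """Source IPs whose failures inside any `window` touch at least `min_users`
    distinct accounts with no more than `max_per_user` failures each.
    Returns {source: distinct accounts seen in the worst window}."""
    flagged: Dict[str, int] = {}
    by_src: Dict[str, List[AuthEvent]] = defaultdict(list)
    for e in events:
        if not e.success:
            by_src[e.src].append(e)
    for src, fails in by_src.items():
        start = 0
        for end in range(len(fails)):  # sliding window over time-sorted failures
            while fails[end].ts - fails[start].ts > window:
                start += 1
            per_user: Dict[str, int] = defaultdict(int)
            for f in fails[start:end + 1]:
                per_user[f.user] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                flagged[src] = max(flagged.get(src, 0), len(per_user))
    return flagged


def compromised_after_spray(events: List[AuthEvent], sprayers: Dict[str, int]) -> List[str]:
    """Accounts that logged in successfully from a flagged spraying source:
    the spray found a weak password, so these need a reset and MFA."""
    return sorted({e.user for e in events if e.success and e.src in sprayers})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    spray = spraying_sources(evs)
    print("locked by per-account policy:", locked_accounts(evs))
    print("spraying sources:", spray)
    print("accounts to reset:", compromised_after_spray(evs, spray))
```

On the sample data the per-account policy locks only `admin`, while the spray detector flags 203.0.113.7 for touching six accounts and then identifies `frank` as the account it got into. The practical point is that lockouts and timeouts blunt single-account brute force, but a spray is built to stay under per-account thresholds, so the failed-login view has to be pivoted on the source (or on the tenant as a whole) as well, and multifactor authentication is what makes a guessed password insufficient on its own.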
