Commentary
Discussing Russian hacking capabilities in a video discussion for the Heritage Foundation recently, Prof. Scott Jasper of the Naval Postgraduate School recalled a hack in 2018 in which the attackers succeeded in penetrating electrical power companies in the United States, as they did in Ukraine.
“We had evidence from CISA (Cybersecurity and Infrastructure Security Agency) that Russian actors had penetrated up to 20 to 24 utilities by compromising vendors that had trusted relationships,” Jasper said. “They had taken control to the point where they could have thrown switches. They did this in Ukraine and flipped the switches of substations. So, this is a real threat.”
Those are sobering words from an authority on Russian cybercrime, cyberespionage, and the financial threats caused by cyber-extortion. And the most recent large-scale ransomware hack shows the stakes of that problem.
It was a ransomware gang called REvil that recently targeted a Miami-based IT services provider called Kaseya. REvil demanded $70 million in ransom, the highest ever, but later reduced it to $50 million. This malicious Russia-based outfit also sought ransom payments from thousands of affected customer organizations and managed service providers. Like the SolarWinds attack mentioned in Part One of this series, it was a classic “supply chain” attack, in which a trusted IT service provider for other companies instead becomes the unwitting source of an attack upon its own customers by cyber-predators that compromise their software maintenance updates.
While the term “Trojan Horse” is certainly appropriate to describe the malicious “Cobalt Strike” software that did the actual damage, another historical reference may better describe the situation where state-sponsored or state-condoned thieves prey on innocent businesses—the Barbary pirates.
In the early 19th Century, U.S. President Thomas Jefferson was confronted by the Barbary pirates of North Africa, who were known for capturing and ransoming sailors and vessels they attacked under the protection of the local pashas and the Ottoman Empire. In 1804, after “corsairs” seized the new U.S. frigate Philadelphia, which ran aground off Tripoli, U.S. Navy officers Edward Preble and Stephen Decatur led a daring raid on Tripoli’s harbor and blew up the captured warship, while inflicting heavy damage on the city’s defenses. Britain’s Admiral Lord Nelson himself called the raid “the most bold and daring act of the age.” Jefferson’s decision to fight the Barbary pirates was not without its detractors. Many Americans, including John Adams, believed it was better policy to pay the tribute. It was cheaper than the loss of trade.
As Adams put it, “We ought not to fight them at all unless we determine to fight them forever.”
The internet is not the south coast of the Mediterranean, and today’s digital corsairs can essentially operate from anywhere. But they are still the responsibility and, in many cases, the paid agents of Russian aggression against the United States and other sovereign nations. Sanctions and other punitive measures should address Russia’s refusal to sign onto the so-called Budapest Convention, a pact that obliges signatories to prevent cybercrimes that are conducted within their borders. European Union nations and the United States are all signatories. Russia has resisted doing so, even as cybercrime traced to the Russian mafia and other “advanced persistent threat” actors is repeatedly traced to its soil. An article from the February 2015 issue of Brigham Young University Law Review argues persuasively that “Russia has an obligation to monitor and prevent trans-boundary cybercrime under the standard of due diligence.” But Russia will not, because the cyber-hackers advance Vladimir Putin’s goal of creating havoc and depressing the morale of the countries he targets.
Something encouraging did happen after REvil’s attack: its website went off the air. By itself, this is not uncommon, since cybercriminals often “go dark” after a large-scale exploit like this one. In this case, though, an anonymous victim who paid a ransom demanded by REvil for the decryptor was unable to get a working code from REvil’s “customer service” address. Days later, however, Kaseya announced to its customers that it had received a universal decryptor from a third party and offered it to its customers directly for free. Asked by a Reuters correspondent recently whether it would make sense to attack the Russian servers used in such intrusions, President Joe Biden paused, smiled, and said: “Yes.”
Even two months later, no one in the security community will say for sure who might have taken the site down. In fact, the group’s dark web site partially came back online as of Sept. 8, two months after disappearing. This leaves unanswered whether REvil was really punished or disabled, and who actually provided Kaseya with the decryption tool. Was it a chastened Russia? American intelligence operatives? Or was REvil paid by someone to go dark? No one is likely to say, for a variety of reasons. We can hope that a corner has been turned, but it’s much too early to say. Unfortunately, there are plenty of other hacking groups capable of duplicating the feat.
Cybersecurity experts continue to stress resilience and recovery from attacks, rather than pinning hopes on offensive strikes at hacker groups, regardless of whether they are acting on behalf of a government. The world of cybercrime is more complicated and fast-moving today than in the days of 18th and 19th Century “Musselman” privateers. The cat-and-mouse games played every day between cyber-crooks and cyber-cops cannot be ended by one daring raid. But as the stakes of the crimes rise with the world’s reliance on connected systems to operate more and more of its physical infrastructure, the urgent need to shove the pirates off the deck before they can burn the ship grows more pressing.
Views expressed in this article are opinions of the author and do not necessarily reflect the views of The Epoch Times.