At a glance.
- More notes on the probable impact of the Kaseya incident on US policy.
- Russia's SVR suspected in attempt on the US Republican National Committee.
Further notes on policy and the Kaseya incident.
Yesterday President Biden told reporters he’ll “have more to say” about the Kaseya ransomware attack “in the next several days,” the Daily Mail reports. He announced Saturday that he’s “directed the full resources of the…Government to assist in the response,” and, according to MeriTalk, met today with an interagency ransomware taskforce.
Press Secretary Psaki shared that a “high level of our national security team has been in touch with a high level of Russian officials,” and “we expect to have another meeting next week focused on ransomware attacks.” She declined to specify whether any response would target the proximate threat actors or harboring state, but reiterated the President’s stance that host countries have “a responsibility” for domestic criminals.
Companies also have a responsibility for enacting cybersecurity best practices, she added, and the Administration’s position on paying ransom remains negative. The Christian Science Monitor observes potential for conflict and finger pointing between the public and private sectors, as the Government grows leery of leaving cybersecurity to the business community. Chamber of Commerce cyber officer Christopher Roberti hopes for a productive partnership, however.
The Monitor considers the installation of cyber czar Chris Inglis as a step “toward greater coordination” in a tumultuous time, noting that Inglis will organize the response of Homeland Security, Justice, and Treasury cyber officials with the help of seventy-five staff.
Russia’s challenge to the US Administration.
The New York Times calls the Kaseya incident—the “single largest global ransomware attack on record”—and Cozy Bear’s hit on a Republican National Committee vendor the awaited “test” of the Biden Administration’s red lines. The lines in question are President Biden’s warnings about sheltering ransomware gangs, and depending on Cozy’s intentions, either attacking democratic institutions or casting too wide a net (as in the Holiday Bear gambol).
In a Saturday speech, which onlookers consider his answer to the Geneva summit, President Putin asserted the legitimacy of undertaking “symmetrical and asymmetric measures” against “unfriendly actions.” Moscow’s new security strategy, unveiled concurrently, warns of Western attacks on Russia’s “traditional spiritual-moral and cultural-historical values.”
Center for Strategic and International Studies VP James Lewis said, “Biden did a good job laying down a marker, but when you’re a thug, the first thing you do is test that red line.” Lewis thinks the US has run out of warning shots, leaving only “more aggressive measures.”
The Administration is in the process of crafting a general toolbox of potential responses with approximately twenty international partners; the elephant in the room is, of course, escalation.
John Hultquist, VP of Analysis at Mandiant Threat Intelligence, commented on the attraction political parties hold for espionage services:
"Political parties are incubators for public policy, making them ideal targets for espionage actors trying to collect political, military, and economic intelligence. Though these organizations have been famously involved in aggressive hack and leak campaigns, more often than not, Russian hackers and others target them to quietly gather intelligence. While GRU actors made a big splash with the data they’d taken from the DNC in 2016, they were not alone. APT29 had also infiltrated that network in an operation that is more typical of cyber espionage."
Jerry Ray, COO of the enterprise data security and encryption firm SecureAge, thinks this latest incident is arguably more important than other recent cyberespionage activity. For one thing, it appears to be another supply chain security incident:
"As if intending nothing other than to punctuate the insidious effectiveness of supply chain attacks, the Russian hacking group APT 29 or Cozy Bear’s most recent exploitation may be the most significant yet.
"That’s not because of the suspected reach into the computer systems of the Republican National Committee, which has downplayed the notion of any access to its data. It’s also not because of some high water technical achievement, which may or may not be the case. And it’s not because of the nature of attacking an upstream vendor to reach downstream customers, as that’s been the highest profile attack vector since Cozy Bear’s attack on SolarWinds in December 2020.
"Instead, this particular exploit of a large-scale software distributor, Synnex, points to yet another, more familiar category of vendor with whom foregone trust has been shattered.
"In the cases of SolarWinds and, more recently, Kaseya, both companies operated at and were used by IT professionals for software development or remote system management, respectively. From the standpoint of everyday users, though, the products of both companies appeared too specialized and distant to inspire any immediate fear. While the downstream effects of both attacks could certainly compromise customer data on a mass scale, the public perception among those who had previously never heard of SolarWinds or Kaseya didn’t trigger personal alarms.
"Similarly, Synnex may not be an everyday name familiar to most people who’ve read or heard stories about its connection to the potential hacking of RNC systems. But those curious enough to learn more about the business model of Synnex will soon recognize that remote software distribution accounts for nearly every application on their computers and mobile devices. From there, they’ll think back to the last time they purchased software in a physical form and notice the years that have passed since. Finally, they’ll realize that an intrusion into the systems and networks of those software distributors that offer the conveniences of remote purchases, activations, updates, and license key management puts the hackers into their own machines.
"While Synnex means far more to enterprise clients than individuals, its model is not distant from direct purchases and downloads from Microsoft or those from Apple’s App Store or Google Play. If Cozy Bear could have found its way into Synnex systems, what would prevent it from reaching those distributors touching nearly every desktop, laptop, tablet, or mobile phone on the planet?
"Pushing people to individually reach that conclusion to inspire doubt and fear with every software download or update may have been Cozy Bear’s ultimate goal with this latest attack. And the RNC connection, whether to the level of accessing or breaching its data, may not be the story at all. Far more reaching and important, the RNC may have been merely one among hundreds or thousands of Synnex customers potentially affected. A supply chain attack on trusted software distributors that have unfettered and most often automated connections to all of our devices could be the most destructive yet."