Cyber retaliation, cyber deterrence, and cyber diplomacy.

Summary

By the CyberWire staff

At a glance.

More notes on the probable impact of the Kaseya incident on US policy.
Russia's SVR suspected in attempt on the US Republican National Committee.

Further notes on policy and the Kaseya incident.

Yesterday President Biden told reporters he’ll “have more to say” about the Kaseya ransomware attack “in the next several days,” the Daily Mail reports. He announced Saturday that he’s “directed the full resources of the…Government to assist in the response,” and, according to MeriTalk, met today with an interagency ransomware taskforce.

Press Secretary Psaki shared that a “high level of our national security team has been in touch with a high level of Russian officials,” and “we expect to have another meeting next week focused on ransomware attacks.” She declined to specify whether any response would target the proximate threat actors or harboring state, but reiterated the President’s stance that host countries have “a responsibility” for domestic criminals.

Companies also have a responsibility for enacting cybersecurity best practices, she added, and the Administration’s position on paying ransom remains negative. The Christian Science Monitor observes potential for conflict and finger pointing between the public and private sectors, as the Government grows leery of leaving cybersecurity to the business community. Chamber of Commerce cyber officer Christopher Roberti hopes for a productive partnership, however.

The Monitor considers the installation of cyber czar Chris Inglis as a step “toward greater coordination” in a tumultuous time, noting that Inglis will organize the response of Homeland Security, Justice, and Treasury cyber officials with the help of seventy-five staff.

Russia’s challenge to the US Administration.

The New York Times calls the Kaseya incident—the “single largest global ransomware attack on record”—and Cozy Bear’s hit on a Republican National Committee vendor the awaited “test” of the Biden Administration’s red lines. The lines in question are President Biden’s warnings about sheltering ransomware gangs, and depending on Cozy’s intentions, either attacking democratic institutions or casting too wide a net (as in the Holiday Bear gambol).

In a Saturday speech, which onlookers consider his answer to the Geneva summit, President Putin asserted the legitimacy of undertaking “symmetrical and asymmetric measures” against “unfriendly actions.” Moscow’s new security strategy, unveiled concurrently, warns of Western attacks on Russia’s “traditional spiritual-moral and cultural-historical values.”

Center for Strategic and International Studies VP James Lewis said, “Biden did a good job laying down a marker, but when you’re a thug, the first thing you do is test that red line.” Lewis thinks the US has run out of warning shots, leaving only “more aggressive measures.”

The Administration is in the process of crafting a general toolbox of potential responses with approximately twenty international partners; the elephant in the room is, of course, escalation.

John Hultquist, VP of Analysis at Mandiant Threat Intelligence, commented on the attraction political parties hold for espionage services:

"Political parties are incubators for public policy, making them ideal targets for espionage actors trying to collect political, military, and economic intelligence. Though these organizations have been famously involved in aggressive hack and leak campaigns, more often than not, Russian hackers and others target them to quietly gather intelligence. While GRU actors made a big splash with the data they’d taken from the DNC in 2016 they were not alone. APT29 had also infiltrated that network in an operation that is more typical of cyber espionage."

Jerry Ray, COO of enterprise data security and encryption biz at SecureAge, thinks this latest incident arguably more important than other recent cyberespionage activity. For one thing, it appears to be another supply chain security incident:

"As if intending nothing other than to punctuate the insidious effectiveness of supply chain attacks, the Russian hacking group APT 29 or Cozy Bear’s most recent exploitation may be the most significant yet.

"That’s not because of the suspected reach into the computer systems of the Republican National Committee, which has downplayed the notion of any access to its data. It’s also not because of some high water technical achievement, which may or may not be the case. And it’s not because of the nature of attacking an upstream vendor to reach downstream customers, as that’s been the highest profile attack vector since Cozy Bear’s attack on SolarWinds in December 2020.

"Instead, this particular exploit of a large-scale software distributor, Synnex, points to yet another, more familiar category of vendor with whom foregone trust has been shattered.

"In the cases of SolarWinds and, more recently, Kaseya, both companies operated at and were used by IT professionals for software development or remote system management, respectively. From the standpoint of every day users, though, the products of both companies appeared too specialized and distant to inspire any immediate fear. While the downstream effects of both attacks could certainly compromise customer data on a mass scale, the public perception among those who had previously never heard of SolarWinds or Kaseya didn’t trigger personal alarms.

"Similarly, Synnex may not be an every day name familiar to most people who’ve read or heard stories about its connection to the potential hacking of RNC systems. But for those curious enough to learn more about the business model of Synnex, they'll soon recognize that remote software distribution accounts for nearly every application on their computers and mobile devices. From there, they’ll think back to the last time they purchased software in a physical form and notice the years that have passed since. Finally, they’ll realize that an intrusion into the systems and networks of those software distributors that offer the conveniences of remote purchases, activations, updates, and license key management puts the hackers into their own machines.

"While Synnex means far more to enterprise clients than individuals, its model is not distant from direct purchases and downloads from Microsoft or those from Apple’s App Store or Google Play. If Cozy Bear could have found its way into Synnex systems, what would prevent it from reaching those distributors touching nearly every desktop, laptop, tablet, or mobile phone on the planet?

"Pushing people to individually reach that conclusion to inspire doubt and fear with every software download or update may have been Cozy Bear’s ultimate goal with this latest attack. And the RNC connection, whether to the level of accessing or breaching its data, may not be the story at all. Far more reaching and important, the RNC may have been merely one among hundreds or thousands of Synnex customers potentially affected. A supply chain attack on trusted software distributors that have unfettered and most often automated connections to all of our devices could be the most destructive yet."

Selected Reading

Developments in the Kaseya ransomware attack: recovery and response. (The CyberWire) As Kaseya continues to move closer toward normal operations and capacity, the US considers defensive and retaliatory options.

Biden says ransomware attack caused 'minimal damage' to U.S. companies (Reuters) President Joe Biden said on Tuesday the ransomware attack centered on the Florida information technology firm Kaseya seems to have inflicted only "minimal damage" on American businesses.

Kremlin says no US inquiries received over hacker attack on IT software company (TASS) It was reported earlier that the enterpise based in Dublin and with US headquarters in Miami was attacked by the hackers that were demanding a ransom of $44,900

Who’s behind the Kaseya ransomware attack – and why is it so dangerous? (the Guardian) The breach has affected hundreds of businesses around the world, and experts fear the worst is yet to come

Biden: US damage appears minimal in big ransomware attack | Federal News Network (Federal News Network) President Joe Biden says damage to U.S. businesses in the biggest ransomware attack on record appears to be minimal but information is still incomplete…

RNC says contractor breached in hack, GOP data secure (TheHill) The Republican National Committee (RNC) on Tuesday acknowledged that one of its contractors had been breached by hackers linked to Russia but said its data had not been accessed.

Kubernetes Used in Brute-Force Attacks Tied to Russia’s APT28 (Threatpost) The ongoing attacks are targeting cloud services such as Office 365 to steal passwords and password-spray a vast range of targets, including in U.S. and European governments and military.

Security Agencies Warn on Russian GRU Global ‘Brute Force’ Campaign (MeriTalk) According to a joint advisory from the National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and U.K.'s National Cyber Security Centre (NCSC), hackers from the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit – widely known as Fancy Bear or APT28 – utilized Kubernetes clusters to infiltrate targets in their global brute force campaign from mid-2019 through early 2021.

Japan Looks to Boost Military Cyber Experts Amid Security Threat (Infosecurity Magazine) China and Russia blamed for increasingly hostile activity

The Cybersecurity 202: Now there’s even more pressure on Biden to punch back against Russian ransomware (Washington Post) Pressure is mounting on the Biden administration to respond forcefully to Russia-based ransomware attacks as U.S. businesses reel from the latest in a string of major hacks over the holiday weekend.

Attempted Hack of R.N.C. and Russian Ransomware Attack Test Biden (New York Times) The breach of a Republican National Committee contractor, also linked to Russia, and the global ransomware attack occurred weeks after a U.S.-Russian summit.

We just had another ransomware attack. It’s time Biden gave Putin an ultimatum. (Washington Post) If this becomes routine, businesses and the economy will suffer.

Combating China's Insider Threat: Can New Laws Curb IP Theft by Foreign Spies? (SecurityWeek) There are three primary prongs to Chinese acquisition intellectual property: straightforward hacking and cyber theft; the implant of physical insiders; and hiring western experts to work in China

Biden Builds on Trump’s Use of Investment Review Panel to Take on China (Wall Street Journal) The Committee on Foreign Investment in the U.S. is looking to share information with allies and is paying closer attention to the Biden administration’s priorities, including securing supply chains.

Readout of Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger’s Meeting with Bipartisan U.S. Conference of Mayors | The White House (The White House) Today, as part of ongoing engagement with stakeholders across the country, Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger met virtually with the bipartisan U.S. Conference of Mayors to speak to the cybersecurity challenges facing cities and towns across the nation, including the threat from ransomware. Neuberger described the Administration’s ransomware strategy…