A year after Russian government hackers compromised almost a dozen U.S. federal agencies, renewed efforts by the same group to target the global IT supply chain are painting a picture of a defiant Russia undeterred by U.S. efforts to clamp down on malicious cyber activity.
The Biden administration has imposed sanctions and there has been an unprecedented amount of international pressure on Russia to take action against both government-linked hackers and cybercriminals within its borders.
But the efforts appear to have done little to police the activity given Microsoft’s announcement Monday that the same Russian hacking group behind last year’s SolarWinds hack is continuing to target organizations.
“They have intelligence requirements that they are tasked with fulfilling, and they are unlikely to be deterred from doing that, that’s their job,” John Hultquist, the vice president of intelligence analysis at cybersecurity group Mandiant, told The Hill Monday.
“Until they think that they are not being spied on, Russia’s not going to give up espionage.”
Mandiant, previously known as FireEye, was the first to sound the alarm about what became known as the SolarWinds hack in December after the company itself was compromised.
The incident allowed Russian hackers to exploit vulnerabilities in SolarWinds software and access at least nine federal agencies and 100 private sector groups. Thousands of other companies were left vulnerable as part of an operation that went undetected for much of 2020.
On Monday, Microsoft said the same group behind SolarWinds, named Nobelium, had now launched a “larger wave” of attacks over the summer, with more than 600 customers attacked almost 23,000 times since the beginning of July. While most attacks were unsuccessful, Microsoft said 14 resellers and technology service providers had been compromised.
“This recent activity is another indicator that Russia is trying to gain long-term, systematic access to a variety of points in the technology supply chain and establish a mechanism for surveilling — now or in the future — targets of interest to the Russian government,” Tom Burt, corporate vice president of customer security and trust, wrote in a blog post published Monday.
These hacking efforts took place despite sanctions and pressure by President Biden during an in-person meeting with Russian President Vladimir Putin to take action against hackers within his nation’s borders. Multiple federal agencies have put stepping up cybersecurity front and center, and the White House recently spearheaded a meeting of more than 30 nations to discuss ransomware attacks.
While Russia has taken some hits, experts warn little has changed.
“Nobelium is in search of its next carrier,” Lotem Finkelstein, head of threat intelligence at Check Point Research, said in a statement provided to The Hill. “The company SolarWinds was just the carrier for Nobelium to reach a larger audience. Nobelium quickly learned that a company like SolarWinds can open doors into infiltrating its target audience, the target audience being federal agencies, cyber security companies, IT companies and more.”
“Now, the Russian-based group is looking for another popular vendor to play a similar role to that of SolarWinds,” Finkelstein noted. “Hence, the search for the next carrier is on and intense.”
In light of how long the hackers were able to stay undetected in critical government systems, Putin himself may be unwilling to put a stop to these efforts.
“I think it’s reaffirmed to him that he’s probably got a good tool here,” Mark Montgomery, a senior fellow at the Foundation for Defense of Democracies, told The Hill.
The Biden administration came into office just over a month after discovery of the SolarWinds hack, and coupled with the rise in ransomware attacks against key organizations such as Colonial Pipeline, the new administration was forced to hit the ground running on addressing cyber threats.
In levying sanctions on Russia in connection to both the SolarWinds hack and election interference in April, administration officials made clear more steps could be taken if Russia continued to escalate. Biden reiterated this during a phone call to Putin in July.
White House principal deputy press secretary Karine Jean-Pierre on Monday stressed the work the administration is doing to confront cybersecurity threats and urged cloud service providers to implement “baseline cybersecurity practices” to help prevent incidents.
“Broadly speaking, the federal government is aggressively using our authorities to protect the nation from cyber threats,” Jean-Pierre told reporters aboard Air Force One.
House Homeland Security Committee Ranking Member John Katko (R-N.Y.) argued Monday that Biden’s actions to deter Russia in cyberspace were not enough.
“It’s become explicitly clear that the Russian government has no intention of working to stop cyber aggression from actors operating out of their country,” Katko said in a statement provided to The Hill. “Adversaries like Russia are creating safe havens for bad actors and the only way to respond is with strength. Russia will not stop attempting to undermine U.S. cyber space until they know the consequences will be dire.”
It’s possible U.S. efforts have had some effect. The government and its allies also have drawn clear red lines on which companies are off-limits to attack, and reported coordinated government efforts to go after cybercriminal groups that cross those lines.
These efforts have included the Russian-based group REvil seeing its servers breached and forced offline last week as part of a joint operation to push back against a group linked to ransomware attacks this year on meat producer JBS USA and IT company Kaseya.
“We do see actors who are clearly starting to swear off certain targets publicly, they are saying we are not going to hit this target or that target because we recognize this is going to be bad for business, and that is probably coming from government pressure,” Hultquist said.
Montgomery pointed to the need to continue ramping up international pressure on Russia to corner the government into changing its tactics.
“I think you really have to get a coalition of willing allies and partners to agree what’s inappropriate in cyberspace and then impose costs on countries like Russia that violate those,” Montgomery said.
But as the hacking efforts continue unabated for the present, work remains to reach the goal of cutting down Russian espionage efforts in cyberspace.
“I think it’s going to be an uphill battle to stop it entirely, and that may be more than we can ask for,” Hultquist said.
-Updated at 6:40 p.m.