The Washington Post

The Cybersecurity 202: The FBI is trying to thwart a massive Russia-linked hacking campaign


with Bastien Inzaurralde


U.S. law enforcement is trying to seize control of a network of hundreds of thousands of wireless routers and other devices infected by malicious software and under the control of a Russian hacking group that typically targets government, military and security organizations. 

In a statement issued late Wednesday, the Justice Department said the FBI had received a court order to seize a domain at the core of the massive botnet, which would allow the government to protect victims by redirecting the malware to an FBI-controlled server.

The DOJ attributed the hacking campaign to the group known as Sofacy, also known as Fancy Bear. While the statement did not explicitly name Russia, Fancy Bear is the Russian military-linked group that breached the Democratic National Committee in the presidential election.

“This operation is the first step in the disruption of a botnet that provides the Sofacy actors with an array of capabilities that could be used for a variety of malicious purposes, including intelligence gathering, theft of valuable information, destructive or disruptive attacks, and the misattribution of such activities," said Assistant Attorney General for National Security John C. Demers.

And FBI Special Agent in Charge Bob Johnson said: "These hackers are exploiting vulnerabilities and putting every American’s privacy and network security at risk." Johnson encouraged people and businesses to update their network equipment and change their passwords -- though he cautioned "there is still much to be learned about how this particular threat initially compromises infected routers and other devices." 

The announcement of law enforcement's salvo came just hours after cybersecurity researchers from Cisco's intelligence unit Talos warned that sophisticated hackers had infected at least 500,000 devices in at least 54 countries with the malware dubbed "VPN Filter."

Much of the attention at first focused on the apparently imminent threat in Ukraine: The malware showed up in devices there at such "an alarming rate" in recent weeks that the researchers believed hackers linked to a state government were preparing an extensive cyberattack on the country, the researchers said. While the researchers themselves did not name Russia, they did say the "potentially destructive malware" had some of the same hallmarks of recent Russian government-backed hacking campaigns that took out parts of the country's power grid.

“The code of this malware overlaps with versions of the BlackEnergy malware — which was responsible for multiple large-scale attacks that targeted devices in Ukraine,” Talos said in a blog post. The U.S. government and security experts have attributed those attacks to Russia.

The latest campaign fits a pattern of influence operations the Russian government has used in recent years to upend life in Ukraine as part of a strategy to exert influence on the digital stage, said Nina Jankowicz, a fellow at the Wilson Center.

“Ukraine has always been a proving ground for Russian cyberactivity,” she told me. “Russia is asserting its cyber prowess. It wants the United States and the West to know what it's capable of without having to launch an attack on a Western government, which would draw retribution.”

Yet in this case, it's not surprising that the threat was a priority for U.S. law enforcement -- and not just because Russia has been in the spotlight for its interference campaign in the 2016 election.

Earlier this year, the White House publicly blamed Russia for the NotPetya cyberattack in June 2017, when Russian military hackers shut down networks across Ukraine and wiped data from financial firms, government offices and other institutions around the world. The White House said it was the "most destructive and costly cyberattack in history" and vowed that it would "be met with international consequences."

Craig Williams, the head of Talos's security team, told me that under a worst-case scenario, the mass of infected devices was powerful enough to be used to carry out a "potential sequel" to the NotPetya attack.

"We’re rolling right up on the anniversary of that attack," Williams said. If hundreds of thousands of routers get knocked out simultaneously, he said, “that will have a very similar impact to NotPetya.”

Williams called VPN Filter the "Swiss army knife for malware." Beyond its use for espionage, the malware has the potential to intercept communications on industrial control systems used throughout the energy sector and by manufacturers, water treatment facilities and other critical infrastructure operators. It also has a destructive capability known as "bricking" that allows the malware to permanently disable any device infected with it.

By infecting consumer wireless routers, hackers were targeting an especially weak link in computer networking, said Michael Daniel, president of the Cyber Threat Alliance, of which Cisco is a member.

It's "particularly pernicious because it targets the kind of device that's difficult to defend," he told me. "They sit on the edge of the network or on the outside of the firewall. They don't really have antivirus for routers." 

The FBI and the Department of Homeland Security have notified trusted internet service providers of the malware, according to the DOJ. Cisco said users can disable the malware beyond its first stage by rebooting their routers. 


PINGED: The fallout continues from the FBI's exaggeration about the number of encrypted phones it claimed investigators couldn't access. FBI Director Christopher A. Wray has directed the bureau's inspection division to review the agency's inflated count, and the bureau's technology division is also reviewing the matter, The Wall Street Journal's Dustin Volz reports. "There is no indication that this was misconduct," an FBI official said Wednesday, Volz writes.

The Washington Post's Devlin Barrett reported on Tuesday that while Wray has said the FBI was unable to access almost 7,800 encrypted phones last year, the real figure is probably between 1,000 and 2,000. The wrong count stemmed from the fact that a contractor for the FBI searched three databases, a source with knowledge of the error told Forbes's Thomas Fox-Brewster.

“In doing so, it not only took in duplicates of phones across the databases and counted them separately, it also included data from apps and files that couldn't be unlocked within phones,” Fox-Brewster writes. “For instance, if the FBI had broken through the passcode on an Apple iPhone, but there was an app with an extra password within that couldn't be cracked, the inaccessible software was included as a whole device in the final count.”


Paul Abbate, the FBI's associate deputy director, said the bureau still sees encryption as a “major problem” regardless of the counting issue, Nextgov's Joseph Marks reports. “Whatever that number is, each one of those devices represents a potential terrorist attack that could have been prevented or a child who could have been protected from a predator or an act of violence that could have been prevented across a range of issues,” Abbate said.

Yet Sen. Ron Wyden wasn't convinced: “The government has long held discredited views about encryption,” the Oregon Democrat wrote in a letter yesterday. “Now we see that the FBI is struggling with basic arithmetic — clearly it should not be in the business of dictating the design of advanced cryptographic algorithms.” Wyden said the FBI's overestimation of encrypted phones that are inaccessible to its investigators means the bureau “is either too sloppy in its work or pushing a legislative agenda.” Wyden also requested that Wray answer questions about the extent of the problem by June 13.


PATCHED: Twitter wants to avoid a rerun of the 2016 misinformation problems on its platform in this year's midterm elections. “Twitter said Wednesday it will begin verifying political candidates running for the House, Senate and governor in general elections, another sign of the company’s scramble to put new controls in place after the controversy over social media's role in the 2016 campaign,” Politico's Nancy Scola reports.

Twitter will apply a small icon picturing a government building on candidates' accounts and will specify which office they are running for and where, Bridget Coyne, senior public policy manager at Twitter, wrote in a blog post. The labels will begin to show up on May 30. “Providing the public with authentic, trustworthy information is crucial to the democratic process, and we are committed to furthering that goal through the tools we continue to build,” Coyne said.

“Twitter will rely on the website Ballotpedia to identify the legitimate accounts of those who've qualified for the ballot,” Scola writes. “It's part of a trend of tech companies outsourcing decision-making on political questions.”

PWNED: Federal agencies can’t rid government computer networks of Kaspersky Lab software even though the law says it needs to be done by October. “Multiple divisions of the U.S. government are confronting the reality that code written by the Moscow-based security company is embedded deep within American infrastructure, in routers, firewalls, and other hardware — and nobody is certain how to get rid of it,” the Daily Beast's Andrew Desiderio and Kevin Poulsen report.

The Department of Homeland Security said in September that it was “concerned about the ties between certain Kaspersky officials and Russian intelligence and other government agencies.” In December, a portion of the National Defense Authorization Act mandated that the government do away with “any hardware, software, or services developed or provided, in whole or in part” by Kaspersky, Desiderio and Poulsen write.

But Congress didn't direct any funding to federal agencies to perform this specific task, according to Desiderio and Poulsen. “A U.S. official with direct knowledge of the ban’s implementation says there’s plenty of blame to go around in the debacle,” they write. “The law ordering the full ban didn’t come with an appropriation to replace any products found inexorably entwined with the outlawed code.”



— “We will not tolerate Russian interference in our 2018 elections,” Secretary of State Mike Pompeo told the House Foreign Affairs Committee on Wednesday. “Much work has been done, there is more to do. Rest assured that we will take the appropriate countermeasures in response to continued Russian efforts.”

Pompeo also said he agrees with the intelligence community's assessment that Russia sought to help elect Donald Trump when it interfered in the 2016 election, but his acknowledgment took some “prodding by lawmakers,” Bloomberg News's Nick Wadhams reports.

Pompeo said he agreed with the assessment "only after he initially said the judgment that Russian President Vladimir Putin wanted to help Trump win 'was the least confirmed, that is, there was the least support for that' in the report issued by the CIA, the FBI and the National Security Agency in January 2017, a few weeks before Trump took office," Wadhams writes. 

— More cybersecurity news about the public sector:

Trump violated the Constitution when he blocked his critics on Twitter, a federal judge rules (Brian Fung and Hamza Shaban)

Lawmakers roll out bill to protect children from online data collection (The Hill)

U.S. Launches Criminal Probe into Bitcoin Price Manipulation (Bloomberg)

CIOs push back on FITARA scores (FCW)


— Dragos, a cybersecurity firm focusing on industrial control systems, said hackers have targeted several industrial companies in the United States, CyberScoop’s Chris Bing reports. The attack comes from the same group, which Dragos calls Xenotime, that infected a petrochemical plant in Saudi Arabia last year, Bing writes. “The malware shows similarities to what’s commonly known as Trisis, which was used in an attack last year in Saudi Arabia,” Bing writes. “While Trisis exploited one particular industrial control system, researchers say a new variant impacts a variety of safety instrumented systems.” 

Dragos researchers didn’t say which companies the hacker group went after, but it informed them as well as the federal government, Bing writes. Systems in the Middle East were also targeted by the malware. “People need to start thinking about auditing their safety systems,” Sergio Caltagirone, director of threat intelligence and analytics at Dragos, told Bing. “This is a much bigger problem than what we maybe all first thought it was.”

— The facial recognition technology that Amazon is selling to law enforcement agencies in Orlando and Oregon raises concerns about racial bias, according to the Verge's Russell Brandom. Matt Cagle, a technology and civil liberties attorney at the American Civil Liberties Union of Northern California who was involved in the ACLU report about the program, told Brandom that Rekognition is a problematic tool. “Face recognition is a biased technology,” Cagle said. “It doesn't make communities safer. It just powers even greater discriminatory surveillance and policing.” (Amazon founder and chief executive Jeffrey P. Bezos is the owner of The Post.)

“Police typically use facial recognition to look for specific suspects, comparing suspect photos against camera feeds or photo arrays,” Brandom writes. “But white subjects are consistently less likely to generate false matches than black subjects, a bias that’s been found across a number of algorithms. In the most basic terms, that means facial recognition systems pose an added threat of wrongful accusation and arrest for non-white people.”


— More cybersecurity news about the private sector:

Facebook suggests no compensation for European users affected by data breach (Reuters)

Exclusive: Facebook Opens Up About False News (Wired)


— Online accounts supporting the Islamic State group are spreading terrorist propaganda on Google Plus while they are being shut down on Facebook and Twitter, the Hill's Ali Breland reports. “The Hill found dozens of pages across Google’s social media platform that explicitly show Islamic State in Iraq and Syria (ISIS) propaganda, give news updates directly pulled from ISIS media, spread messages of hate towards Jews and other groups or show extremist imagery,” Breland writes. “The Google Plus accounts and communities sharing ISIS-linked content did little to hide their affiliation. Many openly professed their support of the terrorist group. In many cases, accounts featured the ISIS flag and pictures of ISIS fighters.”

A Google representative told Breland that the company has “a strong track record of taking swift action against terrorist content” but added that it has “more to do.”

Google Plus has struggled against the competition from Facebook and Twitter. Tom Galvin, the executive director of the Digital Citizens Alliance, a group campaigning to make the Internet safer to use, told Breland that Google Plus is like an “abandoned warehouse where ISIS comes to work.”

— More international cybersecurity news:

How Japan’s Pacifist Constitution Shapes Its Approach to Cyberspace (Council on Foreign Relations)

Getting a Flood of G.D.P.R.-Related Privacy Policy Updates? Read Them (The New York Times)



Coming Soon

  • The European Union's General Data Protection Regulation goes into effect tomorrow.

Yulia Skripal, daughter of a Russian ex-spy, speaks out for first time since she and her father were poisoned:

Yulia Skripal and her father, Russian ex-spy Sergei Skripal, were poisoned in March. On May 23, she told Reuters, “My life has been turned upside down.” (Video: Reuters)

Eruptions, lava and toxic gas continue to blight Hawaii:

Weeks after it first erupted on May 3, Kilauea’s dramatic volcano activity continued to threaten homes, with lava and dangerous gases. (Video: Taylor Turner/The Washington Post)

Judge orders adult son to move out of his parents' home:

An upstate New York judge ordered a 30-year-old man to move out of his parents’ house after they went to court to have him evicted on May 22. (Video: KRON 4)