The Washington Post

The Cybersecurity 202: The Kaseya attack is a revolution in sophistication for ransomware hackers


with Aaron Schaffer

The Kaseya ransomware attack, which paralyzed hundreds of businesses over the Fourth of July weekend, marks a major strategic advancement for the criminal hacking gangs that have wreaked havoc on U.S. businesses. 

Most ransomware gangs exploit basic security flubs, such as shared and reused passwords, to lock up victims' computers and demand payments. REvil, the Russia-based group responsible for this attack, however, exploited a software flaw that had never before been used in an attack and had not been publicly disclosed, so it was unknown to most top cybersecurity experts. 

That’s a highly sophisticated sort of attack, known as a “zero day” because the vendor has had no time to issue a fix before the flaw is exploited. Such attacks are more commonly used by nation-states looking to steal each other’s secrets than by financially motivated criminals. And it paid dividends: it's the largest ransomware attack to date, locking up computers at up to 1,500 companies that are customers of the software management company Kaseya or of the IT service providers that use its software, and enabling a $70 million ransom demand.  

That probably is a sign of things to come as cybercrime gets more lucrative and cybercriminals gain more money and resources to pull off major heists.

“A lot of ransomware actors have bigger budgets than some nation-state actors do, so this is the logical next step,” Allan Liska, senior threat intelligence analyst at the cybersecurity firm Recorded Future, told me. “They’re going to have to continue going after larger targets if they want multimillion-dollar ransoms and using zero days is one way of doing that.” 

Criminal hackers are unlikely to ever achieve the skills of top government hackers in the United States, the United Kingdom, Russia and China. But they could equal the capabilities and investments of some third-tier cyber powers such as Pakistan or Brazil, Liska said. 

The Kremlin could halt the advance. 

Experts widely agree that REvil and other major ransomware gangs operate on Russian territory with at least the Kremlin’s tacit approval. 

“There’s no reasonable doubt among the analyst community that these guys work with the approval of the Russian government, and having Russia crack down would be a big win,” Jake Williams, the founder of the cybersecurity company Rendition Infosec who has investigated those groups, told me. 

President Biden pressed Russian President Vladimir Putin to crack down on criminal hackers during their summit in Geneva last month and officials from the two nations have been in regular contact on the topic ever since. 

But it’s far from clear if Putin will comply or if the United States will compel him to do so. 

U.S. military hackers could also impede the ransomware gangs from launching bigger operations by seizing and dismantling the digital infrastructure they use. 

White House Spokeswoman Jen Psaki repeated a pledge from Biden this week that “if the Russian government cannot or will not take action against criminal actors residing in Russia, we will take action, or reserve the right to take action on our own.” 

It would be extremely difficult, however, for U.S. Cyber Command to consistently keep such groups offline, Williams, a former National Security Agency hacker, told me. 

That’s because many such gangs operate using hundreds of (often stolen) Internet domains that are closely integrated with noncriminal Internet operations, making it logistically and legally complicated to take everything down. And even if they did so, the groups could rebuild rather quickly, Williams said. 

As ransomware gangs become more sophisticated, it could throw a wrench in the common wisdom, which says basic cybersecurity protections are sufficient for most organizations. 

In effect, such attacks could produce a world where cybercriminals are as willing to pour resources into hacking a company that promises a big payday as governments are to pour them into hacking their adversaries. 

“You’ll go back to the well if it continues to give water, and this has been very successful,” Kelvin Coleman, executive director of the National Cyber Security Alliance, a nonprofit organization that promotes cybersecurity, told me. 

It’s not clear how REvil got ahold of the zero day that gave it access to Kaseya. One likely possibility is that REvil hackers were spying on communications between Kaseya and a Dutch security research group that spotted the flaw independently and began warning Kaseya about it in April.

In other cases, criminals might uncover such vulnerabilities through their own digging. Or they could buy them from independent researchers that find them and sell them to the highest bidder. Those researchers often sell such bugs to the company whose product is vulnerable or to intelligence agencies that want to use them for spying. But they've been known to sell them to criminal groups as well. 

“If I can encrypt 10,000 computers [at a major bank] and I had to spend $3 million on a zero day to do that, I know I’m going to make 10 times more than that,” Liska said.

The keys

DHS and the FBI say there's no evidence yet that the Republican National Committee was breached.

The agencies “have not confirmed” that a security incident at an RNC vendor affected any of the campaign group's systems or data, DHS's Cybersecurity and Infrastructure Security Agency said in a statement. 

That backs up an earlier statement from the RNC, which disputed a Bloomberg News report that Russia’s foreign intelligence service breached the GOP campaign arm.

A person familiar with the matter told my colleague Ellen Nakashima that a Russian government hacking group was behind the breach of Synnex, the RNC contractor. That alone is not evidence the hackers were able to take the extra step of cracking into the RNC's own systems. 

Government spy agencies routinely seek to steal information from adversary nations' political campaigns to gather information about possible future political leaders. Such breaches have taken on added significance, however, following the Kremlin-backed 2016 operation that leaked stolen information from the Democratic National Committee and the Hillary Clinton campaign to damage her candidacy. 

A Pennsylvania lawmaker is pushing an Arizona-style partisan audit of voting machines. 

State Sen. Doug Mastriano (R) is seeking voting equipment from three counties, saying the machines are “needed to conduct a forensic investigation” of the 2020 election and this year’s primary, the Philadelphia Inquirer’s Andrew Seidman and Jonathan Lai report. It’s part of a wave of GOP efforts to launch partisan audits in the wake of a highly controversial audit in Maricopa County, Ariz., and baseless claims by former president Donald Trump that the election was rigged against him. 

“It’s much of what we saw in Arizona, which really set the standard on a forensic analysis,” Mastriano said. Pennsylvania’s Republican-controlled state Senate has looked into the prospect of using private funding for the review, the Associated Press reported.

Mastriano sent letters to the three counties that warned the Senate Intergovernmental Operations Committee, which he leads, could issue subpoenas if the counties don’t respond with a plan to turn over their voting machines by the end of the month. The review will almost certainly face legal challenges, including from the state’s Democratic attorney general, Josh Shapiro.

The Pentagon’s 3-D printing systems are vulnerable to hacking, a watchdog said.

Nearly 75 percent of the computers used for 3-D printing that a Pentagon watchdog reviewed had outdated operating systems, making them vulnerable to cyberattacks. 

The Pentagon’s inspector general also found a bevy of other issues. Nearly 70 percent of computers it reviewed were not checked regularly for vulnerabilities. And more than a dozen of the computers and printers used removable devices that were improperly secured.

Government scan

WikiLeaks founder Julian Assange won’t be held in a Supermax prison if he’s extradited to the United States, U.S. officials say.

The announcement could clear a major hurdle for Assange’s extradition to the United States on espionage charges, the Wall Street Journal’s Jason Douglas reports. It came as the British High Court agreed to hear an appeal by the U.S. government for his extradition, William Booth and Rachel Weiner report.

In January, a British judge blocked Assange’s extradition on the grounds that he was at risk of committing suicide and might not be protected from harming himself in a U.S. prison. 

U.S. authorities have charged Assange with 18 federal crimes, including one for trying to help Chelsea Manning crack a password. Critics say that’s a poor use of an overly broad hacking law. Assange supporters say he merely published leaked information that embarrassed the U.S. government.

Tucker Carlson sought interview with Putin at time of NSA spying claim (Axios)

The U.S. says humans will always be in control of AI weapons. But the age of autonomous war is already here. (Gerrit De Vynck)

Cyber insecurity

‘Shut down everything:’ Global ransomware attack takes a small Maryland town offline (Chris Velazco and Rachel Lerman)

Industry report

Three months, 700 steps: Why it takes so long to produce a computer chip (Jeanne Whalen)

Global cyberspace

Hackers attack websites of Ukraine's president and security service (Reuters)

Chat room

Thomas Rid, a professor of strategic studies at Johns Hopkins University's School of Advanced International Studies, posed this provocative question on Twitter:

John Hultquist, the vice president of analysis at FireEye’s Mandiant Threat Intelligence:

JD Work, the Bren Chair for Cyber Conflict and Security at Marine Corps University:

Booz Allen Hamilton's Nate Beach-Westmoreland:

More from Rid:

Lobbying report

  • Peter Kucik, a former senior sanctions adviser at the Treasury Department’s Office of Foreign Assets Control, has registered to lobby for Chinese surveillance giant Hikvision via Mercury Public Affairs. Hikvision, which is accused of helping the Chinese government surveil the Uyghur minority, has also hired former lawmakers as the U.S. government limits its ability to do business in the United States.
  • Glenn LeMunyon, a former Capitol Hill aide, has registered to lobby for Chinese telecom giant Huawei. He plans to lobby on telecommunications and infrastructure issues, according to a lobbying registration filing effective June 15.


  • Carnegie Mellon University’s Center for Informed Democracy and Social-cybersecurity kicks off its two-day annual conference on July 12.
  • Defending Digital Campaigns hosts a cybersecurity training event for Oregon campaign and election officials on July 13 at 2 p.m.

Secure log off