The Washington Post: Democracy Dies in Darkness
The Cybersecurity 202

A newsletter briefing on cybersecurity news and policy.

Russian hackers haven't backed off, administration official acknowledges


Good morning and welcome to The Cybersecurity 202. Room Rater mostly liked CISA Director Jen Easterly's background. I still haven't decided if the shark head works.

Below: Facebook pushes back against whistleblower's stated national security concerns and a China-linked hacking group poses as the Indian government.

Biden's top cybersecurity official admits Russia isn't backing off

Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency (CISA), shares four things everyone can do this Cybersecurity Awareness Month to shore up their systems. (Video: Washington Post Live)

Russia hasn’t significantly changed its behavior in cyberspace since President Biden’s warning to Russian President Vladimir Putin, Cybersecurity and Infrastructure Security Agency Director Jen Easterly said at a Washington Post Live event yesterday.

It’s a notable acknowledgment by a high-profile administration official that ransomware attacks from Russia are continuing to hit U.S. organizations, despite Biden's efforts.

“I have not seen any significant, material changes,” Easterly said. “We have seen ransomware gangs that seem to have gone offline for a period of time. That's not terribly unusual … this is a difficult, complicated problem.”

Russian hackers

For months, the U.S. government has offered differing levels of optimism when it comes to the Kremlin and ransomware attacks. During a June meeting, Biden stressed to Putin that the United States won’t hesitate to retaliate against criminal hackers who target U.S. critical infrastructure, such as pipelines, airports and power plants. 

  • Two months ago, deputy national security adviser Anne Neuberger said she saw ransomware group BlackMatter’s distancing itself from cyberattacks on critical infrastructure as a potential sign of progress.
  • Neuberger added that she and Biden believe that “the proof will be in the pudding.”
  • Other top U.S. officials have been cautious about declaring victory prematurely. “I think it’s too soon to say that we’re out of the woods,” National Cyber Director Chris Inglis noted in September.

They're not letting up

The effects of ransomware are still ravaging companies and businesses around the United States. Ransomware groups are still hitting critical infrastructure, like hospitals and agriculture cooperatives, even though Biden said he gave Putin a list of critical infrastructure sectors that should be off-limits.

The idea “that there's some sort of red line on critical infrastructure does not seem to be holding,” said Dmitri Alperovitch, the chairman of the Silverado Policy Accelerator.

The latest target is an Indiana hospital that had to go from computers to pen and paper. Patient care hasn’t been compromised in the cyberattack, Johnson Memorial Health President and CEO David Dunkle told WTHR Channel 13 News’s Jennie Runevitch. But the hospital, which turned off its systems after detecting unauthorized behavior in its network, is still assessing the damage. It has received a ransom demand, Dunkle said.

Some U.S. officials and analysts are skeptical the problem is getting significantly better. In five years, the United States will have to deal with ransomware “every single day,” NSA Director and U.S. Cyber Command Commander Gen. Paul Nakasone said at a cybersecurity conference Tuesday.

Part of the problem is that many ransomware groups aren’t seeing consequences for their actions, officials say. In Russia, for example, ransomware groups are “operating in the permissive environment that they've created there,” FBI deputy director Paul Abbate said last month. 

“It’s getting worse, much worse,” Dmitry Smilyanets, a cyber threat analyst at Recorded Future, told me.

Russia: Meh

Ransomware groups don’t have an incentive to change their behavior, Smilyanets said. “Right now, they have no limits,” he said.

Alperovitch says part of the issue is that ransomware is not rising to the top of the U.S.-Russia agenda during bilateral discussions.

The Russian side appears to “think that ransomware is just one little issue on the agenda,” he said. “And we have not convinced them that it is much more important to us than that.”

Easterly also discussed Monday's Facebook outage, election security and private sector collaboration

Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency (CISA), says reporting of cyber incidents is critical for defense. “SolarWinds was largely about a lack of visibility, and if we can’t see it then we can’t effectively defend.” (Video: Washington Post Live)

  • She said CISA wasn't in touch with Facebook during the outage, though the agency's operations center monitored the disruption.
  • The agency has selected a new election security lead that Easterly hopes to announce “in the coming weeks.”
  • CISA is “going to be moving forward to bring on new partners and to do new sprints” for its Joint Cyber Defense Collaborative focusing on the pipeline, finance and energy sectors.

The keys

Facebook whistleblower cites ‘strong national security concerns’

Facebook whistleblower Frances Haugen told a Senate Commerce Committee panel on Tuesday that she believes the company’s “consistent understaffing” of its counterespionage, information operations and counterterrorism teams is a national security issue, Elizabeth Dwoskin reports.

“I have strong national security concerns about how Facebook operates today,” she told Sen. Dan Sullivan (R-Alaska). Haugen didn't offer many details but said her job involved trying to track how the Chinese might be using the platform to spy on Uyghurs, an ethnic minority that has been heavily surveilled and persecuted.

Sen. Richard Blumenthal (D-Conn.), who chairs the Senate Commerce Committee’s consumer protection subcommittee, said Haugen’s comments “may have just opened an area for another hearing.” Facebook head of security policy Nathaniel Gleicher responded in a lengthy Twitter thread. Here are excerpts: 

A China-linked hacking group posing as the Indian government sent phishing emails

The hackers sent Indian victims attachments about taxes or coronavirus advisories, CyberScoop’s Tim Starks reports. The Justice Department says the hacking group behind it is linked to China’s Ministry of State Security.

“The image we uncovered was that of a state-sponsored campaign that plays on people’s hopes for a swift end to the pandemic as a lure to entrap its victims,” said BlackBerry, which published information about the campaign. “And once on a user’s machine, the threat blends into the digital woodwork by using its own customized profile to hide its network traffic.”

Lawmakers introduced a proposal requiring ransomware victims to report payments within 48 hours

Sen. Elizabeth Warren (D-Mass.) and Rep. Deborah K. Ross (D-N.C.) introduced the legislation in both chambers of Congress, CyberScoop’s Tonya Riley reports. It comes as lawmakers introduce a flurry of proposals to require critical infrastructure owners and operators to report breaches.

Under the bill introduced by Warren and Ross, the Department of Homeland Security would have to publish an annual, anonymized report on the total ransoms paid by U.S. organizations.

Global cyberspace

Researchers say they discovered a new Iran-linked hacking group

MalKamak has operated since at least 2018 and its operations have been unknown until now, Cybereason researchers say. The hacking group focused on targeting Middle Eastern aerospace and telecommunications firms, though it also targeted organizations in the United States, Europe and Russia.

National cyber adviser lays out goals for upcoming 30 nation meeting on ransomware (NextGov)

Cyber insecurity

Telegraph newspaper exposes 10TB of server, user data online (The Register)

Security researchers find another UEFI bootkit used for cyber-espionage (The Record)

Securing the ballot

Youngkin continues call for ‘audit’ of election machines in Virginia (Politico)

Industry report

Google to auto-enroll 150 million accounts into its 2SV feature


  • Colonial Pipeline CEO Joseph Blount and Accellion Chairman and CEO Jonathan Yaron speak at the Mandiant Cyber Defense Summit today.
  • CISA chief of staff Kiersten Todt speaks at the Uniting Women in Cyber 2021 event today.
  • CISA Director Jen Easterly and others speak on the first day of CISA’s four-week National Cybersecurity Summit today.
  • Top U.S. officials and lawmakers participate in the Aspen Cyber Summit today.
  • The Senate Commerce Committee holds a hearing on data security today at 10 a.m.
  • U.S. cybersecurity officials speak at the U.S. Cyber Challenge Awards Program and Cybersecurity Summit today at 1 p.m.
  • The Center for Strategic and International Studies hosts an event on sixth-generation network standards today at 3 p.m.
  • Homeland Security Secretary Alejandro Mayorkas, Easterly and other top U.S. government officials speak at the three-day Billington Cybersecurity Summit, which begins today.
  • European cybersecurity officials speak at Kaspersky’s EU Cyberpolicy Forum on Thursday at 5 a.m.
  • Silicon Flatirons hosts an event on encryption on Thursday at noon.
  • The House Oversight and Reform Committee holds a hearing on the partisan election review in Maricopa County, Ariz., on Thursday at 10 a.m.
  • Lawmakers and cybersecurity officials speak at a National Cyber Security Alliance event on Thursday at noon.

Secure log off

Thanks for reading. See you tomorrow.