It was one of the most aggressive moves yet following through on the administration’s pledge to treat ransomware as a top national security priority.
But don’t pop any champagne yet. If the moves do help curtail the barrage of ransomware hitting U.S. businesses, it will be like the first volley in a much longer battle.
“We’re still in the beginning of the beginning of this,” Mark Montgomery, executive director of the Cyberspace Solarium Commission and a senior fellow at the Foundation for Defense of Democracies, told me. “These efforts are an indication of serious intent by DOJ, which is great. But it’s still impacting only a microscopically small percentage of cybercriminal behavior.”
The actions focused on hackers affiliated with the REvil gang, which was responsible for a massive ransomware attack that first hit the Kaseya software firm, then spread to dozens of its clients.
Here’s what the administration announced:
- The arrest in Poland of Yaroslav Vasinskyi, a Ukrainian national who may be extradited to the United States and who conducted around 2,500 ransomware attacks where REvil demanded a total of $767 million from victims.
- An indictment against another REvil hacker, Yevgeniy Polyanin, who’s a Russian national.
- The arrest by European law enforcement of two other REvil-affiliated hackers in Romania who had pocketed about $600,000 in ransom payments.
- The seizure of at least $6.1 million in funds allegedly linked to ransom payments received by Polyanin.
- The Treasury Department announced sanctions against the Chatex virtual currency exchange and its affiliates for allegedly facilitating the financial transactions of ransomware hackers.
- The State Department added REvil to a bounty program that offers up to $10 million for information leading to the identification or location of its leaders.
“Our message should be clear: If you target victims here, we will target you,” Deputy Attorney General Lisa O. Monaco said during a press briefing. “And the Department of Justice won't give up until you are held accountable.”
More work
But the news conference also highlighted how much work’s left to do.
- The $6.1 million the Justice Department clawed back is just a pittance compared with the money REvil has collected in ransoms. One blockbuster attack against the meat processor JBS alone produced an $11 million ransom.
“These actions can contribute to a chilling effect,” Jeremy Kennelly, senior manager of analysis at the cybersecurity firm Mandiant, told me. “I wouldn’t imagine we’re there yet, but there’s a track record being established.”
- The administration has also made no clear progress in preventing the Kremlin and Russian President Vladimir Putin from providing safe haven to ransomware gangs, which operate with impunity in Russian territory.
“All of these things in combination are really impactful and create additional deterrent effects for criminals not based in Russia,” Dmitri Alperovitch, chairman of the Silverado Policy Accelerator, told me. “[But] as long as you have regimes providing safe haven like Russia … you’re not going to make much progress.”
During a June summit in Geneva, President Biden threatened retaliation if Putin doesn't crack down on such criminal operations, and officials from the two nations have been meeting periodically since then. While the Justice Department indicted Polyanin, it’s highly unlikely he’ll ever be arrested.
- There’s also been only limited progress on one key pillar of the Biden administration’s plan to counter ransomware — raising the cyber defenses of U.S. companies.
New rules
The administration has imposed a handful of new mandates in the pipeline sector and is planning others for rail and air systems. But it’s stopped short of imposing broader cybersecurity rules across critical industry sectors.
Congress is considering bills that would require companies in key industries to report when they’re hacked, but even that has received pushback from industry.
Justice officials endorsed those bills and urged companies to voluntarily share hacking information with them yesterday.
“When ransomware attacks do occur, law enforcement's ability to respond depends in large part on whether and how promptly the victim reports the attack,” Attorney General Merrick Garland said. “Failure to timely report also puts other victims in jeopardy and deprives investigators of information they need to stall or mitigate other attacks.”
The keys
The FBI defended its decision to withhold a decryption tool from Kaseya victims
That decision seemed to be aimed at ensuring that the FBI could conduct an operation against REvil, but the delay was criticized by victims who said the key came too late to be useful for unlocking their computer systems.
FBI Director Christopher A. Wray declined to provide a timeline or additional details about how the decision was made during Monday’s news conference. He said such actions can be delayed by working with other government agencies and international partners and by making sure the key itself doesn't contain malicious software.
“Ultimately, it all boils down to trying to make sure that we can maximize the impact on the ransomware actors and maximize the benefit to the most victims and the most potential victims,” he said.
The FBI held off on sharing the decryption key for nearly three weeks in the wake of REvil’s cyberattack, Ellen Nakashima and Rachel Lerman reported in September. That left some victims — who were reeling from the attack — in the lurch. “Without the key to restore encrypted data to a readable state, victims were forced to try to retrieve backup copies of data or to replace their systems — both expensive and time-consuming processes,” Ellen and Rachel wrote at the time.
WhatsApp’s lawsuit against NSO Group can proceed
WhatsApp sued the embattled Israeli spyware company in 2019, accusing it of allowing customers to hack at least 100 of its users around the world.
But the U.S. Court of Appeals for the 9th Circuit dismissed NSO’s argument that it should be immune from lawsuits because it provides its Pegasus spyware to foreign governments who have “sovereign immunity.” The court decision is a major blow for NSO, which could be forced to hand over sensitive documents in the discovery process.
NSO spyware was used in attempted and successful hacks of 37 smartphones belonging to activists, journalists, executives, and the two women closest to murdered Saudi journalist Jamal Khashoggi, according to an investigation by The Washington Post and 16 media partners this year.
NSO vowed to keep fighting the suit. The company “stands undeterred in its mission and will continue to vigorously fight for the truth,” it said in a statement.
NSO has hired legal muscle. Former deputy attorney general Rod J. Rosenstein counseled the company and assisted its defense team, according to a legal filing in the case.
Six Palestinian human rights activists were hacked by NSO’s Pegasus spyware
All six activists were hacked between July 2020 and April 2021, the University of Toronto’s Citizen Lab and Amnesty International’s Security Lab said. Three who agreed to be named belonged to rights groups that Israel’s government designated as terrorist organizations in October. That move was criticized by watchdogs in Israel and around the world.
Israeli government offices denied that NSO spyware was used to hack the Palestinians, the New York Times’s Ronen Bergman and Patrick Kingsley report. An NSO spokeswoman would not say who used the software and said the company did not have access to information about who the program targeted.
The Biden administration last week blacklisted NSO, saying that its technology was used to “maliciously target” activists, journalists and government officials. The sanctions cut off NSO’s access to U.S.-built technology. The company responded that it respects human rights and has terminated contracts with governments that “misused” its tools.
Cyber insecurity
A breach of the stock trading app Robinhood affected millions of customers
The November 3 attack allowed hackers to steal some personal information from about 5 million customers, CNN’s Matt Egan reports.
About 10 customers had "more extensive account details revealed," the company said. The breach did not include Social Security numbers, bank account numbers or debit card numbers.
The hackers gained access to Robinhood’s internal system by tricking a customer service employee into sharing the access, the company said. After the company discovered the intrusion, "the unauthorized party demanded an extortion payment," to keep the breach secret. The company said it "promptly" informed law enforcement about the breach.
Securing the ballot
An auditor dinged the EAC for fuzzy definitions that made it tough to track some election security spending
The issue affected about 20 percent of the $400 million in election security and safety money the Election Assistance Commission distributed in the lead up to the 2020 election. Differences between how states categorized their spending made it difficult for the government to know for sure where those funds went, the Government Accountability Office said.
The EAC said in a response that it had done its best to distribute the funds during just three weeks and EAC prioritized “agile solutions” during the pandemic. Additional reporting from states and the agency’s internal auditor should clear up much of the confusion, the agency said.
Daybook
- Palo Alto Networks chief cloud security officer Matt Chiodi discusses cloud supply chain cyberattacks at a Cyber Threat Alliance event today at 2 p.m.
- Former undersecretary of defense Michèle Flournoy, former Google CEO Eric Schmidt and Shield AI co-founder Brandon Tseng discuss the U.S. military's digital transformation at a Washington Post Live event on Thursday at noon.
- The Aspen Institute’s Commission on Information Disorder launches its final set of recommendations for addressing misinformation and disinformation on Nov. 15 at 3 p.m.
- Homeland Security Secretary Alejandro Mayorkas testifies before the Senate Judiciary Committee on Nov. 16 at 10 a.m.
Secure log off
Thanks for reading. See you tomorrow.