The Washington PostDemocracy Dies in Darkness
The Cybersecurity 202

A newsletter briefing on cybersecurity news and policy.

Hopes of Russian help on ransomware are officially dead

The Cybersecurity 202

A newsletter briefing on cybersecurity news and policy.

Placeholder while article actions load

Welcome to The Cybersecurity 202! It seems like Portland, Ore.-based author Nancy Crampton Brophy — who was recently convicted of murdering her husband — did herself no favors by penning an essay titled “How to Murder Your Husband.” 

Below: Cyber lawyer Michael Sussmann was acquitted in the largest test yet for a Trump-era probe into the FBI's investigation into the Trump campaign's Russia ties, and Costa Rica's health-care system is under cyberattack. 

Russia seems to be no longer going after REvil hackers

It’s over. Any lingering hope that Russian President Vladimir Putin might put a stop to the barrage of ransomware attacks hitting U.S. targets is officially dead.

Russian prosecutors appeared poised to suspend the only case they’d ever brought against top-shelf ransomware hackers, the Russian outlet Kommersant reports. The hackers were alleged members of the REvil gang, which U.S. officials have blamed for the largest ever U.S. ransomware attack, which hit IT service provider Kaseya last year. 

The prosecutors are now highly unlikely to bring charges for that or any other REvil hacks that hit U.S. victims, the Russian outlet reported. The prosecutors blamed the United States for not sharing enough information to continue with the cases, according to the Kommersant article, which was titled “America doesn’t care about Russian hackers.”

Adding insult to injury: The prosecutors are mulling a deal to put the hackers to work for state security services “in the fight against hackers from Ukraine.”

  • “The Russians were only going to cooperate if they thought it was in their interest. … And I don’t think they see any benefit right now,” Chris Painter, a former top State Department cyber official, told me. 

The upshot: This means the Biden administration will face an even tougher fight to curtail the damage of ransomware — going up against an enemy that can act with relative impunity as long as its members remain on Russian soil. 

Expectations were never high that a diplomatic approach would work with Russia on ransomware — even inside the Biden administration. But there was some optimism when Russian officials first arrested 14 alleged members of the REvil crew in January, saying the raids were conducted by U.S. request. 

  • The arrests came roughly six months after Biden demanded at a Geneva summit that Putin halt Russia-based ransomware attacks that target U.S. firms in critical sectors, such as finance, pipelines and transportation. He made the demand not long after an attack against Colonial Pipeline by the Russia-based DarkSide gang upended U.S. gas supplies and prompted panic buying.
  • The arrests came when Russia was preparing to attack Ukraine but had not yet launched its invasion. Analysts speculated the arrests may have been intended as a signal that cooperation on ransomware was possible — but only if the United States held back on imposing sanctions or other retaliation once the invasion occurred. That obviously wasn’t a bargain the Biden administration accepted.
  • Most cyber analysts agree that while Russia-based criminal ransomware gangs don’t report directly to the government, they operate with the Kremlin’s tacit approval and Putin could restrict their targets if he chose.

Russia’s reversal essentially brings U.S. officials back to a familiar but increasingly frustrating status quo — one in which they continually push for rules of the road in cyberspace that are routinely ignored by Russia, China and other adversaries. 

  • More than a decade of cyberspace negotiations with those adversaries have yielded almost no significant breakthroughs.
  • The sole exception is a deal former president Barack Obama struck with Chinese President Xi Jinping that restricted cyberespionage conducted solely for the economic benefit of Chinese and U.S. companies. That deal held for about a year, but China largely stopped complying with it early in the Trump administration.

“Things could change and Russia could see it as in their interest to cooperate. None of us can look in a crystal ball and know what’s coming. But that change doesn’t seem probable in the near future,” said Painter, who’s now president of the board of the Global Forum on Cyber Expertise.

What’s next? Without fear of a Russian crackdown, will there be more major ransomware attacks as disruptive as Colonial?

Maybe not.  

Ransomware gangs have their own political and economic considerations to worry about — and it’s generally agreed that hacks that draw a lot of attention from the U.S. government tend to backfire. 

In the case of Colonial, the Justice Department clawed back $2.3 million in ransom money the pipeline paid the DarkSide gang. The gang announced it was going out of business shortly after the attack but later returned under a new name. 

“If you can make a lot of money without generating a lot of heat, you’re generally better off,” Painter said. 

The keys

Jury finds cybersecurity lawyer not guilty of lying to FBI

The federal jury’s decision to acquit cybersecurity lawyer Michael Sussmann is a major setback for special counsel John Durham, who was appointed during the Trump administration to investigate potential wrongdoing by FBI agents who looked into former president Donald Trump’s 2016 campaign, Devlin Barrett reports

“Sussmann was accused of lying to a senior FBI official in September 2016 when he brought the FBI allegations of a secret computer communications channel between the Trump Organization and Russia-based Alfa Bank,” Devlin writes. “FBI agents investigated the data but concluded that there was nothing suspicious about it.” 

  • Durham accused Sussmann of lying to the FBI by telling them that he wasn’t providing the information on behalf of a particular client when, prosecutors say, he was actually doing so on behalf of tech executive Rodney Jaffe and Hillary Clinton’s presidential campaign.
  • Sussmann said that “justice ultimately prevailed in my case,” adding “I’m looking forward to getting back to the work I love.” 
  • Durham said in a statement that “while we are disappointed in the outcome, we respect the jury’s decision and thank them for their service.” 

In the fall, Durham plans on going to trial in a case involving a researcher who is accused of lying to the FBI about research into Trump. The researcher, Igor Danchenko, was a primary source for a 2016 dossier against Trump created by former British spy Christopher Steele.

German regulator warns banks about cyber fallout from Ukraine war

Germany’s financial regulator said it has seen “repeated attacks on IT infrastructure” recently,  Reuters’s Tom Sims and Frank Siebelt report

The statement marks an escalation in the regulator’s warnings about cyberattacks in the wake of Russia’s invasion of Ukraine — though it said many of the attacks came in the form of malicious traffic trying to overload websites, a relatively unsophisticated type of attack.

Banks are especially worried about being targeted for potential retaliation because of their countries’ moves to isolate Russia from the international financial system and Western markets

European banking executives have put their cybersecurity teams on alert. They have also become increasingly worried that the Brussels-based payment messaging system Swift could be targeted, the Financial Times reported in March. Swift, which connects banks and is vital to the international financial system, told the outlet that it takes its cybersecurity seriously.

Costa Rica health-care systems go down after hack

Costa Rica’s Social Security Fund (CCSS) had to shut down its online records system, affecting more than 1,000 hospitals, Reuters’s Alvaro Murillo reports. Government officials say they expect the system to be down for days.

“It was an exceptionally violent attack, but we have no evidence that a critical database or system was compromised,” Social Security Fund President Alvaro Ramos said at a news conference. 

A copy of the ransom notice indicates the attack was done by a group known as Hive, journalist Brian Krebs reports

The attack comes as Costa Rica reels from a broader cyberattack against government agencies. Costa Rica President Rodrigo Chaves declared a national emergency over the hacks by the Conti ransomware group. Conti has seemingly shut down with analysts suggesting the Costa Rica hack was a diversion while the group restructured behind the scenes.

Ransomware experts say there is good reason to believe the same cybercriminals are behind both attacks, and that Hive has been helping Conti rebrand and evade international sanctions targeting extortion payouts to cybercriminals operating in Russia,” Krebs writes.

Government scan

Correction: This item has been corrected to note the authors are graduate students.

Is 85 percent of critical infrastructure owned by the private sector? Not really.

It’s a standard talking point for cyber policy wonks that roughly 85 percent of critical infrastructure systems, such as energy plants and water utilities, are owned by the private sector. The figure is routinely trotted out to argue that government can only facilitate good cyber protections in many cases rather than taking the lead. 

But the figure is rarely put to the test. 

In fact, the public-private split varies a lot from sector to sector and publicly owned firms often serve a majority of Americans, according to a recent capstone project at George Washington University’s Elliott School of International Affairs. 

For example: Just 23 percent of Florida water utilities are publicly owned, but those utilities serve 92 percent of Floridians. 

The authors, Jacob Azrilyant, Melissa Sidun and Mariami Dolashvili, are graduate students who conducted research in coordination with the Cybersecurity and Infrastructure Security Agency (CISA) and with guidance from former government cyber official Paul Rosenzweig and Bob Kolasky, who was then a top CISA official. 

Check out the full paper here.

Seven years in the making, DHS's new cyber talent system boasts just one hire (FCW)

Space Force finally rolls out cyber standards for commercial SATCOM providers (Air Force Magazine)

Securing the ballot

Wealthy mobile voting advocate targets Charles Allen with negative ads over legislative dispute (Washington City Paper)

They insisted the 2020 election was tainted. Their 2022 primary wins? Not so much. (The New York Times)

Help wanted: State misinformation sheriff (The New York Times)

After partisan Arizona election review, election believers pitch new laws for better audits (Arizona Republic)

Global cyberspace

Ukrainian officials report 'shutdown of all communications' in Kherson region (Reuters)

Ukraine joins its first NATO cyber defense center meeting (The Hill)

Chinese Firm That Accused NSA of Hacking Has Global Ambitions (By Jamie Tarabay and Sarah Zheng | Bloomberg)

Cyber insecurity

Cybercriminal scams City of Portland, Ore. for $1.4 million (The Record)

The underground company that hacks iPhones for ordinary consumers (Motherboard)

New York couple accused of laundering $4.5 bln in crypto still in plea talks (Reuters)

Industry report

Why Commerce went against Microsoft on rule to control cyber exploits (NextGov)

On the move

  • Nicky Vogt has joined Moody’s as an assistant vice president for communications. Vogt previously worked as a senior adviser for public affairs at CISA.


  • FBI Director Christopher A. Wray and CISA Executive Director Brandon Wales speak at a Boston College cybersecurity conference today.
  • The R Street Institute hosts an event on the path forward for a federal privacy law today at noon.
  • The Atlantic Council hosts an event on the upcoming election for secretary general of the International Telecommunications Union on Thursday at noon.
  • National Cyber Director Chris Inglis speaks at a Foundation for Defense of Democracies event on Thursday at 2 p.m.
  • NATO Secretary General Jens Stoltenberg discusses cybersecurity at an event hosted by the Johns Hopkins School of Advanced International Studies on Thursday at 11 a.m.
  • The Atlantic Council’s Digital Forensic Research Lab hosts a two-day summit starting June 6. 
  • The Senate Homeland Security Committee hosts a hearing on ransomware and cryptocurrency payments on June 7 at 10 a.m. 

Secure log off

Thanks for reading. See you tomorrow.