WASHINGTON – Two weeks after President Biden met with President Vladimir V. Putin of Russia and demanded that he control the constant cyberattacks directed at American targets, the U.S. and British intelligence agencies on Thursday laid out the details of what they called a global effort by the Russian military intelligence organization to break into government organizations, defense contractors, universities and media companies.
The operation, described as crude but comprehensive, is “almost certainly underway,” the National Security Agency and its British counterpart, known as GCHQ, said in a statement. They identified the Russian intelligence agency, or GRU, as the same group that hacked into the Democratic National Committee and published emails in an effort to influence the 2016 presidential election in favor of Donald J. Trump.
Thursday’s disclosure is an attempt to expose Russian hacking techniques, rather than new attacks, and includes pages of technical details to allow potential targets to identify that a breach is taking place. Many of the GRU’s actions, including an effort to recover data stored in Microsoft’s Azure cloud services, have already been documented by private cybersecurity companies.
But the political significance of the statement is greater: if the GRU attacks subside, it may well amount to a first test of whether Biden’s message to Putin at the Geneva summit was assimilated. There, Biden handed him a list of 16 “critical infrastructure” areas in the United States and said he would not tolerate continued Russian cyberattacks. But he also called for a general decrease in infringements originating on Russian territory.
“We will find out if we have a cybersecurity deal that starts to bring some order,” Biden said at the end of the meeting, just minutes after Putin declared that the United States, not Russia, was the most important source of cyberattacks around the world. Biden also repeatedly said he was not sure Putin would respond to the American warning or the series of related financial sanctions imposed on Moscow over the past five years.
According to administration officials, neither the White House nor the intelligence agencies intended the notice to be a follow-up to the summit. Instead, it was issued as part of routine National Security Agency warnings about nation-state threats, said Charlie Stadtlander, an agency spokesman, “not in response to any recent international meetings.”
But that is unlikely to matter to Putin or the GRU as they try to assess the steps the Biden administration is willing to take to curb their cyber campaigns.
Jake Sullivan, the national security adviser, said days after the summit that it could take months to determine whether the warning to Putin resulted in a change in behavior. “We set the measure on whether, over the next six to 12 months, attacks on our critical infrastructure actually decrease from Russia,” he told CBS. “The proof of the pudding will be in the eating, so we’ll see in the course of the next few months.”
It was unclear from data provided by the National Security Agency how many of the targets of the GRU unit, also known as Fancy Bear or APT 28, could be on the list of critical infrastructure, which is maintained by the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency. At the time of the attacks on the electoral system in 2016, electoral systems, including voting machines and registration systems, were not on the list and were added in the last days of the Obama administration. US intelligence agencies later said that Putin had directly approved of the 2016 attacks.
But the National Security Agency statement identified energy companies as a primary target, and Biden specifically cited them in his conversations with Putin, pointing to the ransomware attack that led to Colonial Pipeline shutting down in May and halting delivery of gasoline, diesel and jet fuel along the East Coast. That attack was not from the Russian government, Biden said at the time, but from a criminal gang operating out of Russia.
In recent years, the National Security Agency has more aggressively attributed cyberattacks to specific countries, particularly those of adversarial intelligence agencies. But in December, it was caught off guard by the most sophisticated attack on the United States in years, the SolarWinds hack, which affected federal agencies and many of the nation’s largest companies. That attack, which the National Security Agency later said was carried out by the SVR, a competing Russian intelligence agency that was an offshoot of the KGB, successfully altered the code in popular network management software, and thus on the computer networks of 18,000 companies and government agencies.
There is nothing particularly unusual about the methods the United States says the Russian intelligence unit used. The GRU unit used no custom malware or unknown exploits. Instead, the group uses common malware and the most basic techniques, such as brute-force password spraying, which relies on passwords that have been stolen or leaked to gain access to accounts.
The statement did not identify the targets of the recent GRU attacks, but said they included government agencies, political consultants, party organizations, universities and think tanks.
The attacks appear to be primarily related to intelligence and information gathering. The National Security Agency did not specify the ways that Russian hackers damaged the systems.
The recent wave of GRU attacks has been going on for a relatively long time, starting in 2019 and continuing through this year.
Once inside, GRU hackers would gain access to protected email and data, as well as cloud services used by the organization.
The hackers were responsible for the main breach of the Democratic National Committee in 2016 that resulted in the theft and release of documents intended to damage the Hillary Clinton campaign.
On Thursday, the National Security Agency released a list of evasion and exfiltration techniques that the GRU used, in order to help information technology managers identify and stop attacks by the hacking group.
That lack of sophistication means that fairly basic measures, such as multi-factor authentication, time-out locks, and temporary account deactivation after entering incorrect passwords, can effectively block brute force attacks.