WASHINGTON — Last Wednesday, a few hours before Russian tanks began rolling into Ukraine, alarms went off at Microsoft’s Threat Intelligence Center, warning of a never-before-seen piece of “wiper” malware appearing and targeting the country’s ministries and financial institutions.
Within three hours, Microsoft plunged into the middle of a ground war in Europe – from 5,500 miles away. The threat center, north of Seattle, was on high alert and quickly dissected the malware, named it “FoxBlade” and notified Ukraine’s top cyber defense authority. Within three hours, Microsoft’s virus-detection systems were updated to block the code that wipes – “erases” – data on computers on a network.
Then Tom Burt, Microsoft’s senior executive who oversees the company’s efforts to counter major cyberattacks, reached out to Anne Neuberger, the White House’s deputy national security adviser for cyber and emerging technologies. Ms. Neuberger asked if Microsoft would consider sharing details of the code with the Baltic states, Poland and other European countries, fearing the malware would spread beyond Ukraine’s borders, cripple the military alliance or hit Western European banks.
Before midnight in Washington, Ms. Neuberger had made introductions—and Microsoft began to play the part Ford Motor Company did in World War II, when the company converted car production lines to make Sherman tanks.
After years of discussions in Washington and in tech circles about the need for public-private partnerships to fight destructive cyber-attacks, the war in Ukraine is testing the system. The White House, armed with intelligence from the National Security Agency and the US Cyber Command, oversees secret briefings about Russia’s cyber offensive plans. Even if US intelligence agencies picked up the kind of crippling cyber-attacks someone – presumably Russian intelligence or hackers – threw at the Ukrainian government, they don’t have the infrastructure to act so quickly to block them.
“We are a company and not a government or a country,” Brad Smith, Microsoft’s president, noted in a blog post the company published Monday, describing the threats it faced. But the role it plays, he made clear, is not neutral. He wrote of “constant and close coordination” with the Ukrainian government, as well as federal officials, the North Atlantic Treaty Organization and the European Union.
“I’ve never seen it work like this, or nearly so fast,” Mr. Burt said. “We are now doing in hours what, even a few years ago, would have taken weeks or months.”
Intelligence flows in many directions.
Company executives, some newly armed with security clearances, participate in secure calls to hear a series of briefings hosted by the National Security Agency and the United States Cyber Command, among others, along with UK authorities. But much of the actionable information is found by companies like Microsoft and Google, who can see what’s flowing through their vast networks.
Biden’s aides often point out that it was a private company — Mandiant — that found the “SolarWinds” attack 15 months ago, in which one of Russia’s most cybersavvy intelligence agencies, the SVR, infiltrated network management software used by thousands of US government agencies and private companies. That gave the Russian government unfettered access.
Such attacks have given Russia a reputation as one of the most aggressive and skilled cyber powers. But the surprise of recent days is that Russian activity in that realm has been more muted than expected, researchers said.
Most of the early tabletop exercises about a Russian invasion started with overwhelming cyberattacks, knocking out the internet in Ukraine and perhaps the electrical grid. So far that hasn’t happened.
“Many people are quite surprised that cyber-attacks have not been significantly integrated into Russia’s overall campaign in Ukraine,” said Shane Huntley, director of Google’s threat analysis group. “This is mostly normal practice regarding levels of Russian targeting.”
Mr. Huntley said Google regularly observes Russian attempts to hack into people’s accounts in Ukraine. “The normal level is never actually zero,” he said. But those efforts have not increased remarkably in recent days, as Russia has invaded Ukraine.
“We’ve seen some Russian activity targeting Ukraine; it just wasn’t the big sets,” said Ben Read, director at security firm Mandiant.
It is not clear to US or European officials why Russia kept waiting.
It could be that they tried, but the defenses were stronger than they expected, or that the Russians wanted to reduce the risk of an attack on civilian infrastructure so that a puppet government they installed wouldn’t struggle to rule the country.
But US officials said a massive cyberattack by Russia on Ukraine — or beyond, in retaliation for economic and technological sanctions imposed by the United States and Europe — is hardly off the table. Some speculate that just as Moscow ramps up its indiscriminate bombing campaign, it will try to cause as much economic disruption as possible.
The longer and more effectively Ukrainian resistance holds out against the Russian military, the more Moscow might be tempted to use “the armada of Russian cyber forces,” said Senator Mark Warner, the Virginia Democrat who heads the Senate intelligence committee, in an interview last week.
Meta, the parent company of Facebook, announced on Sunday that it had discovered hackers who took over accounts of Ukrainian military officials and public figures. The hackers tried to use their access to these accounts to spread disinformation by posting videos purporting to show the Ukrainian military surrendering. Meta responded by locking down the accounts and warning the targeted users.
Twitter said it had found signs of hackers trying to compromise accounts on its platform, and YouTube said it had removed five channels posting videos used in the disinformation campaign.
Meta executives said the Facebook hackers were affiliated with a group known as Ghostwriter, which security researchers believe is associated with Belarus.
Ghostwriter is known for its strategy of hacking into the email accounts of public figures and then using that access to compromise their social media accounts as well. The group has been “very active” in Ukraine for the past two months, said Mr. Read, who is investigating the group.
While U.S. officials don’t currently see a direct threat to the United States from ramped-up Russian cyber operations, that calculation could change.
US and European sanctions hit harder than expected. Mr. Warner said Russia could respond “with either direct cyberattacks against NATO countries or, more likely, unleashing in fact all Russian cybercriminals at a massive level for ransomware attacks, which would still allow them to deny their responsibility.”
Russian ransomware criminals carried out a devastating series of attacks in the US last year against hospitals, a meat-processing company and most notably the company that operates gasoline pipelines along the East Coast. While Russia has taken steps in recent months to rein in those groups — after months of meetings between Ms. Neuberger and her Russian counterpart, Moscow made some high-profile arrests in January — it could easily reverse its crackdown.
But President Biden has stepped up his warnings to Russia against any kind of cyber-attack against the United States.
“If Russia pursues cyber-attacks against our companies, our critical infrastructure, we are ready to respond,” Biden said on Thursday.
It was the third time Biden issued such a warning since winning the election. While any Russian attack on the US appears to be a reckless escalation, Rep. Adam B. Schiff, the California Democrat who heads the House Intelligence Committee, noted that Mr. Putin’s decision-making so far has proved poor.
“There is a risk that all the cyber tools that Russia uses in Ukraine will not stay in Ukraine,” he said in an interview last week. “We’ve seen this before, where malware that targets a particular target is released into the wild and then takes on a life of its own. So we could fall victim to Russian malware that goes beyond its intended purpose.”