SEA ISLAND, Georgia – Russia’s premier intelligence agency has launched another campaign to break into thousands of U.S. government computer networks, businesses and think tanks, Microsoft officials and cybersecurity experts warned on Sunday, only months after President Biden imposed sanctions on Moscow in response to a series of sophisticated espionage operations it had carried out around the world.
The new effort is “very important and it is continuing,” Tom Burt, a senior security officer at Microsoft, said in an interview. Government officials have confirmed that the operation, apparently intended to acquire data stored in the cloud, appeared to come from the SVR, the Russian intelligence agency that was the first to break into the Democratic National Committee’s networks during the 2016 election.
While Microsoft has insisted that the percentage of successful breaches is low, it has not provided enough information to gauge how much was actually stolen.
Earlier this year, the White House blamed the SVR for the so-called SolarWinds hack, a highly sophisticated effort to modify software used by government agencies and the country’s largest companies, giving the Russians wide access to 18,000 users. Mr. Biden said the attack had undermined confidence in basic government systems and promised retaliation for both the intrusion and election interference. But when he announced sanctions against Russian financial institutions and tech companies in April, he held back from the harshest measures available.
“I was clear with President Putin that we could have gone further, but I chose not to,” Mr. Biden said at the time, after calling the Russian leader. “Now is the time to defuse.”
U.S. officials insist that the type of attack Microsoft reports falls into the category of espionage that major powers routinely carry out against each other. Yet the operation suggests that even though the two governments say they meet regularly to tackle ransomware and other internet-age ills, the undermining of networks continues at a steady pace in an arms race that accelerated as countries hunted for data on Covid-19 vaccines and a range of industrial and government secrets.
“The spies are going to spy,” John Hultquist, vice president of intelligence analysis at Mandiant, the company that detected the SolarWinds attack, said Sunday at the Cipher Brief Threat Conference in Sea Island, where numerous cyber experts and intelligence officials met. “But what we’ve learned from that is that the SVR, which is very good, doesn’t slow down.”
The success of the latest campaign is unclear. Microsoft said it recently informed more than 600 organizations that they had been the target of approximately 23,000 attempts to access their systems. By comparison, the company said it had detected only 20,500 targeted attacks from “all nation-state actors” in the past three years. Microsoft said a small percentage of the recent attempts were successful, but did not provide details or say how many organizations were compromised.
U.S. officials have confirmed that the operation, which they consider routine espionage, is underway. But they insisted that if it succeeded, Microsoft and similar cloud service providers were largely to blame.
A senior administration official called the latest attacks “ordinary, unsophisticated operations that could have been avoided if cloud service providers had implemented basic cybersecurity practices.”
“There’s a lot we can do,” the official said, “but the responsibility for implementing simple cybersecurity practices to lock down their – and by extension our – digital doors lies with the private sector.”
Government officials have pushed to move more data into the cloud, arguing that it is much easier to protect information there. (Amazon manages the CIA cloud contract; during the Trump administration, Microsoft won a huge contract to move the Pentagon to the cloud, though the Biden administration recently scrapped that program amid a long legal dispute over how it was awarded.)
But the most recent Russian attack, experts said, was a reminder that moving to the cloud is not a cure-all, especially if those who administer cloud operations use insufficient security.
Microsoft said the attack focused on its “resellers,” companies that customize cloud services for businesses or academic institutions. The Russian hackers apparently calculated that if they could infiltrate the resellers, those companies would have high-level access to the data they wanted, whether government emails, defense technology or vaccine research.
The Russian intelligence agency “was attempting to replicate the approach it has used in past attacks by targeting organizations that are integral to the global information technology supply chain,” Burt said.
This supply chain is a prime target of Russian government hackers and, increasingly, of Chinese hackers who are trying to replicate Russia’s most effective techniques.
In the case of SolarWinds at the end of last year, supply chain targeting meant that Russian hackers subtly altered the code of network management software used by businesses and government agencies, surreptitiously inserting the malicious code into updates that were sent to 18,000 users.
Once those users updated to the new version of the software, much as tens of millions of people update an iPhone every few weeks, the Russians suddenly had access to their entire networks.
In the latest attack, the SVR, known as a stealthy operator in the cyberworld, used techniques closer to brute force. As described by Microsoft, the incursion largely involved deploying a huge database of stolen passwords in automated attacks intended to get Russian government hackers into Microsoft’s cloud services. It is a clumsier and less efficient operation, and it would only work if some of Microsoft’s cloud-services resellers had not imposed the cybersecurity practices the company required of them last year.
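The automated password attacks described above have a recognizable shape in sign-in logs: one source tries a handful of guesses against many different accounts, staying below the per-account lockout threshold that a brute force against a single user would trip. As an added example that is not from the article or from Microsoft, the Python below runs a simple detector for that pattern over a constructed sign-in log (the JSON field names, addresses and usernames are assumptions, not any real provider's log schema) and then lists successful sign-ins from a flagged source that were not challenged for a second factor, which is the gap the article says the campaign depended on.

```python
"""Detecting password spraying in sign-in logs.

Added example (not from the article or from Microsoft): flags source IPs that fail
against many distinct accounts with few attempts each, then reports successful
sign-ins from those sources that were not challenged for a second factor.
"""
import json
from collections import defaultdict

# Constructed sample log, one JSON record per line. The field names (ts, ip, user,
# result, mfa) are an assumption modelled loosely on cloud identity-provider
# sign-in logs; real log schemas differ. Addresses are documentation ranges.
SAMPLE_LOG = """\
{"ts": "2021-10-24T03:00:01Z", "ip": "198.51.100.7", "user": "alice@example.test", "result": "failure", "mfa": false}
{"ts": "2021-10-24T03:00:02Z", "ip": "198.51.100.7", "user": "bob@example.test", "result": "failure", "mfa": false}
{"ts": "2021-10-24T03:00:03Z", "ip": "198.51.100.7", "user": "carol@example.test", "result": "failure", "mfa": false}
{"ts": "2021-10-24T03:00:04Z", "ip": "198.51.100.7", "user": "dave@example.test", "result": "failure", "mfa": false}
{"ts": "2021-10-24T03:00:05Z", "ip": "198.51.100.7", "user": "erin@example.test", "result": "failure", "mfa": false}
{"ts": "2021-10-24T03:00:06Z", "ip": "198.51.100.7", "user": "frank@example.test", "result": "failure", "mfa": false}
{"ts": "2021-10-24T03:00:07Z", "ip": "198.51.100.7", "user": "frank@example.test", "result": "success", "mfa": false}
{"ts": "2021-10-24T08:12:00Z", "ip": "203.0.113.9", "user": "grace@example.test", "result": "failure", "mfa": false}
{"ts": "2021-10-24T08:12:09Z", "ip": "203.0.113.9", "user": "grace@example.test", "result": "failure", "mfa": false}
{"ts": "2021-10-24T08:12:20Z", "ip": "203.0.113.9", "user": "grace@example.test", "result": "success", "mfa": true}
{"ts": "2021-10-24T09:00:00Z", "ip": "192.0.2.15", "user": "alice@example.test", "result": "success", "mfa": true}
"""


def parse_log(text):
    """Parse JSON-lines sign-in records, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a production pipeline would count and alert on these
    return events


def find_spray_sources(events, min_accounts=5, max_attempts_per_account=2.0):
    """Return {ip: stats} for sources whose failures look like a password spray.

    A spray tries one or two passwords against many accounts, so the signature is
    many distinct usernames per source with a low failure count per username.
    A brute force against a single account (many failures, one user) is excluded;
    it is a different alert with a different threshold.
    """
    failures = defaultdict(lambda: defaultdict(int))  # ip -> user -> failed attempts
    for e in events:
        if e.get("result") == "failure":
            failures[e["ip"]][e["user"]] += 1

    sprays = {}
    for ip, per_user in failures.items():
        distinct = len(per_user)
        total = sum(per_user.values())
        avg = total / distinct
        if distinct >= min_accounts and avg <= max_attempts_per_account:
            sprays[ip] = {"distinct_accounts": distinct, "failures": total, "avg_attempts": avg}
    return sprays


def successes_without_mfa(events, spray_ips):
    """Sign-ins that succeeded from a spray source without a second factor.

    These are the accounts most likely taken over: a password guess landed and
    nothing else stood in the way. Returned as (user, ip, timestamp) tuples.
    """
    hits = []
    for e in events:
        if e["ip"] in spray_ips and e.get("result") == "success" and not e.get("mfa", False):
            hits.append((e["user"], e["ip"], e["ts"]))
    return hits


def analyse(text):
    """Run both checks over a raw log and return (spray_sources, unprotected_successes)."""
    events = parse_log(text)
    sprays = find_spray_sources(events)
    return sprays, successes_without_mfa(events, sprays)


if __name__ == "__main__":
    sprays, hits = analyse(SAMPLE_LOG)
    for ip, stats in sprays.items():
        print(f"spray source {ip}: {stats}")
    for user, ip, ts in hits:
        print(f"likely compromised: {user} from {ip} at {ts} (no MFA)")
```

On the constructed sample the only flagged source is 198.51.100.7, which touched six accounts once each; the user at 203.0.113.9 who mistyped a password twice is not flagged because the pattern is confined to one account. The one success from the spray source landed on an account that was never asked for a second factor, which is exactly the case that enforced MFA on reseller and tenant accounts would have closed. The thresholds are starting points; tune them against your own sign-in volume, and group by more than source IP (ASN, user agent) if the attacker rotates addresses.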
Microsoft said in a blog post to be released on Monday that it would do more to enforce its resellers’ contractual obligations to put security measures in place.
“What the Russians are looking for is systemic access,” said Christopher Krebs, who headed the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency until he was fired by President Donald J. Trump last year for declaring that the 2020 election had been conducted honestly and without significant fraud. “They don’t want to try to access accounts one by one.”
Federal officials say they are aggressively using Mr. Biden’s new authorities to protect the country from cyber threats, pointing in particular to a new large-scale international effort to disrupt ransomware gangs, many of which are based in Russia. With a new and much larger team of senior officials overseeing the government’s cyber operations, Mr. Biden has tried to impose security changes that should make attacks like the most recent one much harder to pull off.
In response to SolarWinds, the White House announced a series of deadlines for government agencies and all contractors dealing with the federal government to implement a new set of security practices that would make them harder targets for Russian, Chinese, Iranian and North Korean hackers. These included basic steps like requiring a second authentication method to get into an account, similar to the way banks or credit card companies send a code to a cell phone or other device, so that a stolen password alone is not enough.
But compliance with the new standards, although improved, remains uneven. Businesses often resist government mandates or argue that no single set of regulations can meet the challenge of locking down different types of computer networks. An administration effort to force companies to report breaches of their systems to the government within 24 hours, or face fines, has met stiff opposition from corporate lobbyists.