WASHINGTON — Last Wednesday, hours before Russian tanks began arriving in Ukraine, alarms went off inside Microsoft’s Threat Intelligence Center, warning of never-before-seen “wiper” malware that appeared to be targeting the country’s ministries and financial institutions.
In less than three hours, Microsoft was thrown into the middle of a ground war in Europe, 5,500 miles away. The Threat Center, north of Seattle, was on high alert, and it quickly identified the malware, named it “FoxBlade” and notified Ukraine’s top cyber defense authority. Within three hours, Microsoft’s virus detection systems had been updated to block the code, which erases — “wipes” — data on computers on a network.
Next, Tom Burt, the senior Microsoft executive who oversees the company’s efforts to counter major cyberattacks, reached out to Anne Neuberger, the White House’s deputy national security adviser for cyber and emerging technologies. Ms. Neuberger asked if Microsoft would consider sharing code details with the Baltics, Poland and other European countries, lest the malware spread beyond Ukraine’s borders, crippling the alliance’s militaries or hitting the banks of Western Europe.
Before midnight in Washington, Ms. Neuberger had made the introductions, and Microsoft had begun to play the role that Ford Motor Company had played during World War II, when the company converted automobile production lines to make Sherman tanks.
After years of talk in Washington and in tech circles about the need for public-private partnerships to fight destructive cyberattacks, the war in Ukraine is testing the system. The White House, armed with intelligence from the National Security Agency and US Cyber Command, is overseeing classified briefings on Russia’s cyberoffensive plans. Even when US intelligence agencies detect the kind of crippling cyberattacks that someone, presumably Russian intelligence agencies or hackers, has launched against the Ukrainian government, they lack the infrastructure to act quickly enough to block them.
“We are a company, not a government or a country,” noted Microsoft President Brad Smith in a blog post the company published on Monday, outlining the threats it saw. But the role the company plays, he said, is not neutral. He spoke of “constant and close coordination” with the Ukrainian government, as well as with federal officials, the North Atlantic Treaty Organization and the European Union.
“I’ve never seen it work this way, or nearly this fast,” Burt said. “We now do in hours what even a few years ago would have taken weeks or months.”
Intelligence flows in many directions.
Company executives, some newly armed with security clearances, join secure calls to hear a series of briefings from the National Security Agency and United States Cyber Command, as well as UK authorities, among others. But much of the actionable intelligence is found by companies like Microsoft and Google, which can see what’s circulating on their vast networks.
Mr. Biden’s aides often note that it was a private company, Mandiant, that uncovered the “SolarWinds” attack 15 months ago, in which one of Russia’s most cyber-savvy intelligence agencies, the SVR, infiltrated the network management software used by thousands of US government agencies and private companies. This gave the Russian government unfettered access.
Such attacks have given Russia a reputation as one of the most aggressive and skilled cyberpowers. But the surprise in recent days is that Russian activity in this area has been more subdued than expected, researchers said.
Most of the early tabletop exercises for a Russian invasion began with overwhelming cyberattacks, knocking out Ukraine’s internet and possibly the power grid. So far this has not happened.
“A lot of people are quite surprised that there isn’t a meaningful integration of cyberattacks into the overall campaign that Russia is undertaking in Ukraine,” said Shane Huntley, director of Google’s Threat Analysis Group. “It’s mostly business as normal, as far as Russian targeting levels go.”
Mr. Huntley said Google regularly observes some Russian attempts to hack accounts of people in Ukraine. “The normal level is never actually zero,” he said. But these attempts have not increased noticeably in the past few days as Russia invaded Ukraine.
“We have seen Russian activities targeting Ukraine; it just hasn’t been the big sets,” said Ben Read, director of security firm Mandiant.
American and European officials do not know why Russia has held back.
It may be that the Russians tried but the defenses were stronger than they expected, or that they wanted to reduce the risk of attacking civilian infrastructure, so that a puppet government they install would have no trouble governing the country.
But US officials have said a massive Russian cyberattack on Ukraine — or beyond, in retaliation for economic and technology sanctions imposed by the United States and Europe — cannot be ruled out. Some speculate that just as Moscow steps up its indiscriminate bombardment, it will seek to cause as much economic disruption as possible.
The longer and more effectively Ukraine’s forces resist the Russian military, the more Moscow might be tempted to start using “the armada of Russian cyberforces,” said Sen. Mark Warner, the Virginia Democrat who heads the Senate Intelligence Committee, in an interview last week.
Meta, Facebook’s parent company, revealed on Sunday that it discovered hackers were taking over accounts belonging to Ukrainian military officials and public figures. The hackers attempted to use their access to these accounts to spread disinformation, posting videos purporting to show the surrender of the Ukrainian military. Meta responded by locking accounts and alerting targeted users.
Twitter said it found signs that hackers were trying to compromise accounts on its platform, and YouTube said it removed five channels that posted videos used in the disinformation campaign.
Meta executives said the Facebook hackers were affiliated with a group known as Ghostwriter, which security researchers believe is associated with Belarus.
Ghostwriter is known for its strategy of hacking public figures’ email accounts and then using that access to compromise their social media accounts as well. The group has been “very active” in Ukraine over the past two months, said Mr Read, who is researching the group.
Although US officials currently do not assess any direct threat to the United States from increased Russian cyber operations, that calculation could change.
American and European sanctions are tougher than expected. Mr. Warner said that Russia could respond “either with direct cyberattacks on NATO countries or, more likely, by unleashing all Russian cybercriminals on ransomware attacks at a massive level that still allows them some deniability.”
Russian ransomware criminal groups carried out a series of devastating attacks in the United States last year against hospitals, a meat processing company and, most notably, the company that operates oil pipelines along the East Coast. While Russia has taken steps to contain these groups in recent months (after months of meetings between Ms. Neuberger and her Russian counterpart, Moscow made high-profile arrests in January), it could easily reverse its crackdown.
But President Biden has stepped up his warnings to Russia against any kind of cyber attack on the United States.
“If Russia pursues cyberattacks against our businesses, our critical infrastructure, we are ready to respond,” Biden said Thursday.
It was the third time Mr. Biden had issued such a warning since winning the election. While any Russian attack on the United States would appear to be a reckless escalation, Rep. Adam B. Schiff, the California Democrat who heads the House Intelligence Committee, noted that Putin’s decision-making so far has turned out to be poor.
“There is a risk that the cyber tools that Russia uses in Ukraine will not stay in Ukraine,” he said in an interview last week. “We’ve seen this before, where malware directed at a certain target is released into the wild and then takes on a life of its own. So we could be victims of Russian malware that has overshot its target.”