Russia’s premier intelligence agency has launched another campaign to pierce thousands of US government, corporate and think-tank computer networks, Microsoft officials and cybersecurity experts warned Sunday, only months after President Joe Biden imposed sanctions on Moscow in response to a series of sophisticated spy operations it had conducted around the world.
The new effort is “very large, and it is ongoing,” said Tom Burt, one of Microsoft’s top security officers. Government officials confirmed that the operation, apparently aimed at acquiring data stored in the cloud, seemed to come out of the SVR, the Russian intelligence agency that was the first to enter the Democratic National Committee’s networks during the 2016 election. But the officials cautioned that there was little evidence it had been broadly successful at stealing data from US and other Western targets.
Earlier this year, the White House blamed the SVR for the so-called SolarWinds hacking, a highly sophisticated effort to alter software used by government agencies and the nation’s largest companies, giving the Russians broad access to 18,000 users. Biden said the attack undercut trust in the government’s basic systems and vowed retaliation for both the intrusion and election interference. But when he announced sanctions against Russian financial institutions and technology companies in April, he pared back the penalties.
“I was clear with President Putin that we could have gone further, but I chose not to do so,” Biden said at the time, after calling Russian leader Vladimir Putin. “Now is the time to de-escalate.”
US officials insist that the type of attack Microsoft reported falls into the category of the kind of spying major powers regularly conduct against one another. Still, the operation suggests that even while the two governments say they are meeting regularly to combat ransomware and other maladies of the internet age, the undermining of networks continues apace in an arms race that has sped up as countries sought COVID-19 vaccine data and a range of industrial and government secrets.
“Spies are going to spy,” John Hultquist, the vice president for intelligence analysis at Mandiant, the company that first detected the SolarWinds attack, said Sunday at the Cipher Brief Threat Conference in Sea Island, where many cyberexperts and intelligence officials met. “But what we’ve learned from this is that the SVR, which is very good, isn’t slowing down.”
It is not clear how successful the latest campaign has been. Microsoft said it recently notified more than 600 organizations that they had been the target of about 23,000 attempts to enter their systems. By comparison, the company said it had detected only 20,500 targeted attacks from “all nation-state actors” over the past three years. Microsoft said a small percentage of the latest attempts succeeded but did not provide details or indicate how many of the organizations were compromised.
US officials confirmed that the operation, which they consider routine spying, was underway. But they insisted that if it was successful, it was Microsoft and similar providers of cloud services who bore much of the blame.
A senior administration official called the latest attacks “unsophisticated, run-of-the-mill operations that could have been prevented if the cloud service providers had implemented baseline cybersecurity practices.”
“We can do a lot of things,” the official said, “but the responsibility to implement simple cybersecurity practices to lock their — and by extension, our — digital doors rests with the private sector.”
Government officials have pushed to put more data in the cloud because it is far easier to protect information there. (Amazon runs the CIA’s cloud contract; during the Trump administration, Microsoft won a huge contract to move the Pentagon to the cloud, though the program was recently scrapped by the Biden administration amid a long legal dispute about how it was awarded.)
But the most recent attack by the Russians, experts said, was a reminder that moving to the cloud is no solution — especially if those who administer the cloud operations use insufficient security.
Microsoft said the attack was focused on its “resellers,” firms that customize the use of the cloud for companies or academic institutions. The Russian hackers apparently calculated that if they could infiltrate the resellers, those firms would have high-level access to the data they wanted — whether it was government emails, defense technologies or vaccine research.
The Russian intelligence agency was “attempting to replicate the approach it has used in past attacks by targeting organizations integral to the global information technology supply chain,” Burt said.
That supply chain is the chief target of the Russian government hackers — and, increasingly, Chinese hackers who are trying to replicate Russia’s most successful techniques.
In the SolarWinds case late last year, targeting the supply chain meant that Russian hackers subtly changed the computer code of network-management software used by companies and government agencies, surreptitiously inserting the corrupted code just as it was being shipped out to 18,000 users.
Once those users updated to a new version of the software — much as tens of millions of people update an iPhone every few weeks — the Russians suddenly had access to their entire network.
In the latest attack, the SVR, known as a stealthy operator in the cyberworld, used techniques more akin to brute force. As described by Microsoft, the incursion primarily involved deploying a huge database of stolen passwords in automated attacks intended to get Russian government hackers into Microsoft’s cloud services. It is a messier, less efficient operation — and it would work only if some of the resellers of Microsoft’s cloud services had not imposed some of the cybersecurity practices that the company required of them last year.
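The technique described above, replaying a large database of stolen passwords against cloud sign-in endpoints, leaves a recognizable trace for defenders: one source address cycles through many distinct accounts with only one or two attempts each, staying under lockout thresholds. The following detector is an added example, not code from the article, from Microsoft or from any vendor; it runs over constructed sign-in log lines (the line format, the addresses and the account names are assumptions made for illustration) and flags sources whose failure pattern fits a spray, then reports any account that later signed in successfully from the same source, which is the case a second authentication factor would have stopped.

```python
"""Password-spray detector over sign-in logs (added example, constructed data)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import re

# Constructed sample events, not real telemetry. 203.0.113.5 tries six accounts
# once each from a stolen-password list and then signs in as one of them;
# 198.51.100.7 is an ordinary user mistyping a password before getting it right.
SAMPLE_LOG = """\
2021-10-24T03:12:01Z src=203.0.113.5 user=alice@example.org result=FAILURE
2021-10-24T03:12:02Z src=203.0.113.5 user=bob@example.org result=FAILURE
2021-10-24T03:12:03Z src=203.0.113.5 user=carol@example.org result=FAILURE
2021-10-24T03:12:04Z src=203.0.113.5 user=dave@example.org result=FAILURE
2021-10-24T03:12:05Z src=203.0.113.5 user=erin@example.org result=FAILURE
2021-10-24T03:12:06Z src=203.0.113.5 user=frank@example.org result=FAILURE
2021-10-24T03:14:00Z src=203.0.113.5 user=frank@example.org result=SUCCESS
2021-10-24T03:15:10Z src=198.51.100.7 user=grace@example.org result=FAILURE
2021-10-24T03:15:20Z src=198.51.100.7 user=grace@example.org result=FAILURE
2021-10-24T03:15:31Z src=198.51.100.7 user=grace@example.org result=FAILURE
2021-10-24T03:15:45Z src=198.51.100.7 user=grace@example.org result=SUCCESS
"""

# Assumed log line layout: "<ISO-8601 UTC> src=<ip> user=<account> result=SUCCESS|FAILURE"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>SUCCESS|FAILURE)$"
)


@dataclass
class Event:
    ts: datetime
    src: str
    user: str
    success: bool


def parse_log(text):
    """Parse log text into Event objects, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(Event(ts, m["src"], m["user"], m["result"] == "SUCCESS"))
    return events


def detect_spray(events, window=timedelta(minutes=10), min_accounts=5, max_tries_per_account=2.0):
    """Flag sources that fail against many distinct accounts with few tries each.

    A spray is distinguished from a forgotten password by breadth (many accounts)
    and shallowness (low failures-per-account, which keeps each account below
    lockout). For a flagged source, also list accounts that later succeeded.
    """
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_src[e.src].append(e)

    findings = {}
    for src, evs in by_src.items():
        failures = [e for e in evs if not e.success]
        best = None
        start = 0
        # Sliding time window over this source's failures.
        for end in range(len(failures)):
            while failures[end].ts - failures[start].ts > window:
                start += 1
            chunk = failures[start:end + 1]
            users = {e.user for e in chunk}
            if len(users) >= min_accounts and len(chunk) / len(users) <= max_tries_per_account:
                if best is None or len(users) > best["accounts_tried"]:
                    best = {
                        "accounts_tried": len(users),
                        "failures": len(chunk),
                        "window_start": chunk[0].ts,
                    }
        if best:
            first = best.pop("window_start")
            # Any success from the same source after the spray began is the
            # account the stolen credential worked against.
            best["succeeded_after_spray"] = sorted(
                {e.user for e in evs if e.success and e.ts >= first}
            )
            findings[src] = best
    return findings


def analyze_sample():
    """Run the detector over the constructed sample log."""
    return detect_spray(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for src, f in analyze_sample().items():
        print(f"{src}: {f['accounts_tried']} accounts, {f['failures']} failures, "
              f"succeeded after spray: {f['succeeded_after_spray']}")
```

The thresholds (five accounts within ten minutes, at most two tries per account) are tuning knobs, not standards; real sign-in telemetry from a cloud identity provider carries more fields (client application, user agent, MFA result) that make the signal sharper, and the same per-source grouping applies to them. In this sample the spraying source is flagged and `frank@example.org` is reported as the account that signed in afterwards, while the single user retrying one account is not flagged.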
Microsoft said in a blog post scheduled to be made public Monday that it would do more to enforce contractual obligations by its resellers to put security measures in place.
“What the Russians are looking for is systemic access,” said Christopher Krebs, who ran the Cybersecurity and Infrastructure Security Agency at the Department of Homeland Security until he was fired by President Donald Trump last year for declaring that the 2020 election had been run honestly and with no significant fraud. “They don’t want to try to pop into accounts one by one.”
Federal officials say that they are aggressively using new authorities from Biden to protect the country from cyberthreats, particularly noting a broad new international effort to disrupt ransomware gangs, many of which are based in Russia. With a new and far larger team of senior officials overseeing the government’s cyberoperations, Biden has been trying to mandate security changes that should make attacks like the most recent one much harder to pull off.
In response to SolarWinds, the White House announced a series of deadlines for government agencies, and all contractors dealing with the federal government, to carry out a new round of security practices that would make them harder targets for Russian, Chinese, Iranian and North Korean hackers. Those included basic steps like a second method of authenticating who is entering an account, akin to how banks or credit card companies send a code to a cellphone or other device to ensure that a stolen password is not being used.
But adherence to new standards, while improved, remains spotty. Companies often resist government mandates or say that no single set of regulations can capture the challenge of locking down different kinds of computer networks. An effort by the administration to require companies to report breaches of their systems to the government within 24 hours, or be subject to fines, has run into intense opposition from corporate lobbyists.