Tech companies help protect Ukraine from cyberattacks

WASHINGTON — Hours before Russian tanks began rolling into Ukraine last Wednesday, an alarm went off in Microsoft’s Threat Intelligence Center warning of a never-before-seen piece of “wiper” malware that targeted the country’s government ministries and financial institutions.

Within three hours, Microsoft had thrown itself into the heart of a European ground war from 5,500 miles away. The Threat Center north of Seattle was on high alert, and it quickly located the malware, named it “FoxBlade” and notified Ukraine’s top cyber defense authorities. Within three hours, Microsoft’s virus detection systems were updated to block the code, which erases, or “wipes,” data on computers on the network.

Then Tom Burt, Microsoft’s senior executive who oversees the company’s efforts to counter major cyberattacks, contacted Anne Neuberger, the White House’s deputy national security adviser for cyber and emerging technologies. Ms. Neuberger asked if Microsoft would consider sharing the details of the code with the Baltics, Poland and other European countries due to concerns that the malware would spread outside of Ukraine, damaging the military alliance or hitting Western European banks.

Before midnight in Washington, Ms. Neuberger introduced herself, and Microsoft began to play the role Ford Motor Company played in World War II when the company converted vehicle production lines to produce Sherman tanks.

After years of discussion in Washington and in tech circles about the need for public-private partnerships to combat devastating cyberattacks, the war in Ukraine is putting the system through a stress test. The White House, armed with intelligence from the National Security Agency and US Cyber Command, is watching secret briefings on Russian cyber offensive plans. Even if U.S. intelligence agencies have recorded devastating cyberattacks that someone — presumably Russian intelligence agencies or hackers — has staged against the government of Ukraine, they don’t have the infrastructure to act fast enough to block them.

“We are a company, not a government or a country,” said Brad Smith, president of Microsoft, in a blog post released by the company on Monday, describing the threats it faced. But the role he plays, he explained, is not neutral. He wrote of “permanent and close coordination” with the Ukrainian government, as well as federal officials, the North Atlantic Treaty Organization and the European Union.

“I’ve never seen it work this or nearly that fast,” Mr. Burt said. “Now we do things in hours that even a few years ago would have taken weeks or months.”

Intelligence flows in many directions.

Company executives, some of whom have recently received security clearances, are joining secure calls to hear a series of briefings organized by the National Security Agency and US Cyber Command, as well as by British authorities and others. But most of the useful information is in the hands of companies like Microsoft and Google, who can see what’s going on in their vast networks.

Biden’s aides often point out that it was the private firm Mandiant that discovered the SolarWinds attack 15 months ago, in which one of Russia’s most experienced intelligence agencies, the SVR, infiltrated network management software used by thousands of US government agencies and private enterprises. This gave the Russian government unfettered access.

Such attacks have earned Russia a reputation as one of the most aggressive and experienced cyber powers. But the surprise of recent days is that Russian activity in this area has been more muted than expected, the researchers say.

The earliest tabletop exercise about the Russian invasion began with a massive cyberattack that shut down the internet in Ukraine and possibly the power grid. So far, that has not happened.

“Many are quite surprised that cyberattacks are not heavily integrated into the overall campaign that Russia is conducting in Ukraine,” said Shane Huntley, director of the Google Threat Intelligence Group. “That’s basically normal, as is the level of targeting Russia.”

Updated February 28, 2022, 8:14 pm ET

Mr. Huntley said that Google regularly monitors some of Russia’s attempts to hack people’s accounts in Ukraine. “The normal level is never actually zero,” he said. But over the past few days, the number of such attempts has not markedly increased since Russia invaded Ukraine.

“We are seeing some Russian activity in relation to Ukraine; it just wasn’t a big set,” said Ben Read, director of security firm Mandiant.

American and European officials do not understand why Russia is slow.

Perhaps they tried, but the defenses were stronger than they expected, or the Russians wanted to reduce the risk of attacking civilian infrastructure so that the puppet government they had installed would not struggle to rule the country.

But US officials have said a massive Russian cyberattack against Ukraine or beyond it, in retaliation for economic and technological sanctions imposed by the United States and Europe, is unlikely. Some suggest that as Moscow intensifies its indiscriminate bombing, it will seek to cause as much economic disruption as possible.

The longer and more effectively the Ukrainian resistance holds out against the Russian army, the more Moscow may be tempted to start using the “armada of Russian cyber forces,” Senator Mark Warner, a Virginia Democrat who chairs the Senate Intelligence Committee, said in an interview last week.

Meta, the parent company of Facebook, said on Sunday that it had discovered hackers hacking into accounts belonging to Ukrainian military and public figures. The hackers tried to use their access to these accounts to spread disinformation by posting videos that allegedly showed the surrender of the Ukrainian military. Meta responded by banning accounts and warning targeted users.

Understand Russia’s attack on Ukraine

What is at the heart of this invasion? Russia considers Ukraine part of its natural sphere of influence, and is unnerved by Ukraine’s proximity to the West and the prospect of Ukraine joining NATO or the European Union. Although Ukraine is not part of either, it receives financial and military assistance from the US and Europe.

Are these frictions just beginning now? Antagonism between the two countries has simmered since 2014, when Russian troops crossed into Ukraine after an uprising in Ukraine replaced a Russian-friendly president with a pro-Western government. Then, Russia annexed Crimea and inspired a separatist movement in the east. A ceasefire was signed in 2015, but fighting continued.

How did Ukraine react? On February 23, Ukraine declared a state of emergency for 30 days as cyberattacks disabled government institutions. After the attacks began, Ukrainian President Volodymyr Zelensky declared martial law. The foreign minister called the attacks a “full-scale invasion” and called on the world to “stop Putin.”

Twitter said it found signs that hackers were trying to break into accounts on its platform, and YouTube said it removed five channels that hosted videos used in the disinformation campaign.

Meta executives said the Facebook hackers were linked to a group known as Ghostwriter, which security researchers believe is linked to Belarus.

Ghostwriter is known for its strategy of hacking into the email accounts of famous figures and then using that access to hack into their social media accounts. According to Mr. Read of Mandiant, the group has been “very active” in Ukraine over the past two months.

While US officials do not currently assess any direct threat to the United States from increased Russian cyber operations, that calculation could change.

US and European sanctions are stronger than expected. Mr. Warner said Russia could respond “either with direct cyberattacks against NATO countries or, more likely, actually provoke all Russian cybercriminals into mass-level ransomware attacks, which still allows them to deny responsibility to some extent.”

Last year, Russian ransomware crime groups carried out a series of devastating attacks in the United States on hospitals, a meatpacking company and, most notably, a company operating gas pipelines along the East Coast. Russia has taken steps in recent months to rein in these groups: after months of meetings between Ms. Neuberger and her Russian counterpart, Moscow made some high-profile arrests in January. But it could easily reverse its efforts to crack down.

But President Biden stepped up his warnings to Russia against any cyberattacks on the United States.

“If Russia continues cyberattacks on our companies, our critical infrastructure, we are ready to respond,” Mr. Biden said Thursday.

This was the third time Mr. Biden has issued such a warning since winning the election. While any Russian attack on the US seems like a reckless escalation, Rep. Adam B. Schiff, a California Democrat who chairs the House Intelligence Committee, said Mr. Putin has made bad decisions so far.

“There is a risk that any cyber tools that Russia uses in Ukraine will not stay in Ukraine,” he said in an interview last week. “We’ve seen this before, when targeted malware is released into the wild and then takes on a life of its own. Thus, we can become a victim of Russian malware that goes beyond the intended purpose.”