Biden faces ‘moment of reckoning’ over sprawling Russian cyberassault
The government’s cyber defenders face a daunting challenge: pressuring Russian President Vladimir Putin to crack down on criminal hacker gangs.
Russian cybercriminals’ latest massive ransomware attack is placing new pressure on President Joe Biden to follow through on his promise to make Moscow pay for turning a blind eye to digital assaults emanating from within its borders.
The cyberattack disclosed Friday on IT management software maker Kaseya, which may have affected as many as 1,500 companies whose vendors were using Kaseya’s product, prompted emergency meetings over the weekend between the FBI, DHS’ Cybersecurity and Infrastructure Security Agency and other agencies, as officials scrambled to assess the scale of the damage.
But while the government’s cyber defenders help affected companies recover their computer systems, senior Biden administration officials face a more daunting challenge: pressuring Russian President Vladimir Putin to crack down on criminals such as the REvil gang that took credit for infecting Kaseya with ransomware.
After two ransomware attacks snarled the U.S. gasoline and meat supplies in May, Biden vowed to “take action,” potentially through the United States’ “significant cyber capability,” if Russia continued to shelter ransomware gangs in violation of international norms. But REvil’s holiday-weekend breach of hundreds or thousands of companies, from Kaseya to its own customers to those firms’ clients, suggests that Putin didn’t take Biden’s threat seriously.
As details continued to emerge about the range of companies hacked through the Kaseya operation, Biden and his appointees declined to say whether the attack had crossed any sort of red line and remained vague about the administration’s next steps.
"It appears to have caused minimal damage to U.S. businesses but we're still gathering information to the full extent of the attack," Biden told reporters Tuesday, while promising to "have more to say about this in the next several days."
"I feel good about our ability to be able to respond," he added.
Earlier Tuesday, White House press secretary Jen Psaki told reporters that U.S. and Russian officials have discussed the Kaseya attack at a “high level” and plan to meet next week to discuss ransomware.
“If the Russian government cannot or will not take action against criminal actors [residing] in Russia, we will take action … on our own,” she said.
That response is unlikely to satisfy policymakers who say only bold action can deliver the wakeup call that Putin needs to receive.
“We’re facing a moment of reckoning when it comes to deterrence,” House Homeland Security ranking member John Katko (R-N.Y.) told the Daily Mail on Monday. “Adversaries like Russia are creating safe havens for bad actors and we must project strength.”
Biden on Wednesday will “convene key leaders” from multiple agencies, including the departments of State, Justice and Homeland Security and the intelligence community, “to discuss ransomware and our overall strategic efforts to counter it,” Psaki said.
So far, the Kaseya attack appears to be different from May’s digital strikes on Colonial Pipeline and the meatpacking giant JBS, at least in one key aspect: it has not affected the critical infrastructure facilities, such as power plants or hospitals, that Biden declared off-limits in his June 16 meeting with Putin in Geneva.
In fact, no major U.S. business has yet been identified among the many victims of the Kaseya breach. The most visible impact to date has been the shutdown of a Swedish supermarket chain. That also sets this attack apart from past major global ransomware outbreaks, which in recent years have crippled targets ranging from Pfizer to the shipping giant Maersk.
“In terms of critical function consequences we aren’t seeing anything at this stage,” said a U.S. official who requested anonymity to discuss an ongoing cyber incident.
A second U.S. official said the attack probably didn’t cross any administration red lines, both because it didn’t appear to target critical infrastructure and because there was no clear link to the Kremlin. But this official also said the administration needs to be clearer with the Russians about what its red lines truly are.
In remarks to reporters Saturday during a trip to Michigan, Biden appeared to focus on whether the Kremlin was directly responsible for the attack. “The initial thinking was it was not the Russian government, but we’re not sure yet,” the president said.
Still, some cyber researchers quickly labeled the Kaseya operation a major cyberattack — and an insidious one, given that, once again, the hackers exploited a trusted software provider to deliver their malware.
The government is “still trying to understand the extent of the issue,” according to a DHS official, who likewise requested anonymity given the matter’s sensitivity. “There's not currently a good way for CISA to know who is affected and how badly.”
Kaseya has been “very responsive” to federal inquiries, the first U.S. official said, calling the relationship “very good thus far.”
Even so, the attack is likely to fuel congressional efforts to mandate more reporting of cyber incidents, which experts say is vital for improving the government’s understanding of evolving threats. A bipartisan group of senators is preparing to introduce legislation after the upper chamber returns from its recess next week, and in the House, Democrats on the Homeland Security Committee are preparing their own bill.
Alex Ward, Jonathan Custodio and Nahal Toosi contributed to this report.