Ignoring Sanctions, Russia Renews Broad Cybersurveillance Operation
The new campaign came only months after President Biden imposed sanctions on Moscow in response to a series of spy operations it had conducted around the world.,
SEA ISLAND, Ga. — Russia’s premier intelligence agency has launched another campaign to pierce thousands of U.S. government, corporate and think-tank computer networks, Microsoft officials and cybersecurity experts warned on Sunday, only months after President Biden imposed sanctions on Moscow in response to a series of sophisticated spy operations it had conducted around the world.
The new effort is “very large, and it is ongoing,” Tom Burt, one of Microsoft’s top security officers, said in an interview. Government officials confirmed that the operation, apparently aimed at acquiring data stored in the cloud, seemed to come out of the S.V.R., the Russian intelligence agency that was the first to enter the Democratic National Committee’s networks during the 2016 election.
While Microsoft insisted that the percentage of successful breaches was small, it did not provide enough information to accurately measure the severity of the theft.
Earlier this year, the White House blamed the S.V.R. for the so-called SolarWinds hacking, a highly sophisticated effort to alter software used by government agencies and the nation’s largest companies, giving the Russians broad access to 18,000 users. Mr. Biden said the attack undercut trust in the government’s basic systems and vowed retaliation for both the intrusion and election interference. But when he announced sanctions against Russian financial institutions and technology companies in April, he pared back the penalties.
“I was clear with President Putin that we could have gone further, but I chose not to do so,” Mr. Biden said at time, after calling the Russian leader. “Now is the time to de-escalate.”
American officials insist that the type of attack Microsoft reported falls into the category of the kind of spying major powers regularly conduct against one another. Still, the operation suggests that even while the two governments say they are meeting regularly to combat ransomware and other maladies of the internet age, the undermining of networks continues apace in an arms race that has sped up as countries sought Covid-19 vaccine data and a range of industrial and government secrets.
“Spies are going to spy,” John Hultquist, the vice president for intelligence analysis at Mandiant, the company that first detected the SolarWinds attack, said on Sunday at the Cipher Brief Threat Conference in Sea Island, where many cyberexperts and intelligence officials met. “But what we’ve learned from this is that the S.V.R., which is very good, isn’t slowing down.”
It is not clear how successful the latest campaign has been. Microsoft said it recently notified more than 600 organizations that they had been the target of about 23,000 attempts to enter their systems. By comparison, the company said it had detected only 20,500 targeted attacks from “all nation-state actors” over the past three years. Microsoft said a small percentage of the latest attempts succeeded but did not provide details or indicate how many of the organizations were compromised.
American officials confirmed that the operation, which they consider routine spying, was underway. But they insisted that if it was successful, it was Microsoft and similar providers of cloud services who bore much of the blame.
A senior administration official called the latest attacks “unsophisticated, run-of-the mill operations that could have been prevented if the cloud service providers had implemented baseline cybersecurity practices.”
“We can do a lot of things,” the official said, “but the responsibility to implement simple cybersecurity practices to lock their — and by extension, our — digital doors rests with the private sector.”
Government officials have been pushing to put more data in the cloud because it is far easier to protect information there. (Amazon runs the C.I.A.’s cloud contract; during the Trump administration, Microsoft won a huge contract to move the Pentagon to the cloud, though the program was recently scrapped by the Biden administration amid a long legal dispute about how it was awarded.)
But the most recent attack by the Russians, experts said, was a reminder that moving to the cloud is no solution — especially if those who administer the cloud operations use insufficient security.
Microsoft said the attack was focused on its “resellers,” firms that customize the use of the cloud for companies or academic institutions. The Russian hackers apparently calculated that if they could infiltrate the resellers, those firms would have high-level access to the data they wanted — whether it was government emails, defense technologies or vaccine research.
The Russian intelligence agency was “attempting to replicate the approach it has used in past attacks by targeting organizations integral to the global information technology supply chain,” Mr. Burt said.
That supply chain is the chief target of the Russian government hackers — and, increasingly, Chinese hackers who are trying to replicate Russia’s most successful techniques.
In the SolarWinds case late last year, targeting the supply chain meant that Russian hackers subtly changed the computer code of network-management software used by companies and government agencies, surreptitiously inserting the corrupted code just as it was being shipped out to 18,000 users.
Once those users updated to a new version of the software — much as tens of millions of people update an iPhone every few weeks — the Russians suddenly had access to their entire network.
In the latest attack, the S.V.R., known as a stealthy operator in the cyberworld, used techniques more akin to brute force. As described by Microsoft, the incursion primarily involved deploying a huge database of stolen passwords in automated attacks intended to get Russian government hackers into Microsoft’s cloud services. It is a messier, less efficient operation — and it would work only if some of the resellers of Microsoft’s cloud services had not imposed some of the cybersecurity practices that the company required of them last year.
Microsoft said in a blog post scheduled to be made public on Monday that it would do more to enforce contractual obligations by its resellers to put security measures in place.
“What the Russians are looking for is systemic access,” said Christopher Krebs, who ran the Cybersecurity and Infrastructure Security Agency at the Department of Homeland Security until he was fired by President Donald J. Trump last year for declaring that the 2020 election had been run honestly and with no significant fraud. “They don’t want to try to pop into accounts one by one.”
Federal officials say that they are aggressively using new authorities from Mr. Biden to protect the country from cyberthreats, particularly noting a broad new international effort to disrupt ransomware gangs, many of which are based in Russia. With a new and far larger team of senior officials overseeing the government’s cyberoperations, Mr. Biden has been trying to mandate security changes that should make attacks like the most recent one much harder to pull off.
In response to SolarWinds, the White House announced a series of deadlines for government agencies, and all contractors dealing with the federal government, to carry out a new round of security practices that would make them harder targets for Russian, Chinese, Iranian and North Korean hackers. Those included basic steps like a second method of authenticating who is entering an account, akin to how banks or credit card companies send a code to a cellphone or other device to ensure that a stolen password is not being used.
But adherence to new standards, while improved, remains spotty. Companies often resist government mandates or say that no single set of regulations can capture the challenge of locking down different kinds of computer networks. An effort by the administration to require companies to report breaches of their systems to the government within 24 hours, or be subject to fines, has run into intense opposition from corporate lobbyists.