President Joe Biden warned President Vladimir Putin of Russia on Friday that time was running out for him to rein in the ransomware groups striking the United States, telegraphing that this could be Putin’s final chance to take action on Russia’s harbouring of cybercriminals before the United States moved to dismantle the threat.
In Biden’s starkest warning yet, he conveyed in a phone call to Putin that the attacks would no longer be treated only as criminal acts, but as national security threats — and thus may provoke a far more severe response, administration officials said. It is a rationale that has echoes of the legal justification used by the United States and other nations when they cross inside another country’s borders to rout terrorist groups or drug cartels.
“I made it very clear to him that the United States expects when a ransomware operation is coming from his soil, even though it’s not sponsored by the state, we expect them to act if we give them enough information to act on who that is,” Biden told reporters.
Later, as he was leaving for Delaware for the weekend, Biden appeared to specify one of the ways the United States could respond. Asked if it might attack the servers Russian cybercriminals have used to hijack American networks — meaning knock them offline — Biden responded, “Yes,” according to a pool report.
The heightened tension over the ransomware attacks highlights the complexity of a new type of conflict unfolding between the United States and Russia, one in which the well-established rules and understandings of the Cold War no longer apply. Administration officials say Biden is conscious of the need to avoid an escalating series of actions that could damage both nations, but also of maintaining his credibility after repeatedly warning Putin, so far without success.
The very nature of the attacks also makes responding and deterring them difficult. While the ransomware criminals, in this case, may be operating from Russian territory as they devise their attacks and collect their ransoms in cryptocurrency transactions, the attacks themselves can be launched from computer servers anywhere around the world. And unlike US military incursions into Afghanistan to rout terrorists, or joint drug enforcement actions in Colombia or Mexico to dismantle drug cartels, the United States is not protected from retaliation by oceans or missile defences when it comes to cyberattacks.
Biden is under increasing pressure to take action to stem the costly hacks that threaten critical US infrastructure. After weeks of generic warnings and diplomatic manoeuvring, the phone call on Friday appeared to be a pointed ultimatum in advance of some kind of effort to dismantle the criminal enterprises that have threatened the flow of gasoline, the production of beef and now the networks that connect American businesses.
But that would be a complex and potentially risky task. Briefing reporters after the call between the two leaders, a senior administration official said any actions would be a mix of clandestine and public. “Some of them will be manifest and visible,” said the official, who spoke on the condition of anonymity. “Some of them may not be. But we expect that those take place in the days and weeks ahead.”
Biden’s ultimatum was prompted by a sophisticated ransomware attack last weekend by the Russian-speaking ransomware group Ravil, short for “Ransomware Evil,” that officials contend operates with impunity from inside Russia.
Friday’s call came only three weeks after the onslaught of ransomware attacks dominated Biden and Putin's first summit, in Geneva. Immediately after that meeting, Biden said he told the Russian president he would respond “in a cyber way” against Russia if Putin failed to take action against groups operating on its territory.
But that three-hour meeting was largely a generic discussion of the issue, and an effort to convince Putin that the presence of the criminal cybergroups on Russian networks was not in Moscow’s interest, either. By calling right after REvil’s latest attack, Biden was essentially creating a test of Putin’s willingness to act. But Biden declined to say whether the United States had asked for specific action against individuals that it believes are part of REvil.
While the United States and Russia have long sparred over state-sponsored attacks — including the SolarWinds espionage operation by Russia’s elite SVR intelligence agency, or the Russian military intelligence unit’s hacking of the Democratic National Committee and its release of embarrassing emails in 2016 — ransomware attacks are of a different nature. Administration officials fear that, if left unaddressed, they could cripple key sectors of the US economy. And they suspect that Russian authorities are tolerating the groups — and sometimes dipping into their talent pool for intelligence and other cyber operations.
The White House blamed a Russian ransomware group, called DarkSide, for the attack on Colonial Pipeline that halted gasoline and jet fuel deliveries up the East Coast this spring. Ravil is believed to have been behind the attack against one of the country’s largest meat processors, JBS, that briefly shut down production in late May. The company paid REvil $11 million in cryptocurrency.
But Ravil's attack over the Fourth of July holiday was an escalation, officials said, not only for its timing, following the Geneva summit, but because the attack was unusually advanced in technique and aggressive in scope. Instead of targeting one company directly, Ravil breached a Florida technology company that holds high-level access to tech firms that service thousands of other companies. Had the company, Kaseya, not caught the attack quickly, the effects could have been cataclysmic, officials and cybersecurity experts say.
Biden’s challenge to Putin could pose a major credibility test in coming weeks and further escalate a Cold War-like series of confrontations between the United States and Russia, now fought in cyberspace rather than across the Berlin Wall.
Until recently, the United States has largely treated ransomware as a criminal problem, indicting leading actors if it could identify them. Few ever saw the inside of a US courtroom.
But the Colonial Pipeline attack crystallized a change in thinking. While the ransomware attack was aimed at the company’s business operations — encrypting data, then demanding millions of dollars for a key to decrypt it — the firm took the preemptive step of shutting down the pipeline. The attack set off panic buying and gas shortages and could have halted chemical refineries and mass transit had the shutdown lasted even two days longer. Biden and his staff grew increasingly alarmed, knowing that ransomware actors — and governments — learn from each attack and often accelerate them.
That sped a shift already underway toward treating cybercriminals like terrorists or cartels that pose a fundamental threat to the United States — and thus put the response into hands of US Cyber Command, the military’s cyber arm, to disrupt their operations, even if that means acting on networks inside Russian territory. Biden handed Putin, in Geneva, the Department of Homeland Security’s list of 16 critical sectors, and warned him these had to be off-limits — the beginning of an effort to put what his national security adviser, Jake Sullivan, called “guardrails” on malicious action.
Officials said Biden did not specify to Putin which actions the United States might take against a target. But based on recent history, he could order Cyber Command to shut down the group’s command and control servers, freeze their bank accounts or seize their cryptocurrency wallets to deprive them of the illicit gains of their ransom demands.
Cyber Command took similar action in the run-up to the 2020 election, when it feared a Russian criminal group, called TrickBot, might lease out its infrastructure to ransomware groups, or the state, to freeze voter registration data or other systems to disrupt the presidential election. More recently, the FBI was able to grab back more than half of a $4 million ransom paid by Colonial Pipeline, in an operation still shrouded in some mystery.
But those moves failed to deter future attacks. After the TrickBot takedown, the group reassembled and its operators launched an aggressive ransomware assault on American hospitals. It froze patient records and prevented cancer patients from getting timely treatment.
And the FBI seizure of a Bitcoin wallet used by Darkside did not deter Ravil from accelerating its ransomware attacks. (The FBI has yet to recoup a subsequent $11 million ransom that JBS, the meat producer, said it paid REvil in its attack).
Before gaining the attention of the White House, Ravil accounted for less than 10% of known ransomware victims; now it accounts for 42%, according to Recorded Future, a cybersecurity company.
“It might feel like this problem is new but it’s been exhausting security teams for years now,” said John Hultquist, a director of threat intelligence at FireEye. “Ransoms have exploded and actors have become more audacious. Where we are now was entirely predictable. It has been like watching a slow-motion car crash.”
Inside the White House, Biden’s senior aides acknowledge that US cyber defences have been woefully neglected over the past three administrations, a period of time that includes Biden’s service as vice president. Now they say it is up to Biden to shore up those defences and make adversaries, state or criminal, pay a price for attacks on American targets.
But unlike strong-arm states like Russia, China, Iran and North Korea, the United States has less authority over how critical systems like gas, power and water — the vast majority of which are run by the private sector — are defended. Many still lack basic protections like multi-factor authentication and still use decade-old software that software makers, like Microsoft, stopped patching long ago.
Until his administration finds a way to shore up its defence, the risk of blowback from a US cyber strike remains high. On Saturday, the same day REvil’s latest attack was underway, Putin pledged to “take symmetrical and asymmetric measures” to prevent “unfriendly actions” by foreign states.
As Michael Sulmeyer, now a senior adviser to US Cyber Command, put it before he entered government, America still “lives in the glassiest of glasshouses.