The U.S. Opens a Risky New Front in Cyberdefense
By Tim Culpan, Bloomberg
A U.S. operation to secretly remove malware from networks at home and overseas highlights the new front Washington is opening in its approach to global cyberdefense. It’s a much-needed strategy, but one that ought to be handled delicately if the U.S. is to maintain the cooperation necessary to keep pulling off such sneaky maneuvers.
The U.S. and its allies found malicious code developed and planted by Russia’s military intelligence agency, the GRU, in thousands of devices worldwide, Attorney General Merrick Garland revealed Wednesday. The U.S. and other nations have been on the alert for the possibility that Russia would conduct cyberattacks on businesses or critical infrastructure to retaliate against sanctions over the war in Ukraine.
But the mission disclosed this week went further than identifying where malware had turned up. According to the New York Times, secret court orders allowed the U.S. to remove the malicious software from Russian control by taking steps that included entering corporate networks without the companies’ knowledge.
It’s a big shift from the time when Western governments mainly portrayed themselves as victims of hacking, incapable or unwilling to counter cyberthreats by intruding into foreign systems. The new proactive approach, including publicizing what authorities are doing to try to preempt attacks, reflects the realities of modern cyberwarfare.
What’s remarkable about this operation is the decision to surreptitiously enter companies’ computer networks. It’s one thing to have the police show up to your house when you aren’t at home to investigate and detain an intruder. It’s another thing entirely to cart away the intruder and never tell you about it. While U.S. allies might not mind, corporations both foreign and domestic could be forgiven for being alarmed at the prospect of U.S. authorities secretly rummaging around in their computers hunting for malware, even if it’s for a good cause.
The U.S. is able to get away with such maneuvers because its cyber capabilities are so robust, and its relationship with partners so close, that it has built up trust and respect. The strongest of these links is the Five Eyes alliance — Australia, Canada, New Zealand, the U.K. and the U.S. — in which intelligence is collated and shared.
Given the admission that it worked with allies, it’s unlikely that the U.S. intruded into overseas networks without those partners being aware. Still, foreign governments might have been unable to stop them, even if they wanted to. One reason is the importance of speed and secrecy in such operations. Once malware is found and a decision made to remove it, a team will want to work quickly and meticulously so as not to alert the adversary or spark them into activating the software’s nasty payload.
“No government would offer carte blanche, in-advance approval, but I could imagine the conversation would be such that they communicate and act if they spot malware in a partner’s network,” said Greg Austin, senior fellow in cyber, space and future conflict at the International Institute for Strategic Studies in Singapore.
That kind of collaborative approach is important not only to carry out the operation, but to keep partners amenable to further cooperation. Governments don’t like allowing outsiders, including friends, to encroach on their territorial sovereignty even in cyberspace.