Hackers who learned skills in government service are branching out “for their own personal enrichment,” Pentagon cyber leader says.
Russian actors are behind many of the ransomware attacks that have led the Biden administration to prioritize efforts to head them off. But while the Russian government has trained and hired many hackers, some have left government service and are launching attacks “for their own personal enrichment,” as one Pentagon cyber leader put it. That makes it harder for the United States and its allies to respond.
Just how much control the Russian government has over these actors “is an open question,” Mieke Eoyang, deputy assistant defense secretary for cyber policy, said on Wednesday during a reporter roundtable.
Contrast that with China, whose government has staged a number of high-profile attacks but has largely avoided sanctions for a couple of reasons. Chinese attacks are aimed mostly at stealing intellectual property for Chinese industries, not destroying the target or its business operations. Eoyang also noted that China has closed down cryptocurrency exchanges whereas Russia has not.
In many Russian cyber attacks, the hackers are expressly doing the work of the government, as was the case with the SolarWinds hack, which the United States has attributed to the Russian intelligence services. But often attacks are carried out by individuals with military backgrounds, people who learned their tradecraft in service to the Kremlin and often work as contractors for the state. Here the relationship to the state can range. The hackers become similar to the old privateers or “pirates with papers” of the 18th century, operating under—if not exactly license—the tacit approval of the state so long as their targets reside in countries that the Kremlin doesn’t like.
“One of the challenges we in the department see—and then you see this in the indictments against some of these actors—some of them have connections to the Russian state.” Eoyang said. “They use their skills that they've developed for their own personal enrichment. And that is something the United States would never do. Anyone at Cyber Command or NSA who thinks that they're going to go home and, like, conduct a ransomware attack against the city in Russia, the FBI would like to have words with them because that is just not something that we would view as acceptable in the United States. And we would take law enforcement action against those individuals. We believe that responsible states have.... should take responsibility for the actions of their forces.”
The Biden administration, which has been putting pressure on Putin to crack down on ransomware actors, increasingly views ransomware attacks as a national security threat. Eoyang said that the complexity of the problem is part of the reason the government is attacking it from multiple agencies and offices.
“You see a whole-of-government effort, Treasury sanctions, FBI activity, aggressive use of law-enforcement arrests, across the government to take action,” she said.
There may be some indication that the approach is working. In May, Darkside, the Russian-linked group at the heart of the Colonial Pipeline attack, announced that it was shutting down. The FBI seized the proceeds from the attack.
Eoyang stopped short of crediting the Russian government with the group’s disappearance but didn’t deny it as a possible factor. “We have seen a number of events where actors go dark and rebrand and come back again later, irrespective of any activity in the Russian government.”