Russian hackers are accused of breaching a contractor for the Republican National Committee last week, around the same time that Russian cybercriminals launched the single largest global ransomware attack on record, incidents that are testing the red lines set by President Joe Biden during his high-stakes summit with President Vladimir Putin of Russia last month.
The RNC said in a statement on Tuesday that one of its technology providers, Synnex, had been hacked. While the extent of the attempted breach remained unclear, the committee said none of its data had been accessed.
Early indications were that the culprit was Russia’s SVR intelligence agency, according to investigators in the case. The SVR is the group that initially hacked the Democratic National Committee six years ago and more recently conducted the SolarWinds attack that penetrated more than a half-dozen government agencies and many of the largest U.S. corporations.
The RNC attack was the second of apparent Russian origin to become public in the past few days, and it was unclear late Tuesday whether the two were related. On Sunday, a Russian-based cybercriminal organization known as REvil claimed responsibility for a cyberattack over the long holiday weekend that has spread to 800 to 1,500 businesses around the world. It was one of the largest attacks in history in which hackers shut down systems until a ransom is paid, security researchers said.
The twin attacks are a test for Biden just three weeks after he, in his first meeting as president with Putin, demanded that the Russian leader rein in ransomware activities against the United States. At the meeting, Biden said later, he presented Putin with a list of 16 critical sectors of the American economy that, if attacked, would provoke a response – although he was cagey about what that response would be.
“If, in fact, they violate these basic norms, we will respond with cyber,’' Biden said at a news conference immediately after the meeting. “He knows.” But he quickly added of Putin that “I think that the last thing he wants now is a Cold War.”
White House officials were preparing to meet on Wednesday to discuss the latest ransomware attack, which used the innovative technique of getting into the supply chain of software used by governments, federal agencies and other organizations – a tactic that the SVR deployed in SolarWinds last year.
The White House didn’t immediately respond to a request for comment on the breach of Synnex, the RNC contractor, which was reported earlier by Bloomberg News.
The newest attacks appeared to cross many lines that Biden has said he would no longer tolerate. On the campaign trail last year, he put Russia “on notice” that, as president, he would respond aggressively to counter any interference in U.S. elections. Then in April, he called Putin to warn him about impending economic sanctions in response to the SolarWinds breach.
Last month, Biden used the summit with Putin to make the case that ransomware was emerging as an even larger threat, causing the kind of economic disruption that no state could tolerate. Biden specifically cited the halting of the flow of gasoline on the East Coast after an attack on Colonial Pipeline in June, as well as the shutdown of major meat-processing plants and earlier ransomware attacks that paralyzed hospitals.
The issue has become so urgent that it has begun shifting the negotiations between Washington and Moscow, raising the control of digital weapons to a level of urgency previously seen largely in nuclear arms control negotiations. On Tuesday, the White House press secretary, Jen Psaki, said U.S. officials will meet with Russian officials next week to discuss ransomware attacks – a dialogue the two leaders had agreed upon at their summit in Geneva.
On Saturday, as the attacks were under way, Putin gave a speech timed to the rollout of Russia’s latest national security strategy that outlines measures to respond to foreign influence. The document claimed that Russian “traditional spiritual-moral and cultural-historical values are under active attack from the U.S. and its allies.”
While the strategy reaffirmed Moscow’s commitment to using diplomacy to resolve conflicts, it stressed that Russia “considers it legitimate to take symmetrical and asymmetric measures” to prevent “unfriendly actions” by foreign states.
The remarks, cybersecurity experts said, were Putin’s response to the summit with Biden.
“Biden did a good job laying down a marker, but when you’re a thug, the first thing you do is test that red line,” said James A. Lewis, a cybersecurity expert at the Center for Strategic and International Studies in Washington. “And that’s what we’re seeing here.”
Lewis added that “low-end penalties” like sanctions had been exhausted. “The White House will have to use more aggressive measures, whether that is something in cyberspace, or a more painful legal or financial manoeuvre,” he said.
Stronger measures have long been debated, and occasionally used. When Russian intelligence agencies put malicious code into the American power grid in recent years – where it is believed to reside to this day – the United States in turn put code into the Russian grid, and made sure it was seen, as a deterrent. Before the 2020 election, U.S. Cyber Command took down the servers of a major Russian cybercriminal operation to prevent it from locking up voting infrastructure.
But harsher measures have usually led to debates about whether the United States was risking escalation. Participants in those discussions have said they usually result in decisions to err on the side of caution, because so much of American infrastructure is poorly defended and vulnerable to counterstrikes.
Without question, the tempo of the daily, short-of-war cyberconflict with Russia is accelerating. That has led the Biden administration to look for new diplomatic options. The State Department is in discussions with representatives from roughly 20 foreign governments to develop a menu of consequences to foreign cyberattacks that would include sanctions, diplomatic expulsions and more aggressive counterstrikes, including in the cyber arena.
The likely SVR breach of Synnex left unclear whether the RNC was the target or whether it was unintended collateral damage in a broader hack that may not have been directed at the Republicans.
In a statement, Synnex said the attempted breach of its systems “could potentially be in connection with the recent cybersecurity attacks.”
“Was this an unaimed shotgun blast, or was it a careful, targeted rifle shot at a foreign intelligence target?” said Bobby Chesney, director of the Robert S. Strauss Center for International Security and Law at the University of Texas in Austin.
If it was the former, he said, it may cross the line the White House set when it punished Russia for its breach of SolarWinds and its customers. If it was the latter, it may be considered the kind of intelligence gathering that all major states engage in – and thus not something the United States was likely to seek to punish.
When the Democratic National Committee was hit, first by the SVR in 2015 and then by Russia’s military intelligence unit, the GRU, in 2016, evidence revealed by the FBI showed that servers used by the RNC – also held by contractors – were also targeted. (There was no evidence that the servers held sensitive data, or that the data was stolen.)
The White House may face a more complex problem determining how to deal with the ransomware assaults that played out over the July Fourth weekend.
The attack, which began with a breach of Kaseya, a software maker in Florida, exhibited an unusual level of sophistication for ransomware groups, security experts said. REvil appeared to breach Kaseya through a “zero day”– an unknown flaw in the technology – according to the researchers, then used the company’s access to its customers computer systems to conduct ransomware attacks on its clients.
Researchers in the Netherlands had tipped Kaseya off to the flaw in its technology, and the company was working on a fix when REvil beat them to it, researchers said. It is unclear whether the timing was a coincidence or whether cybercriminals were tipped off to the flaw and worked quickly to exploit it.
In the past, REvil relied on more basic hacking methods – such as phishing emails and unpatched systems – to break in, researchers said. The group has demanded $70-million in bitcoin to release a tool that would allow all infected companies to recover, a sum that it had lowered to $50-million by Tuesday.
In her remarks on Tuesday, Psaki, the White House spokeswoman, warned companies against paying because it would give the criminals an incentive to keep going. “The FBI has basically told companies not to pay ransom,” she said.
Our Morning Update and Evening Update newsletters are written by Globe editors, giving you a concise summary of the day’s most important headlines. Sign up today.