SIMI VALLEY, Calif. – The U.S. military has taken action against ransomware groups as part of its offensive against organizations launching attacks on American businesses, the country’s leading cyber warrior said on Saturday, the first public acknowledgment of offensive action against such organizations.
General Paul M. Nakasone, head of US Cyber Command and director of the National Security Agency, said that nine months ago the government viewed ransomware attacks as a law enforcement matter.
But the attacks on the Colonial Pipeline and JBS beef factories showed that the criminal organizations behind them “had tampered with our critical infrastructure,” said General Nakasone.
In response, the government is taking a more aggressive, coordinated approach to this threat and is abandoning its current stance. Cyber Command, the NSA and other agencies have devoted resources to gathering information about the ransomware groups and sharing this better understanding with the government and international partners.
“The first thing we must do is understand the enemy and their insights better than ever before,” General Nakasone said in an interview on the sidelines of the Reagan National Defense Forum, a meeting of national security officials.
General Nakasone would not describe the actions taken by his commands, nor which ransomware groups were targeted. However, he said one of the goals is to “impose costs,” the term military officials use to describe punitive cyber operations.
“Before, during, and since then, we have taken action and imposed costs on a number of elements of our government,” said General Nakasone. “This is an important piece that we should always keep in mind.”
In September, Cyber Command rerouted traffic around servers used by Russia-based ransomware group REvil, officials informed of the operation said. The operation came after government hackers from an allied country broke into the servers, making it difficult for the group to collect ransom money. After REvil discovered the US action, it was closed, at least temporarily. This Cyber Command operation was reported by the Washington Post last month.
Cyber Command and the NSA also assisted the FBI and the Department of Justice in their efforts to confiscate and recover much of the cryptocurrency ransom money paid by Colonial Pipeline. The Bitcoin payment was originally requested by the Russian ransomware group DarkSide.
Cyber Command’s first known operation against a ransomware group came ahead of the 2020 election when officials feared a computer network called TrickBot could be used to disrupt the vote.
Government officials disagreed on how effective the stepped-up measures against ransomware groups were. National Security Council officials said the activities of Russian groups had declined. The FBI is skeptical. Some outside groups saw a lull but predicted that the ransomware groups would be renamed and come back into force.
When asked if the United States was better able to defend itself against ransomware groups, General Nakasone said the country was “on an upward trend”. But opponents are changing their operations and trying to keep attacking, he said.
“We know a lot more about what our opponents can and could do to us. This is an area where vigilance is really important,” he said, adding that “we cannot take our eyes off it.”
Since taking over in May 2018, General Nakasone has worked to accelerate the pace of cyber operations, initially focusing on more robust countermeasures against foreign influence operations in the 2018 and 2020 elections. He said his commands were able to draw comprehensive lessons from these and other operations considered successful.
“Look at the broad perspective of the adversaries that we have pursued over a period of more than five years: They were nation-states, they were proxies, they were criminals, there was a whole range of people who each needed a different strategy,” he said. “The basic elements that make us successful against any opponent are speed, agility and unity of effort. You have to have these three.”
The discovery of the SolarWinds hacking last year, in which Russian intelligence agents implanted software in the supply chain that potentially gave them access to numerous government networks and thousands of business networks, was made by a private company and exposed vulnerabilities in American cyber defense. The NSA’s Cybersecurity Collaboration Center was set up to improve the exchange of information between government and industry and better detect future intrusions, General Nakasone said, although industry officials say more needs to be done to improve the flow of information.
General Nakasone said these types of attacks are likely to continue, from ransomware groups and others.
“What we’ve seen over the past year, and what the private sector has reported, is that we’ve seen a huge surge in implants, as well as zero-day vulnerabilities and ransomware,” he said, referring to an unknown coding bug for which a patch does not exist. “I think this is the world we live in today.”
Speaking on a panel at the Reagan forum, General Nakasone said that the domain of cyberspace has changed radically in the past 11 months with the rise of ransomware attacks and operations like SolarWinds. He said it was likely that American critical infrastructure would be attacked in future military conflicts.
“Boundaries mean less when we look at our adversaries, and whatever adversary that is, we should start with the idea that our critical infrastructure is being targeted,” he told the panel.
Cyber Command has already begun building its efforts to defend the next election. Despite efforts to expose Russian, Chinese and Iranian efforts to meddle in American politics, General Nakasone said in the interview that foreign malicious campaigns would likely continue.
“I think we should expect that our opponents will always try to interfere in cyberspace, where the barriers to entry are so low,” he said.
The recipe for success in defending the elections is to give the public insight into the intentions of opponents, share information about vulnerabilities and enemy operations, and finally take action against groups that are trying to disrupt the vote.
While this can take the form of cyber operations against hackers, the response can be more extensive. Last month, the Justice Department announced the indictment of two Iranian hackers whom the government identified as being behind an attempt to influence the 2020 elections.
“This really has to be a state effort,” said General Nakasone. “That is why the diplomatic effort is important. For this reason, it is vital to our success that we examine a number of different levers within our government to influence these types of adversaries.”





















