Tech Companies Are Helping Ukraine Defend Against Cyber ​​Attacks

WASHINGTON — Just hours before Russian tanks began to enter Ukraine last Wednesday, alarms sounded at Microsoft’s Threat Intelligence Center, warning of a never-before-seen piece of “wipe” malware targeting the country’s ministries and financial institutions. . .

Within three hours, Microsoft threw itself into the middle of a land war in Europe – from 5,500 miles away. The threat center north of Seattle was on high alert and quickly separated the malware, dubbed “FoxBlade,” and notified Ukraine’s top cyber defense official. Within three hours, Microsoft’s virus-detection systems were updated to block code that wiped – “erased” – data on computers on a network.

Next, top Microsoft executive Tom Burt, who oversees the company’s efforts to counter major cyberattacks, contacted Anne Neuberger, the White House’s deputy national security adviser for cyber and emerging technologies. Neuberger asked if Microsoft would consider sharing details of the code with the Baltic, Poland and other European countries, out of fear that the malware would spread beyond Ukraine’s borders, paralyze the military alliance or hit Western European banks.

Before midnight in Washington, Ms. Neuberger made public appearances and Microsoft launched World War II, when Ford Motor Company converted its automobile production lines to make Sherman tanks. He began to play the role he played in World War II.

After years of debate in Washington and in tech circles about the need for public-private partnerships to combat devastating cyberattacks, the war system in Ukraine is stress-testing. Armed with intelligence from the National Security Agency and United States Cyber ​​Command, the White House oversees secret briefings on Russia’s cyberattack plans. Even if American intelligence agencies did catch the kind of crippling cyberattacks that someone—probably Russian intelligence agencies or hackers—had carried out on the Ukrainian government, they simply don’t have the infrastructure to act so quickly to thwart them.

“We are neither a government nor a country,” Microsoft president Brad Smith said in a blog post by the company on Monday, describing the threats he saw. But he made it clear that his role was not neutral. He wrote about “continuous and close coordination” with the Ukrainian government, federal authorities, the North Atlantic Treaty Organization and the European Union.

“I’ve never seen it work this way or that fast before,” said Mr. Burt. “What would have taken weeks or months even a few years ago, we now do in hours.”

Intelligence flows in many directions.

Company executives, some newly armed with security clearances, are joining the safe calls to listen to a series of briefings held by the National Security Agency and United States Cyber ​​Command, among others, and British authorities. But much of the actionable intelligence is found by companies like Microsoft and Google, who can see what’s flowing through their vast networks.

Mr. Biden’s aides often point out that a private company — Mandiant — found the “SolarWinds” attack 15 months ago, in which SVR, one of Russia’s most cyber-savvy intelligence agencies, infiltrated network management software used by thousands of US government agencies. and private businesses. This gave the Russian government unrestricted access.

Such attacks have earned Russia a reputation as one of the most aggressive and capable cyber powers. However, the researchers said the surprise of recent days was that Russia’s activity in this area has been quieter than expected.

Many of the first tabletop exercises on a Russian invasion began with crushing cyberattacks that wiped out Ukraine’s internet and perhaps even the power grid. So far, this hasn’t happened.

“Many people are quite surprised at the lack of significant integration of cyberattacks into Russia’s overall campaign in Ukraine,” said Shane Huntley, director of Google’s threat analysis group. “This is normal business, mostly based on Russian targeting levels.”

Mr. Huntley said Google regularly monitors some Russian attempts to hack the accounts of people in Ukraine. “The normal level is never actually zero,” he said. However, these attempts have not increased noticeably in the past few days since Russia invaded Ukraine.

“We have seen some Russian activities targeting Ukraine; “It wasn’t just the big sets,” said Ben Read, director of security firm Mandiant.

American or European officials do not know why Russia delayed it.

They may have tried but their defenses were stronger than they had anticipated or the Russians wanted to reduce the risk of attacking civilian infrastructure so a puppet government they had installed wouldn’t struggle to run the country.

But American officials said a major cyberattack by Russia on Ukraine — or more in retaliation for economic and technological sanctions imposed by the United States and Europe — is off the table. Some think it will try to cause as much economic disruption as it can muster, as Moscow hastened its indiscriminate bombings.

The longer and more effectively the Ukrainian resistance resists the Russian military, the more tempted Moscow may be to use a “navy of Russian cyber forces,” said Mark Warner, a Democrat from Virginia, who leads the Senate Intelligence Committee. week.

Facebook’s parent company, Meta, announced on Sunday that it had discovered hackers who had hijacked accounts belonging to Ukrainian military officials and public figures. The hackers tried to use their access to these accounts to spread disinformation by posting videos showing the Ukrainian military surrendering. Meta responded by locking accounts and alerting targeted users.

Twitter said it found signs that hackers were trying to hijack accounts on its platform, and YouTube said it removed five channels that posted videos used in the disinformation campaign.

Meta administrators said the Facebook hackers were linked to a group known as Ghostwriter, which security researchers believe is associated with Belarus.

Ghostwriter is known for his strategy of hacking the email accounts of public people and then using that access to compromise their social media accounts. Mr Read, who researched the group, said the group has been “heavily active” in Ukraine for the past two months.

While US officials are not currently assessing any direct threats to the US from Russia’s escalating cyber operations, that calculation could change.

US and European sanctions are biting more than expected. Mr Warner said Russia could respond “either by direct cyberattacks on NATO countries or, more likely, by unleashing massive ransomware attacks on virtually all Russian cybercriminals, which in turn denied them some degree of responsibility”.

Russian ransomware criminal groups carried out a devastating series of attacks on hospitals, a meat-processing company, and most notably the company that operates gas pipelines along the East Coast in the United States last year. Although Russia has taken steps to rein in these groups in recent months – after months of talks between Ms Neuberger and her Russian counterpart, Moscow has made some decisions. high profile arrests In January – pressure can easily reverse their efforts.

However, President Biden has increased his warnings to Russia against any kind of cyber attack against the United States.

“If Russia launches cyberattacks against our companies with which we have critical infrastructure, we are ready to respond,” Mr Biden said on Thursday.

This is the third time Mr Biden has issued such a warning since he won the election. While any Russian attack on the United States may seem like a reckless escalation, California Democratic Representative Adam B. Schiff, who leads the House Intelligence Committee, noted that Mr. Putin’s decisions so far have been weak.

“There is a risk that the cyber tools Russia uses in Ukraine will not stay in Ukraine,” he said in an interview last week. “We’ve seen this before, targeted malware is released into the wild and then takes on a life of its own. So we can fall victim to Russian malware that goes beyond its intended target.”