Stop playing nice with Russian computer hackers
Russian hackers are still rummaging through global computer networks despite headline-grabbing Russian and Chinese attacks over the past several months that should have prompted corporations to tighten security and the White House to take more pointed and forceful action.
Sure, some companies have said they want to communicate better about digital breaches and the Biden administration slapped some mild sanctions on Russia last spring. Russia’s response to this tepid pushback? Merriment, it would seem. Just imagine the chuckles in the Kremlin when operatives there see how nonchalant and feckless their targets have remained.
Microsoft noted on its blog Sunday that Nobelium, a state-sponsored group of Russian hackers, is the same actor that orchestrated the epic SolarWinds hack disclosed late last year. That burglary was a software supply-chain attack: the intruders slipped a back door into updates of SolarWinds' Orion network-management software, and thousands of government and corporate customers worldwide installed the tainted update themselves. The implant lay dormant for a time, then woke up and disguised its traffic as the legitimate software's own. From there it could execute files, profile systems, disable system services and reboot computers. Much public and private hand-wringing greeted that disclosure.
Nobelium doesn’t seem to have been bothered much by that collective angst. Microsoft said the group was even more active during the spring and summer, this time going after the companies that resell and manage cloud services for other businesses, and the software supply chain more broadly. Microsoft said it first spotted the new intrusions in May and notified more than 140 resellers and technology service providers that they were targets; it believes as many as 14 of those were compromised. The company also said that Nobelium, using relatively unsophisticated tools such as phishing and password spraying (trying a handful of common passwords against a large number of accounts, so that no single account trips a lockout), had attacked 609 of its customers 22,868 times between July 1 and Oct. 19. That activity seems to have dwarfed earlier burglary efforts: in the three years before July 1, Microsoft had issued about 20,500 warnings about attacks from all of the nation-state actors it monitors.
Some caveats are in order. Microsoft said Nobelium’s recent success rate was “in the low single digits,” and that the attacks didn’t exploit any software flaw or involve the novel and intricate techniques that made the SolarWinds intrusion so frightening. Microsoft also said that improved coordination and information-sharing between the private and public sectors have made networks more resilient, as have the Biden administration’s sanctions.
But the hackers are clearly not going away. They never will, after all. Securing digital networks is an unending game of whack-a-mole. Microsoft’s own Exchange Server software was the vehicle for an extensive hacking campaign, attributed by Microsoft to a Chinese state-sponsored group, that began in January and wasn’t publicly disclosed until March. And if hackers’ more recent attacks are being deflected, that still doesn’t seem to have lessened their appetites. In fact, their forays have ramped up, and the implications are clear. Microsoft said in June that Nobelium had probed technology companies, financial services firms and governments in 36 countries, trying to pick digital locks with password spraying and brute-force guessing. Nearly half of those attacks were aimed at what the company described as U.S. interests.
“This recent activity is another indicator that Russia is trying to gain long-term, systematic access to a variety of points in the technology supply chain and establish a mechanism for surveilling — now or in the future — targets of interest to the Russian government,” Microsoft said on its blog on Sunday.
Those targets of interest haven’t just been mighty corporations and rival governments. Schools, colleges, fire and police departments, hospitals, laboratories and other institutions have also come under routine attack. Remember the Colonial Pipeline ransomware attack in May, the one that briefly shut down the largest refined fuels pipeline in the U.S. and threatened energy supplies along the East Coast? The economic, social and security fallout from successful hacks is tangible and brutal, and there is little public evidence that the private and public sectors are being as aggressive as they should be about buttoning things up.
The federal government should issue regulatory requirements for all enterprises, regardless of size, to publicize the details of any hack. Corporations need to demonstrate publicly that they are sharing information with one another rather than hunkering down after they’ve been assaulted. They also need to submit to outside audits of their computer security protocols.
For its part, the White House should stop hoping for the best from nation-states eager to wreak digital havoc. Responding to hacks by bouncing some diplomats out of the country is a good first step, and firing mild economic sanctions across the Kremlin’s bow is fine. But there’s no reason not to show a little more muscle now before another digital salvo lands on our shores. Burning down some digital networks in Eastern Europe or elsewhere that are used to mount attacks doesn’t seem over the top at this point; neither does excommunicating rogue actors from the global banking and financial services system.
Those are blunt actions, I know. But this is serious stuff — and nobody seems to be listening.
Timothy L. O’Brien is a senior columnist for Bloomberg Opinion.