Good morning! I’m filling in for Joe today. If you weren’t able to stay up until the wee hours of the morning to follow yesterday’s primary elections, here‘s a handy explainer.
Analysis | U.S. allies blame Russia for a cyberattack early in its Ukraine invasion
Below: Spain’s spy chief is ousted amid a scandal over spyware, and the NSA is looking into use of Kaspersky software.
The Biden administration and allies blame Russia for a hack directed at Ukraine
As Russia invaded Ukraine in late February, a cyberattack affected the modems of tens of thousands of customers in Ukraine and Europe, the Ukrainian military, some government agencies and even European wind turbines.
Now the European Union and a smattering of other countries have formally said Russia was behind the hack, which was directed at satellite firm Viasat.
Viasat said yesterday it would “continue to work closely with relevant law enforcement and governmental authorities as part of the ongoing investigation” into the cyberattack.
The public announcements are a big moment for cybersecurity officials on both sides of the Atlantic. While Russia’s alleged role was previously known — U.S. officials told my colleague Ellen Nakashima in March that Russia’s military intelligence service was responsible — the E.U. and other countries are now formally pinning the blame on Russia, with some countries specifically saying Russian military intelligence hackers were responsible.
Here are three takeaways:
1. Statements include mentions of norms
Many of the statements differed in substance and some didn’t even mention Viasat by name. But almost all criticized the spillover effects of the hack, which impacted Europe, and apparent violations of international norms. Here’s a quick breakdown of the major differences in the statements:
- European Union: The E.U. said Russia was behind the attack, which “took place one hour before” it invaded Ukraine.
- Canada: Ottawa said the “Russian military” was behind the cyberattack.
- Estonia: The European Union member went further. The country pinned the attack specifically on Russia’s military intelligence service with “high certainty” and said the hack had “run counter to international law.”
- United Kingdom: The U.K. National Cyber Security Centre is “almost certain” Russia was responsible for the Viasat hack, the U.K. said, citing “new U.K. and U.S. intelligence.” Meanwhile, “Russian Military Intelligence was almost certainly involved” in defacing Russian websites and launching destructive malware, it said.
- Australia and the United States: Australia’s government and the State Department didn’t mention Viasat in their statements, but said Russia was behind attacks on “commercial satellite communications networks” that disabled terminals in Ukraine and Europe, where they “support wind turbines and provide Internet services to private citizens.” That’s an apparent reference to Viasat.
Here’s more from Thomas Rid, a professor of strategic studies at Johns Hopkins University’s School of Advanced International Studies:
2. Pressure on Russia builds
The public attribution sets the stage for additional pressure on Russia in cyberspace, including through sanctions, experts say.
The European Union said the cyberattack caused “significant impact,” which is how E.U. authorities define sanctionable cyberattacks, NBC News’s Kevin Collier reported.
Ukraine has called for sanctions on Russia. All countries “should unite their efforts to stop the aggressor, to make it impossible for them to keep attacking and be held responsible for their actions,” the country’s State Service for Special Communication and Information Protection said. “Only sanctions, coordinated activity, awareness of public institutions, businesses and citizens can help us reach this goal and truly achieve peace in the cyberspace.”
The statements also could be big in the world of cyber diplomacy. Here’s more from Alexandra Paulus, an international cybersecurity policy fellow at the German think tank Stiftung Neue Verantwortung:
✅️ naming + shaming Russia by pointing out that they, like all UN member states, agreed to these norms
✅️ bonus points for pointing to societal impact of the norm violation
Possible future steps: linking past/ future responses to norm violation./2
— Alexandra Paulus (@ale_paulus) May 10, 2022
Tying public attribution statements to norms violations are a “really good development,” Chris Painter, the Obama administration’s top cyber diplomat, told me.
3. The statements point to a major hack in the conflict
In the weeks since Russia invaded Ukraine, some cybersecurity experts have said that they haven’t seen big Russian cyberattacks. But the Viasat hack provides a key data point in the timeline of Russian cyberoperations as the war began.
“Perhaps the concept of a ‘cyberwar’ was overhyped,” Jeremy Fleming, the director of U.K. intelligence agency GCHQ, said at the CyberUK 2022 conference Tuesday. “But there’s plenty of cyber about, including a range of activity we and partners have attributed to Russia. We’ve seen what looks like some spillover of activity affecting other countries, and we’ve seen indications that Russia’s cyber operatives continue to look for targets in countries that are opposing their actions.”
Furthermore, the attribution “reinforces” the need for U.S. organizations to prepare for potential Russian cyberattacks, CISA Director Jen Easterly said:
Director of National Intelligence Avril Haines offered one potential explanation for the lack of devastating hacks on U.S. entities, telling senators at a Tuesday hearing that Russia has “had a long-standing concern about the potential for escalation in cyber vis-a-vis the United States.” Haines, however, cautioned “that doesn’t mean that they won’t attack at some point, but it has been interesting to see that they haven’t during this point.”
But one cybersecurity official also highlighted some good news Tuesday. “Ransomware is actually down” over the last couple months, NSA Cybersecurity Director Rob Joyce said at a cybersecurity conference. “There’s probably a lot of different reasons why that is, but I think one impact is this the fallout of Russia/Ukraine. As we do sanctions and it’s harder to move money and it’s harder to buy infrastructure in the West, we’re seeing them less effective.”
Spain’s government fires spy chief amid spyware scandal
The Spanish government has fired its spy chief Paz Esteban, amid two scandals relating to hacks with Pegasus spyware, Reuters reports. Esteban’s spy agency, the National Intelligence Center (CNI), reportedly used the smartphone hacking tool against leaders pushing for Catalan independence. Spanish government officials, including the country’s prime minister, were also targeted with Pegasus.
As we wrote last month, Spain’s autonomous Catalonia region has become a lightning rod in the global debate over NSO Group’s Pegasus spyware and the way governments have abused this tool to track journalists, activists and opposition politicians. Research group Citizen Lab recently found that more than 60 Catalan citizens were targeted with the spyware.
Spain’s leftist coalition government has been under heavy pressure from Catalan leaders to answer for why it used the Pegasus spyware. These leaders are also calling for international investigations into the hacks, citing multiple examples of governments using the spyware against citizens.
The NSA is investigating Russian anti-virus giant Kaspersky
The National Security Agency’s probe is looking at the degree to which Kaspersky software is used by U.S. organizations and companies, NSA Cybersecurity Director Rob Joyce told Bloomberg News’s Katrina Manson. The Russian cybersecurity firm, which calls itself the “world’s largest privately-owned cybersecurity company,” also faces a probe by the Commerce Department.
“I am still very worried about U.S. companies that are using Kaspersky,” Joyce told Bloomberg News. “We think that is ill-advised with this global situation.” Joyce also said that Kaspersky software is used “across random critical infrastructure and industry.”
The U.S. government has long had its eye on Kaspersky. It ordered civilian agencies in the federal government to remove Kaspersky anti-virus software in 2017. The Biden administration considered sanctioning the firm but held off amid concerns about the scope of such a move, the Wall Street Journal’s Vivian Salama and Dustin Volz reported in March.
U.S. intelligence agencies have said Kaspersky software could be used by the Kremlin for spying. The firm has denied the claim and says it doesn’t do the bidding of Russia’s government.
“As there has been no public evidence or due process to otherwise justify any actions against the company since 2017, Kaspersky believes any expansion of prohibitions or limitations are a response to the geopolitical climate rather than a comprehensive evaluation of the integrity of Kaspersky’s products and services,” a Kaspersky spokesperson told Bloomberg News.
E.U. wants to force tech companies to scan for child exploitation images
Under a proposal released today by the European Commission, tech companies including Google, Apple and Facebook parent Meta could be fined if they fail to detect, remove and report illegal images of child sex abuse, Politico Europe’s Clothilde Goujard reports.
Tech companies and children’s rights groups are closely watching for the final rules. Activists and tech companies worry European officials could try to find “back doors” to end-to-end encryption, which ensures that only the sender and recipient can read a message, Politico previously reported.
“The law has already been delayed by a year due to complex negotiations on a temporary bill which clarified that tech companies can voluntarily check for child abuse on their platforms,” Goujard and Manancourt write. “There was also internal pushback within the Commission over concerns on how legislation will affect privacy.”
U.S. lawmakers have been advancing similar legislation called the EARN IT Act. But cybersecurity experts have raised some concerns about the legislation, saying it could prompt tech companies to stop offering end-to-end encryption. That’s because the bill would remove some long-standing protections the tech companies enjoy, potentially opening the door to more lawsuits over posts that include child sexual abuse material on their platforms.
National security watch
On the move
- Kemba Walden, who has worked as assistant general counsel in Microsoft’s Digital Crimes Unit, will be joining the office of National Cyber Director Chris Inglis as principal deputy national cyber director. Neal Higgins, who most recently worked at the CIA, and Rob Knake, an Obama administration cybersecurity official, are joining the office as deputy national cyber directors.
- LookingGlass Cyber Solutions has acquired Next5. Next5 founder Bryan Ware, a former CISA official, will be LookingGlass’s chief executive.
Secure log off
Thanks for reading. See you tomorrow.