Russian cybercriminals’ latest massive ransomware attack is placing new pressure on President Joe Biden to follow through on his promise to make Moscow pay for turning a blind eye to digital assaults emanating from within its borders.
The cyberattack disclosed Friday on IT management software maker Kaseya, which may have affected as many as 1,500 companies whose vendors were using Kaseya’s product, prompted emergency meetings over the weekend between the FBI, DHS’ Cybersecurity and Infrastructure Security Agency and other agencies, as officials scrambled to assess the scale of the damage. Victims included a tech vendor that provides services to the Republican National Committee, although the RNC said Tuesday that none of its own data had been “accessed.”
But while the government’s cyber defenders help affected companies recover their computer systems, senior Biden administration officials face a more daunting challenge: pressuring Russian President Vladimir Putin to crack down on criminals such as the REvil gang that took credit for infecting Kaseya with ransomware.
After two ransomware attacks snarled the U.S. gasoline and meat supplies in May, Biden vowed to “take action,” potentially through the United States’ “significant cyber capability,” if Russia continued to shelter ransomware gangs in violation of international norms. But REvil’s holiday-weekend breach of hundreds or thousands of companies, from Kaseya to its own customers to those firms’ clients, suggests that Putin didn’t take Biden’s threat seriously.
As details continued to emerge about the range of companies hacked through the Kaseya operation, Biden and his appointees declined to say whether the attack had crossed any sort of red line and remained vague about the administration’s next steps.
“It appears to have caused minimal damage to U.S. businesses but we’re still gathering information to the full extent of the attack,” Biden told reporters Tuesday, while promising to “have more to say about this in the next several days.”
“I feel good about our ability to be able to respond,” he added.
Earlier Tuesday, White House press secretary Jen Psaki told reporters that U.S. and Russian officials have discussed the Kaseya attack at a “high level” and plan to meet next week to discuss ransomware.
“If the Russian government cannot or will not take action against criminal actors [residing] in Russia, we will take action … on our own,” she said.
Biden on Wednesday will “convene key leaders” from multiple agencies, including the departments of State, Justice and Homeland Security and the intelligence community, “to discuss ransomware and our overall strategic efforts to counter it,” Psaki said.
That response is unlikely to satisfy policymakers who say only bold action can deliver the wake-up call that Putin needs to receive.
“We’re facing a moment of reckoning when it comes to deterrence,” House Homeland Security ranking member John Katko (R-N.Y.) told the Daily Mail on Monday. “Adversaries like Russia are creating safe havens for bad actors and we must project strength.”
So far, the Kaseya attack appears to be different from May’s digital strikes on Colonial Pipeline and the meatpacking giant JBS, at least in one key aspect: it has not affected the critical infrastructure facilities, such as power plants or hospitals, that Biden declared off-limits in his June 16 meeting with Putin in Geneva.
In fact, no major U.S. business has yet been identified among the many victims of the Kaseya breach. The most visible impact to date has been the shutdown of a Swedish supermarket chain. That also sets this attack apart from past major global ransomware outbreaks, which in recent years have crippled targets ranging from Pfizer to the shipping giant Maersk.
“In terms of critical function consequences we aren’t seeing anything at this stage,” said a U.S. official who requested anonymity to discuss an ongoing cyber incident.
The RNC said Tuesday, as it had over the weekend, that one of its tech vendors was among the victims of a cyberattack. But the committee insisted again that a probe found no sign that hackers had gotten ahold of any data from the Republican Party organization.
“Over the weekend, we were informed that Synnex, a third party provider, had been breached,” RNC chief of staff Richard Walters said in a statement. “We immediately blocked all access from Synnex accounts to our cloud environment. Our team worked with Microsoft to conduct a review of our systems and after a thorough investigation, no RNC data was accessed. We will continue to work with Microsoft, as well as federal law enforcement officials on this matter.”
The RNC had made a similar comment in a statement to Bloomberg on Saturday.
A second U.S. official said the attack probably didn’t cross any administration red lines, both because it didn’t appear to target critical infrastructure and because there was no clear link to the Kremlin. But this official also said the administration needs to be clearer with the Russians about what its red lines truly are.
In remarks to reporters Saturday during a trip to Michigan, Biden appeared to focus on whether the Kremlin was directly responsible for the attack. “The initial thinking was it was not the Russian government, but we’re not sure yet,” the president said.
Still, some cyber researchers quickly labeled the Kaseya operation a major cyberattack — and an insidious one, given that, once again, the hackers exploited a trusted software provider to deliver their malware.
The government is “still trying to understand the extent of the issue,” according to a DHS official, who likewise requested anonymity given the matter’s sensitivity. “There’s not currently a good way for CISA to know who is affected and how badly.”
Kaseya has been “very responsive” to federal inquiries, the first U.S. official said, calling the relationship “very good thus far.”
Even so, the attack is likely to fuel congressional efforts to mandate more reporting of cyber incidents, which experts say is vital for improving the government’s understanding of evolving threats. A bipartisan group of senators is preparing to introduce legislation after the upper chamber returns from its recess next week, and in the House, Democrats on the Homeland Security Committee are preparing their own bill.
Alex Ward, Jonathan Custodio, Sam Sabin and Nahal Toosi contributed to this report.