U.S., private sector may still be a cyber target for Russia amid Ukraine fighting

Americans should expect escalating cyber operations targeting the private sector despite the apparent absence of large Russian cyberattacks so far in the Kremlin’s invasion of neighboring Ukraine, according to retired Adm. Michael S. Rogers.

Adm. Rogers, who formerly led the National Security Agency and U.S. Cyber Command, expects Russian-generated cyberattacks to spread in the weeks and months ahead. He said the public will know when such attacks occur.  

“You’re going to see more cyber action against governments and militaries, but most interesting to me, I think you’ll see an increase against economic targets in the U.S. and elsewhere in the world,” he said. 

Adm. Rogers said Russian President Vladimir Putin may use the threat of catastrophic cyber action as leverage against his opponents in the Ukrainian conflict and apply pressure on the U.S. homeland in response to sanctions imposed by the Biden administration and its allies. 

Russia’s invasion of Ukraine has not been accompanied by a visible cyberwar that some professionals feared would turn off the lights, disrupt essential services and shut down communications networks. Some cyber experts think the obscured cyberspace battlefield has blocked greater awareness of ongoing battles, while others suggest such devastation may still hit Ukraine and spread more broadly to Europe and the U.S.

Instead of nations openly battling in cyberspace, hacking groups have become prominent foot soldiers in the virtual war and have organized on social media and messaging platforms to disrupt targets associated with the Russian government. The activist hacking group Anonymous has already taken credit for knocking down Russian government websites since the fighting broke out just over a week ago. 

Hackers sympathetic to Russia have also suffered. After the ransomware gang Conti announced its support of the Russian government, its internal communications were leaked online amid speculation that a Ukrainian insider or security researcher was responsible. Conti was one of the gangs that hammered U.S. infrastructure last year, and the FBI has said it observed Conti going after American health care networks.

New information obtained from the leaks reveal more about the ransomware gang’s alleged associations with the Russian government and could provide U.S. law enforcement with new leads for taking down cybercriminals. Christo Grozev, lead Russia investigator at digital watchdog Bellingcat, said on Twitter that his group believes the Conti gang targeted one of Bellingcat’s contributors at the direction of the FSB, Russia’s Federal Security Service, based on the leaked info. 

Cybersecurity professionals digging into the leaks said it is too early to connect Russian intelligence definitively to specific Conti actions. 

Randy Pargman, counterintelligence vice president for the firm Binary Defense, said there certainly seems to be some cooperation between the two sides but it is premature to reach a strong conclusion. 

Mr. Pargman said among the most interesting revelations from the Conti leak thus far are its alleged use of an unnamed French company to acquire tech for the gang to test its attacks against and the Conti gang’s human resources operations, including how the group interviews job candidates. 

The leak data also include information about the gang’s financing and previously undisclosed victims. Drew Schmitt, GuidePoint Security principal threat intelligence analyst, said estimates that Conti raked in more than $2 billion from its ransomware extortion efforts are reasonable. 

Mr. Schmitt said messages referencing the gang’s money flow and cryptocurrency wallets will make it possible to trace the group’s financing. He also said reading through the chat logs will help the cybersecurity industry learn the gang’s behavior and understand better how to defend against ransomware in the future.