Last Wednesday, a few hours before Russian tanks began rolling into Ukraine, alarms went off inside Microsoft’s Threat Intelligence Center, warning of a never-before-seen piece of “wiper” malware that appeared aimed at the country’s government ministries and financial institutions.
Within three hours, Microsoft threw itself into the middle of a ground war in Europe — from 5,500 miles away. The threat centre, north of Seattle, had been on high alert, and it quickly picked apart the malware, named it “FoxBlade” and notified Ukraine’s top cyberdefence authority.
Within three hours, Microsoft’s virus detection systems had been updated to block the code, which erases — “wipes” — data on computers in a network.
Then Tom Burt, the senior Microsoft executive who oversees the company’s effort to counter major cyberattacks, contacted Anne Neuberger, the White House’s deputy national security adviser for cyber- and emerging technologies. Neuberger asked if Microsoft would consider sharing details of the code with the Baltics, Poland and other European nations, out of fear that the malware would spread beyond Ukraine’s borders, crippling the military alliance or hitting west European banks.
Before midnight in Washington, Neuberger had made introductions — and Microsoft had begun playing the role that Ford Motor Company did in World War II, when the company converted automobile production lines to make Sherman tanks.
After years of discussions in Washington and in tech circles about the need for public-private partnerships to combat destructive cyberattacks, the war in Ukraine is stress-testing the system.
The White House, armed with intelligence from the National Security Agency and US Cyber Command, is overseeing classified briefings on Russia’s cyberoffensive plans. Even if American intelligence agencies picked up on the kind of crippling cyberattacks that someone — presumably Russian intelligence agencies or hackers — threw at Ukraine’s government, they do not have the infrastructure to move that fast to block them.
“We are a company and not a government or a country,” Brad Smith, Microsoft’s president, noted in a blog post issued by the company on Monday, describing the threats it was seeing. But the role it is playing, he made clear, is not a neutral one. He wrote about “constant and close coordination” with the Ukrainian government, as well as federal officials, the Nato and the EU.
“I’ve never seen it work quite this way, or nearly this fast,” Burt said. “We are doing in hours now what, even a few years ago, would have taken weeks or months.”
The intelligence is flowing in many directions.
Company executives, some newly armed with security clearances, are joining secure calls to hear an array of briefings organised by the National Security Agency and United States Cyber Command, along with British authorities, among others. But much of the actionable intelligence is being found by companies like Microsoft and Google, who can see what is flowing across their vast networks.
Biden’s aides often note that it was a private firm — Mandiant — that found the “SolarWinds” attack 15 months ago, in which one of Russia’s most cybersavvy intelligence agencies, the SVR, infiltrated network management software used by thousands of US government agencies and private businesses.
That gave the Russian government unfettered access.
Such attacks have given Russia a reputation as one of the most aggressive, and skilled, cyberpowers. But the surprise of recent days is that Russia’s activity in that realm has been more muted than expected, researchers said.
Most early tabletop exercises about a Russian invasion started with overwhelming cyberattacks, taking out the Internet in Ukraine and perhaps the power grid. So far, that hasn’t happened.
“Many people are quite surprised that there isn’t significant integration of cyberattacks into the overall campaign that Russia is undertaking in Ukraine,” said Shane Huntley, the director of Google’s threat analysis group. “This is mostly business as normal as to the levels of Russian targeting.”
Huntley said Google regularly observes some Russian attempts to hack accounts of people in Ukraine. “The normal level is actually never zero,” he said. But those attempts have not markedly increased in the past several days, as Russia has invaded Ukraine.
“We have seen some Russian activity targeting Ukraine; it just hasn’t been the big sets,” said Ben Read, a director at the security firm Mandiant.
It is not clear to American or European officials why Russia held off.
It could be that they tried but defences were stronger than they anticipated, or that the Russians wanted to reduce the risk of attacking civilian infrastructure, so that a puppet government they installed would not struggle to rule the country.
But American officials said a massive cyberattack by Russia on Ukraine — or beyond, in retaliation for the economic and technology sanctions imposed by the US and Europe — is hardly off the table.
Some speculate that just as Moscow steps up its indiscriminate bombing, it will seek to cause as much economic disruption as it can muster.
I
Last Wednesday, a few hours before Russian tanks began rolling into Ukraine, alarms went off inside Microsoft’s Threat Intelligence Center, warning of a never-before-seen piece of “wiper” malware that appeared aimed at the country’s government ministries and financial institutions.
Within three hours, Microsoft threw itself into the middle of a ground war in Europe — from 5,500 miles away. The threat centre, north of Seattle, had been on high alert, and it quickly picked apart the malware, named it “FoxBlade” and notified Ukraine’s top cyberdefence authority.
Within three hours, Microsoft’s virus detection systems had been updated to block the code, which erases — “wipes” — data on computers in a network.
Then Tom Burt, the senior Microsoft executive who oversees the company’s effort to counter major cyberattacks, contacted Anne Neuberger, the White House’s deputy national security adviser for cyber- and emerging technologies. Neuberger asked if Microsoft would consider sharing details of the code with the Baltics, Poland and other European nations, out of fear that the malware would spread beyond Ukraine’s borders, crippling the military alliance or hitting west European banks.
Before midnight in Washington, Neuberger had made introductions — and Microsoft had begun playing the role that Ford Motor Company did in World War II, when the company converted automobile production lines to make Sherman tanks.
After years of discussions in Washington and in tech circles about the need for public-private partnerships to combat destructive cyberattacks, the war in Ukraine is stress-testing the system.
The White House, armed with intelligence from the National Security Agency and US Cyber Command, is overseeing classified briefings on Russia’s cyberoffensive plans. Even if American intelligence agencies picked up on the kind of crippling cyberattacks that someone — presumably Russian intelligence agencies or hackers — threw at Ukraine’s government, they do not have the infrastructure to move that fast to block them.
“We are a company and not a government or a country,” Brad Smith, Microsoft’s president, noted in a blog post issued by the company on Monday, describing the threats it was seeing. But the role it is playing, he made clear, is not a neutral one. He wrote about “constant and close coordination” with the Ukrainian government, as well as federal officials, the Nato and the EU.
“I’ve never seen it work quite this way, or nearly this fast,” Burt said. “We are doing in hours now what, even a few years ago, would have taken weeks or months.”
The intelligence is flowing in many directions.
Company executives, some newly armed with security clearances, are joining secure calls to hear an array of briefings organised by the National Security Agency and United States Cyber Command, along with British authorities, among others. But much of the actionable intelligence is being found by companies like Microsoft and Google, who can see what is flowing across their vast networks.
Biden’s aides often note that it was a private firm — Mandiant — that found the “SolarWinds” attack 15 months ago, in which one of Russia’s most cybersavvy intelligence agencies, the SVR, infiltrated network management software used by thousands of US government agencies and private businesses.
That gave the Russian government unfettered access.
Such attacks have given Russia a reputation as one of the most aggressive, and skilled, cyberpowers. But the surprise of recent days is that Russia’s activity in that realm has been more muted than expected, researchers said.
Most early tabletop exercises about a Russian invasion started with overwhelming cyberattacks, taking out the Internet in Ukraine and perhaps the power grid. So far, that hasn’t happened.
“Many people are quite surprised that there isn’t significant integration of cyberattacks into the overall campaign that Russia is undertaking in Ukraine,” said Shane Huntley, the director of Google’s threat analysis group. “This is mostly business as normal as to the levels of Russian targeting.”
Huntley said Google regularly observes some Russian attempts to hack accounts of people in Ukraine. “The normal level is actually never zero,” he said. But those attempts have not markedly increased in the past several days, as Russia has invaded Ukraine.
“We have seen some Russian activity targeting Ukraine; it just hasn’t been the big sets,” said Ben Read, a director at the security firm Mandiant.
It is not clear to American or European officials why Russia held off.
It could be that they tried but defences were stronger than they anticipated, or that the Russians wanted to reduce the risk of attacking civilian infrastructure, so that a puppet government they installed would not struggle to rule the country.
But American officials said a massive cyberattack by Russia on Ukraine — or beyond, in retaliation for the economic and technology sanctions imposed by the US and Europe — is hardly off the table.
Some speculate that just as Moscow steps up its indiscriminate bombing, it will seek to cause as much economic disruption as it can muster.
New York Times News Service