The White House believes Russia is responsible for recent cyberattacks targeting Ukraine’s major banks and Ministry of Defense, a top administration official said Friday.
Deputy national security adviser Anne Neuberger made the attribution at the White House, as tensions escalated between Russia and Ukraine.
“We believe that the Russian government is responsible for widespread cyberattacks on Ukrainian banks this week,” Neuberger said. “We have technical information that links the Russian Main Intelligence Directorate or GRU. GRU infrastructure was seen transmitting high volumes of communication to Ukraine-based IP addresses and domains.”
Neuberger noted that the distributed denial-of-service, or “DDoS,” and spam attack had “limited impact” within Ukraine, but said the most recent incident of malicious digital activity could precede “more disruptive cyberattacks accompanying a potential further invasion of Ukraine’s sovereign territory.” The U.S. has shared underlying intelligence with Ukraine and with European partners, Neuberger added.
Top cyber officials said the U.S. had worked quickly to connect the dots on the GRU-linked attack in order to “call out the behavior quickly.”
The U.S.’ public attribution of the attacks to Russia coincided with a similar announcement by U.K. officials Friday.
“The decision to publicly attribute this incident underlines the fact that the UK and its allies will not tolerate malicious cyber activity,” Britain’s Foreign, Commonwealth and Development Office (FCDO) said in a statement.
“This activity is yet another example of Russia’s aggressive acts against Ukraine,” the statement added.
Ukrainian officials called this week’s DDoS attacks the worst of their kind in the country’s history, despite the unsophisticated tactics behind the cyber harassment.
According to data collected by cybersecurity firm CrowdStrike, internet traffic hitting Ukrainian websites during the DDoS attack was “three orders of magnitude more than regularly observed traffic,” said Adam Meyers, senior vice president of intelligence at CrowdStrike.
John Hultquist, vice president of Intelligence Analysis at cybersecurity firm Mandiant, said it’s important not to misjudge the purpose of these attacks. “The disruption they cause is designed to intimidate and undermine and is not an end unto itself,” Hultquist said in a statement to CBS News.
“Ultimately, we should not judge these incidents by their technical complexity. Though they turned off the lights in Ukraine, the GRU’s most important cyber operation may have been when they hacked and leaked information during the 2016 elections,” he added.
Earlier this week, Under Secretary for Political Affairs Victoria Nuland told “CBS Mornings” that the Russians were likely behind the attack, citing their past actions.
“Who is best at this, who uses this weapon all around the world? Obviously, the Kremlin,” Nuland said.
“I think what’s most important is that these cyberattacks were not very successful,” she noted, commending Ukrainian officials for responding quickly and helping the websites recover.
On Friday, Ukraine’s Computer Emergency Response Team, or “CERT,” released a technical analysis of Wednesday’s campaign against Ukrainian government agencies and banks. Ukrainian officials confirmed that the Mirai botnet, malware commonly used in botnets during large-scale network attacks, was employed in these cyberattacks.
Neuberger told reporters Friday that there is currently no intelligence suggesting specific or credible cyber threats to the U.S. homeland. Over the past few months and weeks, U.S. cyber officials have redoubled outreach within the private sector, urging the nation’s critical infrastructure owners and operators to bolster cyber defenses.
“Given the rising tensions and the potential invasion of Ukraine by Russia, we’ve actually been leaning forward to inform our industry partners of potential threats,” Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly said Friday during an Aspen Institute panel. “It really is part of a paradigm shift that I’ve been talking about for awhile now — of moving from the government being reactive to being much more proactive.”
Easterly noted that outreach included “classified and unclassified briefings to our private sector and state and local partners regarding evolving cybersecurity risks.”
On Thursday, the Treasury Department convened an in-person briefing with CEOs of major U.S. banks, alongside officials from the FBI, CISA and the White House. Participants included J.P. Morgan and Citibank.
On Friday, CISA released an advisory warning critical infrastructure owners and operators of an uptick in sophisticated foreign influence operations employing misinformation, disinformation and mal-information (MDM).
Easterly on Friday pushed organizations to “lower their threshold” for reporting anomalous cyber activity to the U.S. government. “Just get that information to the government,” she urged.