Cyberwarfare and Defense

Ukrainian Minister Has Turned Digital Tools Into Modern Weapons of War

After war began last month, President Volodymyr Zelensky of Ukraine turned to Mykhailo Fedorov, a vice prime minister, for a key role.

Mr. Fedorov, 31, the youngest member of Mr. Zelensky’s cabinet, immediately took charge of a parallel prong of Ukraine’s defense against Russia. He began a campaign to rally support from multinational businesses to sunder Russia from the world economy and to cut off the country from the global internet, taking aim at everything from access to new iPhones and PlayStations to Western Union money transfers and PayPal.

To achieve Russia’s isolation, Mr. Fedorov, a former tech entrepreneur, used a mix of social media, cryptocurrencies and other digital tools. On Twitter and other social media, he pressured Apple, Google, Netflix, Intel, PayPal and others to stop doing business in Russia. He helped form a group of volunteer hackers to wreak havoc on Russian websites and online services. His ministry also set up a cryptocurrency fund that has raised more than $60 million for the Ukrainian military.

The work has made Mr. Fedorov one of Mr. Zelensky’s most visible lieutenants, deploying technology and finance as modern weapons of war. In effect, Mr. Fedorov is creating a new playbook for military conflicts that shows how an outgunned country can use the internet, crypto, digital activism and frequent posts on Twitter to help undercut a foreign aggressor.

McDonald’s have withdrawn from Russia, with the war’s human toll provoking horror and outrage. Economic sanctions by the United States, European Union and others have played a central role in isolating Russia.

Mr. Zelensky was elected in 2019, he appointed Mr. Fedorov, then 28, to be minister of digital transformation, putting him in charge of digitizing Ukrainian social services. Through a government app, people could pay speeding tickets or manage their taxes. Last year, Mr. Fedorov visited Silicon Valley to meet with leaders including Tim Cook, the chief executive of Apple.

Russia invaded Ukraine, Mr. Fedorov immediately pressured tech companies to pull out of Russia. He made the decision with Mr. Zelensky’s backing, he said, and the two men speak every day.

“I think this choice is as black and white as it ever gets,” Mr. Fedorov said. “It is time to take a side, either to take the side of peace or to take the side of terror and murder.”

On Feb. 25, he sent letters to Apple, Google and Netflix, asking them to restrict access to their services in Russia. Less than a week later, Apple stopped selling new iPhones and other products in Russia.

Russia damaged the country’s main telecommunications infrastructure. Two days after contacting Mr. Musk, a shipment of Starlink equipment arrived in Ukraine.

Since then, Mr. Fedorov said he has periodically exchanged text messages with Mr. Musk.

were put on pause following the invasion. Russia, a signatory to the accord, has tried to use final approval of the deal as leverage to soften sanctions imposed because of the war.

But while many companies have halted business in Russia, more could be done, he said. Apple and Google should pull their app stores from Russia and software made by companies like SAP was also being used by scores of Russian businesses, he has noted.

In many instances, the Russian government is cutting itself off from the world, including blocking access to Twitter and Facebook. On Friday, Russian regulators said they would also restrict access to Instagram and called Meta an “extremist” organization.

Some civil society groups have questioned whether Mr. Fedorov’s tactics could have unintended consequences. “Shutdowns can be used in tyranny, not in democracy,” the Internet Protection Society, an internet freedom group in Russia, said in a statement earlier this week. “Any sanctions that disrupt access of Russian people to information only strengthen Putin’s regime.”

Mr. Fedorov said it was the only way to jolt the Russian people into action. He praised the work of Ukraine-supporting hackers who have been coordinating loosely with Ukrainian government to hit Russian targets.

“After cruise missiles started flying over my house and over houses of many other Ukrainians, and also things started exploding, we decided to go into counter attack,” he said.

Mr. Fedorov’s work is an example of Ukraine’s whatever-it-takes attitude against a larger Russian army, said Max Chernikov, a software engineer who is supporting the volunteer group known as the IT Army of Ukraine.

“He acts like every Ukrainian — doing beyond his best,” he said.

Mr. Fedorov, who has a wife and young daughter, said he remained hopeful about the war’s outcome.

“The truth is on our side,” he added. “I’m sure we’re going to win.”

Daisuke Wakabayashi and Mike Isaac contributed reporting.

View

>>> Don’t Miss Today’s BEST Amazon Deals! <<<<

Volunteer Hackers Converge on Ukraine Conflict With No One in Charge

Ukraine has been more deliberate about recruiting a volunteer hacking force. In Telegram channels, participants cheer their collaboration with the government in going after targets such as Sberbank, the Russian state-owned bank. From Russia, where links between the government and hacking groups have long raised alarms among Western officials, there has not been the same kind of overt calls to action.

“We are creating an I.T. army,” Ukraine’s minister of digital transformation, Mykhailo Fedorov, tweeted on Saturday, directing cybersecurity enthusiasts to a Telegram channel that contained instructions for knocking Russian websites offline. “There will be tasks for everyone.” By Friday, the Telegram channel had more than 285,000 subscribers.

Inside the main English-language Telegram page for the I.T. Army of Ukraine is a 14-page introductory document providing details about how people can participate, including what software to download to mask their whereabouts and identity. Everyday, new targets are listed, including websites, telecommunications firms, banks and A.T.M. processors.

Yegor Aushev, the co-founder of the Ukrainian cybersecurity company Cyber Unit Technologies, said he was flooded with notes after posting on social media a call for programmers to get involved. His company offered a $100,000 reward for those who identify flaws in the code of Russian cyber targets.

Mr. Aushev said there were more than 1,000 people involved in his effort, working in close collaboration with the government. People were only allowed to join if somebody vouched for them. Organized into small groups, they were aiming to hit high-impact targets like infrastructure and logistics systems important to the Russian military.

“It’s become an independent machine, a distributed international digital army,” Mr. Aushev said. “The biggest hacks against Russia will be soon,” he added, without elaborating.

A government spokesman confirmed the work with Mr. Aushev.

Figuring out who is behind a cyberattack is always difficult. Groups falsely take credit or boast of a bigger impact than actually occurred. But this week there was a string of attacks against Russian targets. The country’s largest stock exchange, a state-controlled bank and the Russian Foreign Ministry were taken offline for a time after being targeted by Ukraine’s volunteer hackers.

View

>>> Don’t Miss Today’s BEST Amazon Deals! <<<<

Apple Security Update Closes Spyware Flaw in iPhones, Macs and iWatches

The consortium did not disclose how it had obtained the list, and it was unclear whether the list was aspirational or whether the people had actually been targeted with NSO spyware.

Among those listed were Azam Ahmed, who had been the Mexico City bureau chief for The Times and who has reported widely on corruption, violence and surveillance in Latin America, including on NSO itself; and Ben Hubbard, The Times’s bureau chief in Beirut, Lebanon, who has investigated rights abuses and corruption in Saudi Arabia and wrote a recent biography of the Saudi crown prince, Mohammed bin Salman.

It also included 14 heads of state, including President Emmanuel Macron of France, President Cyril Ramaphosa of South Africa, Prime Minister Mostafa Madbouly of Egypt, Prime Minister Imran Khan of Pakistan, Saad-Eddine El Othmani, who until recently was the prime minister of Morocco, and Charles Michel, the head of the European Council.

Shalev Hulio, a co-founder of NSO Group, vehemently denied the list’s accuracy, telling The Times, “This is like opening up the white pages, choosing 50,000 numbers and drawing some conclusion from it.”

This year marks a record for the discovery of so-called zero days, secret software flaws like the one that NSO used to install its spyware. This year, Chinese hackers were caught using zero days in Microsoft Exchange to steal emails and plant ransomware. In July, ransomware criminals used a zero day in software sold by the tech company Kaseya to bring down the networks of some 1,000 companies.

For years, the spyware industry has been a black box. Sales of spyware are locked up in nondisclosure agreements and are frequently rolled into classified programs, with limited, if any, oversight.

NSO’s clients previously infected their targets using text messages that cajoled victims into clicking on links. Those links made it possible for journalists and researchers at organizations like Citizen Lab to investigate the possible presence of spyware. But NSO’s new zero-click method makes the discovery of spyware by journalists and cybersecurity researchers much harder.

View

>>> Don’t Miss Today’s BEST Amazon Deals! <<<<

How China Transformed Into a Prime Cyber Threat to the U.S.

Nearly a decade ago, the United States began naming and shaming China for an onslaught of online espionage, the bulk of it conducted using low-level phishing emails against American companies for intellectual property theft.

On Monday, the United States again accused China of cyberattacks. But these attacks were highly aggressive, and they reveal that China has transformed into a far more sophisticated and mature digital adversary than the one that flummoxed U.S. officials a decade ago.

The Biden administration’s indictment for the cyberattacks, along with interviews with dozens of current and former American officials, shows that China has reorganized its hacking operations in the intervening years. While it once conducted relatively unsophisticated hacks of foreign companies, think tanks and government agencies, China is now perpetrating stealthy, decentralized digital assaults of American companies and interests around the world.

Hacks that were conducted via sloppily worded spearphishing emails by units of the People’s Liberation Army are now carried out by an elite satellite network of contractors at front companies and universities that work at the direction of China’s Ministry of State Security, according to U.S. officials and the indictment.

like Microsoft’s Exchange email service and Pulse VPN security devices, which are harder to defend against and allow China’s hackers to operate undetected for longer periods.

“What we’ve seen over the past two or three years is an upleveling” by China, said George Kurtz, the chief executive of the cybersecurity firm CrowdStrike. “They operate more like a professional intelligence service than the smash-and-grab operators we saw in the past.”

China has long been one of the biggest digital threats to the United States. In a 2009 classified National Intelligence Estimate, a document that represents the consensus of all 16 U.S. intelligence agencies, China and Russia topped the list of America’s online adversaries. But China was deemed the more immediate threat because of the volume of its industrial trade theft.

But that threat is even more troubling now because of China’s revamping of its hacking operations. Furthermore, the Biden administration has turned cyberattacks — including ransomware attacks — into a major diplomatic front with superpowers like Russia, and U.S. relations with China have steadily deteriorated over issues including trade and tech supremacy.

China’s prominence in hacking first came to the fore in 2010 with attacks on Google and RSA, the security company, and again in 2013 with a hack of The New York Times.

breach of the U.S. Office of Personnel Management. In that attack, Chinese hackers made off with sensitive personal information, including more than 20 million fingerprints, for Americans who had been granted a security clearance.

White House officials soon struck a deal that China would cease its hacking of American companies and interests for its industrial benefit. For 18 months during the Obama administration, security researchers and intelligence officials observed a notable drop in Chinese hacking.

After President Donald J. Trump took office and accelerated trade conflicts and other tensions with China, the hacking resumed. By 2018, U.S. intelligence officials had noted a shift: People’s Liberation Army hackers had stood down and been replaced by operatives working at the behest of the Ministry of State Security, which handles China’s intelligence, security and secret police.

Hacks of intellectual property, that benefited China’s economic plans, originated not from the P.L.A. but from a looser network of front companies and contractors, including engineers who worked for some of the country’s leading technology companies, according to intelligence officials and researchers.

It was unclear how exactly China worked with these loosely affiliated hackers. Some cybersecurity experts speculated that the engineers were paid cash to moonlight for the state, while others said those in the network had no choice but to do whatever the state asked. In 2013, a classified U.S. National Security Agency memo said, “The exact affiliation with Chinese government entities is not known, but their activities indicate a probable intelligence requirement feed from China’s Ministry of State Security.”

announced a new policy requiring Chinese security researchers to notify the state within two days when they found security holes, such as the “zero-days” that the country relied on in the breach of Microsoft Exchange systems.

arrested its founder. Two years later, Chinese police announced that they would start enforcing laws banning the “unauthorized disclosure” of vulnerabilities. That same year, Chinese hackers, who were a regular presence at big Western hacking conventions, stopped showing up, on state orders.

“If they continue to maintain this level of access, with the control that they have, their intelligence community is going to benefit,” Mr. Kurtz said of China. “It’s an arms race in cyber.”

View

>>> Don’t Miss Today’s BEST Amazon Deals! <<<<

Colonial Pipeline Hack Reveals Weaknesses in US Cybersecurity

For years, government officials and industry executives have run elaborate simulations of a targeted cyberattack on the power grid or gas pipelines in the United States, imagining how the country would respond.

But when the real, this-is-not-a-drill moment arrived, it didn’t look anything like the war games.

The attacker was not a terror group or a hostile state like Russia, China or Iran, as had been assumed in the simulations. It was a criminal extortion ring. The goal was not to disrupt the economy by taking a pipeline offline but to hold corporate data for ransom.

The most visible effects — long lines of nervous motorists at gas stations — stemmed not from a government response but from a decision by the victim, Colonial Pipeline, which controls nearly half the gasoline, jet fuel and diesel flowing along the East Coast, to turn off the spigot. It did so out of concern that the malware that had infected its back-office functions could make it difficult to bill for fuel delivered along the pipeline or even spread into the pipeline’s operating system.

What happened next was a vivid example of the difference between tabletop simulations and the cascade of consequences that can follow even a relatively unsophisticated attack. The aftereffects of the episode are still playing out, but some of the lessons are already clear, and demonstrate how far the government and private industry have to go in preventing and dealing with cyberattacks and in creating rapid backup systems for when critical infrastructure goes down.

nearly $5 million in digital currency to recover its data, the company found that the process of decrypting its data and turning the pipeline back on again was agonizingly slow, meaning it will still be days before the East Coast gets back to normal.

seeks to mandate changes in cybersecurity.

And he suggested that he was willing to take steps that the Obama administration hesitated to take during the 2016 election hacks — direct action to strike back at the attackers.

“We’re also going to pursue a measure to disrupt their ability to operate,” Mr. Biden said, a line that seemed to hint that United States Cyber Command, the military’s cyberwarfare force, was being authorized to kick DarkSide off line, much as it did to another ransomware group in the fall ahead of the presidential election.

Hours later, the group’s internet sites went dark. By early Friday, DarkSide, and several other ransomware groups, including Babuk, which has hacked Washington D.C.’s police department, announced they were getting out of the game.

Darkside alluded to disruptive action by an unspecified law enforcement agency, though it was not clear if that was the result of U.S. action or pressure from Russia ahead of Mr. Biden’s expected summit with President Vladimir V. Putin. And going quiet might simply have reflected a decision by the ransomware gang to frustrate retaliation efforts by shutting down its operations, perhaps temporarily.

The Pentagon’s Cyber Command referred questions to the National Security Council, which declined to comment.

The episode underscored the emergence of a new “blended threat,” one that may come from cybercriminals, but is often tolerated, and sometimes encouraged, by a nation that sees the attacks as serving its interests.That is why Mr. Biden singled out Russia — not as the culprit, but as the nation that harbors more ransomware groups than any other country.

“We do not believe the Russian government was involved in this attack, but we do have strong reason to believe the criminals who did this attack are living in Russia,” Mr. Biden said. “We have been in direct communication with Moscow about the imperative for responsible countries to take action against these ransomware networks.”

With Darkside’s systems down, it is unclear how Mr. Biden’s administration would retaliate further, beyond possible indictments and sanctions, which have not deterred Russian cybercriminals before. Striking back with a cyberattack also carries its own risks of escalation.

The administration also has to reckon with the fact that so much of America’s critical infrastructure is owned and operated by the private sector and remains ripe for attack.

“This attack has exposed just how poor our resilience is,” said Kiersten E. Todt, the managing director of the nonprofit Cyber Readiness Institute. “We are overthinking the threat, when we’re still not doing the bare basics to secure our critical infrastructure.”

The good news, some officials said, was that Americans got a wake-up call. Congress came face-to-face with the reality that the federal government lacks the authority to require the companies that control more than 80 percent of the nation’s critical infrastructure adopt minimal levels of cybersecurity.

The bad news, they said, was that American adversaries — not only superpowers but terrorists and cybercriminals — learned just how little it takes to incite chaos across a large part of the country, even if they do not break into the core of the electric grid, or the operational control systems that move gasoline, water and propane around the country.

Something as basic as a well-designed ransomware attack may easily do the trick, while offering plausible deniability to states like Russia, China and Iran that often tap outsiders for sensitive cyberoperations.

It remains a mystery how Darkside first broke into Colonial’s business network. The privately held company has said virtually nothing about how the attack unfolded, at least in public. It waited four days before having any substantive discussions with the administration, an eternity during a cyberattack.

Cybersecurity experts also note that Colonial Pipeline would never have had to shut down its pipeline if it had more confidence in the separation between its business network and pipeline operations.

“There should absolutely be separation between data management and the actual operational technology,” Ms. Todt said. “Not doing the basics is frankly inexcusable for a company that carries 45 percent of gas to the East Coast.”

Other pipeline operators in the United States deploy advanced firewalls between their data and their operations that only allow data to flow one direction, out of the pipeline, and would prevent a ransomware attack from spreading in.

Colonial Pipeline has not said whether it deployed that level of security on its pipeline. Industry analysts say many critical infrastructure operators say installing such unidirectional gateways along a 5,500-mile pipeline can be complicated or prohibitively expensive. Others say the cost to deploy those safeguards are still cheaper than the losses from potential downtime.

Deterring ransomware criminals, which have been growing in number and brazenness over the past few years, will certainly be more difficult than deterring nations. But this week made the urgency clear.

“It’s all fun and games when we are stealing each other’s money,” said Sue Gordon, a former principal deputy director of national intelligence, and a longtime C.I.A. analyst with a specialty in cyberissues, said at a conference held by The Cipher Brief, an online intelligence newsletter. “When we are messing with a society’s ability to operate, we can’t tolerate it.”

View

DarkSide, Blamed for Colonial Pipeline Attack, Says It Is Shutting Down

Since the DarkSide account was opened in March, Elliptic said, it had received $17.5 million from 21 Bitcoin wallets, indicating the number of ransoms it had collected just this spring. Cybersecurity analysts assess that the group has been active since at least August, and has most likely used a number of different Bitcoin wallets to receive ransoms.

The intense scrutiny that followed the Colonial Pipeline attack has clearly unsettled ransomware groups. This week, the operators behind two major Russian-language ransomware platforms, REvil and Avaddon, announced strict new rules governing the use of their products, including bans on targeting government-affiliated entities, hospitals or educational institutions.

The administrator of XSS, a popular Russian-language cybercrime forum, announced an immediate ban on all ransomware activity on the forum, citing, among other things, the bad press associated with the industry. In a statement posted in the forum, the administrator called the attention a “critical mass of harm, nonsense, hype and noise,” saying even the spokesman for President Vladimir V. Putin of Russia had weighed in on the Colonial Pipe attack. (The spokesman, Dmitri S. Peskov, denied that the Kremlin had been involved in the attack on the pipeline.)

“The word ransom has become associated with a whole series of unpleasant things — geopolitics, blackmail, government cyberattacks,” the XSS administrator wrote. “This word has become dangerous and toxic.”

Even if DarkSide has shut down, the threat from ransomware has not passed. Cybercriminal networks often disband, regroup and rebrand themselves in an effort to throw off law enforcement, cybersecurity experts say.

“It’s likely that these ransomware operators are trying to retreat from the spotlight more than suddenly discovering the error of their ways,” said Mark Arena, Intel 471’s chief executive. “A number of the operators will most likely continue to operate in their own close-knit groups, resurfacing under different aliases and ransomware names.”

Indeed, DarkSide gave no indication that its members were getting out of the ransomware business or even letting victims currently infected with the group’s malware off the hook. In its statement, DarkSide said it would hand over its decryption tools to affiliates, giving these intermediaries, who were responsible for infecting computer systems with the group’s malicious software, the ability to negotiate ransoms with victims directly.

“You will be given decryption tools for all the companies that haven’t paid yet,” the statement read. “After that, you will be free to communicate with them wherever you want in any way you want.”

Julian Barnes contributed reporting.

View

Biden Signs Executive Order to Bolster Federal Government’s Cybersecurity

WASHINGTON — As the East Coast suffered from the effects of a ransomware attack on a major petroleum pipeline, President Biden signed an executive order on Wednesday that placed strict new standards on the cybersecurity of any software sold to the federal government.

The move is part of a broad effort to strengthen the United States’ defenses by encouraging private companies to practice better cybersecurity or risk being locked out of federal contracts. But the bigger effect may arise from what could, over time, become akin to a government rating of the security of software products, much the way automobiles get a safety rating or restaurants in New York get a health safety grade.

The order comes amid a wave of new cyberattacks, more sophisticated and far-reaching than ever before. Over the past year, roughly 2,400 ransomware attacks have hit corporate, local and federal offices in extortion plots that lock up victims’ data — or publish it — unless they pay a ransom.

The most urgent fear is an attack on critical infrastructure, a point made clear this week to Americans, who were panic-buying gasoline. A ransomware attack on Colonial Pipeline’s information systems forced the company to shut down a critical pipeline that supplies 45 percent of the East Coast’s gasoline, diesel and jet fuel for several days.

SolarWinds hack, in which Russia’s premier intelligence agency altered the computer code of an American company’s network management software. It gave Russia broad access to 18,000 agencies, organizations and companies, mostly in the United States.

The new order also requires all federal agencies to encrypt data, whether it is in storage or while it is being transmitted — two very different challenges. When China stole 21.5 million files about federal employees and contractors holding security clearances, none of the files were encrypted, meaning they could be easily read. (Chinese hackers, investigators later concluded, encrypted the files themselves — to avoid being detected as they sent the sensitive records back to Beijing.)

Previous efforts to mandate minimum standards on software have failed to get through Congress, notably in a major showdown nine years ago. Small businesses have said the changes are not affordable, and larger ones have opposed an intrusive role of the federal government inside their systems.

But Mr. Biden decided it was more important to move quickly than to try to fight for broader mandates on Capitol Hill. His aides said it was a first step, and industry officials said it was bolder than they expected.

Amit Yoran, the chief executive of Tenable and a former cybersecurity official in the Department of Homeland Security, said the question on everyone’s mind was whether Mr. Biden’s order would stop the next Colonial or SolarWinds attacks.

“No one policy, government initiative or technology can do that,” Mr. Yoran said. “But this is a great start.”

Government officials have complained that Colonial had poor defenses, and while it established a hard shell around its computer networks, it had no way of monitoring an adversary who got inside. The Biden administration hopes the standards set out in the executive order, requiring multifactor authentication and other safeguards, will become widespread and improve security globally.

Senator Mark Warner, Democrat of Virginia and the chairman of the Senate Intelligence Committee, praised the order but said it would need to be followed by congressional action.

Mr. Warner said recent attacks “have highlighted what has become increasingly obvious in recent years: that the United States is simply not prepared to fend off state-sponsored or even criminal hackers intent on compromising our systems for profit or espionage.”

The new order is the first major public part of a multilayered review of defensive, offensive and legal strategies to take on adversaries around the world. This executive order, however, focuses entirely on deepening defenses, in hopes of deterring attackers because they fear they would fail — or run a higher risk of being detected.

The Justice Department is ramping up a new task force to take on ransomware, after the discovery in recent months that such attacks are more than just extortion, they can bring down sectors of the economy.

Mr. Biden announced sanctions against Russia for the SolarWinds hack, and his national security adviser, Jake Sullivan, has said there will also be “unseen” consequences. So far, the United States has not taken similar action against China’s government for its presumed involvement in another attack, exploiting holes in a Microsoft system used by large companies around the world.

The executive order was first drafted in February in response to the SolarWinds intrusion. That attack was especially sophisticated because hackers working for the Russian government managed to change code under development by the company, which unsuspectingly distributed the malware in an update to its software packages. It was discovered during Mr. Biden’s transition and led him to declare he could not trust the integrity of federal computer systems.

The review board created under the executive order will be co-led by the secretary of homeland security and a private-sector official, based on the specific episode it is investigating at the time, in an effort to win over industry executives who fear the investigations could be fodder for lawsuits.

Because it was created by an executive order, not an act of Congress, the new board will not have the same broad powers as a safety board. But officials are still hopeful it will be valuable in learning of vulnerabilities, improving security practices and urging companies to invest more in improving their networks.

Much of the executive order is focused on information sharing and transparency. It aims to speed the time companies that have been victimized by a hack or discover vulnerabilities share that information with the Cybersecurity and Infrastructure Security Agency.

View

FBI Confirms DarkSide as Colonial Pipeline Hacker

President Biden said on Monday that the United States would “disrupt and prosecute” a criminal gang of hackers called DarkSide, which the F.B.I. formally blamed for a huge ransomware attack that has disrupted the flow of nearly half of the gasoline and jet fuel supplies to the East Coast.

The F.B.I., clearly concerned that the ransomware effort could spread, issued an emergency alert to electric utilities, gas suppliers and other pipeline operators to be on the lookout for code like the kind that locked up Colonial Pipelines, a private firm that controls the major pipeline carrying gasoline, diesel and jet fuel from the Texas Gulf Coast to New York Harbor.

The pipeline remained offline for a fourth day on Monday as a pre-emptive measure to keep the malware that infected the company’s computer networks from spreading to the control systems that run the pipeline. So far, the effects on gasoline and other energy supplies seem minimal, and Colonial said it hoped to have the pipeline running again by the end of this week.

The attack prompted emergency meetings at the White House all through the weekend, as officials tried to understand whether the episode was purely a criminal act — intended to lock up Colonial’s computer networks unless it paid a large ransom — or was the work of Russia or another state that was using the criminal group covertly.

the Washington, D.C., Police Department, have also been hit.

The explosion of ransomware cases has been fueled by the rise of cyberinsurance — which has made many companies and governments ripe targets for criminal gangs that believe their targets will pay — and of cryptocurrencies, which make extortion payments harder to trace.

In this case, the ransomware was not directed at the control systems of the pipeline, federal officials and private investigators said, but rather the back-office operations of Colonial Pipeline. Nonetheless, the fear of greater damage forced the company to shut down the system, a move that drove home the huge vulnerabilities in the patched-together network that keeps gas stations, truck stops and airports running.

A preliminary investigation showed poor security practices at Colonial Pipeline, according to federal and private officials familiar with the inquiry. The lapses, they said, most likely made the act of breaking into and locking up the company’s systems fairly easy.

executive order in the coming days to strengthen America’s cyberdefenses, said there was no evidence that the Russian government was behind the attack. But he said he planned to meet with President Vladimir V. Putin of Russia soon — the two men are expected to hold their first summit next month — and he suggested Moscow bore some responsibility because DarkSide is believed to have roots in Russia and the country provides a haven for cybercriminals.

“There are governments that turn a blind eye or affirmatively encourage these groups, and Russia is one of those countries,” said Christopher Painter, the United States’ former top cyberdiplomat. “Putting pressure on safe havens for these criminals has to be a part of any solution.”

Colonial’s pipelines feed large storage tanks up and down the East Coast, and supplies seem plentiful, in part because of reduced traffic during the pandemic. Colonial issued a statement on Monday saying its goal was to “substantially” resume service by the end of the week, but the company cautioned that the process would take time.

mounted a not-so-secret effort to put malware in the Russian grid as a warning.

But in the many simulations run by government agencies and electric utilities of what a strike against the American energy sector would look like, the effort was usually envisioned as some kind of terrorist strike — a mix of cyber and physical attacks — or a blitz by Iran, China or Russia in the opening moments of a larger military conflict.

But this case was different: a criminal actor who, in trying to extort money from a company, ended up bringing down the system. One senior Biden administration official called it “the ultimate blended threat” because it was a criminal act, the kind the United States would normally respond to with arrests or indictments, that resulted in a major threat to the nation’s energy supply chain.

By threatening to “disrupt” the ransomware group, Mr. Biden may have been signaling that the administration was moving to take action against these groups beyond merely indicting them. That is what United States Cyber Command did last year, ahead of the presidential election in November, when its military hackers broke into the systems of another ransomware group, called Trickbot, and manipulated its command-and-control computer servers so that it could not lock up new victims with ransomware. The fear at that time was that the ransomware group might sell its skills to governments, including Russia, that sought to freeze up election tabulations.

On Monday, DarkSide argued it was not operating on behalf of a nation-state, perhaps in an effort to distance itself from Russia.

“We are apolitical, we do not participate in geopolitics, do not need to tie us with a defined government and look for our motives,” it said in a statement posted on its website. “Our goal is to make money and not creating problems for society.”

The group seemed somewhat surprised that its actions resulted in closing a major pipeline and suggested that perhaps it would avoid such targets in the future.

“From today we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future,” the group said, though it was unclear how it defined “moderation.”

DarkSide is a relative newcomer to the ransomware scene, what Ms. Neuberger called “a criminal actor” that hires out its services to the highest bidder, then shares “the proceeds with ransomware developers.” It is essentially a business model in which some of the ill-gotten gains are poured into research and development on more effective forms of ransomware.

The group often portrays itself as a sort of digital Robin Hood, stealing from companies and giving to others. DarkSide says it avoids hacking hospitals, funeral homes and nonprofits, but it takes aim at large corporations, at times donating its proceeds to charities. Most charities have turned down its offers of gifts.

One clue to DarkSide’s origins lies in its code. Private researchers note DarkSide’s ransomware asks victims’ computers for their default language setting, and if it is Russian, the group moves along to other victims. It also seems to avoid victims that speak Ukrainian, Georgian and Belarusian.

Its code bears striking similarities to that used by REvil, a ransomware group that was among the first to offer “ransomware as a service” — essentially hackers for hire — to hold systems hostage with ransomware.

“It appears this was an offshoot that wanted to go into business for themselves,” said Jon DiMaggio, a former intelligence community analyst who is now the chief security strategist of Analyst1. “To get access to REvil’s code, you’d have to have it or steal it because it’s not publicly available.”

DarkSide makes smaller ransom demands than the eight-figure sums that REvil is known for — somewhere from $200,000 to $2 million. It puts a unique key in each ransom note, Mr. DiMaggio said, which suggests that DarkSide tailors attacks to each victim.

“They’re very selective compared to most ransomware groups,” he said.

View

Biden Clashes With China and Russia in First 60 Days

Its pathway to power is building new networks rather than disrupting old ones. Economists debate when the Chinese will have the world’s largest gross domestic product — perhaps toward the end of this decade — and whether they can meet their other two big national goals: building the world’s most powerful military and dominating the race for key technologies by 2049, the 100th anniversary of Mao’s revolution.

Their power arises not from their relatively small nuclear arsenal or their expanding stockpile of conventional weapons. Instead, it arises from their expanding economic might and how they use their government-subsidized technology to wire nations be it Latin America or the Middle East, Africa or Eastern Europe, with 5G wireless networks intended to tie them ever closer to Beijing. It comes from the undersea cables they are spooling around the world so that those networks run on Chinese-owned circuits.

Ultimately, it will come from how they use those networks to make other nations dependent on Chinese technology. Once that happens, the Chinese could export some of their authoritarianism by, for example, selling other nations facial recognition software that has enabled them to clamp down on dissent at home.

Which is why Jake Sullivan, Mr. Biden’s national security adviser, who was with Secretary of State Antony J. Blinken for the meeting with their Chinese counterparts in Anchorage, warned in a series of writings in recent years that it could be a mistake to assume that China plans to prevail by directly taking on the United States military in the Pacific.

“The central premises of this alternative approach would be that economic and technological power is fundamentally more important than traditional military power in establishing global leadership,” he wrote, “and that a physical sphere of influence in East Asia is not a necessary precondition for sustaining such leadership.”

The Trump administration came to similar conclusions, though it did not publish a real strategy for dealing with China until weeks before it left office. Its attempts to strangle Huawei, China’s national champion in telecommunications, and wrest control of social media apps like TikTok, ended up as a disorganized effort that often involved threatening, and angering, allies who were thinking of buying Chinese technology.

Part of the goal of the Alaska meeting was to convince the Chinese that the Biden administration is determined to compete with Beijing across the board to offer competitive technology, like semiconductor manufacturing and artificial intelligence, even if that means spending billions on government-led research and development projects, and new industrial partnerships with Europe, India, Japan and Australia.

View

Biden Administration to Impose Tough Sanctions on Russia

On Tuesday, Mr. Biden spoke with President Vladimir V. Putin of Russia, warning Mr. Putin about the Russian troop buildup on Ukraine’s border and in Crimea. Jen Psaki, the White House press secretary, said on Wednesday that the call was meant to emphasize the consequences of Russia’s activities, but it was unclear if Mr. Biden telegraphed any of his administration’s pending moves.

The Biden administration has already carried out one round of sanctions against Russia, for the poisoning of the opposition leader Aleksei A. Navalny.

Those sanctions were similar to a series of actions that European nations and Britain took in October and expanded in March. Allied officials said that while the American response on Mr. Navalny was closely coordinated, the sanctions imposed for the election interference, bounties and hacking were meant to be more unilateral.

While Biden administration officials were for a while considering taking action only in response to the hacking, they decided to join that move with retaliations for other Russian actions, according to officials. Additionally, penalties coordinated with allies for Russia’s increased threat to Ukraine were expected, said one person familiar with the announcement.

The C.I.A. presented the Trump administration with an intelligence assessment that Russia had covertly offered to pay bounties to militant fighters to incentivize more killings of Americans in Afghanistan. But while the National Security Council at the Trump White House initially led an interagency effort to come up with response options, months passed and the White House did not authorize anything — not even the mildest option, delivering a diplomatic warning.

After the existence of the C.I.A. assessment and the White House’s inaction on it became public, there was bipartisan outrage in Congress. As a candidate, Mr. Biden raised the issue of the suspected bounties, and once in office, he ordered his intelligence officials to put together a full report on Russian efforts against Americans.

While the Biden administration has not released any new information on the suspected bounties, it did make public a report on Russian election interference. That report said that Mr. Putin had authorized extensive efforts to hurt Mr. Biden’s candidacy during the 2020 election, including by mounting covert operations to influence people close to President Donald J. Trump.

View

REPUBLICA PRESS
Your Business & Political News

Cyberwarfare and Defense

Let Us Help You Protect Your Digital Life