Cyber investigators at Mandiant say they’re actively responding to more than a dozen live intrusions by Russian foreign intelligence services aimed at diplomats, military computers, defense contractors, and other targets, according to a Bloomberg report.
Mandiant is a security company that responds to breaches worldwide and says it works with more than 75 of America’s 100 highest-revenue companies.
Its update comes amid repeated Biden administration warnings that Russia is considering cyberattacks against critical US infrastructure.
One reason the Russian attacks aren’t making headlines is that, according to Mandiant’s findings, the actual number of them is roughly in line with normal levels. What’s changed recently is the focus.
As the world reacts to Russia’s invasion, Germany, Turkey and the UK are obvious targets for Russian spies who are desperate to eavesdrop on diplomats’ discussions about their own national positions and for any insight into military support, John Hultquist, Mandiant’s vice president for intelligence analysis, told Bloomberg.
“They want to know what they’re thinking,” he said.
Mandiant has identified Russians in “multiple” networks since February and is in the process of booting hackers out, he said, without being more specific.
Kevin Mandia, a former US Air Force officer who founded the company, which is now being bought by Google for $5.4 billion, added that suspected Russian cybercriminals are using ransomware to hit organizations “that you would call parts of or important to critical infrastructure.”
But overall, this activity, both ransomware and espionage, appears to be "the normal amount" and "the same as usual" out of Russia, he added.
Nearly three months into the invasion, assessments of Russian activity in cyberspace remain varied.
The head of the UK’s eavesdropping agency, GCHQ, suggested last week that the concept of a cyberwar was perhaps “overhyped.”
Paul Nakasone, the army general who leads US Cyber Command, warned earlier this month that Russian cyberattacks aren’t yet “done” and that “this idea that nothing has happened is not right.”
Rob Joyce, the NSA’s director of cybersecurity, told a conference last week that ransomware attacks are “actually down,” in part because the impact of sweeping economic sanctions has made it harder for them to operate.
Ukraine has reported more than three times as many cyberattacks since the war began as in the same period last year.
An analysis released Tuesday by Ukrainian authorities indicated Moscow might have “already used up all their available resources for waging cyberattacks.”
Russian planners may not even have turned their attention to developing larger hacks targeting the US and others until after the failure of Russian President Vladimir Putin's quick-win strategy to take Kyiv became clear, several days into his war on Ukraine, Hultquist said. Major cyber-espionage campaigns, he added, take months to plan.
“We have to be patient because this is not over,” he said.
As for longer-term solutions, Mandia said he thinks the best way to help prevent future attacks is to show that countries are ready to identify perpetrators.
That’s exactly what the US and Europe did last week when they pointed the finger at Russia for a cyberattack against Viasat modems at the onset of its Ukraine invasion.
Mandia says he finds recognizing the patterns of an intrusion as easy as reading a children’s book, and that he’s never seen a good false flag operation, in which one nation masquerades as another.
“I’ve always felt attributions are important to change behaviors; hold the nations accountable,” he said. That is also a prerequisite for imposing any official response, such as sanctions.
There is no question, he says, that if you have no risks or repercussions, "it's just gonna go on forever."
Moscow has consistently denied involvement in cyber espionage.