US military goes on offense against ransomware

The military, including Cyber Command, has taken action against some ransomware groups after recent attacks on American companies, according to the nation’s top cyber-defense executive.

Agencies have stepped up their efforts against ransomware groups after recent attacks on Colonial Pipeline and meat processor JBS, said Gen. Paul Nakasone, the head of Cyber Command and the director of the National Security Agency, according to the New York Times. Nakasone’s acknowledgment of Cyber Command’s effort is the first public disclosure of offensive cybersecurity operations against ransomware groups.

Nakasone didn’t detail what actions the military was taking against ransomware groups, but he said the recent attacks have been “impacting our critical infrastructure.” He did say that Cyber Command, the NSA, and other agencies are focused on gathering intelligence on ransomware groups.

The goal of the actions against ransomware groups is to “impose costs” on them, Nakasone added.

It’s no surprise that the military would take offensive action against ransomware gangs, given the series of recent, high-profile attacks, several cybersecurity experts said.

The U.S. and other governments have run “hack-back” campaigns against cyber-criminals in the past. Still, the governments generally haven’t acknowledged those efforts, said Lavi Lazarovitz, head of security research at CyberArk Labs, a cybersecurity research firm. The disclosure of actions against ransomware gangs is new, he noted.

“I expect these types of actions to increase in frequency in the future,” he told the Washington Examiner. “Considering ransomware’s impact on organizations and the economy overall, it has become a real and growing threat that must be answered both defensively and offensively.”

Others cheered Nakasone’s comments.

“The kid gloves are off. The U.S. and its allies are taking on this problem head-on and ready to fight,” said Brad LaPorte, a strategic adviser at cybersecurity vendor rThreat and a longtime adviser to the Department of Defense.

Agencies have a “long history” of disrupting cyberthreats, but their actions have typically been out of the spotlight, he told the Washington Examiner. “There is now a monumental shift towards a comprehensive strategy to combating these threats, and it is expanding to allies and making an impact in a big way,” he added.

LaPorte said that the government working with allies would have a “multiplying effect” on disrupting ransomware. “A key strategy to combating ransomware threats is international collaboration, and [it] cannot be done in a vacuum.”

While Nakasone didn’t disclose Cyber Command’s methods, there are several actions that the U.S. military could take, Lazarovitz said. The military could compromise or shut down ransomware command-and-control services, which manage botnets and other tools used by ransomware groups. The military could also track ransomware affiliates to find more information on the groups’ targets and mechanisms.

In addition, ransomware defenders could release encryption keys to help organizations hit by ransomware recover from the attacks, he said.

Cyber Command can also share intelligence with law enforcement agencies as it collects information, added Jim Richberg, public sector field CISO and vice president of information security at cybersecurity vendor Fortinet.

Using its foreign intelligence capabilities, Cyber Command can help identify the command-and-control infrastructure being used by ransomware groups, he said. Then, network defenders can block traffic from ransomware infrastructure, “and in the case of infrastructure that is being used without the owner’s knowledge, alerting the victim to the need to clean up the infection,” he told the Washington Examiner.

Like LaPorte, Richberg called for a coordinated approach to fighting ransomware.

“Ransomware has grown in scope and sophistication because it is cost-effective and relatively easy for criminals to conduct,” he said. “Because of the growing impact on critical infrastructure targets that we have seen over the past year, it has become a threat that can have a significant impact on national security.”