US and UK Warn of Cybersecurity Threat From Russia
LONDON — The United States and Britain on Monday issued a first-of-its-kind joint warning about Russian cyberattacks against government and private organizations as well as individual homes and offices in both countries, a milestone in the escalating use of cyberweaponry between major powers.
Although Washington and London have known for decades that the Kremlin was trying to penetrate their computer networks, the joint warning appeared to represent an effort to deter future attacks by calling attention to existing vulnerabilities, prodding individuals to mitigate them and threatening retaliation against Moscow if damage was done.
“When we see malicious cyberattacks, whether from the Kremlin or other nation-state actors, we are going to push back,” Rob Joyce, a special assistant to the president and the cybersecurity coordinator for the National Security Council, said in joint conference call with journalists by senior officials in Washington and London. That would include “all elements of U.S. power available to push back against these kinds of intrusions,” he added, including “our capabilities in the physical world.”
Robert Hannigan, an executive with the cybersecurity company BlueVoyant and the former director of the British electronic spying agency GCHQ, said: “We have found the Russians in routers and deep inside networks for 20 years. But this is about saying to the Russians, ‘We know where you are prepositioned and if something happens, we will know it is you.’”
The sweep and urgency of the statements from both sides of the Atlantic called to mind a computer-age version of a Cold War air raid drill, but asking citizens to upgrade their passwords rather than duck and cover.
Ciaran Martin, chief executive of Britain’s National Cyber Security Center, said Russia had targeted “millions” of devices in both countries, often seeking to hack into individual homes or small businesses or to control their routers.
“Once you own the router, you own all the traffic, to include the chance to harvest credentials and passwords,” said Howard Marshall, deputy assistant director of the cyber division at the Federal Bureau of Investigation. “It is a tremendous weapon in the hands of an adversary.”
In particular, both governments said, the Russians were seeking to exploit the increasing popularity of internet-connected devices around homes and businesses — the so-called internet of things — “the kind of thing you and I have in our homes,” Mr. Joyce said.
The officials said the Kremlin was often utilizing what were known as man-in-the-middle attacks, in which hackers secretly inserted themselves into the exchange of data between a computer or server in order to eavesdrop, collect confidential information, misdirect payments or further compromise security.
“Russian state-sponsored actors are using compromised routers to conduct spoofing ‘man-in-the-middle’ attacks to support espionage, extract intellectual property, maintain persistent access to victim networks and potentially lay a foundation for future offensive operations,” the British government said in a prepared statement. “Multiple sources including private and public-sector cybersecurity research organizations and allies have reported this activity to the U.S. and U.K. governments.”
But the officials said that the extent of Russia’s successful penetration of Western computer networks was not fully clear, nor was the Kremlin’s ultimate intent. Russia might be tapping into millions of home or small business computers and other devices to gain the ability to use them later in a coordinated attack on government computers or critical infrastructure, the officials said.
The goal “is not always to steal information,” Mr. Joyce said. “Sometimes it is to facilitate other operations” or “for further aggressive acts.”
The warnings issued Monday, including the release of technical guidance to businesses and individuals, had been in the works for a long period and do not reflect any response to recent events, the officials said. But the finger pointing toward Moscow also comes at a moment of escalating tensions.
Russian diplomats have castigated the United States, Britain and France for their airstrikes last week on what they said were chemical weapons facilities in Syria, where the Kremlin is backing the government of President Bashar al-Assad. Russia and the Western governments have also recalled diplomats in a back and forth over British accusations that the Kremlin used a nerve agent to try to assassinate a former Russian spy living near London.
In Washington, both Democrats and Republicans have criticized President Trump for what they say is his reluctance to hold Russia accountable for its hacking of the Democrats during the 2016 presidential election; American intelligence agencies have also blamed the Kremlin for those attacks.
Against that backdrop, Washington and London have been moving together for months to publicize allegations of other malicious cyberactivities by the Kremlin. In February, they blamed Russia for a cyberattack the previous June that was known by the name NotPetya. Initially aimed at Ukraine, the attack spread through computer networks around the world, doing what the White House said was billions of dollars in damages in the United States, Europe and Asia.
Both the United States and Britain have accused the Kremlin of trying to penetrate the electrical grid in both countries, although without yet doing any damage.
After describing the Russian threats, officials of both governments on Monday repeatedly urged individuals and businesses to better protect their own networks. “We need to place as much emphasis on security as we do on ease and functionality,” Mr. Joyce urged manufacturers.