U.S. military takes action against ransomware groups
SIMI VALLEY, Calif. - The U.S. military has taken actions against ransomware groups as part of its surge against organizations launching attacks against American companies, the nation’s top cyberwarrior said Saturday, the first public acknowledgment of offensive measures against such organizations.
Gen. Paul M. Nakasone, head of U.S. Cyber Command and director of the National Security Agency, said that nine months ago, the government saw ransomware attacks as the responsibility of law enforcement.
But the attacks on Colonial Pipeline and JBS beef plants demonstrated that the criminal organizations behind them have been “impacting our critical infrastructure,” Nakasone said.
In response, the government is taking a more aggressive, better coordinated approach against this threat, abandoning its previous hands-off stance. Cyber Command, the NSA and other agencies have poured resources into gathering intelligence on the ransomware groups and sharing that better understanding across the government and with international partners.
“The first thing we have to do is to understand the adversary and their insights better than we’ve ever understood them before,” Nakasone said in an interview on the sidelines of the Reagan National Defense Forum.
Nakasone would not describe the actions taken by his commands or which ransomware groups were targeted. But he said one of the goals was to “impose costs,” the term military officials use to describe punitive cyber operations.
In September, Cyber Command diverted traffic around servers being used by the Russia-based REvil ransomware group, officials briefed on the operation have said. The operation came after government hackers from an allied country penetrated the servers, making it more difficult for the group to collect ransoms. After REvil detected the U.S. action, it shut down, at least temporarily.
Cyber Command and the NSA also assisted the FBI and the Justice Department in their efforts to seize and recover much of the cryptocurrency ransom paid by Colonial Pipeline. The Bitcoin payment was originally demanded by the Russian ransomware group known as DarkSide.
Government officials have disagreed about how effective the stepped-up actions against ransomware groups have been. National Security Council officials have said activities by Russian groups have declined. The FBI has been skeptical. Some outside groups saw a lull but predicted the ransomware groups would rebrand and come back in force.
Asked if the United States had gotten better at defending itself from ransomware groups, Nakasone said the country was “on an upward trajectory.”