Russian Hackers Hit The U.S. Yet Again — A Security Expert Details How To Respond
AILSA CHANG, HOST:
Another Russian hack of the U.S. government by a group that may have already broken into government systems, which raises the question, why does this keep happening? Earlier today, Microsoft announced that hackers linked to Russian intelligence infiltrated an email account at the U.S. Agency for International Development, or USAID. The hackers then used that account to target as many as 150 other government, development and human rights organizations globally. Chris Painter is president of the Global Forum on Cyber Expertise and joins us now. Welcome.
CHRIS PAINTER: Happy to be here.
CHANG: So a Microsoft cybersecurity official is attributing this attack to a Russian-based group called Nobelium and says that they've also seen some overlap with another Russian group called Cozy Bear, which was behind the SolarWinds attack last year. Tell me, how do experts determine who's responsible?
PAINTER: Well, they look at a range of things. And I think Microsoft looked at what the tactics and procedures of this group did, followed some of the electronic evidence, also looked at motives. And we certainly have seen, as you mentioned, no shortage of Russian government-sponsored malicious activity online. And this is just the latest chapter of that.
CHANG: Right. OK. So what was the key weakness that these hackers exploited in this case? Like, was it a pretty sophisticated breach?
PAINTER: Well, unlike the SolarWinds attack and intrusion that was very sophisticated, not really seen before, this one is really old-school. It seems to be the same actors, the Cozy Bear actors as they're called - bear because it's Russia. And they've been involved in election interference activities, SolarWinds activity. But here, they basically use what's called phishing, which is just simply sending out false emails pretending to be from, in this case, USAID, a government agency, to people. People think those emails are trusted because they look like they're from that agency. They click on them. They click on a little link that talks about something that's in that email. In this case, it was a report about election interference. And that downloads some malicious code, some malware, as they call it, that then allows the bad guys to get full access to your computer and really do all kinds of different things. Most take information, but do other things as well in the future.
CHANG: Yeah. OK. Well, what would you say is the main takeaway from this latest hack? Like, what does it expose about America's cybersecurity defenses, do you think?
PAINTER: Well, unfortunately - you know, look, we've been looking at this for a long time, and I've been involved in cyber issues for 30 years now. And we're getting better, but we're not nearly good enough. There has been too many of these intrusions, too many of these attacks, both by nation states like Russia and China, but also by criminal groups, what we've seen in the recent ransomware events with Colonial Pipelines, for instance, which means we've got to get a lot better in defending ourselves. We have to be better at causing consequences for the bad actors when they go after us, having some of the accountability.
You know, the Biden administration has promised to do all those things, and I think they're taking steps in that direction. But we are very vulnerable. We are the most connected country probably in the world, and that makes us very vulnerable. And we need to be able to protect ourselves better than we have.
CHANG: So with respect to this hack, what would a measured response by the U.S. look like here?
PAINTER: Well, it's interesting. Like I said, this is not particularly sophisticated. And it looks like - again, it's hard to ascribe what the motive is. It looks like it might have been espionage, intelligence gathering. Now, that doesn't mean we have to sit on our hands and say, that's OK. We can still respond. But that's different than an attack that is disruptive, one that - like the Colonial Pipelines...
PAINTER: ...Issue, one that really disrupts infrastructure. So, you know, we have a summit coming up between the president and President Putin. I think it could be raised there with the other malicious activity we've seen from Russia. But I think we do have to respond because otherwise, we'll just see these things increase, continue and become more severe. If there's no cost for the bad guys doing this and they're getting a benefit, which they clearly are, that's a problem.
CHANG: Chris Painter is president of the Global Forum on Cyber Expertise. Thank you very much.
PAINTER: Thank you. Transcript provided by NPR, Copyright NPR.