“We expect panic.”

Russian hackers have laid the groundwork for significant disruptions after the election. We’re better prepared than 2016 — aren’t we?

In my last post, I wrote about the latest GRU indictment, and how it documented significant cyberattacks that have been conducted by Russian intelligence operators, and how it was meant to be a warning for the American public about the kinds of capabilities the Kremlin has to disrupt the election or transition, or to cause or inflame unrest in the period between the election and the inauguration. A potential roadmap to our Election Day fears, as it were. The indictment made clear that Russian behavior has been undeterred by any response they have met thus far, and that the Kremlin uses disproportionate displays of force in cyberspace. It also drew a clear list of the kinds of attacks these units have the capabilities to conduct — disrupting electrical grids, banking systems, government systems, and far more.

One of them stood out to me as a potential disruption whose time may have arrived: the use of malware/ransomware attacks to disrupt hospital services and delay the delivery of care. In fact, the indictment explicitly highlighted a case where a US hospital system had been disrupted by spillover effects of a prior Russian ransomware attack.

So when the FBI and CISA issued a warning on Wednesday that there is “credible information of an increased and imminent cybercrime threat to US hospitals and healthcare providers,” that another Russian-based “cybercriminal” unit has used malware to infect hospital and healthcare systems with ransomware, and that in the past week several hospitals have already been affected — well, this seems not great. Of course, the warning assiduously did not mention the word “Russia” even though the group responsible — UNC1878 or “wizard spider” (yeah, I know) — is Russian-based and Russian-speaking, because not mentioning Russian attribution while adding spangles and bells to CHINA and IRAN is how we have to roll these days, I guess.

But this malware/ransomware attack is a Russian threat to critical American systems.

Aside from the warnings in the indictment, there’s been a lot of activity directly connected to this threat actor and specific set of tools in the past month — signs that there was growing concern about this specific threat before the election.

First, US Cyber Command acted to disrupt the Trickbot botnet. A botnet is a network of computers that have been hijacked by malware that can then be used to do other things; the Trickbot network is the world’s largest. Trickbot malware has been in play since 2016. It allows its operators to copy credentials to access systems, copy mail and data, mine cryptocurrency, or plant ransomware (ransomware encrypts the data on a computer or system until the target pays a fee — a ransom — to have it unscrambled).

The threat actor known as “wizard spider” — which somehow I feel should only be spoken in emoji 🧙‍♂️🕷 — has been credited with “maturing” the use of ransomware attacks, up-scaling them beyond attacks on private enterprises to targeting things like schools, local governments, law enforcement, and government contractors. Over the past year, this has become more lucrative for the unit even as it has become more disruptive in its targeting. This Russian-based group uses a kind of Ryuk ransomware as it shifts to “higher value targets.”

CyberCom moving against the Trickbot network was meant to temporarily disrupt the network in advance of the election. It’s a pretty big deal — part of what CyberCom Commander Gen. Paul Nakasone calls “persistent engagement,” or “the imposition of cumulative costs on an adversary by keeping them constantly engaged.” This concept of “defending forward” is an important aspect of how CyberCom is developing capabilities meant to defend against foreign election interference (amongst other things). What they did is actually very cool.

But if you, like me, are not really a “technical person,” what you really need to understand from this is: there was a Russian-based group running a malware network linked to an escalating series of ransomware attacks, and CyberCom threw a grenade into it. The network can rebuild, but it takes time and effort and that diverts the guys running the stuff during this period leading up to our election. Or at least, that’s the hope.

Second, parallel to the action CyberCom was taking against the Trickbot botnet, Microsoft went to court to gain permission to take over servers that had been infected with the malware. They estimated that the combined efforts disabled 94 percent of the network’s core infrastructure. Microsoft explicitly referenced concerns that the botnet was involved in efforts to target US election systems — voter rolls, etc. — to delay the reporting of results or, more generally, to create the appearance of election disruption meant to undermine confidence in the results (but not the results themselves).

Finally, it became clear that these tools weren’t just targeting election systems, but other critical systems as well — including hospitals and healthcare systems. Five hospitals around the country have already been impacted in the past week, and internal communications show the unit wanted to target hundreds more. It’s at this point that the FBI and CISA issued their warning. This is seen as an extremely significant threat, in terms of actual risk, timing, and perception. CISA has clearly had their eye on this potential threat during COVID, hiring someone in July with expertise in healthcare systems to take over this portfolio.

What’s the potential point of such an attack? “We expect panic,” the group said in internal messages. And that would be the goal: to enhance the public perception that events are out of control as further fuel for internal unrest.

* * * * *

Outside of the US, there have been two main news threads about America since February: that the White House has abdicated the responsibility of responding to the pandemic, and that because of that government failure, hospitals, schools, businesses, etc. are essentially on their own to figure out what to do. This puts every hospital, school, etc. on the front lines of the pandemic, and makes each one of them a point of success or failure. The threat actors who are always on the lookout for a weakness to exploit interpreted this quite literally, it appears, making them prime targets of potential disruption campaigns.

So here we are, days from the election, with COVID rates spiking to their highest rate since the beginning of the pandemic. Only now, cases are far more spread out around the country, challenging the ability of small or rural hospitals to deliver care to everyone who needs it, particularly in mountain west and northern plains states where healthcare infrastructure is sparse because populations are small and dispersed. Maybe a third of the country listens to the president and doesn’t think COVID is real, rolling from one MAGA chickenpox party to the next, which is helping to drive infection rates up as temperatures fall and COVID fatigue sets in.

Disrupting hospitals is a real threat, targeting a real anxiety. So, what do we make of this?

Hackers won’t have to shut down hundreds of hospitals to get panic. Maybe they could, but more likely it’s a smaller number. They just have to target enough that it creates the appearance of a pattern that breaks through our regularly-scheduled program of endless clips of nonsense the president just said into the national news cycle. It’s a smart target if you are looking to stoke the appearance of chaos in a broader situation that feels out of control. As with COVID response, it falls to each individual institution to mitigate that panic, remain in control, and project calm into communities that could be on edge. Doctors and nurses and hospital workers have been tremendously innovative during this crisis, and in most cases will be able to continue to deliver care to patients — it will just likely involve more paper and running if electronic systems fall victim to ransomware attacks. But it’s so easy to feel as a nation that no one is doing anything when the White House, well, isn’t doing anything.

In 2016, basically everyone failed to protect the American people and our elections from the Russian attack on our democracy. This time, far more of our assets are engaged in tracking, exposing, and mitigating cyber threats, at least. But, are we watching the right thing? In 2016, the hacking operations targeting election systems felt more like diversion operations than the main show, an effort to lay groundwork for narrative and options that weren’t needed when Trump won.

But 2020 is not 2016. Our trust in our institutions has eroded. The Kremlin and its proxies have every interest in accelerating that inward-looking foment. This revamped, more aggressive interference has never really been about picking an American winner, but creating options for disruption to weaken America no matter what variables change. And cyber attacks at scale — as seen before in Estonia and Ukraine and Georgia — could be an element.

* * * * *

Could there be more to this than the usual “sow discord” explanations? It’s worth thinking about. No matter what happens, the Kremlin will try to laugh it off as the commercial activities of hackers that have absolutely nothing to do with them. This isn’t really true — groups that operate in Russia do so knowing Russian intelligence pays attention to them, and in many cases are not fully independent from them, or they sell or lend access to their networks and tools when asked because there are consequences if they don’t.

The Kremlin has targeted civilian infrastructure, particularly hospitals and schools, as part of its bombing campaigns in Syria, erasing the lines between military and civilian targets when crushing the populace is viewed as a necessary objective to weaken the military force, or is itself viewed as a primary objective. The same approach is seen in hybrid campaigns, where civilians are often the target of below-threshold measures.

Directing cyberattacks against US hospitals and healthcare systems during a pandemic seems to combine these approaches. It’s not a justifiable use of force unless you want to argue that crushing the will of Americans is a necessary objective. If they do this — well, they’ve already done this, but if they decide to activate the attacks on hospitals at scale and impact our ability to care for patients during the peak of a pandemic — I don’t ever want to hear about another “reset” again.

One final note: around the same time that the GRU indictment came out, there was this story reminding us how Russian hackers have been masking their activity behind Iranian operations. There has been some good reporting in the past on how skilled Russian hackers have become at this practice (and hey, let’s never forget they also pretended to be ISIS online...). So, be cautious about attribution, especially if it is offered by one of the president’s loyalists instead of a credible intelligence professional.

I harp on and on about the failure of the US government — by which I mean in particular the White House — to protect the American public from hybrid Russian attacks, or to mobilize the public effectively to lessen vulnerabilities to these attacks, because this is such a stark and complete dereliction of duty. This attitude has encouraged more aggressive behavior by the Kremlin. It encourages precisely the panic that the Russians want as opposed to an organized and effective response that strengthens the social fabric that holds us together.

The White House dropped the shield, and the Kremlin takes advantage. In Afghanistan, Syria, and beyond, this has put a target on the back of every American soldier. In Moscow, Havana, and beyond, there is a target on US intelligence officers and diplomats. In America, it has meant more widespread and risky experiments with building capabilities for disruption, which makes every one of us and our communities more vulnerable.

These potential attacks may exploit existing weaknesses, or be smaller and more local, but this doesn’t make them any less potentially severe. Creating the perception or reality of widespread disruption — of decay, rot, mismanagement, decline — would not be a very hard task to accomplish with operational targets that are actually quite small. We transmit our vulnerabilities into the ether, and our adversaries listen.

As I mentioned last time: we need to be working to influence how the Kremlin does the math and decides to pull the trigger or not.

But in the meantime: be ready. Listen to the warnings we are getting about potential interference and disruption. Don’t panic.