Officials Say Russian Hackers May Retaliate for Sanctions

U.S. officials and security specialists are warning that Russian hackers may respond to new sanctions by attacking the computer networks of U.S. banks and other companies.

U.S. officials involved in a White House review of the effects of further penalties on Russia didn’t respond to questions about whether the study explores the risk of cyber-counterattacks. Even so, two people with knowledge of the review said it includes revisiting previous classified exercises in which small numbers of computer experts showed they were able to cripple the U.S. economy in a few days.

Cybersecurity specialists consider Russian hackers among the world’s best at infiltrating networks and say evidence exists that they already have inserted malicious software on computers in the U.S.

The Financial Services Roundtable, an industry group that includes Citigroup Inc. and Bank of America Corp., is watching for any signs of hacking attacks, although nothing appears imminent, Paul Smocer, head of the technology policy division of the Washington-based trade group, said in a telephone interview.

“A cyber-attack is a real concern that we all need to have,” Smocer said. “Nation states’ ability to launch cyber-attacks is certainly real nowadays, and so in any conflict, I think that the possibility exists as we worry about escalation.”

Additional Sanctions

The U.S. and its allies are preparing to impose additional sanctions on Russia this week over the conflict with Ukraine, according to a European diplomat and an American official. The penalties may target individuals with influence in sectors of the Russian economy that include banking, White House Deputy National Security Adviser Ben Rhodes told reporters accompanying U.S. President Barack Obama, who is traveling in Asia.

The Ukraine crisis intensified last week when Russian President Vladimir Putin warned the eastern European country that was part of the former Soviet Union to halt an offensive aimed at separatists. Ukrainian officials say Russia is helping fuel the separatist movement as part of efforts to destabilize their country.

If Russia decides to retaliate for new sanctions on its banks and Putin associates, it could be difficult to trace any cyber-attacks to his government because hackers can easily mask their identities and locations online.

Iranian Hackers

It took experts months to trace an eight-month series of distributed-denial-of-service, or DDOS, attacks on the largest U.S. banks in 2012 and 2013 to Iranian hackers calling themselves the Al Qassam Cyber Fighters and retaliating for U.S. and international sanctions on that country. Such attacks flood websites with Internet traffic to knock them offline.

“There’s been a history of cyber-attacks against the industry, so we’ve prepared in terms of both strong defenses and strong information-sharing,” Smocer said.

U.S. officials, though, say Congress’s failure to pass new legislation allowing companies to share information on cyber-attacks without fear of antitrust action or shareholder liability suits has hampered efforts to bolster the nation’s online defenses.

The officials, who requested anonymity to discuss policy matters that involve classified material, also said that while some of former National Security Agency contractor Edward Snowden’s revelations about U.S. cyber espionage exposed excesses, the resulting public backlash has made intelligence agencies reluctant to take more aggressive action.

Targeting Estonia

Russia, where Snowden now lives, has no such problem, the officials said. Its aggressive pursuit of offensive digital capabilities began in 2007, after a group of young Russian hackers launched a series of denial-of-service attacks on Estonia. The hackers, they said, were angered by an Estonian plan to move a statue memorializing Soviet World War II soldiers from the capital of Tallinn to a more remote location.

While evidence indicates that those attacks were launched without Russian government involvement, since then Russia’s military and intelligence services have rapidly developed their capacity for offensive cyber-warfare, the officials said. Russia launched cyber-attacks against Georgia’s Internet infrastructure in 2008, and has used them again this year in Crimea and other parts of Ukraine, one of the officials said.

The attacks against Estonia used 100 megabytes per second, which is small compared to the capabilities that now exist, said Jaime Blasco, a malware researcher and labs director for AlienVault LLC, a network-security company based in San Mateo, California.

Larger Attack

A DDOS attack in December on unnamed companies in the U.S. and France used 400 gigabytes per second, Blasco said in a telephone interview. That’s 4,000 times larger than the Estonia attacks.

“Russia could launch denial-of-service attacks against critical infrastructure in the United States,” he said. “It could be much bigger than we have ever seen.”

Large DDOS attacks have spiked so far in 2014, according to new data compiled by network-security company Arbor Networks Inc. in Burlington, Massachusetts.

The company has tracked a 1.5 percent increase in attacks using at least 20 gigabytes per second in 2014 compared with all of 2013, the largest being a 325 gigabyte-per-second attack against a target in France in February that lasted four hours and 22 minutes, according to the company.

Dirt Jumper

A network of computers called Dirt Jumper that’s been used in denial-of-service attacks is believed to have been created in Russia, Dan Holden, director of security research for Arbor Networks, said in a telephone interview.

“Historically speaking, the Russians probably are the best spies in the world,” he said.

If Russian hackers wanted to attack U.S. targets, they would have thousands of Internet-connected devices to use, including off-the-shelf routers inside many American homes, Holden said. Hijacking multiple computers with malware to form a network that attacks websites is known as a botnet.

“You could have bot zombies in America attacking America,” he said. “Think of all the companies in the U.S. that are doing business on the Web, whether they’re selling computers or whether they’re selling pizzas.”

Russian hackers also are believed to have already infiltrated U.S. computer networks, said Jen Weedon, manager of threat intelligence at computer security company FireEye Inc., based in Milpitas, California.

Energy Industry

“A lot of the security community is tracking specific malware campaigns targeting the energy industry and attributing them to Russian actors,” Weedon said in a telephone interview. FireEye has seen similar campaigns targeting the computer technology, health-care and manufacturing industries, as well as local governments, she said.

The malware is believed to be of Russian origin, though direct attribution to the government is difficult to determine, and it creates “back doors” to access computers and steal data, she said.

Weedon said those back doors also could be used for carrying out destructive attacks. Even so, she doubted that destructive attacks would occur and said that if freelance hackers tried to carry them out, the Russian government would intervene.

“If they were suddenly to attack U.S. assets, I think that would cross a red line,” she said. “What incentives do they have to allow that to happen or do it themselves? I think they would expect a U.S. response, and the U.S. probably would respond.”

Other experts are less confident.

“Our experience and evidence tends to support the notion that Russia is sufficiently organized and equipped to wage a very effective cyber-guerrilla campaign against the U.S. and avoid public attribution,” said Rodney Joffe, senior vice president and chief technologist for Sterling, Virginia-based Neustar Inc.