Not just the money: Ransomware a growing political threat to U.S. interests

The rising frequency of ransomware attacks against private companies involved in everything from banking to gasoline supply and beef production may feel like an over-hyped national security threat, but a growing number of experts are warning that the attacks represent a new cyberwar trend that America’s adversaries are poised to exploit not for money but for serious geopolitical gain.

Analysts predict that as the scope and sophistication of the incidents grows over the coming months and years, states such as Russia, China, Iran, North Korea and others are all likely to accelerate the use of the tactic to exact foreign policy concessions either directly from Washington, or from U.S. allies around the world.

“I think it’s a matter of time before key adversaries like Iran and North Korea are leveraging ransomware for political gain,” said Jenny Jun, a nonresident fellow at the Atlantic Council’s Cyber Statecraft Initiative.

It is important to understand the basic mechanics of a typical ransomware attack: A group of hackers bores into a company’s computer system, finds sensitive data such as client bank account numbers, then locks that data up with an encryption key — or password — that makes it impossible for the company to access the data. The hackers then demand that the company pay a fee in exchange for the encryption key to unlock the data.

Ms. Jun maintains that the same processes present hostile forces — both state and non-state actors — with a new and affordable way to wreak havoc, particularly if the companies being targeted are involved in major critical infrastructure or other politically sensitive industries such as defense production and high-level banking.

While recent months have seen hacking groups like “DarkSide” and “REvil” use ransomware to get U.S. companies to pay tens of millions of dollars for encryption keys to free up the companies’ data, Ms. Jun predicts foreign governments with influence over such hacking groups will soon be demanding something other than money.

Foreign adversaries could instead seek things like sanctions relief, prisoner releases and subtle policy shifts by U.S. allies designed to undermine American interests on the global stage, Ms. Jun said in an interview with The Washington Times.

“It could be a demand that a country concede its control over a particular piece of territory,” she said, adding that a foreign adversary could also use ransomware against an international bank to demand that the bank — or the country where it is located — stop cooperating with U.S. sanctions.

Iran already has a track record of engaging in such tactics outside the cyber realm, she said, noting how Tehran succeeded in pressuring South Korea to release nearly $7 billion in frozen Iranian assets early this year by seizing control of a South Korean-flagged oil tanker.

Ms. Jun called it a “no-brainer” that Iran — which has billions of dollars in funds frozen in overseas banks because of U.S. and Western economic sanctions — will eventually turn to ransomware attacks to achieve similar ends. “You can imagine a country having their facilities taken hostage through ransomware and then the Iranians saying, ‘We’ll release the encryption key if you release our money,’” she said. “It doesn’t have to be against the U.S., it could target U.S. partners.”

‘Preparing the battlefield’

The future of cyberwarfare is coming quickly.

“In the coming years, the cyber domain may be the most important ‘battlefield,’” said David Maxwell, a former U.S. Special Forces officer who focuses on North Korea at the Foundation for Defense of Democracies. “For North Korea, it is just too tempting of an environment in which to operate. The benefits are high and so far the costs are extremely low.”

While North Korea is not yet known to have engaged in state-sponsored ransomware attacks, Mr. Maxwell says Pyongyang appears to be engaging in a range of hacking activities that are designed to conduct “reconnaissance” on South Korean, U.S. and other networks for potential future action that could be aimed at achieving specific geopolitical gains.

“They could be ‘preparing the battlefield,’ so to speak,” he told The Times. “Someday we could see major attacks on infrastructure that might be able to do an extremely high amount of damage,” damage that could, in turn, benefit the regime’s “blackmail diplomacy.”

Stewart Baker, a former National Security Agency general counsel and Homeland Security Department policy chief now practicing technology law at the private firm Steptoe & Johnson, said in an interview that “it is not implausible” that foreign adversaries will seek subtle ways to launch ransomware attacks for political ends.

“You’re not necessarily going to get geopolitical influence by locking up a piece of data and publicly demanding a policy change,” Mr. Baker said. “But could you do it quietly? Perhaps.”

And is it possible to imagine scenarios in which a private-sector ransomware incident could turn into a public policy football? “Yes,” Mr. Baker said, pointing to the Colonial Pipeline attack by Russia-based hackers that briefly halted the flow of gasoline across the southeastern United States in May.

The attack could have taken on a major geopolitical twist, Mr. Baker said, if it had been much more sophisticated and succeeded in tying up Colonial’s industrial control systems for weeks on end, taking over the computer system that actually makes the pipeline open and close. Colonial officials acknowledged paying off the ransomware thieves in order to restore supplies after about a week.

Had the larger, longer shutdown occurred, Mr. Baker said, Russian President Vladimir Putin could well have come forward and told U.S. officials that Moscow had the capability to track and capture the Russian-based hackers and would do so on the condition that, say, Washington agree to prevent American social media companies such as Twitter and Facebook from giving Russian dissidents a forum to criticize Kremlin policies.

Inside cyber geopolitics

U.S. cyber officials have thus far focused on the prospect that geopolitical developments, such as U.S. airstrikes or sanctions against a particular country, will trigger increases in cyber incidents against the United States — not that cyber or ransomware attacks themselves could preemptively become geopolitical weapons in the hands of foreign adversaries.

The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) circulated an “insights” document in January 2020 warning that “increased geopolitical tensions and threats of aggression may result in cyber and physical attacks against the homeland and also destructive hybrid attacks by proxies against U.S. targets and interests abroad.”

The document homed in specifically on the prospect of “disruptive and destructive cyber operations against strategic targets, including finance, energy and telecommunications organizations, and an increased interest in industrial control systems and operational technology” by foreign hackers.

It also warned of the ongoing threat of “cyber-enabled espionage and intellectual property theft targeting a variety of industries.”

Mr. Baker told The Times that China has long engaged in such cyber-enabled espionage targeting American companies that contract with the Pentagon to work on U.S. defense and weapons development.

“This has been less about leverage than about giving China geopolitical advantages they didn’t otherwise have,” Mr. Baker said. Cyber-espionage has effectively “allowed the Chinese to modernize their military probably 15 years ahead of time by stealing stuff — by hacking into defense contractors.”

“It’s not that they go in and they call up [whomever they’ve hacked] to say, ‘Hey, woohoo, we have your data,’” Mr. Baker said. “No, instead, they’ve taken that data and handed it off to someone else and said, ‘Here you go, build this [weapon] for us now.’”

“So there’s a geopolitical impact in that,” Mr. Baker said.

For its own part, the United States has reportedly also pursued geopolitical goals through covert cyber actions over the past decade. The New York Times has reported that both the Obama and Trump administrations ordered the Pentagon to carry out offensive cyber strikes against North Korea’s missile program in hopes of sabotaging Pyongyang’s missile test launches in their opening seconds.

Analysts generally agree that it would be a geopolitical coup for Washington if such cyber attacks reliably neutralized the threat from nuclear-tipped North Korean intercontinental ballistic missiles. However, the effectiveness of the Pentagon campaign targeting Pyongyang’s launches remains a subject of debate in Washington.
