The U.S. government linked Russia's government to recent DDoS attacks in Ukraine, said Anne Neuberger, deputy national security advisor for cyber and emerging technology, speaking during a White House press briefing Friday.
"We have technical information that links the Russian Main Intelligence Directorate, or GRU, as known GRU infrastructure was seen transmitting high volumes of communication to Ukraine-based IP addresses and domains," Neuberger said. The cyberattack disrupted operations at the Ukraine Ministry of Defense and state-owned banks.
Though the attacks had limited impact, the campaign is consistent with what a Russian effort could look like, laying the groundwork for more disruptive cyberattacks or a potential invasion, Neuberger said.
The GRU has nested DDoS attacks inside larger cyber campaigns, said John Hultquist, vice president of intelligence analysis at Mandiant, in a statement to Cybersecurity Dive. "Following their partial expulsion from the Olympics, Russia kicked off a campaign of cyberattack and other aggressive activity which began with DDoS but ended with an attempt to take the entire games in PyeongChang offline."
While the campaign this week had limited impact, it could join with other incidents and have more serious consequences over time, Hultquist said.
The international cyber attention comes amid a U.S. campaign to shore up the security of domestic critical infrastructure providers in the private sector. The U.S. has shared sensitive information with private sector owners and operators and encouraged them to strengthen their defenses.
"We're a very connected and digitized society, and as a society, we don't have the level of cyber resilience that we wish," Neuberger said.
Recent efforts from the Biden administration to improve security include cyber guidelines from the TSA for rail operators and an alert from the North American Electric Reliability Corporation to prepare for potential Russian cyberactivity targeting the power sector.
"There are no specific or credible cyberthreats against the homeland," Neuberger said, but there are consistent probes against U.S. technology.
Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency, said during a virtual keynote address before the Aspen Institute on Friday that U.S. organizations should report any unusual activity, even when it does not immediately appear to be an obvious attack.
Government officials may need to put the pieces together before they understand whether something more serious is underway, Easterly said. "Organizations need to lower their thresholds for escalating anomalous activity and sharing that information with the government."
The information can be reported to CISA or the FBI, Easterly said, noting that the agencies are very tightly connected and will promptly share that information to make sure they can protect national security.
Easterly conceded that early warnings of cyber campaigns against the U.S. are very likely to be reported by private sector companies before government agencies are able to understand what is underway. That is what happened early on in a number of cyber campaigns.
For example, FireEye originally discovered the threat activity targeting SolarWinds in December 2020 before the nation understood that a nation-state campaign was well underway.
In a related example, Microsoft originally notified 60 customers that they were under attack from the threat actors behind the SolarWinds campaign because it was able to see lateral movement that had entered its cloud environment.