U.S. Military Has Acted Against Ransomware Groups, General Acknowledges

SIMI VALLEY, Calif. — The U.S. military has taken actions against ransomware groups as part of its surge against organizations launching attacks against American companies, the nation’s top cyberwarrior said on Saturday, the first public acknowledgment of offensive measures against such organizations.

Gen. Paul M. Nakasone, the head of U.S. Cyber Command and the director of the National Security Agency, said that nine months ago, the government saw ransomware attacks as the responsibility of law enforcement.

But the attacks on Colonial Pipeline and JBS beef plants demonstrated that the criminal organizations behind them have been “impacting our critical infrastructure,” General Nakasone said.

In response, the government is taking a more aggressive, better coordinated approach against this threat, abandoning its previous hands-off stance. Cyber Command, the N.S.A. and other agencies have poured resources into gathering intelligence on the ransomware groups and sharing that better understanding across the government and with international partners.

“The first thing we have to do is to understand the adversary and their insights better than we’ve ever understood them before,” General Nakasone said in an interview on the sidelines of the Reagan National Defense Forum, a gathering of national security officials.

General Nakasone would not describe the actions taken by his commands, nor which ransomware groups were targeted. But he said one of the goals was to “impose costs,” which is the term military officials use to describe punitive cyberoperations.

“Before, during and since, with a number of elements of our government, we have taken actions and we have imposed costs,” General Nakasone said. “That’s an important piece that we should always be mindful of.”

In September, Cyber Command diverted traffic around servers being used by the Russia-based REvil ransomware group, officials briefed on the operation have said. The operation came after government hackers from an allied country penetrated the servers, making it more difficult for the group to collect ransoms. After REvil detected the U.S. action, it shut down at least temporarily. That Cyber Command operation was reported last month by The Washington Post.

Cyber Command and the N.S.A. also assisted the F.B.I. and the Justice Department in their efforts to seize and recover much of the cryptocurrency ransom paid by Colonial Pipeline. The Bitcoin payment was originally demanded by the Russian ransomware group known as DarkSide.

The first known operation against a ransomware group by Cyber Command came before the 2020 election, when officials feared a network of computers known as TrickBot could be used to disrupt voting.

Government officials have disagreed about how effective the stepped-up actions against ransomware groups have been. National Security Council officials have said activities by Russian groups have declined. The F.B.I. has been skeptical. Some outside groups saw a lull but predicted the ransomware groups would rebrand and come back in force.

Asked if the United States had gotten better at defending itself from ransomware groups, General Nakasone said the country was “on an upward trajectory.” But adversaries modify their operations and continue to try to attack, he said.

“We know much more about what our adversaries can and might do to us. This is an area where vigilance is really important,” he said, adding that “we can’t take our eye off it.”

Since taking over in May 2018, General Nakasone has worked to increase the pace of cyberoperations, focusing first on more robust defenses against foreign influence operations in the 2018 and 2020 elections. He has said that his commands have been able to draw broad lessons from those operations, which were seen as successful, and others.

“Take a look at the broad perspective of adversaries that we’ve gone after over a period of five-plus years: It’s been nation-states, it’s been proxies, it’s been criminals, it’s been a whole wide variety of folks that each require a different strategy,” he said. “The fundamental piece that makes us successful against any adversary are speed, agility and unity of effort. You have to have those three.”

Last year’s discovery of the SolarWinds hacking, in which Russian intelligence agents implanted software in the supply chain, giving them potential access to scores of government networks and thousands of business networks, was made by a private company and exposed flaws in America’s domestic cyberdefenses. The N.S.A.’s Cybersecurity Collaboration Center was set up to improve information sharing between the government and industry and to better detect future intrusions, General Nakasone said, although industry officials say more needs to be done to improve the flow of intelligence.

General Nakasone said those kinds of attacks are likely to continue, by ransomware groups and others.

“What we have seen over the past year and what private industry has indicated is that we have seen a tremendous rise in terms of implants and in terms of zero-day vulnerabilities and ransomware,” he said, referring to an unknown coding flaw for which a patch does not exist. “I think that’s the world in which we live today.”

Speaking on a panel at the Reagan Forum, General Nakasone said the domain of cyberspace had changed radically over the past 11 months with the rise of ransomware attacks and operations like SolarWinds. He said it was likely in any future military conflict that American critical infrastructure would be targeted.

“Borders mean less as we look at our adversaries, and whatever adversary that is, we should begin with the idea that our critical infrastructure will be targeted,” he told the panel.

Cyber Command has already begun building up its efforts to defend the next election. Despite the work to expose Russian, Chinese and Iranian efforts to meddle in American politics, General Nakasone said in the interview that foreign malign campaigns were likely to continue.

“I think that we should anticipate that in cyberspace, where the barriers to entry are so low, our adversaries are always going to be attempting to be involved,” he said.

The recipe for success in defending the election, he said, is to provide insight to the public about what adversaries are trying to do, share information about vulnerabilities and adversarial operations, and finally take action against groups trying to interfere with voting.

While that might take the form of cyberoperations against hackers, the response can be broader. Last month, the Justice Department announced the indictment of two Iranian hackers the government had identified as being behind an attempt to influence the 2020 election.

“This really has to be a whole-of-government effort,” General Nakasone said. “This is why the diplomatic effort is important. This is why being able to look at a number of different levers within our government to be able to impact these type of adversaries is critical for our success.”