Federal government officials say sanctions placed on Russia following its invasion of Ukraine may have positive effects on cybersecurity in the United States.
Leaders in both the National Security Agency (NSA) and FBI have said Russian sanctions are slowing down ransomware attacks and cyber attacks perpetrated by state-sponsored actors and cybercriminals since the beginning of its invasion. The White House issued wide-ranging economic sanctions against the country earlier this year. In addition, federal agencies have imposed cybersecurity sanctions on both the Russian government as well as private entities, including cryptocurrency exchanges and mixers, over ransomware activity and state-sponsored attacks stemming from the region.
Rob Joyce, the NSA’s director of cybersecurity, stated at the CyberUK event last month in Wales that from his perspective, ransomware has fallen over the last two months. He believes that Russian sanctions are one of several factors potentially impacting ransomware numbers.
“As we do sanctions and it’s harder to move money and it’s harder to buy infrastructure on the web, we’re seeing them be less effective — and ransomware is a big part of that,” Joyce said during a panel discussion. “We’ve definitively seen the criminal actors in Russia complain that the functions of sanctions and the distance of their ability to use credit cards and other payment methods to get Western infrastructure to run these [ransomware] attacks have become much more difficult.”
Joyce reinforced that message while speaking at RSA Conference 2022 last week.
“Sanctions related to Russia and their Ukraine problem have impacted the ransomware actors,” Joyce said during a session titled “State of the Hacks: NSA’s Perspective.” “They are finding it difficult to extract funds out of the ecosystem, get them converted as well as use payments that are accepted to buy the infrastructure they need to operate.”
Joyce said that the decrease in attacks caused by cybersecurity sanctions may lead to the Russian government going to ransomware as a service (RaaS) providers in order to gain access to their targets. He said that as threat actors become quicker at exposing potential vulnerabilities, this threat will grow even more.
Mike Herrington, section chief of the FBI’s cyber division, noted during an address with the Chamber of Commerce last month that while there are still attacks launched by Russian ransomware gangs like Conti, attacks coming directly from government agencies have slowed.
“A lot of the targeting of the United States has been largely opportunistic, not a concerted effort at this point,” Herrington said. “A lot of it has been centered around cybercriminals rather than Russian intelligence services. That teaches us a lot about how they view [cyber attacks] as a means of response for the actions the U.S. has taken up to this point, including sanctions, in support of Ukraine and how they may be wary of drawing us further into that conflict.”
However, Herrington warned that this pause from the Kremlin is far from permanent and that sanctions may eventually cause adverse effects. “As we continue to ratchet up sanctions in support of Ukraine, there is going to be increased pressure on Russia to respond in some way,” he said.
Herrington also said that by examining the tactics used by Russia, the U.S. is better prepared for potential future attacks. He said that while disruptive attacks on critical infrastructure in Ukraine have been the most newsworthy, attacks on personal finances and financial institutions have also become common.
Both the NSA and CISA declined to comment further on the effects of sanctions against Russia.
While the federal government’s data regarding ransomware attacks and other cyber threats is incomplete due to a lack of reporting from victims, research from the private sector supports some of the findings when it comes to ransomware.
Allan Liska, ransomware researcher at threat intelligence vendor Recorded Future, tracked worldwide ransomware attacks from the first five months of 2022 and compared those figures to the same range for 2021.
According to Liska, ransomware attacks are up 18.5% globally year over year. Liska also found that while the U.S. accounted for 54% of all victims in 2021, that number fell to just 38.5% in 2022.
“Anecdotally, there are reports that some ransomware groups are less likely to put a U.S. company on their extortion site, there is also the possibility that U.S. organizations have invested more heavily in defense (we see this reflected in the significant drop in attacks against state and local governments in the U.S.) which means ransomware groups could be looking for other targets elsewhere,” Liska said in an email to SearchSecurity.
SearchSecurity has seen a similar decrease in ransomware activity recently. According to monthly data collected by SearchSecurity, the number of public reports and disclosures of ransomware attacks against U.S. organizations has fallen significantly in April and May.
In his Chamber of Commerce speech, Herrington mentioned that while attacks in the U.S. are down, cyberthreats in Ukraine and the surrounding region have risen significantly since the start of the Russian invasion.
He also said that these attacks in the region could trickle down to other victims as they did during the Viasat and NotPetya attacks.
“Russia does have a history of poorly controlling some of their operations that are targeted more narrowly,” Herrington said. “As Russia falls under more pressure to show some progress in this war, there is a real risk that they become more aggressive not just in their military but cyber operations. Those may overflow more aggressively to affect people outside of that area of conflict.”