Updated: Jan 27
Former Deputy Director, NSA / CIG Principal
What’s top of mind for you in cyber right now and why?
One thing that I’m watching is the activities of the Russian government around the Ukraine invasion, and in particular cyber activities. In a recent blog post, Microsoft attributed ransomware activities directed against Ukraine and, significantly, Poland to the GRU, Russia’s military intelligence (and information operations) organization. This was significant because the GRU targeted organizations in Poland that were involved in logistics and transportation, presumably to interfere with their activities in support of the movement of supplies and weapons to Ukraine. It is a shift in targeting that may presage more intrusive and widespread cyber actions by Russia.
There are some unknowns here, although I can make some assumptions. First, there is no indication of whether any of the organizations affected by the ransomware tried to pay the actors and decrypt their data. If they did, I would be surprised if the actor responded and even more so if they were actually able to decrypt their data. One of the advantages to a “ransomware” deployment is that it masks the actor, which is undoubtedly in Moscow’s interest as it makes it harder for NATO to invoke Article 5 (an attack on one is an attack on all). Second, there is a lack of certainty in terms of future targeting. If this is viewed by the Russians as successful, will they continue their efforts, and perhaps expand them? My take is that they would, and that expansion would extend beyond the primary targets to secondary or even tertiary targets. This might include transportation and logistics entities in other NATO countries like Germany, the Baltics, or even the UK. It could also include private equity firms that own companies involved in supplying Ukraine.
Rick Ledgett served as the Deputy Director of the National Security Agency from January 2014 until his retirement in April 2017, culminating a nearly 40-year career in cryptology at NSA and in the U.S. Army. He previously led the Media Leaks Task Force, the Agency’s response to the Snowden leaks. He was the first National Intelligence Manager for Cyber at the Office of the Director of National Intelligence, and he directed NSA’s 24/7 cyber threat operations center.