After two ransomware attacks snarled the U.S. gasoline and meat supplies in May, Biden vowed to “take action,” potentially through the United States’ “significant cyber capability,” if Russia continued to shelter ransomware gangs in violation of international norms. But REvil’s holiday-weekend breach of hundreds or thousands of companies, from Kaseya to its own customers to those firms’ clients, suggests that Putin didn’t take Biden’s threat seriously.
As details continued to emerge concerning the range of companies hacked through the Kaseya operation, Biden officials declined to say whether the attack had crossed any sort of red line and remained vague concerning the administration’s next steps.
“If the Russian government can't or will not take action against criminal actors reside in Russia, we will take action … on our own,” White House press secretary Jen Psaki told newsmen on Tuesday, after stating that U.S. and Russian officials have discussed the Kaseya attack at a “high level” and plan to meet next week to discuss ransomware.
That response is unlikely to satisfy policymakers who say only bold action can deliver the wakeup call that Putin needs to receive.
“We’re facing a moment of reckoning when it comes to deterrence,” House Homeland Security ranking member John Katko (R-N.Y.) told the Daily Mail on Monday. “Adversaries like Russia are creating safe havens for bad actors and we must project strength.”
Biden on Wednesday will “convene key leaders” from multiple agencies, including the departments of State, Justice and Homeland Security and the intelligence community, “to discuss ransomware and our overall strategic efforts to counter it,” Psaki said.
So far, the Kaseya attack appears to be different from May’s digital strikes on Colonial Pipeline and the meatpacking giant JBS, at least in one key aspect: it's not affected the critical infrastructure facilities, such as power plants or hospitals, that Biden declared off-limits in his June 16 meeting with Putin in Geneva.
In fact, no major U.S. business has yet been identified among the several victims of the Kaseya breach. The most visible impact to date has been the shutdown of a Swedish supermarket chain. That also sets this attack apart from past major global ransomware outbreaks, which in recent years have crippled targets ranging from Pfizer to the shipping giant Maersk.
“In terms of critical function implications we aren’t seeing anything at this stage,” said a U.S. official who requested anonymity to discuss an ongoing cyber incident.
A second U.S. official said the attack probably didn’t cross any administration red lines, both because it didn’t appear to target critical infrastructure and because there was no clear link to the Kremlin. But this official also said the administration needs to be clearer with the Russians about what its red lines truly are.
Still, some cyber researchers quickly labeled the Kaseya operation a major cyberattack — and an insidious one, given that, once again, the hackers exploited a trusted software provider to deliver their malware.
The government is “still trying to understand the extent of the issue,” according to a DHS official, who likewise requested anonymity given the matter’s sensitivity. “There's not currently a good way for CISA to know who is affected and how badly.”
Kaseya has been “very responsive” to federal inquires, the first U.S. official said, calling the relationship “very good thus far.”
Even so, the attack is likely to fuel congressional efforts to mandate more reporting of cyber incidents, which experts say is vital for improving the government’s understanding of evolving threats. A bipartisan group of senator is preparing to introduce legislation after the upper chamber returns from its recess next week, and in the House, Democrats on the Homeland Security Committee are preparing their own bill .