
Nevilledog

(51,116 posts)
Thu Oct 29, 2020, 08:12 PM

"We expect panic."



Tweet text:
Molly McKew
@MollyMcKew
Russian hackers have laid the groundwork for significant disruptions after the US election, including targeting US hospitals and healthcare systems.

“We expect panic,” they say.

Are we better prepared than 2016? Maybe.

Via @RenewGreatPower

“We expect panic.”
Russian hackers have laid the groundwork for significant disruptions after the election. We’re better prepared than 2016 — aren’t we?
greatpower.us


https://www.greatpower.us/p/we-expect-panic

In my last post, I wrote about the latest GRU indictment, and how it documented significant cyberattacks that have been conducted by Russian intelligence operators, and how it was meant to be a warning for the American public about the kinds of capabilities the Kremlin has to disrupt the election or transition, or to cause or inflame unrest in the period between the election and the inauguration. A potential roadmap to our Election Day fears, as it were. The indictment made clear that Russian behavior has been undeterred by any response they have met thus far, and that the Kremlin uses disproportionate displays of force in cyberspace. It also drew a clear list of the kinds of attacks these units have the capabilities to conduct — disrupting electrical grids, banking systems, government systems, and far more.

One of them stood out to me as a potential disruption whose time may have arrived: the use of malware/ransomware attacks to disrupt hospital services and delay the delivery of care. In fact, the indictment explicitly highlighted a case where a US hospital system had been disrupted by spillover effects of a prior Russian ransomware attack.

So when the FBI and CISA issued a warning on Wednesday that there is “credible information of an increased and imminent cybercrime threat to US hospitals and healthcare providers,” that another Russian-based “cybercriminal” unit has used malware to infect hospital and healthcare systems with ransomware, and that in the past week several hospitals have already been affected — well, this seems not great. Of course, the warning assiduously did not mention the word “Russia” even though the group responsible — UNC1878 or “wizard spider” (yeah, I know) — is Russian-based and Russian-speaking, because not mentioning Russian attribution while adding spangles and bells to CHINA and IRAN is how we have to roll these days, I guess.

But this malware/ransomware attack is a Russian threat to critical American systems.

Aside from the warnings in the indictment, there’s been a lot of activity directly connected to this threat actor and specific set of tools in the past month — signs that there was growing concern about this specific threat before the election.

First, US Cyber Command acted to disrupt the Trickbot botnet. A botnet is a network of computers that have been hijacked by malware that can then be used to do other things; the Trickbot network is the world’s largest. Trickbot malware has been in play since 2016. It allows its operators to copy credentials to access systems, copy mail and data, mine cryptocurrency, or plant ransomware (ransomware encrypts the data on a computer or system until the target pays a fee — a ransom — to have it unscrambled).

*snip*


"We expect panic." (Original Post) Nevilledog Oct 2020 OP
Cyber rso Oct 2020 #1
And why not just cut the bastards off Disaffected Oct 2020 #2
Yes. They act with impunity while Trump is in office, but that will change. n/t Mister Ed Oct 2020 #3

rso

(2,271 posts)
1. Cyber
Thu Oct 29, 2020, 08:31 PM

On Jan. 21, Biden needs to order the NSA to unleash our formidable and superior offensive cyber assets against Putin and his oligarchs, and teach them a lesson they will never forget.

Disaffected

(4,555 posts)
2. And why not just cut the bastards off
Thu Oct 29, 2020, 08:43 PM

from the internet (as much as is possible)? This would have to happen with cooperation with other countries but a good case can be made for at least attempting it as many other western nations are also under attack.

These attacks are tantamount to an act of war IMO.
