

Nicholas Fegreus, Tiffany Dove, Dyuti Pandya, NORTHCOM Team; Pètra van de Gevel, Iris Raith, EUCOM Team

Week of Monday, November 22, 2021

Cyberattack Screenshot[1]

In recent years, the US has experienced an increasing number of cyberattacks that have targeted government agencies as well as private organizations.[2] Attacks such as the hacking of SolarWinds’ Orion software and the ransomware attack on Colonial Pipeline have demonstrated the growing threat posed by malicious cyber actors in harming US strategic and economic interests.[3] US intelligence and law enforcement agencies have accused Russian non-State actors as well as intelligence agencies such as the Main Intelligence Directorate (GRU) and the Foreign Intelligence Service (SVR) of coordinating and carrying out these attacks.[4] The fact that Russian hacking groups such as Cozy Bear and REvil carry out these attacks suggests that the Russian government likely has a hand in allowing these groups to operate freely within the country. Countering these threats will likely require broad changes that integrate government and private sector organizations as well as greater information sharing between the US and its allies. Building on these relationships will likely create a greater system of deterrence that can limit the scope and impact of future cyberattacks.

Critical infrastructure in both the public and private sectors of the US is being increasingly targeted by malicious cyberattacks.[5] These attacks have almost certainly led to large amounts of data containing sensitive information being collected by foreign hackers and adversarial intelligence agencies, which will likely harm US interests in the future. The extent of these hacks will likely remain under investigation for the foreseeable future. Successful intrusions such as the cyberattack on SolarWinds breached several government agencies and reached department officials’ personal emails, demonstrating how deeply hackers penetrated the affected agencies.[6] The 2021 attack on Colonial Pipeline likely demonstrates that private US companies are also vulnerable to cyberattacks and ransomware that will very likely affect US economic interests.[7] The ability of hackers to effectively gain control over public and private organizations indicates that existing US cybersecurity measures are likely inadequate to counter increasingly sophisticated foreign hacking operations.

The source of many attacks has been attributed to Russian nationals operating both inside and outside of the Russian government.[8] The Russian government officially denies any knowledge or support for hacking operations originating within its borders.[9] However, it is likely that independent hackers are operating with at least tacit approval from the Russian government. In recent years, the US government has indicted a number of intelligence officials from Russian intelligence agencies such as the SVR and GRU for taking part in malicious cyber activities that have targeted other States.[10] Recently, many private Russian citizens were indicted for committing cyberattacks on private US companies.[11] It is likely that these independent hackers are being recruited by Russian intelligence services as a way to expand operational capabilities. This suggests that there is a roughly even chance that many of these operations are coordinated between independent hackers and Russian intelligence services.

Attackers have used a variety of strategies such as phishing campaigns and supply chain hacks to breach and gain control over secure networks.[12] These breaches have shown how malware can remain hidden within networks, which likely allows for the monitoring and collection of data that is then sent back to the hackers. Intrusions into the networks of government contractors and agencies have very likely given hackers access to personnel files and details of contracts that provide specifics on military and intelligence capabilities and objectives. This could very likely allow rival intelligence agencies to preempt or counter US actions in the future. Hackers have also launched ransomware attacks against private US companies that support critical infrastructure.[13] Because these companies are not able to remain offline for long periods of time, they are more likely to pay the ransom. This will likely continue to cause millions of dollars in damage as well as contribute to the loss of production for affected companies.

The Federal Bureau of Investigation (FBI) accused the group DarkSide of being responsible for the Colonial Pipeline attack that forced the US company to shut down its entire East Coast fuel dispensing pipeline, causing a $5 million USD ransom to be paid.[14] The Departments of Energy and of Homeland Security found the pipeline would only be able to cease operations for three to five more days before mass transit would have to limit operations, likely increasing political pressure.[15] The lack of alternatives in place for truck drivers and tanker cars for distribution almost certainly increases the pressure to pay the ransom. These types of wide-scale attacks very likely stretch law enforcement and federal resources to capacity, even more so during the COVID-19 pandemic. Improving cybersecurity measures such as increased training for individuals and greater information sharing between government and private industries will likely help prevent similar attacks in the future.

The SolarWinds attack is one of the largest and most complex cyberattacks to date, having infected roughly 18,000 public and private organizations.[16] The supply chain attack turned the Orion software into a weapon, targeting third parties with access to multinational organizations and government systems, almost certainly exponentially increasing the spread of the malware throughout multi-party systems. It is very likely that this hack will remain ongoing for several years, as the hackers had 14 months of undetected access and investigators are still working to neutralize the malware.[17] Based on the nature of the attack, it is likely the hackers were seeking government secrets and/or future product plans of the targeted organizations, and a possible payout by obtaining employee and customer data. This attack demonstrates how vulnerable large-scale systems can be, likely inspiring future attacks by nefarious hackers and foreign entities towards critical infrastructure.

The Russian government’s response to cyberattacks carried out against US critical infrastructure likely depends on the government’s involvement itself, or its initial knowledge of imminent attacks by non-State groups. Russian intelligence agencies like GRU and the SVR have been shown to have influence over Russian criminal ransomware groups and are aware of their activities.[18] It is very likely that Russian intelligence services are maintaining close connections to various non-State hacking groups to recruit members and eventually gain access to the hacking operations. This development will very likely result in Russian intelligence services orchestrating more cyberattacks on US infrastructure.

Many Russian cyber operations result in hackers being able to target providers of cloud software services.[19] In January 2021, US intelligence stated that sensitive data, such as email accounts, networks, and unclassified information, was exposed as a result of the SolarWinds attacks.[20] Russian government actors are almost certainly acquiring the data that is being stolen through cyberattacks, making it very likely that Russia will continue trying to gain access to sensitive information from US government agencies, think tanks, and private corporations. As Russian intelligence agencies are aware of the activities of hackers and exert influence on them, hackers and Russian intelligence services likely have a systematic relationship that affects the activities of Russian hackers. Hacking groups are not dissuaded from hacking or provoking strong responses from the US, as the Russian government likely gives hackers a measure of protection in return for cybercrime. It is very likely that Russian criminal groups will continue to target critical infrastructure, including private companies like FireEye, and departments of the US government, such as the Department of Homeland Security. If these cyberattacks continue, national security and infrastructure will very likely be under threat.

It is very likely that Russia is using its cyber operations to pursue strategic objectives, one of them being securing its own digital information space.[21] Russia very likely wants to gain access to sensitive information to eventually impose control over digital infrastructure as Russia perceives the information space in geopolitical terms.[22] Russia’s presence in cyberspace is likely viewed as a continuation of territorial State borders, making it almost certain that Russia will continue denying any activities in cyberspace to increase its offensive measures to gain superiority in this digital information space. This will allow for non-government hackers to persevere, likely resulting in Russia turning into a kind of cyber paradise, as it is unlikely for hackers to be pursued for their criminal cyber activities.

To detect Russian cyberattack threats, the Cybersecurity and Infrastructure Security Agency (CISA) is tracking and monitoring significant cyber incidents impacting enterprise networks across federal, state, and local governments, as well as other critical infrastructure entities.[23] This move will likely help establish a wide network of security measures to limit cyber threats. It is likely that the information gathered by CISA will lead to greater knowledge and information sharing between the government and the private entities that are often targeted by malicious cyber actors. The security measures recommended by government agencies like CISA will also likely provide technical assistance by advising on specific threats and effective countermeasures to limit potential attacks.

Russia and the US have adopted measures such as bilateral engagements and dialogues to understand cyber threats and attacks.[24] Such dialogues will likely help in understanding the actions, targets of retaliation, and repercussions of cyberattacks. It is likely that with more integrated practices, corporations can adapt to prevent future cyberattacks. Maintaining backups of critical information on alternate servers is advised so that the information is not vulnerable to attacks. It is likely that the adoption of these rules will protect federal agencies, and that the protection will extend to quasi-governmental entities against subsequent threats and attacks. It is likely that proper network defense and information security across all of these entities will help in mitigating threats. CISA released guidance for managed service providers (MSPs) and small and mid-sized businesses on mitigation and security hardening.[25] It is likely that this will help these organizations strengthen their defenses and Information Technology (IT) systems.

In June 2021, the US Department of Justice (DOJ) elevated ransomware attacks to a national security concern similar to terrorism due to the surge in ransomware attacks this year.[26] This move will almost certainly expedite the process of formulating strategies to counter cyber threats. The DOJ recently established the National Cryptocurrency Enforcement Team to investigate cryptocurrency crimes, likely increasing deterrence and decreasing the success of ransomware attacks.[27] It is almost certain that the US Department of the Treasury and CISA will issue a joint advisory to inform the financial services sector about the malware and its variants affecting daily online transactions. Since the FBI, Secret Service, Cyber Command, and foreign organizations took down the Russian cyber gang REvil, other cybercriminals will likely take this group’s place in continuing ransomware attacks.[28] This almost certainly illustrates the importance of and need for the US to acquire more cyber defense equipment and strategies. Encouraging agencies, organizations, and companies (AOCs) not to pay ransoms demanded by hackers will likely set a precedent that reduces hackers' incentives.

The Counterterrorism Group (CTG) NORTHCOM and EUCOM Teams recommend bolstering federal, public, and private cybersecurity policies, and increasing security awareness and defense training to better combat malware and ransomware attacks. Further, routine penetration testing and vulnerability assessments are advisable. These attacks will likely be better prevented if organizations can more thoroughly anticipate and understand motives. CTG recommends governmental implementation of increased regulations on cryptocurrencies to better monitor illicit actors taking advantage of cryptocurrency without affecting the technology and its everyday users. CTG advises organizations and government agencies to take necessary steps to detect and remove malicious entities from the network, largely through endpoint detection and response solutions.

CTG’s NORTHCOM and EUCOM Teams will continue to monitor the developments in Russia regarding the threat of Russian cyber operations on US infrastructure. The EUCOM Team will continue to monitor and adapt any recommendations made concerning the development of the threat. Additionally, CTG’s Worldwide Analysis of Threats, Crime, and Hazards (W.A.T.C.H) program is closely working with the EUCOM and NORTHCOM Teams to ensure an up-to-date analysis of global threats and their development.

The Counterterrorism Group (CTG)

[3] Ibid.

[4] SolarWinds: US and UK blame Russian intelligence service hackers for major cyberattack, ZDNet, April 2021

[6] SolarWinds hack explained: Everything you need to know, TechTarget, June 2021

[7] Colonial Pipeline Cyberattack: Timeline and Ransomware Attack Recovery Details, MSSP Alert, June 2021

[8] Russia Influences Hackers but Stops Short of Directing Them, Report Says, The New York Times, September 2021

[9] Hack, disinform, deny: Russia's cybersecurity strategy, France 24, May 2021

[10] Russia’s strategy in cyberspace, NATO Strategic Communications Centre of Excellence, 2021

[11] U.S. charges Ukrainian and Russian in major ransomware spree, seizes $6 mln, Reuters, November 2021

[14] Colonial Pipeline Cyberattack: Timeline and Ransomware Attack Recovery Details, MSSP Alert, June 2021

[15] Pipeline Attack Yields Urgent Lessons About U.S. Cybersecurity, The New York Times, June 2021

[16] SolarWinds is ‘largest’ cyberattack ever, Microsoft president says, Politico, February 2021

[17] SolarWinds hack explained: Everything you need to know, TechTarget, June 2021

[18] Russia Influences Hackers but Stops Short of Directing Them, Report Says, The New York Times, September 2021

[19] Russian hackers launched a massive, ongoing wave of cyber attacks against the US, report says, Business Insider, October 2021

[20] The US is readying sanctions against Russia over the SolarWinds cyber attack. Here's a simple explanation of how the massive hack happened and why it's such a big deal, Business Insider, April 2021

[21] Russia’s strategy in cyberspace, NATO Strategic Communications Centre of Excellence, 2021

[22] Ibid.

[23] Supply chain compromise, CISA, n.d.

[24] US-Russian Contention in Cyberspace, Belfer Centre for Science and International Affairs, June 2021

[26] EXCLUSIVE Governments turn tables on ransomware gang REvil by pushing it offline, Reuters, October 2021

[27] Deputy Attorney General Lisa O. Monaco Announces National Cryptocurrency Enforcement Team, The United States Department of Justice, October 2021

[28] U.S. charges Ukrainian and Russian in major ransomware spree, seizes $6 mln, Reuters, November 2021


