Intelligence reports suggesting one of Russia’s European allies perpetrated last week’s hacking of Ukrainian government websites are creating a new dilemma for the Biden administration — how to respond if other countries launch cyberattacks on Russia’s behalf.
Ukrainian officials suspect that a group called UNC1151, which has been linked to Belarusian intelligence, carried out the cyberattack that defaced and disabled around 70 government websites, Reuters reported. The targets included the sites of Ukraine’s foreign and education ministries.
While the U.S. and other governments have not confirmed Belarus’ involvement, its possible role creates a tougher call for President Joe Biden on when to hack back and whom to hit if tension over Ukraine breaks out into cyberwar. Russia’s use of Belarus or another third country to launch cyberattacks on Ukraine could muddy the waters on who to blame, making it harder for the U.S. to justify a counterattack.
Administration officials pledged this week to respond in kind if Russia launches cyberattacks against Ukraine, but the U.S. has not explained how it would handle attacks from countries coordinating with Russia or supporting its aggression against Ukraine.
Biden is already getting pressure from lawmakers to hit Russia and its allies alike.
“If Russia is behind the cyberattack against Ukraine, as I suspect is the case, they must be sanctioned immediately as is required by Congress,” House Foreign Affairs ranking member Michael McCaul (R-Texas) said in an email. “And the same should be done to any country helping Russia with its aggression.”
Biden told reporters Wednesday that if Russia launches cyberattacks against Ukraine, “we can respond the same way in cyber.”
White House press secretary Jen Psaki said Biden’s comments amounted to a promise to retaliate, saying in a statement that Biden “knows from long experience that the Russians have an extensive playbook of aggression short of military action, including cyberattacks and paramilitary tactics. And he affirmed today that those acts of Russian aggression will be met with a decisive, reciprocal and united response.”
The White House did not address whether the administration would be as forceful if an attack against Ukraine originated from Belarus or other Russian allies.
It’s a question that will likely continue to plague the Biden administration, given a history of Russian President Vladimir Putin using third countries as conduits.
“Part of the Kremlin’s cyber strategy is using proxy actors in third countries to launch attacks in tandem or on Moscow’s behalf, whether undercover GRU operatives sent abroad, fake IT companies incorporated overseas or Putin-allied foreign intelligence services,” said Justin Sherman, a fellow at the Atlantic Council Cyber Statecraft Initiative.
“Russian aggression against Ukraine is such a high-level Kremlin issue that it’s very possible Putin leverages allied intelligence services in Belarus or elsewhere, or proxy actors stationed in Belarus or Ukraine, to launch operations,” Sherman said.
Yet drawing a definitive connection between Russia and other countries — who have their own agendas for cyber strikes — is still difficult.
UNC1151, for example, was linked to attacks on government agencies in Ukraine, Germany, Lithuania, Latvia and Poland in 2020, according to the cybersecurity firm Mandiant. Mandiant also concluded that the group was providing support to a campaign called “Ghostwriter,” which spread narratives endorsed by the Belarusian government, including anti-NATO sentiments.
And U.S. officials were careful to attribute cyberattacks on U.S. companies in 2021, such as Colonial Pipeline and meat producer JBS, to Russian-based hackers and not the Russian government, given the lack of clarity around Moscow’s direct involvement in many operations linked to Russia.
But John Hultquist, Mandiant’s vice president of intelligence analysis, said Belarus has conducted cyber operations that align with Russian interests in the past. And Belarus and its hard-line leader, Alexander Lukashenko, have benefited greatly from Russian support in recent years. Putin offered to send military support to the Belarusian president last year, and the Russian Federal Security Service claimed in April that it had prevented a military coup against Lukashenko.
“It’s clear Russia is preying on Lukashenko’s vulnerability and calling in some of those accumulated I-owe-you's,” a senior State Department official told reporters this week, warning that “there can be no doubt about Belarus’ role as an increasingly destabilizing actor in the region.” The official insisted on anonymity as a condition of the briefing.
The Belarusian embassy did not respond to a request to comment for this story.
The U.S. has shown it is willing and able to take action against Russia when the country has been clearly linked to malicious cyber activity. That includes a reported U.S. Cyber Command operation that took down a troll farm in St. Petersburg during the 2018 midterms to prevent further election interference, and sanctions that Biden levied last year in retaliation for Russia’s sprawling SolarWinds hack.
But Russian and U.S. officials appear to have made some progress over the past year in collaborating against those Russia-based ransomware gangs. Last week, Russia announced it had arrested individuals alleged to have carried out attacks on U.S. companies, including at least one linked to the ransomware attack on Colonial Pipeline.
While a State Department spokesperson would not directly comment on concerns around Belarusian cyberattacks, the person said the agency was watching threats to Ukraine closely.
"The United States and our allies and partners are concerned about malicious cyber activity targeting Ukraine,” the spokesperson said. “We are in touch with the Ukrainians and have offered our support as Ukraine investigates the impact and nature of the incidents and recovers."
Russia has launched cyberattacks against Ukraine before, and as it gets increasingly close to actual on-the-ground attacks, it may not shy away from direct cyber strikes. Russian hackers turned off the lights for around a quarter-million Ukrainians for several hours in the dead of winter in 2015, and the Russian-linked NotPetya malware devastated the networks of Ukrainian government agencies, banks and other critical organizations in 2017.
Either way, Ukraine’s computer networks are getting pummeled. Microsoft said earlier this week that it had identified destructive malware in several Ukrainian government agency systems that could “render the infected computer systems inoperable” — activity that is likely linked to the defacement of government websites.