WASHINGTON — The United States said on Wednesday that it had secretly removed malware from computer networks around the world in recent weeks, a step to preempt Russian cyberattacks and send a message to President Vladimir Putin of Russia.
The move, made public by Attorney General Merrick Garland, comes as U.S. officials warn that Russia could try to strike American critical infrastructure — including financial firms, pipelines and the electric grid — in response to the crushing sanctions that the United States has imposed on Moscow over the war in Ukraine.
The malware enabled the Russians to create “botnets” — networks of private computers that are infected with malicious software and controlled by the GRU, the intelligence arm of the Russian military. But it is unclear what the malware was intended to do, since it could be used for everything from surveillance to destructive attacks.
A U.S. official said Wednesday that the United States did not want to wait to find out. Armed with secret court orders in the United States and the help of governments around the world, the Justice Department and the FBI disconnected the networks from the GRU’s own controllers.
“Fortunately, we were able to disrupt this botnet before it could be used,” Garland said.
The court orders allowed the FBI to go into domestic corporate networks and remove the malware, sometimes without the company’s knowledge.
President Joe Biden has repeatedly said he would not put the U.S. military in direct conflict with the Russian military, a situation he has said could lead to World War III. That is why he refused to use the U.S. Air Force to create a no-fly zone over Ukraine or to permit the transfer of fighter jets to Ukraine from NATO air bases.
But his hesitance does not appear to extend to cyberspace. The operation that was revealed Wednesday showed a willingness to disarm the main intelligence unit of the Russian military from computer networks inside the United States and around the world. It is also the latest effort by the Biden administration to frustrate Russian actions by making them public before Moscow can strike.
Even as the United States works to prevent Russian attacks, some U.S. officials fear Putin may be biding his time in launching a major cyberoperation that could strike a blow at the American economy.
Until now, U.S. officials say, the primary Russian cyberactions have been directed at Ukraine — including “wiper” malware designed to cripple Ukrainian government offices and an attack on a European satellite system called Viasat. The details of the satellite attack, one of the first of its kind, are of particular concern to the Pentagon and U.S. intelligence agencies, which fear it may have exposed vulnerabilities in critical communications systems that the Russians and others could exploit.
The Biden administration has instructed critical infrastructure companies in the United States to prepare to fend off Russian cyberattacks, and intelligence officials in Britain have echoed those warnings. And while Russian hackers have sometimes preferred to quietly infiltrate networks and gather information, researchers said that recent malware activity in Ukraine demonstrated Russia’s increasing willingness to cause digital damage.
“They are engaged in a cyberwar there that is pretty intense, but it is targeted,” said Tom Burt, a Microsoft executive who oversees the company’s efforts to counter major cyberattacks and shut down an attack in Ukraine during the opening of the war.
Security experts suspect that Russia may be responsible for other cyberattacks that have occurred since the war began, including on Ukrainian communications services, although investigations into some of those attacks are ongoing.
In January, as diplomats from the United States prepared to meet with their Russian counterparts in an attempt to avoid military conflict in Ukraine, Russian hackers already were putting the finishing touches on a new piece of destructive malware.
The code was designed to delete data and render computer systems inoperable. In its wake, the malware left a note for victims, taunting them about losing information. Before U.S. and Russian representatives met for a final attempt at diplomacy, hackers had already begun using the malware to attack Ukrainian critical infrastructure, including government agencies responsible for food safety, finance and law enforcement.
Adam Meyers, the senior vice president for intelligence at CrowdStrike, who analyzed the malware used in the January attacks and linked the group to Russia, said the group intended to cause damage and aid Russian military objectives.
“It’s a relatively new group, clearly purpose-built with a disruptive capability in mind,” Meyers said. “The emergence of it is a progression of a continued demand from Russian forces for cyber operational support.”
Another attack occurred Feb. 24, the day that Russia invaded Ukraine, when hackers knocked Viasat offline. The attack flooded modems with malicious traffic and disrupted internet services for several thousand people in Ukraine and tens of thousands of other customers across Europe, Viasat said in a statement. The attack also spilled over into Germany, disrupting operations of wind turbines there.
Viasat said that the hack remained under investigation by law enforcement, U.S. and international government officials and Mandiant, a cybersecurity firm that it hired to look into the matter, and it did not attribute the attack to Russia or any other state-backed group.
But senior U.S. officials said all evidence suggested Russia was responsible, and security researchers at SentinelOne said the malware used in the Viasat attack was similar to code that has been linked to the GRU. The United States has not formally named Russia as the source of the attack but is expected to do so as soon as several allies join in the analysis.
In late March, a cyberattack again disrupted communications services in Ukraine. This time, the attack focused on Ukrtelecom, a telephone and internet service provider, knocking the company’s services offline for several hours. The attack was “an ongoing and intensifying nation-scale disruption to service, which is the most severe registered since the invasion by Russia,” according to NetBlocks, a group that tracks internet outages.
Ukrainian officials believe that Russia was most likely responsible for the attack, which has not yet been traced to a particular hacking group.
“Russia was interested in cutting off communication between armed forces, between our troops, and that was partially successful in the very beginning of the war,” said Victor Zhora, a top official at Ukraine’s cybersecurity agency, the State Service of Special Communications and Information Protection. Ukrainian officials said Russia had also been behind attempts to spread disinformation about a surrender.
In the United States, officials fear similar cyberattacks could hit critical infrastructure companies. Some executives said they hoped the federal government would offer funding for cybersecurity.
“I am perfectly well aware that if Russia as a nation-state decided it wanted to attack the national infrastructure of the U.S., including what I’m responsible for, I don’t have much chance of stopping them,” said Peter Fletcher, the information security officer for the San Jose Water Co., which is part of a group that manages water services in several states. “The entire Russian nation-state versus Peter? I’m going to lose.”
Fletcher said that he was prepared but that smaller water companies than his own often struggled to keep up with cybersecurity demands. Many of them rely on outdated technology to pump and treat water, which could make them attractive hacking targets, he said.
Community Electric Cooperative, a utility provider that serves about 12,000 customers in Virginia, estimated that it needed $50,000 to upgrade cybersecurity systems. The utility has already trained its staff on how to detect cyberattacks and has tested its systems, but representatives said the cooperative hoped to do even more in preparation for a potential cyberattack from Russia.
“If we don’t have the capabilities to prevent this stuff and we are the grid, it could be quite detrimental,” said Jessica Parr, Community Electric Cooperative’s communications director.
Despite the challenges, critical infrastructure providers said they were accustomed to handling disasters. “We deal with hurricanes and ice storms all year,” Parr said. “This is just a different type of storm.”