https://www.nytimes.com/2022/04/06/us/politics/us-russia-malware-cyberattacks.html
U.S. Says It Secretly Removed Malware Worldwide, Pre-empting Russian Cyberattacks
The operation is the latest effort by the Biden administration to thwart actions by Russia by making them public before Moscow can strike.
By Kate Conger and David E. Sanger
April 6, 2022, 7:04 p.m. ET
WASHINGTON — The United States said on Wednesday that it had secretly removed malware from computer networks around the world in recent weeks, a step to pre-empt Russian cyberattacks and send a message to President Vladimir V. Putin of Russia.
The move, made public by Attorney General Merrick B. Garland, comes as U.S. officials warn that Russia could try to strike American critical infrastructure — including financial firms, pipelines and the electric grid — in response to the crushing sanctions that the United States has imposed on Moscow over the war in Ukraine.
The malware enabled the Russians to create “botnets” — networks of private computers that are infected with malicious software and controlled by the G.R.U., the intelligence arm of the Russian military. But it is unclear what the malware was intended to do, since it could be used for everything from surveillance to destructive attacks.
An American official said on Wednesday that the United States did not want to wait to find out. Armed with secret court orders in the United States and the help of governments around the world, the Justice Department and the F.B.I. disconnected the networks from the G.R.U.’s own controllers.
“Fortunately, we were able to disrupt this botnet before it could be used,” Mr. Garland said.
The court orders allowed the F.B.I. to go into domestic corporate networks and remove the malware, sometimes without the company’s knowledge.
President Biden has repeatedly said he would not put the U.S. military in direct conflict with the Russian military, a situation he has said could lead to World War III. That is why he refused to use the U.S. Air Force to create a no-fly zone over Ukraine or to permit the transfer of fighter jets to Ukraine from NATO air bases.
But his hesitance does not appear to extend to cyberspace. The operation that was revealed on Wednesday showed a willingness to cut the main intelligence unit of the Russian military off from computer networks inside the United States and around the world. It is also the latest effort by the Biden administration to frustrate Russian actions by making them public before Moscow can strike.
Even as the United States works to prevent Russian attacks, some American officials fear Mr. Putin may be biding his time in launching a major cyberoperation that could strike a blow at the American economy.
Until now, American officials say, the primary Russian cyberactions have been directed at Ukraine — including “wiper” malware designed to cripple Ukrainian government offices and an attack on a European satellite system called Viasat. The details of the satellite attack, one of the first of its kind, are of particular concern to the Pentagon and American intelligence agencies, which fear it may have exposed vulnerabilities in critical communications systems that the Russians and others could exploit.
The Biden administration has instructed critical infrastructure companies in the United States to prepare to fend off Russian cyberattacks, and intelligence officials in Britain have echoed those warnings. And while Russian hackers have sometimes preferred to quietly infiltrate networks and gather information, researchers said that recent malware activity in Ukraine demonstrated Russia’s increasing willingness to cause digital damage.
“They are engaged in a cyberwar there that is pretty intense, but it is targeted,” said Tom Burt, a Microsoft executive who oversees the company’s efforts to counter major cyberattacks and shut down an attack in Ukraine during the opening of the war.
Security experts suspect that Russia may be responsible for other cyberattacks that have occurred since the war began, including on Ukrainian communications services, although investigations into some of those attacks are ongoing.
In January, as diplomats from the United States prepared to meet with their Russian counterparts in an attempt to avoid military conflict in Ukraine, Russian hackers already were putting the finishing touches on a new piece of destructive malware.
The code was designed to delete data and render computer systems inoperable. In its wake, the malware left a note for victims, taunting them about losing information. Before U.S. and Russian representatives met for a final attempt at diplomacy, hackers had already begun using the malware to attack Ukrainian critical infrastructure, including government agencies responsible for food safety, finance and law enforcement.