Since Russia started its full-scale invasion of Ukraine in late February, a wave of predictable cyberattacks has accompanied this offensive, hitting everything from Ukrainian government agencies to satellite networks, with mixed results. Less expected, however, was the US government’s cyber counteroffensive—not in the form of retaliatory hacking attacks, but in a broad collection of aggressive legal and political moves designed to call out the Kremlin’s most brazen cyberattack groups, shut them down, and even outright interrupt their hacking abilities.
In the past two months, President Joe Biden’s executive branch has taken more action to deter and even temporarily neutralize Russia’s most dangerous hackers than perhaps any previous administration in such a short period of time. US countermeasures have ranged from publicly blaming distributed denial-of-service attacks on Ukrainian banks on Russia’s military intelligence agency, the GRU, to unsealing two indictments against members of notorious Russian state hacking groups, to launching a rare FBI operation to remove malware from network devices that GRU hackers had used to control a global botnet of hijacked machines. Earlier this week, NSA Director and Cyber Command chief General Paul Nakasone also told Congress that Cyber Command had sent “hunt forward” teams of US cybersecurity personnel to Eastern Europe to look for and eliminate vulnerabilities in networks that hackers could exploit, both in Ukraine and in the networks of other allies.
Together, this adds up to “a concerted, coordinated campaign to use all the levers of national power against an adversary,” says J. Michael Daniel, who served as the Obama White House’s cybersecurity coordinator, advising the president on policy responses to any type of state-sponsored hacking threat. “They are trying to both disrupt what the adversary is doing now and potentially deter them from taking further, broader actions in cyberspace as a result of the war in Ukraine.”
Daniel says that, compared to the Obama administration he served in, the Biden White House has clearly decided to take a much faster, harder approach to countering Kremlin hackers. He attributes this change both to the US government’s years of experience dealing with Vladimir Putin’s regime and to the urgency of the Ukraine crisis, in which Russian state hackers pose a constant threat to Ukraine’s critical infrastructure and also to networks in the West, where Kremlin hackers may attack in retaliation for sanctions against Russia and military support for Ukraine. “The Russians have made it pretty clear that signaling and baby steps aren’t going to stop them,” Daniel says. “We learned that we have to be more aggressive.”
The Biden administration’s heightened responses to Russian cyberattacks began in mid-February, before Russia had even begun its full-scale incursion. At a White House news conference, Deputy National Security Adviser Anne Neuberger called out Russia’s GRU for a series of denial-of-service attacks that had hit Ukrainian banks the previous week. “The global community must be ready to shine a light on malicious cyber activity and hold actors accountable for any destructive or disruptive cyber activity,” Neuberger told reporters. Coming just days after the GRU attacks, the reprimand represented one of the shortest intervals ever between a cyber operation and a US government statement attributing it to a specific agency — a process that often takes months or even years.
Last month, the Justice Department unsealed indictments against four Russians belonging to two state-linked hacking groups. One indictment names three alleged agents of Russia’s FSB intelligence agency who are accused of belonging to the infamous hacking group known as Berserk Bear or Dragonfly 2.0, which spent years repeatedly targeting critical US infrastructure, including multiple breaches of power grid networks. A second indictment concerned another highly dangerous hacking campaign that used a piece of malware known as Triton or Trisis to target the safety systems of Saudi Arabia’s Petro Rabigh oil refinery, potentially endangering lives and leading to two shutdowns of the refinery’s operations. The Justice Department pinned that attack on an employee of the Kremlin-linked Central Research Institute of Chemistry and Mechanics (known as TsNIIKhM) in Moscow, along with other unnamed co-conspirators at the same organization.
At the same time, the Cybersecurity and Infrastructure Security Agency, the Justice Department, and the FBI have taken on a third Russian state hacking group even more directly. In February, CISA first issued a warning that a GRU hacking group known as Sandworm — with a track record of everything from triggering blackouts in Ukraine to releasing the NotPetya malware, which caused $10 billion in damage globally — had assembled a botnet of hacked network devices, along with guidance on how to detect and remove the malware, known as Cyclops Blink, that controlled them. When that advice produced only a 39 percent drop in the number of devices hijacked by the botnet, the FBI took the rare step of impersonating the hackers’ communications with their command-and-control machines, sending commands that removed the malware from those devices and thereby cut off Sandworm’s access to at least part of its botnet.
The specific targeting of these three hacker groups – the FSB-linked Berserk Bear hackers, the TsNIIKhM hackers allegedly behind Triton, and the GRU-linked Sandworm group – shows how the US government is deliberately acting to deter and disable the Russian hackers who pose the biggest threat, not merely for espionage or cybercrime but for targeted, disruptive cyberwarfare, says John Hultquist, who leads threat intelligence at the cybersecurity firm Mandiant and has tracked all three groups for years. “At a time when the United States is preparing for potential cyberattacks from Russia, the Department of Justice specifically charged two of these actors and conducted an operation against the third,” Hultquist said. “These are the actors who have a history and proven capability of disruptive and destructive attacks. That is why the operations were, and should be, focused on these actors.”