14 March 2020

USCYBERCOM: Cable-Gate Hindered U.S. Tracking of APT Intrusions


Selections from the US Code related to cyber security.

Selection of presidential orders related to communication and cyber policy.

A compendium of records from important cybersecurity-related legal cases.

White House and Department of Defense documents tracing the evolution of cyber strategy in the United States Government.

Washington D.C., March 9, 2020 - A USCYBERCOM Fusion Cell assigned to evaluate the impact of the 2010 WikiLeaks release of classified Department of State cables determined that information in the cables revealed U.S. intelligence on adversary cyberspace operations, according to a Situational Awareness Report released in response to a National Security Archive FOIA request. The assessment predicted that adversaries would, as a result, be able to more effectively shift their TTPs (tactics, techniques, and procedures) to evade detection by U.S. agencies.


The analysis specifically mentions that the leak revealed U.S. awareness of “specific adversary TTPs, including malware, toolsets, IP addresses, and domains used in intrusion activity.” These TTPs form the bulk of what digital forensic investigators rely on to identify, track, and attribute advanced persistent threats (APTs) conducting offensive cyber operations. While defenders may at critical moments find it advantageous to intentionally reveal their knowledge of an attacker’s TTPs, forcing the adversary to “burn” the tools and infrastructure which have become part of their identifiable signature, unplanned release of the intelligence used by a defender while building knowledge on a threat plays to the attacker’s advantage. In this case the USCYBERCOM analysis states that actors “are expected to modify their current infrastructure and intrusion techniques,” hampering the ability of U.S. agencies to track attacker activity until new intelligence on threat signatures can be developed. The WikiLeaks release in practice appears to have granted attackers a period of heightened advantage over the U.S.

The analysis as released is so significantly redacted that it is impossible to derive which specific actor or actors the USCYBERCOM Fusion Cell is referring to. However, researchers and journalists quickly linked the contents of at least one cable to an attack which came to be known as Operation Aurora. This attack, which impacted over 30 companies and led Google to review its presence in China, had been attributed to the PLA-linked Elderwood Group (a/k/a Beijing Group). The leaked cable connected the perpetrators of Operation Aurora with intrusion campaigns dating to 2002 targeting a wide array of entities including the U.S. government, Western corporations, and even the Dalai Lama, suggesting U.S. agencies had been tracking its activities over a long period of time.

This FOIA-released document, provided below, suggests that the illegal release of classified State Department cables in 2010 led to a period in which the U.S. government was hindered in its ability to track the activities of at least one of the most sophisticated APTs operating on the geopolitical stage.

No comments: