Pages

26 December 2022

Cybercom disrupted Russian and Iranian hackers throughout the midterms

Ellen Nakashima

U.S. Cyber Command has begun to make routine use of offensive cyber actions to defend the nation, taking aim this fall at Russian and Iranian hackers before they had a chance to disrupt the midterm elections, according to three U.S. officials.

The 13-year-old command took down the digital platform of a Russian troll farm in the 2018 midterm elections to prevent it from seeding material on American social media sites intended to agitate the already divided electorate and to diminish confidence in the election.

Then in 2020, Cybercom moved against Iranian hackers working for the Islamic Revolutionary Guard Corps, shortly after they launched an operation posing as a far-right group to send threatening emails to American voters.

This year, the command’s Cyber National Mission Force (CNMF) went after many of the same foreign entities, including those affiliated with the Russian and Iranian governments and their proxies, according to the officials, who spoke on the condition of anonymity because of the matter’s sensitivity.

In a media roundtable this month at Fort Meade, Md., Gen. Paul Nakasone, who heads both Cybercom and the National Security Agency, the world’s most powerful electronic spying agency, talked about how Cybercom went on the offense during the midterms, though he did not specify targets.

“We did conduct operations persistently to make sure that our foreign adversaries couldn’t utilize infrastructure to impact us," said Nakasone. “We understood how foreign adversaries utilize infrastructure throughout the world. We had that mapped pretty well. And we wanted to make sure that we took it down at key times.”

Nakasone noted that Cybercom’s national mission force, aided by NSA, followed a “campaign plan" to deprive the hackers of their tools and networks. “Rest assured,” he said. “We were doing operations well before the midterms began, and we were doing operations likely on the day of the midterms.” And they continued until the elections were certified, he said.

“This is what ‘persistent engagement’ is,” he added. "This is the idea of understanding your foreign adversaries and operating outside the United States.”

In a joint statement, the two agencies said: “We do not comment on cyber operations, plans or activities and wouldn’t speculate where and who those cyber operations were directed towards.”

Maj. Gen. Joe Hartman, who leads the Cyber National Mission Force, in a news conference Monday sought to demystify offensive operations. “It is certainly one of the things we do on a daily basis," he said, explaining that his team targets the tools a hacker needs to conduct attacks: a computer, an internet connection, malware.

“We do everything we can to make it hard for our adversaries to use that ecosystem to threaten the U.S., allies and partners," he said, speaking at a ceremony to raise CNMF to the status of a “sub-unified” command, similar to Joint Special Operations Command.

Nakasone noted that although there were “plenty of foreign influence operations” in the midterms, compared to previous elections "there was a lessened degree of activity.” He did not elaborate on why that may be the case, for instance, whether it’s because Russia was occupied elsewhere or because of CNMF’s actions.

He did say, however, that he did not see new tactics or tools. “And I saw the same foreign adversaries that I’ve seen before, a lot of the same ones — the proxies and the elements of the Russian and Iranian governments that do this type of work,” he said.

One strategy that Nakasone has carried out is “hunting forward," or examining the computer systems of foreign partners, at their invitation, to look for malware and other tools that adversaries such as Russia use. “When we go to a foreign country, we want to see what adversaries are doing on other networks which might impact us," he explained.

Then Cybercom or NSA shares the malware with cybersecurity companies so they can help their clients in the broader private sector detect and remove it from their networks. “The exposure becomes an antidote,” he said. "I am trying to make it as costly for our adversaries to operate in terms of their time, money, and focus.”

CNMF carried out hunt forward operations in Ukraine at the beginning of the year before Russia’s February invasion, in Lithuania in the spring and Croatia in the summer, officials said. In total the force has deployed 38 times to 21 countries since 2018, officials said.

“Hunt Forward missions give you an ability to understand the importance and the fortitude of what your partner is dealing with," Nakasone said. "It also allows them to up their game with the security of their networks.”

Nakasone said CNMF told him in January that the cyberthreat to Ukraine was “really serious" and that at the team’s urging, the Ukrainians were moving to shore up defenses. “They’ve done a lot of work to look at the critical infrastructure and move data from inside Ukraine to cloud storage outside of the country,” he said.

Hartman said that since the invasion, CNMF and Ukraine’s cyber defenders have exchanged “thousands” of digital warning indicators to help Cybercom learn more about adversaries and Ukraine to thwart cyberattacks.

In the days leading up to the invasion, Russia scanned Ukrainian networks, disrupted government websites and satellite communications capability, and targeted the energy grid and transportation infrastructure, Nakasone noted.

But the combination of better defense, enabled by heightened information sharing between Ukraine and its partners, as well as smart tactics like moving data to the cloud, helped Kyiv withstand Russia’s cyberattacks.

Not to say there’s no future risk.

“This is an adversary that is not through,” Nakasone said at the Reagan National Defense Forum earlier this month in California. “And we remain very, very vigilant.”

No comments:

Post a Comment