On Wednesday, the U.S. Department of Justice (DOJ) announced that it had “disrupt[ed] a two-tiered global botnet of thousands of infected network hardware devices under the control of a threat actor known to security researchers as Sandworm,” and identified by the U.S. government as “the Main Intelligence Directorate of the General Staff of the Armed Forces of the Russian Federation (the GRU).” This action is the latest in what appears to be a string of public moves to impose additional friction on malicious Russian actors in cyberspace since the invasion of Ukraine, and it’s also emblematic of the efforts by the United States over the last few months to shift the framing of some cybersecurity threats from purely criminal matters to national security concerns.
Some hints have emerged about what the United States may be doing to help Ukraine on cybersecurity. In congressional testimony last month, National Security Agency Director and Commander of Cyber Command Gen. Paul Nakasone said, “We had ‘hunt forward’ teams from U.S. Cyber Command in Kyiv. We worked very, very closely with a series of partners at NSA and the private sector to be able to provide that information.” He noted the engagement had been long-standing in saying, “We’ve worked very, very hard with Ukraine over the past several years.” And in testimony earlier this week, he explained that “a series of assumptions” the Russians “may have made,” “coupled with the defensive capabilities” the United States has built with Ukraine have contributed to the relative lack of significant successful cyber operations against Ukraine in recent weeks.
What’s more, the New York Times reported in early March that “[h]idden away on bases around Eastern Europe, forces from United States Cyber Command known as ‘cybermission teams’ are in place to interfere with Russia’s digital attacks and communications.” What exactly that such teams have done is not clear.
In addition to whatever may be happening in secret, the United States is also taking publicly announced actions that seem designed to make life more difficult for Russian cyber actors, both those working for the state and those with murkier associations.
In the takedown of the botnet linked to the GRU, DOJ acted pursuant to federal court authorization. In doing so, the department explained that it
copied and removed [“Cyclops Blink”] malware from vulnerable internet-connected firewall devices that Sandworm used for command and control (C2) of the underlying botnet. Although the operation did not involve access to the Sandworm malware on the thousands of underlying victim devices worldwide, referred to as “bots,” the disabling of the C2 mechanism severed those bots from the Sandworm C2 devices’ control.
Attorney General Merrick Garland emphasized that officials “disable[d] the GRU’s control over” compromised devices “before the botnet could be weaponized.” DOJ noted that in addition to releasing an advisory about the malware in conjunction with the UK’s National Cyber Security Centre, “the FBI has been attempting to provide notice to owners of infected … devices in the United States and, through foreign law enforcement partners, abroad” either directly or through internet service providers when the owner of an infected device is not publicly known.
This is not the first time the United States has engaged in a botnet takedown, and, as DOJ’s announcement notes, it’s not even the first one against a botnet operated by the GRU, though in announcing the prior botnet takedown in 2018, DOJ did not explicitly name the Russian government.
Now though, DOJ isn’t shy about targeting Russian government officials directly. An indictment unsealed on March 24 charged “an employee of a Russian Ministry of Defense research institute and his co-conspirators” with efforts to “damage critical infrastructure outside the United States, thereby causing two separate emergency shutdowns at a foreign targeted facility” and attempting similar hacks in the United States. The indictment reportedly relates to a 2017 hack that disabled safety systems at Saudi Arabia’s Petro Rabigh oil refinery. Another indictment unsealed the same day charged “three officers of Russia’s Federal Security Service (FSB) and their co-conspirators” with “target[ing] and compromis[ing] the computers of hundreds of entities related to the energy sector worldwide.” The indictments address conduct between 2012 and 2018—actions DOJ termed “two historical hacking campaigns.” One suspects that the decision to go public with the charges now, when the United States and allies are using many avenues to ratchet up pressure on Russia, is no coincidence.
Separately, the Treasury Department announced on April 5 that its Office of Foreign Assets Control, working with international partners, “sanctioned the world’s largest and most prominent darknet market, Hydra Market (Hydra), in a coordinated international effort to disrupt proliferation of malicious cybercrime services, dangerous drugs, and other illegal offerings available through the Russia-based site.” According to Treasury, “Hydra’s offerings have included ransomware-as-a-service, hacking services and software, stolen personal information, counterfeit currency, stolen virtual currency, and illicit drugs,” and Treasury’s investigation has “identified approximately $8 million in ransomware proceeds that transited Hydra’s virtual currency accounts.” Treasury also sanctioned Garantex, a virtual currency exchange that processed “over $100 million in transactions … associated with illicit actors and darknet markets, including nearly $6 million from Russian [ransomware-as-a-service] gang Conti and also including approximately $2.6 million from Hydra.” The announcement went out of its way to highlight that Garantex operated out of the same Moscow building as two previously sanctioned cryptocurrency exchanges and noted that the sanctions are part of an effort to “further cut off avenues for potential sanctions evasion by Russia.”
To whom is the U.S. government communicating, and what it is saying?
There are multiple audiences when the U.S. government attributes hacking campaigns to foreign governments or imposes sanctions, and these latest moves are no exception. They communicate to the targeted individuals and to the Russian government and other entities how much visibility the United States has into who is behind hacking campaigns and supposedly anonymous cryptocurrency transactions. The sanctions announcement in particular also seems intended for consumption by third parties who might consider helping Russia evade the massive sanctions that have been imposed since the invasion. And to accompany the March 24 indictments, the State Department announced rewards of up to $10 million from its Rewards for Justice program for “information leading to the identification or location of” the defendants. These efforts may not deter Russian state or non-state actors, but they can increase risks for bad actors and those who might deal with them going forward and certainly create friction for malicious operations—at least for a while. (Past botnet takedowns have not kept the botnets down for long.)
Outside of the specific Russia-Ukraine context, the latest botnet takedown fits into a broader shift by the U.S. government to treat issues like ransomware, cryptocurrency, and botnets as national security concerns, not purely law enforcement matters. In announcing the botnet takedown, U.S. Attorney for the Western District of Pennsylvania Cindy K. Chung stated, “Such activities are not only criminal but also threaten the national security of the United States and its allies.” In announcing ransomware indictments and the recovery of some funds paid as ransoms, Garland similarly said in November, “Cybercrime is a serious threat to our country: to our personal safety, to the health of our economy, and to our national security.” The national security framing suggests an attempted unity of effort between agencies across the U.S. government and between the cybersecurity actions that are publicly announced — like the botnet takedowns, indictments, and sanctions — and other actions that are kept secret. In this vein, U.S. Cyber Command has reportedly acted both against botnets and against ransomware gangs. Whether the national security framing and the whole-of-government approach that accompanies it will be effective at improving U.S. cybersecurity remains to be seen.