The US is unmasking Russian hackers faster than ever
Just 48 hours after banks and government websites crashed in Ukraine under the weight of a concerted cyberattack on February 15 and 16, the United States pointed the finger at Russian spies.
Anne Neuberger, the White House’s deputy national security advisor for cyber and emerging technology, said that the US has “technical information that links the Russian Main Intelligence Directorate (GRU)” with the DDoS attack that had overloaded and brought down the Ukrainian websites.
“GRU infrastructure was seen transmitting high volumes of communication to Ukraine-based IP addresses and domains,” she told journalists on February 18. It’s believed that the cyberattack was meant to sow panic in Ukraine as over 150,000 Russian troops massed at the border.
To support MIT Technology Review’s journalism, please consider becoming a subscriber.
The speed at which both US and UK officials were able to apportion blame reflects an enormous change from recent history, and it shows how attribution has become a crucial tool of cyber conflict for the United States. In recent years, the US has used this as a geopolitical tool more often than any other country in the world, often working with allies in the United Kingdom—especially when the target is Russia, as was the case last week.
“I will note that the speed with which we made that attribution is very unusual,” Neuberger said. “We’ve done so because of a need to call out the behavior quickly as part of holding nations accountable when they conduct disruptive or destabilizing cyber activity.”
This new policy has its roots in what happened in the wake of the 2016 US election. Gavin Wilde, formerly a senior National Security Council official focused on Russia, helped author the landmark intelligence community assessment that detailed Moscow’s hacking and disinformation campaigns aimed at influencing the election. It took an enormous effort prompted by President Obama himself, backed up by Director of National Intelligence James Clapper, just to kick-start the process of getting all the relevant US intelligence agencies in the same room to share information across a wide range of classification levels.
But the attribution of Russia’s campaign wasn’t made public until 2017, months after the US election itself.
“There was a feeling of helplessness [among US intelligence] when clearly the American public was the target audience for the Russians,” Wilde tells MIT Technology Review.
Even though it came late, the assessment was an impressive accomplishment compared with anything that had come before.
“But there was still a sense of failure that we weren’t able to defuse these activities before the narratives were well seeded by the Russians and amplified by people in positions of prominence,” Wilde says.
The long road
Hacking was an important facet of global politics for decades before public attribution was ever seriously considered. But a landmark cybersecurity report from a private-sector firm, which landed on the front page of the New York Times, finally changed the way the entire world thought about unmasking hackers.
The 2013 report on Chinese hackers known as APT1 by the American cybersecurity firm Mandiant was the first to publicly point the finger at a nation-state. It took a full decade of hacking by the group, beginning in 2002, for the accusation to go public.
When the APT1 report was published, the document was immensely detailed, even singling out the Chinese People’s Liberation Army cyber-espionage group known as Unit 61398. A year later, the US Department of Justice effectively backed up the report when it indicted five officers from the unit on charges of hacking and stealing intellectual property from American companies.
“The APT1 report fundamentally changed the benefit-risk calculus of the attackers,” says Timo Steffens, a German cyber-espionage investigator and author of the book Attribution of Advanced Persistent Threats.
“Prior to that report, cyber operations were regarded as almost risk-free tools,” he says. The report not only came up with hypotheses but clearly and transparently documented the analysis methods and data sources. It was clear that this was not a one-off lucky finding, but that the tradecraft can be applied to other operations and attacks as well.”
The consequences of the headline-grabbing news were far reaching. A wave of similar attributions followed, and the United States accused China of systematic massive theft. As a result, cybersecurity was a centerpiece of Chinese president Xi Jinping’s visit to the United States in 2015.
“Before the APT1 report, attribution was the elephant in the room that no one dared to mention,” says Steffens. “In my opinion it was not only a technical breakthrough, but also a bold achievement of the authors and their managers to go the final step and make the results public.”
It’s that final step that has been lacking, as intelligence officers are now well versed in the technical side. To attribute a cyberattack, intelligence analysts look at a range of data including the malware the hackers used, the infrastructure or computers they orchestrated to conduct the attack, intelligence and intercepted communications, and the question of cui bono (who stands to gain?)—a geopolitical analysis of strategic motivation behind the attacks.
The more data can be examined, the easier attribution becomes as patterns emerge. Even the world’s best hackers make mistakes, leave behind clues, and reuse old tools that help make the case. There’s an ongoing arms race between analysts coming up with new ways to unmask hackers and the hackers aiming to cover their tracks.
But the speed with which the Russian attack was attributed showed that previous delays in naming names were not simply due to a lack of data or evidence. The issue was politics.
“It boils down to a matter of political will,” says Wilde, who worked at the White House until 2019. “For that you need decisive leadership at every level. My interactions with [Anne Neuberger] lead me to believe she’s the type that can move mountains and cut through red tape when needed to augur an outcome. That’s the person she is.”
Wilde argues that the potential Russian invasion of Ukraine, which risks hundreds of thousands of lives, is pushing the White House to act more quickly.
“The administration seems to have gathered that the best defense is a good preemptive offense to get ahead of these narratives, ‘pre-bunking’ them and inoculating the international audience, whether it be the cyber intrusions or false flags and fake pretexts,” says Wilde.
Public attribution can have a very real impact on adversaries’ cyber strategy. It can signal that they’re being watched and understood, and it can impose costs when operations are uncovered and tools must be burned to start anew. It can also trigger political action such as sanctions that go after the bank accounts of those responsible.
Just as important, Gavin argues, it’s a signal to the public that the government is closely tracking malicious cyber activity and working to fix it.
“It creates a credibility gap, particularly with the Russians and Chinese,” he says. “They can obfuscate all they want, but the US government is putting it all out there for public consumption—a forensic accounting of their time and efforts.”