Foreign hackers pull off successful attack despite Cyber Command’s ‘defend forward’ strategy


The U.S. government was successfully hit this year as part of a massive global cyberespionage operation, despite the National Security Agency and U.S. Cyber Command ramping up their “defend forward” strategy in recent years and going on offense around the world.

The Department of Homeland Security issued a governmentwide directive just before midnight on Sunday to purge agency networks of potentially compromised servers after discovering the Treasury and Commerce departments were victims of a monthslong cyberattack campaign suspected by many to be a Russian hacking effort.

SolarWinds, an IT company that runs network management systems whose thousands of clients include the Justice Department, NASA, the Pentagon, and the State Department, acknowledged that its systems had been compromised.

In the days after the November presidential election, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency said it was the “most secure in American history” and that “there is no evidence that any voting system deleted or lost votes, changed votes, or was in any way compromised” as President Trump pushed claims that the election was rigged in favor of President-elect Joe Biden. But while the United States may have successfully thwarted any significant electronic foreign meddling in 2020’s election, hackers were quietly creeping their way into a host of federal agencies.

On Election Day, CISA pointed to its relationship with Cybercom as a reason why U.S. efforts to stop election meddling were largely effective in 2020.

“Cyber Command has been an incredibly helpful partner, not just for us, but also for our state and local partners out there. And a good example of the ‘hunt forward’ mission — it’s gone out to various countries, where there’s been foreign advanced persistent threat activity, Russian in the case that’s most immediate in my mind, where they can go on these networks and, with the authorization of the host country — Ukraine, Montenegro, North Macedonia — and they can watch Russian actors in the wild,” a senior CISA official said on Election Day. “And they can see the tools they’re using, the malware they’re using, but also, the target sets when you’re talking about election interference.”

When asked about election interference-related cyberoperations in 2016 versus 2020, the official said that “targeting election infrastructure has been much quieter — but that’s not to discount Russian cyberactivity in general.”

The official pointed to an FBI and CISA alert released in late October warning about the Russian-backed Energetic Bear hacking group scanning private-sector and federal agency networks, calling it “quite significant.”

The Justice Department was also active in the lead-up to the election, bringing charges in October against Russian military hackers, indicting Chinese hackers in July and September, charging Iranian hackers in September, and accusing Russian and Chinese hackers of trying to steal coronavirus vaccine research.

The U.S. intelligence community warned in August that the Russian government was aiming to denigrate Biden, while the Chinese Communist Party wanted Trump to lose reelection, and the Iranian regime sought to undermine Trump’s presidency. Director of National Intelligence John Ratcliffe and FBI Director Christopher Wray held a surprise press conference in late October warning about Russian and Iranian cyberactors trying to meddle.

Malicious cyberactivity by the Russians is commonplace, and Microsoft and Cybercom disrupted a Russian cybercrime-linked TrickBot ransomware computer network just weeks ahead of the election.

Just before Election Day, the New York Times reported that Cybercom had “expanded its overseas operations aimed at finding foreign hacking groups before the election on Tuesday, an effort to identify not only Russian tactics but also those of China and Iran” and that “in addition to new operations in Europe to pursue Russian hackers, Cyber Command sent teams to the Middle East and Asia over the past two years to help find Iranian, Chinese, and North Korean hacking teams and identify the tools they were using to break into computer networks.” The outlet then reported in early December that Cybercom also “deployed operatives to Estonia in the weeks before the November election to learn more about defending against Russian hackers as part of a broader effort to hunt down foreign cyberattacks.”

Gen. Paul Nakasone, the head of the NSA and Cybercom, said on Election Day that he was “very confident in the actions that have been taken against adversaries over the last several weeks and several months to ensure they are not going to interfere in our elections.”

U.S. officials touted Cybercom’s actions just after the election, with the New York Times reporting that the U.S. military had “dived deep into Russian and Iranian networks in the months before the election, temporarily paralyzing some and knocking ransomware tools offline” and “then it stole Iran’s game plan and, without disclosing the intelligence coup behind the theft, made public a part of Tehran’s playbook when the Iranians began to carry it out.” The outlet cited “government officials and other experts” who suggested “a number of reasons for the apparent success” in avoiding meddling on Election Day, including the U.S.’s foreign adversaries were “deterred” in part because Cybercom and a small group of American companies “were so on the offensive that it was not worth the risk.”

The U.S. response to Russian cybermeddling in the 2016 election was criticized by many, including a Senate Intelligence Committee report in February. Robert Mueller’s 2019 special counsel report said that Russians interfered in the 2016 election in a “sweeping and systematic fashion” but “did not establish” criminal collusion between any Russians and anyone in Trump’s orbit.

The Pentagon’s cyberstrategy in 2018 declared that the U.S. military “will defend forward to disrupt or halt malicious cyber activity at its source.” Cybercom said then that the U.S. must “defend forward as close as possible to the origin of adversary activity, and persistently contest malicious cyberspace actors.”

Nakasone penned an op-ed in August for Foreign Affairs, pointing to the creation of the Russia Small Group and highlighting Cybercom sending personnel out on “several hunt forward missions, where governments had invited them to search for malware on their networks.” He said these actions helped protect the 2018 midterm elections and would help defend 2020, too, saying the U.S. had evolved “from a reactive, defensive posture to a more effective, proactive posture called persistent engagement.”

CNN reported in October 2018 that Cybercom had “begun targeting Russian operatives believed to be attempting to influence the 2018 midterm elections as part of a broad effort in coordination with several government agencies.” The Washington Post reported in February 2019 that as voters went to the polls the previous November, the U.S. military “blocked Internet access” to the Internet Research Agency, a Russian troll farm, as “part of the first offensive cyber campaign against Russia designed to thwart attempts to interfere with a U.S. election.” Trump confirmed in an Oval Office interview with the Washington Post in June that he had authorized that cyberattack.

John Bolton, then the White House national security adviser, announced in September 2018 that Trump had signed a new presidential directive titled National Security Presidential Memorandum 13 and described it as “on offensive cyber operations” to loosen Obama-era restrictions on military cyberoperations, though much of the directive remains classified. It was reported by Yahoo News in July that the CIA was also granted broader cyberpowers in 2018 to counter the digital threats posed by Russia, China, Iran, and North Korea.
