US Confirms It Has Provided Cybersecurity Support to Ukraine
Boosting Ukraine's Cyber Space Is Not a Violation of Policy, White House Says
The U.S. has conducted offensive cyber activities in support of Ukraine, Cyber Command Director Gen. Paul Nakasone reportedly said on Wednesday. He made the comments at the ongoing annual NATO Cooperative Cyber Defense Center of Excellence conference - CyCon.
White House press secretary Karine Jean-Pierre, in a press briefing held later in the day, said that the offensive cyber operations aim to strengthen Ukraine's cyber space, and are therefore not in violation of policies that seek to avoid direct military conflict with Moscow, Reuters reports.
Offense Is the Best Defense?
Nakasone, in the interview, says that the U.S. has "conducted a series of operations across the full spectrum: offensive, defensive, [and] information operations." This contradicts President Joe Biden's stance of not engaging with Russia directly, over fears of escalation.
But Jean-Pierre, in response to queries at the Wednesday press briefing on the offensive capabilities infringing on U.S. historical policies, says, "We don't see it as such."
She says the Kremlin has "not been pleased by the amount of security assistance we’ve been providing to the Ukrainians since far before this most recent phase of conflict began. But we are doing what exactly the President said he would do, which is - and he told President Putin directly - we would do - what we would do if he - if he attacked Ukraine, back in December, which is provide security assistance to the Ukrainians that is above and beyond what we are - what we were already providing to help Ukrainians defend their country."
'Hunt Forward' Operation
Neither Nakasone nor Jean-Pierre provided further details on these offensive cyber activities from the U.S. But Nakasone reportedly spoke on how the U.S. has separately conducted a "hunt forward" operation in Ukraine just before the war began. He says the operation has helped both the U.S. and Ukraine ramp up their cyber defenses.
"Hunt forward" operations are intel-driven and partner-requested defensive cyber operations. Cyber National Mission Force, or CNMF, cyber operators are deployed across 16 nations, including the Five Eyes alliance nations - the U.S., U.K., Australia, Canada and New Zealand - and other NATO countries.
In April, at a summit hosted by Vanderbilt University on modern conflict and emerging threats, Nakasone said that the CNMF had deployed a "hunt forward" team to Ukraine in December to conduct defensive cyber operations alongside partner cyber forces of Ukraine, The Hill reported. It said this team moved out of Ukraine just days before the Russian invasion began in February.
Cyber operative partners from these nations hunt on networks of the host nation's choosing, with its permission, looking for malicious cyber activity and vulnerabilities. The insights gleaned from these sessions, including adversary tactics, techniques and procedures, are shared with the host nation and other cooperative member-nations, who further disclose them to public and private sector networks. This helps bolster homeland defense against cyberthreats before they reach their respective countries' shores, according to a statement from Cyber Command when a "hunt forward" team that had been sent to Lithuania concluded its operations in the first week of May.
"This Hunt Forward operation is a great example of how cyber is a team sport and we have to play it together," U.S. Army Maj. Gen. and CNMF Commander Joe Hartman says. "With these missions, we see a broader scope of how these bad actors are trying to attack important government networks."
As of May 2022, the CNMF has conducted 28 "hunt forward" operations in 16 countries, including Estonia, Lithuania, Montenegro, North Macedonia and Ukraine, U.S. Cyber Command says in its May statement.
Nakasone, speaking in Tallinn, Estonia, says these operations have been highly instrumental in helping the U.S. keep an eye on state-sponsored threat actors by identifying their TTPs and in conducting operations to dismantle Russian propaganda machinery that runs disinformation campaigns to influence the upcoming midterm elections in 2022.
'Laser Focus' on Russia
FBI Director Christopher Wray, at Boston College’s Conference on Cyber Security, spoke about the factors behind the U.S.'s "laser focus" on Russia.
Citing the NotPetya attack from 2017, Wray said that Russia and its military have a history of being reckless and having their attacks spill over away from the targets. "They targeted Ukraine but ended up also hitting systems throughout Europe, plus the U.S. and Australia, and even some systems within their own borders. They shut down a big chunk of global logistics.
"That reckless attack ended up causing more than 10 billion dollars in damages - one of the most damaging cyberattacks in the history of cyberattacks - and spread world-wide before anyone knew to do anything," Wray said.
He also said that Russia is using tools such as wiper malware for mass destruction - a trend that has been observed before (see: Russia-Ukraine War: Cyberattack Escalation Risk Continues). "And we’re watching for their cyber activities to become more destructive as the war keeps going poorly for them," Wray said.
To counter these issues, Wray said that the FBI and other agencies are jointly running a 24/7 cyber command post that pushes out real-time intelligence and technical indicators not just to government partners, but also to private companies and others.
"We've seen the Russian government taking specific preparatory steps towards potential destructive attacks, here and abroad. We're reaching out to potential targets to warn them about the looming threat, giving them technical indicators they can use to protect themselves. And we're moving rapidly to disrupt Russian activity," he says.
Wray also cited the Department of Justice’s takedown of the Cyclops Blink botnet from earlier this year - which was used by Russian GRU's Main Center for Special Technologies to control thousands of infected devices - as an example of how the U.S. government is responding to the cyber offensive from the Kremlin (see: DOJ Disrupts Russia-Linked APT's Malware, 'Cyclops Blink').