As Cyber Command evolves, its novel malware alert system fades away
The 2018 midterms were days away, and Timothy Haugh wanted a big idea.
The Air Force general was the head of U.S. Cyber Command’s elite Cyber National Mission Force (CNMF) at the time and also served as the command’s co-lead of a newly minted joint election security task force with the National Security Agency.
The team, known as the Russia Small Group, was at the heart of the federal government’s efforts to shield the upcoming election from potential foreign meddling after the Kremlin’s multifaceted digital assault on the 2016 presidential race.
CNMF personnel had recently collected the initial tranche of malware samples from the first of their kind “hunt forward” missions, launched in partnership with Ukraine, Montenegro and North Macedonia. The goal of those operations was to protect the midterms by having U.S. operators scour foreign networks to obtain unfamiliar malicious code and glean adversary tools and techniques firsthand.
Now, walking down a hallway of NSA headquarters at Fort Meade, Maryland, Haugh turned to some of his aides and said he wanted to show the public, and the larger cybersecurity research community, concrete examples of the command’s election security work.
“I said, ‘Honestly, sir, I just want to take their malware, upload it somewhere and dox It all on Twitter. Let's get a Twitter account, put the CNMF logo on there and just start tweeting out stuff about their malware. We'll link through to samples that we'll host somewhere,’” according to Jason Kikta, who was then a major in the Marine Corps and one of the first members of the CNMF.
“He’s asked, ‘Can we stick it on VirusTotal?’” Kikta, now the chief information security officer at cybersecurity software company Automox, remembered.
“I said, ‘Hell yeah, we can stick it on VirusTotal!’”
A week later, the Twitter account was activated and samples of Russian malware were shared on the widely used, Google-owned repository via a dedicated laptop — one day before Election Day.
The initiative sparked genuine surprise and instant praise among cybersecurity researchers, who had grown accustomed to the secretive ways of the U.S. national security apparatus.
This Twitter account was created solely to provide alerts to the cybersecurity community that #CNMF has posted new malware to @virustotal. A log of our uploads can be found here: https://t.co/fSgk1xpG8t
— USCYBERCOM Cybersecurity Alert (@CNMF_CyberAlert) November 5, 2018
“Kicking it off and watching it work was exciting,” said a Defense Department official familiar with the alert system’s launch, adding that it was one of the results of talks between former Cyber Command and NSA chief Paul Nakasone and Defense Secretary Jim Mattis about how to execute the new election security mission quickly.
Retired Lt. Gen. Charlie “Tuna” Moore, Nakasone’s deputy at the time, emphasized that by 2018 the command finally had “policies and authorities in place to actually allow us to operate the way we really needed to, to defend the nation. We were obviously experimenting with a lot of things to try to figure out the best way to perform our mission.”
Or, as the Defense Department official put it: “I can't overemphasize how just fucking cool it was.”
The command would go on to post more Russian samples — including some linked to APT28, the same hacking group that breached the Democratic National Committee during the 2016 election cycle — as well as several from other longtime digital adversaries, like Iran and North Korea (including once on a day the country celebrates a national holiday). The Twitter account would also post memes — including candy hearts and cartoon animals — to troll foreign actors.
At some point, though, the initiative went quiet. Next week will mark two years since the CNMF has posted any malware samples, at least publicly, to VirusTotal.
The lack of action, however, isn’t a sign that the CNMF is paying less attention to threats or sharing less information overall. Its personnel are busier than ever. The tactic of publicly naming-and-shaming adversaries fell away as the command expanded other outreach efforts to the private sector and academia. While learning how to show off, the CNMF was fine-tuning how it reached outside Fort Meade.
Now Under Advisement
In April, Haugh, now the head of Cyber Command and the NSA, testified that cyber practitioners went on 22 hunt forward missions last year and collected over 90 malware samples. A recent CNMF announcement noted that an inaugural deployment to Zambia turned up a “specific vulnerability” in the nation’s network but did not offer more details.
Current and former CNMF members, speaking on anonymity to talk about matters they were not authorized to discuss publicly, told Recorded Future News that operators continue to upload samples to VirusTotal today.
They noted anyone can share to the site’s digital community without creating a public post, and antivirus companies automatically pull from VirusTotal uploads to help build signatures, which are then relayed to customers. The command also regularly adds the CNMF stamp to federal digital alerts and advisories with others, such as the FBI and the Cybersecurity and Infrastructure Security Agency (CISA).
And through Under Advisement, the command and private firms use tools like Slack and Microsoft Teams to communicate instantaneously on digital threats, these sources said.
In a statement, a CNMF spokesperson stressed the organization “maintains a variety of avenues for releasing information to the public and its private sector partners.”
“Historically, CNMF did primarily use VirusTotal as its release mechanism. However, Congress has given CNMF additional authorities to share information directly with industry partners, through our Under Advisement program,” the spokesperson explained, adding the military outfit is “experimenting with the most effective ways to communicate cyber threat information.”
The lack of public VirusTotal posts is “representative of this evolution.”
And whereas Twitter, now known as X, was once considered one of the quickest ways to inform the public and the cybersecurity community, as well as an innovative way to discourage potential adversary behavior, the platform’s reach has dropped since it was bought and renamed by Elon Musk. His content policies have led many users, including key digital researchers, to abandon the site.
Under Advisement shares data under the “Traffic Light Protocol” used by CISA and is a well-established industry standard. TLP classifications measure the sensitivity of threat information the government disseminates to the private sector.
“Rather than put out big news — because when we do post something to VirusTotal, or tweet something, that gets everybody's attention — we're having more impact because we're able to work with our partners to say, ‘Hey, this is some information that we think is important,’” according to a senior CNMF official.
The official said the U.S. military “absolutely cannot tell a private company what to do'' but noted firms are aware that the online community will be upset if they ignore the TLP marking and handling standards.
A former CNMF member said they could “see both sides” of the argument that the account has been replaced by Under Advisement as the main engine to broadcast disclosures.
“A lot of what Under Advisement does now is public in the sense that it's engaged in the private sector. But it's not exceptionally publicized,” they told Recorded Future News
Insiders say the overall goal remains the same as it was in 2018: move at the speed of the digital world.
“They’re just different tools in the toolkit,” said the senior CNMF official. In some cases, the command is “going out loud and proud” with public attribution but in other instances “we say it would just be best if we were able to get the information out to our partners so that a piece of malware stops working.”
“It's really about the level of detail,” said Moore, now a Distinguished Visiting Professor at Vanderbilt University. “The scale and depth with which I can share information in Under Advisement — and it'd be an ongoing back and forth information sharing collaboration -- often requires more than 280 characters, right?”
Still, that doesn’t mean “there's not a case to be made that if something big is going on, the command isn't going to use every communication tool that it has to get out baseline information so the public and private sector can all take action.”
Many partners
The Under Advisement team — sprinkled throughout Fort Meade, home to both Cyber Command and NSA — is “really doing good work with getting stuff out to industry, and also taking things in from industry, because now they’ve kind of shown that CNMF is a credible as a player here, and so industry is willing to play along with them,” said the former operator.
They credited former CNMF chief Lt. Gen. William Hartman, Cyber Command’s current No. 2, for “ruthlessly prioritizing” such work within the outfit as opposed to letting it go the larger command or the NSA because, while those two entities cooperate with the private sector, the mission force performs “the lion's share of actual operational collaboration with industry.”
Recorded Future News reported last year the Under Advisement planned to double in size before the end of 2023 due to its ongoing success dealing with the commercial sector.
The CNMF spokesperson said while the organization “won’t release the specific numbers associated” with the program “we can state that we have roughly doubled the total number of partners since last summer, and currently have more than 60 partners whom we work with closely to share cyber threat information and counter foreign malicious cyber activity.”
Another former CNMF member said it was “generally fair” to say Under Advisement, which Kikta began work on in 2019, has surpassed the original alert system.
“The challenge with that is the public trust portion. Being able to show them the command is doing something and giving opportunities to talk about things publicly and being a public voice and holding yourself up to that standard and not having your only true accountability being what senators are told in closed door hearings, that's important as well.”
For his part, Kikta said he hopes the command doesn’t lose the “positivity” that came with public disclosures.
CNMF “has an important voice to contribute. There is value in CNMF having something that forces it to be public and talk on technical bits and not just generals going to give speeches,” he said.
“I don't want CNMF to slip back into the shadows inadvertently.”
Martin Matishak
is the senior cybersecurity reporter for The Record. Prior to joining Recorded Future News in 2021, he spent more than five years at Politico, where he covered digital and national security developments across Capitol Hill, the Pentagon and the U.S. intelligence community. He previously was a reporter at The Hill, National Journal Group and Inside Washington Publishers.