The federal government isn’t always known for its speed in the cybersecurity realm. But last week it moved at a breakneck pace to pull back the curtain on foreign cyberthreats.
In a series of enforcement actions, the Department of Justice unsealed seven federal indictments charging 16 foreign nationals from China, Russia, Iran, and Malaysia with hacking-related crimes. The Treasury Department sanctioned 45 individuals associated with Iran’s APT39, as well as two Russian cryptojackers cited in one of the DOJ’s indictments. At the same time, the FBI, US-CERT, and Department of Homeland Security’s CISA distributed threat advisories, malware analysis reports, and flash alerts warning of new cyberthreats.
Those actions can be seen as a warning both to the governments that prop up hackers and the companies that are targeted in these attacks, said Keith Mularski, Advisory Executive Director of Cybersecurity at EY.
“The administration probably wants to put forward a strong message that the U.S. won’t tolerate this activity,” said Mularski, who worked on some of the nation’s first indictments against state-sponsored hackers while at the FBI’s Cyber Division. “In addition, this allows them to get that information out to private sector and foreign partners, to have that dialogue, to strengthen other defenders, and also to learn more from the private sector about the [tactics, techniques, and procedures] of these adversaries.”
The timing of any federal indictment is partly a matter of chance. It can take years for prosecutors to gather evidence and assemble a case. Six of the seven indictments unsealed last week detail criminal activity dating back more than three years.
Still, the flurry of indictments appears to be part of a new strategy for cyberspace unveiled by FBI Director Christopher Wray in a speech at the CISA Cybersecurity Summit last Wednesday.
“Our [new] strategy, in a nutshell, is to impose risk and consequences on cyber adversaries,” said Wray. “That means using our role as the lead federal agency with law enforcement and intelligence responsibilities to not only pursue our own actions, but to enable our partners to defend networks, attribute malicious activity, sanction bad behavior, and take the fight to our adversaries overseas.”
On Monday, Tonya Ugoretz, deputy assistant director in the FBI’s cyber division, confirmed the timing of the activity was coordinated to “cause maximum impact on the adversary” in an interview with Cyberscoop.
Much of what Wray and Ugoretz mentioned is not actually new. But if recent events are illustrative of what is to come, three elements of the “strategy” stand out.
The first is the volume of measures undertaken last week, said Brandon Valeriano, the Bren Chair of Military Innovation at the Marine Corps University. “The DOJ has been indicting people for the last six years or so, just not at such a fast pace,” he said.
Prior to last week’s indictments, the Justice Department had only unsealed 14 hacking-related charges this year. That compares to 21 such indictments in 2019, 58 in 2018, 15 in 2017 and 12 in 2016, according to data provided by the Foundation for the Defense of Democracies.
Second, the FBI and DOJ paired legal actions with a range of technical and operational measures designed to punish or debilitate criminals, and to assist partners in government and the private sector.
“Indictments are not going to eliminate or solve cybercrime, espionage, or any of those other things that go on through cyberspace,” said Michael Daniel, the President and CEO of the Cyber Threat Alliance and the former White House cybersecurity coordinator for the Obama administration. “But if you couple the use of indictments with other diplomatic, legal, economic tools then, yes, it can be a useful way to create friction for our adversaries. That’s really the goal.”
Daniel said the government still has a long way to go in terms of developing those additional tools, such as strengthening cooperation with telecommunications providers and cybersecurity companies. But he acknowledged that the other steps the government has taken showed how much its cybersecurity posture has matured in recent years.
Many of those advances have less to do with any recent policy shift at FBI or DOJ than organizational changes years in the making, such as the elevation of Cyber Command to a unified combatant command and the establishment of CISA and the NSA’s Cybersecurity Directorate—all of which have put information-sharing at the forefront of their missions.
Still, the government’s efforts to be more transparent about cyberthreats have accelerated. Last month, for example, the FBI and the NSA jointly exposed malware developed and used by Fancy Bear, the Russian hacking unit responsible for the 2016 hack of the Democratic National Committee.
Lastly, all of the alleged hackers shared something in common: each worked entirely or in part for private gain.
Outsourcing hacking operations to independent contractors can provide states with plausible deniability in the event that the hackers get caught. By calling out states for not prosecuting known criminals within their borders, the DOJ turned that logic against the states in question.
“Unfortunately, our cases demonstrate that at least four nations—Iran, China, Russia, and North Korea—will allow criminal hackers to victimize individuals and companies from around the world, as long as these hackers will also work for that country’s government,” said Assistant Attorney General for National Security John C. Demers at the unsealing of one of last week’s indictments.
That argument is powerful politically but it may come at a price strategically, said Valeriano, who noted that the activities exposed by the government ran the gamut from petty hacktivism to major supply-chain hacks.
“If you’re trying to signal to an adversary, the signal has to be clear, and if you’re hitting everyone and everything, that really dilutes the message. And that really is the challenge in this space, to have clarity of message,” he said.
John Sakellariadis is a freelance writer and independent researcher covering cybersecurity and U.S. foreign policy. Covid-permitting, he will begin a Fulbright Student Research grant in January, when he will be conducting research on EU cyber policy in Athens, Greece.