How Russia’s Invasion Triggered a US Crackdown on Its Hackers

Since Russia launched its full-blown invasion of Ukraine in late February, a wave of predictable cyberattacks has accompanied that offensive, striking everything from Ukrainian government agencies to satellite networks, with mixed results. Less expected, however, was the cyber counteroffensive from the US government—not in the form of retaliatory hacking, but in a broad collection of aggressive legal and policy moves designed to call out the Kremlin’s most brazen cyberattack groups, box them in, and even directly disrupt their hacking capabilities.

Over the past two months, President Joe Biden’s executive branch has taken more actions to deter and even temporarily disarm Russia’s most dangerous hackers than perhaps any previous administration in such a short space of time. US countermeasures have ranged from publicly pinning the blame for distributed denial of service attacks targeting Ukrainian banks on Russia’s GRU military intelligence agency, to unsealing two indictments against members of notorious Russian state hacker groups, to undertaking a rare FBI operation to remove malware from network devices that GRU hackers had used to control a global botnet of hacked machines. Earlier this week, NSA director and Cyber Command chief General Paul Nakasone also told Congress that Cyber Command had sent “hunt forward” teams of US cybersecurity personnel to Eastern Europe to seek out and eliminate network vulnerabilities that hackers could exploit, both in Ukraine and in the networks of other allies.

Together, it adds up to “a concerted, coordinated campaign to use all of the levers of national power against an adversary,” says J. Michael Daniel, who served as the cybersecurity coordinator in the Obama White House, advising the president on policy responses to all manner of state-sponsored hacking threats. “They’re trying to both disrupt what the adversary is doing currently, and to also potentially deter them from taking further, more expansive actions in cyberspace as a result of the war in Ukraine.”

Daniel says that, compared to the Obama administration he served in, it’s clear the Biden White House has decided to take a far faster and harder-hitting approach to countering the Kremlin’s hackers. He attributes that shift both to years of US government experience dealing with Vladimir Putin’s regime and to the urgency of the Ukrainian crisis, in which Russian state hackers pose an ongoing threat to Ukrainian critical infrastructure and also to networks in the West, where Kremlin hackers may lash out in retaliation for sanctions against Russia and military support for Ukraine. “The Russians have made it pretty clear that signaling and small steps are not going to deter them,” says Daniel. “We’ve learned that we need to be more aggressive.”

The Biden administration’s ratcheted-up responses to Russian cyberattacks began in mid-February, before Russia had even launched its full-scale invasion. In a White House press conference, Deputy National Security Advisor Anne Neuberger called out Russia’s GRU for a series of denial of service attacks that had pummeled Ukrainian banks over the prior week. “The global community must be prepared to shine a light on malicious cyber activity and hold actors accountable for any and all disruptive or destructive cyber activity,” Neuberger told reporters. Coming just days after the GRU’s attacks, that rebuke represented one of the shortest-ever windows of time between a cyber operation and a US government statement attributing it to a particular agency—a process that has often taken months or even years.

Last month, the Department of Justice unsealed indictments against four individual Russians in two state-linked hacker groups. One indictment named three alleged agents of Russia’s FSB intelligence agency who are accused of belonging to an infamous hacker group, known as Berserk Bear or Dragonfly 2.0, that engaged in a years-long hacking spree that repeatedly targeted critical US infrastructure, including multiple breaches of power grid networks. A second indictment put a name to another highly dangerous hacking campaign, one that used a piece of malware known as Triton or Trisis to target the safety systems of the Saudi oil refinery Petro Rabigh, potentially endangering lives and leading to two shutdowns of the refinery’s operations. The Justice Department pinned that attack on a staffer at the Kremlin-linked Central Scientific Research Institute of Chemistry and Mechanics (known as TsNIIKhM) in Moscow, along with other unnamed coconspirators at the same organization.

At the same time, the Cybersecurity and Infrastructure Security Agency, the Justice Department, and the FBI were taking on a third Russian state hacker group even more directly. In February, CISA first issued a warning that a GRU hacking group known as Sandworm—with a track record that includes everything from triggering blackouts in Ukraine to the release of the NotPetya malware that inflicted $10 billion in damage worldwide—had assembled a botnet of hacked network devices, along with guidance on how to detect and remove the malware, known as Cyclops Blink. When that advisory led to only a 39 percent drop in the number of devices the botnet had hijacked, the FBI took the rare step of impersonating the hackers’ communications to the botnet’s command-and-control machines, sending commands that removed the malware from those devices and thus cutting off Sandworm’s access to at least part of its botnet.

The specific targeting of those three hacker groups—the FSB-linked Berserk Bear hackers, the TsNIIKhM hackers allegedly behind Triton, and the GRU-linked Sandworm group—shows how the US government is intentionally taking actions to deter and disable the Russian hackers who present the greatest threat not of mere espionage or cybercrime, but of targeted, disruptive cyberwarfare, says John Hultquist, who leads threat intelligence at the cybersecurity firm Mandiant and has tracked all three groups for years. “At a time when the US is bracing for potential cyberattacks from Russia, the Department of Justice has specifically indicted two of these actors and carried out an operation against the third,” says Hultquist. “Those are the actors that have the history and proven capability for disruptive and destructive attacks. That’s why operations have been and should be focused on those actors.”