
How Russia’s Invasion Triggered a US Crackdown on Its Hackers


Since Russia launched its full-blown invasion of Ukraine in late February, a wave of predictable cyberattacks has accompanied that offensive, striking everything from Ukrainian government agencies to satellite networks, with mixed results. Less expected, however, was the cyber counteroffensive from the US government—not in the form of retaliatory hacking, but in a broad collection of aggressive legal and policy moves designed to call out the Kremlin’s most brazen cyberattack groups, box them in, and even directly disrupt their hacking capabilities.

Over the past two months, President Joe Biden’s executive branch has taken more actions to deter and even temporarily disarm Russia’s most dangerous hackers than perhaps any previous administration in such a short space of time. US countermeasures have ranged from publicly pinning the blame for distributed denial of service attacks targeting Ukrainian banks on Russia’s GRU military intelligence agency, to unsealing two indictments against members of notorious Russian state hacker groups, to undertaking a rare FBI operation to remove malware from network devices that GRU hackers had used to control a global botnet of hacked machines. Earlier this week, NSA and Cyber Command director General Paul Nakasone also told Congress that Cyber Command had sent “hunt forward” teams of US cybersecurity personnel to Eastern Europe to seek out and eliminate network vulnerabilities that hackers could exploit, both in Ukraine and in the networks of other allies.

Together, it adds up to “a concerted, coordinated campaign to use all of the levers of national power against an adversary,” says J. Michael Daniel, who served as the cybersecurity coordinator in the Obama White House, advising the president on policy responses to all manner of state-sponsored hacking threats. “They’re trying to both disrupt what the adversary is doing currently, and to also potentially deter them from taking further, more expansive actions in cyberspace as a result of the war in Ukraine.”

Daniel says that, compared to the Obama administration he served in, it’s clear the Biden White House has decided to take a far faster and harder-hitting approach to countering the Kremlin’s hackers. He attributes that shift both to years of US government experience dealing with Vladimir Putin’s regime and to the urgency of the Ukrainian crisis, in which Russian state hackers pose an ongoing threat to Ukrainian critical infrastructure and also to networks in the West, where Kremlin hackers may lash out in retaliation for sanctions against Russia and military support for Ukraine. “The Russians have made it pretty clear that signaling and small steps are not going to deter them,” says Daniel. “We’ve learned that we need to be more aggressive.”

The Biden administration’s ratcheted-up responses to Russian cyberattacks began in mid-February, before Russia had even launched its full-scale invasion. In a White House press conference, Deputy National Security Advisor Anne Neuberger called out Russia’s GRU for a series of denial of service attacks that had pummeled Ukrainian banks over the prior week. “The global community must be prepared to shine a light on malicious cyber activity and hold actors accountable for any and all disruptive or destructive cyber activity,” Neuberger told reporters. Coming just days after the GRU’s attacks, that rebuke represented one of the shortest-ever windows of time between a cyber operation and a US government statement attributing it to a particular agency—a process that has often taken months or even years.

Last month, the Department of Justice unsealed indictments against four individual Russians in two state-linked hacker groups. One indictment named three alleged agents of Russia’s FSB intelligence agency who are accused of belonging to an infamous hacker group, known as Berserk Bear or Dragonfly 2.0, that engaged in a years-long hacking spree that repeatedly targeted critical US infrastructure, including multiple breaches of power grid networks. A second indictment put a name to another highly dangerous hacking campaign, one that used a piece of malware known as Triton or Trisis to target the safety systems of the Saudi oil refinery Petro Rabigh, potentially endangering lives and leading to two shutdowns of the refinery’s operations. The Justice Department pinned that attack on a staffer at the Kremlin-linked Central Scientific Research Institute of Chemistry and Mechanics (known as TsNIIKhM) in Moscow, along with other unnamed co-conspirators at the same organization.
