2022-04-12

Those rascally Russians. Since at least the 2016 election the cybersecurity community, and most of all the U.S. government, has been trying to understand and mitigate “the Russia problem,” which is a signaling phrase in our arena that focuses on the problem of maintaining cybersecurity in the face of Russia’s technological capacity, and its mala fide aims.
Of course, the rather brief history of deliberating over the Russia problem ramped up considerably as of February 24, 2022. Since then, 24,000 deaths, 1,800 destroyed buildings, over a half-trillion dollars in damages, and millions of displaced human beings characterize the so-called conflict. It’s hard to continually write “conflict” to describe these horrors, atrocities, and barbaric results. One of the many, many other characteristics of the Russia-Ukraine conflict involves cyberwarfare, cyberespionage, and cyber threats and crimes.
The day before the conflict began, U.K. and U.S. cybersecurity agencies simultaneously published advisories about malicious software known as Cyclops Blink. Catchy name, eh? Silliness. Anyway, Cyclops Blink is malware with one intent. Once a machine is infected with Cyclops Blink, it comes under the control of the bad guys and serves as a robot ready to open the doors to other, connected machines. The botnet—the network of connected, infected machines—then uses Cyclops Blink as a facilitator to download more malware, such as programs that keep the good guys’ defensive tools in a state of anemia. It infects, spreads, then builds variant defenses against potential cures. Sounds familiar.
Russia’s Main Intelligence Directorate of the General Staff of the Armed Forces, commonly known as the GRU, is the one Russian intelligence branch that, unlike all the others, does not report directly to Putin. The GRU is organized within Russia’s military domain, and it reports up to the Minister of Defense. It is Russia’s largest intelligence faction, with plants operating in foreign countries, presumably ours included, at a rate five times that of Russia’s other intelligence agencies.
The Russian GRU oversees the group of state-sponsored hackers known as Sandworm. Some argue that Sandworm is one person, but most indications are that it is a team, also known as Unit 74455. Sandworm isn’t new to the cyberwarfare scene. It claimed responsibility for taking out Ukraine’s power grid in 2015. It attacked the 2018 Winter Olympics. And, it created another botnet that infected 500,000 computers across the globe, known as VPNFilter, which then evolved to become Cyclops Blink.
Last week, the U.S. Department of Justice released a report that it successfully disrupted a global botnet of thousands of infected machines under the control of Sandworm. Russia, to belabor the point, is not exclusively focused on perpetrating crimes in Ukraine. Our countermeasures did not cut off the snake’s—err, the worm’s—head. Rather, those crafty cybersecurity experts first copied the Cyclops Blink malware, then removed it from the thousands of infected systems. It was not disclosed why, exactly, that was the approach. Loose lips, dontcha know. Logic would maintain that by first copying it, then altering it to effect its removal, the intervening steps before it was successfully removed went undetected.
Our government didn’t go it alone. It partnered with WatchGuard, a Seattle-based company that’s been in the cybersecurity game since the 1990s. Sometimes, there’s no substitute for collaboration, and this public-private partnership not only exemplifies that truism but also shows how strong a force the GRU can be. WatchGuard published its own release on February 23, 2022, in order to instruct the owners of any potentially infected device about how to remove the Cyclops Blink malware.
After removal operations, the next phase was to make sure the door locks provided greater fortification going forward. Justice and its partners shut down all the ports that Sandworm had used to sneak in. Their remote control of the infected machines was over. By all accounts, hundreds, if not more, of U.S. government officials and their partners combined forces for these ends. The Justice Department had its lawyers fighting for the court order that allowed for copying and removal. Its FBI agents from Pennsylvania, Georgia, and Oklahoma were involved. The Cybersecurity and Infrastructure Security Agency and the National Security Agency were active in the investigation. Across the pond, the U.K.’s support was also vast and complex. Affected manufacturers had their security forces involved. What a cadre!
Also, please find yourself impressed that this one incident is one of many ongoing at any point in time. It is in the minority of those ongoing hacking campaigns that were actually known to be ongoing. When it comes to state-sponsored hacking endeavors—Russia’s not being all that unique from ours, North Korea’s, Germany’s, you know the long list—the energy, resources, and devastation can amass countless superlatives.
National security and defense are two paramount responsibilities of the U.S. government. When you consider this one operation’s expense and time, and then extrapolate that out to the unknown number of similarly damaging cyber-offenses, you might just be able to start appreciating how much public funding it takes to maintain security. Remember that all this is over nothing more, at its base, than digital ones and zeroes. Don’t let that lull you, though. It’s not meant to evoke a sense that the potential damage is “merely” digital in nature. Critical infrastructure is the phrase you should conjure up: nuclear plants, financial systems, the power grid, water treatment, and so on. Since those systems have all gone digital, they’re ripe targets at this point.
Someday, we will be waxing nostalgic about the simpler war times when it was “only” hardware—guns, missiles, heck hand-to-hand. I’m afraid that this one case of the one-eyed blinker will become de rigueur, and you might see by this example that those armory-based good ol’ days were, indeed, better.
Ed is a professor of cybersecurity, an attorney, and a trained ethicist. Reach him at edzugeresq@gmail.com.
