
How the US has helped counter destructive Russian cyberattacks amid Ukraine war

A Joint Cybersecurity Advisory published by the Cybersecurity & Infrastructure Security Agency about destructive malware that is targeting organizations in Ukraine is photographed Monday, Feb. 28, 2022.

The U.S.’s increased efforts to assist Ukraine and other Eastern European countries in shoring up their cyber defenses amid Moscow’s war on Kyiv appear to have been successful in countering destructive Russian cyberattacks and mitigating their impact.

The U.S. and its European allies provided significant cyber expertise to Ukraine and other Eastern European nations prior to the war, but experts said those efforts seem to have increased following the invasion of Ukraine in February as the countries all geared up for Russian cyberattacks.

“My sense is that the U.S. and the U.K. have both been pretty helpful when it comes to hardening Ukraine’s cyber defenses during the war and have been reasonably successful at their counter maneuvers as well, including things like removing Russian malware from machines and helping thwart attacks on Ukraine’s electric grid,” said Josephine Wolff, an associate professor of cybersecurity policy at the Tufts University Fletcher School.

In recent months, U.S. agencies like the FBI and the U.S. Cyber Command have reported that they’ve sent out cybersecurity experts to help countries such as Croatia and Montenegro bolster their defenses against Russian cyberattacks. 

Most recently, the U.S. Cyber Command confirmed that it had deployed its operators, known as the “hunt forward” team, for the first time in Croatia to help the Balkan country strengthen its cyber defenses and networks against active threats.

“It was an honor to send some of our best defensive operators to Croatia, to hunt for shared threats alongside our partners — we want to bring both expertise and talent to our partner nations, while seeing cyber adversaries who may be threatening our nation,” said U.S. Army Maj. Gen. William Hartman, commander of the U.S. Cyber Command’s Cyber National Mission Force, in a press release. 

The hunt forward team, a defensive cyber group made up of U.S. military and civilian personnel, said it worked alongside Croatian intelligence and cybersecurity officials to look for malicious activity and vulnerabilities.

The U.S. Cyber Command said it often sends the team overseas to help allies bolster their cybersecurity defenses and gather intelligence on adversaries’ cyber activities. 

The agency has also indicated that as of August, its hunt forward team had conducted 35 operations in 18 countries, including Estonia, Lithuania, Montenegro, North Macedonia and Ukraine, adding that much of that work was done during the pandemic.

Attorney General Merrick Garland, accompanied by cybersecurity and defense officials, to discuss new and recent enforcement actions to disrupt and prosecute criminal Russian activity at the Justice Department in Washington on April 6, 2022.

Those recent cyber investments seem to have helped countries such as Estonia and Ukraine, which have both reported that they’ve successfully thwarted cyberattacks launched by hackers tied to Russia. 

“It’s hard to know exactly how much of that success is due to Ukraine, the U.S., other allies, and private companies, like Microsoft and ESET which have also offered support,” Wolff said.

“[But] clearly, it’s a joint effort and certainly there have been some failings but, on the whole, the defense strategy seems to have held up fairly effectively,” she added. 

James Turgal, vice president of cyber consultancy Optiv, explained that some of the assistance has included gathering intelligence and helping the countries deconstruct malware before it spread further into their critical infrastructure and government networks.

“They’re helping them break down the malware so that the Ukrainians and all of the other countries around there can protect themselves against these types of attacks,” Turgal said. 

The U.S. has also been involved in helping with offensive cyber operations in Ukraine, as Gen. Paul Nakasone, the head of the U.S. Cyber Command, recently confirmed.

Nakasone said that his agency had conducted offensive cyber operations in support of Ukraine but did not provide specifics. He did, however, say that the operations were lawful and conducted with civilian oversight of the military. 

“We’ve conducted a series of operations across the full spectrum: offensive, defensive, [and] information operations,” Nakasone said during an interview with Sky News, a British television news channel. 

When it comes to cyber offensive operations, Jason Blessing, a research fellow at the American Enterprise Institute, said he doesn’t think that the U.S. has been directly involved in pulling the trigger, so to speak, but rather provided intelligence and technical skills to the Ukrainians so they can carry out the operations on their own.

“I think it’s much more likely that we provided intelligence that supported a Ukrainian-run offensive cyber operation versus the U.S. actually conducting it themselves disrupting Russian networks,” Blessing said. 

Blessing also said that helping those countries shore up their cyber defenses is a secondary priority for the U.S. in such collaborations with foreign nations, as its primary focus is intelligence gathering. 

Nakasone attends a Senate Armed Services hearing on Capitol Hill in Washington on Tuesday, April 5, 2022.

“We do it primarily because there is an intelligence need,” Blessing said.

“The U.S. has an intelligence need that drives these partnerships … and that’s why these countries are the ones that we’re going to because we’ve identified that there’s a specific intelligence need that we can fill by going and partnering with these countries,” he added. 

“And then as a secondary effect, it does help to build some of their defensive capacity,” he continued.

But regardless of where the U.S.’s priorities lie, experts agreed that the increased efforts to help those countries this year have paid off, as they have helped reduce the risk of potentially damaging cyberattacks.

“I’m sure they’re stepping up their efforts,” Turgal said. 

“And that’s why I think you’re not seeing, at least publicly, massive amounts of cyber attacks that have [major] impact because they have stepped it up,” he added. 

However, he was quick to warn that the defensive efforts haven’t stopped the Russians from trying to attack Ukraine and other neighboring countries.

“Don’t just think that the Russians have been sitting back just because you don’t see reporting of massive attacks,” he said. 

He noted, though, that the cyberattacks have had a minimal impact so far.

Although Russia has remained active on the cyber front, a senior cyber official at the Department of Defense recently said that Russian forces “underperformed expectations” in both the cyber and military space.

“I think we were expecting much more significant impacts than what we saw,” said Mieke Eoyang, deputy assistant secretary of defense for cyber policy at the Department of Defense, at a cyber summit in November.

Eoyang explained that some of that underperformance could be tied to Russia’s underestimation of how long it takes to prepare for cyber operations and cyberattacks prior to a war.

Turgal, who had a different take on the matter, said that the lack of major Russian cyberattacks is not so much due to Moscow underperforming or having lesser cyber capabilities than in previous years. Rather, he said, Russia is now dealing with a country that has strengthened its cyber defenses over the years with the assistance of the U.S. and the European Union, which continues to provide that support, essentially making it harder for the Russians to strike effectively and have a greater impact.

“[Russia] is still waging a very active cyber war against Ukraine and others, we’re just collectively defending better,” Turgal said.