The United States has been largely mum on its offensive capabilities when it comes to cybersecurity operations. But recently, the Director of the National Security Agency and Cyber Command, General Nakasone, referenced such capabilities and described how his operational elements were engaged in assisting Ukraine in its cybersecurity defense before the Russian invasion. In addition, the FBI’s recent successful clawback of Bitcoin ransom payments is demonstrative of the United States’ ability to take offensive cybersecurity action.
Cutting Off Hydra
On April 6, 2022, U.S. Attorney General Merrick B. Garland shared another aspect of the U.S.’s offensive cybersecurity capabilities when he announced that the KleptoCapture Task Force successfully disrupted the Russian military intelligence (GRU) botnet. The United States, together with Germany, seized the Hydra darknet market. The AG described Hydra as “the world’s largest illegal marketplace on the dark web.” Additionally, charges were filed against Dmitry Pavlov, who is allegedly the administrator of Hydra’s technical infrastructure. The indictment estimated that Hydra-controlled cryptocurrency wallets received approximately $5.2 billion worth of cryptocurrency from 2016 through 2022, “accounting for an estimated 80% of all darknet market-related cryptocurrency transactions.”
At the same time, FBI Director Christopher Wray provided additional color as he described a separate takedown, and how the FBI had removed “malware from devices used by thousands of mostly small businesses for network security all over the world. And then we shut the door the Russians had used to get into them.” He described how the botnet was built by the GRU; specifically, a team of security researchers known as Sandworm Team. The Sandworm team implanted malware (Cyclops Blink) on WatchGuard Technologies Firebox devices and used those devices to launch denial-of-service attacks. This was not a solo FBI effort, but rather included liaison and collaboration across borders, with the UK’s National Cyber Security Centre, NSA, and DHS/CISA all playing an important role.
The Department of Justice leveled indictments against six members of the GRU Sandworm group in October 2020 for their role in taking down the Ukrainian government and critical infrastructure in the cyberattacks of 2015-2016. In the April 2022 takedown, the warrant package highlighted how the Sandworm team, GRU Military Unit 74455, hosted the cybersecurity researchers and operational personnel.
Secretary of State Antony Blinken commented that the collaboration with Germany on the neutralization of Hydra was “coordinated with our allies and partners—disrupts ransomware infrastructure and actors and targets the abuse of virtual currency to launder ransom payments.” He added that the U.S. Department of the Treasury has designated Hydra and Garantex (a virtual currency exchange). Secretary of the Treasury Janet Yellen, in her statement explaining the sanctions, said, “Our actions send a message today to criminals that you cannot hide on the darknet or their forums, and you cannot hide in Russia or anywhere else in the world. In coordination with allies and partners, like Germany and Estonia, we will continue to disrupt these networks.”
While the ability of Russia to reconstitute a cryptocurrency marketplace such as Hydra and to continue the operational activities of the Sandworm group has been disrupted, it would be folly to consider them destroyed. Rather, it’s prudent to consider that they are instead in the process of taking stock of their losses and rethinking how they go about their business. It is here where Nakasone’s groups, the NSA and U.S. Cyber Command, will earn their keep, as they strive to stay one step ahead of the GRU.