A secret military group from the United States helps Ukrainians fight Russian cyber attacks: how it works - ForumDaily
The article has been automatically translated into English by Google Translate from Russian and has not been edited.

Despite many analysts' predictions, Russia failed to destroy Ukraine's computer systems with a massive cyberattack during this year's invasion. One reason for this failure may be the work of a little-known unit of the US military that hunts adversaries on the Internet, the BBC reports.

The BBC received exclusive access to the cyber operators involved in these global missions.

In early December last year, a small US military team led by a young major arrived in Ukraine on a reconnaissance tour ahead of a larger operation. But the major quickly reported back that she needed to stay.

“Within a week, we had the whole team ready to go hunting,” recalls one of the team members.

They came to identify Russians on the Internet, but their Ukrainian partners made it clear that work must begin immediately.

“They assessed the situation and told me that the team would not go back,” says Major General William Hartman, who heads the US National Cyber Mission. “Almost immediately we received a report that ‘everything is different in Ukraine now.’ We didn’t redeploy the team, we strengthened it.”

Since 2014, Ukraine has experienced some of the biggest cyberattacks in the world. Among them was the first cyberattack in history to remotely shut down a power plant, in the middle of winter.

At the end of last year, Western intelligence officials observed the preparations of the Russian military and became increasingly concerned that a new avalanche of cyberattacks would accompany the invasion, paralyzing communications, energy, banking and government services, thus paving the way for a power grab.

The US military cyber command wanted to find out if Russian hackers had infiltrated Ukrainian systems by hiding deep inside. Within two weeks, their mission became one of the largest operations ever, involving some 40 troops from across the U.S. military.

In January, they were at the forefront as Russia began to pave the way in cyberspace for a future invasion that would put Ukraine's cyber defenses to an unprecedented test.

Infiltration of computer networks was for many years primarily associated with espionage—the stealing of secrets—but recently it has become increasingly militarized and associated with more destructive activities, such as sabotage or preparation for war.

This means a new role for the US military, whose teams take part in the Hunt Forward missions, in which they scour the computer networks of partner countries for signs of infiltration.

“They are hunters and know the behavior of their prey,” explains an operator conducting defense work against Russia.

Since 2018, US military operators have been involved in special operations in 20 countries, usually close allies of the US, in Europe, the Middle East and the Indo-Pacific region. However, these did not include countries such as Great Britain, Germany or France, which have their own expertise and are less likely to need or want outside help.

Much of their work was directed at fighting state hackers from China and North Korea, but Russia was their greatest adversary. Several teams of specialists were sent to some countries at once. Among these countries is Ukraine, where cyberattacks were for the first time associated with a full-scale war.

Inviting US military personnel to another country is a sensitive and even controversial issue, so many partners ask that the US presence remain secret - teams rarely wear uniforms. But increasingly, governments are choosing to report missions openly.

In May, Lithuania confirmed that the three-month work with defense and foreign affairs networks had been completed. Protecting these agencies has become a priority due to concerns about threats from Russia following the invasion of Ukraine.

Croatia hosted the last mission. “The hunt was thorough and successful, and we detected and thwarted malicious attacks on Croatian government infrastructure,” said Daniel Markic, head of the country’s Security and Intelligence Service.

“We were able to offer the US a new hunting ground and share our experience and acquired knowledge,” he adds.

But lukewarm public statements mask the reality that these missions often don't start out easy.

Even countries that are US allies can worry when they are forced to open up sensitive government networks to operators. In fact, revelations made by former intelligence officer Edward Snowden 10 years ago showed that the US was spying on friend and foe alike.

This suspicion means that the young men and women who arrive on a mission often face a severe test of their diplomatic skills. They show up at the airport carrying dozens of boxes of mysterious technical equipment, and they need to earn trust quickly in order to get permission for something sensitive: installing this equipment in the country's government computer networks to search for threats.

Simply put, the Americans must convince the hosts that they are there to help them, not to spy on them.

“I'm not interested in your emails,” is how Mark, who led two teams in the Indo-Pacific, describes the start of his negotiations. If the demo goes well, they can get to work.

Local partners sometimes sit with US teams in conference rooms and watch carefully to make sure nothing bad happens.

“We have to make sure we are trusted,” says Eric, who has 20 years of cyber operations experience. “Having people sitting next to us is a big factor in that.”

And although suspicions cannot be completely dispelled, a common enemy unites.

“The only thing our partners want is to throw the Russians out of their networks,” General Hartman recalls one of his team members saying.

US Cyber Command helps to understand the plans of the Russians or other possible attackers by working closely with the National Security Agency, America's largest intelligence agency that controls communications and cyberspace.

In one case, evidence of penetration came in real time. An American operator named Chris, who led several European missions, recalls watching someone move suspiciously through the computer network of a partner country.

The odd thing was that it was one of the LAN administrators the team worked with. This man was standing right behind Chris. Could it be some kind of internal threat?

“Is it you?” asked Chris.

“This is my computer, but I swear it’s not me,” the administrator replied, unable to take his eyes off the screen. Someone stole his online identity.

“Finding someone on your network is difficult, especially if they are using your credentials,” Chris explains. This case showed the reality of the threat and in turn helped secure greater access.

American experts say they share what they find, allowing local partners to kick out the Russians (or other government hackers) instead of doing it themselves. They also use commercial tools so that local partners can continue to work after the mission is completed.

Good relationships pay dividends. At the end of one mission, US operators say they were given a farewell gift by local partners—a computer disk containing malware from another network the team was not familiar with.

Each mission is different. Sometimes the enemy can be found on the first day of the search, explains Shannon, who ran two missions in Europe. But it often takes a week or two to unearth more advanced hackers in deeper hiding.

They often play cat and mouse with hackers from the Russian special services, who are especially skillful at changing tactics.

In 2021, it emerged that the Russians were using software from a company called SolarWinds to infiltrate the networks of customers who bought it, including governments.

American operators began to look for traces of their presence. General Hartman says a puzzle-loving tech sergeant at Cyber Command noticed Russians burying their code in a European country. Having deciphered it, he was able to establish that the Russians were hiding in the network. After that, eight different samples of malware attributed to Russian intelligence were made public. This allowed the industry to improve protection.

The hunt is not an altruistic act by the US military. In addition to gaining practical experience, cyber specialists also help their military at home.

During one mission, a cyber operator discovered that the same malicious software they found in a European country was also present in a US government facility. The United States often struggles to identify and patch vulnerabilities in its own networks, industry or government because responsibilities overlap between different agencies, even as it sends its operators overseas.

Hunt Forward missions are classified as “defensive,” but General Paul Nakasone, who heads Military Cyber Command and the National Security Agency, confirmed that they also carried out offensive missions after Russia’s invasion of Ukraine. The team does not disclose additional information about this.

In January of this year, a team in Ukraine witnessed a series of large-scale cyber attacks. “Be afraid and expect the worst,” said the hackers’ message on the Foreign Ministry’s website.

A US team watched in real time as an avalanche of wiper malware, which renders computers unusable, hit numerous government sites.

“They were able to help analyze some of the ongoing attacks and facilitated the transfer of that information to partners in the United States,” says General Hartman.

The goal was to destabilize the country before the February invasion.

When Russian troops crossed the border, American specialists were withdrawn from Ukraine. Awareness of the physical risk facing the Ukrainian partners who remained weighed heavily on them.

Hours before the February 24 invasion, a cyberattack took down a U.S. satellite provider that supported the Ukrainian military. Many assumed that this would be the beginning of a wave of attacks aimed at destroying key infrastructure, such as the railway. But that did not materialize.

"One of the reasons why the Russians may not have been as successful is because the Ukrainians were better prepared," says General Hartman.

“We are proud that they were able to defend themselves. Many people in the world thought that Ukraine would be defeated. But that didn't happen,” says Al, a senior technical analyst who was a member of the task force in Ukraine. “They are resisting.”

Ukraine is constantly experiencing cyber attacks that, if successful, can affect infrastructure. But the country has continued to defend itself better than many expected. Ukrainian officials say this is due in part to help from allies, including US Cyber Command, and their own gradually growing expertise.

Now the US and other allies are looking to the Ukrainians to learn from them.

“We continue to share information with the Ukrainians, they continue to share information with us,” explains General Hartman. “That’s the idea behind this long-term partnership.”

As Ukrainian and Western intelligence officials express concern that Moscow may respond to recent military setbacks with an escalation of its cyberattacks, this partnership could still face further tests.
