There’s little that Russian hackers hate more than being seen as soft. So when U.S. military hackers saw a way to publicly portray them as bumbling and unthreatening in recent weeks, they seized the moment.
It all began when Cyber Command, the U.S. Department of Defense’s offensive cyber arm, started working with a graphics company to illustrate foreign government hackers. The military realized it could punch up the reports it releases on foreign hacking operations by adding illustrations, and try to embarrass or infuriate the foreign hacking shops along the way, one U.S. official told CyberScoop.
In one case, when Cyber Command started making plans to expose some state-sponsored espionage operations tied to Russia’s Federal Security Service (FSB), the country’s KGB successor, it turned to the graphics company to develop images that would goad the Russians, the official said.
“Russia hates to be seen as cuddly or cozy so we want to tick them off,” said the official, who was not authorized to speak with the press.
The best way to do that, the military hackers decided, was to represent the FSB hackers as an endearing, if bumbling, bear. (The cybersecurity community has long used names with references to bears to identify Russian hacking outfits, such as Cozy Bear and Fancy Bear, the hacking groups behind the 2016 breach of the Democratic National Committee.)
An implant dropper dubbed #ComRATv4 recently attributed by @CISAgov and @FBI to Russian sponsored APT, Turla. It was likely used to target ministries of foreign affairs and national parliament.
@CNMF_CyberAlert continues to disclose #malware samples on: https://t.co/fSgk1xpG8t pic.twitter.com/c2jmozTAyB
— USCYBERCOM Cybersecurity Alert (@CNMF_CyberAlert) October 29, 2020
Art that the cybersecurity community uses to portray Russian hackers has typically shown burly or ferocious bears, but Cyber Command wanted to avoid giving the Russian hackers an ego boost, the official said.
“We don’t want something they can put on T-shirts,” the U.S. official said. “We want something that’s in a PowerPoint their boss sees and he loses his shit on them.”
The result was an Oct. 29 report that shows a bear tripping over himself and spilling Halloween candy out of a pumpkin trick-or-treat bucket.
The effort to irritate the hackers is just the newest chapter in a broader Cyber Command effort to undermine foreign government cyber-operations. Cyber Command has been publishing samples of malicious software used by foreign hackers in recent years as part of an initiative aimed at getting the cybersecurity community to protect against adversaries’ malware, thereby making the hacking less effective. The program is also aimed at sending a warning shot to foreign hackers that the U.S. government is tracking them.
Historically, this kind of taunting has been a way to boost morale at home, according to Pablo Breuer, the former director of U.S. Special Operations Command Donovan Group.
“When you go back to the heyday of information campaigns, go to World War II, and you look at the messaging governments did to their own populace, it was either a positive messaging about yourselves or it was negative messaging against the adversary,” said Breuer, who previously worked at Cyber Command and the National Security Agency. “I think the silly graphics are more about messaging to the U.S. government and populace and branding: ‘If the adversary is not that good, then Cyber Command must be really good.’”
The first time Cyber Command wanted to share a mocking graphic about foreign hackers, the contractors had to redraft their sketches because the first one wasn’t silly enough, the U.S. official said. The graphics company’s task was to depict malware attributed to suspected Chinese government hackers, which Cyber Command called “Slothful Media” for its lazy coding techniques. When the command released the image, its Twitter followers responded with jokes and playful comments about the portrayal.
“Our original graphic idea for ‘Slothful Media’ had to change because we realized it would be too cool,” the official said, in recognition of the fact that the government runs the risk of unnecessarily inflating the adversary if the graphics are improperly executed. “Better to mock.”
The official declined to share details about what made the original image too “cool,” but the graphics company eventually produced an image of a cartoon-like sloth wearing headphones and crawling over to a laptop.
A relatively new implant, which we have dubbed #SlothfulMedia, has been used to target victims in a number of countries, including: India, Kazakhstan, Kyrgyzstan, Malaysia, Russia and Ukraine.
— USCYBERCOM Cybersecurity Alert (@CNMF_CyberAlert) October 1, 2020
The graphics program is just over a month old, and in that time Cyber Command has exposed hacking operations only from Russia and China. That means the command has not yet published teasing graphics about hackers from Iran or North Korea, two of the country’s other chief digital adversaries.
Dan Hoffman, a former chief of station at the CIA, told CyberScoop he thinks the publication of these graphics may not be overwhelmingly upsetting to Moscow or Beijing.
“You’re definitely not going to influence the bad guys. They don’t care,” said Hoffman, whose tours of duty in the CIA included time in the former Soviet Union. “Maybe they don’t like to be named and shamed but at the end of the day what Vladimir Putin would do at least is say … ‘You named and shamed us? Ok we’re gonna grab a shot of vodka and go back to work.’”
But the graphics tactic could be effective in signaling there may be harsher consequences down the road, Hoffman added. In recent years Cyber Command has been working to bolster the arsenal of responses it can use to deter foreign government hackers. The strategy, known as “persistent engagement,” has led Cyber Command to shut down Russian social media trolls’ internet access in one case, and in another, to send direct messages to Russian government actors to deter them from running election-related influence campaigns.
“They’re talking about persistent engagement and that’s what they’re doing with the graphics — they’re taking the fight to the enemy and saying if you’re going to shoot at us we’re going to go find and shoot you in the face so you can’t shoot at us anymore,” Hoffman said. “We don’t want to go ‘cyber nuclear war’ with you … we’ll shut you down at a playful level first with graphics, and we can escalate.”
The cost of the cartoonish graphics alone, however, may not be great enough to change adversary behavior, according to Breuer.
“If Cyber Command is trying to send a message the adversary is trivial, the adversary is laughing on the way to the bank — because their cyber-operations are still remarkably successful,” said Breuer, who now works at Cognitive Security Collaborative. “What real consequence is there to China and Russia from doing this? Compared to the value our adversaries are getting from these cyber-operations, they’re just going to look at it as the cost of business.”
Even if the graphics don’t irk the foreign hackers, Cyber Command hopes they may prompt antivirus companies to pay more attention to the command’s malware warnings, the U.S. official said.
“It increases engagement in the community, which gets more attention on the malware, so worse for the actors. Wins all around,” the official said. “The community here is [having] fun with it, so that drives engagement on the stuff we want caught, and theoretically improves detection.”
A Cyber Command spokesperson said the command “develops visual imagery to engage with the cyber security community on malware disclosures and vulnerability alerts. We recognize the key role that industry plays in ensuring global cybersecurity defense against malicious cyber actors, and so we leverage social media best practices to enhance messaging with industry.”