The newest GRU indictment is a roadmap for Election Day disruption [View all]

Link to tweet

https://www.greatpower.us/p/the-newest-gru-indictment-is-a-roadmap

On Monday, the Department of Justice unsealed the indictment of 6 hackers from Russia’s GRU (military intelligence agency) — members of Unit 74455, otherwise known as the hacker group “Sandworm” — for the “worldwide deployment of destructive malware and other disruptive actions in cyberspace.” It was quickly noted that none of the activities listed related to the 2020 US elections. But the wrong read on the indictment is that it has nothing to do with US election interference in 2020 because it doesn’t say that on the front page. The contents of the new indictment and its timing are entirely about the upcoming US elections and what might come after. It’s warning us about the scope and scale of operations that the Kremlin’s units for cyber operations attached to political warfare efforts (or active measures campaigns), including election interference, are capable of conducting.

The indictment connected the dots between a wide array of global cyberattacks over the past five years — hacking electoral campaigns in France; taking down electrical grids and banking systems in Ukraine; spillover effects of cyberattacks on Ukraine that crippled a US hospital system and some shipping services; a massive attack on government servers and thousands of websites in Georgia (the country, not the state); targeted attacks against institutions documenting Russia’s use of the nerve agent novichok in the attempted assassination of GRU defector Sergei Skripal in the UK; widespread attacks against South Korean and 2018 Olympics targets after Russian athletes were banned for doping — attributing some of them officially to Russia for the first time. The indictment made clear that this was a multi-nation intelligence effort to expose “intrusions and attacks intended to support Russian government efforts to undermine, retaliate against, or otherwise destabilize” all the target nations listed above.

“Sandworm” may not mean much to non-cyber obsessed humans: trying to follow hacker group nicknames and bravado is kind of like trying to immerse yourself in the complete Marvel universe mythology after the age of 40. But the broad range of activities attributed to Sandworm shows how much leeway such units are given by the Kremlin to probe and beta-test and operationalize different kinds of cyber weapons to expansively contribute to Russia’s strategic (and sometimes just petty) objectives within defined parameters. The pattern is one we see in other hybrid domains: just do stuff, maybe it works, and if not there are probably minimal consequences, and the Kremlin will just huff and puff and blow out denials anyway. There is a high risk-taking threshold. Thus we get the list of above activities that seem scattershot, but are not. They have a common operational core. They feed back into the same training process.

Exposing the names and identities of individual members of the unit is a significant step (one which not all former US intelligence officers I spoke to, leery of getting into a Cold War-style tit-for-tat unmasking of intelligence operatives, are wild about). In this case, though, releasing the names seemed to do double duty. Both the unit and one of the individuals had been previously named in Mueller’s indictment of hackers connected to 2016 US election interference efforts, including efforts to hack the DNC and personal emails and efforts to gain access to state level election systems in all 50 states. This indictment connects those 2016 cyberattacks to global efforts — and to ongoing attacks.

*snip*