U.S. Cyber Command Expands Operations to Hunt Hackers From Russia, Iran and China
Building on a 2018 effort, Cyber Command sent teams to Europe, the Middle East and Asia to learn more about how adversaries could threaten the election this year.
In addition to new operations in Europe to pursue Russian hackers, Cyber Command sent teams to the Middle East and Asia over the past two years to help find Iranian, Chinese and North Korean hacking teams and identify the tools they were using to break into computer networks.
Cyber Command was expanding on a push begun in 2018, when it sent teams to North Macedonia, Montenegro and other countries to learn more about Russian operations. The move also reflects a stepped-up effort to secure this year’s presidential election.
Cyber Command, which runs the military’s offensive and defensive operations in the online world, was largely on the sidelines in 2016. But for the 2018 midterm elections, the command took a far more aggressive posture. In addition to sending the teams to allied countries, it sent warning messages to would-be Russian trolls before the vote, in its first offensive operation against Moscow; it then took at least one of those troll farms offline on Election Day and the days afterward.
The 2018 operation was focused mostly on Russia, according to what is publicly known about it. But before the election this year, intelligence officials have described efforts by Iran and China, as well as Russia, to potentially influence the vote, and Cyber Command has also widened its focus.
“Since 2018, we have expanded our hunt forward operations to all major adversaries,” Lt. Gen. Charles L. Moore Jr., the deputy head of Cyber Command, said in an interview in his office at Fort Meade.
Cyber Command calls its work with allies to find enemy hackers “hunt forward operations.” After getting close to foreign adversaries’ own networks, Cyber Command can then get inside to identify and potentially neutralize attacks on the United States, according to current and former officials.
“We want to find the bad guys in red space, in their own operating environment,” General Moore said. “We want to take down the archer rather than dodge the arrows.”
Officials would identify only regions and not the countries they had operated in before the 2020 election. But Cyber Command officials said those efforts uncovered malware being used by adversarial hacking teams. Other government agencies used that information to help state and local officials shore up their election system defenses and to notify the public about threats.
Cyber Command sends teams of experts overseas to work with partner and allied nations to help them find, identify and remove hostile intrusions on their government or military computer networks.
For the allied nations, inviting Cyber Command operatives not only helps improve their network defenses but also demonstrates to adversaries that the United States military is working with them. For the United States, the deployments give its experts an early look at tactics that potential adversaries are honing in their own neighborhoods, techniques that could later be used against Americans.
The information gathered in the hunt forward operations was shared with the rest of the U.S. government to help defend critical networks before the election, Gen. Paul M. Nakasone, the head of Cyber Command, wrote in an article in Foreign Affairs in August.
Cybersecurity experts have argued that the deployments allow Cyber Command to work alongside partner teams that are under daily attack by Russia, Iran or China.
“The best way to get intelligence is through true cooperation and collaboration with other teams combating it,” said Theresa Payton, a cybersecurity expert and a former official under the George W. Bush administration. “They will have received different types of targeted attacks you may not have seen.”
Cyber Command officials said they continued to try to identify and stop foreign threats to the election after the midterm vote in 2018, adding new partners to their defensive network.
“The attacks are always ongoing; that is why Cyber Command’s ongoing work with other countries’ military cyberoperations is our best way to be on offense to protect American interests,” said Ms. Payton, whose book “Manipulated” examined emerging types of cyberattacks.
Some lawmakers and experts believe that foreign influence efforts could increase should there be a disputed election result, amplifying claims of fraud or demands for recounts.
Similarly, Cyber Command officials said their efforts to try to counter foreign threats would not end with the close of voting on Tuesday; they will continue as votes are counted and the Electoral College prepares to meet in December.
“We are not stopping or thinking about our operations slacking off on Nov. 3,” General Moore said. “Defending the election is now a persistent and ongoing campaign for Cyber Command.”
Julian E. Barnes is a national security reporter based in Washington, covering the intelligence agencies. Before joining The Times in 2018, he wrote about security matters for The Wall Street Journal.