Threat Intelligence / OSINT / NETSEC / NATSEC

When the DoJ publishes your photo - about indictments and cyber operations

Observing how the US administration uses political tools in response to cyber operations against the United States, indictments are one of the most visible elements. In recent years we have seen indictments against GRU officers, China's intelligence service and, most recently, FSB officers. On the surface, such actions may seem pointless. After all, an indictment is rightly associated with court proceedings, convictions, and the consequences of a fine or imprisonment. If we are talking about an official of the Chinese Ministry of State Security, it is hard to expect that we will ever get him behind bars. It is true that criminal prosecution is seldom achievable. This does not mean, however, that the indictments are completely useless. Let's look at them from two perspectives - cyberspace policy and response to cyber operations, and their usefulness for threat intelligence analysts.

When it comes to the first perspective, the matter is actually very controversial. The assumption that seems to guide the US administration is that so-called "name and shame", i.e. disclosing the identity of operators, can be an element of the response to cyber operations. The indictments are therefore intended to attach a cost to such operations, thus constituting an element of deterrence that discourages starting an operation, or rather of compellence, imposing the will that other countries not conduct operations against the USA. So is it really so, and what are the consequences of an indictment? Starting with the second question, the consequences naturally affect not the entire organizations responsible for the attacks, but individual operators. The fact that the US judiciary is looking for them significantly limits travel, so officers can forget not only about vacation in Miami but also about countries that have extradition agreements with the United States. And given how influential the US is, the pressure to extradite what is, ultimately, a hostile intelligence officer can be expected to be strong and effective. Interestingly, confirmation of this nuisance came, so to speak, from the other side of the barricade. Jake Williams, who worked for NSA TAO, in social media and press interviews loudly voiced his concern that officers of US units would be treated in a similar way. Similar concerns were also expressed by other officers anonymously:

However, these are individual cases, and they represent only the American point of view. More broadly, can indictments be an effective element of a strategy? One critic of this approach is Jack Goldsmith, who in his commentaries has repeatedly drawn attention to its shortcomings. He notes that the cost imposed on operators is not insignificant and that restricting travel will be a significant inconvenience for many, but that this cost is negligible compared with the losses caused by the activity underpinning the accusation. More importantly, such actions can paradoxically demonstrate the weakness of the state and give the illusory feeling that it is "doing something". The crimes the perpetrators are accused of are often very serious operations with specific economic costs - in the most glaring example, the billions of dollars caused by NotPetya. In this context, stopping at a largely symbolic document with few practical consequences is clearly disproportionate, and one gets the impression that the symbolic gesture replaces costly measures such as the imposition of economic sanctions. Another argument often made in favor of indictments is that they show how deeply US services have penetrated specific organizations. This would have a cooling effect, suggesting that further escalation could lead to more radical steps. However, it is difficult to judge the effectiveness of this approach given the absence of examples of such next steps.

In my opinion, however, the problem goes deeper and results from conflating CNA and CNE operations. Among the crimes listed in the indictments, we can distinguish two groups - destructive attacks such as NotPetya and Olympic Destroyer, and acts of espionage such as the actions of Chinese intelligence aimed at industrial espionage. While in the first category repression is to be expected, together with a clear signal that such operations will not be accepted, consider deterrence in the context of espionage. If we are talking about organizations such as the SVR, GRU or MSS, and on the Western side the CIA, SIS or BND, collecting information for decision-makers is the core of their existence. It is hard to realistically expect an end to espionage activity, which, according to the authors of the Tallinn Manual, does not constitute an armed attack, and which is also practiced by Western countries. There is, however, a distinction to be made. The reason the United States is paying so much attention is that industrial espionage by Chinese intelligence is used to support R&D. Thus, government agencies attack private entities and pass the information on to private entities in China, increasing their competitive advantage. This is something Western agencies do not practice, and it is an escalation beyond normal intelligence activity. It should be noted here that the indictments were part of a broader campaign. The US administration imposed sanctions on Chinese technology companies and strictly controls export licenses. Efforts also included the conclusion of agreements to end industrial espionage. According to the report prepared by FireEye, the agreement was effective and limited the scale of activity. However, I must mention that I have heard opinions that the decline in activity was due to the reorganization of the People's Liberation Army during this period, and I am cautious with my conclusions.
It should be emphasized, however, that the prosecution served here as one of the political means used to achieve a specific goal.

In the case of the Russian espionage listed in the documents, the matter is simpler - the FSB, SVR and GRU are intelligence agencies, and attempts to force them to cease, nomen omen, intelligence as such will not be effective.

The US Department of Defense is also an advocate of publishing indictments, as they support the so-called "Defend Forward" doctrine of conducting operations against hostile entities to limit their ability to operate in cyberspace. In this context, the indictment justifies the need for action by presenting the circumstances, motivations and objectives of the attackers' actions. This was the case with operation "Synthetic Theology", aimed at Russian agencies engaged in spreading disinformation. It was preceded by an indictment against the Internet Research Agency documenting the target's activity in trying to influence American society.

Between policymaking and CTI analysis there is another, indirect, function of indictments. Through their publication, and the signal that the judiciary is directing its attention to given activities, they can influence the private sector, motivating organizations to raise their level of security.

So what about the perspective of a threat intelligence analyst? Here, things are quite different. The indictments are extremely important material for CTI for several reasons:

  1. The information contained in them is backed by the entire strength of the state apparatus, which means that we can find a lot of information inaccessible to the private sector. Moreover, since these are documents in court proceedings, the evidence behind the allegations must be very strong.
  2. By linking data on cyber operations to specific military units and intelligence agencies, we get a picture of true attribution, which allows us to better profile activity groups, understand their goals, and check whether our internal arrangements.
  3. It is a truism, but a crime requires a victim. The indictments give us insight into the victimology of specific groups and the TTPs used against various victims.

A great example is the incident involving the Olympic Destroyer malware. Let's look at the indictment in which it is described. Starting with attribution, thanks to the document we learn directly who is behind the attack and what the affiliations of the attackers are:

Using the Diamond Model methodology, we can complete the socio-political axis - we know exactly who the attackers are and what their motivations are. Speaking of motivations, they are also stated directly:

Moving on to the attack itself, we find a description of how the attackers gained access to the environment by means of spearphishing. The document even includes details of the email accounts from which the files were sent, the file names, and screenshots of the messages themselves:

Finally, we will also find out how the attackers moved around the environment:

and carried out the destruction:

So we can reconstruct the entire kill chain of the attack as well as fill in every vertex of the diamond, creating a very accurate picture of the situation - much more accurate than we would find in any private-sector APT report.
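One way to capture what such a document gives an analyst, as an added example in Python that is not part of the original post: each fact from the indictment becomes a Diamond Model event with its kill-chain phase, the events are ordered into a kill chain, and the observables (sender accounts, attachment names) are checked against mail-gateway telemetry. Every unit name, address, file name and log line below is a constructed placeholder, not a value from the Olympic Destroyer indictment, and the `key=value` log format is an assumption for the example.

```python
"""Indictment-derived facts as Diamond Model events, ordered into a kill chain,
with a check of their observables against constructed mail-gateway logs.
All indicators and log lines are constructed placeholders (not real IoCs)."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Kill-chain phases in order; used to sort the reconstructed events.
KILL_CHAIN = ["reconnaissance", "weaponization", "delivery", "exploitation",
              "installation", "command_and_control", "actions_on_objectives"]


@dataclass
class DiamondEvent:
    """One Diamond Model event: the four vertices plus the meta-features an
    indictment is unusually good at filling (phase and socio-political axis)."""
    phase: str
    adversary: str          # the unit or agency named in the indictment
    capability: str         # tool, malware or technique
    infrastructure: str     # accounts, hosts or domains the adversary used
    victim: str
    motivation: str = ""    # socio-political axis
    observables: Dict[str, List[str]] = field(default_factory=dict)


# Constructed events standing in for what the indictment describes
# (spearphishing delivery, movement through the environment, destruction).
EVENTS = [
    DiamondEvent(phase="actions_on_objectives", adversary="military unit (placeholder)",
                 capability="destructive wiper", infrastructure="compromised internal hosts",
                 victim="event organiser (placeholder)", motivation="retaliation (placeholder)"),
    DiamondEvent(phase="delivery", adversary="military unit (placeholder)",
                 capability="spearphishing email with malicious attachment",
                 infrastructure="sender accounts named in the indictment (placeholders here)",
                 victim="event organiser (placeholder)", motivation="retaliation (placeholder)",
                 observables={"sender": ["press-office@example.invalid"],
                              "attachment": ["schedule.doc"]}),
    DiamondEvent(phase="installation", adversary="military unit (placeholder)",
                 capability="lateral movement with stolen credentials",
                 infrastructure="compromised internal hosts",
                 victim="event organiser (placeholder)", motivation="retaliation (placeholder)"),
]

# Constructed mail-gateway log lines in an assumed key=value format.
MAIL_LOG = [
    "id=1 from=press-office@example.invalid to=user1@victim.invalid attachment=schedule.doc",
    "id=2 from=colleague@victim.invalid to=user2@victim.invalid attachment=budget.xlsx",
    "id=3 from=press-office@example.invalid to=user3@victim.invalid attachment=",
]


def kill_chain_order(events: List[DiamondEvent]) -> List[DiamondEvent]:
    """Sort events into kill-chain order, as the indictment narrative allows."""
    return sorted(events, key=lambda e: KILL_CHAIN.index(e.phase))


def indicators(events: List[DiamondEvent]) -> Dict[str, Set[str]]:
    """Flatten the observables of all events into one lower-cased set per type."""
    out: Dict[str, Set[str]] = {}
    for e in events:
        for kind, values in e.observables.items():
            out.setdefault(kind, set()).update(v.lower() for v in values)
    return out


def scan_mail_log(lines: List[str], iocs: Dict[str, Set[str]]) -> List[Tuple[str, List[str]]]:
    """Return (message id, matched fields) for lines whose sender or attachment
    matches an indictment-derived observable."""
    hits = []
    for line in lines:
        fields = dict(kv.split("=", 1) for kv in line.split())
        reasons = []
        if fields.get("from", "").lower() in iocs.get("sender", set()):
            reasons.append("sender")
        if fields.get("attachment", "").lower() in iocs.get("attachment", set()):
            reasons.append("attachment")
        if reasons:
            hits.append((fields.get("id", "?"), reasons))
    return hits


if __name__ == "__main__":
    for e in kill_chain_order(EVENTS):
        print(f"{e.phase:<22} {e.adversary} -> {e.victim}: {e.capability}")
    print("matches:", scan_mail_log(MAIL_LOG, indicators(EVENTS)))
```

The value of keeping the phase and the socio-political axis on each event is that the same records answer both questions the text raises: "what did the attack look like end to end" (the sorted kill chain) and "does any of this touch us" (the log scan over the observables the indictment supplies).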

So let's go ahead and look at the recently published indictment against FSB officers responsible for operations aimed at critical infrastructure and government institutions in the US and Europe. Among the alleged acts is, for example, the use of the Triton malware, which was used in one of the most serious attacks on industrial systems in history. It was supposed to damage the safety systems of refineries in Saudi Arabia and, as a result, destroy equipment and possibly cause human casualties. From the indictment we learn how thorough the reconnaissance accompanying this type of attack is. We can read how the accused studied two scientific papers prepared by the Office of Civil Defense on vulnerabilities in American refineries, written in the 1960s and 1970s:

As we can see, this is the level of detail available to very few institutions.

Indictments related to cyber operations are a very interesting tool. On the one hand, their value as a means of preventing operations is difficult to determine; on the other hand, they have become a method by which the US government communicates information about operations. And the level of detail, coupled with the fact that these are court documents subject to very strong and formalized evidentiary requirements, makes them a must-read for CTI analysts. When assessing their role, let us consider them not as independent events, but as one of the many pieces in the puzzle of the state's response to cyber operations.

Finally, I recommend Katie Nickels' list of legal documents noteworthy for CTI analysts: https://docs.google.com/spreadsheets/d/12iZfDkc-DtVNXV5ZoOiKKZuNGcsb3yQ0V3DNBQIalSo/edit#gid=167758588

2 thoughts on "When the DoJ publishes your photo - about indictments and cyber operations"

    1. The main reason is discouraging further operations by signaling that the targeted entity is capable of attributing the activity and singling out the operators responsible. On the personal level it can also discourage security professionals from joining services responsible for offensive operations due to the threat of limited freedom of movement as a result. In terms of effectiveness it is hard to assess the actual impact, but broadly speaking intelligence operations can hardly be deterred, as they are the core function of foreign intelligence agencies.
