Russia's Little Cyber Green Men Versus the U.S. Digital Army

The United States is mired in a new kind of conflict with Russia, one in which non-state actors are launching cyber attacks under the cover of a digital smokescreen that complicates attribution and efforts to retaliate against the enemy.

In the eyes of the U.S. Intelligence Community, to a certain extent this enemy includes the Kremlin itself, but mostly it spans an array of shadowy groups whose direct association with Russian President Vladimir Putin's government is suspected but not entirely clear, much less demonstrable.

But the intelligence officials Newsweek spoke to are certain about one thing: The situation works to Moscow's advantage.

Their reasoning is twofold.

"First, because of global perception as they are trying to increase influence and standing in the world," one U.S. military intelligence official, who asked not to be named, told Newsweek. "Secondly, Russian cyberattacks can typically be traced either directly or indirectly to the Kremlin and even Putin himself. They would not want the Russian government connected to an event like that, so they need a non-attributable method or means to achieve their desired effects."

Obfuscating attribution has been a key element of Russia's military strategy, even in the physical realm.

A recent example of this technique was seen in Ukraine following the political unrest in 2014 that ousted a Kremlin-friendly government that had resisted Western overtures. Sensing a threat to Russia's interests in Crimea, a largely ethnic Russian peninsula that houses the headquarters of the Black Sea Fleet, Putin deployed patchless troops that came to be known to locals as "little green men" or "the polite people"—a term that Russia's own military circles would ultimately embrace.

Within weeks, a referendum would see Crimea annexed by Russia, though the results of this vote remain unrecognized by Ukraine or its western partners, including the U.S. Today, such hybrid warfare techniques appear to be playing out with far more sophistication in cyberspace, and their scope has grown to include the U.S. homeland.

This U.S. military intelligence official with whom Newsweek spoke described the process of ascertaining to what degree Russian involvement was suspected in some of the recent cyberattacks against the country, including last year's SolarWinds hack, in which countless institutions from federal agencies to Fortune 500 companies were believed to have been affected.

"An intel assessment is made with varying levels of confidence based on the analysis of information derived from multiple sources," the official said. "It is used to establish predictive patterns or a tool for informed decision-making, whereas a criminal investigation is collecting testimony and evidence to connect a specific activity to a specific individual, entity, or group of actors, or to determine no criminal activity was performed."

But even if the investigation produces strong leads, building a case that can be prosecuted is another issue. Such an intelligence assessment, the official said, "could provide a level of confidence, but it would not be used as prosecuting material."

"An assessment does not equate to evidence," the official added.

Armed soldiers without identifying insignia keep guard outside of a Ukrainian military base in the town of Perevalne near the Crimean city of Simferopol on March 17, 2014. Voters on the autonomous Ukrainian peninsula of Crimea voted overwhelmingly yesterday to secede from their country and join Russia as such "little green men" or "polite people" later revealed to be Russian forces and pro-Russia militias were deployed to the peninsula. Spencer Platt/Getty Images

J.D. Cook, a former senior CIA official, also acknowledged the unprecedented complexity of proving who is behind an advanced cyber operation. This stems not only from the inherent difficulty of tracing origins on the digital front, but also from the risk of inadvertently revealing the secrets of U.S. cyber tools and methods in the process.

"Attribution is hard, because true disclosure would reveal sources and methods," Cook told Newsweek, "therefore tipping the opposition off."

He saw the answer in the work of other non-state actors, not the criminal kind lurking in the shadows, but the private sector forces operating on behalf of companies, and sometimes governments as well.

"The research of private sector firms such as Kaspersky, CrowdStrike, ESET and Mandiant/FireEye provides governments open source methods to disclose the cyber activities of, say, the Russians or North Koreans," Cook said.

Leading cybersecurity firm FireEye was the first to disclose last December that its supply chain had been infiltrated by an elite hack, which was used to penetrate and trojanize a software update for software company SolarWinds' Orion product. The discovery led to a series of events that saw U.S. agencies including the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency, the Department of Justice's FBI and the Pentagon's U.S. Cyber Command scramble to shore up the nation's digital defenses.

Even before coming to office, President Joe Biden vowed not only to double down on efforts to prevent such intrusions, but also to hold those behind them accountable. For SolarWinds, he called out Russia directly and issued sanctions against entities and individuals in April.

The following month, however, the nation was targeted by back-to-back ransomware attacks affecting the country's largest gas artery, the Colonial Pipeline, and U.S. locations of the world's top beef producer, JBS. Both companies were paralyzed, and ultimately paid out millions of dollars to resume operations.

It's not necessarily the money, however, but the implications for U.S. infrastructural security that resound in the national consciousness, and raise the most serious geopolitical questions regarding Washington and Moscow's rivalry.

These ransomware attacks were claimed by DarkSide and REvil, respectively, two hacker collectives believed to be operating within Russia or in nearby satellite states of the former Soviet Union. In these two cases, the Biden administration has stopped short of blaming Russia outright for orchestrating the attacks, but has demanded that Putin work to crack down on such activities within his jurisdiction.

When the two men met for their debut bilateral summit earlier this month, both had cyber issues on their agenda.

In the days since their high-level sit-down, Russian officials have appealed for greater bilateral contact on cyber issues, a key request that Putin has reiterated for months, dating back to Trump's last days in office. On Thursday, the Russian leader's security chief pledged to take action against any such illicit activity within Russia's borders as part of an arrangement that Biden had said, ahead of the summit, he would reciprocate.

"We are carrying out steps as part of the agreements reached between our presidents," Federal Security Service (FSB) Director Alexander Bortnikov said during the Moscow International Security Conference, according to the state-run Tass Russian News Agency. "So, we will be working jointly and hope for reciprocity."

But on Monday, Russian Deputy Foreign Minister Sergei Ryabkov told another Russian outlet, RIA Novosti, that the U.S. side would only "extremely rarely" respond to Moscow's requests for action, while expecting "that we should react to all their claims."

"This is a harmful position," Ryabkov said, "it will not lead to any progress."

With commitments on either side to cybersecurity cooperation unclear, two of the world's top military powers remain on guard for unexpected malware assaults, even if recourse remains uncertain.

One U.S. military cyberwarfare officer who spoke to Newsweek on the condition of anonymity said that "plausible deniability" leaves the legality of retaliation muddled for national governments, but, generally speaking, "from the signature of the software of the malware itself, and the way it's constructed, the way it's coded, we can tell, generally speaking" who's behind certain attacks.

As such, the officer urged greater resolve in laying out the protocols of a still largely undefined battlefield.

"If the government's going to be serious about pushing cyber to the forefront of negotiations with other nation states," the officer said, "we have to clearly define that red line."

The closest the public has seen to such an ultimatum is Biden passing to Putin a list of 16 targets that were entirely off-limits to cyber-meddling. The list itself has not been disclosed, nor has the planned U.S. response should a nation-state like Russia be accused of violating the terms of the de facto deal between the White House and the Kremlin.

Asked by reporters last week why Biden did not also reveal to his Russian counterpart a list of viable Russian targets, White House Press Secretary Jen Psaki said "because we don't preview our punches."

Russian Foreign Ministry spokesperson Maria Zakharova responded days later, saying Moscow was "deeply perplexed" by the statement.

"The impression is that, despite the first signs of pragmatism emerging in relevant bilateral contacts, the United States is still trying to reserve the right to deliver cyberattacks on the basis of groundless fabricated accusations of the same, which they so often level against Russia," Zakharova told reporters Wednesday. "Strictly speaking, it will not be a response by the United States but rather an undeclared and perfidious attack they will be the first to carry out. We want these words to be treated by Washington as seriously as possible."

The U.S. has the cyber capabilities to respond in kind to such obfuscated efforts on the part of an adversary.

The cyberwarfare officer explained that it would take all of 20 minutes and around $100,000 to set up a dark web network capable of launching sophisticated ransomware attacks. The only issue is that U.S. law currently restricts any such activities coming from a third party, and the Pentagon would be the only entity with the authority to mount such an operation.

Authorized measures by the U.S. military are referred to as computer network defense response actions, and U.S. Cyber Command has a broader doctrine known as "defend forward" that utilizes a strategy called "persistent engagement."

"We conduct Hunt Forward operations, where our defensive cyber teams are invited by other nations to gather insights from their government networks on adversary behavior," a U.S. Cyber Command spokesperson recently told Newsweek. "These operations are one part of our 'defend forward' strategy—where we see what our adversaries are doing, and share with our partners in the homeland to bolster defense."

Such operations have deliberately targeted Russian state arms such as the Foreign Intelligence Service, or SVR, as was the case in an operation revealed in April in direct response to SolarWinds.

A Defense Department spokesperson also described the strategy to Newsweek.

"The Department is continuously defending itself from malicious activity and, more broadly, defending the country from significant malicious actions through persistent engagement," the spokesperson said. "Our persistent engagement activity generates insights that are shared with Federal and private sector partners, making us all more secure. The President may direct the Department to conduct additional cyber operations when he deems them necessary."

A graphic highlights the watch floor of the U.S. Navy Fleet Cyber Command, the official cyberwarfare branch of the U.S. Armed Forces. Oliver Elijah Wood/Petty Officer 2nd Class William Sykes/U.S. 10th Fleet/U.S. Fleet Cyber Command

In his remarks following the U.S.-Russia summit, Putin charged that the U.S. was the source of most of the world's cyberattacks, followed by Canada, two unnamed Latin American countries and the United Kingdom. His own country, on the other hand, "is not on the list" of top cyberattack culprits.

Proving Putin wrong may take a shift in U.S. strategy, as long as Russia follows its signature techniques, which one cyber threat researcher who previously worked with secure networks in the U.S. military said "operationally, really is the definition of 'little cyber green men.'"

"You're creating a third-party army, if you will," the researcher, who now focuses on large-scale threat intelligence, human intelligence and cyber incident response, said, "and you're giving them sort of the marching orders, you're giving them protection from prosecution, as long as their attacks are within a certain level of boundaries. So if that's the Russian process, it also helps with confusing the attribution, because now whoever the target is, say the U.S., is having a harder time."

"Then you have to say, 'Okay, is this just straight up criminal enterprise, and they're just in it for the money?'" the researcher said, "'Or is how they're attacking and what they're attacking an indication of where they're getting their marching orders from?'"

Until there's a way to expose the "little cyber green men" operating out of Russia as agents of the state beyond a reasonable degree of doubt—a threshold yet to be clearly determined—the U.S. remains mired in what is essentially a digital guerilla war.

Another current Pentagon intelligence official referenced a 2002 science fiction film to illustrate the conundrum.

"It's almost like 'Minority Report,'" the official told Newsweek, "where you can find a path of likely outcomes to build a reasonable conclusion, but unless a crime has been committed, it isn't a crime."