A significant number of nation-state hackers were indicted in 2020 and early 2021, as pressure mounted to hold such threat actors accountable.
While suspected threat actors will not be extradited to stand trial, or likely even be arrested, some infosec professionals and law enforcement officials say the indictments hamper nation-state advanced persistent threat (APT) groups. Indictments put a name and possibly face to the attackers and can hinder the financial profits of those groups. The indictments also show the government takes nation-state threats seriously and provide insight into the specific tools and tactics these groups use.
Indictment activity reached its peak in 2018 when the Department of Justice (DOJ) released charges against more than 50 threat actors, 25 of whom were Russian nationals indicted for hacking and influence operations regarding the 2016 presidential election. The 2018 indictments also included one against the North Korean state-sponsored group behind the massive WannaCry hack. Though indictment activity slowed in 2019, indictments are now on the rise, with two already this year. In 2020, the DOJ unsealed seven indictments that included notable cases.
For example, one indictment charged four members of China’s military for hacking into the computer systems of credit reporting agency Equifax. The breach initially occurred in 2017 and compromised nearly 150 million Americans’ personal information. In addition, six Russian state-sponsored actors were indicted for developing and using what the DOJ referred to as “some of the world’s most destructive malware to date.” That included the destructive NotPetya attacks, among others.
However, many infosec experts and vendors also question the long-term effectiveness indictments carry.
The attribution component of such indictments are important, according to Kurt Baumgartner, security researcher at Kaspersky Lab. One reason is the strong starting point they provide for negotiations and discussions when it comes to foreign policy, without being too escalatory.
“They can establish a solid narrative for what has been stolen, destroyed, disrupted and what is appropriate or completely out of line. Indictments can help exclude hyperbole or distraction from any real discussion of an issue and can help draw attention to what is a serious threat,” he said in an email to SearchSecurity. “They don’t have to conclude with sentencing to provide some sort of value.”
Part of that value is deterrence. Austin Merritt, cyber threat intelligence analyst at Digital Shadows, told SearchSecurity that even though an individual is not arrested or extradited to face trial, an indictment can still have far-reaching effects. One example he provided was from 2019 when the Office of Foreign Assets Control (OFAC) sanctioned members of Evil Corp, which is known for the notorious Dridex malware as well as its association with Russian state-sponsored threat activity.
“Due to OFAC’s sanctions, Evil Corp’s victims face a tricky situation if they choose to pay the ransom as they would violate these sanctions. As a result, Evil Corp has begun distancing itself from its known ransomware variants and shifting to new tools that aid them in bypassing the sanctions imposed upon them,” he said in an email to SearchSecurity.
By making it known that anyone who facilitates transactions with the indicted threat actors may be subject to sanctions, this can limit the geographic sphere and personal network in which the threat actors use their financial influence, Merritt said. “So, in this case the indictment made it difficult to monetize some of their previous criminal endeavors.”
They can also make the world smaller for the indicted actors by impacting their ability to travel. But even if it does not directly impact the lives of the nation-state actors, it does send a message. Adam Meyers, senior vice president of intelligence at CrowdStrike, told SearchSecurity that it’s a signal to the originating nation of these attacks that the government has visibility into what they’re doing. Meyers said the people who are frequently being indicted fall into two categories.
“[For] super high-level kind of politicians, it might impact some of their business. In the case of the Russians, it might be oligarchs and it could have implications on their overseas businesses and bank accounts. The other category is low-level operators — does it mean they can’t go to Disneyland? Sure. But beyond that I don’t think it has significant impact.”
Adam MeyersSenior vice president of intelligence, CrowdStrike
While it may not affect their day-to-day lives, unsealed indictments can offer useful information. For example, they put individual names to the threat actors, and provide information on a particular type of activity that in some cases may be more than what is publicly available.
“They’re effectively sharing information through these indictments, which I think partly helps the community and industry on what’s going on because there’s a lot of information on what these adversaries were doing and how,” Meyers said.
Additionally, Meyers said there are political considerations in terms of what the impacts of these indictments are, and the timing is important to consider. “Were there bilateral, multilateral meetings occurring at the time these indictments came out that enabled diplomats to leverage the indictment and news to push on certain topics? I think there’s a lot of things I don’t think anyone will ever fully understand because I think it’s something being handled within the DOJ and broader U.S. government.”
According to Baumgartner, it seems that indictments are part of a longer game being played by governments. The indictments document alleged APT activity, along with locations, and can expose associated organizations. “These associations may cause future problems on the global stage for the APT. Perhaps we won’t find infrastructure being hosted in particular parts of the world where we have found them previously, or we may see cooperating ‘businesses’ and ‘money-men’ extradited, for example.”
Baumgartner said he believes at least short-term friction is generated for APT groups by indicting individuals.
Do indictments have long-term impact?
Many infosec experts say short-term consequences are the only effect of charging nation-state actors, if it deters them at all.
While it can hinder threat groups in certain ways such as monetary, Merritt said determined actors can eventually find a way to outmaneuver financial sanctions. “Critics would argue that indictments may be self-defeating and that sustained disruption operations are more effective.”
The 2019 CrowdStrike Global Threat Report found that in spite of some impressive indictments against several named nation-state actors, their activities show no signs of diminishing. One group it referenced was Russian state-sponsored group Fancy Bear, which was behind some of the election interference activity in 2016.
“Despite indictments from the U.S. DOJ and other public disclosures released by Western European governments, this adversary has continued to sustain operations targeting government, defense and military sectors of Europe and Eurasia, as well as organizations affiliated with NATO,” the report said.
According to Meyers, it’s more about sending a message than the material impact it has on the nation-state actors and their daily lives. And while the information sharing is important, Meyers said they don’t see a significant decrease in activity because of indictments. “This is their job. If they’re indicted for some criminal misconduct then sure, it’s going to mean they can’t travel as freely as they want, but that’s about it. They won’t get extradited.”
Earlier this year, the DOJ unsealed an indictment that expanded on a 2018 case that detailed an attack against Sony Pictures and the creation of WannaCry ransomware. The indictment against North Korean Lazarus group hackers referred to the actions of the now three defendants as a “series of destructive cyberattacks to steal and extort more than $1.3 billion of money and cryptocurrency from financial institutions and companies.”
On Thursday, the U.S. government announced sweeping actions against the Russian government in response to the recent SolarWinds supply chain attack. While there were no indictments of specific threat actors, the government formally attributed the attacks to the Russian Foreign Intelligence Service, or SVR, and imposed sanctions against 32 organizations within the country.
The U.S.’s heightened effort to hold nation-state hackers accountable may set a trend.
In Kaspersky’s Advanced Threat Predictions for 2021, published in November, the vendor anticipated more countries will use criminal indictments as part of their cyber strategy. According to the report, Kaspersky researchers predicted some years ago that the government would resort to “naming and shaming” to draw attention to the activities of APT groups. They have already seen several cases of it over the last year as represented in the high number of 2020 indictments.
“We think that U.S. Cyber Command’s ‘persistent engagement’ strategy will begin to bear fruit in the coming year and lead other states to follow suit, not least as ‘tit for tat’ retaliation to U.S. indictments,” the report said.
While the effects of charging nation-state actors may not be tangible, indictments offer a way to publicly acknowledge the attacks and emerging threats, and the individuals behind them.
“Generally speaking, these actions remind threat actors that cyberattacks will not occur without consequences,” Merritt said.