


The U.S. intelligence community relied on American technology companies to battle Russian cyberattackers targeting Ukraine to prevent a catastrophic cyber war capable of spreading across the Atlantic, The Washington Times has learned.
Details are still emerging about what the U.S. government described as a “power collaboration” teaming private companies, including Microsoft, with the National Security Agency against Russian cyberattackers. The NSA cybersecurity officials’ work with Microsoft and others was intended to stop Russia dead in its tracks before devastating attacks could eviscerate Ukrainian networks and serve as a launchpad for an assault on the United States, according to U.S. officials.
NSA cybersecurity Director Rob Joyce told The Times that the agency’s Cybersecurity Collaboration Center partnered with cybersecurity and information technology service providers to “identify and eradicate malicious operations in cyberspace.”
Microsoft’s role alongside the U.S. intelligence community in Ukraine was divulged earlier this month by Nathaniel C. Fick, U.S. ambassador-at-large for cyberspace and digital policy, at a German Marshall Fund event. However, the depth of the collaboration is just now being revealed as the company refrained from publicizing the work of the partnership in Ukraine.
Mr. Joyce said in a statement that the NSA’s collaboration center engaged in “deep analytic exchanges” with the companies and shared actionable threat indicators that enabled the cyber warriors to pursue digital attackers.
“These interactions made big impacts defending Ukrainian networks, as Ambassador Fick noted,” Mr. Joyce said. “They also broadly addressed capabilities that could be used against U.S. government, industry and critical infrastructure. The unique NSA insights, partnered with industry’s visibility and capacity to act is a power collaboration, making us all safer at scale.”
Government officials and tech executives have not disclosed a specific event that they prevented or responded to in Ukraine as part of the collaboration, but the vulnerability of civilian infrastructure has been a top concern.
The collaboration between government and business came in the wake of blowback from Russian cyberattacks in 2021 on American networks, and security professionals’ expectation of a larger digital onslaught.
Before Russia invaded Ukraine last year, Russia’s state-sponsored hackers victimized U.S. government networks and Russian cybercriminals hit a major gas pipeline and other components of America’s critical infrastructure.
After Russia’s assault on Ukraine began, however, an expected large-scale cyber conflict did not immediately materialize. Senate intelligence committee Chairman Mark Warner, Virginia Democrat, said in March 2022 that the government could not fully explain the lack of a major cyberattack.
A big reason was the government’s new collaboration with the tech sector, according to Mr. Fick. He said this month that attacks have happened; they just were not successful.
“People have wondered why Russian cyberattacks seem not to have been effective, or as effective in Ukraine or in Europe,” Mr. Fick said at the German Marshall Fund event. “And in Ukraine, one of the reasons is that Microsoft and others were able to push updates at scale in near real-time based on collaboration with U.S. intelligence community that allowed them to blunt these attacks.”
The collaboration is sensitive and may put a target on the backs of private American tech companies and their workers, who are reluctant to speak about their work with the U.S. intelligence community.
Microsoft has decided to hide details of its work with the U.S. intelligence community from public view. After initially saying that Microsoft corporate Vice President of Security and Trust Tom Burt would speak with The Times, the company later refused to make him or anyone else available for an interview.
A Microsoft spokesman shared previous statements from company executives about Microsoft’s work in Ukraine, but none of the statements mentioned the U.S. intelligence community. Mr. Burt wrote in an April 2022 company blog post that Microsoft’s security teams had worked closely with Ukrainian officials and “cybersecurity staff at government organizations.”
Another Big Tech company combating cyberattackers in Ukraine is the Google-owned cybersecurity team Mandiant, which has received credit for uncovering in 2020 the SolarWinds hack of federal agencies that the Biden administration attributed to Russia’s Foreign Intelligence Service.
Mandiant would not directly answer if it was involved with the U.S. intelligence community’s effort against Russia in Ukraine.
“Mandiant has been working with our partners in Ukraine and elsewhere since before the invasion to protect our customers and community from Russian cyber espionage and cyberattack,” said Mandiant executive John Hultquist in a statement. “Within the context of this campaign and others we have found that an intelligence-led approach is effective in identifying threats and even thwarting attacks.”
It is unclear whether tech workers linking arms with the federal government have received compensation for their joint effort against the Russian cyberattackers.
Both Microsoft and Google’s Mandiant are members of the Biden administration’s Joint Cyber Defense Collaborative, created in August 2021 to partner companies with government agencies including the NSA and the Department of Defense to fight hackers and cyberattackers aiming at the U.S. The government has described the role of the participating companies as defensive rather than offensive, designed to prevent attacks and limit the fallout.
The new partnership was formed in the aftermath of the Russia-linked DarkSide ransomware gang hitting major U.S. fuel supplier Colonial Pipeline, and both Mandiant and Microsoft were initial members.
The group’s government website defines its success stories as including the creation of a “Russia-Ukraine Tensions Plan” in early 2022, running a tabletop exercise gaming out its execution, and creating a list of free cybersecurity tools.
Cybersecurity expert Paul Rosenzweig said Microsoft’s collaboration with the intelligence agencies to blunt cyberattacks is relatively new, and he said all companies working alongside the government in a similar capacity deserve to be commended.
Mr. Rosenzweig, who worked in the Bush administration from 2005 to 2009 and teaches at George Washington Law School, said the tech companies’ work runs the risk of causing Russia to view them as aiding an enemy, but he does not think it would inflame the war.
“I don’t think there are risks of escalation,” Mr. Rosenzweig said. “And I think the benefits outweigh the risks.”
Big tech companies are not shy about disclosing their assistance to Ukraine and are expected to reveal more in the coming days as the one-year anniversary of Russia’s invasion approaches.
For example, Google hosted Ukraine’s minister of digital transformation Mykhailo Fedorov at the company’s offices in Washington, D.C., in December. The company said then that its Mandiant team was providing direct assistance to the Ukrainian government, including helping to defend against and diminish cyberattacks and providing incident response services, among other things.
Microsoft, meanwhile, said in November that its total support for Ukraine amounted to “more than $400 million since the war began in February.”
But American Big Tech’s battle against Russia may not be enough to stop a cyber conflict from spreading throughout the West soon.
In December, Microsoft’s Clint Watts said Russian military intelligence-affiliated cyberattackers had struck at energy, water, and other infrastructure organizations’ networks while missiles took out power and water supplies. He also said destructive cyberactivity had spread outside Ukraine to Poland, in a potential effort to halt supplies and weapons moving into the country.
“We should also be prepared for the possibility that Russian military intelligence actors’ recent execution of a ransomware-style attack — known as Prestige — in Poland may be a harbinger of Russia further extending cyberattacks beyond the borders of Ukraine,” Mr. Watts wrote on the company’s blog. “Such cyber operations may target those countries and companies that are providing Ukraine with vital supply chains of aid and weaponry this winter.”
Mr. Watts wrote in December that civilian infrastructure has not been off-limits from Russian cyberattacks, and Microsoft observed roughly 50 Ukrainian organizations hit with destructive wiper malware by Russian military operators since February 2022.
A majority of those targeted organizations represented Ukraine’s critical infrastructure, including networks belonging to the emergency services, energy, healthcare, law enforcement, water and transportation sectors.
The U.S. is among the countries providing Ukraine with vital support. Alongside weaponry sent by the federal government, U.S. Cyber Command conducted defensive operations with Ukrainian cyber officials.
The State Department said last year that U.S. and Ukrainian cyber officials sat side-by-side from December 2021 to February 2022 to improve Ukraine’s cyber resilience.
The U.S. government provided more than $40 million in “cyber capacity development assistance” between 2017 and February 2022, according to the State Department, and America’s cyber defenders do not appear poised to abandon Ukrainian cyber officials anytime soon.
• Ryan Lovelace can be reached at rlovelace@washingtontimes.com.