The newest GRU indictment is a roadmap for Election Day disruption
The US fired a warning shot at the Kremlin before the election — or maybe it’s a signal flare to alert Americans what may be coming

On Monday, the Department of Justice unsealed the indictment of 6 hackers from Russia’s GRU (military intelligence agency) — members of Unit 74455, otherwise known as the hacker group “Sandworm” — for the “worldwide deployment of destructive malware and other disruptive actions in cyberspace.” It was quickly noted that none of the activities listed related to the 2020 US elections. But the wrong read on the indictment is that it has nothing to do with US election interference in 2020 because it doesn’t say that on the front page. The contents of the new indictment and its timing are entirely about the upcoming US elections and what might come after. It’s warning us about the scope and scale of operations that the Kremlin’s units for cyber operations attached to political warfare efforts (or active measures campaigns), including election interference, are capable of conducting.
The indictment connected the dots between a wide array of global cyberattacks over the past five years — hacking electoral campaigns in France; taking down electrical grids and banking systems in Ukraine; spillover effects of cyberattacks on Ukraine that crippled a US hospital system and some shipping services; a massive attack on government servers and thousands of websites in Georgia (the country, not the state); targeted attacks against institutions documenting Russia’s use of the nerve agent novichok in the attempted assassination of GRU defector Sergei Skripal in the UK; widespread attacks against South Korean and 2018 Olympics targets after Russian athletes were banned for doping — attributing some of them officially to Russia for the first time. The indictment made clear that this was a multi-nation intelligence effort to expose “intrusions and attacks intended to support Russian government efforts to undermine, retaliate against, or otherwise destabilize” all the target nations listed above.
“Sandworm” may not mean much to non-cyber obsessed humans: trying to follow hacker group nicknames and bravado is kind of like trying to immerse yourself in the complete Marvel universe mythology after the age of 40. But the broad range of activities attributed to Sandworm shows how much leeway such units are given by the Kremlin to probe and beta-test and operationalize different kinds of cyber weapons to expansively contribute to Russia’s strategic (and sometimes just petty) objectives within defined parameters. The pattern is one we see in other hybrid domains: just do stuff, maybe it works, and if not there are probably minimal consequences, and the Kremlin will just huff and puff and blow out denials anyway. There is a high risk-taking threshold. Thus we get the list of above activities that seem scattershot, but are not. They have a common operational core. They feed back into the same training process.
Exposing the names and identities of individual members of the unit is a significant step (one which not all former US intelligence officers I spoke to, leery of getting into a Cold War-style tit-for-tat unmasking of intelligence operatives, are wild about). In this case, though, releasing the names seemed to do double duty. Both the unit and one of the individuals had been previously named in Mueller’s indictment of hackers connected to 2016 US election interference efforts, including efforts to hack the DNC and personal emails and efforts to gain access to state level election systems in all 50 states. This indictment connects those 2016 cyberattacks to global efforts — and to ongoing attacks.
US officials charged with communicating potential election threats to the public have been careful to use a “China/Russia/Iran” formulation when speaking of current threats; this is meant to placate the president, who doesn’t want to hear anything about Russia, by conflating and inflating other cyber and influence threats with the targeted, directional efforts of the Kremlin. But bookending Russia with other nations doesn’t change what we know they are capable of doing — and frankly, what we know they are considering doing — during the 2020 election if the Kremlin decides it is in their interest to do so.
Let’s go through some highlights from the indictment, in terms of how to assess the information presented, and its meaning.
* * * * *
Key takeaways from the indictment:
“Hiya! Five Eyes sees you!”
There is a lot of rich detail in the indictment. This sends a clear message to Russian intelligence: we see you; we know what you are doing; we know how you did it; we’re expending significant resources to watch you and track you. This is very much a continuation of the practice established by Robert Mueller’s indictments, laying out a lot of technical detail to backstop the charges being made. It also means that the Russian hackers have not been able to adapt their operational security to evade surveillance, or at least to evade attribution after an operation. The indictment also lays out that allies — Five Eyes partners (Five Eyes is the US, UK, Canada, Australia, New Zealand), South Korea, Georgia, Ukraine, and probably the Netherlands — were deeply involved in this investigation, and that private sector partners were contributing as well. This expenditure of effort in confirming attribution for these cyberattacks is significant. Additionally, it signals to the American public that whatever doubts there may be about the president’s fortitude when it comes to confronting Russia, the people whose job it is to do the actual work of determining adversary capabilities are still hard at it.
Russia is willing to use disproportionate responses to retaliate against perceived slights.
Think about what I wrote above — that this GRU unit developed and deployed cyber weapons that contributed to Russia’s strategic and petty objectives alike — and what it really means that they count these as equivalent. It’s like saying it’s fine to use a tactical nuclear weapon because you had a bad day, rather than as a proportional response to the use of nuclear weapons by an adversary. In at least two of the cases presented in the indictment, the Kremlin’s hackers deployed significant efforts and assets — part of the same arsenal they would use as part of a significant operation against a strategic competitor — to conduct cyberattacks in response to perceived insults to Russia.
South Korea happened to be hosting the Olympics when the entire Russian Olympic team was finally banned from the games for systematic doping; in the attacks on South Korea, an array of critical infrastructure, information systems, and government systems was targeted via a malware campaign, and individuals visiting for the Olympics were targeted both with malware and a “malicious mobile application.” The goal of this seemed to be disrupting the Olympics and embarrassing the hosts, but it could easily have provided access to significant national (and Olympic) systems.
In response to the identification of the nerve agent novichok being used on Skripal, the GRU hackers targeted the international and UK labs that helped confirm the use of novichok, again trying to gain access to these highly-secure systems.
Thus far, no one seems to know why the broad attack on Georgian government and private servers and websites in 2019 was timed when it was. It seems to be just because they could.
In all cases, this use of asymmetric tools is outside of the framing of proportionality. “No country has weaponized its cyber capabilities as maliciously and irresponsibly as Russia, wantonly causing unprecedented collateral damage to pursue small tactical advantages as fits of spite,” said John Demers, DoJ’s top national security official. This is offensive conduct. Nothing happened to them; they were just pissed that their bad behavior was exposed, and now you know about the doping and the assassinations, and also that they still really dislike former Georgian President Saakashvili.
Russian behavior has not been deterred or altered by any response they have met thus far.
“Time and again, Russia has made it clear: They will not abide by accepted norms, and instead, they intend to continue their destructive, destabilizing cyber behavior,” said FBI Deputy Director David Bowdich. Russia will continue to use these types of operations if it is in their interest to do so — unless there is a perceived cost for their actions in the cyber domain (or any domain). They have not felt this under the current or former administrations, so as far as they are concerned, we are all fair targets. It is imperative that we prepare — and be prepared to use — effective deterrent or punitive countermeasures against hybrid attacks.
The list of operational targets is a road map for what could happen on Election Day (or beyond).
In describing the cases, the indictment details a number of areas where this unit, which clearly has a mandate for various cyber activities including some related to election interference, has successfully conducted cyber attacks that have disrupted critical services and infrastructure, and others where they have tested and probed. This becomes a list of disruptive activities that we should be prepared for — and maybe should talk through and anticipate before Election Day — and it includes:
Low-level election interference (last minute hack-and-leak operations, spearphishing attempts on prominent individuals)
Disrupting government information systems, which could relate directly to elections or not
Disrupting power grids (there have been well-documented incursions into the US power grid by Russia in the past, as we have also probed their systems)
Disrupting banking systems/payment systems
Disrupting government services and systems, or creating the perception of system vulnerabilities
Creating the perception of widespread internet disruption
Targeted technical attacks on media organizations
Disrupting hospital databases, which can disrupt or delay the delivery of care
Disrupting shipping, transportation, aviation, and other essential infrastructure (the recent accident in Virginia, where a road crew cut a critical data cable that took down the entire state voter registry on the last day when new voter registration was possible, exposed how our lowest-bidder infrastructure often has absurd choke points that can be targeted through a variety of means)
It’s an expansive list. You wouldn’t need to disrupt everything listed above, and not all at once. Launching a small number of similar, modest attacks at the same time would efficiently project a perception of vulnerability greater than the reality. The same is true if there’s just a persistent tempo of varying, low-level disruptions in different areas: we would start to assume something worse is coming, looking for patterns and shadowcasting fears.
The unit seemed to view private-sector and individual targets as interchangeable with national targets.
It seems like a minor point, and certainly viewing private sector entities as government targets may be a reflection of how Russia works more than anything else, but as with information warfare, this practice of targeting individuals and private enterprises again exposes the gap between the structures of national defense and targets of hybrid campaigns. It also increases the number of weak points where vulnerabilities exist, and the difficulty in removing those vulnerabilities.
They tried to mask themselves as other hackers to hide the attribution of their attacks.
Before deploying malware against South Korean targets in 2018, the GRU unit studied the malware code and tactics of a North Korean hacker group and attempted to emulate their style to pass off their activities as North Korean. Trying to muddle attribution or evade tracking is reasonably standard hacker fare, but trying to intentionally point attribution at someone else — say, another nation that could find itself on the receiving end of the response from the target nation — could create lots of interesting problems if it were done successfully. Especially when our current administration is very eager for the answer to never be Russia, and very much too eager for it to be Iran.
And perhaps one additional point to ponder, which is how far-right US media and personalities keep finding themselves as the amplification network for GRU-obtained materials.
The indictment’s focus on the hack-and-leak operation connected to the French elections is a reminder of how, in that instance, the US alt-right media/social media landscape was teed up to push the leaked documents, including recruiting people with relevant language skills in advance, none of which made any sense. Why did “America First” trolls give a hoot about an alleged scandal in a French election? So there was DCLeaks, WikiLeaks, and the French operation where an American-led amplification network was integral to the efforts of Russian intelligence to broadcast its ill-gotten goods to the world. And obviously, this hasn’t changed a whit: the same outlets and personalities are still falling all over themselves to flack what is very likely Russian-sourced material on Hunter Biden. Why do these groups always find themselves as willing participants in Russian intelligence operations? How do the cyber operations and the external information operations end up connected? How does Russian-obtained material become fodder for prepared operations in the information domain controlled by the hard right media ecosystem over and over? This is not an ideological alignment, as this French data point shows, but a strategic and tactical one worthy of further exploration.
Finally, I will just say: so much for the “patriotic hackers” bullsh*t.
Can we stop amplifying this Putin-sourced fiction about Russians spontaneously working to hack Kremlin adversaries? It’s Russian intelligence.
* * * * *
This latest GRU indictment highlights a lot of tactics, targets, and trends we should be watching. We know Russian interference efforts are ongoing, we know how much importance they put in the cyber toolkit, and we should have every expectation that at least some of these options are well-prepared for use on US targets. (And indeed, just minutes before I posted this, we have confirmation that Russian hackers have targeted election systems, government systems, airports/aviation, and education systems via a variety of exploits.)
“The crimes committed by Russian government officials were against real victims who suffered real harm,” said Scott Brady, US Attorney for the Western District of Pennsylvania. If only our president occasionally remembered this, as he perpetually finds any other shiny object to look at that is not Russia or Vladimir Putin. Harm against individuals, harm against businesses, harm against infrastructure, harm against the nation.
“The FBI has repeatedly warned that Russia is a highly capable cyber adversary, and the information revealed in this indictment illustrates how pervasive and destructive Russia’s cyber activities truly are,” Bowdich warned. “But this indictment also highlights the FBI’s capabilities. We have the tools to investigate these malicious malware attacks, identify the perpetrators, and then impose risks and consequences on them. As demonstrated today, we will relentlessly pursue those who threaten the United States and its citizens.”
This statement from the FBI is both reassuring — a promise to hold malign actors to account — and unnerving — “to investigate” and “impose consequences,” but not to deter or pre-empt.
Now, I’m not saying this one statement is representative of the vast universe of things our various intelligence agencies are doing. It isn’t. There are, to be sure, plenty of things happening regarding Russia that the US President has no idea about, which continue on below the radar, not even a footnote in the Presidential Daily Brief because the President of the United States doesn’t give a hoot about countering a revanchist adversary. Whether it be election interference or Russian bounties on US soldiers in Afghanistan or US intelligence officers getting zapped with a Russian brain-scrambling directed energy weapon, Donald Trump doesn’t care to respond because someday — maybe someday — Vladimir Putin might decide to be his friend. In the meantime, his negligence has not only ignored but encouraged escalating attacks on American personnel in every region of the world — and even possibly just miles from the White House.
At the very best, this means that if we get a new President in January, this backlog of memos and intelligence product — all the collection and intercepts and analysis and plans our intelligence agencies have been producing on Russia and then shoving into a drawer because no one higher up the food chain wants to accept responsibility for them — will finally break through, and hopefully find more receptive ears instead of falling into the blackhole of a new reset or surging isolationism. Find their way onto the desks of a team willing to build the global strategy that gives appropriate seriousness to the immediate threat that the Kremlin poses to American interests, and understands that building this intelligence architecture against Kremlin hybrid threats is also a model for how we do it on more resourced and nuanced threats, like China.
This is not a given. Not even close. But in this instance, the indictment of the GRU hackers seems a clever way to force the issue into the public domain, where we all get to pore over the details and understand what a small unit in the GRU is able to do when no one ever calls their bluff. And that, really, we need to.
It’s a warning shot to the GRU: we see you. We know your Mr. Robot jokes. Don’t think the free ride lasts forever.
But it’s also a signal flare to a nation too wrapped up in internal division to give due credence to the systematic foreign interference that is underway, and the escalation capacity for disruption that is likely already built into the system. This disruption can come in many forms. Or it may not come at all — this time. Perception is a part of the game: the existence of this threat is part of their influence strategy. But as the indictment shows, it’s not all smoke and mirrors. The capability for disruption is evolving constantly. And we won’t be able to skate by with MacGyvered efforts forever. The next White House must be ready to lead the whole of government response required.
And in the meantime — Americans are wound pretty tight. We’re prepped to believe that someone will do something to disrupt the conduct of the election or the tallying of results or the transition of power. It wouldn’t take very much to create the perception of chaos, which can then easily become the reality of chaos. Our expectations and fears and anticipation are dry tinder, and any lights-out-at-the-Pompeo-confirmation-hearing moment can be a match.
Surely, the Kremlin knows this. Surely, they have options prepared. The only question at this point is what will determine whether they act or not, and what we can do to influence that decision.
—MM
