April 12, 2022 | Policy Brief

Justice Department Disrupts Russian Malware With Help from Private Sector

The Department of Justice (DOJ) announced last Wednesday it had detected and preemptively disabled Russian-installed malware on thousands of network devices in the United States and around the world. The DOJ operation leveraged the U.S. government’s partnerships with both allies and the private sector to disable the malware before it caused any damage.

The DOJ attributed the attack infrastructure to “Sandworm,” an elite hacking group within the Russian military intelligence agency (GRU). Sandworm has grown in notoriety thanks to numerous attacks on Western governments, companies, and reporters as well as the International Olympic Committee. FBI Director Christopher Wray noted that this group “has a long history of outrageous, destructive attacks,” including the 2017 NotPetya attack, which caused $10 billion in damages worldwide. Sandworm’s latest operation sought to employ a botnet, or network of compromised computers that hackers exploit to conduct operations.

Over the past month, DOJ, acting through the FBI and working with private cybersecurity firm WatchGuard, received court orders to remove malware from what are known as “command-and-control” servers, the devices the hackers use to issue instructions to groups of compromised machines. By removing the malware from these servers, the U.S. government cut off Sandworm’s control over thousands of compromised devices the hackers had conscripted into their bot army. The DOJ operation successfully disabled the botnet “before it could do any harm,” Wray confirmed, noting the importance of the U.S. government’s partnership with the private sector in this operation. Assistant Attorney General Matthew Olsen similarly commended the collaboration between WatchGuard and government agencies in both the United States and the United Kingdom.

This is not the first time the U.S. government has preemptively disabled malicious Russian cyber operations. In 2018, DOJ and the FBI disrupted another Russian botnet, also controlled by Sandworm. In 2020, U.S. Cyber Command (USCYBERCOM) incapacitated the Trickbot botnet run by a Russia-based ransomware group known as Conti, a criminal enterprise. General Paul Nakasone, the commander of USCYBERCOM and director of the National Security Agency, also testified before Congress last week that American cyber forces worked with their Ukrainian counterparts to disrupt malicious Russian activity and harden Ukrainian networks during the lead-up to Russia’s invasion.

DOJ’s April 6 announcement regarding the Sandworm botnet came on the heels of numerous government advisories about Russian cyber threats and the White House’s warning that “evolving intelligence” indicated the Kremlin might launch cyberattacks to retaliate against Western sanctions. While not unprecedented, the DOJ operation demonstrated how public-private partnerships and collaboration with allies can thwart malicious cyber actors and help secure domestic networks against attacks by foreign adversaries. Last week, the Department of the Treasury similarly demonstrated the importance of collaboration with interagency partners and allies — in this instance, the German Federal Criminal Police — when it announced the shutdown of “the world’s largest and most prominent darknet market” used by Russian cyber criminals, along with the seizure of $25 million worth of bitcoin.

Building on these successes as well as the Cybersecurity and Infrastructure Security Agency’s “Shields Up” initiative to consolidate U.S. government threat advisories and provide timely information to the private sector, the Biden administration has an opportunity to build momentum in public-private collaboration. DOJ’s operation embodied the hallmarks of what the U.S. government needs to enhance U.S. cybersecurity: carefully tailored law enforcement operations that leverage the strengths of foreign partners and the private sector to keep malicious actors from attacking American interests.

Annie Fixler is a research fellow at the Foundation for Defense of Democracies (FDD) and deputy director of FDD’s Center on Cyber and Technology Innovation (CCTI). Graham Kennis is a CCTI intern, public policy master’s student at the Harvard Kennedy School, and Air Force officer. For more analysis from the authors and CCTI, please subscribe HERE. Follow Annie on Twitter @afixler. Follow FDD on Twitter @FDD and @FDD_CCTI. FDD is a Washington, DC-based, nonpartisan research institute focusing on national security and foreign policy.