On Wednesday, the U.S. Department of Justice (DOJ) announced that it had “disrupt[ed] a two-tiered global botnet of thousands of infected network hardware devices under the control of a threat actor known to security researchers as Sandworm,” and identified by the U.S. government as “the Main Intelligence Directorate of the General Staff of the Armed Forces of the Russian Federation (the GRU).” This action is the latest in what appears to be a string of public moves to impose additional friction on malicious Russian actors in cyberspace since the invasion of Ukraine, and it’s also emblematic of the efforts by the United States over the last few months to shift the framing of some cybersecurity threats from purely criminal matters to national security concerns.

Some hints have emerged about what the United States may be doing to help Ukraine on cybersecurity. In congressional testimony last month, National Security Agency Director and Commander of Cyber Command Gen. Paul Nakasone said, “We had ‘hunt forward’ teams from U.S. Cyber Command in Kyiv. We worked very, very closely with a series of partners at NSA and the private sector to be able to provide that information.” He noted the engagement had been long-standing in saying, “We’ve worked very, very hard with Ukraine over the past several years.” And in testimony earlier this week, he explained that “a series of assumptions” the Russians “may have made,” “coupled with the defensive capabilities” the United States has built with Ukraine have contributed to the relative lack of significant successful cyber operations against Ukraine in recent weeks.
Kristen Eichensehr, Friction, Framing & U.S. Cybersecurity-Related Actions Against Russia, Just Security (April 7, 2022).