The U.S. intelligence community relied on American technology companies to battle Russian cyberattackers targeting Ukraine to prevent a catastrophic cyberwar capable of spreading across the Atlantic, The Washington Times has learned.
Details are still emerging about what the U.S. government described as a “power collaboration” teaming private companies, including Microsoft, with the National Security Agency against Russian cyberattackers. The NSA cybersecurity officials’ work with Microsoft and others was intended to stop Russia dead in its tracks before devastating attacks could eviscerate Ukrainian networks and serve as a launchpad for an assault on the United States, U.S. officials said.
NSA Cybersecurity Director Rob Joyce told The Times that the agency’s Cybersecurity Collaboration Center partnered with cybersecurity and information technology service providers to “identify and eradicate malicious operations in cyberspace.”
Nathaniel C. Fick, ambassador at large for cyberspace and digital policy, divulged Microsoft’s role in Ukraine during a German Marshall Fund event this month, but the depth of the collaboration with U.S. intelligence is just now being revealed. The company refrained from publicizing the work of the partnership in Ukraine.
Mr. Joyce said in a statement that the NSA’s collaboration center engaged in “deep analytic exchanges” with the companies and shared actionable threat indicators that enabled the cyberwarriors to pursue digital attackers.
“These interactions made big impacts defending Ukrainian networks, as Ambassador Fick noted,” Mr. Joyce said. “They also broadly addressed capabilities that could be used against U.S. government, industry and critical infrastructure. The unique NSA insights partnered with industry’s visibility and capacity to act is a power collaboration, making us all safer at scale.”
Government officials and technology executives have not disclosed a specific event that they prevented or responded to in Ukraine as part of the collaboration, but the vulnerability of civilian infrastructure has been a top concern.
Government and business began collaborating in the wake of blowback from Russian cyberattacks in 2021 on American networks and security professionals’ expectations of a larger digital onslaught.
Before Russia invaded Ukraine last year, Russia’s state-sponsored hackers victimized U.S. government networks and Russian cybercriminals hit a major natural gas pipeline and other components of critical U.S. infrastructure.
After Russia began its assault on Ukraine, an expected large-scale conflict in cyberspace did not immediately materialize. Sen. Mark R. Warner, Virginia Democrat and chairman of the Senate Select Committee on Intelligence, said in March 2022 that the government could not fully explain the absence of a major cyberattack.
A big reason was the government’s collaboration with the technology sector, Mr. Fick said. He said this month that attacks were launched but were not successful.
“People have wondered why Russian cyberattacks seem not to have been effective or as effective in Ukraine or in Europe,” Mr. Fick said at the German Marshall Fund event. “And in Ukraine, one of the reasons is that Microsoft and others were able to push updates at scale in near real time based on collaboration with the U.S. intelligence community that allowed them to blunt these attacks.”
The collaboration is sensitive and may put targets on the backs of private American technology companies and their employees, who are reluctant to speak about their work with the U.S. intelligence community.
Microsoft has hidden details of its work with the U.S. intelligence community from public view. After saying Tom Burt, Microsoft corporate vice president of security and trust, would speak with The Times, the company refused to make him or anyone else available for an interview.
A Microsoft spokesman shared previous statements from company executives about Microsoft’s work in Ukraine, but none of the statements mentioned the U.S. intelligence community. Mr. Burt wrote in an April company blog post that Microsoft’s security teams had worked closely with Ukrainian officials and “cybersecurity staff at government organizations.”
Another Big Tech company combating cyberattackers in Ukraine is Mandiant. The Google-owned cybersecurity team has received credit for uncovering in 2020 the SolarWinds hack of federal agencies that the Biden administration attributed to Russia’s Foreign Intelligence Service.
Mandiant would not directly answer whether it was involved with the U.S. intelligence community’s effort against Russia in Ukraine.
“Mandiant has been working with our partners in Ukraine and elsewhere since before the invasion to protect our customers and community from Russian cyber espionage and cyberattack,” Mandiant executive John Hultquist said in a statement. “Within the context of this campaign and others we have found that an intelligence lead approach is effective in identifying threats and even thwarting attacks.”
It is not clear whether technology workers have received compensation for joining the federal government’s effort against the Russian cyberattackers.
Microsoft and Google’s Mandiant are members of the Biden administration’s Joint Cyber Defense Collaborative, created in August 2021 to partner companies with government agencies, including the NSA and the Department of Defense, to fight hackers and cyberattackers aiming at the U.S. The government has described the role of the participating companies as defensive rather than offensive and designed to prevent attacks and limit the fallout.
The partnership was formed after the Russia-linked DarkSide ransomware gang hit U.S. fuel supplier Colonial Pipeline. Mandiant and Microsoft were initial members.
The group’s government website says its success stories include the creation of a “Russia-Ukraine Tensions Plan” in early 2022, running a tabletop exercise gaming out its execution, and the creation of a list of free cybersecurity tools.
Cybersecurity expert Paul Rosenzweig said Microsoft’s collaboration with intelligence agencies to blunt cyberattacks is relatively new. He said all companies working alongside the government in similar capacities deserve to be commended.
Mr. Rosenzweig, who worked in the Bush administration from 2005 to 2009 and teaches at George Washington Law School, said the technology companies face the risk that Russia views them as aiding an enemy, but he does not think it would inflame the war.
“I don’t think there are risks of escalation,” Mr. Rosenzweig said, “and I think the benefits outweigh the risks.”
Big Tech companies are not shy about disclosing their assistance to Ukraine and are expected to reveal more in the coming days as the anniversary of Russia’s invasion approaches on Feb. 24.
Google hosted Ukraine’s minister of digital transformation, Mykhailo Fedorov, at its Washington offices in December. The company said its Mandiant team was providing direct assistance to the Ukrainian government to help defend and diminish cyberattacks and provide incident response services, among other support.
Microsoft said in November that its total support for Ukraine amounted to “more than $400 million since the war began in February.”
The Big Tech battle against Russia may not be enough to stop a cyberwar from spreading throughout the West.
In December, Microsoft’s Clint Watts said Russian military-intelligence-affiliated cyberattackers had struck at energy, water and other infrastructure organizations’ networks while missiles took out power and water supplies. He said destructive cyberactivity had spread outside Ukraine to Poland in an effort to halt supplies and weapons moving into the country.
“We should also be prepared for the possibility that Russian military intelligence actors’ recent execution of a ransomware-style attack — known as Prestige — in Poland may be a harbinger of Russia further extending cyberattacks beyond the borders of Ukraine,” Mr. Watts wrote on the company’s blog. “Such cyber operations may target those countries and companies that are providing Ukraine with vital supply chains of aid and weaponry this winter.”
Mr. Watts wrote in December that civilian infrastructure has not been off limits from Russian cyberattacks, and Microsoft observed that Russian military operators had hit roughly 50 Ukrainian organizations with destructive wiper malware since February 2022.
Most of the targeted organizations represented Ukraine’s critical infrastructure, including networks belonging to emergency services, energy, health care, law enforcement, water and transportation sectors.
The U.S. is among the countries providing Ukraine with vital support. Alongside the federal deployment of weaponry, U.S. Cyber Command has conducted defensive operations with Ukrainian cybersecurity officials.
The State Department said last year that U.S. and Ukrainian cybersecurity officials sat side by side from December 2021 to February 2022 to improve Ukraine’s cybersecurity resilience.
The U.S. government provided more than $40 million in “cyber capacity development assistance” from 2017 to February 2022, according to the State Department, and U.S. cyberspace defenders do not appear poised to abandon Ukrainian cybersecurity officials anytime soon.