
USCYBERCOM: Cable-Gate Hindered U.S. Tracking of APT Intrusions

[Image: Operation Aurora on the CyberWar Map (National Security Archive)]
Published: Mar 9, 2020

Edited by Michael Martelle

For more information, contact:
202-994-7000 or nsarchiv@gwu.edu

FOIA Release Reveals Fusion Cell Assessment of 2010 WikiLeaks Impact on Cyber Operations

USCYBERCOM Feared Risk to Sources and Investigations, Expected Adjustment in Adversary TTPs as Result of Leak

Washington D.C., March 9, 2020 - A USCYBERCOM Fusion Cell assigned to evaluate the impact of the 2010 WikiLeaks release of classified Department of State cables determined that information in the cables revealed U.S. intelligence on adversary cyberspace operations, according to a Situational Awareness Report released in response to a National Security Archive FOIA request. The assessment predicted that adversaries would, as a result, be able to more effectively shift their TTPs (tactics, techniques, and procedures) to evade detection by U.S. agencies.

The analysis specifically mentions that the leak revealed U.S. awareness of “specific adversary TTPs, including malware, toolsets, IP addresses, and domains used in intrusion activity.” These TTPs form the bulk of what digital forensic investigators rely on to identify, track, and attribute advanced persistent threats (APTs) conducting offensive cyber operations. While defenders may at critical moments find it advantageous to intentionally reveal their knowledge of an attacker’s TTPs, forcing the adversary to “burn” the tools and infrastructure which have become part of their identifiable signature, unplanned release of the intelligence used by a defender while building knowledge on a threat plays to the attacker’s advantage. In this case the USCYBERCOM analysis states that actors “are expected to modify their current infrastructure and intrusion techniques,” hampering the ability of U.S. agencies to track attacker activity until new intelligence on threat signatures can be developed. The WikiLeaks release in practice appears to have granted attackers a period of heightened advantage over the U.S.

The analysis as released is so heavily redacted that it is impossible to determine which specific actor or actors the USCYBERCOM Fusion Cell is referring to. However, researchers and journalists quickly linked the contents of at least one cable to an attack which came to be known as Operation Aurora. This attack, which impacted over 30 companies and led Google to review its presence in China, had been attributed to the PLA-linked Elderwood Group (a/k/a Beijing Group). The leaked cable connected the perpetrators of Operation Aurora with intrusion campaigns dating to 2002 that targeted a wide array of entities including the U.S. government, Western corporations, and even the Dalai Lama, suggesting U.S. agencies had been tracking the group's activities over a long period of time.

This FOIA-released document, provided below, suggests that the illegal release of classified State Department cables in 2010 led to a period in which the U.S. government was hindered in its ability to track the activities of at least one of the most sophisticated APTs operating on the geopolitical stage.

 

The document