Cyber Command was worried that WikiLeaks dump would burn Operation Aurora intel, document shows
When WikiLeaks released a trove of diplomatic cables in 2010 on everything from terrorism to Russian President Vladimir Putin to computer intrusions, it set off shockwaves through the Department of Defense and intelligence community over the knowledge being dumped into the public domain.
Now we know that unauthorized release even impacted U.S. Cyber Command.
A document obtained through a Freedom of Information Act request details Cyber Command’s knowledge of what was revealed in the infamous WikiLeaks dump. The document, a Cyber Command fusion cell situational awareness report, suggests the Pentagon knew who was behind a broad cyber-espionage operation known as Operation Aurora, was worried about that information becoming public, and was concerned about what adversaries could learn about sensitive U.S. cyber-operations as a result.
The document, which was obtained by George Washington University’s National Security Archive and shared with CyberScoop, is a rare look into how Cyber Command, the DOD, and the intelligence community track adversaries in cyberspace and react when intelligence publicly leaks.
Operation Aurora, one of the first major industrial espionage campaigns, was first attributed to Chinese-based hackers by Google, which was among the operation’s 30 targets. Approximately one year later, a trove of classified State Department cables posted on WikiLeaks revealed the U.S. Embassy in Beijing had been informed by a source that the operation was the work of a Chinese government-linked hacking group.
But the newly released document reveals that Cyber Command was concerned the WikiLeaks dump could let the hackers in question know that the U.S. government had been tracking them for some time, prompting them to re-tool their operations or better hide their targeting activity.
“The [redacted] cables clearly state that U.S. Government entities have knowledge of specific adversary TTPs, including malware, toolsets, IP addresses, and domains used in intrusion activity,” the document assesses.
The report shows that the fledgling Cyber Command, which had only been established by the Pentagon months before the assessment was drawn up, was preoccupied with the idea that an adversary had gained an upper hand as a result of the information WikiLeaks had published.
The DOD was worried in particular that the adversary might adjust their hacking tactics, techniques, and procedures in an effort to avoid apparent U.S. government monitoring of their activities, raising the prospect that the U.S. could lose visibility on the adversary, according to the report.
“The release of the latest set of classified data will likely result in observable changes in OPSEC procedures, coordination and collaboration among Computer Network Operations (CNO) organizations, Tactics, Techniques, and Procedures (TTPs), and overall sophistication levels,” Cyber Command assessed in 2010.
The report is heavily redacted and does not explicitly name Operation Aurora or Chinese threat actors. But at least one cable in the WikiLeaks dump in question revealed the so-called Operation Aurora was “part of a coordinated campaign of computer sabotage carried out by government operatives, private security experts and Internet outlaws recruited by the Chinese government.”
On watch for shifts in adversary behavior
Cyber Command urged all of the DOD and the intelligence community to be cautious of spearphishing emails following the leak, and to be “vigilant to changes, network traffic anomalies, or an[y] fluctuations in malicious activity relative to status quo” in adversary behavior.
“All organizations must be observant to potential efforts of our adversaries to leverage this new information against DoD in efforts to further their cyber initiatives,” the assessment says.
The report also notes that other countries’ intelligence agencies with offensive cyber capabilities might be interested in shifting their intrusion techniques after seeing the State Department cables.
“[Cyber Command] expects that other Foreign Intelligence Services (FIS) active in [computer network operations] against the US will use this information to tailor their respective [redacted] as ‘lessons learned.’”