Two reports published on Friday signaled the Trump administration may no longer consider Russia the US government’s top cyber foe, a development that would radically alter long-standing American global alliances to defend against nation-state threat actors in the digital realm.
For at least a decade, Russia has been widely viewed as a top cyber threat to the US and other Western nations. In its 2024 Annual Threat Assessment of the US Intelligence Community, the Office of the Director of National Intelligence underscored Russia’s threat, saying, “Russia will pose an enduring global cyber threat even as it prioritizes cyber operations for the Ukrainian war.”
Russian intelligence agencies, including the Federal Security Service (FSB) and the Foreign Intelligence Service (SVR), have directed groups known as NotPetya, Cozy Bear, Fancy Bear, Midnight Blizzard, and others to conduct destructive attacks on US targets, including the bold supply chain hack on leading US business software company SolarWinds.
The Kremlin also tacitly permits the ongoing operations of ransomware and other financially motivated cybercriminal gangs within its borders, including LockBit, one of the most destructive groups that, despite a significant global police disruption operation, has reconstituted itself and continues to wreak havoc.
Cybercom ordered to step down on Russian offensive cyber operations
Cybersecurity publication The Record reported that Defense Secretary Pete Hegseth ordered US Cyber Command chief Gen. Timothy Haugh to stand down from all planning against Russia, including offensive digital actions. According to the report, Haugh informed the outgoing operations director, Marine Corps Maj. Gen. Ryan Heritage, of the new guidance, which could significantly hamper Cybercom’s “hunt forward” operations, a major focus of the military unit, particularly involving Russia and the Ukraine war.
The Record reports that the order does not apply to the National Security Agency, which Haugh also leads, or its signals intelligence work targeting Russia.
Other news organizations, including The New York Times, The Washington Post, and CNN, confirmed The Record’s reporting. However, they cite current and former officials as saying the move is merely a clever ploy to draw Russian President Vladimir Putin into peace talks with Ukraine and a new relationship with the United States.
The Record’s report landed the same day Donald Trump and JD Vance berated Ukrainian President Vologymyr Zelenskyy for being “disrespectful” during a disastrous Oval Office meeting that has likely caused significant damage to the prospect of any further US-aided Russian-Ukraine peace talks.
Some Republican lawmakers are disputing the reports of Cybercom’s supposed retreat. Representative Mike Turner (R-OH), a strong supporter of the North Atlantic Treaty Organization (NATO) and Ukraine, said, “Considering what I know, what Russia is currently doing against the United States, that would I’m certain not be an accurate statement of the current status of the United States operations,” he said.
Purported shift at CISA away from reporting on Russian threats
Shortly after The Record issued its report, The Guardian reported that the US Cybersecurity and Infrastructure Security Agency (CISA) sent an internal memo setting out new priorities for the agency, including China but excluding Russia. One source said analysts at the agency were verbally informed that they were not to follow or report on Russian threats.
The purported shift at CISA follows a speech before a UN cybersecurity working group last week by Liesyl Franz, deputy assistant secretary for international cybersecurity at the State Department, that highlighted how the US is concerned by threats perpetrated by some states but only named China and Iran, with no mention of Russia. Franz also didn’t mention the LockBit ransomware group, which the US has called out in past UN forums as the most prolific ransomware group in the world.
In a post on X, CISA denied The Guardian’s report, saying, “CISA’s mission is to defend against all cyber threats to U.S. Critical Infrastructure, including from Russia. There has been no change in our posture. Any reporting to the contrary is fake and undermines our national security.”
In a statement sent to CSO, which was also posted on X, DHS spokesperson Tricia McLaughlin said, “The memo referenced in the Guardian’s ‘reporting’ is not from the Trump Administration, which is quite inconvenient to the Guardian’s preferred narrative. CISA remains committed to addressing all cyber threats to U.S. critical infrastructure, including from Russia. There has been no change in our posture or priority on this front.”
No benefit to the US in any way
Although crucial details of these developments are still not clear, experts suggest that any US move to disregard Russian cyber aggression will backfire. Former NSA hacker and enterprise risk management expert Jake Williams said, “Telegraphing who we are and aren’t tracking cyber threats from doesn’t benefit the US in any way.”
Moreover, Wiliams argued that attributing an event to any specific threat actor doesn’t occur until the end of investigators’ work, so there isn’t a way to stop tracking Russian threat activity. “The biggest procedural issue with ‘stop tracking Russian cyber threat actor groups’ (though there are many other issues) is that we don’t know until the end of the attribution lifecycle which data corresponds to which nations.”
In addition, all indications suggest that Russian malign activity in cyberspace against the US has continued through at least the end of January. For example, researchers at Volexity issued a report on Feb. 13 saying that starting in mid-January, they had observed the Russian nation-state threat group they call CozyLarch, which overlaps with other Russian APT groups known as DarkHalo, APT29, Midnight Blizzard, and CozyDuke, targeting sensitive Microsoft 365 accounts by impersonating individuals from US government departments, including the US Department of State.
Read More from This Article: US Cybercom, CISA retreat in fight against Russian cyber threats: reports
Source: News