Cyber Indictments and Threat Intel: Why You Should Care

Back in December, I sought out to create a list of “cyber” indictments and asked for help on Twitter after I struggled to remember previous indictments. I soon didn’t feel so badly about not being able to remember “all the cyber indictments” because it turns out there have been quite a few of them over the past 8+ years.

I won’t bury the lede. If you just want the list and don’t want the background on how I got there or why indictments matter, here you go: Work-in-Progress List of DOJ Indictments of Interest to CTI Analysts. But I know you do want to know because you’re a curious person, so you’ll keep reading.

Why should we care about indictments?

So, why should we as cyber threat intelligence (CTI) analysts and network defenders care about cyber indictments in the first place? Others may have different reasons, but here’s why I cared about making this list in the first place. For this blog and list, I’m focusing on indictments from the US DOJ, but legal documents from other countries could serve similar purposes.

1. They give us unique info about adversaries.

Just like different cybersecurity companies have different visibility into adversaries, governments have unique visibility and sources. Though indictments don’t name those sources, by reading them, we can learn new things about adversaries that I might not have known through other sources. One example of this is from the GRU indictment:

Threat intel about CLOUD! Jackpot!

As a CTI analyst, cloud is one of those things that terrifies me, but I don’t have great data to back up why I’m so terrified of it. The GRU indictment gives an example of how actors stole data from the DNC by using cloud snapshots. A common requirement for CTI analysts is to find new adversary tactics, techniques, and procedures (TTPs) that we can share with defenders to point out where they should focus efforts and improve. After reading this indictment, you have an example of something an adversary did, and you should think about how you could detect it or defend against it in your own org. (Actually, in that indictment there are a lot of TTPs you should discuss! I won’t go full-blown $dayjob on you, so I’ll just leave this here.)

Indictments also provide another source for information you may have through other means. A basic principle of good intelligence analysis is that analysts should use multiple sources. If different sources confirm the same information, it may increase your confidence that an assessment based on that information is correct.

2. They might affect international relations and adversary targeting patterns.

Ah, international relations, the “other” IR. Being as CTI analyst is tough: you can’t just know PowerShell and YARA, but you also have to know what’s going on in the South China Sea or Crimea. Though I don’t want to go into IR extensively (there are books upon books on these topics), I think basic concepts are important for CTI analysts to understand, so I’ll try to break them down in plain language for anyone who doesn’t have an IR background. (IR wonks, please chill for a moment, and then you can go back to reading your copy of “On War.”)

Indictments are part of how countries “message” to each other. Legal actions like indictments are just one “instrument” the US government can use to try to influence other countries in order to achieve its foreign policy objectives. Academics, politicians, and military thinkers disagree on which of those “instruments of power” to use as part of a country’s strategy, but there’s wide agreement that a country should use many instruments to try to assert their influence rather than just a single one. For example, when the US DOJ issued the Mabna Institute indictment in March 2018, the US Department of Treasury also issued economic sanctions against the actors — it wasn’t just a legal action, it was also an economic one.

There are differing opinions on how much of a deterrent effect the “instrument” of indictments have on influencing cyber adversaries to stop targeting US entities. (And for good reason — we can only make assessments about what changes adversary behavior, we can’t know this for sure.) IR nerds love to talk about “deterrence theory,” and there’s a lively debate about how applicable classic research on deterrence theory is in cyberspace.

Simply stated, indictments from the US DOJ are worth watching because of the messages they send to other countries, which could deter or change adversary behavior. How other countries react to US DOJ indictments could mean changes for you as a CTI analyst or network defender. The FireEye report Red Line Drawn: China Recalculates Its Use of Cyber Espionage provides an example of how analysts examined the 2014 indictment of PLA Unit 61398 along with other forces that may have contributed to their observed decrease in successful network compromises by China-based groups.

That’s why you should watch US DOJ indictments. Could an indictment against APT10 mean they will slow down their ops tempo? Could an indictment against the GRU mean they will increase their targeting of US victims? Could an indictment of a botnet operator make other operators decide to throw in the towel? (Or will the defendants completely ignore the indictments?) Of course, we can’t predict the future, but as CTI analysts we might be asked to anticipate targeting shifts. We should watch when indictments come out, make assessments based on our organization’s own threat model, and empower our leadership with that intelligence.

My Quest for “Cyber” Indictments

So naive.

I wanted a list of “cyber” indictments for the reasons I’ve discussed above along with the fact that my memory often fails me. I tried to find one but didn’t have any luck, so I turned to the Twitterverse. When I tweeted that I wanted a list of “cyber” indictments, I found that a bunch of other people were interested in this topic as well. For days, I got replies and DMs with people adding new indictments to the list and giving me suggestions, which was an awesome example of why I adore this community. I’ve since had the good fortune to connect with Garrett Hinck, whose team is also working on a cyber indictments list, but from a policy perspective (and with a much more academic focus than I have):

State-linked Cyber indictments list from Garrett Hinck and his team (https://twitter.com/garretthinck/status/1096050268540715008)

A key takeaway is that there are a lot of cyber-related indictments, and I didn’t know exactly what I was looking for when I started. A kind person from the Free Law Project directed me to a useful site: https://www.courtlistener.com/. Most legal researchers use PACER or other paid databases, but those cost $$$, so Court Listener was a great alternative. Per a helpful suggestion, I started to search on a couple of the statues listed on the press releases, like these from the PLA Unit 61398 indictment:

Search these statues → find a lot of court documents

After doing a few searches, I quickly realized just how absurd my initial ask of “all cyber indictments” really was. What I actually meant was that I wanted a list of “key cyber indictments that tell me about actor TTPs or have a state-sponsored aspect to them.” Those were the indictments I cared about for the reasons I mentioned above — they help me know more about adversary TTPs and could have implications for targeting shifts.

A Start of a Cyber Indictment List

I compiled the list of indictments to help myself out in the future with inevitable questions like “I know there was that one indictment from 2016 that mentioned that thing….” Since I already created it, I figured I’d share in case it could be useful to others, so here it is: US DOJ Indictments of Interest to CTI Analysts. I’ve been intentionally vague on what indictments are included. I heavily focused on those with some type of state nexus, but I added some others that contributors mentioned since they might be useful for CTI analysts to know about. My hope is to add context over time in order to help myself and others identify the ones they’re interested in. It’s a work-in-progress, so I know it’s incomplete, and I hope to update it over time. If this is an interest area for you as well, let me know and I’m happy to add trusted, verified people as editors.

I started by tracking simple things: date (using the press release date first, or the indictment filing date if I didn’t have a press release link); notes on why it was notable; who contributed it; and links to the DOJ/FBI press release, full indictment, and other sources. I initially tried adding a column indicating “Criminal” versus “State-Sponsored,” but I struggled to assign this based on a binary scale and felt like whatever I wrote wouldn’t be accurate since those lines are so murky. I then thought of Jason Healey’s Spectrum of State Responsibility that describes the range of responsibility a state might have over cyber activity. In the future, I think it would be useful to assign one of those ten categories to each indictment (along with a source/statement about why that assessment was made)…but I didn’t have time to do that. Maybe later.

I hope this list will be useful to some in the community who are as interested in indictments as I am. Whether you scour these carefully or just give a quick look, I hope you’ll consider indictments as both a source of intel and a possible instigator of changes in adversary behavior.

*****

Thank you to those who gave me suggestions and contributions for this list: Garrett Hinck, Kyle Ehmke, Andrew Stanley, Timo Steffens, Phil Hagen, Patton Adams, and the Free Law Project.

*****

The author’s affiliation with The MITRE Corporation is provided for identification purposes only and is not intended to convey or imply MITRE’s concurrence with, or support for, the positions, opinions, or viewpoints expressed by the author.