How a Wikileaks dump alerted foreign hackers to U.S. tactics
- By Derek B. Johnson
- Mar 09, 2020
An internal assessment at U.S. Cyber Command concluded that diplomatic cables published by Wikileaks probably revealed details that resulted in operational security changes by foreign, state-aligned hacking groups targeting the United States.
In 2010, Wikileaks began publishing hundreds of thousands of diplomatic cables between the State Department and 274 of its consulates, embassies and diplomatic missions stationed around the globe. The documents provided an unvarnished look at internal conversations between diplomats abroad and policymakers in Washington D.C.
The Situational Awareness Report -- obtained through a Freedom of Information Act request by the National Security Archives at George Washington University -- was drafted in early December 2010 by Fusion Cell, an intelligence arm of U.S. CyberCom just days after the cables began to leak. It determined that the release would likely provide foreign intelligence services and their hacking arms with "lessons learned" about how their activities were being tracked by the U.S. government.
"The release of the latest set of classified data will likely result in observable changes in [operational security] procedures, coordination and collaboration among Computer Network Operations organizations, Tactics, Techniques and Procedures and overall sophistication levels [redacted]" the report stated.
Though it is significantly redacted, the CyberCom report detailed how the National Security Agency and other agencies rushed to identify documents contained in the dump that "may disclose cyber operations equities" and urged other organizations to do the same. It provided a number of categories of information that were "likely exposed" by the leak, all of which are redacted in the version released to the public.
"The [redacted] cables clearly state that U.S. Government entities have knowledge of specific adversary [tactics, techniques and procedures], including malware, toolsets, IP addresses and domains used in intrusion activity," the report stated.
The document suggested that the release of the cables "led to a period in which the U.S. government was hindered in its ability to track the activities of at least one of the most sophisticated APTs operating on the geopolitical stage," wrote Michael Martelle, a research fellow at the National Security Archive's Cyber Vault Project.
Derek B. Johnson is a former senior staff writer at FCW.