U.S. Cyber Command saw an opportunity to strike a blow in the meme wars last October -- just in time for Halloween.
The command had identified two new pieces of Russian malware and was looking for a way to publicize the threat. A hoped-for bonus: Cyber Command wanted to land a sick burn on Russian hackers.
But according to internal communications obtained by the nonprofit open government organization MuckRock through the Freedom of Information Act, Cyber Command took more than three weeks to design and fine-tune the meme before posting it -- an eternity in the fleeting world of online feuding.
And though Cyber Command intended to create something to wound Russian hackers' egos and cause "their boss to ... [lose] their s*** on them" after seeing it, as an unidentified official told CyberScoop last year, what they posted was significantly less savage: A bumbling cartoon bear trick-or-treating in stereotypical Soviet get-up, tripping over itself and spilling candy labeled with Russian malware such as ComRAT and X-Agent.
An implant dropper dubbed #ComRATv4 recently attributed by @CISAgov and @FBI to Russian sponsored APT, Turla. It was likely used to target ministries of foreign affairs and national parliament.
— USCYBERCOM Cybersecurity Alert (@CNMF_CyberAlert) October 29, 2020
@CNMF_CyberAlert continues to disclose #malware samples on: https://t.co/fSgk1xpG8t pic.twitter.com/c2jmozTAyB
The overall effect was that of an adult trying way too hard to engage online with a younger crowd and missing the mark. Or, as decidedly middle-aged actor Steve Buscemi says in a famous scene from the TV show "30 Rock," "How do you do, fellow kids?"
Peter Singer, a senior fellow at the think tank New America and expert on cybersecurity and cyberwar, told Military.com on Thursday that the episode shows the government is starting to take some necessary steps forward, but still has a long way to go "in the new battle of 'likes' that actually have real-world impact."
Most notably, Singer said, the government needs to move a lot faster if it hopes to keep up in the fast-moving world of online discourse.
"On one hand, it shows that we are engaging in the war of ideas and virality in a manner that reflects the way that the internet now works," Singer, who wrote the 2018 book "LikeWar," said. "On the other hand, our decision cycle of deployment is still behind the curve. Whether it is airpower or cyberpower, it is not just the weapon that matters, but your organization, your authorities and your speed."
The process of creating Cyber Command's cartoon bear began on Oct. 7, 2020, according to partially redacted emails obtained by MuckRock. Officials then began talking about publicly disclosing two malware samples: ComRAT, employed by Russian-sponsored hackers known as Turla, and another whose name was classified and redacted.
The malware was serious business, Cyber Command officials said in a later email, and likely already had been used to target embassies, foreign affairs ministries and other targets in eastern Europe and central Asia. It was believed to be used to steal sensitive documents from infected systems and execute its own programs, the email said.
U.S. intelligence agencies have repeatedly identified Russia and Russian-aligned agents as the source of hacking operations around the world, and the United States has levied or threatened sanctions to try to deter such attacks.
In 2018, for example, the Treasury Department sanctioned several Russian individuals and companies for allegedly supporting Moscow’s military and intelligence units’ cyberattacks, barring them from transactions involving the U.S. financial system and forbidding American citizens or companies from doing business with them. And last month, the Washington Post and other publications reported that the Biden administration is preparing sanctions against Russian entities for the SolarWinds cyberattack and other hacking operations.
The next released email, dated Oct. 20, asks Cyber Command's graphics team for a "quick turn" of three graphics to be posted the following week: The tripping bear cartoon; another cartoon of the bear simply holding the Halloween basket of malware "candy;" and a third image, the description of which was redacted.
By Oct. 28, the email chain on the cartoon bear was being sent to more than two dozen addresses across Cyber Command and the National Security Agency, including Brig. Gen. William Hartman, then a deputy commanding general at Army Cyber Command. Hartman was emailed the bear cartoon before a meeting to review it, along with a planned schedule for rolling out the government's messaging on the malware.
Cyber Command tweeted out the tripping cartoon bear image on its official cybersecurity alert account Oct. 29, at least 22 days after Cyber Command started discussing a public campaign against the malware.
The tweet didn't make much of a splash online, garnering fewer than 200 retweets. The initial responses were complimentary.
"Love the image!!" one person soon replied after it was posted. "Please give that person at CYBERCOM a raise."
But after the FOIA'd emails surfaced and a broader audience on Twitter discovered the cartoon this week, the eye-rolling and counter-meming began.
Only took me 22 minutes https://t.co/4RxbCXtXVI pic.twitter.com/pG23efBpmG
— Joshua (@LostLT1) March 24, 2021
The email to Hartman indicated Cyber Command considered following up by posting another cartoon on Halloween, this one of just a spooky jack-o’-lantern carved with the word "ComRAT," but it does not appear the command posted that image.
The next month, an unidentified Cyber Command official told the online cybersecurity publication CyberScoop that they chose the bumbling bear idea because "Russia hates to be seen as cuddly or cozy, so we want to tick them off." Other cybersecurity art previously depicted Russian hackers as "burly or ferocious bears," CyberScoop reported.
"We don't want something they can put on T-shirts," the official told CyberScoop.
It remains unclear whether any cartoon hacker bears currently adorn any T-shirts in Moscow.
-- Stephen Losey can be reached at stephen.losey@military.com. Follow him on Twitter @StephenLosey.