The Pentagon is bad at making memes, but it still tries. On October 29, 2020, U.S. Cyber Command’s Cyber National Mission Force—a DoD team that “ensures commanders can maintain the freedom to operate in the cyber domain”—posted a picture of a Soviet bear dropping a Halloween candy bucket full of malware. Candy labeled with words like “X-Agent,” “XTunnel,” and “ComRat” flew from the poor bear's candy basket. The tweet got 364 likes and was retweeted 190 times. Thanks to a Freedom of Information Act request filed by Runa Sandvik, a senior advisor for Norway’s Armed Force Cyber Defense, we have a 23-page report detailing Cyber Command’s creation of the image.
The Pentagon doesn’t meme like you or I. Before the DoD’s cyber warriors can shitpost, images must be approved, tweets drafted and redrafted, and everything has to go through the chain of command. From conception to deployment, the picture of the Soviet bear dropping malware candy took 22 days.
The first mention of the image comes in a redacted email sent on October 7, 2020 at 11:24 A.M. “Intended date of disclosure is 29 OCT,” the heavily redacted email said. The message contains the rough sketch of an idea—to tell the public about specific kinds of malware.
The next email is more explicit and comes on October 20, 2020. Both the sender and receiver are redacted. “Good morning, graphic team extraordinaire,” the email started. “[Bottom line up front]: Requesting a quick turn of three graphics, as described below. We are requesting the graphics [no later than] two days before the final request date, so we have time for commander review.”
The first requested meme is completely redacted, but the second and third are detailed. “Graphic concept: Cartoon bear in soviet uniform costume holding Halloween candy basket with malware names,” the email said. For the second picture, it wanted “image of the same bear in soviet uniform costume holding Halloween candy basket, now tripping with ‘treats’ (malware names) spilling out of candy basket.” In advance of the images going live on October 29, members of Cyber Command met on October 28 to workshop the tweet that would accompany it. The FOIA contains several emails detailing the drafting of the tweet.
The bumbling bear is part of an effort by U.S. Cyber Command to make Russian hackers look uncool online. “We don’t want something they can put on T-shirts, we want something that’s in a PowerPoint their boss sees and he loses his shit on them,” an anonymous U.S. official told CyberScoop in November 2020.
The FOIA’d report on the creation of the bear mentions the CyberScoop article. “The article, while a bit tongue in cheek, is mostly accurate and does highlight the core purposes for the malware disclosures.”
Cyber Command’s response to the report contained a detailed explanation of why it’s making bad memes. According to Cyber Command, they “impose costs on adversaries by disclosing their malware,” and the graphics “are used and included to increase engagement and resonate with the Cybersecurity industry.” Though it did admit that “the graphics may not be shaping adversary behavior.”