Remember when the Dutch did an insane PowerPoint burning a GRU Unit 26165 close access team? NSA and FBI decided to do the advisory version of that to some 26165 Linux-targeting malware.

https://media.defense.gov/2020/Aug/13/2002476465/-1/-1/0/CSA_DROVORUB_RUSSIAN_GRU_MALWARE_AUG_2020.PDF
The doxxing of Drovorub is *not* about deterrence. What would it be deterring - cyber espionage that targets Linux systems? No. This is pure counterintelligence degradation targeting GRU Unit 26165 by burning a tool they clearly invested a lot of time and resources in.
The level of detail in the Drovorub report supports another CI degradation impact: forcing the GRU to figure out just how the NSA and FBI got this much information on their tool. This means they have to expend their own defensive CI energy running this down. It degrades on 2 levels.
Case in point: Just some of the evidence that the call was coming from inside the house w/r/t USG knowledge of Drovorub https://twitter.com/chrisrohlf/status/1293970641742434309
Another way of looking at it: an implant like Drovorub could reasonably be compared to a stay-behind network in HUMINT terms. Neither are easy to set up or maintain, and usually exist to serve a critical intelligence or operational requirement. https://twitter.com/US_CYBERCOM/status/1293973977178800130?s=20
The degradation impacts from the Drovorub report are as cascading as they are significant: https://twitter.com/mtoecker/status/1293975889781370881
You can follow @WylieNewmark.