Menu
Browse

Cyber Threat Actor: US Cyber Command (USCC)

Aliases: 5 aliases
Actor Type Location Known Incidents
 Icon
Nation State
United States of America
7 incidents
Profile

US Cyber Command (USCYBERCOM), also known as CYBERCOM, U.S. Cyber Command, US Cyber Command, and USCC, is a United States military entity responsible for conducting cyber operations. Publicly reported activities demonstrate a focus on countering adversarial threats through offensive, defensive, and information operations, often in coordination with allied nations. Its operations consistently align with U.S. national security objectives, targeting foreign adversaries engaged in hostilities or cyber aggression against American interests or allies.

The threat actor’s targeting centers on disrupting military capabilities, election interference infrastructure, and terrorist networks. Strategic objectives include degrading adversarial command-and-control systems, preempting cyber threats through proactive intelligence gathering, and supporting allied nations under digital attack. Notable operations include the 2022 offensive cyber campaigns against Russian military cyber units during the invasion of Ukraine, which involved coordinated actions to identify and neutralize threats to Ukrainian critical infrastructure like satellite communications and government systems. Other operations include the 2019 disruption of Iranian rocket and missile launcher control systems following escalated tensions, the 2018 compromise of Russia’s Internet Research Agency (IRA) to dismantle its troll farm infrastructure ahead of U.S. midterm elections, and the 2016 cyber offensive against ISIS to overload its communications networks during coalition military operations.

Tactics, techniques, and procedures (TTPs) emphasize "hunt forward" missions—deploying teams to allied nations to identify adversary tools preemptively—and strategic information sharing with partners like NATO and the FBI. Initial access vectors include phishing campaigns, such as the IRA compromise where malicious email attachments enabled server infiltration. Destructive payloads involve RAID controller destruction, hard drive wiping, and cloud server formatting, as observed in the IRA operation. Coordination with civilian oversight and policy compliance is explicitly cited, distinguishing operations from adversarial disinformation campaigns. USCYBERCOM’s state affiliation is unambiguous, functioning under U.S. Department of Defense authority with public acknowledgments by senior officials confirming its role in lawful military cyber activities. The actor’s operations reflect a consistent emphasis on resilience-building partnerships and the exposure of adversary TTPs to strengthen collective defense.

Incidents
Attributed incidents available to members
6 incidents
Sources
Sources available to members
5 sources