27 June 2019

How cyberattacks are being used by states against each other

Abhijit Ahaskar

New Delhi: In May 2019, Israel bombed and destroyed a building in Gaza, Palestine, as it was being used by a Hamas-backed hacking group to target them. This was the first instance when a state retaliated to a cyber attack with a real attack. In another more recent incident from June, the US targeted Russia’s electric power grids using crippling malware in retaliation to Moscow-sponsored cyberattacks on US infrastructure. Russia has said it will retaliate.

States around the world have been retaliating to new and persistent cyberattacks sponsored by their arch-rivals.

“State-sponsored cyberattack, by national intelligence agencies, or groups affiliated with such agencies, is a growing concern. With their heightened capabilities, foreign hackers pose a powerful threat to government agencies and their employees, as well as individuals or organizations linked to dissidents or other perceived threats," warns Vitaly Kamluk, Director of Global Research and Analysis Team, Asia Pacific, Kaspersky Labs.


According to a Thomson Reuters Labs blog, published in January 2019, on state attributed cyberattacks, countries facing the highest number of attacks include US (65), UK (34), Germany (30), India (28) and South Korea (27). The blog claims that 22 countries are suspected of having sponsored cyber operations.

Many of these attacks have the support and financial backing of the state. A case in point is the Lazarus Group which incessantly targeted key industries including government bodies in the US, allegedly at the behest of North Korea government in 2017-18, according to a report by McAfee Security.

In some cases the cyberattacks were the handiwork of overzealous actors or terrorist groups and the country of origin may not have the resources to stop them. “There are cases, where a government lacks the capacity to curtail groups operating from their territory. The challenge then is to credibly signal that to other countries on the receiving end, and to show that one is trying to improve the capacity to respond. That may also entail accepting help from the country that was attacked," advises Dr. Florian Egloff, Senior Researcher in Cybersecurity at the Center for Security Studies, ETH Zurich.

Kamluk is of the opinion that if governments don't care or ignore certain threat actors operating from their country, it means they permit the attack group to exist and somehow legitimized their activities.

However, attributing a cyberattack is not easy. Even after the US suspected China’s role in Titan Rain, an advanced persistent threat targeting DoD computers to steal blueprints of a fighter jet, it was not established that the attacks were carried out by China, or were routed through servers in China.

In another incident, the opening ceremony of the Pyeongchang Winter Olympics in 2018 was disrupted by a cyber attack. Initially, North Korea was blamed due to prolonged hostilities between the two neighbouring countries, but US intelligence later found the attack was carried out by Russian military agency GRU, in retaliation to the ban on Russian team from participating in the winter games due to doping allegations. The attackers had routed the attack IPs in North Korea to make it appear like their handiwork.

“Attribution is very difficult when it comes to cyber domain. Attackers are protecting their anonymity, run operations under fake identities, etc. It is only when they make mistakes, they can be discovered," says Kamluk.

In the case of Lazarus group hacker, Park Kin Hoyk, who was charged by US Department of Justice in 2018 for various cyberattacks including the notorious WannaCry, the authorities found several links between Park’s real world email/social media accounts and his alias accounts which were used for communication with Lazarus group and to carry out the attacks. Also, he made the mistake of accessing both accounts from a common IP address.

Mistakes and small clues left behind by attackers are also vital in attribution, providing valuable intelligence about people behind a cyberattack and the possible connections between them.

Kamluk points out that some of the mistakes that can link a state or government agency to a cyberattack include very specific originating source IP address of the malware operator, time zone and dates of active operation, usernames or project names included into malware project build path and the type of information the attackers are looking for.

The objective behind the cyberattacks can be anything from stealing military intelligence, trade secrets, design blueprints to sabotaging or controlling important infrastructure.

The US-Israel backed Stuxnet program which was used to target Iranian nuclear facility in Natanz in 2010 is a case in point. The Stuxnet worm caused a malfunction in the uranium enriching centrifuges affecting their nuclear enrichment efficiency. The objective was to derail Iran’s nuclear program and force them to sign a non-proliferation agreement.

In August 2018, North Korean hackers stole $13.5 million from India’s Cosmos Bank through unauthorised ATM withdrawals. In December 2015, Ukraine’s power grids were targeted by what was believed to be a Russia sponsored cyberattack, causing power failure for several hours affecting over 200,000 people. A March 2019 report by UN Security Council claims North Korea used state-sponsored hacking to bypass international sanctions and steal $670 million in foreign currency and cryptocurrency between 2015 and 2018.

According to a Gartner report from January 2019, companies can incur $ 5.2 trillion in additional costs and revenue loss due to cyberattacks over the next five years.

There have been several instances, where enterprises have been victims of the cyberwar between states and lost billions of dollars. The total cost of WannaCry, which affected users in 150 countries, is estimated over $1 billion. NotPetya attack cost shipping company Maersk over $300 million in revenue loss.

According to Talinn Manual 2.0, a comprehensive non-binding guide written by nineteen international law experts for policy advisors and legal experts on how existing international law applies to cyber operations, use of government assets such as tanks or warships can be clearly attributed to a state. However, the same rule cannot apply in response as evidence can be easily spoofed. It acknowledges that the most difficult legal question in the area of attribution comes from non-state actors who may be working as proxies for a state or who are in some way acting on behalf of a state without clear legal authority to do so.

Egoff doesn’t think public attribution is a de-escalatory move. “However, where public attribution sits on the escalatory spectrum is dependent on the political relationship to the attackers and their sponsor. Sometimes, it will be perceived as escalatory, sometimes, it may just be ignored," he adds.

Council on Foreign Relations in global governance working paper, published February 2018, acknowledges that the next major international crisis could be caused by a state or terrorist group using ICT (Information and Communication Technology) to derail critical infrastructure. They paper recommends that governments should work together to prevent cyberwars and curb cyberoperations by non-state actors to alleviate the potential economic losses that may be incurred by state or companies due to such attacks in the future.

No comments: