9 February 2018

Hybrid Warfare, Nation-State Actors, and the Future of Cybersecurity

by Jeff Dougherty

Although hacking has been part of espionage since at least 1989[i], nation-state-sponsored attacks have grown dramatically throughout the past decade[ii],[iii],[iv]. Nation-state-sponsored groups are particularly worrisome to security professionals because they often operate as Advanced Persistent Threats (APTs)[v], a “slow burn” type of cyberattack that many security experts consider the most dangerous for enterprises, or governments, with highly sensitive information to protect[vi],[vii],[viii]. However, a deeper look at the pattern of these attacks in recent years reveals a still more worrying trend. In the last decade, nation-state-backed hacker groups have shifted away from pure information gathering and towards using cyberspace as a domain for a new kind of conflict called hybrid warfare.

Hybrid warfare is difficult to define, and some thinkers even doubt the utility of the concept[ix]. However, others have defined it as aggressive actions designed to exploit international law by deliberately falling short of the common definition of aggression that permits a response against a nation-state[x]. Hybrid warfare is a type of asymmetric warfare, in which a weaker opponent seeks to defeat a stronger one by indirect means without having to engage their main military forces[xi]. The concept's supporters frequently cite the civil war in Eastern Ukraine, where suspiciously well-trained and well-equipped “pro-Russian separatists” have given Moscow effective control over large chunks of territory without a conventional invasion that could trigger the NATO treaty[xii]. Also commonly cited are the “salami slicing” tactics used by China to slowly establish a position of effective dominance over disputed islands in the South China Sea[xiii], including use of its fishing fleet to establish territorial claims.

Cyberspace is an especially rich field for hybrid warfare because the global and anonymous nature of the Internet makes it very difficult to prove a particular operation was state-sponsored. For example, a group codenamed APT28 has been identified as a Russian government operation based on their use of Russian-language programming tools, the fact that they keep 9-5 hours on Moscow time and observe Russian holidays, and the overlap between their operations and Russian interests[xiv]. Suggestive, but hardly the sort of thing you can take to the United Nations. Online, hybrid warfare can involve a variety of methods, including denial-of-service (DoS) attacks against a target's communications, obtaining and leaking embarrassing information about the target, or interfering with a target's critical infrastructure.
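To show why working-hours evidence of the kind cited for APT28 is suggestive rather than conclusive, here is an added example (not from the original post) that scores constructed UTC build timestamps against candidate time zones for a 9-to-5 weekday pattern. The sample timestamps and the candidate list are made up for illustration; such timestamps can also be falsified by the operator, so even a strong fit is weak evidence on its own.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: UTC timestamps (e.g. from PE headers or document
# metadata) attributed to one toolset. Not real data.
SAMPLE_UTC = [
    "2017-03-06T06:12:00", "2017-03-06T08:45:00", "2017-03-07T07:02:00",
    "2017-03-07T13:30:00", "2017-03-08T06:40:00", "2017-03-09T11:15:00",
    "2017-03-09T14:05:00", "2017-03-10T05:58:00", "2017-03-13T09:20:00",
    "2017-03-14T12:10:00", "2017-03-08T03:00:00",  # outlier: off-hours build
]

# Hypothetical candidate zones as fixed offsets (Moscow has been UTC+3,
# without DST, since 2014). Fixed offsets avoid a tzdata dependency.
CANDIDATES = {"UTC-5": -5, "UTC+0": 0, "UTC+3 (Moscow)": 3, "UTC+8": 8}

def parse_utc(stamps):
    """Parse ISO-8601 strings as timezone-aware UTC datetimes."""
    return [datetime.fromisoformat(s).replace(tzinfo=timezone.utc) for s in stamps]

def office_hours_score(stamps_utc, offset_hours, start=9, end=17):
    """Fraction of timestamps falling Mon-Fri between start and end local time."""
    tz = timezone(timedelta(hours=offset_hours))
    hits = 0
    for ts in stamps_utc:
        local = ts.astimezone(tz)
        if local.weekday() < 5 and start <= local.hour < end:
            hits += 1
    return hits / len(stamps_utc)

def rank_timezones(stamps, candidates=CANDIDATES):
    """Return (zone, score) pairs, best fit first. A narrow gap between the
    top candidates means the data cannot discriminate between them."""
    parsed = parse_utc(stamps)
    scores = {name: office_hours_score(parsed, off) for name, off in candidates.items()}
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)

if __name__ == "__main__":
    for zone, score in rank_timezones(SAMPLE_UTC):
        print(f"{zone:15s} {score:.2f}")
```

The margin between the top two candidates is what an analyst would report alongside the best fit; with only eleven samples the UTC+8 hypothesis is not far behind.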

Most state-sponsored hacks discussed in the open security press originate from a relative handful of nations: China, Russia, Iran, North Korea, Israel, and the United States[xv],[xvi],[xvii]. An examination of recent actions by hackers affiliated with those countries reveals an increasing pattern of offensive action.

Of the nations listed, it is Russia that has taken by far the largest steps into online hybrid warfare. Beginning with a massive DoS attack against Estonia in 2007[xviii], Russia has used cyberwarfare as a major component of its operations in Georgia[xix], the Ukraine[xx], and Syria[xxi]. The scope of attacks has also widened with time. The 2008 Georgia attacks included more DoS against communications infrastructure, attempts to glean military intelligence from online sources, and propaganda defacement of websites. Attacks against Ukraine in 2015 repeated these tactics, but also saw Russian hackers shut down large portions of the Ukrainian power grid. 2015 also saw Russia shut down German government websites and a steel mill around the time of talks with the Ukrainian Prime Minister.[xxii] The next year brought the publicized attempts to influence the US Presidential election by selectively releasing illegally obtained documents about the Hillary Clinton campaign. Taken as a whole, it is clear that Russia does not simply regard cyberattacks as an information gathering tool, but as weapons to be used offensively in support of Moscow's geopolitical aims.

Similar patterns have appeared on a smaller scale from the other nations on the list. Most famously, the US and Israeli-developed Stuxnet worm was released onto the Internet in 2009, replicating itself until it reached the computer controllers for Iran's uranium enrichment centrifuges. Once there, it caused the centrifuges to overspeed while loaded with corrosive uranium gas, damaging them and seriously delaying the Iranian nuclear program[xxiii]. The same US-Israeli effort led to the creation of a piece of network reconnaissance malware called Flame, which provided information Israel later used to launch a unilateral attack on the Iranian oil industry in 2012 with a program called Wiper[xxiv]. Other information about these countries' cyberwar programs is hard to come by, but the April 2017 leaks from a group calling themselves ShadowBrokers revealed that both the American CIA and NSA have been actively developing their own ecosystem of tools and exploits[xxv].

The Stuxnet and Wiper incidents seem to have spurred Iran to create its own hacking program. The year after the attacks, Iran attacked banks and a dam in the United States[xxvi] as well as oil company systems in Saudi Arabia[xxvii],[xxviii] using malware descended from Israel's Wiper. Iranian hackers have also been implicated in a 2015 blackout that affected 40 million people in Turkey[xxix]. It is significant that the Iranian hacking program appears to be associated with the country's Revolutionary Guard Corps, or Pasdaran. Ever since the Iran-Iraq War of the 1980s, the Pasdaran has been the main Iranian force involved in all types of asymmetric warfare. The placement of Iran's hacking groups under their control may well indicate that the Iranian government views them primarily as weapons of war.

North Korea's cyber program is best known in the West for its 2014 hack of Sony Pictures[xxx], but it has also been implicated in several other operations. These include the DarkSeoul attacks against South Korean infrastructure[xxxi] and spreading malware to create botnets for denial-of-service attacks[xxxii]. Many experts also believe North Korea is attempting to use its cyber program to finance its regime in the face of international sanctions: North Korean hacking groups have been tied to the WannaCry ransomware attack and the theft of $80 million from a bank in Bangladesh[xxxiii], and may also be targeting the cryptocurrency Bitcoin[xxxiv].

At first glance, China's hacking efforts may seem the odd man out in this group. China has taken little overt action online, although it is a prolific practitioner of cyber espionage. Its operations have not been confined to traditional government and military targets, frequently targeting private companies to steal intellectual property that may improve the competitiveness of China's state-run businesses[xxxv],[xxxvi]. However, it is known that China's military planning documents anticipate intensive network operations in the event of a war, and at least one analyst has argued that China's current actions are preparing it for exactly that[xxxvii]. China appears to think that the US needs the Internet more than it does, and that an exchange which leaves both sides' networks severely degraded is a net win for China. It is probably right.

If these trends are alarming, there is little reason to think they will not continue. There have been some promising signs. The indictment of five Chinese army officers for hacking American servers led to an agreement between President Obama and Chinese President Xi Jinping under which China would reduce its attacks against American companies[xxxviii], and attacks did seem to decrease in the wake of the agreement[xxxix]. However, a similar indictment of seven Pasdaran-affiliated Iranian hackers in 2013 has failed to yield similar results[xl], and efforts to confront Russia over its ever more brazen attacks have also stalled in the face of official stonewalling. More broadly, a number of analysts[xli] have noted that the West has largely failed in its attempts to address hybrid warfare incidents that fall short of the clear aggression required to form international consensus. Given the nature of the Internet, cyberattacks are likely to remain one of the most difficult of all incidents to provably attribute to a government. The relative newness of the Internet also means that international law on acceptable online behavior between nations is still very much unset. Absent strong new norms of what is and is not acceptable between nation-states in peacetime, it is likely that both the number and severity of these cyberattacks will continue to escalate.

What does this mean for cybersecurity professionals? The first and most important lesson we can draw is that in a cyberwar, everybody is potentially on the front lines. Cyberattacks from all nations have made little distinction between government-owned and private systems, instead choosing to strike wherever necessary to accomplish their goals. Private companies, especially those in key infrastructure settings, need to be prepared to compete with teams of government-sponsored hackers from around the world. Second, to whatever extent this is unrealistic, there must be closer cooperation between the public and private sectors. The government may need to provide assistance with network hardening, penetration testing, and threat intelligence, not to safeguard private profit but to preserve critical national infrastructure. This assistance should be tied to a set of legally enforceable standards to make sure those trusted with critical information are taking adequate precautions to safeguard it. Finally, on the policy level, high-level leaders should work to create new standards for what is and is not acceptable in terms of hacking between nations at peace. This will not be an easy task, requiring both a willingness to engage with nations who show openness to the new standards and to take a firm line with those who do not. But if we fail to do so, the cyber realm we trust with more and more of our data may become a new theater of war. And if that happens, everyone and everything on the global Internet could become collateral damage.
