Cyber terrorism: Waging war through the net
Feature

The cyber world has truly become the next geo-political battleground, and everyone is a target, says Trevor Reschke, head of Threat Intelligence at Trusted Knight

Throughout the Cold War, terrorism was generally conducted by various anti-communist dictators, Soviet-sponsored communist groups and anti-democratic Islamic regimes which, for the most part, had a regional impact. Concurrently, significant clandestine efforts between the superpowers, led by proxies and ‘advisors’, had a significant impact on global economics, security and politics. These clandestine efforts, or shadow conflicts, were fought by non-standard forces whose intent was to destabilise countries that held strategic value to the opposing superpower – or purely to harass and distract the other superpower into expending and wasting resources. Meanwhile, the world was transfixed by the very public arms race between East and West.

We now have an entirely new ‘arms’ race, one where participation is not limited to the superpowers but is open to rogue nations, terrorist organisations and criminal elements. These groups engage in both overt and clandestine activities, directly and indirectly supporting fringe governments with mercenary services to further their criminal, political and ideological goals.

We have entered an age where the risk, time, resources and funding required for traditional methods or operations provide significantly less return on investment than cyber efforts. In fact, the new cyber paradigm has the potential to cause significantly more damage to a target’s economic, political, financial, security and defence systems than any traditional method. However, the terror aspect has not materialised in quite the way we usually imagine it. Traditional terrorism has been seen to require significant loss of life to be effective. When it comes to cyber, the countries that possess the capabilities to carry out such an attack are unwilling to risk providing that access to fringe elements, even within a remote government, because of the potential global repercussions of those capabilities.

The invisible and untraceable threat
Much like the arms trade, there are mass-produced cyber weapons that usually originate from one of the superpowers. It’s now common to see malicious code that has been modified over time but whose heritage can be traced back to a handful of Russian criminal software developers. This malware is often bought by different criminal elements – from teenagers in their bedrooms to nation states – and adapted to specific needs, often to the point where whole new families of malware are born. By using known, serviceable malicious code, the attacker gains a significant level of covert status, as attribution is near impossible, especially when the target faces many threats.

That’s not to say attribution is impossible, but it is incredibly rare. To date, it has only been accomplished when the NSA and CIA have suffered internal leaks of their operational tools. Even then, as we saw with NotPetya, it’s not always possible. In the case of NotPetya, a newly leaked CIA exploit was used in an attack originally targeting Ukraine, but containment was lost and the attack incidentally spread to many parts of the EU. It is widely believed that Russia was behind the attack, given that the original target – Ukraine – was engaged in traditional combat missions with ‘not-Russian’ soldiers, but it has never been proven.

This level of capability dispersal is part of a larger campaign by nation states, particularly Russia, to cloud the attribution of attacks associated with government resources. This is similar to the spread of the AK-47, a weapon whose use was so widespread that its provenance gradually became blurred. In the cyber world, for example, it’s now suspected that well-known hacks, such as the Sony hack, were not the work of the North Koreans but in fact attributable to another source. North Korea had nothing to lose by accepting responsibility for the hack. In fact, it was a boon to the country’s status in the eyes of the world, as most nations lack the capability to execute an attack of that magnitude. This gave North Korea a seat at a cyber capabilities table which still only has a select few nations sitting at it, thus allowing it to use the fear of cyber-attacks in retaliation for sanctions.

This illustrates the use of cyber capabilities in the modern world for terroristic purposes. With minimal risk of losing assets and the ability to mask the identity of the perpetrator, cyber attacks are the perfect weapon. Perpetrators are able to select targets that will cause significant strategic and financial damage, usually at magnitudes beyond what a traditional attack could inflict, and with little risk. While this initially seems like a neutered capability without the fear component, consider that traditional attacks risk capture and defeat during the planning, recruitment and coordination phases, as well as swift and significant retaliation for loss of life if successfully executed. Cyber attacks typically go un-countered; in fact, there has never been a case where another nation has invaded or taken up arms over a cyber attack, despite most large-scale attacks causing more monetary damage, and more frequently on average, than most traditional terror attacks.

There’s no safety in numbers
Denial of Service (DoS) attack capabilities consist of a large collection of systems that have been compromised and then sent commands which enable them to send network traffic to a specific target. For example, if I have 100 user systems, I can use a control panel to send a command to all 100 systems telling them to send traffic to a specific website at a specific time, in order to use up all the targeted system’s resources or to generate enough traffic to raise the cost of owning the site. In real life, the number of compromised systems used in this type of attack starts in the hundreds of thousands and can grow into the millions. In the last few years, technical exploits and techniques that can magnify this traffic and create mega attacks have also emerged, vastly expanding the possibility for serious damage.
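The defender-side signature of the pattern described above is many distinct sources converging on one destination at the same moment. The following is an added example, not from the article, that flags such surges in constructed flow records by counting distinct sources per destination per time window; the record format, the window size and the thresholds are assumptions.

```python
from collections import defaultdict
from statistics import median

# Constructed sample flow records: (timestamp_seconds, source_ip, destination_ip).
# Seconds 0-59: a quiet baseline of five legitimate clients talking to 203.0.113.10.
# Seconds 60-61: 200 distinct bots (the 'compromised systems' above) hit the same
# host at the same moment on command. All addresses are RFC 5737 documentation ranges.
SAMPLE_FLOWS = [(2 * i, f"198.51.100.{i % 5 + 1}", "203.0.113.10") for i in range(30)]
SAMPLE_FLOWS += [(60 + (i % 2), f"192.0.2.{i}", "203.0.113.10") for i in range(1, 201)]
SAMPLE_FLOWS += [(61, "198.51.100.9", "203.0.113.20")]


def detect_coordinated_surge(flows, window=10, min_sources=50, min_ratio=5.0):
    """Flag (dst, window_start, distinct_sources, flow_count) for every window in
    which a destination is contacted by far more distinct sources than usual.

    The signal is source diversity, not raw volume: one misbehaving client can
    generate thousands of flows but only ever counts as one source, whereas a
    botnet shows up as hundreds of sources appearing together.
    """
    per_window = defaultdict(lambda: [set(), 0])  # (dst, win) -> [sources, count]
    for ts, src, dst in flows:
        bucket = per_window[(dst, (ts // window) * window)]
        bucket[0].add(src)
        bucket[1] += 1

    # Baseline per destination: median distinct-source count over all its windows.
    per_dst = defaultdict(list)
    for (dst, _), (sources, _) in per_window.items():
        per_dst[dst].append(len(sources))
    baseline = {dst: max(median(counts), 1) for dst, counts in per_dst.items()}

    alerts = []
    for (dst, win), (sources, count) in sorted(per_window.items()):
        distinct = len(sources)
        if distinct >= min_sources and distinct >= min_ratio * baseline[dst]:
            alerts.append((dst, win, distinct, count))
    return alerts


if __name__ == "__main__":
    for dst, win, distinct, count in detect_coordinated_surge(SAMPLE_FLOWS):
        print(f"{dst}: {distinct} distinct sources, {count} flows in window starting t={win}s")
```

On the sample data only the 60-second window against 203.0.113.10 trips the check; a single client sending the same volume never does, because it counts as one source.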

The collection of compromised devices used to perform these forms of attack is easily accessible to anyone (nefarious individuals, groups, nation states) who knows where to obtain them and has the funds. There are no other requirements or restrictions.

This denial of service capability is used to target political sites, social causes, gaming and gambling sites, and a smattering of other issues or causes from which the attacker can collect money or through which they can damage someone. In fact, in 2017 we saw DDoS attacks used more and more frequently as a tool of political struggle. The Qatar crisis was accompanied by an attack on the website of Al Jazeera, the largest news network in the area. The Le Monde and Le Figaro websites were targeted in the heat of the presidential election in France, and in Great Britain, during the Brexit voter registration process, some citizens were excluded from the referendum because of continuous attacks on the website.

No skill required
In today’s cyber climate, attacks can be launched by almost anyone, with no level of skill required other than being able to access the ‘dark web’. Cyber crime has become commoditised, and almost any element of an attack chain can be found for purchase or hire. Among the many purely criminal services available on the ‘dark web’ and in the true cyber underground, several easy-to-acquire services are hacking for hire, compromised server access and harvested credentials.

These three services alone can be used to gain enough access to further your way into a specific targeted organisation. To illustrate this, during one of my intelligence efforts in the past, I had revolving access to targeted control panels: servers which were used to collect information from systems compromised by various criminal groups. One particular server contained information from a few hotel business centre computers. These computers were used by a handful of NASA JPL employees, while at an offsite conference, who accessed their work webmail and then their private email accounts, allowing me to harvest enough personal information on several scientists to target them individually and likely expand my access into their personal devices, and very likely their office computers, including the credentials to both their personal and work email accounts. As a ‘bad guy’, this would be the ultimate objective in obtaining a foothold inside a strategic target. I could do this simply by acquiring access to a run-of-the-mill criminal control panel for malware harvesting random credentials.

To illustrate the potential reward of cyber attacks, the web application used by the US government to collect and process security clearances was hacked, and all individual background investigation packets were stolen over a significant period of time. These packets contain all the derogatory information on each applicant, their entire work history, their associates and friends at each stop, and very private personal information. This level of information on a single individual or office would take a significant amount of time and resources to acquire through another nation’s espionage effort – and even longer, or be near impossible, for a terrorist group or fringe nation. With one flaw in the web application design, decades of traditional effort were overcome.

A solitary defence
Although awareness of the cyber threat has grown, many institutions do not fully recognise the evolving threat of cyber actors, as the techniques, tools and methods are moving targets that advance quickly, making it difficult to rely on the ‘static security’ of the past, such as lock it and forget it. The cyber world has truly become the next geo-political battleground, and regardless of whether you are a government or financial institution, commercial entity or individual, everyone is a target, and currently we all stand apart, on our own to defend ourselves. Something to consider: are the superpowers drunk on the information they collect through their own cyber capabilities to the point that they allow commercial and personal cyber damage from other nations as a cost of doing business?