For decades, cyber warfare has been a constantly evolving phenomenon. While not the first, the example that immediately jumps to mind for most is the infamous 2010 Stuxnet hack. An immensely complex operation that managed to subtly disrupt Iranian nuclear centrifuge operations, Stuxnet completely warped our understanding of cyber capabilities as a weapon. While conventional weapons could have halted Iran’s nuclear development program through the use of force, they could never have done so without igniting a global conflict. Thus, cyberweapons have become the tool of choice for disrupting the operations of geopolitical adversaries, specifically because of their plausible deniability and discreet nature. With tensions rising in eastern Europe and a history of aggressive state-sponsored cyberattacks in the region, we think that now is a good time to look at what we see today and what the future might look like in the domain of cyberwarfare.
Who, how, and why?
To do this, we need to understand the motivations behind the use of discreet cyberweapons. International relations, especially between adversarial entities, typically manifest as a game of political posturing, tit-for-tat retaliation, and a pursuit of prestige on the world stage. Cyberweapons are just the latest tactic in this age-old game, and their use allows nations to flex their cyber capabilities in a subtle way that leaves room for plausible deniability.
While APT groups are typically named and categorized by their nation of origin, and though it is usually understood that these groups are state sponsored, the link is usually tenuous enough to allow the state in question to absolve itself of responsibility. Even so, the state still gets the worldwide press coverage that comes along with these big cyberattacks. In the arena of political gamesmanship, showing the world that you have the capability to take out a rival nation’s energy grid or shut down its water treatment plants is a big show of force without the political ramifications of actual military action. Further, it shows the world that the victim may not be able to protect itself from hostile cyberattacks.
Target selection and how cyber campaigns have been employed historically
This means that the incentive for hostile actors is to prioritize large, obvious targets whose loss of availability has big ramifications for the population, though preferably without undue harm to citizens. Therefore, critical infrastructure is perhaps the most desirable target of state-sponsored cyberattacks. Just this week, CISA published guidelines for critical infrastructure organizations to help protect against foreign influence and misinformation campaigns. The most obvious example, and perhaps the most pertinent given recent tensions in eastern Europe, is the successful attack on three Ukrainian power distribution companies that resulted in loss of power for over a million citizens on the 23rd of December, 2015.
According to the ISA, the attack started 8 months prior when BlackEnergy, an information-gathering malware suite, gained access to the network of the power distribution company Prykarpattya Oblenergo via a tainted Excel email attachment. Following extensive network surveillance and information-gathering operations, the attackers launched the full attack two days before Christmas by remotely powering off critical switches in the distribution network. Doing so took dozens of power substations offline, leaving over a million Ukrainians without power just days before Christmas. Additionally, the malware locked the network operators out from regaining control by wiping hard disks (via KillDisk) and overwriting Ethernet interface firmware with random blocks of code, effectively destroying any chance that the operators could regain control of the distribution system.
The security takeaways from this specific attack aren’t very relevant to the topic at hand, but it demonstrates the political value of targeting this kind of critical infrastructure. Today, it is generally agreed that the attack was Russian in origin, though some debate whether it was a state-sponsored attack or retaliation by Russian energy oligarchs for Ukraine’s attempt to nationalize its power grid. For weeks, the aftermath of the attack was paraded on news stations globally, which was fantastic publicity for Russia’s cyber capabilities and no doubt the intention.
The role of misinformation in modern cyber warfare
With increased technological prowess, misinformation has also become a preeminent concern for cyber professionals. Propaganda and misinformation have long been established practices in times of conflict, but with modern communications and the decentralization of media consumption, they have never been more prominent. Whether it be social engineering attacks to obtain privileged data or outright disinformation to muddy the news environment, disinformation is front and center in modern conflict. In just the last two weeks, the United States uncovered a plan by the Kremlin to fabricate an attack by Ukrainian forces, according to the Associated Press. Pentagon spokesperson John Kirby said that the Kremlin planned to use staged explosions and crisis actors to fabricate a pretext for Russian military action in the guise of retaliation for this false attack. But this is only the latest instance of misinformation, as the Pentagon has stated that Russia has launched an immense social media disinformation campaign against Ukraine in recent weeks.
With this, we can now see a clearer picture of what peacetime cyberweapons look like. They largely focus on disrupting adversaries’ operations, obtaining wall-to-wall media coverage for political gain, or changing the media narrative through disinformation campaigns, all under the veil of plausible deniability that the pseudonymous nature of digital communication affords them. For now, we can only speculate about what these cyber operations might look like in wartime, and prepare ourselves by gaining better visibility into our security posture, maturing our processes, and ensuring that critical infrastructure and systems are as resilient as they need to be.