91ɫƬ

Fog of cyberwar: How nations really attack each other online

This is the age of world web wars, with nation states engaged in an arms race of cyber weapons. But the game is more shadowy than warmongers make out

Fog of cyberwar: How nations really attack each other online

(Image: Alex Williamson)

WHEN the attacks came in late April 2007, they were silent and sudden. Government websites disappeared. National newspapers and banks dropped offline. Name servers – the address books of the internet – stopped responding. A few days earlier, the Estonian government had removed a Soviet-era war memorial from the capital Tallinn. In response, Estonia was cut off from the internet. Never before had the digital infrastructure of a country been targeted so broadly by retaliatory cyberattacks. The incident became known as Web War 1.

It wasn’t the last. Georgia, 2008: as Russian troops advance across the Georgian border, Russian hackers knock out government websites and block media outlets. Iran, 2010: the Stuxnet computer virus – widely thought to have been deployed by the US, Israel or both – damages hundreds of centrifuges in a uranium enrichment facility in Natanz. US, 2014: in the biggest corporate attack ever, Sony Pictures Entertainment has its computer system hacked and data stolen, resulting in enormous losses; the US accuses North Korea. US, 2015: government computers are attacked and files on 4 million employees are stolen; the US accuses China and suspects the personal details will be used in future attacks.

President Obama has said that cyberattacks are one of the biggest threats facing the US. Earlier this year, . Meanwhile, US director of national intelligence, James Clapper, says Russia is setting up a military cyber base and that the West faces a growing threat from the likes of Iran, China and North Korea.

The impact of a full-blown cyberattack could be devastating: in a networked world, everything from power grids to air traffic control systems are potentially at risk. But defending yourself is expensive. Obama would like to spend $14 billion on cyber defence in 2016, up from $1 billion two years ago. This could rise to $150 billion by 2020. Is it worth it? Is worldwide cyberwar already under way, with state-sponsored hackers and rogue nations out to cripple their enemies? Or are things more complicated – and less scary – than the hawkish rhetoric implies?

Cyberspace sounds bright and futuristic, but the truth is it’s decidedly murky. Getting a clear picture of what’s going on is tricky. What is certain, though, is that cyberattacks happen all the time. Last year, security outfit Norse made public a real-time – bogus targets designed to pick up attacks levelled at a range of real systems. They show thousands of attempts every day.

A hacked Twitter account or defaced website can be embarrassing, but these are the equivalent of spray-painting an advertising billboard. All you need to do is hack a login. The real damage comes when malicious software gets inside a computer system and runs without the owners’ knowledge or permission. Once in place, this “malware” can do what it was built to do: steal data, provide access to connected devices so they can be controlled remotely, change the way a system operates or shut it down, and so on.

That code can get onto a target machine in a number of ways. The Stuxnet virus, for example, is thought to have been introduced to the Iranian nuclear facility via a USB stick, damaging the Iranian centrifuges by making them speed up and slow down.

Another approach is to target unimportant computers as a stepping stone to important ones. In Sony’s case, employee login details stolen in the course of a phishing campaign were later coded into the malware so the program could effectively log itself in to Sony computers (see “Internet pawns“). Once inside the company’s computer network, the hackers made off with 100 terabytes of data, including details of unreleased films and the private emails of company executives.

The group claiming to be responsible for the breach, Guardians of Peace, then demanded that Sony cancel the release of blockbuster The Interview. The film follows a US talk show host and his producer as they are recruited by the CIA to assassinate the leader of North Korea, Kim Jong-un. In an unprecedented move, Sony gave in to the hackers’ demands – although they later went ahead with the release.

“The Sony hack was a huge hack,” says Robert Graham at Errata Security. “We’ve never really seen that before, that sort of maliciousness.” We are likely to see it again, though, and the costs of such attacks are growing (see chart, below). This case soon escalated into something more than corporate sabotage, however. Treating it as an international incident, the FBI was quick to point the finger at North Korea. But many – including Graham – believe that good evidence for this accusation has yet to be released. Tracing the origin of cyberattacks is notoriously difficult. Some of the attacks on Estonia and Georgia were carried out by US computers, for example, which had been repurposed without their owners’ knowledge.

30280401

Graham is more concerned with preventing such attacks than playing the blame game. For more than a year now he has been scanning the internet for vulnerable systems. He has set up software to send a special message to all publicly accessible devices connected to the internet, designed to test for known ways hackers could gain control.

When the results come back he effectively gets a list of systems open to attack. These could be anything from power station machinery to traffic lights to office printers. Graham chose to set up his own test, but scanning the internet for vulnerable devices has never been so easy. An online tool called Shodan, which operates like a search engine but for computers rather than websites, lets anyone find out which systems are open to attack. “There is just an immense amount of stuff that people don’t know they’re leaving open on the internet,” says Graham.

“Scanning the internet for vulnerable devices has never been so easy”

What security professionals see scares them. “If I wanted to crash planes in the air, I could do that,” says Stuart McClure. It’s a remark that would sound chilling coming from most people, but coming from McClure it has an even greater resonance. In February 1989, McClure, along with 345 other passengers and crew, survived a deadly aviation disaster on a flight from Hawaii to New Zealand. Just minutes into the flight, at an altitude of 22,000 feet, a design flaw in the aircraft’s cargo door led to a pressure differential that blew it out, taking a huge section of fuselage with it. Ten seats in business class, and nine passengers, were ejected from the plane.

Human flaws

This catastrophic event has stayed with McClure ever since. He is now a cyber security researcher at Cylance, and the event has had a direct impact on his professional life. “Security by its very nature is basically trying to stop somone taking advantage of a design flaw,” he says. “These flaws aren’t just random, it’s because humans mistakenly designed it this way.”

It’s an attitude shared by his peers. “Every time I read the news about some incident, some issue with industrial equipment or missing planes, I think to myself, ‘How computerised was that system? Were they connected to the internet or not?’,” says Vitaly Kamluk at security firm Kaspersky.

In a recent report, Norse detailed a worrying rise in foreign states targeting medical equipment in US hospitals. But this isn’t an attempt to shut down MRI scanners or X-ray machines. Instead, it turns out that internet-connected machinery like this is relatively easy to hack into. It can then be used as a staging post to launch malware that infiltrates other systems, such as those in a bank. The malware can send stolen data back to the hospital systems for delivery to whoever planted it there. Installing a sleeper agent in a trusted network blurs the origins of the attack and makes it easier for hackers to remain hidden.

Making matters worse, information about such weaknesses is bought and sold commercially. Malta-based ReVuln is one company that provides governments with information on previously undetected vulnerabilities in industrial machinery. CEO Luigi Auriemma says that the firm is focused on finding vulnerabilities in software used in critical infrastructure, such as power stations. The information can help to make systems more secure. But it can go both ways. Auriemma is unwilling to say exactly what kind of exploits or attacks a government could launch based on information purchased from ReVuln. But one focus is looking for ways to execute code remotely.

Then there’s Hacking Team, based in Italy, which provides espionage software to governments around the world. The firm won’t divulge which governments have the software, but spokesperson Eric Rabe says it works by intercepting communications so that law enforcement investigators can snoop on criminals and fraudsters more easily. Some have alleged that Hacking Team’s products have been used to spy on peaceful activists, but Rabe stresses that the company vets potential clients.

Another new worry is the rise of terrorist hackers. “There are several hackers with skills and experience who have joined groups like ISIS,” says Mikko Hyponnen at security firm F-Secure in Helsinki, Finland. “It’s an educated guess they’re not joining to shoot with rifles.”

The US government has never shied away from rhetoric that suggests cyberwar is upon us. In a recent strategy document published by the , the US sets out its aim to develop significant offensive capabilities to deter and protect against the growing risk of an attack: “A disruptive, manipulative or destructive cyberattack could present a significant risk to US economic and national security, if lives are lost, property destroyed, policy objectives harmed, or economic interests affected.”

Such a scenario was conjured by a North Korean defector last month, who claimed that North Korea was capable of knocking out critical infrastructure, possibly with fatal consequences. Indeed, if hospitals, banks and transport systems stopped working, things would be dire. But on the evidence so far, the scenario is highly unlikely. And despite the great number of sitting ducks out on the internet, big attacks like that on Sony are very rare. Critical services continue to function. Bank accounts remain accessible. The internet is largely reliable.

For Thomas Rid at King’s College London, talk of cyberwar is already outmoded. “Usually when somebody uses the phrase they’re not someone who actually knows what they’re talking about,” he says. “It’s almost a giveaway for people who have limited insights.” Rid has written a book called Cyber War Will Not Take Place in which he argues that a lot of what have been considered acts of war in cyberspace are nothing of the sort. Rather they are just continuations of the information games states have always played in an attempt to upset the balance of power without having to unleash the full force of traditional conflict.

Rid points out that even much-discussed malware like Stuxnet, one of the most sophisticated cyber weapons ever, didn’t have the impact many might have expected. “If you measure Stuxnet on its pure merits, by how many years did it delay the Iranian nuclear enrichment programme?” he asks. “Did it stop it? No. If anything, it seems to have hardened Iran’s determination.”

For many, the real danger of cyberwar isn’t the hacks themselves, but the irritation they cause state leaders. Nigel Inkster, a former British Secret Intelligence Service officer who now works for military think-tank IISS, says that confusion over where attacks come from alongside revelations about cyber espionage could one day provoke more traditional attacks between states. “Is there a risk that red lines will inadvertently be crossed in ways that lead to escalation?” he asks. “Particularly if we’re talking about states that have space-based and nuclear capabilities.”

But nuclear bombs have only ever been used twice – and by the same logic, any truly destructive cyber weapon is unlikely to be used. There is also an incentive for cyberattacks to be surreptitious, as tools of espionage to steal state secrets, rather than explosive. This is what the US National Security Agency, the UK’s GCHQ and the Chinese equivalents spend their time on.

Just last month, for example, Kaspersky revealed that they had caught state-sponsored malware known as Duqu 2.0 trying to spy on their own computer network. The discovery led to the further revelation that Duqu had also been used to spy on computers at hotels used by delegates of recent talks on Iran’s nuclear capabilities.

We know that computer systems are vulnerable to attack. But identifying vulnerabilities is one thing – what happens next is much harder to predict. Malware might simply linger on a network, listening in. And not all vulnerabilities will be exploited. Ultimately, it makes sense to be alert to what’s possible. But to talk of states hacking states misses the fact that cyberwar isn’t an event. It is the background noise of our connected world.

Cyber spooks

1998 Moonlight Maze

Computers at the US Pentagon and NASA are spied on by software of unknown origin for two years. Military secrets are thought to have been stolen.

2003 Titan Rain

Computers at NASA and the FBI are spied on for at least three years. The US blames China, causing friction between the two countries.

2007 Web war 1

Cyberattacks shut down Estonia’s internet.

2010 Stuxnet

Discovery of a sophisticated computer worm thought to have damaged an Iranian nuclear facility. It was also reportedly used against facilities in North Korea, unsuccessfully.

2014 Sony Pictures Entertainment hacked

Data on unreleased films stolen, North Korea blamed.

2015 US government breach

Files on millions of public employees stolen from US government computers, including employees’ financial details, history of alcohol and drug use and contact information.

Internet pawns

Many cyberattacks – including those against the US government last month and Sony last year – are thought to have been carried out with the unwitting assistance of humans.

“We’ve had times when we’ve gone in to a system and the customer has thought everything is fine,” says Steve Lord of Mandalorian Security Services. “But you get there and it looks a bit odd – there are all these strange files everywhere.” This is often a calling card left behind by software that shouldn’t have been there. For people like Lord, it’s like finding a muddy footprint or lipstick on a glass.

So how can we keep intruders out? For a start, software should be kept up to date. When websites get vandalised, for example, the culprit is often a loophole in the software it uses that allows hackers to “inject” commands into the databases behind those sites.

Simple tricks such as phishing attacks – in which people click on a link that triggers something harmful – can be used to breach defences. Being alert to such tricks helps, yet a recent YouGov survey showed that only 6 per cent of employees receive training about phishing scams. Other helpful steps include frequently changing passwords and using two-factor authentication – which requires two login steps rather than one, as when using both a bank card and PIN to withdraw cash.

Topics: Computer crime