This article reflects the lecture for CIS5930/CIS4930 “Offensive Security” at the Florida State University, covering some of the events that compose the history of what’s called “cyber warfare”.
Today’s lecture is about that term: cyber warfare, the history of it, the public perception of it, the reality and the problems we face.

So, here we are in 2013, and the big buzzwords are: big data, the cloud, and everything being connected. We have zettabytes of information generated each day, and we’re only analyzing 1% of it. Everyone’s thinking about more effective ways of analyzing the other 99%. That 99% comes from all these new technologies that are being connected together; toasters are now connected to the Internet, perhaps, if you buy the right model. Before I go on, I want to have a disclaimer saying that the views I present in this lecture are not the opinions of my employers, nor is most of this really even my own opinion. Every single thing I say is backed by a news article saying: “This is what happened”. So this is just a lecture based on observation. We’re going to go over a brief history, we’re going to talk about advanced persistent threats, we’re going to talk about the weaponization of 0-days, basically cyber weapons, critical infrastructure problems and the Internet of things, the problem with perception and attribution, and we’re going to end with a debate on policy. This is not a complete history of cyber warfare, but I tried to go over a lot of really interesting events. I certainly don’t capture all the things that are going on in Europe and Asia; this is more of a Western perspective.
The events that I’m going to talk about belong in this history of cyber warfare because I consider them either to be covert operations between nations or groups, part of a civil war or revolution, or in some way related to governments, or government vs. insurgents. The definition of insurgent, from Merriam-Webster I think, is a person who revolts against civil authority or an established government. So it’s interesting to think how that could be skewed for political reasons.

Cyber warfare is essentially politically motivated hacking to conduct sabotage or espionage (see right-hand image). Sabotage could be disruptive activities, like DDoS. It could be actually destructive activities, like deletion of IP. It could be censorship. Espionage could be in support of more real-world espionage, for example “doxing” targets. “Doxing” basically means finding out who someone is online. So, if you have a forum username, finding out their actual identity would be “doxing”. That’s just a term that’s been used throughout the ages. It could also be stealing industrial intellectual property, spying on financial systems, and so on. The history of cyber warfare dates back to the cold war (see left-hand image). In 1982 there was a rather interesting event called the Trans-Siberian Soviet Pipeline Sabotage. Essentially, if I get all my facts right, there was a massive KGB operation called Line X. The Soviet empire was a couple of decades behind on technology and microelectronics design, and they aimed to bridge that gap by stealing all the IT for everything from the West. They trained basically an army of scientist moles to infiltrate companies and agencies and steal blueprints.
The CIA was tipped off, and it’s a story that you can read about if you go to the link here. Basically, someone inside the KGB flipped and gave up all these moles. Knowing who they all were, the CIA made the most brilliant counter-intelligence move they could have made. They had a choice: find all the moles and arrest them, and the operation is ruined.

What they decided to do instead of arresting them was to let them keep operating, but feed them bad info: feed them schematics for things that they could build, but that would fall apart a week, a month, maybe a couple of months into production. This sabotaged Line X from the inside, because the KGB started doubting the veracity of the information given to them by their own moles, and the whole thing just kind of fell apart.
So it was an excellent choice. What happened with the Soviet pipeline is that the CIA was tipped off that a KGB mole was aiming to steal the SCADA system blueprints for pipelines, big natural gas and oil pipelines, and that they were going to use them somewhere in Russia.
So what the CIA did is they went to the company and were like: “Hey, you have this guy who’s stealing your stuff, so fire him, but give him this document instead”. The document had a little bug in the code; it was basically a logic bomb that was set to fail. Now, they didn’t really plan for it to go this way, but the Russians took it, built it, and implemented it in their backbone for natural gas and oil coming from Siberia. The result was that the pipeline exploded at a critical fork. The resulting explosion was 1/3 of the size of Hiroshima, and our systems actually detected it and we thought it was a nuclear launch, so it was pretty funny. It’s a good read anyways.

So, that goes back to 1982. In 1999, during the Kosovo War, a NATO jet actually bombed the Chinese Embassy in Belgrade (see right-hand image). They bombed it because it was providing communication support for the Yugoslav Army. 12 hours later the Chinese Red Hacker Alliance was formed, basically among Chinese citizens, and they have been active ever since.
Essentially they all gathered together on IRC channels and whatnot, and in a basically patriotic effort launched massive cyber attacks against NATO countries at the time. So, essentially, they took down US Government websites, English websites, everything else, as many as they could. This is important to talk about, because it culturally marks a much different atmosphere about hacking in the East, where it can often be seen as a patriotic thing to do; we’ll talk about that in a few slides.

That brings us, jumping way ahead, to 2007 (see left-hand image). Estonia had a park with some old Soviet memorabilia in it, including a bronze statue of a World War II-era Soviet soldier. It was removed from the park, and that offended many Russian citizens in the Russian Federation. So, allegedly, what happened in response is that a combination of government organizations and Russian citizens collaborated to take down the Estonian Internet. The Russian government officially denies any involvement, but some describe it as the first actual war in cyberspace, because it was a month-long campaign of nation-scale distributed denial-of-service and targeted hacking. A year later we saw the Russo-Georgian war (see right-hand image), and it’s noteworthy because there were combined cyber and kinetic attacks at the same time: basically, websites would get DDoS’ed, perhaps to distract the enemy, and then the tanks would flank around and take the city.
So, it was a very interesting read. For the required reading, which I will probably have listed properly on the right day, I have a number of articles showing how forensic investigators in Georgia actually tracked down and doxed many of the Russian hackers. They were operating across the street from, basically, one of the main FSB sites. So, it’s an interesting read and it has some interesting implications.
In December 2008 there was Operation Cast Lead, and this was also simultaneous cyber and kinetic attacks, launched by Israel against Hamas. They would DDoS websites, take down communications, perhaps forums or IRC channels, and at the same time apply kinetic force: troops moving in, tanks, artillery, etc.
So, the targets in both of these attacks included both state and non-state civilian actors, which is interesting. And it raises some questions about the ethics of cyber war. What is off limits?

So, in 2009 there was a coordinated DDoS of the financial sector (see left-hand image), and we still don’t know who did it. Suspects include North Korea and criminal elements from the United Kingdom, and it was never really solved; it is still a mystery today.
From 2009 to early 2010, the Tulip Revolution II was basically the culmination of months of unrest leading up to Kyrgyzstan’s second revolution. Essentially it involved a government cyber-crackdown on dissidents: the government would target its citizens who happened to be expressing dissident opinions, dox them, find them out online. In one incident, Gennady Pavlyuk’s email got hacked, and then they tracked him down and killed him. What happened in the revolution is that the government was basically overthrown.

This brings us to WikiLeaks (see right-hand image). Starting in April 2010 it has had a number of leaks. It’s not necessarily cyber warfare, but it definitely influenced cyber warfare and cyber warfare policy, because this was the largest known leak of classified documents ever. Since Bradley Manning just confessed, I can say: imagine if Bradley Manning had taken it and sold it to another country instead of giving it to WikiLeaks; we would be none the wiser. But because he took it and gave it to WikiLeaks, everyone’s wiser about insider threats now. We still lost all that information, but at least we know we lost it. If he had sold it, he could probably have bought his own island, we’d all be none the wiser, and some other country would know all our secrets.
So, on the US government side, this was as big as 9/11 for obvious reasons: it woke everyone up to insider threats. But it’s interesting that the act of leaking all these documents on the Iraq and Afghanistan conflicts actually caused collateral damage. The Taliban used this information to find all the informants they could and execute them. There are a number of articles that you can find about that.