News & AnalysisNewsletterSecurity

Online Pandemic: When Countries Infect Each Other in Cyberspace

cybercrime

A decade ago, the world was caught off guard when news broke out that a computer virus had infected industrial sites in Iran. Named Stuxnet, the virus spread when a worker inserted an infected USB drive into his computer. One of the affected industrial sites was a nuclear plant in Iran.

Iran, according to security firm Symantec, bore the brunt of the virus with nearly 59% of the attacks directed at it. India, too, was impacted with 8.31% hits.

In October 2011, another worm called W32.Duqu was created from the same code base as Stuxnet that was primarily designed to sabotage industrial machinery. Duqu, on the other hand, was geared for information theft, specifically information related to industrial systems and other secrets.

In May 2012, researchers discovered a more potent virus christened W32.Flamer (also called sKyWIper and Wiper). This time, too, the worm’s primary target appeared to be Iran and other West Asian countries.

On 23 November 2014, Symantec alerted the world to the presence of the a remote access trojan (RAT) called Regin that was spying mostly on individuals and small businesses besides targeting telecom networks, airlines and even governments.

These computer viruses had a clear agenda. They all were heralding the age of cyber espionage. Moreover, they were also sending out a strong message, signaling that the geopolitical battle that countries fought regularly with arsenal like weapons, physical wars, trade wars and economic sanctions were now going to be fought online too with sophisticated cyberattacks.

For instance, the United States and Israel were alleged to have been responsible for the spread of the Stuxnet virus in Iran even though no clear evidence has emerged to support this view. However, if the idea was to deliver a blow to Iran’s nuclear programme, then Stuxnet performed the task effectively lending credence to the above theory.

Stuxnet, believed to have been in the works for at least 4-5 years (around 2005) before it was finally let loose on Iran in July 2010, targeted Supervisory Control and Data Acquisition (SCADA) devices and critical infrastructure. The virus has the potential to play havoc with Programmable Logic Controllers (PLCs) that are responsible for exchanging information between computers and industrial machinery. Thus, Stuxnet could alter the programming of PLCs and consequently destroy delicate equipment, which it did in the case of Iran.

Flamer, according to security firm Kaspersky, executed a complex set of operations including sniffing network traffic, taking screenshots, recording audio conversations, and intercepting keyboards.

Geopolitics in cyberspace

The above-cited examples are only a case in point. Even as our world is grappling to come to terms with the Covid-19 pandemic, there’s another pandemic that is plaguing cyberspace. And it’s only getting worse as computer viruses become more sophisticated and are being used by countries to attack rival nation states.

Do we have enough evidence to back such claims? The Center for Strategic and International Studies (CSIS) has documented hundreds of cases of “significant nation state-sponsored cyberattacks” spanning the last 15 years. In November, for instance, the U.S. Cyber Command and NSA launched cyber operations against Iran “to prevent interference in the upcoming U.S. elections”.

Palestinian Islamist political organization, Hamas, allegedly used a secret headquarter in Turkey to launch cyberattacks and counter-intelligence operations on Israel, according to CSIS. And suspected Chinese government hackers “conducted a cyber espionage campaign from 2018 to 2020 targeting government organizations in Southeast Asia”.

Even security firms with their impressive online arsenal are not being spared and falling prey to hackers.

On December 8, for instance, cybersecurity firm FireEye said it had been hacked and that its clients, which include the U.S. government, had been placed at risk. According to FireEye, “A highly sophisticated state-sponsored adversary stole FireEye Red Team tools.”

Red Teams and Blue Teams represent attackers and defenders in this simulated cyber attack. The idea is to exploit security holes and show how to plug these gaps, an exercise that is similar to what ethical hackers too. A Red Team, according to FireEye, comprises security professionals who are authorized to simulate a potential attack on an enterprise in a bid to improve enterprise cyber security. The defenders (Blue Team) learn how to counter these attacks in an operational environment.

FireEye has been performing Red Team assessments for its customers for over 15 years. “In that time, we have built up a set of scripts, tools, scanners, and techniques to help improve our clients’ security postures. Unfortunately, these tools were stolen by a highly sophisticated attacker,” the firm said on its website.

Even as it released “hundreds of countermeasures” to contain the potential abuse of these Red Team tools, FireEye put the blame squarely on “a highly sophisticated state-sponsored adversary”.

US under attack?

In December, multiple U.S. agencies and private firms were breached by Russian hackers who compromised software provider SolarWinds. The company’s software users include the Centers for Disease Control and Prevention, the U.S. State Department, the U.S. Justice Department, parts of the Pentagon and several utility companies.

“This attack was (a) very sophisticated supply chain attack, which refers to a disruption in a standard process resulting in a compromised result with a goal of being able to attack subsequent users of the software…We’ve been advised that the nature of this attack indicates that it may have been conducted by an outside nation state, but SolarWinds has not verified the identity of the attacker,” reads a SolarWinds advisory to its clients.

In a December 17 note, Microsoft president Brad Smith pointed out that based on telemetry from Microsoft’s Defender Anti-Virus software–which identifies customers who use Defender and installed versions of SolarWinds’ Orion software containing the attackers’ malware– roughly 80% of SolarWind’s customers are located in the U.S. Moreover, “the initial list of victims includes not only government agencies, but security and other technology firms”, Smith added in this note.

“This is not “espionage as usual,” even in the digital age. Instead, it represents an act of recklessness that created a serious technological vulnerability for the United States and the world. In effect, this is not just an attack on specific targets, but on the trust and reliability of the world’s critical infrastructure to advance one nation’s intelligence agency…it also provides a powerful reminder that people in virtually every country are at risk and need protection irrespective of the governments they live under,” Smith said.

Thomas P. Bossert, who was the homeland security adviser to President Trump and deputy homeland security adviser to President George W. Bush, wrote an opinion piece about this issue in The New York Times on December 16. Among other things, he claimed that “evidence in the SolarWinds attack points to the Russian intelligence agency known as the S.V.R.”

“An intrusion so brazen and of this size and scope cannot be tolerated by any sovereign nation. We are sick, distracted, and now under cyberattack. Leadership is essential,” Bossert concluded in his article.

Speaking on the ‘Mark Levin Show’, U.S. Secretary of State Mike Pompeo corroborated this theory, alleging Russia’s hand in this hack. President Donald Trump, however, played down this threat in a tweet, and termed this line of thinking as a creation of a ‘lamestream’ media. In contrast, U.S. President-Elect, Joe Biden, asserted, “There’s a lot we don’t yet know, but what we do know is a matter of great concern…Our adversaries should know that, as President, I will not stand idly by in the face of cyber assaults on our nation.”

AI, IoT will only queer the pitch

Incidentally, Smith made another significant point when he noted that these sophisticated nation-state attacks are being enhanced with artificial intelligence (AI). The technology is a double-edged sword. On the one hand, AI will help in tackling cybercrime. On the other hand, AI will also help cybercriminals stay a step ahead in the cybercrime race.

Further, we have billions of devices connected to each other in today’s world–a trend that we know as the Internet of Things (IoT). This clearly implies that we are a facing a very grave threat to our networked world than we did in 2010. Researchers and security firms continuously point out that IoT will increase the incidence of cybersecurity issues due to accidental information breaches and organised hacking attempts on automated systems such as power grids, smart cars and buses, health, education, banks, government, and other private and public systems.

We are already seeing this happen, and the SolarWinds case is only a stark reminder that governments should think about a United Nations (U.N.)-like body to handle these potential threats.

This, of course, is easier said than done.

Cyber war or Cyber Terrorism?

Meanwhile, one must accept the fact that cyber war is not a universally-accepted term. For instance, even if we do believe that an attack has surfaced from a specific country and have enough evidence to infer that the attack was sponsored by that nation state, it will be exceedingly difficult to ascertain if the attack was fully backed by the country’s government or only by a radical faction from that nation. Unless, of course, someone owns up to the crime which is hardly the pattern.

Second, some experts believe it is better to call such attacks ‘cyber terrorism’ rather than ‘cyber war’ since no humans are physically harmed in the process (though, one can argue that if you ruin a person financially with ransomware, it is equivalent to doing physical harm) and the attacks were not done for a protracted period (no back and forth attacks). One can counter, though, that AI-powered trojans could damage power grids, smart car factories, steal sensitive data from governments and even satellites up in the sky—all within hours, making ‘cyber wars’ last less than a day.

These arguments, however, would merely result in splitting hair over abstractions and detract from the main issue. As Anna-Maria Talihärm-a senior analyst of the Legal and Policy Branch at the NATO Cooperative Cyber Defence Centre of Excellence-argues, “Not being able to agree on common definitions of central terms such as “cyberattack” and “cyberwar” should not prevent states from expressing the urgency of preparing their nations for possible cyberincidents.”

In this context, NATO’s Cooperative Cyber Defence Centre of Excellence (CCDCE) has been conducting an annual cyber-simulation game since 2010. Called Locked Shields, It is aimed at enabling cyber security experts enhance their skills in defending national IT systems and critical infrastructure from real-time attacks. Blue Teams, formed by member nations of CCDCOE, play the role of national rapid reaction teams deployed to assist a fictional country in handling a large-scale cyber incident. The Red Teams initiate the attacks.

Last year, for instance, CCDCE created a fictional country, Berylia, where several hostile events coincided with coordinated cyber attacks against a major civilian internet service provider and maritime surveillance system.

The attacks, CCDCE notes on its website, caused “severe disruptions in the power generation and distribution, 4G communication systems, maritime surveillance, water purification plant and other critical infrastructure components”. More than 1200 experts from nearly 30 nations took part in that Locked Shields events. The team from France was declared the winner.

The world clearly needs many more such initiatives with cyber attacks getting more sophisticated.


GLOBAL COST OF CYBERCRIME: > $1 Tn

*Global losses from cybercrime have more than doubled from 2018 to total over $1 trillion
*Two-thirds of surveyed companies reported some type of a cyber incident in 2019
*The average interruption to operations was 18 hours
*The average cost was more than half a million dollars per incident
*IP theft and financial crime account for at least 75% of cyber losses and pose the greatest threat to companies
*Damage to companies also includes downtime, brand reputation and reduced efficiency
*56% of surveyed organizations said they do not have a plan to both prevent and respond to a cyber-incident

Source: December 7 report by security firm McAfee and CSIS, titled ‘The Hidden Costs of Cybercrime’


THE ESTIMATED AVERAGE COST OF CYBERCRIME

cyber security
Source: McAfee-CSIS December 7, 2020, report

 

Leave a Response