Cyber conflict will probably become more destructive

More and more states are enhancing their capabilities to carry out cyberattacks, although their methods and goals vary

Cybersecurity firm Symantec said yesterday that a cyber group called ‘Orangeworm’ is targeting healthcare providers for purposes of corporate espionage and installing malware in equipment such as MRI scanners, probably to find out how they work. Although Orangeworm is not believed to be state-backed, governments are prioritising the development of offensive cyberweapons, although they deploy them in different ways. These range from sabotaging geopolitical rivals -- as with Russia, Iran, Saudi Arabia and Israel -- to political espionage in the West, commercial espionage in China and financial gain in North Korea.

What next

Iran and Russia have recently targeted power grids for cyberattacks, which suggests that the future of cyber conflict will be increasingly destructive and possibly even have fatal outcomes. Only a few states currently possess truly destructive offensive cyber capabilities, but the number will grow rapidly. This will seriously disrupt and destabilise the international system.

Subsidiary Impacts

  • No sector or industry will be safe from state-to-state cyber conflicts.
  • Authoritarian states will use cyber tools to prevent or restrict political dissent and protest at home.
  • Activist and civil rights groups will increasingly be targeted.
  • The lines between political and criminal activity will blur further.

Analysis

Offensive cyber capabilities have proliferated over the past few years as more states recognise their potential.

Russia

Russian cyber operations have received a great deal of attention. Earlier this month, the US and UK governments called out Russian operators for hacking routers and targeting 'millions' of connected devices in their countries (see RUSSIA: Moscow will deny cyberattacks despite evidence - February 20, 2018).

Two well-known Russian groups linked to the Kremlin -- Advanced Persistent Threat (APT) 28 and APT 29 -- were found on the Democratic National Committee (DNC)'s networks in 2016, when the US presidential elections were underway. The hackers obtained the DNC's entire database of opposition research on Donald Trump and leaked it, hampering the Democratic campaign (see INTERNATIONAL: Moscow uses hacks to divide and confuse - June 28, 2017).

Russian intervention in the US election went beyond hacking. There was also social media activity aimed at spreading misinformation. The Internet Research Agency, a 'troll farm' operating in Russia, ran an influence campaign during the US election using political adverts on Facebook to target US voters in swing states. The Kremlin has run similar disinformation campaigns elsewhere, including in Ukraine and France.

The blurred boundaries between state and non-state actors make attribution difficult

Russia's government has often used cyber proxies to conduct offensive operations on its behalf, giving it a degree of plausible deniability (see INTERNATIONAL: Impunity will incentivise cyberattacks - December 16, 2016).

Russia's cyber operations include destructive attacks. The United States, Canada and Australia believe that Russia was behind a 2017 ransomware attack called NotPetya, which temporarily disabled portions of Ukraine's power grid. However, NotPetya spread further (perhaps unintentionally), causing severe disruption, including to global shipping company Maersk, which had to reinstall 45,000 computers and suffered damage estimated at 200-300 million dollars.

China

Chinese government hackers have conducted commercial and political espionage. The two are not always distinct. For example, the Chinese J-31 stealth fighter jet is thought to be modelled on the US F-35 after the F-35 blueprints were stolen (see CHINA: New intelligence law codifies espionage - August 21, 2017).

That attack had a military goal, but it is plausible that China might also target the aerospace sector for business reasons.

Commercial intelligence operations have been underway for nearly a decade; Germany accused China of commercial espionage back in 2009. Key sectors targeted in Germany included car manufacturing, renewable energy, x-ray technology and machinery.

Corporate espionage creates friction between China and the United States

This issue has put significant strain on US-China relations. The US government indicted five Chinese officers in 2014 for stealing data from US corporations. A 2015 agreement between President Xi Jinping and his US counterpart Barack Obama appeared to resolve the issue somewhat, with a drop-off in Chinese campaigns against US companies, but recent trade disputes could prompt the Chinese government to increase its activity again (see CHINA/US: Tech tensions will escalate under Trump - October 13, 2017).

China's government uses cyber means to silence dissent domestically. It runs a highly censored and closed internet behind the so-called Great Firewall of China and has targeted activist groups in Hong Kong and Taiwan, as well as the office of the Dalai Lama (see CHINA: New laws advance 'cyber sovereignty' - September 29, 2017).

North Korea

Cyber capabilities appeal to North Korea for two reasons. First, the barriers to entry are lower than for traditional military capabilities, so even a poor and isolated state can still build a meaningful cyber capability. Second, cyber theft supplies Pyongyang with money that it cannot obtain through legitimate means because of sanctions.

North Korean hackers have penetrated South Korean infrastructure in preparation for real war. However, the country stands out because its cyber operations are often financially motivated, something typically associated with cyber criminals rather than governments (see NORTH KOREA: Cybertheft will grow as sanctions bite - March 14, 2018).

In the last few years, North Korean hackers have targeted cryptocurrency wallets and exchanges. The US, UK, Canadian, Japanese, Australian and New Zealand governments accused North Korea of launching the ransomware called 'WannaCry' that affected over 150 countries in May 2017 and severely affected the UK National Health Service (see INTERNATIONAL: Ransomware fight will be uphill battle - May 15, 2017).

WannaCry was among the highest-profile examples of financially motivated North Korean cybercrime, although it was largely unsuccessful, earning its perpetrators just 140,000 dollars.

North Korean cyber operations were more profitable when they targeted the Bangladeshi central bank in 2016. North Korean hackers attempted to transfer 950 million dollars using the SWIFT network and managed to steal 81 million dollars (see INTERNATIONAL: Cybercrime targets digitising states - February 22, 2018).

Iran

Tehran has made the development of cyber capability a priority since its Natanz nuclear facility was targeted by a joint US-Israeli cyber operation known as Stuxnet that was identified in 2010. Stuxnet was a highly sophisticated computer worm that specifically targeted Iranian nuclear systems. It caused nuclear centrifuges to spin uncontrollably and eventually overheat and break.

Iran's cyber operations have increased since then. Its geopolitical rivals in the Middle East, such as Saudi Arabia, are its main targets. An Iran-linked group known as COBALT GYPSY has targeted telecommunications, government, defence, oil and financial services organisations in the Middle East (see IRAN: Tehran is set to become a formidable cyber actor - December 28, 2017).

In 2012, a virus named 'Shamoon' erased data on three-quarters of the corporate computers at Saudi Arabian national oil company Saudi Aramco. This caused the company to shut down its internal network, preventing employees from accessing email or the internet.

The hacker group claimed the attack was a response to the 'crime and atrocities' committed by Saudi Arabia's government in countries including Syria, Bahrain and Yemen. However, the incident was believed to be retaliation for Stuxnet, as Saudi Arabia is an ally of the United States (thought to be behind Stuxnet) and is an Iranian enemy vulnerable to cyber intrusions.

Cyberattacks have taken a more destructive turn recently. The New York Times reported in March that an unnamed petrochemical company with a plant in Saudi Arabia was targeted in a 2017 cyberattack that appears to have been intended to sabotage its operations and trigger an explosion, rather than to destroy data or shut down the plant. Investigators believe that the only country with the necessary motive and capability is Iran. This is the first known attack with such physically destructive intent.

Iran's targets extend beyond the Middle East. The US Department of Justice in 2016 indicted seven Iranian hackers for cyberattacks targeting the US financial sector. The hackers were involved in an extensive 176-day campaign of distributed denial of service attacks, which overload a web server so that legitimate web traffic cannot get through.

One of the Iranian hackers was charged with obtaining unauthorised access to the control systems of a New York city dam, leading to concerns that future operations have the potential for a more destructive outcome.

Israel

Israel has developed impressive cyber capabilities. Its education system has made technology and hacking skills a priority. A high school cybersecurity training programme called Magshimim teaches teenagers how to hack from a young age (see ISRAEL: Cyber security sector to retain global edge - April 21, 2014).

Israel fosters cybersecurity training from high school onwards

Israel also has compulsory military service and many conscripts with an interest in technology choose to do their service with Unit 8200 -- a military hacking and intelligence unit. This provides the Israeli Defence Forces with some of the brightest and most technologically educated talent in the country. This compares starkly with other countries where cybersecurity skill shortages present recruitment and retention challenges for governments.

Israel uses its cyber capability to achieve geopolitical goals within the Middle East. In 2007, Israeli planes were able to sneak past Syrian air defences as a cyberattack interfered with Syrian computer and radar systems.

Much of Israel's cyber capability has been directed at preventing Tehran from developing nuclear weapons, as seen in Israel's involvement in Stuxnet.

Tel Aviv is also thought to have engaged in political espionage. Israel strongly opposed the US-Iranian nuclear deal, with Israeli Prime Minister Benjamin Netanyahu calling the arrangement a "historic mistake". Given Israeli concern over the conditions of the deal, Israeli cyber forces are thought to have conducted a 2015 cyber espionage operation known as Duqu 2.0 targeting the P5+1 countries and the venues where negotiations and discussions related to the Iranian nuclear deal took place.

United States

The United States seems to enjoy the most sophisticated cyber capability globally. Washington prioritises secrecy, which, coupled with its superior capability, means that details of its operations are less well known. The Stuxnet malware that targeted Iran in collaboration with Israel shows that the United States has an impressive ability to target hard-to-reach systems.

Another piece of malware that has been connected, though not conclusively, to the United States is Flame. Discovered in 2012, Flame was linked to Stuxnet in its design and was built for espionage, including taking screenshots, recording audio conversations and intercepting keyboard input. It targeted primarily Iran, but other affected areas included Israel and the Palestinian territories, Lebanon, Syria and Sudan, and to a lesser extent Saudi Arabia and Egypt.

While the United States has no lack of technical capability, it has faced challenges in other areas.

From a political perspective, the roles of cyber agencies including the National Security Agency (NSA) and Cyber Command have been politically contentious since former NSA contractor Edward Snowden revealed in 2013 that Washington spied extensively on US citizens and on heads of friendly states such as Germany and Brazil (see US/INT: Spying leaks will not widen intelligence group - November 18, 2013).

Private business and whistle-blowers curtail some US cyber operations

Another challenge has come from US technology firms, which have criticised US agencies for maintaining secrecy about vulnerabilities in their systems, so that such vulnerabilities can be used in cyber operations. Technology firms would prefer it if the details were released so that they could patch their systems.

This has led to the introduction of the 'vulnerabilities equities' process, in which the intelligence community must justify withholding knowledge of a vulnerability; otherwise the information should be made available to technology firms (see INTERNATIONAL: Vulnerability disclosure deeply divides - May 25, 2017).

The US intelligence community has struggled to prevent information and cyber tools from being leaked. This was most clearly seen through the Snowden disclosures. There have also been other leaks, most recently by NSA contractor Hal Martin, indicted in 2016 for stealing classified materials.

Europe

European states have also invested significantly in cybersecurity. The United Kingdom, France, Germany and the Netherlands have traditionally used cyber tools for political espionage in a manner similar to the United States.

The Snowden documents revealed that UK intelligence agency GCHQ possesses an impressive ability to access the systems of adversaries -- often in joint missions with the NSA (see UNITED KINGDOM: London will strengthen cybersecurity - December 20, 2016). Likewise, media reported in January that the Netherlands has achieved an impressive level of access in Russian operations and systems -- even obtaining access to CCTV cameras inside the offices of Russian hacking groups.

Outlook

As cyber capabilities rise, it is likely that all states will increasingly use cyber tools for more offensive purposes.

Geopolitics will be a key factor in the intensity of cyber intrusions

The targets of state cyber operations are not restricted to government institutions -- banks, power grids and cryptocurrency exchange platforms are now all in the crosshairs of states' offensive cyber operations. This means that geopolitical factors will become a crucial aspect of threat intelligence and risk assessment strategies.