Since its creation, the Internet has evolved into a basic necessity for humanity to communicate, conduct commerce, trade, and maintain a technologically driven lifestyle that automates numerous daily activities. Many take this connectivity for granted or fail to take a moment to realize how far the Internet has progressed since its creation. As this growth took place, a new domain took shape on the battlefield. Air, sea, land, and space were no longer the only domains in which war took place. The cyber domain slowly became an element of the planning and execution of military operations. However, it was not until the mid-1990s that cyber warfare began to get the focus necessary to defend the nation and maintain superiority.
Evolution of Cyber Warfare:
War, conflict, espionage, and geopolitics have all existed as intertwined components of human history. As humanity progressed technologically, nation-states and vested stakeholders leveraged advancing technologies and modified their methods, techniques, and procedures to deter, disrupt, or exploit their enemies and advance their objectives. The use of the cyber domain to pursue goals is attractive due to its potential capabilities and the ability for an adversary to deny involvement. It was not until the late 1990s that cyber warfare began its rapid ascent into what we know it as today. However, to better understand cyberwarfare’s evolution, it is important to look at earlier examples that led to the current threat landscape.
Cyber Warfare History:
In 1989 Clifford Stoll released The Cuckoo’s Egg, which detailed a 1986 case of cyberespionage and cyberwarfare involving a series of hacks that resulted in the successful exfiltration of sensitive data by the Soviet KGB from U.S. Cleared Defense Contractors (CDC) and DoD information systems. The hacks were not sophisticated, regularly relying on lax security, improper configurations, and the use of trust relationships between the university and CDC/DoD information systems. At the time, few organizations had the focus, knowledge, skills, funding, or legal guidance to pursue and mitigate the threat. A notable increase in attacks and compromises caused government officials to take a closer look at cybersecurity and the threats posed to national security.
Cyber Warfare Modernization:
As the Internet continued to grow, the threat and global reliance on it became more prevalent and the emergence of advanced persistent threats followed.
Clarke and Knake provided insight into how Cyber Warfare evolved in their 2010 book Cyber War where they explained:
NSA involvement in the Internet grew out of its mission to listen to radio signals and telephone calls. The Internet was just another electronic medium. As Internet usage grew, so did intelligence agencies’ interest in it. Populated with Ph.D.’s and electrical engineers, NSA quietly became the world’s leading center of cyberspace expertise. Although not authorized to alter data or engage in disruption and damage, NSA thoroughly infiltrated the Internet infrastructure outside of the U.S. to spy on foreign entities.
The DoD followed suit in 1995 when the National Defense University graduated its first class of officers trained to lead cyber war campaigns. However, this shift and graduation did little to define cyber warfare or organize cyber forces.
In an attempt to better understand cyber and determine how vulnerable the DoD was to cyber-attack, the U.S. government conducted a cyber warfare exercise in 1997 called Eligible Receiver. Eligible Receiver was an elaborate red-team operation led by the NSA that attacked the DoD using only commercially available tools and social engineering. The results of this penetration test were shocking to U.S. leaders after the exercise demonstrated the capabilities of cyber warfare and how ill-prepared the U.S. was to defend against such attacks.
Major U.S. Government Compromises:
In 1998, the U.S. government fell victim to the exploitation of vulnerabilities in the compromises known as Solar Sunrise and Moonlight Maze. Each event involved the compromise of sensitive government-owned information, by non-state and suspected nation-state threat actors, respectively. Both Solar Sunrise and Moonlight Maze used university networks as hop points and proxies to conduct their activities/attacks.
Solar Sunrise attackers made a mistake that allowed investigators to mitigate the threat, but the incident, perpetrated by some teenagers, highlighted the vulnerability of DoD information systems and the effectiveness of cyber weapons available to the general public. Additionally, the investigation identified a group of hacktivists in Israel that authorities apprehended through coordinated efforts with the Israeli government.
Moonlight Maze was much more sophisticated, presenting an Advanced Persistent Threat that went unnoticed for more than a year. Although never officially tied to Russia, the U.S. suspected their involvement and went as far as stating that the U.S. was in the middle of a cyber war. However, some indicators did present a substantial nexus to attribute Moonlight Maze activities to Russia. One significant indicator was the timing of attacks and their absence during important Russian holidays. Also, dial-up connections originated from Moscow, and the Internet Protocol (IP) addresses involved fell in the same IP range as those publicly disclosed as belonging to the Russian Academy of Sciences. Most recently, researchers discovered Russian phrases in some of the attackers’ tools used in the intrusion.
Hacktivists and Cyber Warfare:
In 1999 the Honker Union formed in response to the inadvertent U.S. bombing of the Chinese Embassy in Belgrade, Yugoslavia. The group has no proven and official connection to the Chinese government and is likely one of the oldest hacktivist organizations in existence. However, this is just one component of the Chinese cyber arsenal that has focused its efforts toward the U.S.
In 2001, the Code Red worm was deployed and was responsible for causing a Distributed Denial of Service (DDoS) attack on a broad range of IPs, including the White House. Later, in 2003, the Honker Union released SQL Slammer, which took advantage of a buffer overflow vulnerability. The Honker Union would later release an improved worm that further expanded the worm’s DDoS capabilities and caused Internet slowdowns globally.
Cyber Warfare In the 21st Century:
The compromises discussed thus far were mostly the result of poor security practices, default configurations, and social engineering. However, attack methodologies had already begun to evolve to include the use of more advanced pieces of code and measures to spread and obfuscate threat actor activities. The compromises also served to alert leaders to the importance of cyber and the requirement to expand U.S. cyber capabilities. One issue stems from laws, both in the U.S. and internationally, that continue to lag behind rapidly growing threats and evolving technologies. This delay has left a void for investigators and a gap in both defensive and offensive roles and responsibilities.
Presidential Cyber Advisor:
In response to these issues, the first cyber advisor to the President was appointed in 2001 and began to look at the dire situation as it related to the cyber domain. As discussed above, the NSA had fallen into providing the cyber capability to the U.S. by default, but NSA was unable to execute full-spectrum cyber operations due to implications with Title 10/50 authorities; the solution would require the DoD to step in and assume warfighter responsibilities. In 2002 the DoD granted the cyber mission to Strategic Command (STRATCOM). This newfound focus led to the detection and identification of new compromises and the formation of other nation-state and non-state cyber organizations/capabilities.
In 2005, Titan Rain, loosely attributed to the Chinese People’s Liberation Army (PLA), involved the exfiltration of additional sensitive U.S. government data. The compromise solidified the assessed threat to U.S. information systems by cyber actors and also revealed the prioritized focus on cyber by the PLA. A cyber approach by the PLA had the potential to offset the technological, strategic, and tactical advantage held by the U.S.
The same year, researchers identified a new Remote Access Trojan (RAT), Poison Ivy, likely released by the Chinese. However, this would not be the last cyberwarfare tool to find its way onto the Internet and into the hands of any user interested in using it. Senior Suter, a suspected U.S. Air Force cyber tool to exploit enemy air defense networks, was also discovered in the wild. These cyber warfare tools made it clear that the cyber domain was rapidly becoming much more sophisticated while leaving artifacts of cyber warfare scattered across the Internet.
NATO Cyber Defense Center:
Fast forward to 2008, and the world saw the establishment of the NATO Cyber Defense Center and the first hints that the DoD was ready to make changes to its stance on cyber. The Air Force’s initiative to take on the cyber problem-set was noted, but the Pentagon saw the need for cyber integration across all service components. What resulted in 2009 was the establishment of U.S. Cyber Command (USCC), commanded by a four-star General who also served as the NSA director. USCC would fall under STRATCOM, but use the infrastructure already established by NSA to execute its mission. Each service component, including the Army, Air Force, Navy, and Marines, then created commands to support cyber operations for each organization under USCC. These commands would focus on the defense of the DoD network while the Department of Homeland Security protected civilian infrastructure.
Global Cyber Warfare Capability Development:
With this newfound focus, funding, and alignment of cyber forces, the world took note and began the development and deployment of their cyber capabilities. This cyber focus led to the rapid formulation and implementation of much more sophisticated cyber warfare tactics, techniques, procedures, and tools.
The first of these, Stuxnet, reached international headlines when it was discovered in 2010. Stuxnet was a worm that focused on destroying centrifuges in Iran tasked with plutonium enrichment. Although no one has claimed responsibility for the sophisticated malicious software, most attribute its development and deployment to the U.S. and Israel. Stuxnet made use of four zero-day exploits, which are exceedingly rare, expensive, and require a lot of resources to acquire. Additionally, Stuxnet was backward compatible with Windows 95, had signed drivers to communicate with the kernel, and used private certificates to encrypt communications. Stuxnet infected air-gapped systems, likely through a USB thumb drive, and was highly selective in what it infected, then took the time to collect the necessary data to modify the hardware firmware that destroyed the centrifuges. The worm even had the capability to erase itself given the proper interrupt.
Stuxnet was the first autonomous cyber weapon that caused physical damage to enemy equipment as opposed to focusing on data. Cyberwarfare had finally become much more similar to, and arguably more efficient than, traditional weapons. Duqu and Flame were other sophisticated worms that appear to share many of Stuxnet’s attributes, but focused on intelligence collection and the Iranian oil ministry, respectively.
The Future of Cyber Warfare:
Cyber warfare has rapidly evolved to become the future of warfighting and a significant threat to the U.S. due to its heavy reliance on the Internet. There are no indications that the development of more sophisticated attacks will slow as seen with recent compromises. Unauthorized disclosures/releases of NSA and CIA cyber tools have further fueled cyber warfare and provided the world a glimpse of U.S. cyber capabilities. These releases undoubtedly caused others to prioritize further defensive efforts to mitigate exposed tradecraft and develop capabilities to match and defeat U.S. capabilities.
What are your thoughts on cyber warfare? Has World War III commenced?