On Cyberwarfare & the Effectiveness of Indicting Foreign Criminal Hackers
*Note: This article was originally published by the author on October 24, 2020.
“War is regarded as nothing but the continuation of state policy with other means.” — Carl Von Clausewitz
For centuries warfare was limited to two domains, land and sea. Battles were fought on the ground or on the water by navies. In the 20th and 21st centuries, however, all of that changed forever with technological innovation. Today, there are now five domains of modern warfare: Land, Sea, Air, Space, and Cyberspace. While warfare still takes place today on the land, sea, and air, space has yet to be militarily contested. Cyberspace, on the other hand, has become the new favorite playground of every nation with an internet connection for collecting intelligence. In cyberspace, espionage and attacks can be carried out with any loss of life and with little to no cost as compared to traditional forms of warfare.
In the 21st century nearly everything we do has migrated into the digital domain of cyberspace. Almost all of the electronic devices we use in our daily lives have been made to connect to the Internet in some fashion or another and whether that was a wise thing to do or not is beside the point. Classifying an electronic device or appliance as smart does not make it so. Allow me to qualify that statement by adding that I am an ethical hacker and security researcher who has been around long enough to have seen nearly all of this computing technology emerge.
One needs only to look at the categories listed on a vulnerability search engine such as Shodan.io, which web crawls the entire Internet, to see how many types of Internet-connected devices there are and just how insecure some of them are like smart toaster ovens. Each internet-connected device runs its own firmware and software code that must be maintained, updated with security patches, or else it is itself an attack surface that can be used by attackers to hack into networks, plant backdoors, steal intellectual property and sensitive data, modify the information or infect it with malware such as ransomware until the victim pays the ransom.
Hacking has gotten a lot easier than it used to be in several respects. In the 80s and well into the 90s, hackers didn’t have the type of access they do now to information. There were bulletin boards where they could download pirated software like video games like Wolfenstein 3D, video graphic editing software such as Corel DRAW, crudely formatted text documents, and secretive hacker groups you might try to join with slow, dial-up modems. Those same computer systems today would be considered obsolete or defunct.
Nowadays, hackers can get detailed tutorials on how to hack stuff just by watching videos posted on YouTube, reading eBooks, proof of concept whitepapers detailing how to exploit vulnerabilities in software and internet protocols that were designed in the 70s and 80s, and even downloading free offensive security hacking tools to practice with free practice hacking websites with virtual machines designed as hacking challenges. It has never been easier than it is today to learn how to hack. Essentially, all a hacker needs are the drive to learn and a basic $300 laptop computer with an internet connection.
There are still many complicated aspects to hacking that require degrees of experience and skills, don’t get me wrong. You’re not going to create Stuxnet, Flame, or Wannacry malware without a somewhat advanced degree of knowledge and skill, and more likely it is a team of highly skilled malware developers. However, successful exploits just as often may come down to opportunity. Finding the right target at the right time when it is vulnerable to an exploit that you have available or that you can quickly develop. Criminal hackers are using vulnerability scanning tools to find systems connected to the internet that have holes in their security. Finding vulnerabilities is arguably the easiest part of cyber warfare and hacking because they are plentiful and difficult to mitigate on a wide scale.
With so many different attack surfaces to defend against on a computer system or network of computer systems, printers, servers, switches, VoIP phones, Internet of Things (IoT) devices, which often number in the hundreds or thousands at larger organizations, it becomes mission impossible without some type of security automation. Otherwise, it’s like asking a handful of cybersecurity professionals to part the seas knowing full-well that it is an impossible task to succeed at. ‘Automate or die’, that is the name of the game in cybersecurity because unless you’re defending Uncle Joe’s Coffee Shop on the corner, you’re probably part of a very small team of cybersecurity pros that are understaffed, under-resourced, and overwhelmed with your mission to secure the enterprise IT domains your organization possesses and relies upon. These are some IT domains that criminal hackers and Advanced Persistent Threat (APT) groups seek to exploit.
At best, we as cybersecurity professionals can deter the less sophisticated attackers by implementing solid layers of security defenses that we term a defense-in-depth strategy. These security controls, however, could be easily circumvented by a single malicious insider. Or, a system owner might fail to perform a critical software patch in a timely manner. Or, perhaps a company employee falls victim to a successful phishing email that allows cybercriminals into the system. It matters not how they get inside your network, once inside they will work quickly to create persistence by planting Remote Access Trojans (RAT) backdoors, and heck, the attackers might even patch the vulnerabilities they exploited to get inside so that no other hackers can use the same entry point (don’t laugh, it’s happened).
After intruders establish a means to persist on the system, they will recon the information system to determine what valuable information they scored access to while all the while trying to fly low under the radar. They will also look to pivot laterally to other systems that the exploited system is connected to. But is anyone watching the event logs? Are the attackers using special, noisy custom hacking tools that leave unique signatures on the system, or are they “Living Off The Land” (LOTL) to remain unnoticeable by using tools and services native to the operating system like Windows PowerShell or Windows Management Instrumentation Command (WMIC)?
It is a mistake to think that criminal hacker groups are not well-trained, and well-resourced. Even the unskilled, unknowledgeable script kiddie has access to tools and how-to tutorials that make script kiddies more dangerous than ever. The big boy criminal hacker groups and APTs often have specific cyber espionage or attack objectives that focus on stealing money, stealing information they can sell for money, or they are after the intellectual property (IP), research and development (R&D), or sensitive information.
Sometimes, the chief aim might only be to disrupt critical infrastructure as we achieved with the Stuxnet or BlackEnergy APT malware. Criminal hacker group activity is similar to cyberwarfare activity in many respects, they may even use the same tools to accomplish their exploits. However, where they differ and how you can often help to fingerprint which group is which is by their Tactics, Techniques, and Procedures (TTP) to include the offensive security tools they use and any custom malware they employ. Whereas cybercriminals are often focused on ways in which they can make money off their malware, APTs are doing the bidding of their governments and regimes. APTs are involved in Computer Network Espionage (CNE) which can lead to follow-on Computer Network Attacks (CNA). That is a brief introduction to how cyber warfare works.
The Effectiveness of Indicting Foreign Criminal Hackers
On October 19, 2020, the Department of Justice (DOJ) released the unsealed indictments of six Russian nationals who are purportedly Russian GRU military intelligence officers that were part of a notorious APT group known as SANDWORM. This is the APT group behind high-profile cyber attacks like the NotPetya worm that caused something like $10 billion dollars in damages; the BlackEnery Ukraine power grids blackouts; and the 2018 Winter Olympics cyber attack among other cyber attacks. In the world of APT groups, SANDWORM is one of the most highly skilled and capable groups that exist.
SANDWORM continues to operate to this day in the open and hone their tactics, but they’ve already proven to be a worthy adversary for the U.S. and any other targeted nation demonstrating the disadvantage Computer Network Defense (CND) professionals face when often all it takes is a well-crafted spearphishing email to compromise a mail server. Like their APT counterparts, the Fancy Bear APT, SANDWORM possesses a wide range of attack targets and is itself like an instrument or a cyber weapon used by the Kremlin to advance its political agenda that positions Russia most favorably. Attribution of cyberattacks is difficult due to false flags in malware code and proxy servers that mask true IP addresses but when you forensically study how the cyber attack was carried and which nation stood to gain the most from its results, that usually tends to narrow the list of suspects down rather quickly.
But what is the point of these repeated token gesture indictments by the U.S. of Russian, Chinese, North Korean, and Iranian hackers? They are security theater at best and detrimental to national security at the worst. They are undoubtedly meant to send a message but asset freezes and travel bans are wildly ineffective and I would argue they even serve to embolden the mental resolve of foreign criminal hackers to continue doing exactly what they are doing. Now they know they are marked and will be arrested and extradited to the U.S. if they travel to any country that shares an extradition treaty with the U.S.
Would it not be a better strategy to keep the indictment sealed or only partially unseal by publicizing the fact that the U.S. has identified an unknown number of individuals as part of a particular hacking group that was responsible for “X” intrusions, damage, and crimes? Perhaps then these as of now out-of-reach foreign hackers might by themselves choose to travel to a country that shares an extradition treaty with the U.S. and can be then be easily arrested and extradited.
Naming the perpetrators with unsealed indictments only makes it more difficult to apprehend them as they either will be more careful by traveling under false identities or they won’t travel at all, like ever. What has that solved? Absolutely nothing. These “tools” the U.S. uses to impose costs on foreign hackers they can’t reach with the long arm of the Justice department are not totally ineffective but they don’t do enough to address the root causes of why adversaries are able to attack and infiltrate networks, exfiltrate data, and wreak havoc in the first place. We need to look in the mirror at why these types of hacks continue to happen and how we can modify our approaches to better defend against them.
At a national security level though, one has to wonder how long the U.S. is going to allow this type of cyber warfare activity to continue before it escalates to more serious consequences not only by Russian hackers, but also by Chinese, North Korean, and Iranian hackers? What is our line in the sand for retaliation? Do we even have one? Does USCYBERCOM possess the workforce and skills needed to carry out sophisticated cyber attacks against adversaries? I am confident they do but they are reserved for special situations. This does not include the NSA and CIA hacking teams that operate 24/7/365 that are performing similar types of cyber warfare activities that we are indicting foreign hackers for doing.
NATO’s founding treaty contains Article 5, the Collective Defence article. If invoked by a NATO member, it requires the other NATO member nations to consider it an attack on all of them and they join in the defense. Article 5 has not been used yet in defense of a cyber attack but when Estonia faced constant Distributed Denial of Service (DDoS) attacks by cyber threat actors attributed to Russian when Estonian authorities set out to remove a Soviet WWII memorial in the capital Tallinn.
Collective defence — Article 5
The principle of collective defence is at the very heart of NATO’s founding treaty. It remains a unique and enduring…
Some positive outcomes are that by unsealing these types of indictments, the US government publicly condemns them to the nation and to the world while simultaneously acknowledging that it knows who was behind the attacks. That is very important but I argue that the U.S. should be more strategic in how it does this. The DOJ should use more discretion in how much information it divulges because when you read between the lines of their indictment press releases, it doesn’t take a genius to figure out how they are collecting their intelligence. They may not go as far as to reveal exact sources but the methods of collection become plainly obvious which only makes it harder to collect the next time after adversaries change tactics and add more obfuscation.
“No country has weaponized its cyber capabilities as maliciously or irresponsibly as Russia, wantonly causing unprecedented damage to pursue small tactical advantages and to satisfy fits of spite,” assistant attorney general John Demers said in a statement.
Let us not forget also, that the National Security Agency (NSA) and Israel’s equivalent spy agency, Unit 8200, conspired to produce Flame and Stuxnet which are still considered two of the most, if not the most, destructive pieces of code ever written. This fact was acknowledged by former President Obama after it was leaked by General James Cartwright.
“He [Obama] repeatedly expressed concerns that any American acknowledgment that it was using cyberweapons — even under the most careful and limited circumstances — could enable other countries, terrorists or hackers to justify their own attacks.” — David Sanger, NYT reporter
Years went into developing that destructive code. In fact, the Stuxnet code was so well-written that it bridged the gap between cyberspace and the physical world, a feat that almost no other piece of code has been able to do on such an impactful scale. Stuxnet was able to destroy (i.e., brick) Iranian centrifuges that were used to enrich Uranium for Iran’s nuclear program.
Former President Obama acknowledged that the U.S. was involved with Israel in the deployment of Stuxnet after it was leaked, thus our hands are bloody here, too. We’re doing the exact same type of criminal hacking activity we’re indicting foreign adversaries for. Who are we to play the moral card and say our motives are purer than our adversaries? So, how long before American nation-state hackers are indicted by foreign governments for cyber attacks? My guess is that it won’t be long before China, Russia, and others start doing the same.
Keep the “Pew, Pew” Warfare in Cyberspace
In any event, an untold number of lives are saved by nations battling it out in cyberspace instead of through conventional warfare. Make no mistake about it. Given the choice between cyberwarfare and conventional warfare, I would choose cyberwarfare 10 out of 10 times having fought on the ground in combat. No matter how ridiculous state-sponsored hacking gets, it could be a lot worse when the bullets and bombs start flying.
A better approach might be to brick their computers & infrastructure so that it is non-functional, if possible. This exacts a small cost and perhaps it also costs attackers time. But how long does it really take to load a Virtual Machine (VM) snapshot and upload code that was very likely backed up prior to the attack in multiple locations? The answer is not long at all. Mere minutes. These costs may be small beans to these nation-state hackers but it sends a strong message.
If you mess with the US, we can reach & touch you anytime we want. It’s shy of conventional warfare but still effective… But then if we brick, they will most assuredly brick back. It becomes a tit-for-tat on a more destructive level. Patching flaws, burning 0days, it’s a vicious cycle that won’t soon stop. However, our response can change. Escalation to bricking devices has consequences & is not always possible. I don’t claim to know better but to me these silly little indictments are ineffective. It’s nothing more than security theater as I said before.