In our article Cyber Warfare: Nation State Sponsored Cyber Attacks, we discussed the nature of warfare in the virtual world of the internet and how it differs from conventional warfare. We also covered why some kind of “cybergeddon”—an all-out cyber war—hasn’t happened and quite likely never will. In this post we’ll look at which state actors have conducted cyber war operations, the techniques they’ve used in their campaigns, and what technologies are available for defending against cyber war attacks.
There are five nation-states that are known to be capable of waging a large-scale cyber war:
In addition, many other countries have developed cyber war capabilities, ostensibly for defense.
As numerous as the operational cybersecurity units of state actors are, they are just the visible part of the global cyber warfare machine, much of which is run by hacker groups funded by state actors. Cyber mercenaries are available to do everything from surveillance to DDoS attacks. For example, the now infamous Israeli NSO Group has sold its iPhone spyware, Pegasus, to government agencies worldwide, including the New York Police Department and the governments of Mexico, Panama, Ghana, and Saudi Arabia. The spyware has been found on the cellphones of politicians and government officials, heads of corporations, journalists, activists, and even Avner Netanyahu, the son of then-Prime Minister Benjamin Netanyahu.
While hackers who get involved over a cause—hacktivists—are neither created nor funded by a state actor, they can be a significant force in a cyberwar by, for example, launching a large-scale DDoS attack against one side or the other. The problem for the side that the hacktivists support is that they aren’t controllable and can interfere with or even thwart their own side’s attack plan. For the other side, the problem is that the often distributed and uncoordinated attacks can mask the more sophisticated attacks mounted by nation-state actors. One of the best examples of hacktivism is the decentralized international collective Anonymous:
Supporters have called the group “freedom fighters” and digital Robin Hoods, while critics have described them as “a cyber lynch-mob” or “cyber terrorists.” In 2012, Time called Anonymous one of the “100 most influential people” in the world. Anonymous’ media profile diminished by 2018, but the group re-emerged in 2020 to support the George Floyd protests and other causes. — Wikipedia
In cyber warfare, espionage has the same goals as in conventional warfare, i.e., to learn as much as possible about the enemy’s physical, informational, and cybersecurity resources. This can involve hacking servers and networks, phishing attacks, and social engineering to map target networks, breach data sources, and then exfiltrate information.
The goal of sabotage in cyber war is to weaken, disable, corrupt, or destroy the information services, cybersecurity measures, and resources of a target. The Stuxnet worm (see below), developed by the United States and Israel to damage Iran’s nuclear fuel processing capabilities, is a great example of cyber sabotage.
Psychological warfare or PsyOps has been used in conventional warfare since time immemorial. For example, in the Battle of Pelusium in 525 BC, Persian forces carried cats in front of them into battle as a psychological tactic against the Egyptians, whose religious beliefs treated cats as sacred animals. In the digital age, nation-states use cyber PsyOps to create social chaos through disinformation campaigns, ransomware attacks, taking over and defacing websites, and distributed denial of service attacks to incapacitate websites and services.
A distributed denial of service (DDoS) attack uses various techniques to flood a target with fake requests, which can disrupt or stop operations and systems and block access to websites by civilians, military and security personnel, or research bodies. Of all the types of cyberattacks, DDoS attacks are the easiest to mount. In the early days of Russia’s attack on Ukraine, a series of DDoS attacks briefly knocked the Ukrainian government and banks offline, and U.S. and U.K. officials identified Russia as the source. U.S. deputy national security adviser Anne Neuberger told journalists at the White House that Washington was seeking to hold Russia to account for its aggressive moves in cyberspace.
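The flood behaviour described above is what rate-based DDoS mitigation looks for. The following is an added example, not code from the original post or from A10 Networks: a small per-source request-rate detector run over constructed access-log lines, with the window and threshold values chosen as assumptions.

```python
# Added example (not from the original post): a per-source flood detector
# over constructed web-server access-log lines, showing the rate-based
# signal a DDoS mitigation system uses to separate flood traffic from
# normal clients. Window and threshold values are assumptions.
from collections import defaultdict, deque
import re

# Constructed sample lines in Common Log Format style (not real traffic):
# one source sends 30 requests in 30 seconds, five others send one each.
SAMPLE_LOG = [
    f'203.0.113.7 - - [24/Feb/2022:06:00:{s:02d} +0000] "GET / HTTP/1.1" 200 512'
    for s in range(0, 30)
] + [
    f'198.51.100.{i} - - [24/Feb/2022:06:00:1{i % 10} +0000] "GET /news HTTP/1.1" 200 2048'
    for i in range(1, 6)
]

# Captures the source address and the hh:mm:ss part of the timestamp.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^:]+:(\d\d):(\d\d):(\d\d) [^\]]+\]')


def parse_line(line):
    """Return (source_ip, seconds_since_midnight), or None for unparseable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip = m.group(1)
    hh, mm, ss = (int(m.group(i)) for i in (2, 3, 4))
    return ip, hh * 3600 + mm * 60 + ss


def flood_sources(lines, window=10, threshold=8):
    """Return {source_ip: peak_count} for sources exceeding `threshold`
    requests within any `window`-second sliding span."""
    recent = defaultdict(deque)   # per-source timestamps inside the window
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue              # malformed line: skip rather than crash
        ip, ts = parsed
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] >= window:
            q.popleft()           # drop timestamps that fell out of the window
        if len(q) > threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged
```

Per-source counting like this is only a first filter; a real mitigation layer also has to handle floods spread across many spoofed sources, which this example does not attempt.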
Phishing attacks target anyone who might click on a link in an email message, in the hope of compromising their computer, security controls, and network connections. A more focused attempt, spearphishing, targets people who work at a particular business or in a particular industry to try to gain access to that business. To execute a spearphishing attack, attackers may use a blend of email spoofing, dynamic URLs, and drive-by downloads to bypass security controls.
Whaling attacks are very carefully targeted on high-level executives with access to organizational data or finances. For example, an executive with financial approval authority may receive an email from a C-level executive asking them to urgently transfer a large amount of money to cover a vendor payment or similar obligation.
The use of malware that encrypts a computer’s disk drives and demands payment, usually in cryptocurrency, is the basis of a ransomware attack. These attacks are most often launched via phishing and have become one of the most common techniques for extortion and denial of service. The 2021 “Verizon Data Breach Investigations Report” found that ransomware was the cause of 10 percent of all breaches, and the FBI’s Internet Crime Complaint Center reported a 62 percent year-over-year increase in ransomware, with 2,084 ransomware complaints filed from January to July 31, 2021.
While it can be difficult to identify the origin of a cyber war attack, some attackers can be identified by their attack methods, malware coding, or information gained through covert channels. Here are a few examples of cyberwarfare attacks that were notable not just for their size and reach, but also because there was a lot of evidence to identify the aggressors:
An industry leader in cyber defense, A10 Networks, offers cyber security solutions including the A10 Thunder® Threat Protection System (TPS), which employs advanced DDoS protection and mitigation strategies to protect against DDoS attacks. A10 Thunder SSL Insight (SSLi) provides full network traffic visibility, making it hard for attackers to sneak malware into networks or exfiltrate data. These solutions help support a Zero Trust strategy that helps businesses protect their networks and data.