The Day After Russia Attacks
What War in Ukraine Would Look Like—and How America Should Respond
It is easy to get lost in cyberspace. This world, created by engineers and populated by everyone, looks different to every person or group that interacts with it. For the U.S. military, cyberspace is a war-fighting domain; for a student, it is a place to interact with peers; for a business, it is a place to make money -- and the list goes on.
Discussions of a related topic, cybersecurity, share the same characteristic. How to achieve security, or even define it, also depends on the participant. For most in the world of cybersecurity, digital espionage is a hot topic. Few news items have caused such a stir in this world as the report released in February by my firm, Mandiant, on Unit 61398, formally known as the Second Bureau of the People’s Liberation Army’s General Staff Department’s Third Department. The report revealed the seven-year history of digital espionage by Unit 61398 against at least 141 Western companies. Mandiant traced Chinese cyber- spying back to the doorstep of a 12-story office building outside Shanghai.
Espionage of any kind is serious, of course, but some do not understand how spying in the cyber world is different from spying in the physical world. Few realize that the same tools required to conduct digital espionage could allow intruders to go a step further and commit digital destruction. Once an adversary has entered a computer system, the amount of damage he does or does not inflict depends entirely on his intent. Whether such actions qualify as war is largely a political decision, but the ability to escalate from espionage to destruction is often ignored.
Critics are quick to assert that espionage is a step below a full-fledged digital attack -- which could constitute an act of war. The writer Bruce Schneier, for example, responded to reports of Chinese cyberactivity by saying, “This is not cyberwar. This is not war of any kind. This is espionage, and the difference is important. Calling it war just feeds our fears and fuels the cyberwar arms race.”
A better general understanding of digital defense, spying, and war is clearly needed. Those with military backgrounds use three terms to explain cyberactivity: computer network defense (CND), computer network exploitation (CNE), and computer network attack (CNA). CND, protecting digital information from hackers, is universally considered to be a good thing. CNE and CNA are more problematic because they involve taking offensive actions against a target.
Security professionals in the West think of CNE as digital espionage and of CNA as altering, disrupting, or destroying computer systems, whether virtually or physically. Examples of CNE include penetrating computer networks to steal trade secrets or other sensitive data, monitoring individuals’ typing to steal their passwords, or capturing information as it passes through the Internet. Examples of virtual CNA include changing database records or deleting data, while examples of physical CNA include using computers to damage or destroy equipment or inflict other harm in the real world.
The term “cyberwar” usually refers to the use of a digital weapon to cause physical damage. Thus far, the only commonly accepted example of this was the Stuxnet attack against Iran’s nuclear facilities. Some employ “cyberwar” far too loosely, or consider many forms of digital action to be cyberwar so long as they are paired with real-world military operations, as when Russian hackers took down Georgian Web sites during the 2008 war between the two countries.
Any adversary that can spy can also harm -- the only limitation is his intent. As a result, depending on the target, cyber-espionage could quickly escalate to cyberwar -- in which digital weapons are used to inflict physical damage.
Consider the following attack pattern. First, an intruder performs reconnaissance against his target to survey its weaknesses and find ways to steal or manipulate data. Next, he delivers weaponized content (for example, a document with malicious code, or a link to a malicious Web site) via an e-mail message. The e-mail recipient opens the attachment or clicks on the link, resulting in his computer falling victim to the intruder. The attacker can now control the victim’s computer and is free to pursue his objectives.
This is the key moment: Does the intruder choose to spy or to destroy? In the vast majority of cases, the answer has always been to spy. Intruders typically have most to gain by accessing a target and quietly stealing data. This is true of both financially motivated cybercrime and digital espionage. It pays to be stealthy and persistent. Professional digital thieves do not want to announce their presence by destroying data or producing physical effects.
A minority of cases, usually perpetrated by so-called hacktivists, do involve the destruction of data. Most observers consider such actions to be akin to vandalism. The attacker wants to embarrass the victim, so he penetrates the target, steals data, disables their computer by destroying key files, then publishes news of his conquest on the Internet. This model is far different from the world of CNE and CNA.
Unfortunately, three recent cases demonstrate that some outside the hacktivist community are opting to destroy as well. In August 2012, the state-owned Saudi Arabian Oil Company, also known as Saudi Aramco, suffered a digital destruction incident. According to Abdullah al-Saadan, a vice president at the company, foreign intruders deleted key files from more than 30,000 computers, rendering them useless until restored from backups. Major General Mansour al-Turki, a spokesman for the Saudi Interior Ministry, stated that “the attack failed to reach its ultimate goal, which was to stop the flow of Saudi oil.” Several days later, RasGas, a joint-stock company owned by Qatar Petroleum and ExxonMobil and one of the world’s largest liquefied natural gas suppliers, reported it suffered similar damage. Officials have been hesitant to point fingers at a potential culprit, but many suspect Iranian involvement.
Most recently, last March, digital destruction attacks affected more than 48,000 computers in South Korea. Three TV stations and three banks reported destruction of critical system files by malware, with effects similar to those suffered by Saudi Aramco and RasGas. Officials in South Korea attributed the attacks to North Korea.
It is important to differentiate at this point between digital attacks that temporarily disrupt networks and those that delete data. The first kind, known as DDoS, involve flooding computers and the networks to which they connect. Attackers deluge targeted computers with bogus network traffic, reducing the victim’s ability to communicate with the Internet and others’ ability to visit the targeted networks. The damage caused by such attacks ends as soon as the intruder stops the attack, or a security company steps in to help.
Data deletion attacks are more disruptive. When an attacker destroys data, he generally wipes material from the targeted hard drive. If no other copy of the data exists, the data is lost forever. If the affected system performs a crucial business function, that business function will be impaired until the computer is rebuilt or restored. For example, an intruder who attacks the computing controlling a magnetic resonance imaging machine or a robot stamping automobile parts would have effectively halted business.
In all three cases -- Saudi Aramco, RasGas, and South Korea -- the intrusions likely began the same way: spear phishing, followed by access, and finally follow-on activities. The attackers could easily have decided to spend days, weeks, or months spying on these companies. Had investigators discovered the intrusions and removed the attackers, some commentators would have claimed the attack was just another case of harmless espionage. After all, the intruders would have only been looking at data while roaming freely within the victims’ networks. The fact is, however, that in cyberspace, the power to steal is the power to destroy. Every instance of computer network exploitation is a potential case of computer network attack.
Addressing this problem requires taking several steps. First, policymakers should place the cavalier attitudes of the “only spying” crowd in proper context. True, some adversaries are likely to restrict their conduct to espionage and choose not to inflict damage -- but others will not be so kind. Second, organizations that find themselves targeted must recognize that intruders routinely penetrate their networks. Anyone operating a network should adopt a hunter’s mindset, conducting operations to root out intruders before they decide to steal or destroy data. Third, organizations should partner with peers, trusted and competent security providers, and government entities to exchange information about threats in standardized and machine-readable formats such as Mandiant’s OpenIOC format or MITRE’s Structured Threat Information Expression.
Once an organization is aware of the threat, it can call a company such as Mandiant to look for intruders and remove them when found. Mandiant uses a combination of tools and intelligence to assess evidence from networks, computers, and application logs to discover hidden threats and help victims restore their network to a trustworthy state.
Organizations win when they quickly identify intruders within their networks and remove them before the adversary accomplishes his mission -- whatever it is. We can no longer hide behind the fiction that intruder activity is tolerable because it is just espionage.