
1/15/2018
09:05 AM
Joe Stanganelli
News Analysis-Security Now

Predicting Russian Cyberwar: A Look Back

Information security predictions are easy to make and usually wrong. However, one prediction about how escalating international tensions combined with nation-state hacking power could produce a significant cyberwar turned out to be pretty precise.

From November to December, the cybersecurity punditry makes it its business to give InfoSec predictions for the year to come.

As I've noted in my own recent prediction series, these usually come to little more than safe, semi-educated guesses about how obvious trends will continue and that everything will gradually get worse. (See My Cybersecurity Predictions for 2018, Part 1: Following Trends & the FTC, My Cybersecurity Predictions for 2018, Part 2: GDPR Hype Is Hype, My Cybersecurity Predictions for 2018, Part 3: Protecting Killer Cars and My Cybersecurity Predictions for 2018, Part 4: Regulating Encryption.)

One such prediction about 2017 from 2016, however, bears special attention and analysis.

In a November 9, 2016, blog post, a collection of "BeyondTrust Security Experts" teamed up to make ten cybersecurity predictions for the coming year. Most of them are pretty bland, tracking tame industry trends -- "predictions" concerning increased awareness of password issues, industry attraction to alternative authentication solutions, increasing numbers of various types of already popular attacks, and government involvement in IoT security (See IoT Regulation Could Save the Internet).

To their credit, however, they led off with a real showstopper -- that a recognized act of cyberwar by a nation-state would occur.

Following trends in eastern Europe
"The first nation state cyber-attack will be conducted and acknowledged as an act of war," read BeyondTrust's #1 prediction for 2017.

Justifying the prediction, BeyondTrust cited both the Stuxnet worm -- widely credited as a nation-state exploit designed to disrupt rivals of the US and/or Israel -- and cyber attacks that have disrupted power grids.

The latter point is particularly salient. Attacks by Russian actors on essential Ukrainian infrastructure have been seen by the InfoSec community as a collection of cyberwarfare skunkworks projects. The Ukraine, pundits posit, is a sufficiently obscure eastern European nation at sufficient odds with Russia such that it has more or less been safely used for cyber target practice by the latter.

Since 2014, Russia has been engaged in military intervention against the Ukrainian government. A successful 2015 spear-phishing campaign followed by extensive cyber-recon allowed a group linked to Russia to completely shut down the Ukrainian power grid for up to six hours -- leaving operational difficulties that persisted for months after the fact. Since then, additional cyber attacks have persisted against multiple Ukrainian sectors. German government agencies, too, appeared to have gotten caught in the cyber-crossfire around the time of diplomatic talks between Germany and the Ukraine. In all of these instances, fingers point to Russian nation-state actors, but Russia denies wrongdoing.

Ukraine is hardly the only nation to have seen its geopolitical tensions with Russia erupt into warmongering cyber attacks, however.

In the five-day Russo-Georgian War of August 2008, a massive DDoS attack against 54 Georgian websites (that's Georgia the country, not Georgia the US state) was apparently coordinated to coincide with traditional physical attacks involving tanks, soldiers and bombs -- disrupting the Georgians' supply of information and transactional abilities while hampering the Georgian government's ability to spread its own propaganda online to attract international sympathy and support. Similar DDoS attacks began against Georgian government sites as early as July 20 -- less than three weeks before the shooting started. InfoSec researchers theorized that these preliminary DDoS attacks were a "dress rehearsal" of sorts to help gear up for the real thing.

And yet other cyber attacks against sovereign entities have been attributed to Russian actors even before this 2008 war. (See Dispatch From the CyberWar: An Interview With Joseph Carson.)

For what it's worth, the Russian government has denied all such cyber involvement -- and hard proof has been hard to come by; attribution is notoriously tricky when it comes to tracing hackers. Moreover, private-citizen black-hat Russian hackers going after foreign targets have long received certain degrees of protection from the Russian government. Still, the smart money seems to lie in the Georgian narrative that the 2008 cyber attacks were directed by the Russian government as part of Moscow's war effort. Accordingly, information-security and cyberwar experts tend to identify these DDoS attacks as the actual first recognized acts of cyberwarfare committed by one nation-state (even if not purely directly so) against another.

Accordingly, BeyondTrust's basic prediction seems to fall on its face as a matter of question-begging; a "cyberattack… conducted and acknowledged as an act of war" seems to have already occurred.

How large is large?
Perhaps BeyondTrust simply wasn't aware of the details of the start of the Russo-Georgian War. But let's give the security firm the benefit of the doubt by reading their explanation more closely.

"2017 will see the first large scale attack by a nation, against another sovereign nation," elaborated BeyondTrust, "and be acknowledged as an attack and the techniques used considered as weapons (albeit software, malware, vulnerabilities, and exploits)."

If we emphasize the words "large scale," we can be a bit more generous in the reading. Sure, Georgia is not a particularly big nation, but those 54 websites might not have been enough to wreak very large-scale havoc -- particularly because the attacks did not seem to hamper the operation of other vital infrastructure, and especially given that the war in question officially lasted less than a week. Moreover, in all of the above examples, Moscow's involvement has not been readily proven.

Russia, of course, is not the only nation reputed to engage in cyberwarfare tactics. Russian officials have apparently been caught and charged with illicit cyber intrusions, but so have officials of other nations (such as China) -- without any talk of "acts of war." (See DOJ Charges Russian Agents in Yahoo Breach.)

Yet now, with 2017 come and gone, conversations about Russia's cyber-warmongering have taken a drastic turn amid accusations that the Russian government engaged in a lengthy and far-flung campaign throughout 2016 to interfere in the US Presidential Election. (See: The New Nation-State Normal.)

Cold War 2.0
As usual, Moscow has fervently denied any accusations of cyber-meddling -- despite recently released statements to the contrary by an imprisoned Russian official. Despite Russia's denials, Russian interference in the 2016 US Presidential Election has been generally accepted as fact.

Interestingly, BeyondTrust's blogged prognostication (blognostication?) of an act of cyberwarfare came the day after Election Day in the US -- when Donald Trump was elected President. Might this be what BeyondTrust had in mind?

Indeed, US sanctions against Russia followed -- and, lo and behold, a US State Department official has recently come right out and actually referred to these acts as an act of war.

"I will tell you that when a country can come interfere in another country's elections, that is warfare," declared Nikki Haley, US Ambassador, at a forum three months ago in New York as she referenced Russia's putative electoral interference. "I find it fascinating because the Russians, God bless 'em, they're saying, 'Why are Americans anti-Russian? And why have we done the sanctions?' Well, don't interfere in our elections and we won't be anti-Russian."

It would seem that this satisfies the BeyondTrust prophecy -- except that BeyondTrust's prediction technically reads that the cyber-act of war itself would be conducted in 2017 (well after the US election that Russia is said to have interfered in).

Looking back to Europe
This detail doesn't leave BeyondTrust's prediction dead in the water, however. Consider that Haley further referred to a "massive" cyber attack -- widely attributed to Russian nation-state actors -- on Emmanuel Macron's presidential campaign in France this past spring in an apparent effort to spread propaganda that would swing France's presidential election in favor of Macron's populist opponent, Marine Le Pen.

"We didn't just see it here. You can look at France and you can look at other countries," continued Haley. "They are doing this everywhere. This is their new weapon of choice. And we have to make sure we get in front of it."

The attack on Macron's campaign -- in tandem with other headline-grabbing cyber attacks -- led Guillaume Poupard, director general of the National Cybersecurity Agency of France (ANSSI), to declare that the world was on the path to a "permanent" cyberwar.

"We are getting closer, clearly, to a state of war," said Poupard, "A state of war that could be more complicated, probably, than those we've known until now."

Macron went on to win his country's election despite the cyber attack -- and, reportedly, investigators seem to have found but minimal links between the hack and Russian nation-state actors. Nonetheless, it is fair to say that multiple nations have identified and attributed a cyber attack as an act of war by one nation state against another.

Consequently, we can magnanimously give BeyondTrust a nod of recognition here for making an honest-to-God out-on-a-limb prediction and getting it right (kinda). The only real question remaining is if (or when) such a cyber-act of war will lead to an IRL bomb-dropping war.

An unsettling thought. Maybe that's why the pundits play it safe.


—Joe Stanganelli, principal of Beacon Hill Law, is a Boston-based attorney, corporate-communications and data-privacy consultant, writer, and speaker. Follow him on Twitter at @JoeStanganelli.
