Dark Reading is part of the Informa Tech Division of Informa PLC


Operational Security
09:05 AM
Joe Stanganelli
News Analysis-Security Now

Predicting Russian Cyberwar: A Look Back

Information security predictions are easy to make and usually wrong. One prediction, however, about how escalating international tensions combined with nation-state hacking power could produce a recognized cyberwar, turned out to be fairly precise.

From November to December, the cybersecurity punditry makes it its business to give InfoSec predictions for the year to come.

As I've noted in my own recent prediction series, these usually come to little more than safe, semi-educated guesses about how obvious trends will continue and that everything will gradually get worse. (See My Cybersecurity Predictions for 2018, Part 1: Following Trends & the FTC, My Cybersecurity Predictions for 2018, Part 2: GDPR Hype Is Hype, My Cybersecurity Predictions for 2018, Part 3: Protecting Killer Cars and My Cybersecurity Predictions for 2018, Part 4: Regulating Encryption.)

One such prediction about 2017 from 2016, however, bears special attention and analysis.

In a November 9, 2016, blog post, a collection of "BeyondTrust Security Experts" teamed up to make ten cybersecurity predictions for the coming year. Most of them are pretty bland, tracking tame industry trends -- "predictions" concerning increased awareness of password issues, industry attraction to alternative authentication solutions, increasing numbers of various types of already popular attacks, and government involvement in IoT security (See IoT Regulation Could Save the Internet).

To their credit, however, they led off with a real showstopper -- that a recognized act of cyberwar by a nation-state would occur.

Following trends in eastern Europe
"The first nation state cyber-attack will be conducted and acknowledged as an act of war," read BeyondTrust's #1 prediction for 2017.

(Source: Steppinstars via Pixabay)

Justifying the prediction, BeyondTrust cited both the Stuxnet worm -- widely credited as a nation-state exploit designed to disrupt rivals of the US and/or Israel -- and cyber attacks that have disrupted power grids.

The latter point is particularly salient. Attacks by Russian actors on essential Ukrainian infrastructure have been seen by the InfoSec community as a collection of cyberwarfare skunkworks projects. Ukraine, pundits posit, is a sufficiently obscure eastern European nation at sufficient odds with Russia that it has more or less been safely used for cyber target practice by the latter.

Since 2014, Russia has been engaged in military intervention against the Ukrainian government. A successful 2015 spear-phishing campaign followed by extensive cyber-reconnaissance allowed a group linked to Russia to cut power to parts of the Ukrainian grid, leaving roughly a quarter of a million customers in the dark for up to six hours and causing operational difficulties that persisted for months afterward. Since then, additional cyber attacks have continued against multiple Ukrainian sectors. German government agencies, too, appear to have been caught in the cyber-crossfire around the time of diplomatic talks between Germany and Ukraine. In all of these instances, fingers point to Russian nation-state actors, but Russia denies wrongdoing.

Ukraine is hardly the only nation to have seen its geopolitical tensions with Russia erupt into warmongering cyber attacks, however.

In the five-day Russo-Georgian War of August 2008, a massive DDoS attack against 54 Georgian websites (that's Georgia the country, not Georgia the US state) was apparently coordinated to coincide with traditional physical attacks involving tanks, soldiers and bombs -- disrupting the Georgians' supply of information and transactional abilities while hampering the Georgian government's ability to spread its own propaganda online to attract international sympathy and support. Similar DDoS attacks began against Georgian government sites as early as July 20 -- less than three weeks before the shooting started. InfoSec researchers theorized that these preliminary DDoS attacks were a "dress rehearsal" of sorts to help gear up for the real thing.

And still other cyber attacks against sovereign entities have been attributed to Russian actors even before the 2008 war. (See Dispatch From the CyberWar: An Interview With Joseph Carson.)

For what it's worth, the Russian government has denied all such cyber involvement -- and hard proof has been scarce; attribution is notoriously tricky when it comes to tracing hackers. Moreover, private-citizen black-hat Russian hackers going after foreign targets have long received a degree of protection from the Russian government, which blurs the line between state-directed and merely state-tolerated activity. Still, the smart money seems to lie with the Georgian narrative that the 2008 cyber attacks were directed by the Russian government as part of Moscow's war effort. Accordingly, information-security and cyberwar experts tend to identify these DDoS attacks as the first recognized acts of cyberwarfare committed by one nation-state (even if not purely directly so) against another.

Accordingly, BeyondTrust's basic prediction seems to fall on its face as a matter of question-begging; a "cyberattack… conducted and acknowledged as an act of war" seems to have already occurred.

How large is large?
Perhaps BeyondTrust simply wasn't aware of the details of the start of the Russo-Georgian War. But let's give the security firm the benefit of the doubt by reading their explanation more closely.

"2017 will see the first large scale attack by a nation, against another sovereign nation," elaborated BeyondTrust, "and be acknowledged as an attack and the techniques used considered as weapons (albeit software, malware, vulnerabilities, and exploits)."

If we emphasize the words "large scale," we can be a bit more generous in the reading. Sure, Georgia is not a particularly big nation, but knocking 54 websites offline might not have been enough to wreak truly large-scale havoc -- particularly because the attacks did not seem to hamper the operation of other vital infrastructure, and especially given that the war in question officially lasted less than a week. Moreover, in all of the above examples, Moscow's involvement has not been readily proven.

Russia, of course, is not the only nation reputed to engage in cyberwarfare tactics. Russian officials have apparently been caught and charged with illicit cyber intrusions, but so have officials of other nations (such as China) -- without any talk of "acts of war." (See DOJ Charges Russian Agents in Yahoo Breach.)

Yet now, with 2017 come and gone, conversations about Russia's cyber-warmongering have taken a drastic turn amid accusations that the Russian government engaged in a lengthy and far-flung campaign throughout 2016 to interfere in the US Presidential Election. (See: The New Nation-State Normal.)

Cold War 2.0
As usual, Moscow has fervently denied any accusations of cyber-meddling -- despite recently released statements to the contrary by an imprisoned Russian official. Those denials notwithstanding, Russian interference in the 2016 US Presidential Election has been generally accepted as fact.

Interestingly, BeyondTrust's blogged prognostication (blognostication?) of an act of cyberwarfare came the day after Election Day in the US -- when Donald Trump was elected President. Might this be what BeyondTrust had in mind?

Indeed, US sanctions against Russia followed -- and, lo and behold, a senior US diplomat has recently come right out and referred to these acts as warfare.

"I will tell you that when a country can come interfere in another country's elections, that is warfare," declared Nikki Haley, US Ambassador to the United Nations, at a forum three months ago in New York as she referenced Russia's putative electoral interference. "I find it fascinating because the Russians, God bless 'em, they're saying, 'Why are Americans anti-Russian? And why have we done the sanctions?' Well, don't interfere in our elections and we won't be anti-Russian."

It would seem that this satisfies the BeyondTrust prophecy -- except that BeyondTrust's prediction technically reads that the cyber-act of war itself would be conducted in 2017 (well after the US election that Russia is said to have interfered in).

Looking back to Europe
This detail doesn't leave BeyondTrust's prediction dead in the water, however. Consider that Haley further referred to a "massive" cyber attack -- widely attributed to Russian nation-state actors -- on Emmanuel Macron's presidential campaign in France this past spring, in an apparent effort to spread propaganda that would swing France's presidential election in favor of Macron's populist opponent, Marine Le Pen.

"We didn't just see it here. You can look at France and you can look at other countries," continued Haley. "They are doing this everywhere. This is their new weapon of choice. And we have to make sure we get in front of it."

The attack on Macron's campaign -- in tandem with other headline-grabbing cyber attacks -- led Guillaume Poupard, director general of the National Cybersecurity Agency of France (ANSSI), to declare that the world was on the path to a "permanent" cyberwar.

"We are getting closer, clearly, to a state of war," said Poupard. "A state of war that could be more complicated, probably, than those we've known until now."

Macron went on to win his country's election despite the cyber attack -- and, reportedly, investigators seem to have found only minimal links between the hack and Russian nation-state actors. Nonetheless, it is fair to say that multiple nations have now publicly characterized a cyber attack by one nation-state against another as an act of war.

Consequently, we can magnanimously give BeyondTrust a nod of recognition here for making an honest-to-God out-on-a-limb prediction and getting it right (kinda). The only real question remaining is if (or when) such a cyber-act of war will lead to an IRL bomb-dropping war.

An unsettling thought. Maybe that's why the pundits play it safe.


—Joe Stanganelli, principal of Beacon Hill Law, is a Boston-based attorney, corporate-communications and data-privacy consultant, writer, and speaker. Follow him on Twitter at @JoeStanganelli.
