Pierluigi Paganini October 03, 2013

FireEye security firm released World War C report to explain nation-state motives behind advanced Nation-state driven cyber attacks.

Nation-state driven cyber attacks are routinely conducted on a global scale to defend national sovereignty and project national power. We are living in the cyber era, human conflict is involving also the fifth domain of warfare, the cyberspace. As never before disputes take place with blows of bits, militias of every government are developing cyber capabilities dedicating great effort for the establishment of cyber units.

Security firm FireEye published another interesting research titled “World War C” that describes the effort spent by governments in cyber warfare context, the document analyzes in detail the different approaches adopted by various countries in conducting nation-state driven cyber attacks. Security experts highlight the intensification of state-sponsored attacks for both cyber espionage and sabotage purpose, campaigns such as Moonlight Maze and Titan Rain or the destructive cyber strikes on Iran and Georgia have signed the evolution of the military doctrine.

“Cyberspace has become a full-blown war zone as governments across the globe clash for digital supremacy in a new, mostly invisible theater of operations. Once limited to opportunistic criminals, cyber attacks are becoming a key weapon for governments seeking to defend national sovereignty and project national power.”

In the arsenal of government militias are entering strongly DDoS tools, spyware and computer viruses, nation-state driven cyber attacks are considerable an optimal option by governments for the following reasons:

• Reduced costs compared to conventional strikes.
• Efficiency
• The asymmetric nature of the cyber attacks makes difficult the defense.
• The anonymous nature of the offense allows the attacking government to circumvent the approval by the world community to a military offensive.
• Possibility to conduct cyber attacks in peacetime for immediate geopolitical ends, as well as to prepare for possible future kinetic attacks.

As explained in the study the attribution of responsibility for a cyber attack is a very hard task, FireEye experts correctly highlighted that to uncover the perpetrators is necessary to apply a multi layered approach based on forensic “reverse-hacking” techniques, build a deep knowledge of “patterns” of attack, evaluate the geopolitical context of cyber attacks aims associated to specific government.

“A cyber attack, viewed outside of its geopolitical context, allows very little legal maneuvering room for the defending state,” “False flag operations and the very nature of the internet makes tactical attribution a losing game. However, strategic attribution – fusing all sources of intelligence on a potential threat – allows a much higher level of confidence and more options for the decision maker,” “And strategic attribution begins and ends with geopolitical analysis.” said Professor Thomas Wingfield of the Marshall Centre, a joint US-German defense studies institute.

“The biggest challenge to deterring, defending against, or retaliating for cyber attacks is the problem of correctly identifying the perpetrator,” said Prof. John Arquilla, Naval Postgraduate School

“Attribution” for a nation-state driven cyber attack  is difficult due to similarity with methods adopted by single individuals, organizations, or state-sponsored hackers. States are often mistakenly identified as non-state entities, and vice versa. Another dangerous phenomenon that we are assisting is the growth of number of cyber mercenary groups close to governments that are structured as cyber criminal gangs but that are able to offer hacking services to involve in nation-state driven cyber attacks.

“cybercrime organizations offer anyone, including governments, cyber attack services to include denial-of-service attacks and access to previously compromised networks.” states the World War C report.

FireEye experts analyzed the Nation-state driven cyber attacks identifying the tactics and characteristics for the offensive in various regions:

• Asia-Pacific: home to large, bureaucratic hacker groups, such as the “Comment Crew” who pursues targets in high-frequency, brute-force attacks.
• Russia/Eastern Europe: More technically advanced cyberattacks that are often highly effective at evading detection.
• Middle East: Cybercriminals in the region often using creativity, deception, and social engineering to trick users into compromising their own computers.
• United States: origin of the most complex, targeted, and rigorously engineered cyber attack campaigns to date, such as the Stuxnet worm. Attackers favour a drone-like approach to malware delivery.

New players are entering the arena of cyber warfare strongly, countries such a North Korea, Iran and Syria have demonstrated to represent a serious menace also for the most industrialized super power, this is the democracy of the new military doctrine. Examining most advanced countries  in cyber warfare, China is considered responsible for the largest number of Nation-state driven cyber attacks, it uses high-volume noisly cyber attacks mainly for cyberespionage.

On the other end U.S., and Israel, providing the most advanced technologies, are able to conduct more sophisticated and surgical cyber operations, Stuxnet and Duqu are just a couple of examples of products of joint effort spent by the two governments. The Russian Government is considered one of the entities with major cyber capabilities, like Israel and US it is able to perform sophisticated nation-state driven cyber attacks, but little is known about the internal organization of its cyber units. According to rumors, a group of hackers that report directly to the President is the core of Russian cyber command that has operated in stealthily way in cyberspace against hostile governments and on the domestic front against opponents of the regime.

“Though relatively quiet, Russia appears to be home to many of the most complex and advanced cyber attacks FireEye researchers have seen. More specifically, Russian exploit code can be significantly stealthier than its Chinese counterpart—which can also make it more worrisome. The “Red October” campaign, including its satellite software dubbed “Sputnik,” is a prominent example of likely Russian malware.” states the report

FireEye’s World War C ends proposing a list of factors that could influence the cyber security landscape in the medium term:

• Outage of national critical infrastructure – we have still not assisted to cyber attacks that have compromised a national infrastructures like a power grid, but that day may not be far.
• Cyber arms treaty – we are already assisting to the cyber army race for the above reasons, governments will continue to invest to increase their cyber capabilities. Following the table reporting the investment in cyber capabilities I presented to the Cyber Threat Summit 2012,  let’s consider that that the expense has grown despite the cuts in most cases.

• PRISM, freedom of speech, and privacy – Disclosure of PRISM and other US surveillance activities will further complicate the delicate scenarios. The debate on topics such as freedom of speech and privacy could bring some “annoyance” to the intelligence activities conducted by the various governments, and nothing else in my judgment. No mistake, privacy and technology are like two separated spouses that live in the same house.

• New actors on the cyber stage –  cyberspace is a crowded place,  Iran, Syria, North Korea, and even non state actors such as Anonymous have employed cyber attacks as a way to conduct diplomacy and wage war by other means. FireEye researchers wager of growing cyber capabilities of Poland, Brazil and Taiwan.
• Stronger focus on evasion – due to the evolution of cyber defense attackers may be improve the offense with sophisticated techniques to avoid detection and fly under the radar.

Information warfare is ongoing …

Pierluigi Paganini

(Security Affairs –  Nation-state driven cyber attacks,  cyberwarfare)