Imagine you’re a military leader. What if I offered you a weapon to cleanly take out enemy infrastructure with minimal incidental civilian deaths? It has near-infinite operational reach and it’s highly stealthy. Oh, and it’s cheap compared to say, strategic missiles, which cost about a million or so dollars apiece.1 Well, have I got a deal for you: cyberweapons.
Cyberwarfare attackers are advanced attackers who use cyberweapons to disrupt the activities or systems of a state or an organization for strategic or military purposes. Cyberattackers typically have generous resources, superior training, and dogged determination to take out a target. These are clearly the most dangerous of all cyber threats any of us could face.
Effectiveness
As Sun Tzu said, supreme excellence consists of breaking the enemy’s resistance without fighting. Cyberwarfare and cyberweapons have that capability, and they’re most effective when used against the toughest of opponents: large, industrialized, well-funded nation-states with global standing armies.
Mike Convertino, former F5 CISO and current Vice President of Technology, Security Products, comments: “Because things like our electrical grid are controlled by hackable ‘internet of things’ devices, it shouldn’t be at all surprising that nation states have invested in cyberattack capabilities that can exploit these devices. The ‘normalization’ of cyberattack among other military capabilities like air-to-ground, air-to-air, and ground maneuver of armor has been underway for some time now. Combined with computer network exploitation and information operations, non-nuclear military lethality is about to see a giant increase in effectiveness all the way to the level of weapons of mass destruction.”
Cyberwarfare is so effective because it can disable a nation’s critical infrastructure, plunging its population into chaos before a single shot is fired. But what is critical infrastructure? The US Department of Homeland Security identified sixteen critical sectors that compose critical infrastructure. These sectors are: Chemical, Commercial Facilities, Communications, Critical Manufacturing, Dams, Defense Industrial Base, Emergency Services, Energy, Financial Services, Food and Agriculture, Government Facilities, Healthcare and Public Health, Information Technology, Nuclear Facilities, Transportation Systems, Water and Wastewater Systems.2 As a bonus, often while this critical infrastructure is paralyzed, the valuable physical resources and machinery are often preserved for seizure by the attacker upon final victory.
Our own F5 Labs research has shown how a single hack can affect huge swaths of critical infrastructure, but let’s look at other significant cyberattacks in the past few years across the critical infrastructures. In the following sections, we include actual examples of cyberwarfare attacks against particular sectors. In cases where couldn’t find real-world examples, we include demonstrable hacks to prove that sector’s vulnerability to cyberwarfare.
Energy Sector Attacks
When you talk about critical infrastructure, most people’s thoughts jump straight to the electrical power grid. Over the past few years, US electrical systems and their controlling SCADA systems3 have been primary targets for Russian cyberattacks.4 In 2015, Russian attackers successfully shut down the Ukrainian power grid, causing massive blackouts.5
Nuclear Reactors, Materials, and Waste Sector Attacks
Even more terrifying are attacks against nuclear facilities. The most famous successful attack was Stuxnet against the Iranian nuclear program6 by the US and Israel. Given the possible choices, attacking with advanced air-gap malware was probably preferable to all parties than sending in bombers7 or commandos.8 Beyond Stuxnet, there are reports that in 2014, Russian hackers tried to breach US nuclear power plants.9
Dams Sector Attacks
In 2016, a dam in New York was the target of an Iranian hacking attempt. Although the SCADA systems were compromised, the dam was undergoing maintenance, and no water could be released.10 A proof-of-concept exploit demonstrating how a hack of an IoT device could open a dam was demonstrated at Black Hat 2018.11 If you discount the loss of life and property from a cyber-attack on dams, there is also the fact that hydroelectric dams produce over 6% of US electricity.12 Shutting them down would create blackouts affecting millions.
Water and Wastewater Sector Attacks
Unfortunately, water utilities have also been successfully exploited by cyber-warriors. In 2016, Verizon reports a Syrian hacktivist group used SQL injection and phishing to hack an unnamed water district system. The attackers were able to change flow controls of water and treatment chemicals via compromised SCADA systems.13
Public Health Sector Attacks
In 2017, the world witnessed the WannaCry ransomware rip through Europe, shutting down over a third of UK public health organizations. Sadly, this was not a one-time event as hospitals are continuing to be shut down by ransomware attacks.14 It also appears that pacemakers and other life-sustaining devices are exploitable.15
Emergency Services Sector Attacks
Earlier this year, the Baltimore 911 dispatch system was infected by ransomware, causing a temporary shutdown.16 In addition, F5 Labs has identified significant vulnerabilities on emergency services IoT-connected systems.
Chemical Sector Attacks
In 2012, targeted malware infected Aramco, a Saudi Arabian oil company, permanently disabling nearly 35,000 workstations. Since oil production is highly automated, the company experienced severe operational problems producing and selling oil.17
Financial Sector Attacks
Financial services organizations are often a target for cyber-crime, sometimes with devastating consequences such as the leakage of 145.5 million customers’ financial details.18 Cyber-warriors have also tried their hand. In 2012, Iranian-backed cyber-fighters blasted US banks with crushing DDoS attacks.19
Commercial Facilities Sector Attacks
The Department of Homeland Security defines commercial facilities as a “diverse range of sites that draw large crowds of people for shopping, business, entertainment, or lodging.”20 Many of these businesses have been hacked for various cybercriminal enterprises. There have been no specific cases of cyberwarfare that we could find. However, newer facilities are often riddled with IoT devices controlling HVAC, power, surveillance, and lighting.21 We’ve documented many cases of IoT attacks and the vulnerability of such devices. It’s reasonable to assume that any commercial facility using IoT is targetable by cyber-warriors.
Government Facilities Sector Attacks
As we’ve seen in the past few years, nearly every type of organization has been proven vulnerable to ransomware attacks that freeze their data and systems. This has also included the government offices of the cities of Atlanta,22 Sarasota23 Valdez,24 Leeds,25 and Spring Hill.26
Communications Sector Attacks
Like banks and e-tailers, Internet service providers27 and telecommunication companies28 have been frequent victims of cyber-criminal activity. Earlier this year, US-CERT issued an alert about Russian military hackers hacking of residential Internet modems and routers. In 2010, the state-owned China Telecom company rerouted a significant amount of external Internet traffic through Chinese servers for 18 minutes.29 There have been no publicly stated conclusions on whether this was an accident or a test of capability, but both cases demonstrate a nation-state’s ability to seize control or snoop on another’s Internet traffic.
Defense Industrial Base Sector Attacks
The US defense industrial base is continually plagued with foreign espionage, both for economic gain as well as to steal military secrets such as fighter craft design30 and naval missile secrets.31
Transportation Systems Sector Attacks
Just like everyone else, transportation agencies have been hobbled by ransomware. In 2016, the payment system for the San Francisco light rail system was hit during a busy weekend due to a ransomware infection. Rather than take the system offline, they let all riders on for free until systems could be restored.32 Private transportation systems like Uber33 and Sabre34 have also been hacked by cybercriminals.
Food and Agriculture Sector Attacks
No specific military cyber-hacks of Food and Agriculture sector organizations have been reported to date, though their vulnerability is well-known. Because of the high volume of payment card information present in the restaurant and grocery chain networks, cyber-criminals have repeatedly struck these networks over the past decade.35 Also, attacks against the transportation sector would directly affect the dependent supply chain that connects agriculture to the general population.
Critical Manufacturing Sector Attacks
In addition to the defense industrial attacks, there have been other successful hacks of critical manufacturing. In 2014, unknown attackers breached the systems of a steel mill in Germany and were able to damage a blast furnace. In 2017, security researchers found serious vulnerabilities with factory robots used throughout the manufacturing sector.36
Information Technology Sector Attacks
Lastly, the IT sector is often at the receiving end of blistering attacks from a variety of threats. Military hackers often target IT companies to get at the supply chain for defense systems to either plant back doors or steal source code for critical technology.37 Internet companies are also primary targets because they are conduits to the citizens of that country, whether the goal is to spy on billions of users38 or tamper with elections.
Not Always as Accurate as Hoped
Unfortunately, despite the power and promise of cyber-weapons, they aren’t as perfect as everyone had hoped. Because of the inter-dependence of networked systems all running the same software,39 malware can quickly spiral out of control, causing catastrophic collateral damage. A good example is the Russian malware NotPetya which was supposed to target only Ukrainian systems. It caused billions of dollars of damage across the globe, crippling many of these critical infrastructure sectors.40
The Rise of Hacker Armies
One thought may come to you as you read through these cases: cyberwarfare isn’t in our future, it’s our present. We’re seeing the opening shots of a whole new form of conflict. Cyberwarfare can be seen like the first aerial bombardment in the Spanish civil war that foreshadowed the paradigm shift in warfare of World War II.41
For this kind of warfare, the key tool is talent, and for that you can recruit or hire kids. Granted, these cyber-warriors may need slightly more training than your average ground pounder, but it’s cheaper than flight school. In addition, cyber-warriors are almost never killed or wounded in battle, although they are sometimes captured (arrested), but in general, your soldiers only improve and don’t diminish in force.
Right now, all the top known active players in this game are China, North Korea, Russia, Iran, Israel, and the US. Some of the more rogue of the cyber-armies work remote, like North Korea.42 Other countries are training and bolstering their cyber-force in an effort to keep up, notably France43 and Britain.44
What Can You Do?
Cyberwarfare targets critical infrastructure, of which 85% is owned and operated by the private sector in the US.45 Not only does this mean that defenses and resources are uneven and unpredictable, but response capabilities are limited. We civilians aren’t allowed to return fire by hacking back—it’s currently illegal under US law. Like non-combatants in any war, we are expected to just duck and run when the shelling starts. Unfortunately, our organizations and businesses are primary targets.
The good news so far is that many of the cyberwarfare attacks have leveraged basic hacking techniques like spear-phishing and exploiting known vulnerabilities. In general, cyber-warriors prefer not to waste exotic munitions like zero-day vulnerabilities as they are of limited supply and, once used, will lose most of their value.
So, most cyberwarfare are attacks we know how to stop with our traditional defenses and operational procedures. We also know of some techniques proven effective against advanced attackers, such as cyber-deception. With most of our critical infrastructure in civilian hands, it is ultimately up to us to defend it, not only for ourselves but to protect the lives and prosperity of our fellow citizens.