Inside Cyber Warfare

Jeffrey Carr

Foreword

Since the first edition of Jeffrey Carr's Inside Cyber Warfare: Mapping the Cyber Underworld was published, cyber security has become an increasing strategic and economic concern. Not only have major corporations and government agencies continued to be victimized by massive data thefts, but disruptive and destructive attacks on both public and private entities continue and show no signs of abating. Among the publicly disclosed targets of cyber attacks are major financial institutions, entertainment companies, cyber security companies, and US and foreign government agencies, including the US Department of Defense, the US Senate, and the Brazilian and the Malaysian governments.

Many of these cyber penetrations are aimed at theft of identity or financial data for purposes of criminal exploitation. These cannot simply be regarded as a "cost of doing business" or tolerable losses; such episodes undermine the public trust, which is the foundation for business transactions over the Internet. Even more significant is the threat posed by cyber theft of intellectual property. Every year, economic competitors of American businesses steal a quantity of intellectual property larger than all the data in the Library of Congress. As a result, these rivals are gaining an unfair advantage in the global economy.

Also gaining in seriousness are organized efforts to disrupt or even destroy cyber systems. Anarchist and other extremist groups, such as Anonymous and LulzSec (and their offspring), seek to punish those with whom they disagree by exposing confidential data or disrupting operations. Recent breaches of cyber security firms such as HBGary and EMC's RSA SecurID division demonstrate a strategic effort to undermine the security architecture on which many enterprises rely. And the multiplication of social media and mobile devices will create many more opportunities for cyber espionage, social engineering attacks, and open source intelligence collection by nation-states, terrorists, and criminal groups.

Since the formation of the Comprehensive National Cybersecurity Initiative in 2008, the US government has unveiled a series of security-related strategies, including legislative proposals. These are useful and important steps, but they're not enough to keep pace with the growing and diversifying threats. The private sector in particular must take ownership of much of the burden of defending the networks they own and operate. Moreover, while technology and tools are key to the solution, human beings are at the heart of any security strategy. Unless those who use the Internet observe good security practices, defensive technologies will merely be a bump in the road to those who seek to exploit cyberspace.

Finally, while defense against cyber attacks is important, it is not enough. When cyber attacks damage critical infrastructure or even threaten loss of life, sound strategy calls for preventive and deterrent measures. While some downplay the idea of cyberspace as a warfare domain, occurrences such as the 2008 Russia-Georgia conflict underscore that information systems are very much part of the battlefield of the future. For this reason, the US Department of Defense has issued its first official strategy for operating in cyberspace. To be sure, difficulties in attribution and questions of legal authority complicate the application of warfighting concepts to cyberspace. Nevertheless, we must tackle these issues to determine what measures can be taken offensively to eliminate or deter critical cyber threats, when those measures should be triggered, and who should carry them out. Without formulating a strategy that encompasses these measures, our cyber security doctrine will be, at best, disconnected and incomplete.

For policymakers and business leaders, cyber warfare and cyber security can no longer be regarded simply as the province of experts and technicians. The leadership of any public or private enterprise must consider the risks of and responses to cyber threats. This latest edition of Jeffrey Carr's volume is indispensable reading for senior executives as well as savants.

-The Honorable Michael Chertoff, former Homeland Security Secretary and co-founder of The Chertoff Group.

Preface

I was recently invited to participate in a cyber security dinner discussion by a few members of a well-known Washington, DC, think tank. The idea was that we could enjoy a fine wine and a delicious meal while allowing our hosts to pick our brains about this "cyber warfare stuff." It seems that the new threatscape emerging in cyberspace has caught them unprepared and they were hoping we could help them grasp some of the essentials in a couple of hours. By the time we had finished dinner and two bottles of a wonderful 2003 red, one of the Fellows in attendance was holding his head in his hands, and it wasn't because of the wine.

International acts of cyber conflict (commonly but inaccurately referred to as cyber warfare) are intricately enmeshed with cyber crime, cyber security, cyber terrorism, and cyber espionage. That web of interconnections complicates finding solutions because governments have assigned different areas of responsibility to different agencies that historically do not play well with others. Then there is the matter of political will. When I signed the contract to write this book, President Obama had committed to make cyber security a top priority in his administration. Seven months later, as I write this introduction, cyber security has been pushed down the priority ladder behind the economy and health care, and the position of cyber coordinator, who originally was going to report directly to the President, must now answer to multiple bosses with their own agendas. A lot of highly qualified candidates have simply walked away from a position that has become a shadow of its former self. Consequently, we all find ourselves holding our heads in our hands more often than not.

Cyberspace as a warfighting domain is a very challenging concept. The temptation to classify it as just another domain, like air, land, sea, and space, is frequently the first mistake that's made by our military and political leaders and policymakers.

I think that a more accurate analogy can be found in the realm of science fiction's parallel universes: mysterious, invisible realms existing in parallel to the physical world, but able to influence it in countless ways. Although that's more metaphor than reality, we need to change the habit of thinking about cyberspace as if it's the same thing as "meat" space.

After all, the term "cyberspace" was first coined by a science fiction writer. My own childhood love affair with science fiction predated William Gibson's 1984 novel Neuromancer, going all the way back to The New Tom Swift Jr. Adventures series, which was the follow-up to the original series of the early 1900s. By some quirk of fate, the first Tom Swift Jr. book was published in 1954 (the year that I was born) and ceased publication in 1971 (the year that I left home for college). Although the young inventor didn't have cyberspace to contend with, he did have the "Atomic Earth Blaster" and the "Diving Sea Copter." In an otherwise awful childhood, the adventures of Tom Swift Jr. kept me feeling sane, safe, and excited about the future until I was old enough to leave home and embark on my own adventures.

Now, 38 years later, I find myself

How This Book Came to Be

This book exists because of an open source intelligence (OSINT) experiment that I launched on August 22, 2008, named Project Grey Goose (Figure 1). On August 8, 2008, while the world was tuning in to the Beijing Olympics, elements of the Russian Federation (RF) Armed Forces invaded the nation of Georgia in a purported self-defense action against Georgian aggression. What made this interesting to me was the fact that a cyber component preceded the invasion by a few weeks, and then a second, much larger wave of cyber attacks was launched against Georgian government websites within 24 hours of the invasion date. These cyber attacks gave the appearance of being entirely spontaneous, an act of support by Russian "hacktivists" who were not part of the RF military. Other bloggers and press reports supported that view, and pointed to the Estonian cyber attacks in 2007 as an example. In fact, that was not only untrue, but it demonstrated such shallow historical analysis of comparable events that I found myself becoming more and more intrigued by the pattern that was emerging. There were at least four other examples of cyber attacks timed with RF military actions dating back to 2002. Why wasn't anyone exploring that, I wondered?

Figure 1. The official logo of Project Grey Goose

I began posting what I discovered to my blog IntelFusion.net, and eventually it caught the attention of a forward deployed intelligence analyst working at one of the three-letter agencies. By "forward deployed" I refer to those analysts who are under contract to private firms but working inside the agencies. In this case, his employer was Palantir Technologies. "Adam" (not his real name) had been a long-time subscriber to my blog and was as interested in the goings-on in Georgia as I was. He offered me the free use of the Palantir analytic platform for my analysis.

After several emails and a bunch of questions on my part, along with my growing frustration at the overall coverage of what was being played out in real time in the North Caucasus, I flashed on a solution. What would happen if I could engage some of the best people inside and outside of government to work on this issue without any restrictions, department politics, or bureaucratic red tape? Provide some basic guidance, a collaborative work space, and an analytic platform, and let experienced professionals do what they do best? I loved the idea. Adam loved it. His boss loved it.

On August 22, 2008, I announced via my blog and Twitter an open call for volunteers for an OSINT experiment that I had named Project Grey Goose. Prospective volunteers were asked to show their interest by following a temporary Twitter alias that I had created just for this enrollment. Within 24 hours, I had almost 100 respondents consisting of college students, software engineers, active duty military officers, intelligence analysts, members of law enforcement, hackers, and a small percentage of Internet-created personas who seemed to have been invented just to see if they could get in (they didn't). It was an astounding display of interest, and it took a week for a few colleagues and I to make the selections. We settled on 15 people, Palantir provided us with some training on their platform, and the project was underway. Our Phase I report was produced about 45 days later. A follow-up report was produced in April 2009. This book pulls from some of the data that we collected and reported on, plus it contains quite a bit of new data that has not been published before.

A lot happened between April 2009 and September 2009, when the bulk of my writing for this book was done. As more and more data is moved to the cloud and the popularity of social networks continues to grow, the accompanying risks of espionage and adversary targeting grow as well. While our increasingly connected world does manage to break down barriers and increase cross-border friendships and new understandings, the same geopolitics and national self interests that breed conflicts and wars remain. Conflict continues to be an extension of political will, and now conflict has a new domain on which its many forms can engage (espionage, terrorism, attacks, extortion, disruption).

This book attempts to cover a very broad topic with sufficient depth to be informative and interesting without becoming too technically challenging. In fact, there is no shortage of technical books written about hackers, Internet architecture, website vulnerabilities, traffic routing, and so on. My goal with this book is to demonstrate how much more there is to know about a cyber attack than simply what comprises its payload.

Welcome to the new world of cyber warfare.

Acknowledgments

I'd like to thank Tim O'Reilly, Mike Loukides, Mac Slocum, and all of the great people at O'Reilly Media for supporting my work and making the difficult process of writing a book as stress-free as possible. I'd also like to thank my research assistants, Tim, Jennifer, and Catherine, for the hard work they put into researching the content for Chapters 16 and 17, which, while not complete, is the most comprehensive body of work on this topic that I believe exists anywhere in the public domain today.

Chapter 1. Assessing the Problem

You can't say that civilization don't advance, however, for in every war they kill you in a new way.

-Will Rogers, New York Times, December 23, 1929.

Whenever someone asks if anyone ever died in a cyber war, Magomed Yevloev springs to mind.

On August 31, 2008, in the North Caucasus Republic of Ingushetia, Yevloev was arrested by Nazran police, ostensibly for questioning regarding his anti-Kremlin website Ingushetia.ru. As he was being transported to police headquarters, one of the officers in the car "accidentally" discharged his weapon into the head of Magomed Yevloev.

The US Department of State called for an investigation. Vladimir Putin reportedly said that there would be an investigation. To date, nothing has been done.

Ingushetia.ru (now Ingushetia.org) and the Chechen website kavkazcenter.com are some of the earliest examples of politically motivated Russian cyber attacks dating as far back as 2002. In other words, in addition to Russian military operations in Chechnya, there were cyber attacks launched against opposition websites as well.

The Russia-Georgia War of August 2008 is the latest example, occurring just a few weeks before Magomed Yevloev's killing. If anyone would qualify as a casualty of cyber warfare, it might just be this man.

The Complex Domain of Cyberspace

The focus of this book is cyber warfare, and therein lies the first complexity that must be addressed. As of this writing, there is no international agreement on what constitutes an act of cyber war, yet according to McAfee's 2008 Virtual Criminology Report, there are over 120 nations "leveraging the Internet for political, military, and economic espionage activities."

The US Department of Defense (DOD) has prepared a formal definition of this new warfighting domain, which is discussed in Chapter 11, but inspired by the writings of Sun Tzu, I offer this definition instead: Cyber Warfare is the art and science of fighting without fighting; of defeating an opponent without spilling their blood.

To that end, what follows are some examples of the disparate ways in which governments have attempted to force their wills against their adversaries and find victory without bloodshed in the cyber domain.

Cyber Warfare in the 20th and 21st Centuries

China

The emergence of the People's Republic of China's (PRC) hacker community was instigated by a sense of national outrage at anti-Chinese riots taking place in Indonesia in May 1998. An estimated 3,000 hackers self-organized into a group called the China Hacker Emergency Meeting Center, according to Dahong Min's 2005 blog entry entitled "Say goodbye to Chinese hackers' passionate era: Writing on the dissolving moment of 'Honker Union of China.'" The hackers launched attacks against Indonesian government websites in protest.

About one year later, on May 7, 1999, a NATO jet accidentally bombed the Chinese embassy in Belgrade, Yugoslavia. Less than 12 hours later, the Chinese Red Hacker Alliance was formed and began a series of attacks against several hundred US government websites.

The next event occurred in 2001 when a Chinese fighter jet collided with a US military aircraft over the South China Sea. This time over 80,000 hackers became engaged in launching a "self-defense" cyber war for what they deemed to be an act of US aggression. The New York Times referred to it as "World Wide Web War I."

Since then, most of the PRC's focus has been on cyber espionage activities in accordance with its military strategy to focus on mitigating the technological superiority of the US military.

Israel

In late December 2008, Israel launched Operation Cast Lead against Palestine. A corresponding cyber war quickly erupted between Israeli and Arabic hackers, which has been the norm of late when two nation-states are at war.

The unique aspect of this case is that at least part of the cyber war was engaged in by state hackers rather than the more common nonstate hackers. Members of the Israeli Defense Forces hacked into the Hamas TV station Al-Aqsa to broadcast an animated cartoon showing the deaths of Hamas leaders with the tag line "Time is running out" (in Arabic).

In contrast, during the Chechnya, Estonia, and Georgia conflicts, nationalistic nonstate hackers acted in concert but were not in the employ of any nation-state.

That is the second complication: attribution. And lack of attribution is one of the benefits for states who rely on or otherwise engage nonstate hackers to conduct their cyber campaigns. In other words, states gain plausible deniability.

Russia

The Second Russian-Chechen War (1997-2001)

During this conflict, in which the Russian military invaded the breakaway region of Chechnya to reinstall a Moscow-friendly regime, both sides used cybers.p.a.ce to engage in Information Operations to control and shape public perception.

Even after the war officially ended, the Russian Federal Security Service (FSB) was reportedly responsible for knocking out two key Chechen websites at the same time that Russian Spetsnaz troops engaged Chechen terrorists who were holding Russian civilians hostage in a Moscow theater on October 26, 2002.

The Estonian cyber attacks (2007)

Although there is no hard evidence linking the Russian government to the cyber attacks launched against Estonian government websites during the week of April 27, 2007, at least one prominent Russian Nashi youth leader, Konstantin Goloskokov, has admitted his involvement along with some associates. Goloskokov turned out to be the assistant to State Duma Deputy Sergei Markov of the pro-Kremlin Unified Russia party.

The activating incident was Estonia's relocation of the statue "The Bronze Soldier of Tallinn," dedicated to soldiers of the former Soviet Union who had died in battle. The resulting massive distributed denial of service (DDoS) attacks took down Estonian websites belonging to banks, parliament, ministries, and communication outlets.

The Russia-Georgia War (2008)

This is the first example of a cyber-based attack that coincided directly with a land, sea, and air invasion by one state against another. Russia invaded Georgia in response to Georgia's attack against separatists in South Ossetia. The highly coordinated cyber campaign utilized vetted target lists of Georgian government websites as well as other strategically valuable sites, including the US and British embassies. Each site was vetted in terms of whether it could be attacked from Russian or Lithuanian IP addresses. Attack vectors included DDoS, SQL injection, and cross-site scripting (XSS).

Iran

The Iranian presidential elections of 2009 spawned a massive public protest against election fraud that was fueled in large part by the availability of social media such as Twitter and Facebook as outlets for public protest. The Iranian government responded by instituting a harsh police action against protesters and shutting down media channels as well as Internet access inside the country. Some members of the opposition movement resorted to launching DDoS attacks against Iranian government websites. Twitter was used to recruit additional cyber warriors to their cause, and links to automated DDoS software made it easy for anyone to participate.
