Fred Kaplan writes: Pentagon officials have publicly said, in recent weeks, that they’re hitting ISIS not only with bullets and bombs but also with cyberoffensive operations. “We are dropping cyberbombs,” Robert Work, deputy secretary of defense, is quoted as proclaiming in Monday’s New York Times. Similar, if less colorful, statements have been made by Secretary of Defense Ash Carter and, a week ago, President Obama.
What does it mean? And what effects are these new weapons having on the overall war? After dropping his “cyberbombs” bombshell, Work said, “We have never done that before.” But in fact, the United States has done it before, against Iraqi insurgents, including al-Qaida fighters, back in 2007. And, as I discovered while researching my book Dark Territory: The Secret History of Cyber War, the effects were devastating.
Standard accounts have credited President George W. Bush’s troop surge and Gen. David Petraeus’ counterinsurgency strategy for turning the Iraq conflict in the coalition’s favor in 2007. These accounts aren’t wrong, as far as they go, but they leave out another crucial factor — cyberoffensive warfare, as conducted by the Joint Special Operations Command and the National Security Agency. [Continue reading…]
The Atlantic reports: In late April 2013, a tweet from the Associated Press claimed that a pair of explosions at the White House had injured President Barack Obama. Markets reacted nearly instantly, sending stocks plunging. But when, a short time later, Press Secretary Jay Carney told reporters there was no explosion, the market quickly righted itself.
The news organization’s Twitter account was hacked, it turned out. A group calling itself the Syrian Electronic Army claimed credit. In only a few minutes, their rogue tweet demonstrated the market-moving power of 140 characters sent from a credible source.
The Syrian Electronic Army has also defaced websites belonging to the U.S. Marines, Harvard University, and Human Rights Watch, as well as websites and Twitter feeds of other major news organizations like the BBC, CNN, and The Washington Post. The group’s members remained anonymous, going by pseudonyms like “The Shadow” and “The Pro.”
But on Tuesday, the Justice Department revealed the identity of three members of the group, charging them with computer hacking and placing two of them on the FBI’s “Cyber’s Most Wanted” list. The FBI is offering a $100,000 bounty for information leading to their arrest. [Continue reading…]
Financial Times reports: Russia is mounting a far-reaching cyber espionage campaign against Syrian opposition groups and NGOs, as Moscow seeks to influence the flow of information on the country’s humanitarian crisis and obscure the full extent of its military operations there.
Targets include some of the most important human rights organisations and aid groups operating in the country, such as the Syrian Observatory of Human Rights, which reports on military incidents and is frequently cited in western media outlets, the Financial Times has learnt. The operation shares many of the hallmarks of Moscow’s sustained hacking campaign against the Ukrainian government in 2013 and 2014. [Continue reading…]
When more than 100,000 people in and around the Ukrainian city of Ivano-Frankivsk were left without power for six hours, the Ukrainian energy ministry accused Russia of launching a cyberattack on the country’s national energy grid.
Now reports released by security researchers from the SANS Industrial Control Systems team and the Industrial Control Systems Cyber Emergency Response Team confirm their belief that a cyberattack was responsible for the power cut, making the incident one of the first significant, publicly reported cyberattacks on civil infrastructure.
This is a rare event, of which the most famous example is the Stuxnet malware used to destroy equipment in the Iranian nuclear programme. Many consider Stuxnet so sophisticated that national governments must have been involved. But as is frequently the case, attributing responsibility for Stuxnet has proved difficult, and it’s likely that, despite circumstantial evidence, it will be the same in this case. While the Ukrainian Security Service (SBU) and the international press were quick to blame Russian state-backed hackers, Moscow has remained silent.
DefenseNews reports: The site of an Army golf course named for US President Dwight Eisenhower, one long drive from the National Security Agency, is an active construction site, the future of US military cyber.
Where there were once bunkers, greens and tees is a large gray building due to become an NSA-run 600,000-square-foot, state-of-the-art server farm, a skeletal structure that will one day house US Cyber Command’s joint operations center, with plots reserved for individual Marine Corps and Navy cyber facilities.
The plans reflect the growth in ambition, manpower and resources for the five-year-old US Cyber Command. One measure of this rapid expansion is the command’s budget — $120 million at its inception in 2010 rising to $509 million for 2015.
Another measure is the $1.8 billion in construction at Fort Meade, much of it related to Cyber Command. Though Cyber Command’s service components and tactical teams are spread across the country, the headquarters for Cyber Command, the NSA and Defense Information Systems Agency make Fort Meade a growing hub for military cyber.
Earlier this year, Defense Secretary Ash Carter announced a new cyber strategy that acknowledges in the strongest terms that the Pentagon may wage offensive cyber warfare. The strategy emphasizes deterrence and sets up a reliance on the commercial technology sector, hinging on a push to strengthen ties between Silicon Valley and the Pentagon. [Continue reading…]
The Washington Post reports: The purported theft of confidential Saudi documents that have been released by WikiLeaks bears the hallmarks of Iranian hackers linked to cyberattacks in more than a dozen countries, including the United States, according to cybersecurity experts and Middle East analysts.
Last week, WikiLeaks published about 70,000 of what it said were half a million documents obtained from Saudi Arabia’s Foreign Ministry. The transparency advocacy group promises more releases of the diplomatic cables, whose authenticity has not been independently verified.
Experts said that the cables, apparently stolen over the past year, paint an unflattering portrait of Saudi diplomacy as reliant on oil-wealth patronage and obsessed with Iran, the kingdom’s chief rival, but appeared to contain no shocking revelations. [Continue reading…]
Moisés Naím writes: This month, two years after his massive leak of NSA documents detailing U.S. surveillance programs, Edward Snowden published an op-ed in The New York Times celebrating his accomplishments. The “power of an informed public,” he wrote, had forced the U.S. government to scrap its bulk collection of phone records. Moreover, he noted, “Since 2013, institutions across Europe have ruled similar laws and operations illegal and imposed new restrictions on future activities.” He concluded by asserting that “We are witnessing the emergence of a post-terror generation, one that rejects a worldview defined by a singular tragedy. For the first time since the attacks of Sept. 11, 2001, we see the outline of a politics that turns away from reaction and fear in favor of resilience and reason.”
Maybe so. I am glad that my privacy is now more protected from meddling by U.S. and European democracies. But frankly, I am far more concerned about the cyber threats to my privacy posed by Russia, China, and other authoritarian regimes than the surveillance threats from Washington. You should be too. [Continue reading…]
Reuters reports: The United States tried to deploy a version of the Stuxnet computer virus to attack North Korea’s nuclear weapons program five years ago but ultimately failed, according to people familiar with the covert campaign.
The operation began in tandem with the now-famous Stuxnet attack that sabotaged Iran’s nuclear program in 2009 and 2010 by destroying a thousand or more centrifuges that were enriching uranium. Reuters and others have reported that the Iran attack was a joint effort by U.S. and Israeli forces.
According to one U.S. intelligence source, Stuxnet’s developers produced a related virus that would be activated when it encountered Korean-language settings on an infected machine.
But U.S. agents could not access the core machines that ran Pyongyang’s nuclear weapons program, said another source, a former high-ranking intelligence official who was briefed on the program. [Continue reading…]
Scientific American: The Pentagon has made clear in recent weeks that cyber warfare is no longer just a futuristic threat—it is now a real one. U.S. government agency and industry computer systems are already embroiled in a number of nasty cyber warfare campaigns against attackers based in China, North Korea, Russia and elsewhere. As a counterpoint, hackers with ties to Russia have been accused of stealing a number of Pres. Barack Obama’s e-mails, although the White House has not formally placed any blame at the Kremlin’s doorstep. The Obama administration did, however, call out North Korea for ordering last year’s cyber attack on Sony Pictures Entertainment.
The battle has begun. “External actors probe and scan [U.S. Department of Defense (DoD)] networks for vulnerabilities millions of times each day, and over 100 foreign intelligence agencies continually attempt to infiltrate DoD networks,” Eric Rosenbach, assistant secretary for homeland defense and global security, testified in April before the U.S. Senate Committee on Armed Services, Subcommittee on Emerging Threats and Capabilities. “Unfortunately, some incursions — by both state and nonstate entities — have succeeded.”
After years of debate as to how the fog of war will extend to the Internet, Obama last month signed an executive order declaring cyber attacks launched from abroad against U.S. targets a “national emergency” and levying sanctions against those responsible. Penalties include freezing the U.S. assets of cyber attackers and those aiding them as well as preventing U.S. residents from conducting financial transactions with those targeted by the executive order. [Continue reading…]
The New York Times reports: In the report, to be released Friday, Norse — which, like other cybersecurity firms, has an interest in portraying a world of cyberthreats but presumably little incentive in linking them to any particular country — traced thousands of attacks against American targets to hackers inside Iran.
The report, and a similar one from Cylance, another cybersecurity firm, make clear that Iranian hackers are moving from ostentatious cyberattacks in which they deface websites or simply knock them offline to much quieter reconnaissance. In some cases, they appear to be probing for critical infrastructure systems that could provide opportunities for more dangerous and destructive attacks.
But Norse and Cylance differ on the question of whether the Iranian attacks have accelerated in recent months, or whether Tehran may be pulling back during a critical point in the nuclear negotiations.
Norse, which says it maintains thousands of sensors across the Internet to collect intelligence on attackers’ methods, insists that Iranian hackers have shown no signs of letting up. Between January 2014 and last month, the Norse report said, its sensors picked up a 115 percent increase in attacks launched from Iranian Internet protocol, or I.P., addresses. Norse said that its sensors had detected more than 900 attacks, on average, every day in the first half of March.
Cylance came to a different conclusion, at least for Iran’s activities in the past few months, as negotiations have come to a head. Stuart McClure, the chief executive and founder of Cylance, which has been tracking Iranian hacking groups, said that there had been a notable drop in activity over the past few months, and that the groups were now largely quiet. [Continue reading…]
The New York Times reports: In late 2012, just as President Obama and his aides began secretly sketching out a diplomatic opening to Iran, American intelligence agencies were busy with a parallel initiative: The latest spy-vs.-spy move in the decade-long effort to sabotage Tehran’s nuclear infrastructure.
Investigators uncovered an Iranian businessman’s scheme to buy specialty aluminum tubing, a type the United States bans for export to Iran because it can be used in centrifuges that enrich uranium, the exact machines at the center of negotiations entering a crucial phase in Switzerland this week.
Rather than halt the shipment, court documents reveal, American agents switched the aluminum tubes for ones of an inferior grade. If installed in Iran’s giant underground production centers, they would have shredded apart, destroying the centrifuges as they revved up to supersonic speed.
But if negotiators succeed in reaching a deal with Iran, does the huge, covert sabotage effort by the United States, Israel and some European allies come to an end?
“Probably not,” said one senior official with knowledge of the program. In fact, a number of officials make the case that surveillance of Iran will intensify and covert action may become more important than ever to ensure that Iran does not import the critical materials that would enable it to accelerate the development of advanced centrifuges or pursue a covert path to a bomb. [Continue reading…]
Quartz reports: The information superhighway got diverted last week when a Ukrainian internet service provider hijacked routes used by data heading for websites in the United Kingdom, according to a company that monitors and optimizes internet performance. The action could be a mere glitch — or something more sinister in an era of geopolitical cyber conflicts.
The issue at hand is the way disparate computer networks merge into the internet. The networks announce to one another which internet users — more technically, which IP addresses — they serve so that data can be routed accordingly; a US internet service provider might tell the world it can give you access to the Library of Congress, while one in Germany would say that it can reach BMW’s main website.
Dyn, the company that noted the incident, keeps an eye on network traffic patterns. Doug Madory, the company’s director of internet analysis, spotted something strange: Vega, a Ukrainian internet service provider, had announced it was serving numerous IP addresses in the United Kingdom. Advertising the wrong addresses is called “route hijacking,” and it is often a quickly-corrected mistake — for instance, an employee of an internet service provider makes a typo while typing into a router. In this case, the affected addresses included those operated by defense contractors Lockheed Martin and Thales, the UK Atomic Weapons Establishment, and the Royal Mail. [Continue reading…]
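The monitoring Dyn is described as doing above comes down to one comparison: for every prefix a network announces, is the originating AS the one that is supposed to originate it? The following is an added illustration of that check, not code from Dyn, Quartz or any monitoring product. It keeps a baseline of expected origin ASes (the prefixes and AS numbers are constructed placeholders from the documentation and private ranges, not real allocations), runs a constructed feed of announcements through it, and flags exact-prefix and more-specific announcements whose origin differs. A more-specific is ranked higher because longest-prefix matching makes it win over the legitimate route in any router that accepts it; a less-specific covering route is deliberately not flagged here, since the legitimate more-specific keeps attracting the traffic. As the excerpt notes, a fat-fingered router change produces the same signal as a deliberate hijack, so this alerts on the anomaly and says nothing about intent.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed baseline: which AS is expected to originate each prefix.
# Documentation prefixes and private AS numbers; hypothetical, not real allocations.
EXPECTED_ORIGIN: Dict[str, int] = {
    "203.0.113.0/24": 64500,
    "198.51.100.0/24": 64501,
    "192.0.2.0/24": 64502,
}


@dataclass(frozen=True)
class Announcement:
    """One BGP route announcement as seen at a route collector (constructed)."""
    prefix: str
    as_path: Tuple[int, ...]   # rightmost AS is the origin
    peer: str                  # label for the collector peer that relayed it

    @property
    def origin(self) -> int:
        return self.as_path[-1]


def check_announcement(ann: Announcement,
                       expected: Dict[str, int] = EXPECTED_ORIGIN) -> List[dict]:
    """Compare one announcement with the baseline; return zero or more alerts.

    An alert is raised when the announced prefix equals, or is a more-specific
    of, a baseline prefix and the origin AS is not the expected one.
    """
    alerts: List[dict] = []
    net = ipaddress.ip_network(ann.prefix, strict=False)
    for baseline_str, expected_origin in expected.items():
        baseline = ipaddress.ip_network(baseline_str)
        if net.version != baseline.version:
            continue                      # subnet_of() only compares same-family networks
        if not net.subnet_of(baseline):
            continue                      # unrelated prefix, or a less-specific covering route
        if ann.origin == expected_origin:
            continue                      # expected origin, nothing to report
        more_specific = net != baseline
        alerts.append({
            "prefix": ann.prefix,
            "baseline": baseline_str,
            "expected_origin": expected_origin,
            "seen_origin": ann.origin,
            "kind": "more-specific" if more_specific else "exact",
            "severity": "high" if more_specific else "medium",
            "peer": ann.peer,
        })
    return alerts


def scan_feed(feed: List[Announcement],
              expected: Dict[str, int] = EXPECTED_ORIGIN) -> List[dict]:
    """Run every announcement in the feed through the check and collect alerts."""
    found: List[dict] = []
    for ann in feed:
        found.extend(check_announcement(ann, expected))
    return found


# Constructed sample feed: two normal routes, one more-specific from an
# unexpected AS, one exact prefix from an unexpected AS, one less-specific.
SAMPLE_FEED = [
    Announcement("203.0.113.0/24", (64600, 64500), "peer-A"),   # legitimate
    Announcement("198.51.100.0/24", (64600, 64501), "peer-A"),  # legitimate
    Announcement("203.0.113.0/25", (64600, 64999), "peer-B"),   # more-specific, wrong origin
    Announcement("192.0.2.0/24", (64700, 64999), "peer-B"),     # exact prefix, wrong origin
    Announcement("203.0.0.0/16", (64600, 64999), "peer-C"),     # less-specific, not flagged
]

if __name__ == "__main__":
    for alert in scan_feed(SAMPLE_FEED):
        print(f"[{alert['severity']}] {alert['kind']} announcement of {alert['prefix']} "
              f"by AS{alert['seen_origin']} via {alert['peer']}; "
              f"baseline {alert['baseline']} expects AS{alert['expected_origin']}")
```

In practice the baseline would come from the operator's own registrations (and, where published, RPKI route origin authorizations) and the feed from public route collectors rather than a hand-built list; the comparison logic is the same.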
The Soufan Group IntelBrief: The capability of nations and advanced criminal groups to engage in sophisticated cyber espionage and theft is nothing new; and the capability of these actors to impact components of critical infrastructure is also nothing new (the 2012 Saudi Aramco attack comes to mind). What is new is their willingness to actually launch attacks not for intelligence or commercial gain but to impact corporate or geopolitical decisions. Whether it’s having its data stolen or even held hostage via malicious encryption, or having its operations and personnel threatened with physical violence and damage, corporations and governments will find the Age of the Cyber Bomb Threat to be as costly and frustrating as the age of counterterrorism and counter-violent extremism.
Much as in terrorism, cyber conflict runs the spectrum of ideology and motivation. And as with terrorism, cyber conflict’s impact goes far beyond the point of attack. The ubiquity of the Internet means that anyone and everyone is a potential target—which is the point of all forms of terrorism. On December 21, 2014, unidentified attackers (assumed, rightly or wrongly, to be associated with North Korea) hacked into the non-operational computer systems of a functioning nuclear power plant in South Korea. The operator of the plant, Korea Hydro and Nuclear Power (KHNP), stated that at no time were plant operations at risk since those are on a closed and independent system, but that sensitive personnel and plant design data were stolen. In what will become the standard modus operandi for cyber bomb threats, the attackers threatened to destroy the plant if it wasn’t shut down. The threat of additional cyber attacks will be paired with threats of physical attacks.
While North Korea could very well be behind the nuclear reactor hack as well as the Sony hack, so could a range of other actors, given that the malware tools are available online to anyone with sufficient expertise and knowledge of where to look. It is the lack of true certainty that makes cyber attacks so difficult to respond to with counter-attacks. IP addresses are misleading and the tools and the capabilities are widespread enough that “the usual suspects” are now too large to count. With the stakes so high and the public and private players so poorly accounted for, the risks of attacks once thought unlikely will increase with cascading repercussions. [Continue reading…]
Shane Harris reports: North Korea’s limited connection to the Internet was temporarily severed Monday, just three days after President Barack Obama promised a “proportional” response for what he said was Pyongyang’s brazen hacking of Sony.
It’s too soon to say whether the United States knocked the Hermit Kingdom offline, or persuaded China to do it, or whether the North Koreans did it to themselves. One hacktivist group appears to be taking responsibility for the denial-of-service strike that targeted mostly North Korean government-operated sites.
But the outage has raised the question of what that proportional response would look like, and whether it would be legal. [Continue reading…]