Understanding the Increasing Threat of Nation State Cyber-attacks

It’s a fact that cybercrime in increasing. It has also changed direction and new dangers are suddenly knocking on the door. New forms of malware and the involvement of nation states have made the cyber world much more ominous and potentially more dangerous than ever before. Understanding the motivations of these nation states is central to defending ourselves. This paper looks at the landscape and evolution of cyber interactions between nations and examines the reasons behind past actions as well as a look into what cyber war looks like in the future.

It may be dinned out by the noise much of the time, but the world is currently going through an unprecedented increase in malicious cyber activity in the past three years. Ransomware has found money in cybercrime that didn’t exist just a few years ago. The entrance of nation states using cyber-attacks and breaches to further their agendas’ has caused an explosion of new threats against which every network must now have defenses that work

Indeed, security powerhouse Symantec, in their 2017 Internet Security Threat Report (ISTR) concluded: “The world of cyber espionage experienced a notable shift towards more overt activity, designed to destabilize and disrupt targeted organizations and countries.” This is a fundamental change in the goal and tenor of cyber activities. It is much more than cyber-attacks just for money. 1

Today’s world has proved capable of producing staggering disasters at any time. The recent past has supplied us with myriad weather related challenges. However, from each iteration, we learn more and are better prepared for the next one.

That hasn’t happened with a “Cyber 9/11.” We’re still very early in our understanding of what havoc could be forced upon us due to a cyber-attack propagated by a nation state. Clearly there are nation states that have the capability to launch an offensive cyber-attack against another nation. While there are 9 nuclear countries, it’s estimated that 20-30 countries have military cyber programs.2 It’s likely therefore, that a sophisticated and coordinated cyber-attack which includes significant assaults on our communications, financial and infrastructure is overdue. Also, for reasons detailed here, we may be at significant risk for an attack on our critical infrastructure in the next couple years.

Cyber warfare is more common than we think.

Let’s start by bringing everyone up to date. The United States is fighting cyber war on a daily basis. Since the original “dot-com boom” and the subsequent wiring of the planet, having evil people do harm to others online has been part of the norm. Consequently, every military action we undertake has a cyber component to it. We spend on it as well. The fiscal 2017 DOD budget calls for spending $6.7 billion for cyber operations, an increase of about $900 million over fiscal 2016.

This trend is likely to continue and cyber-attacks will ultimately be used as an offensive weapon. Why? There are many reasons that developing an offensive cyber capability is very likely a high priority at ALL of our enemies.

War is expensive. The United States maintains the largest defense budget on the planet, which dwarfs all other nations spending to a staggering degree. The U.S. outspends China (the owner of the second largest defense budget) by a factor of almost 3 to 1 and outspends Russia by nearly 9 to 1.3 It’s reasonable to assume that these nations are looking for ways to maximize their military power at a reasonable cost and cyber activities may be the answer.

Just a single traditional military operation can run hundreds of millions of dollars. For example, the United States attack of the Syrian airport in April, 2017 used 59 Tomahawk Missiles at a cost of $1.4 million each.4 That’s $82 million in “ammunition” for that 2-hour attack. The costs do not end there. These missiles were launched from two 500-foot, $1.8 billion Arleigh Burke-class guided-missile destroyers each supported by a complement of almost 300 personnel. It’s daunting for other nations to compete with that type of raw military power.

However, it’s likely that military strategists around the globe have recognized the opportunity to gain some parity/advantage over the United States using expertise in cyber warfare. There is a “David and Goliath” quality to hacking, as single hackers have been successful in bringing down companies and networks. You can employ a lot of engineers for $82 million and likely make good inroads on a cyber strategy.

Cyber security for critical infrastructure may be at a low point. As a nation, we are in the midst of getting our arms around the cyber threats to our power, water and energy delivery systems. Technologies are in development by cybersecurity startups are figuring it out. The government is figuring it out. Any public attack would hasten the development and adoption of new security measures. Due to these actions, it’s likely that security on our power grid, for example, will be tighter in three years than it is today. A foreign actor could look at this and see a limited time opening to compromise our nation’s power grid, prompting an attack based on opportunity.

You only get one shot. Many point to the lack of a cyber 9/11 or really any sized attack on our power grid as evidence that it is unlikely to happen in the future. Nothing could be further from the truth. It’s likely that a foreign actor would have but one real chance to disrupt the power grid on a large scale. Also, from what we know about how IT security has evolved, it’s likely that intruders are in our systems, looking around, sometimes for long periods of time. IT security people talk about “dwell time” which is the period between when an intruder first enters your system to when it is discovered. This number in in the hundreds of days at enterprise size networks.

Many experts consider the recent cyber-attacks on the power grid in the Ukraine to have been a form of practice in the preparation for a more targeted attack on a larger enemy. Disk-wiping “KillDisk Trojan” malware was used against targets in Ukraine in January, 2016 and again in December, 2016, attacks which also resulted in power outages, likely perpetrated by Russian cyber efforts.5

Bang for the buck. Our enemies are intent on spreading terror. Terror is a bit of a mindset. Imagine the “terror” a national black-out would cause? Imagine the terror multiplying as a national blackout consumed for days, weeks and months. Lastly, imagine all of this happening during a military action or a physical terror attack on American soil, such as a nuclear “dirty bomb.” Terrorists often employ “coordinated attacks” to maximize effect. Cyber-attacks will be used in this manner in the future.

No one gets hurt. One of the stark realities of traditional warfare is that people die. Military leaders estimate the body count of various actions. We train military personnel knowing if they use that training some will die. These are not concerns in the cyber world. Sending your best and brightest off to invade via cyber space with no danger to their physical well-being can make this type of warfare very attractive.

There’s a plausible deniability to cyber activities. With today’s heavily satellite-surveilled world, we see ground evidence of most military activity very quickly. Submarines still pose a challenge, but things that are visible from the sky are visible to everyone now. This makes it hard to hide the movement of troops and equipment. Missiles are tracked with radar with certainty. However, cyber activity can be shrouded, spoofed, routed and frankly, made hard to track and identify its source. This muddies the warfare waters considerably. If you’re not sure exactly who your enemy is, war will be imprecise at best.

What type of attacks will we see?

Cyber aggression sponsored by nation states is a bit different than the normal cyber activity. From the limited number of verified state sponsored cyber activities, both the intent and the targets are large.

North Korea likely views cyber as a cost-effective, asymmetric, deniable tool that it can employ with little risk from reprisal attacks, in part because its networks are largely separated from the Internet and disruption of Internet access would have minimal impact on its economy.6

When a nation state initiates offensive cyber-activity, in general the goals are large and usually aimed directly at another state entity. As stated earlier, nation states are much more apt to focus on disruption of basic services or communications than to be gathering items to be sold on the dark web. When nation states do go after money, it will likely be of the scale of North Korea’s recent $81 million cyber heist at the Bangladesh central bank.

North Korea in particular is known to have an active botnet in place capable of executing DDoS attacks. This past May, an Alert was issued by the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI). This alert provides technical details on the tools and infrastructure being used by cyber actors in the North Korean government to target the media, aerospace, financial, and critical infrastructure sectors in the United States and globally.7

Some researchers have also linked North Korea to the WannaCry ransomware attack, an outbreak of malware in May reported to have infected more than 300,000 computers in over 150 countries, making data irretrievable in many cases.8 In December 2014, the South Korean government reported that power plants operated by Korea Hydro and Nuclear Power were targeted with wiper malware, potentially linked to North Korean actors.9

In the future we should expect to see all of these forms of attack, particularly from North Korea. It is also likely that future attacks will be coordinated, for example, executing a DDoS attack on specific websites during a power grid action. It’s also likely that cyber-attacks which impact critical infrastructure be timed for maximum damage, e.g. launching an attack on our power grid during a blizzard or extreme cold conditions.

How do we respond to the risk?

Plainly, we need to focus attention on this issue and understand both the risk and consequences of potential cyber actions by nation state actors. The risks and subsequent mitigation of risk is different than the physical world.

Certainly the most attractive way of handling all this would be to implement cyber defenses capable of protecting key assets from outside interference. This is the goal of most cybersecurity efforts. However, we all know that sometimes even the best cyber defenses are vulnerable and bad actors will penetrate these defenses.

One of the standard United States responses to offensive attacks of any kind is retaliation. Using the considerable cyber capabilities of the U.S. to bring even greater havoc to an aggressor would be viewed as an appropriate and reciprocal response. However, all is not created equal. For example, while North Korea holds considerable offensive cyber capabilities, there is little to no infrastructure to attack. They have almost no Internet and a primitive power grid to the point that there is nothing to target in a cyber-attack.

Lastly, having considerable cyber firepower may act as a deterrent to some nation states. For example, it could be that there is an unspoken doctrine of “mutually assured destruction” between the leading cyber powers, not unlike the nuclear detente between the US and Russia. Either party knows it can do considerable harm via an offensive cyber-attack, but also knows that a catastrophic attack will likely be met by a similarly destructive counter attack.

Where does this all end?

It’s hard to know where cyber war ends up. There is already a defensive posture in place. It’s also possible the United States will use cyber weapons offensively on another nation state. Now once again, we may not see airplanes with US markings do the bidding of the US (See “Stuxnet) but learn of our international victories much after the fact without confirmation by any government. Such is the theater of cyber war.

Clearly, we also aren’t going to see the progress enemies make in the cyber arena in the same way we can see North Korea’s Kim Jong Un’s progressive ballistic missile attacks. It’s unlikely that those nation states that have the cyber equivalent of North Korea’s missiles will advertise that fact and demonstrate the progress for the world to see. Cyber-attacks essentially exploit weaknesses in the system and cyber-defenses plug those vulnerabilities, making a surprise attack all the more powerful.

We shouldn’t draw massive conclusions about cyber warfare norms by observing North Korea. There have been some attacks from North Korea that have affected some specific large corporations. The Sony movie hack in 2014 was just that; an outreach from a Nation State on the assets of a publically held corporation. However, retaliating for an insult in a movie is unlikely to be a normal part of international cyber diplomacy.

Bottom line

The United States went through a loss of terrorism virginity during the 9/11 attacks. Terrorists changed the course of history with one morning’s activity. Unfortunately, there’s a chance we’ll see history repeat itself with a debilitating attack on United States critical infrastructure networks that control the critical water, power and transportation infrastructure.

What might be different on this attack is the personalization that comes from direct involvement with the disaster. An attack that compromises power or water systems can affect every person on a very basic level and hence, will be taken very personally. These may also be attacks that will not be over or forgotten so quickly.

In any of these events, we live in a world were battles are and will increasingly be fought in cyberspace rather than on the ground and in the air. While this is a cleaner style of war without the physical devastation of bullets and bombs, it is no less a threat.

First published in Network Security

About the author

Eric Lundbohm is a recognized CMO with three decades of marketing and executive experience, including over 15 years of cybersecurity industry background. He currently serves as CMO of Veracity Industrial Networks, and CMO-Lead for the IMA. Lundbohm’s background in cybersecurity has been shaped by running marketing for several security firms, including M86 Security, iSheriff and NSS Labs. Eric holds a Master’s in Business Administration from The Ohio State University and a Bachelors in Management Information Systems from the University of Rhode Island.

1. Symantec 2017 Internet Security Threat Report (ISTR) https://co.norton.com/security_response/
2. “Cyberwar” Richard Clarke
3. The Top 15 Countries For Military Expenditure In 2016 [Infographic], Forbes, April 24, 2017. https://www.forbes.com/sites/niallmccarthy/2017/04/24/the-top-15-countries-for-military-expenditure-in-2016-infographic/#c40fca643f32
4. This is how much it will cost to replace the Tomahawks used in Syria MSN, April 8,2017, https://www.msn.com/en-us/money/companies/this-is-how-much-it-will-cost-to-replace-the-tomahawks-used-in-syria/ar-BBzxyXr
5. Symantec 2017 Internet Security Threat Report (ISTR) https://co.norton.com/security_response/
6. Military and Security Developments Involving the Democratic People’s Republic of Korea 2015, A Report to Congress. https://www.defense.gov/Portals/1/Documents/pubs/Military_and_Security_Developments_Involving_the_Democratic_Peoples_Republic_of_Korea_2015.PDF
7. Alert (TA17-164A) HIDDEN COBRA – North Korea’s DDoS Botnet Infrastructure, US Cyber Emergency Readiness Team, June 13, 2017 https://www.us-cert.gov/ncas/alerts/TA17-164A
8. Exclusive: North Korea’s Unit 180, the cyber warfare cell that worries the West, Reuters, May 20, 2017, http://www.reuters.com/article/us-cyber-northkorea-exclusive-idUSKCN18H020
9. NORTH KOREA ALREADY HAS A DEVASTATING WEAPON: CYBERATTACKS North Korea already has a devastating weapon: Cyberattacks, 41nbc.com, August 15, 2017 https://www.41nbc.com/2017/08/15/north-korea-already-has-a-devastating-weapon-cyberattacks/