A Brief History of Cyber Threats and the Emergence of the APT Designator
"I think most people today understand that cyber clearly underpins the full spectrum of military operations, including planning, employment, monitoring, and assessment capabilities. I can't think of a single military operation that is not enabled by cyber. Every major military weapon system, command and control system, communications path, intelligence sensor, processing and dissemination functions—they all have critical cyber components."
— Gen. William L. Shelton, Commander, Air Force Space Command
Hackers aren't what Hollywood shows us
The common perception of a "hacker" is usually that of some individual at home or working in a basement somewhere, cloaked in a cheap hoodie and ingesting copious amounts of caffeine, while hammering away at code sprawled across at least three different monitors or displays.
In these Hollywood representations, the malicious actor is usually smiling and talking to themselves as they craft unique singular exploits that might be used to take down a bank or some world-ending computer system. These overhyped mythical "hackers" are almost always introverts and technical geniuses that are anti-social, anti-government, and often woefully ignorant of the totality of their actions.
In truth, this is not the reality behind the keyboard in the real world of cyber warfare operations. Certainly, in some instances, there must be a "hacker" somewhere who fits this stereotype, but more often than not, the personas behind some of the most malevolent and vicious attacks in cyberspace look nothing like this. In many cases, those malicious actors are wearing a uniform and are paid, protected, and trained by their government – or in some cases, governments. They are exceptionally bright, well trained, highly focused, and creative individuals who have found a niche in their ability to engage in espionage and combat operations anywhere in the world, against any adversary. They are the tip of the digital spear for what is to be the dominant combat environment of the future, and they are the front-line warriors constantly engaged in a game of binary cat and mouse that rivals all other wars.
The command of cyberspace in the 21st century is as decisive and impactful as the command of the sea was in the 19th century and the command of the air in the 20th century. Cyberspace is, in all truth, the battlefield on which the war of the future is currently being fought. It is the arena for the New Cold War. An arena in which every nation on Earth, every criminal enterprise, and indeed almost every human on the planet, holds interests and resides. Never in the history of man has there been a location in which global conflict is actively raging in the same space as every business and organization on the planet.
With only about 50 years of history behind them, the internet and global connectivity are expanding at an extraordinary speed. More connections and more data were created and shared or distributed in the last 5 years than in the whole of human history before that.
Cyberspace is now the new platform for political, economic, military, and cultural interactions and engagements. This will be the domain wherein impacts on social stability, national security, economic development, and cultural communication will be made in the next century.
Computer security and the study of computer threats and exploitation have not always been at the forefront of computer science, however. It has only been in the last few decades that the need for, and the power of, cyber espionage and warfare tactics have been realized at an international level. In order to understand the power and efficacy of these digital warriors and the operations in which they hone their craft, it is imperative that we understand where computer exploitation came from, and analyze the evolution of this space; an evolution from a focus on innovation by any means necessary in order to benefit businesses and the consumer, to one of strategic combat on a global scale.
There are a variety of "early instances" of cyber threat activities and operations, and if you were to assemble 50 different experts on the topic, you would likely hear 50 different incidents proposed as the beginning of cyber warfare. It is therefore pointless to argue over the particulars of which of these attacks was the first or the most influential. What is important is to point out and detail a few major exploits and threat activities that stand out as seminal points in time, to help us better understand the reality of this space and its evolution toward its future state.
For clarity's sake, in common definitions, a cyber-attack and cyber-defense could be conducted at any scale: from the state level by the military to a major organization, right down to the personal level involving a singular individual. It could be a simple hacking attack, focused mainly on nuisance type outcomes, or the attack could be a long-term, multi-year, large-scale state-launched operation that is aimed at damaging the physical infrastructure of an enemy state. There is no unequivocal "gospel" definition of a cyber-attack, or a cyber threat operation or operator.
However, in most circles familiar with the topic area, it generally refers to an unauthorized intrusion into a computer or a computer network, taking such forms as tampering, denial of service, data theft, and server infiltration. Additionally, there is no real consensus on what constitutes the actual "first" ever cyber-attack, be it by a nation state or a lone operator. Many cite the Morris Worm as one of the first real attacks, while others cite the attacks on the federal network in the early 1980s as the first real appearance of dedicated cyber threat actions. Whichever threat action one chooses from history, in truth there are so many candidate actions that there is no single right answer. What is more important to understand is that the ways in which attacks have occurred in and around cyberspace have evolved from their earliest iterations, and that they continue to change and adapt as technology develops.
The Battle of the Beams
One of the earliest attacks leveraging communication- and electron-related conduits was not on a computerized system; those did not exist at the time. While not often widely considered as a direct part of cyberspace operations, signals espionage – an early form of cyberspace warfare, due to its use of communication media and electronic systems – was used to achieve specific operational objectives as far back as World War 2. In one of the earliest instances of leveraging a specific communication medium as a means of conducting espionage for warfare-focused outcomes, the United States and Great Britain launched an attack that would befuddle and confuse the German adversaries for years.
In what would come to be known as "the Battle of the Beams," German bombers navigated from continental Europe to Great Britain by following a radio signal transmitted from a point of origin (Manners, 2016). The German pilots would know they were above their targets when they intercepted a second beam, also transmitted from continental Europe. That system ensured that German night raiders found their targets in the dark and returned home safely – until it was "hacked," that is.
British engineers discovered the German use of radio-frequency telemetry and coordination for the German combat runs and developed countermeasures that would modify the German command signals.
By broadcasting similar signals at precise times on specific German frequencies, British cyber warfare operators fooled the German bombers, causing them to drop their ordnance at a location chosen by the British. Additionally, the British cyber-attacks made return trips nearly impossible for the Germans, with many bombers never finding their home base, and a few even landing at Royal Air Force fields, their pilots thinking that they had returned home (Manners, 2016). This use of the frequency spectrum (a critical portion of what is now commonly referred to as cyberspace) created effects that illustrate the operational power of cyberspace half a century before it was to be considered a warfighting domain.
The first focused instances of computer threat research and exploitation studies actually began during the 1970s and were not even related to computers; they were instead noted as a problem in the telephone-switching network. The phone system was growing so fast and becoming so large that the system had to be integrated and automated to survive. This first automated phone system was built to serve a large test environment, and immediately many problems were discovered. Calls originated and ended on their own, phone numbers were allocated to persons without phones, and a myriad of other issues came to light.
These initial issues were not actually considered a threat as much as they were thought to be a problem for the owners of the systems and those administering the networks. In the 1980s, the modem became the powerhouse means of connecting and managing the large networks that were becoming more and more commonplace, and as such modems became the primary point of compromise from which systems could be hacked.
While there are many different opinions about the first real virus on a computer system, viruses did not become a prominent problem in the public literature until the computer became a household item in the mid-1980s. During the "age of modems," groups like the 414s, a group of modem hackers whose name came from their area code, were identified and arrested by the FBI (Hansman, 2003).
The 414 group targeted and exploited the phone networks and modems of Los Alamos National Laboratory and a center for cancer research, using a combination of malicious code and a deep understanding of the flaws in the automation technology that was used by the phone companies at that time. Not long after this first noted computer threat campaign was finalized, the federal government passed the Computer Crime and Abuse Act (CISPA 2010). This legislation detailed what constituted a protected computer and the resulting punishment for those who sought to conduct malicious actions against any protected system (Grance, Kent, & Kim, 2004).
It was also during this time that companies such as Symantec and IBM began to research and study viruses and malware in order to isolate and mitigate the threat. The malware and anti-virus company McAfee was established during this era. John McAfee noticed that many of his friends' and associates' computers were acting abnormally and running very slowly. After some research, he was able to discern that programs had either been installed and were intentionally causing detriment to the system, or that programs had begun to simply degrade and harm the system on which they were running.
After some technical research and development, McAfee was able to write specific technical signatures for the anomalies within those programs, and the signature-focused malware and anti-virus system was born (Hutchins, Cloppert, & Amin, n.d.). McAfee's system of signature recognition and anomalous behavior detection was immediately recognized as a pivotal point in mitigating and detecting these newly recognized threats. Overnight, companies began to follow suit and corporate defensive cyber security operations were effectively "born."
It was not until 1987 that the federal government began to take notice of this type of activity and instituted the first Computer Emergency Response Team (CERT) (Grance et al., 2004). By the early 1990s, the rate of computer virus detection grew to over 1,000 instances per month. As the detection and isolation of computer viruses became a practice area within computer science, the detection and signature generation for viral programs also increased exponentially. By 1995, more than 250,000 viruses or variants of viruses had become commonplace. All of these early exploits and attacks paled in comparison to the growth of cyber threats that would emerge in the early 21st century.
The dawn of Advanced Persistent Threats (APTs)
The field of specific targeted cyber threats and especially cyber threat research did not truly exist in any real formality prior to the early 2000s, beyond that of what was in practice within the US government and other nation state agencies. The first mentions of cyber threats and cybercrime outside of government arenas appeared in 2001 during an unclassified briefing from the National Security Agency (Werlinger, Muldner, Hawkey, & Beznosov, 2010). This report was actually supposed to be focused on the issue of securing a network as large as that of the Department of Defense (DoD). However, thanks to leaks and the unclassified nature of the report, the spread of the threats that were becoming common knowledge within the DoD came to light in public circles.
Certain aspects of the report alluded to a highly trained and motivated cyber threat that was likely already deeply embedded in many DoD networks and was actively targeting commercial businesses as part of their plan to proliferate their attacks in the future.
The term APT, or Advanced Persistent Threat, came to light for the first time during a discussion at the Air Force Intelligence Agency (Iracleous, Papadakis, Rayies, & Stavroulakis, n.d.). The discussion involved a group of Lieutenant Colonels trying to determine which term to use to classify the new type of computer hacker, the ones who were very well trained and very successful and were in all likelihood funded and trained by nation state adversaries or well-financed criminal organizations. Since these attackers were advanced, persistent, and certainly a threat, the term APT was born and then quickly became the industry norm term for foreign government cyber operators and skilled threat teams. While this single term is used to categorize and identify a rather wide swath of possible threats, it is worth noting that APT is now used by almost every cyber warfare magazine and cyber-security official, from think tanks all the way to the White House.
In order to truly be considered an APT-specific attack, there are a few general criteria that are accepted by some (but not all) analytic groups across both industry and cyber operations personnel. For these groups, both the totality of the operation that took place and the means by which the group conducted the attack must generally fall into the following three categories for the attack to be even considered as a likely APT attack or exploitation event:
- Advanced – Operators behind the threat must have a full spectrum of intelligence-gathering techniques at their disposal. These may include computer intrusion technologies and techniques but also extend to conventional intelligence-gathering techniques such as telephone-interception technologies and satellite imaging.
While individual components of the attack may not be classed as particularly "advanced" (for example, malware components generated from commonly available do-it-yourself malware construction kits, or the use of easily procured exploit materials), their operators can typically access and develop more advanced tools as required. They often combine multiple targeting methods, tools, and techniques in order to reach and compromise their target and maintain access to it. Operators may also demonstrate a deliberate focus on operational security that differentiates them from "less advanced" threats.
- Persistent – Operators give priority to a specific task, rather than opportunistically seeking information for financial or other gain. This distinction implies that the attackers are guided by external entities. The targeting is conducted through continuous monitoring and interaction in order to achieve the defined objectives. It does not mean a barrage of constant attacks and malware updates. In fact, a "low-and-slow" approach is usually more successful. If the operator loses access to their target, they will usually reattempt access, and most often, successfully. One of the operator's goals is to maintain long-term access to the target, in contrast to threats that only need access to execute a specific task, such as run-of-the-mill hackers and those seeking financial gain via computer hacking.
- Threat – APTs are a threat because they have both capability and intent. APT attacks are executed by coordinated human actions, rather than by mindless and automated pieces of code. The operators have a specific objective and are skilled, motivated, organized, and well-funded. This funding has typically been known to come from either a host nation's government or from an extremely well-funded nefarious group, such as mafia or crime syndicates. However, in some cases there has been an indication that funding may have come from one or more of these providers and there are even cases where the source of funding appears to be interwoven between criminal enterprises and host nation agents.
In most of the circles that study or classify cyber-security threats and APTs there are normally a few major players in the space that have relatively specific targets, tactics, and procedures or TTPs (Targets, Tactics, and Procedures):
- Russia – Mainly focused on improving the Russian power position across the globe. They are typically noted as engaging in long-term threat operations that often include the use of spies and human assets to conduct their operations. Added to that, the Russian APT is known to be extremely well funded and capable of engaging in kinetic cyber action (physical strikes on infrastructure or assets that result in destruction) when needed, as noted in the attacks on Estonia and Crimea. The Russian APT also has significant focused technology and capability in the area of targeted influence and disinformation campaigns and sees the proliferation of social media and consumer interactions as an avenue for exploitation.
- China – The Chinese APT groups are the most successful at the theft of intellectual property via cyberspace operations. This is done via a concerted focused national effort within the Chinese military and government, with strategic plans aimed at "leapfrogging" the enemy via their operations. This leapfrogging approach to gaining an advantage is a national-level area of focus for the Chinese. Chinese leaders are open in detailing their strategic plans in that they aim to enhance their capability in science and technology wherever possible. The Chinese APT is willing to engage in espionage all the way down to implanting hardware and chips within manufactured devices that are built in China, and they are known to use American and British internships and education programs to embed their operatives within research and development groups at companies and government institutions.
- North Korea – The North Korean APT is not usually as persistent as they would like. Due to limited connectivity in the country and sanctions that are in place on travel and logistics, the North Korean APT groups are mainly noted for launching attacks on those entities that disparage or damage their national image.
While they do have a dedicated cyber operations group with extensive training (most often gained in China), their ability to conduct any significant operation beyond basic ransomware attacks is limited. As noted during the Sony exploit operation, attacking weaker targets of opportunity is their most common activity.
- Israel – Unit 8200 is the elite of the elite for the Israeli cyber group. This unit is composed of their most well trained and experienced cyber operations personnel, and they are well funded and focused in their operations to counter perceived threats. Often, Unit 8200 engages directly with the Iranians in cyber threat operations, but it is logical to think they are under attack by the majority of Middle Eastern nation states as well as the usual suspects that the United States and NATO countries encounter. The Israeli cyber operations group conducted one of the first kinetic responses to a cyber-attack this year when they bombed an Iranian-affiliated hacker group's building after the hacker group was discovered to be responsible for an attack on an Israeli asset. In many research circles, this extermination of the hacker group via missile attacks was seen as one of the most significant responses to cyber threat operations, and it demonstrates that actions in cyber warfare have literal life and death outcomes.
APT exploitation and targeting also follow a well-defined methodology and practice of attempting to maintain anonymity both during and following exploitation or compromise. Again, this is likely due to several factors, the primary of which is that the host nation funding and guiding the operation does not wish to have it known that they are participating in such a covert and possibly damaging attack.
However, the preceding definitions for APT and the clarification of the usage of this classification of attack are still not adopted across the entirety of cyberspace. For many different agencies, companies, and governments, an APT exploitation event is extremely difficult to define concretely. Consider that an organization such as NATO has more than 28 different countries working within its combined operations center.
Each one of these different groups has been actively targeted and independently hacked or exploited by different APT groups and actors, but there are literally no reporting criteria or vehicles across NATO that succinctly and definitively detail the need for an APT designation; each country and each group that has been reporting or analyzing their relative exploitation event determines APTs differently. Even within different agencies of the US government, attempting to specifically detail an APT exploitation event or hack cannot be done well. The National Security Agency (NSA) has its own specific set of criteria for determining an APT attack while the CIA and FBI have their own criteria, most of which do not cross-reference each other and none of which possess the same rules for delineating specifics on these items.
The lack of a cohesive, uniform definition for APT operations and exploitation is a good example of just how fluid and dynamic this area of study currently is and has been. Further, it shows how prevalent the lack of consensus and broad term definitions is within cyber operations and analysis: even defining one of the most important terms used in the industry is difficult at best. Because it is almost impossible to clearly identify and isolate any one threat group, the generic APT term is applied across a very wide spectrum of activity.
Early APT attacks
In the mid to late 2000s, a large section of the computer and internet industry was focused solely on increasing the speed and interoperability of their networks and the usability of their products, all while paying little, if any, real attention to security or cyber threats. It wasn't until the discovery of a coordinated and large-scale attack that concern for the future of computer, and later cyber, security became a serious consideration for both developers and persons in places of political power. This first real cyber threat attack at a significant scale was the discovery of the Zeus Botnet in 2007 (Singh & Silakari, 2009). This attack targeted the US Department of Transportation, among other things, and was responsible for extracting large amounts of data from government systems.
A broad range of data, including passwords for master control systems, system administrator passwords, network and control mapping systems, and proprietary code samples, were all taken (Singh & Silakari, 2009). While there were many previous computer viruses and different variations of computer threats prior to this, the discovery of the Zeus Botnet and the engineering and powerful programming capabilities of those behind the threat group led to the development of the term cyber and brought the dedicated study of cyber threats into its own area of focus.
In the realm of kinetic cyber warfare operations, the first real shot across the bow occurred in 2007. Russia was engaged in a low-action but highly tense dispute with the nation of Estonia. While the dispute was not of much international significance beyond basic news coverage, the follow-on cyber-attack and planning certainly was. As the political and societal sabers began to increase their rattling, the government of Russia maneuvered its physical forces into place for an invasion of Estonia. As the offensive ground operations began, nearly every aspect of internet-based infrastructure in Estonia was attacked by Distributed Denial of Service (DDoS) attacks (Goodchild, 2009) and was shut down, or at least severely degraded.
Everything from banking systems, government websites, state-sponsored media outlets, and electrical systems to any other connected system that was of military or strategic importance was taken "offline" by these attacks. Billions of packets were launched simultaneously from tens of thousands of computers and servers located within and outside of Russia as part of this campaign. As the Estonian systems began to crash and communications and coordination were interrupted, the Russian military moved into position and forced its will on the Estonian government. While officially none of the cyber-attacks were either attributed to or acknowledged by the Russian military or government, the implications and trail of evidence indicated that a coordinated cyber-attack was launched in conjunction with this military operation. This was one of the first and most powerful examples in the modern era of warfare of how a relatively simple, yet coordinated cyber-attack could not only hamper communications but also severely impede a defending system and cause a real loss of command and control for those under attack.
Confusion in cyber defense
In more recent history, the definition of cyber threat and any attempt to systematically or intelligently further demarcate the differences between what constitutes a cyber threat has become difficult at best. Consider the use of malware in relation to cyber security and cyber threats. While malware is certainly considered a subset of a cyber threat issue, it is not by itself an identifying term. Typically, research and academic work within the cyber field now discuss malware as a piece of the cyber problem, and any research or discussion of the malware term breaks down into an immediate classification of the malware type itself. Additionally, terms and definitions, such as social engineering and exploitation, have become a piece of the collective definition of cyber threat research.
They are not typically considered as specific corollaries to any set of cyber threat groups or certain operations. These terms and their uses, within cyber research, evolve on a nearly daily basis and have become more a study of tying specific cyber actions or operations to a group of cyber threats, instead of the collective research determining with any specificity what certain terms can be tied to which cyber threat. It is the language equivalent of trying to catch rain in one's hand; the medium simply moves too quickly and is reformed according to its own whims.
US and allied cyber defense establishment
It would not be until the mid-1990s that a formal, dedicated warfighting unit would be established to gain command and control of national security-related infrastructure and to conduct operations that would increase the ability of the United States to defend national interests in cyberspace. In Europe, the establishment of any actual functional warfighting entity that could operate at the covert or clandestine level in cyberspace would not take shape until the mid-2000s, with the formalization of the NATO cyber task force and the British Government Communications Headquarters (GCHQ) cyber security units.
It would be even later, in 2009, when a single military command body was established to take offensive action in securing cyberspace at the national level. This was done with the establishment of US Cyber Command, headquartered at the NSA in Fort Meade, Maryland.
An important point to note on the evolution of this space, and the establishment of these new component commands and the authorities and capabilities that they now encompass, is that this occurred almost entirely as a defensive effort, not an offensive one. The establishment of all of these warfighting entities was almost singularly built on the premise of defending their respective national assets and infrastructures. It wasn't until the late 2000s that cyber offensive capabilities came into real practice or use. This slow but important evolution from a focus on information warfare (gaining knowledge and information on the adversary) to cyber warfare (conducting kinetic and non-kinetic attacks on the adversary) indicates a subtle shift in mission over time, based on the realization that the battlespace had changed: from one of information as a commodity necessary to the national intelligence community to one of attack and defense of the systems used to process, store, and transmit information and of critical infrastructure.
The cyber shot heard round the world
The establishment of international command centers and operations groups focused on cyber security operations was a needed practice in cyberspace defense. The growth and formalization of those organizations, however, did not remain solely focused on defensive postures for long. In the early part of the 2010s, these groups began to be exposed as they engaged in a New Cold War in cyberspace. This clandestine back and forth would soon result in the leaking of some of the most powerful nation state-level weapons in cyberspace becoming commodities on the internet. Commodities that any person, anywhere could access and aim at their intended targets. One of the first, and most impactful, of these nation state cyber weapons to become public was Stuxnet – a US cyber weapon.
While there is no "official" declaration of the Stuxnet worm being a result of any specific US cyber operation, it is widely accepted that this is where the weapon originated. Stuxnet was a direct result of the tensions between the United States and the Iranian government's development of nuclear capabilities that took place in the late 2000s and early 2010s. In order to stop the development of potential nuclear weapons by an openly threatening regime, the US would unleash a new weapon of mass destruction, one built from code.
The development of Stuxnet began in the early 2000s, possibly 2003 or 2004, and took anywhere from a few months to a year to develop. Analysis of the code that operates within Stuxnet indicated that the level of sophistication required for this type of weapon could only come from the global superpower in cyberspace at the time, namely, the US. Given the assumption that the US is that superpower, the only place that has the capabilities to develop that advanced code to enable a weapon as complex as Stuxnet is the NSA.
Prior to late 2009 or early 2010, the NSA did not have a specific mission set that was solely focused on or tasked with offensive cyber operations capabilities. Most of the missions within the NSA directorates prior to the establishment of US Cyber Command in 2010 operated as loosely connected mission sets that often focused specifically on intelligence collection and dissemination. The development of the Stuxnet weapon was in actuality the result of an amalgamation of intelligence collection on possible targets in Iran and the realization that certain vulnerable hardware running in the Natanz nuclear plant could be exploited.
The NSA's intelligence collection apparatus had managed to collect open source technical information on the providers for the nuclear plant, who openly advertised what specific hardware was in use within Natanz. The companies that provided support and hardware to the Natanz nuclear site in Iran noted that they serviced Siemens S7 programmable logic controllers (PLCs) as part of their contract with an affiliate provider.
This information, combined with other intelligence resources that were collected via other methods, would be critical to the development and deployment of the Stuxnet worm.
The operation to get Stuxnet installed and launched on internal systems within the nuclear facility was most likely the result of a combined human spying operation via contacts that the CIA had in Iran. Those assets were provided with a USB device that contained the early version of Stuxnet, and by simply inserting that USB device into a machine connected to the Natanz network, the first shot across the bow was fired. The malware worked its way deep into the core of the Natanz network and ultimately found its target: the PLCs that control critical functions within the centrifuges used for enriching uranium. Slowly and covertly, the malicious code did its job and degraded the facility's ability to further enrich uranium, as the specific rotational speed required for that precise process was impacted. Other nation-states, namely Unit 8200 in Israel, have also been either blamed for the Stuxnet attack or implicated as possibly being tied to the malware's installation on Iranian target networks. Regardless of who specifically launched the attack, the results were undeniable. Physical systems, those that enriched uranium, were affected and damaged. This caused a degradation in the Iranian nuclear program's efficiency and capability and did impact their ability to gain specific nuclear capabilities at the time.
However, this weapon did not simply stop at its intended target. Research following the attacks on the Natanz nuclear facility by Symantec indicated that over 100,000 unique Internet Protocol (IP) addresses had seen or been exposed to versions of the Stuxnet worm. Although Stuxnet was a weapon aimed at a very focused scope for its operations, it would not take long for that weapon to expand beyond the bounds of the Iranian networks. The methods and tactics that the weapon used to proliferate within the Iranian network, where most machines were running MS Windows software, meant that should that malware be exposed to vulnerable machines outside of those networks, it would replicate and move across the globe. That is exactly what happened.
Over 40,000 other infections related to signatures of Stuxnet were noted "in the wild" up to three years after the Natanz attacks, and three different specific variants of the malware were found by researchers in countries as far away as Taiwan.
For the next seven years, different variants of the Stuxnet weapon were found in a variety of organizations across the globe. Duqu, a distinct but technically closely related version of Stuxnet, was discovered in 2011 in Budapest. Duqu had many of the very same technical components as the Stuxnet tool, but Duqu was oriented toward collecting information, including keystrokes, rather than being built to destroy a system physically. Flame, another closely tied technical variant of Stuxnet, was discovered in 2012. Again, Flame contained identical portions of the Stuxnet code and protocols, but Flame was modified for collecting and recording voice and chat conversations, including Skype calls.
As late as 2017, Triton, yet another variant of Stuxnet's original tooling, was found lurking in systems far beyond Iranian nuclear networks. Triton was modified to disable safety systems in petrochemical plants that used variations of the same Siemens S7 PLC controllers. It was dubbed "the world's most murderous malware" by researchers. Triton's focus on disabling safety controls meant it could cause explosive control failures in chemical plants. While Stuxnet was most likely, and by all accounts, a US cyber weapon, its variants were not exclusive to the US or its allies. Follow-on research from the cyber firm FireEye attributed Triton to Russian organizations. Duqu was noted to have likely originated in the Middle East. Flame still has no confirmed point of origin, though some organization had to have manufactured it.
That first attack with a targeted well-built cyber weapon was the first strike in a covert war whose weaponry spilled outside of the target area. That weapon, Stuxnet, was the first purpose-built piece of nation state cyber weaponry that the world became aware of. And its use spawned variants and attack tools that are in use by cyber warfare operators far beyond the realm of its original intended area of operations.
Tit-for-Tat cyber warfare
Over the next few years, the Iranians would not simply sit idly by and take a position of non-response to the Stuxnet attacks. They quickly upped their cyber operations game and responded in kind. In 2012, Operation Cleaver, the Iranian response to Stuxnet, was launched. The targets for the operators of Cleaver included militaries, oil and gas, energy and utilities, transportation, airlines, airports, hospitals, telecommunications, technology, education, aerospace, Defense Industrial Base (DIB), chemical companies, and governments. Other cyber-attacks had been launched in retaliation for the Stuxnet attacks, namely Shamoon and Operation Ababil. These attacks were targeted at the US banking systems and Saudi Arabian oil operations. Those attacks were significant but did not result in much other than a financial hit on the banks that were targeted and the oil facilities' abilities to ship oil.
Operation Cleaver was a direct response to the Stuxnet attack, but it was not entirely the same in its actions. Where Stuxnet was focused on causing physical damage in a relatively short timeframe on the Iranian nuclear centrifuges, Cleaver was more of a long-term ploy. Operation Cleaver was grander in scale in that it targeted essentially any "low-hanging fruit" that might contain intellectual property or data that could be used to gain an economic advantage in trading by the Iranians. Everything from the US Navy/Marine Corps Intranet, known as NMCI, critical infrastructure providers, and airline operations groups to educational organizations was hit.
The Iranian malware that was used showed that they had learned lessons in malware construction and design thanks to their post-attack analysis on the Stuxnet tools. The Operation Cleaver malware attacked systems in similar veins to Stuxnet. Cleaver malware would find a vulnerable target, conduct an exploit, worm deeper into the network, and then use command and control infrastructure to funnel data out of the compromised environment.
Just as Stuxnet had packaged its exploits and leveraged the network itself to find its ultimate target, so too did Cleaver. However, where Stuxnet was an elegant clandestine piece of malware, a digital scalpel, the tooling for Cleaver was an overt packaging of open exploits that hammered away at systems and did little to conceal its tracks, a sledgehammer. Ordinary cyber security providers were able to gather instances of Cleaver malware samples and find highly evident domains and sites that were openly registered to Iranian-affiliated organizations. Many analysts, as well as US and Allied government officials, noted after the Cleaver attacks that the reason this malware campaign was not more subtle was that it was a show of force by the Iranians.
Pandora's box busts open
The latter half of the 2010s proved to be equally as formative for the future of cyber warfare as the earlier half of that decade. In this case, though, it would not be solely because of the back and forth between nation-states that cyber weapons were revealed; it would be due to rogue hacker groups aimed at causing chaos.
The Shadow Brokers came to the forefront of these operations in 2015 and 2016. The name Shadow Brokers was a reference to the popular video game at the time – Mass Effect. In that game, the Shadow Broker was said to be the head of an organization that trades in information, selling to the highest bidder. The Shadow Broker unit in cyberspace appeared to be highly competent at their chosen trade. The first leak that the Shadow Broker unit posted on the internet was one aimed directly at the US government, and specifically its cyber weapons creator, the NSA.
On August 13, 2016, the Shadow Brokers posted a Pastebin notice that stated that they had procured, via unknown means, access to specific tools that came from the Equation Group. The Equation Group is known to be either a part of, or directly related to, the Tailored Access Operations team at Fort Meade, Maryland, that is, the base of operations for the NSA.
This is the unit that evolved out of the establishment of US Cyber Command in 2010 and is thought to be directly responsible for the design and deployment of Stuxnet. It is the digital weapons foundry for the US government. This Pastebin notice started with the following text:
"Equation Group Cyber Chase Weapons Auction – Invitation
!!! Attention government sponsors of cyber warfare and those who profit from it !!!!
How much you pay for enemies cyber weapons? Not malware you find in networks. Both sides, RAT+ LP, full state sponsor tool set? We find cyber weapons made by creators of stuxnet, duqu, flame. Kaspersky calls Equation Group. We follow Equation Group traffic. We find Equation Group source range. We hack Equation Group. We find many many Equation Group cyber weapons. You see pictures. We give you some Equation Group files free, you see. This is good proof no? You enjoy!!! You break many things. You find many intrusions. You write many words. But not all, we are auction the best files."
The Pastebin posting continues with instructions for obtaining the password to the encrypted auction file:
"We auction best files to highest bidder. Auction files better than stuxnet. Auction files better than free files we already give you. The party which sends most bitcoins to address: 19BY2XCgbDe6WtTVbTyzM9eR3LYr6VitWK before bidding stops is winner, we tell how to decrypt. Very important!!! When you send bitcoin you add additional output to transaction. OP_Return output. In Op_Return output you put your (bidder) contact info. We suggest use bitmessage or I2P-bote email address. No other information will be disclosed by us publicly. Do not believe unsigned messages. We will contact winner with decryption instructions. Winner can do with files as they please, we not release files to public."
Following that posting on Pastebin in October 2017, the Shadow Brokers would again post that they had access to specific NSA-level tooling, again tools built by or used by the Equation Group.
Another posting by the Shadow Brokers emerged later that year, wherein access and screenshots for a variety of advanced exploitation tools were offered to whoever would contact the Shadow Brokers. The most impactful leak by the Shadow Brokers came in April of 2017 when they posted a tweet from their @Shadowbrokers account containing links to codeword exploits. The most powerful of these was EternalBlue. That exploit directly resulted in over 200,000 machines being infected within the first two weeks of its posting online. Remnants of the EternalBlue exploit appeared in the WannaCry and NotPetya ransomware attacks that would follow, in which millions of machines would be affected and billions of dollars of loss would be incurred by organizations all over the world.
While the specific motivations behind the Shadow Brokers will never be known with much real specificity, the outcomes of their actions certainly became known. To date, no one has claimed ownership of the Shadow Brokers leaks, probably due to the very real fear of reprisal by the US federal government. There were individuals the press noted as possibly affiliated with those leaks. One was a former Booz Allen Hamilton contractor named Harold T. Martin, who was thought to be a likely culprit, as he was found with over 50 terabytes of stolen NSA tooling and exploits during an FBI raid of his home, but those claims were never substantiated and the Shadow Brokers continued to post even after his apprehension. Edward Snowden stated on his Twitter feed that "circumstantial evidence and conventional wisdom indicates Russian responsibility," but that was also never validated.
Regardless of who the Shadow Brokers were, Russian moles, disgruntled employees, nation state hackers, or political activists, the fact remains that those leaks were the equivalent of tactical government-designed weapons being offered freely to every man, woman, and child on the planet.
Although cyber warfare is currently limited to information networks and network-attached systems, it will drastically expand in the near future. Rather than decide between kinetic and non-kinetic effects, threat actors and cyber warriors will choose the effect that will best produce the desired outcome. Cyber-based effects will not be limited only to networks of computers and infrastructure; rather, they will encompass all electronic information processing systems across land, air, sea, space, and cyberspace domains. The future of cyber warfare is, unfortunately for the defender, not hindered or predicated by policy, technology, and threat. The leaks of major nation state-level exploits like BlueKeep and its variants, as well as the proliferation of force multipliers such as social media influence and bot tactics, will expedite and increase the variety and ferocity of future cyber-attacks.
New technology will have disproportionate effects, not only on the weapons used in cyberspace but also on the makeup of the domain itself. National policy on cyberspace dictates the objectives and rules of engagement for cyber capabilities as well as the organization and execution of operations, but those "rules" apply only to the nations and fighters that are willing to subscribe to them. There is no Geneva Convention for cyberspace, and the establishment of those limits on defenders in truth only empowers those who don't play by the rules. Cyberspace is the only domain on the planet where a nation state such as North Korea or Iran can have the same devastating impact as the most powerful nations on Earth. The use of the digital space has effectively leveled the playing field.
The digital world is where nations and organizations will continue to fight for the future. To own that "ground" and to take the initiative from the enemy is nothing new in the annals of espionage and warfare; it is simply a change in tooling and tactics that is necessitated by the evolution of where warfare will be fought that will continue to drive the New Cold War.
There is a hard truth for those of us caught in the middle of this no man's land between warring cyber superpowers and the hacker organizations of the world: we have built our systems and infrastructures to actually allow these attacks to succeed. Half a century of excessive speed of innovation and a reliance on a failed security paradigm will continue to enable these incursions and exploits to succeed.
In this chapter, we examined the history of this space in a factual analysis of what brought us collectively to this arena. In the following chapter, we will discuss how the networks we have built and the foundational architecture of these infrastructures are flawed and will continue to fail.