Last night we watched The Imitation Game, a fictionalized account of the British breaking of the Nazi Enigma cipher machine, led by Alan Turing and played by Benedict Cumberbatch. (Is there a more English name?) Turing developed a primitive form of electro-mechanical computer, called a "bombe," which recovered the daily Enigma settings and so permitted the British to read the coded orders sent to German units.
Generally accepted wisdom is that Stuxnet, the worm discovered in 2010, was the first genuine cyberweapon: it was designed to inflict physical damage, and it reportedly ruined almost a fifth of Iran's nuclear centrifuges. I like to think that breaking the Enigma code is an early example of cyber warfare.
With Russia's invasion of Ukraine, cyberwarfare has become a hot topic. Cyberwarfare is when one nation attacks another nation's digital infrastructure: the computers, the software running on them, and the networks that connect them. Two common forms of cyberwarfare are destructive malware like Stuxnet and distributed denial-of-service (DDoS) attacks.
DDoS attacks overwhelm a server or network with so many service requests that legitimate requests cannot be served. (The same thing can happen when a website suddenly experiences a surge in legitimate traffic; some visitors get no response.) Attackers use viruses and other malware to compromise computers and other internet-connected devices (like routers and even refrigerators). These infected devices can then be directed to send traffic on command, generally unbeknownst to their legitimate owners. The compromised devices are called "bots" or "zombies," and the group of them under the control of one attacker is known as a "botnet."
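What a DDoS flood looks like from the server's side, as an added example that is not part of the original post: a small Python script that parses web-server access-log lines, buckets requests per second, and flags seconds where the request rate jumps and the requests come from many distinct source addresses (the botnet pattern described above). The log lines, IP addresses, paths and thresholds are all constructed for illustration.

```python
# Added example for this post (not the author's code): flag a request flood in
# constructed web-server access-log lines. A volumetric DDoS shows up as a sudden
# jump in requests per second spread across many source addresses. The log lines,
# addresses and thresholds below are constructed/assumed for illustration.
import re
from collections import Counter, defaultdict
from datetime import datetime

# Combined-log-format prefix: source IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"src": m["src"], "ts": ts, "path": m["path"], "status": int(m["status"])}


def detect_floods(lines, rate_threshold=50, min_sources=10):
    """Bucket requests per second and flag seconds that exceed the rate
    threshold AND come from many distinct sources (the botnet pattern).
    Thresholds are assumptions; tune them to the site's normal traffic."""
    buckets = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            buckets[rec["ts"]].append(rec)  # log timestamps have 1-second resolution
    alerts = []
    for second in sorted(buckets):
        recs = buckets[second]
        srcs = Counter(r["src"] for r in recs)
        if len(recs) >= rate_threshold and len(srcs) >= min_sources:
            alerts.append({
                "second": second.isoformat(),
                "requests": len(recs),
                "distinct_sources": len(srcs),
                "top_path": Counter(r["path"] for r in recs).most_common(1)[0][0],
                "top_sources": [s for s, _ in srcs.most_common(3)],
            })
    return alerts


def constructed_log():
    """Constructed sample: three normal requests, then a 60-request burst in one
    second from 30 bot addresses in the 198.51.100.0/24 documentation range."""
    lines = [
        '203.0.113.5 - - [12/Apr/2022:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 512',
        '203.0.113.9 - - [12/Apr/2022:10:00:01 +0000] "GET /about HTTP/1.1" 200 1024',
        '203.0.113.5 - - [12/Apr/2022:10:00:02 +0000] "GET /contact HTTP/1.1" 200 700',
    ]
    for i in range(60):
        lines.append(
            f'198.51.100.{1 + i % 30} - - [12/Apr/2022:10:00:10 +0000] '
            f'"GET / HTTP/1.1" 503 0'
        )
    return lines


if __name__ == "__main__":
    for alert in detect_floods(constructed_log()):
        print(alert)
```

The `min_sources` check is what separates a botnet flood from one misbehaving client, but note the caveat the paragraph already makes: a genuine surge of popularity also comes from many addresses at once, so a rate-and-source heuristic like this one raises an alert to investigate, not proof of an attack.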
During the first week of April, the U.S. announced that it had unilaterally (and secretly) removed malware from computer networks around the world to pre-empt Russian cyberattacks. In other words, it remotely "fixed" compromised computers, so the owner of the botnet (the GRU, Russia's military intelligence agency) could no longer control those computers, effectively destroying the botnet. Although it didn't receive much news coverage, this action was a pretty big deal. As stated in an article in The New York Times, "[It] showed a willingness to disarm the main intelligence unit of the Russian military from computer networks inside the United States and around the world."
The U.S. didn't know what the Russian botnet might be capable of doing. It simply disabled it. Had it been a missile, this action would have been classified as a "pre-emptive first strike," which in the world of warfare is dropping your nukes on the enemy first. That's the sort of thing that tends to cause nations to square off against each other and take off the gloves. On the other hand, the U.S. merely removed a threat, as opposed to unleashing a cyberattack of its own. The opinion of experts, quoted in The Guardian, is that "both sides understand that catastrophic cyber-attacks will most likely result in mutually assured destruction of systems."
While DDoS attacks can be crippling, the real threat is malware, which actively destroys data (e.g. financial data), renders systems inoperable (like Stuxnet), or allows the control of operational systems (like the power grid or a pipeline). How are these threats delivered? The vast majority of ransomware is delivered via phishing email campaigns: legitimate-looking emails used to trick an individual into clicking a malicious URL or opening an attachment that carries the malware. Another route is the "USB drop attack," in which infected drives are left where a curious employee will find one and plug it in (Google it). Although anti-virus software (like Microsoft's Windows Defender) can recognize known threats by their code or behavior, previously unseen malware can slip past.
Microsoft counts the government of Ukraine as a customer and has been actively involved in protecting the country from cyberattacks. On Jan. 15, they blogged: “Microsoft Threat Intelligence Center (MSTIC) has identified evidence of a destructive malware operation targeting multiple organizations in Ukraine. This malware first appeared on victim systems in Ukraine on January 13, 2022.” The malware, now named “WhisperGate,” wiped data from affected computers.
In response to the attack on Ukraine, Microsoft updated its Defender software. But the data on the affected systems were lost. Of course, a well-run organization will have backups, but even so the systems will need to be restored. And new variants of wiper software (HermeticWiper, IsaacWiper) continue to appear, with the potential to slip past defenses. It really is a war, with the bad guys trying to find new attacks and the good guys trying to find ways to block them. Of course, good and bad can depend upon where you're standing; the U.S. clearly has weapons of its own, which as yet it has not deployed. Even so, it might be hard to tell if it had. The breaking of the Enigma code was a closely held secret. I imagine that also applies to successful cyberattacks.
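Why a "new variant" can slip past a defense that already knows its predecessor, as an added example serving both the anti-virus caveat above and the point about new wipers continuing to appear (not code from the original post, and not modelled on WhisperGate or any real family): a byte-exact hash signature misses a sample that has been rebuilt with a trivial change, while a broader rule that looks for the combination of a raw-disk handle and a write call still fires. The byte strings standing in for executables, the hash table standing in for a signature database, and the string rule standing in for a YARA-style behavioural rule are all constructed for this example.

```python
# Added example for this post (not the author's or Microsoft's code): why an
# exact-hash signature misses a "previously unseen" variant, while a broader
# behaviour-style rule can still catch it. Everything here is constructed: the
# byte strings stand in for executables, the hash table for a signature
# database, and the string rule for a YARA-style behavioural rule. No real
# malware family (WhisperGate or otherwise) is modelled.
import hashlib

# Constructed "known bad" sample: a PE-like header plus strings suggesting it
# opens the raw physical disk and writes to it, which is what a wiper does.
KNOWN_WIPER = (
    b"MZ\x90\x00" + b"\\\\.\\PhysicalDrive0\x00" + b"WriteFile\x00" + b"build=1"
)
# The same code rebuilt with a trivial change: every byte-exact hash now differs.
VARIANT = KNOWN_WIPER.replace(b"build=1", b"build=2")
# A harmless program that only reads a text file.
BENIGN = b"MZ\x90\x00" + b"CreateFileW\x00" + b"ReadFile\x00" + b"hello.txt"

# Signature database: SHA-256 of samples the vendor has already seen.
SIGNATURES = {hashlib.sha256(KNOWN_WIPER).hexdigest(): "Wiper.Constructed.A"}

# Behaviour-style rule: a raw disk handle AND a write API, whatever the exact bytes.
RULES = {
    "Wiper.Generic.RawDiskWrite": [b"\\\\.\\PhysicalDrive", b"WriteFile"],
}


def signature_scan(sample: bytes):
    """Exact-match detection: returns the family name, or None if unseen."""
    return SIGNATURES.get(hashlib.sha256(sample).hexdigest())


def rule_scan(sample: bytes):
    """Pattern detection: names of every rule whose strings all appear in the sample."""
    return [name for name, needles in RULES.items() if all(n in sample for n in needles)]


def verdict(sample: bytes):
    """Combine both detectors into one result."""
    sig = signature_scan(sample)
    rules = rule_scan(sample)
    return {"signature": sig, "rules": rules, "malicious": bool(sig or rules)}


if __name__ == "__main__":
    for label, sample in [("known", KNOWN_WIPER), ("variant", VARIANT), ("benign", BENIGN)]:
        print(label, verdict(sample))
```

The known sample is caught by both detectors; the one-byte variant is caught only by the rule; the benign file is caught by neither. The string rule is not a cure: an attacker who packs or obfuscates the binary removes those strings too, which is why the next layer is watching the running program for the raw-disk write itself rather than for bytes on disk.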
The invasion of Ukraine is giving us the first solid look at what a real cyber war might look like. While not as visible as tanks, bombs and bullets, the software can be equally damaging. Are the attacks we see state-of-the-art? Or, are there more sophisticated and damaging code weapons waiting to be unleashed in some digital Pearl Harbor?