The confustication of cyberwarfare
A simple glance around the contemporary threatscape shows that cyberwar is getting increasingly confused and complicated: confusticated, in fact. Nation states are (allegedly) attacking nation states; criminals are attacking infrastructures; nation states are (allegedly) controlling criminals; criminals are attacking the people; and the people are rebelling against their governments.
Let’s start at the top: state-sponsored cyber attacks. It came to the surface with Aurora two years ago – and incidentally, the gang behind it, whether state- (for which read ‘China’) sponsored or not, is still active – blossomed with Stuxnet and Duqu and went into overdrive with Flame and Wiper. The last four are all (allegedly) part of a US/Israeli campaign against Iran; and this is not cyber-espionage, this is pure war.
The thing about Wiper is that it is destructive. It attempts to be – and succeeds in being – a new form of ‘stealth’: it self-destructs to avoid being taken alive. And as far as is known, there is still no live Wiper in captivity. First, as far as we understand, it steals data; then it destroys data; and then it kills itself.
After Wiper we had Shamoon, and this is where things start to get complicated. Shamoon seems to be a poor copy of Wiper, and is believed to have been used to attack the Saudi oil company, Aramco – and possibly the Qatari energy company RasGas two weeks later. Now we are in the land of conjecture. Shamoon could have been designed and used by traditional criminals; but that idea doesn’t quite hang together.
Another theory points the finger at Iran. Shamoon, it suggests, is an Iranian retaliatory strike following Stuxnet and Flame; and targeting Aramco because of the Saudi promise to increase oil production to offset the effect of sanctions against Iranian oil. This theory suggests that since Iran was the primary target of Wiper, it more than any other source would be well-positioned to develop a copy – and indeed Shamoon does appear to be a poor copy of Wiper.
This political theory of Shamoon is supported internally by the malware itself. Part of its data wiping process is to use a fragment of a JPG file. That picture has now been recognised: it is a picture of a burning US flag. What we don’t know is whether Shamoon is state-produced in the same way as Stuxnet, Flame and Wiper; or whether it is produced by criminals ‘encouraged’ by the state. Incidentally, we are in exactly the same position with Aurora. The gang behind Aurora, called the Elderwood gang by Symantec, is still very active and still targeting primarily US defense companies. Is it China or Chinese criminals or Chinese criminals ‘encouraged’ by China?
The simple fact is the confustication of modern cyberwarfare means we neither know nor are likely to know the answers to these questions: plausible deniability lies at the heart of all cyber criminality.
Now let’s consider hacktivism, the ‘civil war’, or just civil rebellion part of cyberwarfare – Wat Tyler Vs the king. Anonymous is the seminal hacktivist – but not the only actor. Since the demise of LulzSec, Anonymous has largely undertaken its protest through DDoS (not entirely, since it was involved in first stealing huge volumes of Iraqi emails, and then leaking them to WikiLeaks). But now it has been ‘joined’ by NullCrew, adding to the hacking power of AntiSec. AntiSec may be mainstream Anonymous; but NullCrew is separate. It just has similar sympathies, and many of its recent hacks have been performed in the name of the Anonymous-led and politically motivated #OpFreeAssange.
Both AntiSec and NullCrew are seriously ‘talented’ hackers. AntiSec recently stole a large number of Apple UDIDs from either the FBI or BlueToad, depending on who you believe. Null Crew hacked a Cambodian Army site, Logica, Cambridge University, the European Space Agency and more and more. 0x00x00, perhaps a member of NullCrew, perhaps not, has undertaken his own Assange campaign, breaking into numerous websites and leaving an Assange poster calling-card.
But while we’re talking about hacktivism, let’s not forget that the king has his own men – the FBI (and SOCA) acting within the king’s law, and Jester – that ‘hacktivist for good’ – acting outside of it. The latter recently took on and took out a well-respected site, Cryptocomb, in what Cryptocomb openly described as a ‘state-sponsored’ attack. Now, if this isn’t confusticating enough, there is even a civil war within the rebels. One faction has been calling for a more organised Anonymous with a supreme council directing operations – only to be slapped down by the existing Supreme Council of One, Commander X. There will be no Supreme Council for at least as long as Commander X remains in charge (which, of course, he is not, other than by general consensus). Confused yet?
Well let’s summarize. There is a legal cyberwar being fought by the US and Israel (and if you believe the cyber-underground, the UK was involved – shortly before his very strange death, it is claimed that Mr Williams had been commuting between GCHQ and the NSA, and had just started talking about whistleblowing on something; all just before Stuxnet exploded. AntiSec claims on Pastebin, “And then you have Gareth Williams (31), the GCHQ hacker murdered and ‘bagged’ inside a MI6′s ‘safe’ house (we’d hate to see what the unsafe ones look like) in August of 2010 after talking about being curious about leaking something to Wikileaks with fellow hackers on irc.”
Then there is an illegal war of retaliation being fought by Iran, together with old-fashioned cyberespionage from China. And finally, the war against terror has spread to the battle against Anonymous (always classified as cyberterrorists, and therefore within the purview of the war on terror, by the king’s men) in an attempt to quell the cyber rebellion.
But – and we have to stress this – it is all conjecture, allegation and confustication. The problem is, we haven’t mentioned that primary weapon of all warfare used by all antagonists against all enemies: disinformation. And all sides are very good at it.