
Collateral Damage in Someone's Cyberwar

The concept of conflict through electronic intermediaries has been a common theme in science fiction for decades, and discussed as an emerging reality for years, but what is the real state of play, and how does it affect your business? Online conflict can take many forms, and there can be considerable overlap and blurring between categories.

Botnet wars are generally fought by rival gangs for control of territory. A botnet is a collection of computers infected with malware that allows them to be remotely controlled. A botnet can be commanded to perform Distributed Denial of Service attacks, spread spam, or other tasks, unknown to the legitimate owners of the computers. Once built, a botnet can be rented again and again to various malicious end users, so a bigger botnet is a more profitable botnet. Rival botnet gangs therefore fight to take over each other's networks. A recent conflict has been between a newcomer, SpyEye, and the established Zeus botnet, but a similar conflict played out in 2007 between Bagle, Warezov and Zhelatin.

Estonia experienced combined physical and online riots in 2007, after a controversial relocation of a war memorial. Sometimes referred to as the Estonian Cyberwar, the online disruption started very simply, as manual attacks, such as ping floods, by pro-Russian activists. Later, there were large-scale DDoS attacks, which ended suddenly, suggesting they were from a botnet hired for a limited time period. Some analysts claimed that Russian authorities were behind the attacks, but there was nothing more than circumstantial evidence to support this.

Some cyber attacks were seen during the 2008 South Ossetia war between Russia and Georgia, including website defacements and DDoS attacks on Georgian government websites. Again, nothing more than circumstantial evidence linked the attacks to the Russian government, and the Russian government suggested that it may have been individual actions by people in Russia or elsewhere. Two botnets, known as Vulcanbot and Vecebot, are notable for specifically targeting blogs that are critical of the Vietnamese government. One of the targets of these botnets, x-cafevn.org, also had its user database stolen and posted to a website, along with a message where the perpetrators described themselves as "a group of young people of Vietnam in many parts of the world". Again, we see hacktivism with Government deniability.

Hacktivism in China goes by the name of Honker, from the Chinese 紅客; hóngkè, meaning "Red Guest", contrasting with the normal Chinese transliteration of hacker, 黑客, hēikè, literally "Black Guest". The first use of Honker was in 1999, following defacements of American websites after the bombing of the Chinese Embassy in Belgrade by US forces. Honkers have been involved in various patriotic or nationalistic attacks, such as tit-for-tat defacements of Iranian websites after the "Iranian Cyber Army" attacked the Chinese search engine Baidu in January 2010. Honker members claim they also help Chinese domestic websites to improve their security.

A very different style of attack was seen in Operation Aurora, which came to light in January 2010 when Google said it had been attacked from China, with intellectual property being stolen, and the webmail accounts of Chinese dissidents accessed. At least 34 other organisations were also targeted in the attack. The attack was highly sophisticated and utilised a zero-day vulnerability in Internet Explorer. Some analysts claimed that the primary objective was to access and modify source code repositories at high-tech security companies and defence contractors.

The more recent Stuxnet is another example of zero-day vulnerabilities being used in a sophisticated attack. While the intended target has not been confirmed, the most popular opinion is the Bushehr nuclear power plant in Iran, with the attacker being either Israel or the USA.

Various countries have stated their intention to prepare for cyberwar, though, as is natural with matters of national defence, they have not been specific about the form they expect a cyberwar to take. However, we can be sure that their plans will include offensive as well as defensive capabilities. If we imagine offensive cyberwar, incidents like Stuxnet and Operation Aurora come to mind: covert, sophisticated, and unattributable. The cruder tool of cyber-riots (mixtures of website defacements and DDoS attacks perpetrated by patriotic individuals) is less likely to be a military tool, but might be utilised for political ends.

What does this mean for businesses and ordinary users? The consequences are all bad. Your computers might be targeted because of your affiliation to a State or cause, or because you share a server with a target. Your computer may be press-ganged into an attack wherever it is. The renting of botnets for cyberwar attacks makes them more profitable, and pours money into criminals' research and development. Nations will stockpile zero-day vulnerabilities as a resource to deploy in times of crisis, making all our computers less secure than they could be.

The internet used to be compared to the Wild West, a lawless frontier; now it is more like the Western Front, a massive, unrestricted, messy battlefield. Geopolitics is putting your data in the firing line.
