CYBERWARZONE – A cyberattack or series of attacks that target a nation are typically referred to as cyber warfare. It has the capacity to destroy civilian and governmental infrastructure and interfere with vital processes, causing harm to the state and possibly even fatalities.
In this post on cyber warfare, I will provide you some examples of real cyber attacks which had an direct impact by Advanced Persistent Threat (APT) actors
Although cyber warfare typically refers to cyberattacks launched by one nation-state against another, it can also refer to cyberattacks carried out by terrorists or hacker groups with the intention of advancing the objectives of certain states.
Fundamentals on cyberattacks
If you thought that cyberattacks happen by people which can write very fast on keyboards into green terminals, then I have to disappoint you. Cyberattacks are orchestrated and made out of various steps which have been described very nicely in the MITRE Attack framework. The MITRE attack framework holds a knowledge base on seen cyberattacks.
The technical information and steps performed by cyber criminals and nation state threat actors are translated towards a clear metric which is used to get a better understanding on how cyberattacks are carried out and how threat actors operate.
According to reports provided, most hacking teams and cyberattacks are not carried out by a single person, instead, they are carried out by professional teams which have strict time windows and goals.
These well funded professional hacking teams have their own toolsets.
Nation state cyberattacks
Nation states often perform cyberattacks for a variety of reasons. These attacks can be used to steal information, disrupt operations, spread propaganda, or cause damage to another nation’s infrastructure. In some cases, these attacks are used to gain a competitive edge or to even out a perceived power imbalance. Nation states may also launch cyberattacks to interfere in foreign elections or to gain access to critical infrastructure. Additionally, cyberattacks can be used to test the defenses of a target nation in order to prepare for future operations. Ultimately, nation states use cyberattacks to achieve their geopolitical goals, whether it be to gain power or to weaken the power of a rival.
Cybercrime as a service (CCaaS)
Cyber criminals offer a wide range of services on underground forums and marketplaces, some of theses services are of interest for nation state threat actor. For example, one criminal might offer bullet-proof hosting services, while another criminal will carry the task to send large amounts of phishing mails to potential victims.
Cybercriminals that provide CCaaS are organized. They employ developers to develop tooling and malware, while sellers and promoters are hired to promote their criminal services on (underground) forums. They run their operations like organized organisations.
Types of cyber warfare
From what has been categorized, we can say that there are 7 main objectives for cyberattacks to be carried out.
The 7 main objectives are;
- Denial of service
- Economic disruption
- Impact on critical infrastructures
- Propaganda attacks
- Surprise attacks
Denial of service (DoS)
DoS attacks stop legitimate users from using a website by bombarding it with fictitious requests and making it respond to them. Critical activities and systems can be interfered with, and sensitive websites can be made inaccessible to people, members of the armed forces and security forces, or research organizations. Some attacks in the past were aimed at airports, by making the websites of airports unavailable, the threat actors could win some time or force someone to make a different choice to travel.
Computers are used to run the majority of current economic systems. Attackers can attack the computer networks of commercial institutions like banks, payment systems, and stock exchanges to steal money or prevent individuals from getting the money they require. It is also likely that threat actors are hired to perform attacks on cryptocurrency exchanges — the stolen cryptocurrency can be used by the threat actors to fund their future cyberwarfare campaigns.
A cyber espionage attack’s major objective is for the attacker to stay concealed for as long as possible in order to acquire valuable intelligence. A nation-state can use cyber espionage to gather intelligence to get ready to start a physical or virtual conflict. The usage of botnets and (spear) phishing attacks are likely to be seen. Phishing attacks allow nation state threat actors to gather information needed to infiltrate companies. Botnets are used to command and control compromised systems.
On average, it takes companies months to notice that they have been compromised.
Impact on critical infrastructures
Attacks on critical infrastructures are carried out because they have a major potential to destabilize large parts of society. These threat actors target the foundations which general public relies upon in day to day existence.
Nation state threat actors share fake news to manipulate masses, they do this by posting text messages, videos, images, content on different types of social media platforms — with expectations that viewers will perform actions that are desired by the threat actors.
The cyber attack on Twitter, tweets which reported on incidents in China were bombarded with random tweets by Twitter accounts that were inactive for months.
Hostile governments or terrorists may steal information, delete it, or leverage insider threats such as disappointed or careless employees. The University of Leiden was attacked by Iranian threat actors — which resulted in direct reputation lose.
Leiden University was in the news last July, 2022, after a suspected hack by an Iranian group of hackers – the ransomware attack gave hackers access to its network for two months.Leiden University
In order to weaken defenses, nation state threat actors carry out cyber attacks to determine the defenses and capabilities of their targets. These type of attacks can assist troops in the context of hybrid warfare.
Hybrid threats combine military and non-military as well as covert and overt means, including disinformation, cyber attacks, economic pressure, deployment of irregular armed groups and use of regular forces.NATO
Cybersecurity and threat intelligence companies worldwide assist in the investigations of cyberattacks, they play a critical role in advising governments and companies on how to protect and prepare themselves against (nation state) cyber attacks. These companies create in-depth reports and share them with the public when the time is right. Coordinated takedowns are performed by Europol, and their partners to minimize the impact cyber criminals can have on establishments and civilians.
According to all of these investigations, there are over 100+ serious advanced persistent threat actors which have the capabilities to disrupt. In the last couple of years, ransomware attacks have become very popular. Threat actors infiltrate organisations and steal valuable data, they upload this data to their data leakage site (DLS) and continue to demand payment from the breached companies.
It is not unlikely to imagine that stolen information is sold to nation state threat actors.
Usage of cryptocurrency
(Nation state) threat actors utilize cryptocurrency to obtain direct financial gains from their victims. In ransomware cases, they demand that the payment is paid in crypto coins. These crypto coins can again be used in attacks where insiders (Insider threat) are needed, or to purchase/build phishing kits and exploit kits.
Tactics can change in cyberwarfare
When Russia invaded Ukraine, the typical Russian cyber attacks on Ukraine also changed, instead of mainly focusing on stealing victims credentials or installing malware on targeted systems, the nation state threat actors of Russia focused on finding vulnerabilities in firewalls, routers and email servers. The Russian threat actors would exploit the vulnerable edge devices, allowing them to capture data and gain immediate access to the organisations network.
The GRU has shifted in particular to what they call “living on the edge.”Mandiant analysts Gabby Roncone and John Wolfram — source
The rise of attack surface management
Attack surface management (ASM) is the non-stop discovery, analysis, remediation and monitoring of the vulnerabilities and manageable assault vectors that make up an organization’s attack surface. Companies can use ASM solutions to quickly identify systems and assets which they have lost from their sights. Marketing teams quickly create awesome websites and landingpages for specific events, after the event, they totally forget about these sites, which are outside of organisations network. ASM allows organisations to identify lost websites, so they can quickly be secured. The same idea goes for systems which have not been updated for years. ASM will index them so that the security engineers can properly secure them.
Nation state sponsored cyber attacks
Cyberattack on Estonia
In 2007, Estonia moved the bronze soldiers location from the Tallinn city centre to the Defence Forces Cemetery of Tallinn. This decision sparked outrage in Russian media outlets, by using false news which claimed that the statue, and close by Soviet battle graves, had been being destroyed, the Russian media outlets were able trigger people to go outside and protest against the movement of the bronze soldier. Because of this action, Estonia suffered cyberattacks on their government sites, media outlets and financial institutions.
Cyberattacks on Ukraine
Between 2014 and 2016, the Ukrainian armed forces were attacked by the ‘Fancy bear’ threat actor, this threat actor targeted the mobile applications with the X-Agent spyware.
Ukrainian soldiers used the mobile applications to manage targeting data of the D-30 Howitzer, and because those mobile applications were infected with spyware, valuable information was leaked to Russia. This cyberattack caused the destruction of over 80% of Ukraine’s D-30 Howitzers and is a great example of how Hybrid warfare.
Between 2020 and 2022, we have witnessed how Ukrainian organisations were targeted by DDoS and espionage attacks:
- 70 Ukrainian government websites taken offline by cyberattack
- Ukraine banking and defense networks knocked out
Diginotar cyber attack
Between 10 July and 20 July, 2011, DigiNotar, a digital certificate authority (CA) in The Netherlands, suffered a cyberattack which led to its bankruptcy. In the Diginotar cyberattack, false certificates had been created for thousands of websites, among these false certificates, were fake certificates for Google and Skype. As a result of this cyberattack, the Google webmail of as many as 300,000 Iranians were intercepted by the Iranian government, allowing the Iranian government to steal, manipulate and delete data.
The FBI reported in 2019 that in the elections of 2016, Russia had engaged in informational warfare to influence the presidential election. In the month of June, 2016, the Democratic National Committee and its cyber response group publicly stated that Russian hackers had compromised the organisations network.
Chinese APT 10
On the 20th of December, 2018, the United States charged two Chinese hackers which were part of the Chinese APT 10 group, it is claimed by the report that they successfully compromised 45 technology companies. They were charged for global computer intrustion campaigns which targeted intellectual and confidential property of businesses and organisations. According to the report, the threat actors were already operating in 2006.