Cyber warfare against a target's critical infrastructure has become a staple of aggressive nations' hybrid warfare programmes, and in the long term it is expected to take place between the major powers, such as Russia, China and the US. On a smaller scale, neighbours with particularly strained political and diplomatic relations, such as Pakistan and India, may find themselves involved in exchanges of this sort on a more frequent, short-term basis. In Pakistan we are certainly aware of the nearly 70-year hostility of successive Indian governments towards this nation and its mandate, and security thinkers have now become aware of the new paradigm of hybrid warfare, consisting of non-linear attack methods aimed at destabilising Pakistan and its national infrastructure. For nations whose leadership is accustomed to lengthy strategic planning, and to initiating covert, multi-layered plans that coordinate multiple assets against numerous targets, the current digital age is relatively easy to handle. However, for nations less adept at spycraft and manipulation, whose belief is in international law, international agreements, or the words openly expressed in diplomatic exchanges, expecting, handling and deflecting subtle coercion in the cyber realm is something of a challenge. With reference to India, it may be observed that its particular brand of hybrid warfare is mainly emotionally triggered rather than clinical.
Rather than targeting Pakistan at the core of its existence and manipulating events in order to stop the state from functioning altogether, it pursues a line of aggravation and intrigue: occasional incidents along the border, refusal of diplomatic talks, sending fighter jets across to test air defence capabilities, sending spies to trigger bomb attacks, and most often a media/cultural line that uses news and television to imprint a negative image of Pakistan on the global subconscious, aimed at isolating the country from any potential partners, investors or allies.
Since state-on-state warfare of this kind is somewhat restricted on a legal basis, there is a limit to what a hostile nation such as India can do to its enemies through underhand, non-linear methods; this opens the door to the use of non-state actors, in the form of mercenaries who can be hired to carry out these activities. A study of the various types of activity/cyber attack that can be engaged online to damage, undermine or compromise a target's security infrastructure may form a later part of this series, or, if research has already been compiled on this basis, I would invite relevant readers to send that information forward. The focus here is on the types of actor at work in cyberspace to damage government organisations or large businesses, who can be commissioned and directed online via the dark web. This is a new avenue of the cyber strand of the hybrid warfare method, which for the time being I am labelling 'Outsourced Destabilisation'. Cyber attacks on large businesses, and particularly on banks, as you may well be aware, became a fashionable habit under the influence of 'hacktivists'/hacker groups who probably started out as left-wing masked activists inhabiting chat rooms or online forums such as 4chan, and later honed their hacking skills to direct them against the 'banksters'. This wave of activity had died down by around 2018, and the people with these abilities still need to make a living, which opens the possibility of cyber security assassins of a sort. The series now being released via Defence Journal aims to create an educational overview of cyber attacks perpetrated by third parties and cyber criminals, whose impact is being felt by the large, traditional financial institutions that form the basis of a nation's financial system, and of how their activities translate across borders to sympathetic or like-minded parties in this part of the world.
Background to Cyber Crime and Its Nature
To provide security experts and thinkers with a clear overview of the subject, I am referring to a special report produced by ZDNet, an online tech-news website, together with its sister site TechRepublic. The first article in the report, 'Cybercrime and cyberwar: A spotter's guide to the groups out to get you' by Steve Ranger, describes cyber criminals thus: "Some of them just want to break things, many want to get rich, and some want to change the world." Which types of criminal might target a specific entity is determined by two factors: 1) the internet is 'borderless', so any grouping of these entities could be assembled by the highest bidder, and 2) they come in various forms, i.e. lone wolves, coordinated criminal gangs, or dedicated state-sponsored groups. Essentially these groups use a variety of a) software/hardware combinations in order to target b) a particular organisation/entity with c) a specific process that will d) reveal/exploit some vulnerability, extract certain valuable data, or steal money.
Knowing this, we can understand that the goal of cyber-crime units is to a) understand/detect the use of those software/hardware combinations, b) warn/protect/assist particular organisations with regard to them, c) trace back the process/path taken by cyber criminals, and d) secure/recover/protect the targets' vulnerabilities, crucial data or money. The nature of cyber crime can thus be determined by using the above framework to analyse the particular group/individual identified as using cyber attacks against a particular target. The actors are described by Steve Ranger in the above article as follows:
• Disorganised crime
• Organised crime
• Hacktivists
• Terrorists
• State-backed hackers
• Insider threats
He also mentions the 'gray zone', where these actors may overlap, which he refers to as 'blurred lines'.
For educational purposes, I will begin with the 'gray zone' combination, because it seems the most likely scenario and matches the nature of the threats we expect within the new 'hybrid' paradigm, where a variety of actors and tools converge on a particular target. Different cyber criminals, according to Steve Ranger, often wear different hats, and organised crime is eager to borrow and emulate techniques first seen from state-sponsored hackers. The attack methods so learned eventually filter down the chain until they are picked up by even the most rudimentary type of hacker.
Disorganised Crime
Considered the 'petty criminals' of the cyber world, these actors are held to perpetrate the majority of incidents. They usually start out of curiosity or fantasy, progress through a process of initiation, and eventually form groups/outfits once they have gained the skills. The key tool is malware (malicious software), which can disguise itself as an advert and then mine the host computer for various forms of valuable data. Initiates and beginner hackers can reportedly purchase data-stealing malware for a few hundred dollars and then set it to work by spamming out millions of emails, which infect the target systems with the data-stealing software. Each piece of software used for this purpose acts in essentially the same way: it is disguised as something legitimate (i.e. a 'trojan'), and once run it executes malicious code on the receiving machine or network, which then finds its data stolen, its systems compromised, or, in the case of a bank, its funds exposed. Beginner hackers in disorganised groups have found 'ransomware' to be particularly effective. They purchase ready-made ransomware packages from underground forums and fire them out at random, hoping to infect as many systems as possible; whoever finds their hard drive scrambled after such an attack then has to pay a fee in order to get it unscrambled.
Cryptocurrency mining has been described as a more recent trend, in which the victim's data is neither stolen nor scrambled; instead the hacker stealthily hijacks the target's processing power to mine cryptocurrency, which is then deposited in the hacker's own wallet. The disorganised groups use a variety of crude procedures to extract money from their targets, through a range of ransoms or scams. The types of attack mentioned by Ranger include: 1) denial of service attacks, where the criminals threaten to take down websites unless fees are paid; 2) 'uninvited threat identification', where they identify security weaknesses in a target's website and then threaten to destroy the site unless a fee is paid; and 3) 'advance fee' scams, where the target is promised a large payout in return for paying a substantial sum up front. It is held that basic IT security is enough to defend against this type of cyber crime: changing default passwords, two-factor authentication, data encryption, anti-malware technologies, regular offline backups so that ransomware can be recovered from without paying, and staff training in good security practice.
Organised Crime
Often using a loose organisational structure with a team of many contractors, and often in combination with disorganised crime groups, this type of actor operates around a cybercrime boss at the centre: the person with the ideas, the targets and the contacts. The team consists of 1) those with expertise in developing hacking tools and finding vulnerabilities, 2) others who use these tools, and 3) others who launder the cash. These are the groups that usually have the capability to mount attacks on banks, law firms and other big businesses. They are characterised by a more planned form of activity, performing long-term, targeted attacks instead of random 'scatter-gun' initiatives. Key malware incidents involving groups of this type include the 'Carbanak' and 'Cobalt' attacks, which cost financial institutions around EUR 1bn across 40 countries, according to Europol's 2018 Internet Organised Crime Threat Assessment. In these incidents the gang first developed the malware and then sent 'phishing' emails to bank staff; once opened, the malware infiltrated the bank networks and found its way to the servers and the ATMs. With that access the thieves used 'mules' to collect cash from ATMs, and the proceeds were laundered by conversion into cryptocurrency. Europol holds that ransomware and crypto-mining malware continue to be a big area of interest for criminal gangs. Ranger notes that any individual or small business can become a target if it sits within the supply chain of a big business being targeted by these organised groups. He also points out that the line between disorganised and organised crime is blurred, as is the line between organised crime and nation-state backed hackers.
As described in relation to the threat from India, it can be understood, following Ranger, that there will always be the possibility of collusion between criminal and state-backed actors, since 'states view cyber criminal tools as a relatively inexpensive and deniable means to enable their operations', as warned by former US Director of National Intelligence Dan Coats.
Hacktivists/Terrorists
The activities of hacktivist groups such as 'Anonymous' are not considered by Ranger to be driven by any single agenda. However, we can see that they do share a broad range of policy positions, particularly with regard to concepts such as 'the elite', 'multinational corporations', 'central banks' and mainstream politicians. Their activities are mostly carried out to create radical social change in the areas they are contentious about, originating from deeply held left-wing political views. Hacktivism, as the name suggests, allows those who used to occupy public space in mass protest for long stretches to target their perceived oppressors directly via the web, using the software/hardware tools mentioned previously. Their activities, as described in the essay at hand, usually do not target a company's accounts system or customer database; rather they aim to obtain embarrassing emails from the CEO or other company officials, to get their logo onto your homepage, or to interrupt your social media posts, i.e. it is usually for publicity.
The author contends that 'despite any hype, the threat from cyber terrorism remains low, largely because these groups lack the skills, money and infrastructure to develop and deploy effective cyber weapons, which only the largest nations can hope to build.' Information cited from Europol describes 'Islamic State' sympathisers as having 'demonstrated willingness to buy cyber attack tools and services from the digital underground', while 'their own internal capability appears limited.' The types of threat the US government perceives as likely from digital terrorists are very limited, and include: 1) disclosures of personally identifiable information, 2) website defacements and 3) denial of service attacks against poorly protected networks.
Diagram: strands of attack (PMESII) measured against targets (MPECI)
Strands of Attack: Political | Military | Economic | Social | Information | Infrastructure
Target of Attack: Military | Political | Economic | Civilian | Information
State Backed Hackers
State-backed hackers are believed to be most commonly characterised by 'cyber espionage', which includes attempts to steal data on government personnel or on expensive defence projects. Ranger notes that data acquired through cyber espionage is used in different capacities by the relevant government departments, or is sometimes passed to the private sector for its advantage. Ranger also notes that the US has been keen to discourage 'cyber industrial espionage' in particular, apparently out of fear of an 'emerging trade war' between the US and China. Since his essay was written before the trade war now taking place under Trump, the policy most likely reflects activity during the Obama era rather than the current one. The original policy was formed out of awareness that cyber espionage would inevitably accompany the onset of a trade war, and that the resulting activity would have a negative impact on US companies in fields such as tech/biotech, aerospace, robotics and power equipment, which are considered at risk of attack. Now we reach the main focus of attention in this area of discussion. As I have explained from the outset, the major critical risk and target of attack within the realm of hybrid warfare is critical infrastructure, and cyber strands of attack are most likely used against the computer systems supporting state infrastructure such as financial systems, power, communications, utilities, transport, or other definitions of key social components as mapped out by the original PMESII/MPECI model, which measures strands of attack against targets as shown in the diagram above.
But not all state-backed hackers are after industrial secrets. The US, for example, has regularly warned that the networks controlling much of its critical infrastructure, including financial systems and power grids, are probed for vulnerabilities by foreign governments and criminals. This can be seen as nations doing the groundwork for more dangerous manoeuvres in future. Looking at the different cyber criminal actors as separate entities whose behaviour patterns can be typified is basically inaccurate, and overlap in their methods, tools or goals should be expected. Future studies in this area could do well to include a more accurate analysis framework matching a) the capacity of the criminal with b) the types of action and c) the intended outcome, which would enable us to identify types of cyber criminal more accurately.
Ranger describes how state-backed hackers can also behave like hacktivists, citing the 2016 US presidential election, where Kremlin-backed hackers obtained private emails from the Democratic National Committee and released them online. He considers this an example of state-backed hackers behaving like hacktivists, although the comparison seems of limited use: in light of the analysis framework mentioned above, anyone could do anything in the gray battle zone of cyber warfare. What is more commonly expected from state-backed hackers is the targeting of critical infrastructure, with examples cited by Ranger including bringing down a power grid or forcing open the gates of a dam at the wrong time. This is considered to be the transition line between cyber crime and cyber warfare.
Insider Threats
We can say that the realm of cyber warfare is the primary domain of hostile insiders: individuals willing to compromise the security of the major systems they work for or help manage, who have access to the innermost parts of critical infrastructure sites and can leverage that access to allow damage and disrepair to take place. This is particularly likely in the current environment, where the central operating systems behind major social entities, whether critical infrastructure or key organisations of integral importance, have been digitised. These systems govern the key strands of attack in hybrid warfare, i.e. the MPECI (Military, Political, Economic, Civilian and Information) segments of society. The risk is amplified by the central digitisation of smaller aspects of daily administration with the emergence of the IoT (Internet of Things), which has applications across a wide spectrum of systems, including 1) domestic usage, 2) consumer applications (smart homes, elderly care equipment), 3) commercial applications (medical and healthcare, transportation, V2X communications, building and home automation), 4) industrial applications (manufacturing and agriculture) and 5) infrastructure applications (metropolitan-scale deployments, energy management and environmental monitoring). There is much discussion of the security concerns surrounding the IoT, since the interconnectivity and central control of these devices pose a risk to end users through their security vulnerabilities and openness to manipulation. Vulnerabilities mentioned include weak authentication (such as default or hard-coded credentials), unencrypted messages sent between devices, SQL injection in the web interfaces and back-ends that manage the devices, and lack of encryption or signature verification for software updates.
These vulnerabilities create an opening for cyber criminals to intercept data more easily and carry out their usual range of activities: collecting personal data, stealing credentials, or injecting malware into a firmware update so that the device installs it as if it were legitimate. A device that checks neither the authenticity nor the version of an update will accept a tampered image, and will equally accept a genuine but older image that reintroduces already-patched flaws.
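The update-verification weakness described above, shown as an added example written for this article rather than taken from Ranger's report or any device vendor. The update container layout (4-byte version, 32-byte tag, image), the device key and the image bytes are all constructed for the illustration. Because the Python standard library has no asymmetric signature primitive, an HMAC-SHA256 tag under a device key stands in for the signature a real device would verify with a public key held in ROM or a secure element; the structure of the check (verify before flashing, constant-time comparison, refuse rollback) is the same.

```python
"""Firmware update verification: a loader with no integrity check beside a
hardened one. Illustrative code added to this article, not vendor code.
The update layout, key, image bytes and version numbers are constructed."""
import hashlib
import hmac
import struct

# Assumed update container: 4-byte big-endian version, 32-byte tag, then the image.
HEADER = struct.Struct(">I32s")

# Stand-in for the public key a real device would hold in ROM or a secure element.
# HMAC is used only because the standard library has no asymmetric signatures.
DEVICE_KEY = bytes.fromhex("8f2a1c5e" * 8)  # constructed 32-byte key


def build_update(version: int, image: bytes, key: bytes = DEVICE_KEY) -> bytes:
    """Package an image as the (assumed) vendor build server would. The tag covers
    the version as well as the image, so neither can be altered in transit."""
    tag = hmac.new(key, struct.pack(">I", version) + image, hashlib.sha256).digest()
    return HEADER.pack(version, tag) + image


def vulnerable_apply(update: bytes, installed_version: int) -> int:
    """The weak pattern: read the header and flash whatever follows. Anything
    delivered over the (unencrypted) link is accepted, including a downgrade."""
    version, _tag = HEADER.unpack_from(update)
    return version  # "flashed" without any check


def hardened_apply(update: bytes, installed_version: int, key: bytes = DEVICE_KEY) -> int:
    """Verify before flashing; raise ValueError on any failure so the caller
    keeps the firmware it already has."""
    if len(update) <= HEADER.size:
        raise ValueError("truncated update")
    version, tag = HEADER.unpack_from(update)
    image = update[HEADER.size:]
    expected = hmac.new(key, struct.pack(">I", version) + image, hashlib.sha256).digest()
    # Constant-time comparison: a plain == would leak how many tag bytes matched.
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication tag mismatch: image or version altered")
    # Anti-rollback: a validly tagged but older image reintroduces patched flaws.
    if version <= installed_version:
        raise ValueError(f"rollback refused: {version} <= installed {installed_version}")
    return version


def demo() -> dict:
    """Run the three cases a practitioner cares about and report the outcomes."""
    good = build_update(7, b"\x7fELF" + b"\x00" * 60)       # constructed image
    tampered = bytearray(good)
    tampered[-1] ^= 0x01                                    # flip one bit in the body
    old = build_update(5, b"\x7fELF" + b"\x01" * 60)        # genuine but older build
    results = {}
    results["vulnerable_accepts_tampered"] = vulnerable_apply(bytes(tampered), 6) == 7
    results["hardened_accepts_good"] = hardened_apply(good, 6) == 7
    for name, blob in (("tampered", bytes(tampered)), ("rollback", old)):
        try:
            hardened_apply(blob, 6)
            results[f"hardened_rejects_{name}"] = False
        except ValueError:
            results[f"hardened_rejects_{name}"] = True
    return results


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

The tag binds the version number to the image: without that, an attacker could pair a current version number with an old image body, or vice versa. On a real device the HMAC check would be replaced by a signature check against a provisioned public key, since a symmetric key extracted from one unit would otherwise let an attacker sign updates for every unit.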
Now that the landscape within which cyber security is pursued has been generally mapped for readers' understanding, security experts and thinkers can explore further incidents and case studies, applying the frameworks of analysis and measuring scales mentioned in this initial article to real incidents appearing in the news of late, with a view to comprehending the scope of the attacks, the systems targeted, the tools used, and the type of cyber criminal at work. Logging these incidents and gathering a base of terminology is the key exercise required to develop competency in performing security risk analysis in cyberspace, particularly when looking at how these processes can be used to target financial institutions. Steve Ranger advises that the IoT has created a new layer of vulnerability in the critical systems of organisations and individuals. Given this, and the level of funding and technology allotted to state-sponsored groups, the threat level to targeted state organisations is quite high. He warns that keeping such groups out of organisational control systems is a long, slow game, considered extremely difficult by all accounts. The focus for organisations in all contexts is to devise methods to limit the damage from the attacks that inevitably get through, but I would suggest that finding a method or combination of methods to restrict or prevent the success of these attacks is the first priority. Ranger argues that prevention alone is not enough: given the funding and skill level of state-backed hackers, we are to assume that they will penetrate system defences and eventually find their way inside. This implies the collusion of the 'insider' class, whose activities open the door for the other classes of cyber criminal to exploit the vulnerabilities exposed. Ranger flags disgruntled employees as a significant threat, since their access to data can pose big risks to businesses. They have access to confidential company documents and system controls, and are aware of the weaknesses and access points of a company's core systems, i.e. the IT network, customer database, account details, operations infrastructure and so forth. Blackmail and coercion also play a major role: staff can be blackmailed by foreign governments or state-backed groups into handing over critical data or passwords, and this is particularly the case with the IT staff of large organisations.
Spending and Costs
The main interest of financial institutions in these risks is the spending and costs involved. According to research sponsored by IBM Security and conducted by the Ponemon Institute, the average cost of a data breach involving roughly 2,500 to 100,000 stolen records in 2018 was $3.86 million. The critical point for those managing these big organisations is that cleaning up the aftermath of an attack is found to cost more than the money actually stolen. This lends particular weight to the preventative measures that cyber security experts can put in place, and to the need for these companies to spend on security systems able to prevent penetration by hostile parties. Mapping the points of access and the potential routes hostile elements could take to reach security systems or private information should be done with the utmost diligence, taking into account the full range of cyber attack methods that might be used and the actors potentially involved. Another factor adding to the importance of cyber risk awareness, particularly in Europe, is the arrival of the GDPR (General Data Protection Regulation): the fines potentially faced by large companies could be significant if they are found to have given no importance to compliance or security protocols. In 2018 the market research firm Gartner was cited as forecasting that worldwide spending on security products and services would reach $114bn that year and about $10bn more the next, driven by heightened concern over the GDPR, risk management and data privacy.
Concluding Thoughts
Based on the thoughts of any number of reputable scholars of modern warfare, the objectives of war, by any of their definitions, can now be reached by cyber methods alone. As hybrid and covert methods of warfare grow in favour with the larger powers, the sophistication and complexity of cyber weapons are also set to increase and diversify accordingly. Security analysts and those with interests in defence matters, at state level and within organisations, are recommended to pay close attention to developments in cyber attack methods, as these are now the primary weapon of choice for targeting and damaging the critical infrastructure and institutions of enemy nations.
The threat to a country's core elements of society can all be influenced through a single strand of attack, the cyber strand, which distinguishes it from the other attack strands in the hybrid threat spectrum, as shown in the diagram at the beginning.
Non-state actors, emphasised as the core element in any hybrid warfare scenario, have been boosted to a high platform by cyber warfare, and the introduction of cyber mercenaries has left any target open to intrusion and manipulation, given the right mix of cyber criminals and the funding for that purpose. Through 'Outsourced Destabilisation', a wide variety of threat actors can be employed by hostile stakeholders to damage a target's infrastructure: disorganised lone-wolf attackers, organised criminal units, hacktivists, terrorists, state-backed hackers, and the ever-present insider threat.
Cyber criminals have been identified as using routine practices, including software to access valuable data, which allow them either to coerce the target's systems or to extract information or money. They achieve this by exploiting any visible vulnerability in existing software/hardware combinations. Cyber crime thrives in the gray-zone environment that characterises the essence of hybrid warfare, and operates through discreet methods designed to avoid detection by the target. The major attack types they may use against banks have been identified as part of this study as 1) ATM skimming, 2) phishing, 3) vishing calls, 4) advanced persistent malware, 5) dark web usage, 6) BIN attacks and 7) supply chain attacks. Through heightened awareness, actionable intelligence and deep monitoring, cyber security researchers and experts are constantly developing ways to ensure resilience for organisations and to make sure they have the understanding to take pre-emptive measures against the attack types perpetrated by hostile actors, often using unique patented technology such as the 'smart automated technology' described for defence against the dark web.