Cyberwarfare has evolved considerably over the past thirty years. Cyberwarfare activities were already present in the early 1990s, but most people were unaware of the threats they posed. Even though the threats of that period were presumed to be somewhat remote, they have since become main instruments of contemporary warfare.
The year 1998 ushered in an attack referred to as Solar Sunrise, which targeted United States military computer systems (Stewart, 2010). The Solar Sunrise incident proved to be a severe threat to United States national security; fortunately, the attacks did not inflict considerable damage on government computer systems. Rather, they served to draw the attention of government leaders and the public to the real risk of cyberattacks. A month after the Solar Sunrise attack, another attack, code-named Moonlight Maze, was carried out. It entailed reconnaissance and penetration of computer systems owned by colleges, government agencies, and research laboratories across the U.S., and it led to the theft of thousands of sensitive files. Notably, Moonlight Maze illustrated the challenge of attributing attacks to their original source (Jensen, 2013).
The years that followed saw cyberwarfare attacks and capabilities grow considerably. Organizations of many types increasingly became victims of cyberattacks that appeared to originate from state-sponsored sources. The 2000s ushered in complex malware that spread globally under its own power. For instance, the Code Red worm, introduced in 2001, was capable of spreading under its own power, moving from one system to another without human intervention (Stewart, 2010). In a single day, the Code Red worm was reported to have infected over 350,000 computer systems across the globe. Other cyberattacks that followed included SQL Slammer in 2003 and Titan Rain and Poison Ivy in 2005 (Stewart, 2010).
The second decade of the 21st century saw these attacks mature. The attacks conducted during the first half of this decade are progressively more complex and have considerable impact on their targets. The 2010 Stuxnet attack marked a major turning point in cyberwarfare when it was alleged that a combined U.S.-Israeli cyberwarfare operation destroyed twenty percent of the nuclear centrifuges in use by Iran’s nuclear program. Other attacks emblematic of the 21st century include Operation Aurora, Duqu, Flame and Careto (Stewart, 2010). Given the constant evolution of cyberattacks, it would be difficult to believe that even more sophisticated weapons are not sitting unused in cyberarsenals, waiting for a suitable moment to appear on the global stage.
An APT has several characteristics. Phishing is one such feature: a majority of APTs that employ internet-driven exploitation methods begin with spear-phishing and social engineering. Once a user machine is compromised, network credentials are given up, which gives attackers room to position their own tools to monitor and spread through the network as needed, from one machine to another and from one network to another, until they find the information they are searching for (Anderson, 2008). APTs have clearly defined objectives. Notably, APTs function in a paramilitary or military manner: their mission is clearly spelled out, and all their cyberwarfare activities are carried out in support of that mission.
APTs are very expensive: their custom development may cost between thousands and millions of dollars. As such, sponsors of APTs provide very high levels of funding and support for their operation, and the attacks are executed by very bright and skilled teams of cyberattackers. Developing and launching a single APT may take months of effort, making it one of the most resource-intensive types of crime from the viewpoint of an attacker. APTs are well organized and disciplined: they are run by disciplined organizations and conducted in a command-and-control manner. Another important feature of APTs is that they utilize sophisticated technical tools. They have access to advanced attack technologies that are generally not available to other attackers (Anderson, 2008). Examples include the exploitation of vulnerabilities discovered by the APT that have not been disclosed to anyone else and are therefore hard or impossible to defend against.
APTs are tailored to the vulnerabilities of a specific organization (Anderson, 2008). They are therefore highly targeted, formulated with that organization’s vulnerabilities in mind. APTs also work on entry points: numerous attempts may be made to establish a preliminary presence within a network, although initial attempts are usually well enough researched to succeed. Months of research can yield complete knowledge of an organization’s vulnerabilities and of its human gatekeepers.
APT groups normally develop sophisticated tools which they use to attack their targets and attain their goals. Zero-day attacks are one example of APT tradecraft: the attackers identify a new vulnerability in an operating system or software package, which they keep secret for use in a future attack (Anderson, 2008). Another is advanced malware, where the attacker installs malware such as a Trojan to obtain lasting access to a targeted system for future exploitation. Other APT tradecraft includes strategic web compromises, social engineering and phishing.
APT attacks differ from attacks attempted before the internet became prevalent in that they are not hit-and-run. Once attackers penetrate a network, they remain in order to obtain as much information as possible. APT attacks also differ because they are shrouded in secrecy: they have the ability to remain undetected, hiding within enterprise network traffic just enough to allow attackers to attain their goals (Schmitt, 2013). By contrast, attacks attempted before the prevalence of the internet mainly employed “smash and grab” strategies that alert defenders. The goals of APT attacks are also different: while they usually target data that provides a competitive or strategic advantage, such as intellectual property or national security data, conventional threats mainly look for personal information such as credit card data or other data that facilitates monetary gain.
The first step of the attack mainly entailed collecting information about the target, i.e., the country’s power grid. Information about weaknesses of the target that could be exploited was collected mainly through social engineering methods and open source intelligence. This information then allowed the cyberattackers to develop a weapon that would enable them to compromise the security of the power grid’s computer systems. To that effect, the attack is likely to have originated from web assets, authorized human users or network resources, and the attacker probably gained entry into the computer system by compromising one of these three attack surfaces. The attacker was able to conduct the attack through malicious uploads (for example, SQL injection) or social engineering attacks such as spear phishing (Roculan et al., 2003). The uploaded malicious software then probed for vulnerabilities and communicated with external command-and-control (CnC) servers for further instructions or additional code. Once access was obtained, the attacker quickly installed a backdoor shell, malware that granted network access and made it possible to conduct remote, covert operations. The malware also set up additional compromise points to ensure that the attack continued even if a particular point of entry or vulnerability was closed.
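The check-ins with external CnC servers described above are one of the few points at which a covert implant has to make itself visible on the network. The following Python script is an example added here; it is not part of the original essay and does not describe any real incident. It parses a constructed proxy log excerpt (workstation names, domains and timestamps are invented) and flags host/destination pairs whose connection intervals are nearly constant, the regular rhythm of an implant polling its CnC server.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log excerpt: "<ISO timestamp> <source host> <destination domain>".
# All names and times are invented for this example. Host ws-17 contacts one
# external domain roughly every 300 seconds, the regular check-in pattern of
# an implant polling its command-and-control (CnC) server; the rest is noise.
SAMPLE_LOG = """\
2024-03-01T08:00:00 ws-17 updates.example-vendor.test
2024-03-01T08:00:02 ws-17 intranet.example.test
2024-03-01T08:05:01 ws-17 updates.example-vendor.test
2024-03-01T08:07:40 ws-22 news.example.test
2024-03-01T08:10:00 ws-17 updates.example-vendor.test
2024-03-01T08:11:15 ws-22 intranet.example.test
2024-03-01T08:15:02 ws-17 updates.example-vendor.test
2024-03-01T08:20:00 ws-17 updates.example-vendor.test
2024-03-01T08:25:01 ws-17 updates.example-vendor.test
2024-03-01T08:33:09 ws-22 news.example.test
"""


def parse_log(text):
    """Group request timestamps by (source host, destination domain)."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, dest = line.split()
        events[(host, dest)].append(datetime.fromisoformat(ts))
    return events


def find_beacons(text, min_events=5, max_cv=0.1):
    """Return (host, dest, mean_gap_seconds) for pairs whose inter-request
    gaps are nearly constant.

    Regularity is measured with the coefficient of variation (CV) of the gaps:
    population standard deviation divided by the mean. A CV of 0 means perfectly
    periodic traffic; human browsing produces large, irregular gaps and a high CV.
    """
    hits = []
    for (host, dest), times in parse_log(text).items():
        if len(times) < min_events:      # too few samples to judge periodicity
            continue
        times.sort()
        gaps = [(later - earlier).total_seconds()
                for earlier, later in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        if pstdev(gaps) / avg <= max_cv:
            hits.append((host, dest, round(avg, 1)))
    return hits


if __name__ == "__main__":
    for host, dest, gap in find_beacons(SAMPLE_LOG):
        print(f"possible beacon: {host} -> {dest} every ~{gap:.0f}s")
```

Legitimate software updaters and monitoring agents also poll on fixed schedules, so a hit is a triage lead to be checked against an allowlist and the destination's reputation, not a verdict. Implants that add random jitter to their sleep interval raise the CV, which is why `max_cv` and `min_events` are tuning knobs rather than constants.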
After establishing a foothold in the computer system, the attacker acted to widen their presence within the network, after which they collected target data such as passwords and account names (Roculan et al., 2003). Once this occurred, the attackers were able to identify and access data in the power grid’s computer system. Since the ultimate goal of the attack was to disrupt power in several states within the country, the attackers mainly focused on gaining control of numerous critical functions of the power grid and manipulating them in a particular sequence to cause maximum destruction (Howard and David, 2002). Examples of common vulnerabilities and exposures that could have contributed to this kind of attack include XSS and SQL injection. Insecure defaults are another example: software that ships with unsafe settings such as guessable admin passwords. Privilege escalation attributable to flawed authentication mechanisms also falls into this category.
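SQL injection is named above both as an entry vector and as a contributing vulnerability class. The following Python example is added here and is not from the original essay; it places the defect beside its fix using an in-memory SQLite table with constructed rows. The vulnerable lookup splices the caller's input into the SQL text, so a tautology such as `' OR '1'='1` returns every row and a legitimate name containing an apostrophe breaks the statement; the hardened lookup binds the value as a parameter, so both inputs behave correctly.

```python
import sqlite3

# Constructed in-memory user table; the rows are sample data for this example only.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL)")
    conn.executemany("INSERT INTO users (username) VALUES (?)",
                     [("alice",), ("bob",), ("grid_operator",), ("o'brien",)])
    return conn


def lookup_vulnerable(conn, username):
    """Builds the statement by string concatenation, so the caller's input
    becomes part of the SQL itself (the defect that enables SQL injection)."""
    query = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(query)]


def lookup_hardened(conn, username):
    """Parameterised query: the driver binds the value separately from the
    statement text, so input can never change what the statement does."""
    query = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(query, (username,))]


# Classic tautology payload, used only to show the difference in behaviour.
INJECTED_INPUT = "' OR '1'='1"


def compare(username):
    """Run both lookups on the same input. The vulnerable path reports 'error'
    when the input breaks the SQL syntax, which is what an apostrophe in a
    real name does to a concatenated query."""
    conn = make_db()
    try:
        vulnerable = lookup_vulnerable(conn, username)
    except sqlite3.OperationalError:
        vulnerable = "error"
    return {"vulnerable": vulnerable, "hardened": lookup_hardened(conn, username)}


if __name__ == "__main__":
    for test_input in ("alice", INJECTED_INPUT, "o'brien"):
        print(repr(test_input), "->", compare(test_input))
```

The same discipline applies beyond SQLite: every database driver offers placeholders, and the fix is structural (the query text never depends on user data), which is why parameterisation rather than input filtering is the standard mitigation.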
Targets: The attacker mainly targets energy grid operators and major electricity generation companies located in the United States.
Tactics, Techniques, Procedures (TTP): The attacker uses techniques focused on stealing data, installing additional malware on systems, and running executable files on infected computers. The attack group is also capable of running extra plug-ins, such as tools for gathering passwords and cataloguing documents on infected computers. The first phase of this group’s attacks consists of sending malware in phishing emails to employees of targeted companies. The second phase adds watering hole attacks: compromising websites that personnel in the energy sector are likely to visit so as to redirect them to sites hosting an exploit kit, which is then delivered to the target’s computer. In the third phase, genuine software bundles are Trojanized.
Resources and capabilities: The operations of this attack group are likely sponsored by a well-funded nation state, because the group displays a high level of technical ability. It has a wide range of malware tools and has demonstrated the ability to launch attacks via numerous attack vectors while at the same time compromising third-party websites. The attacker also has a high capability to interfere with systems that regulate the generation, transmission and distribution of electricity.
Physical and logical access: The attacker is able to attain deep levels of physical and logical access. In this regard, it was discovered that this attack group is able to hack into industrial control systems (ICS) at numerous energy companies and their power grids.
Anderson, R. (2008). Security Engineering: A Guide to Building Dependable Distributed Systems (2nd ed.). New York: John Wiley & Sons, Inc.
Howard, M. and David, L. (2002). Writing Secure Code (2nd ed.). Redmond: Microsoft Press.
Jensen, E. T. (2013). “Cyber Attacks: Proportionality and Precautions in Attack.” International Law Studies, 89, 198–217.
Roculan, J. et al. (2003). “SQLExp SQL Server Worm Analysis.” Symantec DeepSight Threat Management System Threat Analysis. Retrieved from
Schmitt, M. N. (2013). Tallinn Manual on the International Law Applicable to Cyber Warfare. New York: Cambridge University Press.
Stewart, J. (2010). “Operation Aurora: Clues in the Code.” Dell SecureWorks Research blog. Retrieved from http://www.secureworks.com/resources/blog/research/research-20913/.