Cyber security Q&A: Mechanics of cyber warfare

The threats are many and varied, while suspects range from activist groups to nation-states

Q: Can you put a figure on the total cost of cyber warfare?


The global business of cyber warfare is an estimated £10bn, although the real figure is thought to be much higher because it does not take into account the technology needed to carry out the attack, the value of certain immaterial things such as IP, the cost of lost business for the target organisations and states, and the investment needed to protect IT systems.

 Q: Who are the people behind the attacks and what are they looking for?

At the top of the food chain you’ll find a large well-funded organisation such as a nation-state or very large corporation. The 2009 ‘Operation Aurora’ attack on Google, of suspected Chinese origin, and the 2012 Flame program used for cyber espionage in the Middle East, are two examples of such attacks. The hallmark of those organisations is that they carry out highly sophisticated and targeted attacks, especially as they often have additional sources of intelligence at their disposal about their target as well as huge infrastructure, data gathering, time and manpower resources.

So-called ‘second-tier’ cyber attackers are most likely well-organised groups with a political motivation such as the Syrian Electronic Army (SEA) or the Iranian Cyber Army (ICA). They are generally not directly associated with a nation-state, although there is sometimes a tenuous link, and do not have the same level of funding or sophistication as those that are. 

I believe the 2008 distributed denial of service (DDoS) attacks against Georgian media and banking facilities, which happened at the beginning of the Russian invasion of Georgia, are representative of this type of attacker. The Russian government has denied any involvement and the attacks are thought to have originated from activists with links to Russian organised crime.

Criminal organisations constitute the third category and they sometimes overlap with the previous group because, although they might leverage a criminal infrastructure such as a botnet, they often have a political motivation. This is why the types of attacks they are interested in are often leveraged towards critical infrastructure and not necessarily undertaken for monetary gain.

Q: What kind of vulnerabilities do these attackers use to get what they want? And in what ways do these differ from previously known ones?

There are several categories of threats that keep coming up.

Advanced Persistent Threats (APTs) are used to infiltrate a computer system to facilitate intelligence collection and IP theft. Attackers leveraging this approach often attempt to find ‘zero-day vulnerabilities’ – flaws in computer systems not previously identified. This means security professionals and software developers often fail to defeat them because they cannot fight something so new. This is the type of threat that was used to spy on the Dalai Lama’s computer systems in 2009. Interestingly, some instances of the malicious software (malware) used had gone undetected on the computers for nearly two years.

You will also find DDoS attacks, which are the signature weapon of organised crime. Those cause large volumes of traffic, originating from botnet-compromised systems, to target a single system. 

Most recently, activist group Anonymous targeted more than 100,000 Israeli websites in retaliation for what it called Israel’s “endless human right violations”, specifically air strikes that took place in the Gaza Strip. The group has also claimed attacks against the FBI and Nato. 

But they are obviously not the only ones conducting such attacks.

Attributing the sources of these attacks is difficult as, in theory, everything an attacker does can be faked in some way. Despite the use of computer forensics to analyse the malware to get precise details on attacker location, internet protocol address and language is difficult – investigators need to accumulate a relatively large amount of evidence and intelligence from a variety of sources to identify the origins of such incidents. We are researching this aspect of cyber warfare at West Point to design tools to help investigators.

In the same vein, you will also find internet protocol address hijacking of the type used by Hezbollah to fund their activities, as well as domain name server (DNS) redirection carried out by the ICA or Anonymous. In addition, social media group hacking has also been seen, one of the most representative examples being the SEA compromising the Facebook pages of rival groups to post propaganda.

Attacks against infrastructure are a lot rarer, but are set to grow. The 2010 Stuxnet attack is the only recorded attack that was successful, to our knowledge. It is thought that Stuxnet was developed to sabotage Iranian nuclear facilities. A lot of people are disregarding the potential of attacks against the power grid because they believe the overall network is so heterogeneous and comprised of so many computers that it would be difficult for an adversary to tear it all down. However, there are vulnerabilities in the individual components and targeting these could lead to a much bigger, cascading failure. 

Look at what happened in the US in 2003, when a tree falling on a single power line in Ohio caused a whole portion of the grid to collapse.