While information warfare has been around since the first armies discovered the importance of gathering and using information to gain an advantage over an opponent, its incorporation of cyberterrorism methods is a completely new development. The basic model consists of an attack against an opponent’s information infrastructure, such as a computer network, to intimidate or threaten in furtherance of a political or social objective. Ostensibly, the attack is committed by a terrorist group of their own accord but the reality is that the group is sponsored, equipped or otherwise assisted by a nation-state who cannot directly initiate the attack due to legal or public relation concerns. To be sure, one of the key reasons for a nation to employ cyberterrorist tactics in their information warfare strategy is that it allows them to deny any involvement in the attack. Indeed, a nation can condemn an attack while at the same time benefit from its results.
While the number of reported cyberterrorist attacks have grown over the last few years (with countless others unreported), three of the more significant attacks in terms of size, daring uniqueness were the 2006 cyber intrusion into U.S. State Department computers; the 2007 cyberattack against Estonia and the 2008 cyber campaign against Georgia during the South Ossetia War.
Cyber Intrusion into State Department Computers (May–July 2006)
In an apparently well-coordinated “spear fishing” attack, e-mails containing an attachment embedded with malicious code were sent to a number of State Department employees working out of its Bureau of East Asian and Pacific Affairs. The e-mails notified readers that the attachment was a Congressional speech on a topic that they would likely need (or have an interest) to read. Once the attachment was opened, however, the embedded code implanted a backdoor into the State Department network that gave attackers unlimited and undetectable access into any computer connected to the network.
Once the intrusion was detected, State Department cyber analysts were able to capture and study the malicious code and eventually create an appropriate software anti-virus solution that eradicated and removed it from any system that was infected. However, while the solution was being created, all infected computers were taken offline and any suspicious network activity was blocked. This resulted in limited or no network connectivity for some employees. State Department officials said that the intrusions only affected its unclassified system, and that while the attackers may have been able to obtain user passwords and some personal information from victims, they did not gain access to state secrets or more sensitive data.
As the malicious code was removed and backdoor access was closed, affected employees were told to change their passwords and think twice before opening an attachment even if it seemed legitimate. Moreover, a new protocol was implemented that required, regular scans of computers and servers, mandatory anti-virus updates and the complete “sanitization and rebuilding of any infected computers.” The State Department was never able to determine who the attacker was or where the attacks had originated; but based on the fact the attacks were almost entirely against employees in the East Asia Pacific, many believe that Chinese state-sponsored hackers were behind the intrusions.
Estonia (April 2007)
Out of nowhere in late April 2007, a number of Estonian websites suffered a massive distributed denial of service (DDoS) attack. The sites affected a broad range of the country’s government agencies and private firms including two of the largest banks, TV and newspaper companies, government ministries and even the Estonian Parliament. As DDoS attacks are known for, the strikes flooded the targeted computers and servers with phony requests for information thereby blocking legitimate users from accessing the websites. Additionally, site functionality was either severely limited or completely destroyed as the computer/servers tried to answer every request. Since Estonia was one of the most “wired” countries at the time, many had grown to rely on the Internet for almost every aspect of their work and live. As a consequence the attacks were able to strictly limit business, commerce and communications into and out of Estonia for the targeted sites.
Interestingly, for a nation so reliant on the computers and the Internet, it did not have the tools to properly fight back or defend against the attacks. Assistance came to Estonia from outside computer experts from Europe and the U.S. Working together with Estonian officials; they were able to restore normal website functionality of the targeted websites by changing the IP addresses to ones that were not under attack and by switching the website’s host to providers that had the wherewithal to block further attacks. Eventually, the attacks first tapered off and ten stopped altogether in mid-May.
Just like the intrusions into the State Department computers, no one was able to confirm who initiated the attacks but many in Estonia blame Russia for sponsoring or encouraging the attacks if not directly launching the attacks themselves as a response to ethnic Estonian and ethnic Russian tensions over the Estonian decision to move a memorial recalling he Soviet fight to liberate the country during World War II. In fact, later an ethnic Russian hacker was later convicted of initiating one of the attacks against a government agency.
The upshot of the attacks was that Estonia has now become one of world’s leading voices and experts for cybersecurity with the ability to protect itself as well as provide counsel to other nations on ways to defend against cyber attacks. Soon after the attacks, NATO established it cyber defense research center in Estonia
South Ossetia (August 2008)
As tensions between Georgia and Russia over South Ossetia broke out into open fighting in August 2008, Georgian government sites encountered DDoS attacks similar in method, scale and scope to those experienced the year before in Estonia. Georgian sites were either “knocked off-line” or their functionality was extremely limited. Some sites, such as the official site for Georgian President Mikheil Saakashvili were defaced with pictures comparing Saakashvili to Hitler.
Unlike Estonia, however, Georgia was not very “wired” or reliant on the Internet. Accordingly, the attacks had minimal effect to the population. But, importantly, the strikes did affect the government’s ability to communicate with itself, its people and the outside world. What was interesting about the attacks was not that they were very sophisticated but that they occurred at the same time that Russian troops initiated ground, sea and air strikes against Georgian forces. That DDoS attacks eventually stopped without Georgia doing much to defend or fight against them. Some sites, like in Estonia, changed their IP addresses while others changed their hosts to get back online and avoid further attacks.
Since the attacks, Georgia has not done much in terms of building defenses against the recurrence of such types of attacks. Again, while confirmation of the attackers was never confirmed, the consensus was that the attacks were sponsored or at least coordinated by Russia.
Based on the nature of each attack it’s hard to pinpoint a specific deterrent that would completely prevent their recurrence in the future. Rather, I would recommend a program of deterrents that include: training employees on effective cyber hygiene (such as using strong passwords that are changed regularly) and how to avoid cyber scams; regular anti-virus and operating system updates as well as regular system scans for suspicious network activity. Additionally, website administrators should be given the ability to switch their IP addressed and hosting providers quickly and effectively and hosting providers should be have the computer power to deny a common DDoS attack. Finally, perhaps proactive intelligence in hacker forums or on hacker networks could provide information of when a cyberterrorist attack may be about to commence giving targets time to prepare a response (such as moving an IP address).
Herzog, S. (2011) Revisiting the Estonian cyber-attacks: Digital threats and multinational responses. Retrieved on June 5, 2014, from http://scholarscommns.esf.edu/jss/vol4/iss2/4
Hollis, D. (2011, January 6) Cyberwar case study: Georgia 2008. Retrieved June 6, 2014 from http://smallwarsjournal.com/jrnl/art/cyberwar-case-study-georgia-2008
Mulvenon, J.C. (2013, June 25) Testimony before Congressional-Executive Committee on China: Chinese cyber espionage. Retrieved on June 7, 2014 from http://www.cecc.gov/sites/chinacommission.house.gov/files/CECC%20Hearing%20-%20Chinese%20Hacking%20-%20James%20Mulvenon%20Written%20Statement.pdf
Reid, D.R. (2007, April 2007) Response to May-July 2006 cyber intrusion on Department of State computer network. Retrieved on June 6, 2014, from http://2001-2009.state.gov/m/ds/rls/rm/83256.htm
Tikk, E., Kaska, K., Runnimeri, K., Kert, M., Taliharm, A. & Vihul, L. (2008) Cyber-attacks against Georgia: Legal lesson identified. Retrieved on June 5, 2014, from http://www.carlisle.army.mil/DIME/documents/Georgia%201%200.pdf