Target confirming an offensive cyber operation

For the first time in the “history of cyber conflicts” (call it that) we have seen the media of one country signaling an offensive cyberattack on a target located in another country, and the media of the targeted country confirm that the operation has happened. This is without precedent, and it will have consequences.

This assessment aims to be neutral and factual.

Events in USA

Cyber doctrine in the US has shifted (recently I wrote about the French one) to simplify the conduct of offensive cyber operations. Reports of foreign interference via cyber means targeting businesses and infrastructure, and affecting internal matters, are at the center of US public attention. The fears spiked particularly close to the 2018 mid-term elections, specifically fears of disinformation, justified or not.

This internal situation led to practical effects. Many reports indicated that US Cyber Command conducted an offensive cyber operation targeting the so-called “troll factory” compound (the Internet Research Agency, IRA). It was reported a while ago, has been mentioned by a US Cyber Command official, and more details emerged recently. All this suggests that an offensive cyber operation happened, with the aim of “demonstrating a case”, or of disrupting the operations of the IRA.

To date, apart from anonymous sources, no particular details have emerged in the US that would allow one to conclude what happened. This has now slightly changed: there is information from Russia.

Events in Russia (“the battleground”?)

The Federal News Agency (FNA) of Russia has made an announcement, in essence confirming that the US cyber operation took place. According to the communique, which fortunately presents at least some technical details:

“On November 5, 2018 at about 22:00 Moscow time, the RAID controller of the internal office was destroyed and two out of four hard drives were disabled. The hard drives on servers in Sweden and Estonia were formatted.”

Let’s break it down (based on the information from FNA).

Entry point:

  • multiple attempts to gain access to internal networks
  • a first attempt by phishing: sending mails with an infected document (the announcement speaks of “undocumented Windows features”?), which failed
  • a second attempt, allegedly via a hacked iPhone 7 that was eventually connected to a computer on the internal network

It is not possible to establish the veracity of these details; caution is advised unless more details are published, such as the infected document, the malicious software that was found, or a stricter account of events. I would be especially cautious in interpreting the “undocumented Windows features” phrase (used in the FNA announcement), which simply sounds suspicious; as stated it is not specific enough to identify any technique. On the other hand, it is true that the iPhone 7 (iOS) has had security vulnerabilities allowing it to be infected, and a compromised phone connected over USB to an internal host is a plausible path inward, although nothing published so far shows how the host would then have been compromised.

While the entry point is a matter of controversy, the effects are clearly described: storage systems were affected. Depending on the internal setup, wiping storage systems undoubtedly leads to some disruption of internal operations at FNA, but it is difficult to estimate the degree of actual disruption; if at all serious, it was rather a temporary loss of functionality. Note that the communique does not say whether the RAID controller was physically damaged or only its configuration destroyed, nor whether backups existed; both determine how much of the loss was recoverable. While it’s possible to use elaborate military-parlance expressions like “defending forward” or “persistent engagement” (which certainly make it sound serious), or in the more traditional parlance “rm boxes” (sounds less impressive?), all things considered, wiping a selection of systems might not necessarily be seen as a significant effect. This is understood solely on technical grounds, and through the lens of actual long-term impact on the target (unless in the sense of sending a message).

Potential results in USA

It is unclear to what degree a cyber operation conducted so close to the election date could provide practical protection from disinformation (which is rather a continuous activity; a complex topic). No information about imminent threats in November 2018 has ever emerged. But there are indications that the operation’s aims may have been different, including

  • Internally, demonstrating (including to the broad public) that something has been done, and that Cyber Command is operational
  • Externally, sending a signal; the actual outcome in the long run would be difficult to measure

Lacking more details, the assessment cannot be more elaborate.

Potential implications of operations in Russia

This point is particularly interesting. There are already signs that the US cyber operation is being used internally:

  • Russia has recently been working on isolating its internal networks from the outside internet, including deploying more controls and traffic filtering. Among the stated motivations are “external cyberattacks”. Seen in this light, the US cyber operation is an additional argument and can be spun as such. The Kremlin spokesman has already used this argument.
  • the FNA announcement several times describes the attack as originating from the US military. The message may hint at the risks of the militarisation of the internet. It is true that offensive cyber operations on targets located in other countries might be seen as interfering with sovereignty.

Forecast

Lacking more information, predicting what happens next is difficult. However, taking all into account, one might expect the following:

  • More details about the offensive cyber operation that was carried out will emerge in the US; eventually some might be declassified and made public (perhaps even in 2019)
  • So far, signals in the US and Russia are flowing through the media. It is unclear whether official actions (i.e. diplomatic) are to follow in Russia. The US has made public indictments something of a standard (I think there are around 30 of them by now), and this might be an opportunity for Russia to take similar action on a different scale, but it is unclear whether that would be seen as the ideal way forward. Furthermore, the official proposals for the Open-Ended Working Group in the United Nations that Russia sponsored may indicate something else. Specifically this point:

States must meet their international obligations regarding internationally wrongful acts attributable to them under international law. However, the indication that an information and communications technology activity was launched or otherwise originates from the territory or objects of the information and communications technology infrastructure of a State may be insufficient in itself to attribute the activity to that State. States should note that accusations of organizing and implementing wrongful acts brought against States should be substantiated. (...)

  • Russia will continue moving forward with the project to isolate their networks from the external internet

Summary

While seeing offensive cyber operations as a means of “projecting power or influence” might be more or less warranted, viewing the matter solely in that way risks oversimplification, such as tying cyberattack activity to arbitrary international policy events. The event described today is of a different nature. We have just seen an actual, unprecedented case. A number of very interesting ramifications may follow, in both internal and external aspects. Potential “retaliations” might not always be limited to simple tit-for-tat, or to exactly the same means.

Did you like the analysis? Feel free to reach out: me@lukaszolejnik.com