Cyberweapon

Cyberweapons are commonly defined as malware agents employed for military, paramilitary, or intelligence objectives as part of a cyberattack. This includes computer viruses, trojans, spyware, and worms that can introduce malicious code into existing software, causing a computer to perform actions or processes unintended by its operator.

Characteristics

A cyberweapon is usually sponsored or employed by a state or non-state actor, meets an objective that would otherwise require espionage or the use of force, and is employed against specific targets. A cyberweapon performs an action that would normally require a soldier or spy, and which would be considered either illegal or an act of war if performed directly by a human agent of the sponsor during peacetime. Legal issues include violating the privacy of the target and the sovereignty of its host nation. [1] Examples of such actions are surveillance, data theft, and electronic or physical destruction. While a cyberweapon almost certainly results in either direct or indirect financial damage to the target group, direct financial gain for the sponsor is not a primary objective of this class of agent. Although they are software, cyberweapons are often associated with causing physical or functional harm to the systems they attack. [2] However, there is no consensus on what officially constitutes a cyberweapon. [2]

Unlike malware used by script kiddies to organize botnets, where the ownership, physical location, and normal role of the attacked machines are largely irrelevant, cyberweapons show high selectivity in their employment, their operation, or both. Before the attack, cyberweapons usually identify the target using a variety of methods. [3] Likewise, malware employed by fraudsters for the theft of personal or financial information shows lower selectivity and wider distribution.

Cyberweapons are dangerous for several reasons. They are typically difficult to track or defend against because they have no physical components. [2] Their anonymity allows them to hide in systems undetected until their attack is unleashed. [4] Many of these attacks exploit "zero days", software vulnerabilities that are unknown to the vendor, which has therefore had zero days to fix them. [4] They are also significantly cheaper to produce than the cyber defenses needed to protect against them. [4] Often, cyberweapons built by one force are obtained by an opposing force and repurposed for use against the original force, as can be seen with the cyberweapons WannaCry [5] and NotPetya. [6]

While the term "cyber weapon" is frequently used by the press, [7] [8] some articles avoid it, instead using terms such as "internet weapon", "hack", or "virus". [9] Mainstream researchers debate the requirements of the term while still referring to the employment of the agent as a "weapon", [10] and the software development community in particular uses the term only rarely.

Examples

The following malware agents generally meet the criteria above, have been formally referred to in this manner by industry security experts, or have been described this way in government or military statements:

History

Stuxnet was among the first and most influential cyberweapons. [2] [11] In 2010, it was launched by the United States and Israel to attack Iranian nuclear facilities. [11] [12] Stuxnet is considered the first major cyberweapon, [11] and it also marked the first time a nation used a cyberweapon to attack another nation. [13] Following the Stuxnet attacks, Iran used cyberweapons to target top American financial institutions, including the New York Stock Exchange. [14]

Stuxnet was followed by Duqu in 2011 and Flame in 2012. [11] Flame's complexity was unmatched at the time. [1] It used vulnerabilities in Microsoft Windows to spread [3] and specifically targeted Iranian oil terminals. [7]

In 2017, data breaches showed that supposedly secure hacking tools used by government agencies can be obtained, and sometimes exposed, by third parties. Furthermore, it was reported that after losing control of such tools the government appears to leave "exploits open to be re-used by scammers, criminals, or anyone else – for any purpose". [15] Claudio Guarnieri, a technologist at Amnesty International, stated: "what we learn from the disclosures and leaks of the last months is that unknown vulnerabilities are maintained secret even after they've been clearly lost, and that is plain irresponsible and unacceptable". [15]

Also in that year, WikiLeaks released the Vault 7 document series, which contains details of CIA exploits and tools; Julian Assange stated that WikiLeaks was working to "disarm" them before publication. [16] [17] Disarming cyberweapons may take the form of contacting the respective software vendors with information about the vulnerabilities in their products, as well as helping with, or independently developing (for open-source software), patches. The exploitation of hacking tools by third parties has particularly affected the United States National Security Agency (NSA). In 2016, information about NSA hacking tools was captured by a Chinese hacking group, APT3, which allowed it to reverse-engineer its own version of the tools. These were subsequently used against European and Asian nations, though the United States was not targeted. [18] [19] Later that year, an anonymous group called the "Shadow Brokers" leaked what are widely believed to be NSA tools online. [19] [20] The two groups are not known to be affiliated, and APT3 had access to the tools at least a year before the Shadow Brokers leak. [19] The leaked tools were developed by the Equation Group, a cyberwarfare group with suspected ties to the NSA. [19]

Among the tools leaked by the Shadow Brokers was EternalBlue, which the NSA had used to exploit bugs in Microsoft Windows. [5] This prompted Microsoft to issue updates to guard against the tool. [8] When the Shadow Brokers publicly released EternalBlue, it was quickly picked up by North Korean and Russian hackers, who built it into the ransomware WannaCry [5] and NotPetya, [6] respectively. NotPetya, which was initially launched in Ukraine but subsequently spread around the world, encrypted hard drives and demanded a ransom payment for the data, but never actually restored it. [6] [9]

In September 2018, the United States Department of Defense officially confirmed that the United States uses cyberweapons to advance national interests. [14]

Potential Regulations

While cyberweapons are not yet fully regulated, possible systems of regulation have been proposed. [2] One system would make cyberweapons subject to the criminal law of the country concerned when they are not used by a state, and subject to the international laws of warfare when they are. [2] Most proposed systems rely on international law and enforcement to stop the inappropriate use of cyberweaponry. [2] Given the novelty of these weapons, there has also been discussion of how pre-existing laws, not designed with cyberweapons in mind, apply to them. [2]

References

  1. Downes, Cathy (2018). "Strategic Blind-Spots on Cyber Threats, Vectors and Campaigns". The Cyber Defense Review. 3 (1): 79–104. ISSN 2474-2120. JSTOR 26427378.
  2. Stevens, Tim (2017-01-10). "Cyberweapons: an emerging global governance architecture". Palgrave Communications. 3 (1): 1–6. doi:10.1057/palcomms.2016.102. ISSN 2055-1045. S2CID 55150719.
  3. "Cyber Weapon Target Analysis". 2014-05-26.
  4. Tepperman, Jonathan (2021-02-09). "The Most Serious Security Risk Facing the United States". The New York Times. ISSN 0362-4331. Retrieved 2022-05-05.
  5. Nakashima, Ellen; Timberg, Craig (2017-05-16). "NSA officials worried about the day its potent hacking tool would get loose. Then it did". The Washington Post. Retrieved 2022-05-09.
  6. Brandom, Russell (2017-06-27). "A new ransomware attack is hitting airlines, banks and utilities across Europe". The Verge. Retrieved 2022-05-09.
  7. "Powerful 'Flame' Cyberweapon Torching Mideast Computers: Discovery News". News.discovery.com. 2012-05-30. Archived from the original on 2012-06-01. Retrieved 2012-12-07.
  8. "Infosecurity – 2012: The Year Malware Went Nuclear". Infosecurity-magazine.com. 2012-12-05. Retrieved 2012-12-07.
  9. Perlroth, Nicole (2012-05-28). "Virus Infects Computers Across Middle East". Iran: Bits.blogs.nytimes.com. Retrieved 2012-12-07.
  10. "Infosecurity – Kaspersky looks at the wreckage of Wiper malware". Infosecurity-magazine.com. 2012-08-29. Retrieved 2012-12-07.
  11. Farwell, James P.; Rohozinski, Rafal (2012-09-01). "The New Reality of Cyber War". Survival. 54 (4): 107–120. doi:10.1080/00396338.2012.709391. ISSN 0039-6338. S2CID 153574044.
  12. Farwell, James P.; Rohozinski, Rafal (2011-02-01). "Stuxnet and the Future of Cyber War". Survival. 53 (1): 23–40. doi:10.1080/00396338.2011.555586. ISSN 0039-6338. S2CID 153709535.
  13. Dooley, John F. (2018). "Cyber Weapons and Cyber Warfare". In Dooley, John F. (ed.). History of Cryptography and Cryptanalysis: Codes, Ciphers, and Their Algorithms. History of Computing. Cham: Springer International Publishing. pp. 213–239. doi:10.1007/978-3-319-90443-6_13. ISBN 978-3-319-90443-6. Retrieved 2022-05-05.
  14. "How Cyber Weapons Are Changing the Landscape of Modern Warfare". The New Yorker. 2019-07-18. Retrieved 2022-05-05.
  15. Cox, Joseph (2017-04-14). "Your Government's Hacking Tools Are Not Safe". Motherboard. Retrieved 2017-04-15.
  16. Fox-Brewster, Thomas. "Julian Assange: Wikileaks May Have Evidence CIA Spied On US Citizens". Forbes. Retrieved 2017-04-15.
  17. "WikiLeaks vows to disclose CIA hacking tools; CIA to investigate". SearchSecurity. Retrieved 2017-04-15.
  18. Perlroth, Nicole; Sanger, David E.; Shane, Scott (2019-05-06). "How Chinese Spies Got the N.S.A.'s Hacking Tools, and Used Them for Attacks". The New York Times. ISSN 0362-4331. Retrieved 2022-05-05.
  19. Doffman, Zak. "China Set Traps To Capture Dangerous NSA Cyberattack Weapons: New Report". Forbes. Retrieved 2022-05-05.
  20. Pagliery, Jose (2016-08-15). "Hacker claims to be selling stolen NSA spy tools". CNNMoney. Retrieved 2022-05-05.