{"id":16156,"date":"2019-08-23T10:45:16","date_gmt":"2019-08-23T18:45:16","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2019\/08\/23\/news-9899\/"},"modified":"2019-08-23T10:45:16","modified_gmt":"2019-08-23T18:45:16","slug":"news-9899","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2019\/08\/23\/news-9899\/","title":{"rendered":"What Is Cyberwar? The Complete WIRED Guide"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/media.wired.com\/photos\/5d487b14a95e1a0008d665a7\/master\/pass\/WIRED_Cyberwar_1080p.jpg\"\/><\/p>\n<p><strong>Credit to Author: Andy Greenberg | Date: Fri, 23 Aug 2019 11:00:00 +0000<\/strong><\/p>\n<p><span class=\"lede\">Not so long <\/span>ago, stories about cyberwar started with scary hypotheticals: What if state-sponsored hackers were to launch widespread attacks that blacked out entire cities? Crippled banks and froze ATMs across a country? Shut down shipping firms, oil refineries, and factories? Paralyzed airports and hospitals?<\/p>\n<p>Today, these scenarios are no longer hypotheticals: Every one of those events has now actually occurred. Incident by catastrophic incident, cyberwar has left the pages of overblown science fiction and the tabletops of Pentagon war games to become a reality. More than ever before, it\u2019s become clear that the threat of hacking goes beyond nuisance vandalism, criminal profiteering, and even espionage to include the sort of physical-world disruption that was once possible to accomplish only with military attacks and terroristic sabotage.<\/p>\n<p class=\"paywall\">So far, there\u2019s no clearly documented case of a cyberwar attack directly causing loss of life. But a single cyberwar attack has already caused as much as <a href=\"https:\/\/www.wired.com\/story\/notpetya-cyberattack-ukraine-russia-code-crashed-the-world\/\">$10 billion in economic damage<\/a>. 
Cyberwar has been used to terrorize individual companies and temporarily render entire governments comatose. It\u2019s <a href=\"https:\/\/www.wired.com\/story\/russian-hackers-attack-ukraine\/\">deprived civilians of basic services like power and heat<\/a>\u2014if only briefly, so far\u2014and, for longer stretches, of transportation and access to currency. Most disturbingly, cyberwar seems to be evolving in the hands of countries like Iran, North Korea, and Russia as they advance new disruptive and destructive cyberattack techniques. (The US and the rest of the English-speaking Five Eyes nations likely possess the most advanced cyberwar capabilities in the world, but have by all appearances shown more restraint than those other cyberwar actors in recent years.)<\/p>\n<p class=\"paywall\">All of which means the threat of cyberwar looms heavily over the future: a new dimension of conflict capable of leapfrogging borders and teleporting the chaos of war to civilians thousands of miles beyond its front.<\/p>\n<p class=\"paywall\">To understand the unique threat cyberwar poses to civilization, it\u2019s worth first understanding exactly how the word has come to be defined. The term <em>cyberwar<\/em> has, after all, gone through decades of evolution\u2014well chronicled in Thomas Rid\u2019s history of all things cyber, <a href=\"https:\/\/ridt.co\/machines\/\" target=\"_blank\"><em>Rise of the Machines<\/em><\/a>\u2014which has muddied its meaning: It first appeared in a 1987 <em>Omni<\/em> magazine article that described future wars fought with giant robots, autonomous flying vehicles, and autonomous weapons systems. 
But that <em>Terminator<\/em>-style idea of robotic cyberwar gave way in the 1990s to one that focused more on computers and the internet, which were increasingly transforming human life: A 1993 article by two analysts at the think tank RAND titled \u201c<a href=\"https:\/\/www.rand.org\/pubs\/reprints\/RP223.html\" target=\"_blank\">Cyberwar Is Coming!<\/a>\u201d described how military hackers would soon be used not only for reconnaissance and spying on enemy systems but also for attacking and disrupting the computers an enemy used for command-and-control.<\/p>\n<p class=\"paywall\">A couple of years later, however, RAND analysts would <a href=\"https:\/\/www.rand.org\/pubs\/monograph_reports\/MR797.html\" target=\"_blank\">start to realize that military hackers wouldn\u2019t necessarily limit their disruptive attacks to military computers<\/a>. They might just as easily attack the computerized and automated elements of an enemy\u2019s critical infrastructure, with potentially disastrous consequences for civilians: In a world increasingly reliant on computers, that could mean debilitating sabotage against railways, stock exchanges, airlines, and even the electric grid that underpins so many of those vital systems.<\/p>\n<p class=\"paywall\">Hacking didn\u2019t need to be confined to some tactic on the periphery of war: Cyberattacks could themselves be a weapon of war. 
It was perhaps that definition of cyberwar that President Bill Clinton had in mind in 2001 when he <a href=\"https:\/\/www.govinfo.gov\/content\/pkg\/PPP-2000-book1\/html\/PPP-2000-book1-doc-pg13-2.htm\" target=\"_blank\">warned in a speech<\/a> that \u201ctoday, our critical systems, from power structures to air traffic control, are connected and run by computers\u201d and that \u201csomeone can sit at the same computer, hack into a computer system, and potentially paralyze a company, a city, or a government.\u201d<\/p>\n<p class=\"paywall\">Since then, that definition for cyberwar has been honed into one that was perhaps most clearly laid out in the 2010 book <em><a href=\"https:\/\/www.harpercollins.com\/9780061962233\/cyber-war\/\" target=\"_blank\">Cyber War<\/a><\/em>, cowritten by Richard Clarke, a national security advisor to Presidents Bush, Clinton, and Bush, and Robert Knake, who would later serve as a cybersecurity advisor to President Obama. Clarke and Knake defined cyberwar as \u201cactions by a nation-state to penetrate another nation\u2019s computers or networks for the purpose of causing damage or disruption.\u201d Put more simply, that definition roughly encompasses the same things we\u2019ve always identified as \u201cacts of war,\u201d only now carried out by digital means. But as the world was learning by the time Clarke and Knake wrote that definition, digital attacks have the potential to reach out beyond mere computers to have real, physical consequences.<\/p>\n<p class=\"paywall\">The first major historical event that could credibly fit Clarke and Knake\u2019s definition\u2014what some have dubbed \u201c<a href=\"https:\/\/www.wired.com\/2007\/08\/ff-estonia\/\">Web War I<\/a>\u201d\u2014had arrived just a few years earlier. 
It hit one of the world\u2019s most wired countries: Estonia.<\/p>\n<p class=\"paywall\">In the spring of 2007, an unprecedented series of so-called distributed denial of service, or DDoS, attacks slammed more than a hundred Estonian websites, taking down the country\u2019s online banking, digital news media, government sites, and practically anything else that had a web presence. The attacks were a response to the Estonian government\u2019s decision to move a Soviet-era statue out of a central location in the capital city of Tallinn, angering the country\u2019s Russian-speaking minority and triggering protests on the city\u2019s streets and the web.<\/p>\n<p name=\"inset-left\" class=\"inset-left-component__el\"><strong>Cyberespionage<\/strong><\/p>\n<p name=\"inset-left\" class=\"inset-left-component__el\">Cyberwar is not simply stealing information, neither the global great game of nations spying on each other\u2019s governments nor the more controversial sort of private-sector economic espionage that the US has long accused China of carrying out.<\/p>\n<p name=\"inset-left\" class=\"inset-left-component__el\"><strong>Cybercrime<\/strong><\/p>\n<p name=\"inset-left\" class=\"inset-left-component__el\">Cyberwar is not profit-focused hacking like bank fraud or the ransomware attacks that seek to extort millions from victims\u2014that\u2019s cybercrime, no matter how cruel and costly its effects may sometimes be.<\/p>\n<p name=\"inset-left\" class=\"inset-left-component__el\"><strong>Information Warfare<\/strong><\/p>\n<p name=\"inset-left\" class=\"inset-left-component__el\">Cyberwar is not\u2014although this point may be the most debated\u2014the &quot;influence operations&quot; that seek to spread disinformation and propaganda, or to hurt an adversary by leaking damaging information about them. 
And yes, that includes the hack-and-leak operation that Russian government hackers used against Democratic targets in 2016, which ultimately boiled down to dirty politics and <em>kompromat,<\/em> not the directly coercive, paralytic disruption of true cyberwar.<\/p>\n<p class=\"paywall\">As the sustained cyberattacks wore on for weeks, however, it became clear that they were no mere cyberriots: The attacks were coming from botnets\u2014collections of PCs around the world hijacked with malware\u2014that belonged to organized Russian cybercriminal groups. Some of the attacks\u2019 sources even overlapped with earlier DDoS attacks that had a clear political focus, including attacks that hit the website of Garry Kasparov, the Russian chess champion and opposition political leader. Today security analysts widely believe that the attacks were condoned by the Kremlin, if not actively coordinated by its leaders.<\/p>\n<p class=\"paywall\">By the next year, that Russian government link to politically motivated cyberattacks was becoming more apparent. Another, very similar series of DDoS attacks struck dozens of websites in another Russian neighbor, Georgia. This time they accompanied an actual physical invasion\u2014a Russian intervention to \u201cprotect\u201d Russia-friendly separatists within Georgia\u2019s borders\u2014complete with tanks rolling toward the Georgian capital and a Russian fleet blockading the country\u2019s coastline on the Black Sea. In some cases, digital attacks would hit web targets associated with specific towns just ahead of military forces\u2019 arrival, another suggestion of coordination.<\/p>\n<p class=\"paywall\">The 2008 Georgian war was perhaps the first real hybrid war in which conventional military and hacker forces were combined. 
But given Georgia\u2019s low rate of internet adoption\u2014about <a href=\"https:\/\/ccdcoe.org\/library\/publications\/international-cyber-incidents-legal-considerations\/\" target=\"_blank\">7 percent of Georgians used the internet at the time<\/a>\u2014and Russia\u2019s relatively simplistic cyberattacks, which merely tore down and defaced websites, it stands as more of a historic harbinger of cyberwar than the real thing.<\/p>\n<p class=\"paywall\">The world\u2019s conception of cyberwar changed forever in 2010. It started when VirusBlokAda, a security firm in Belarus, found a mysterious piece of malware that crashed the computers running its antivirus software. By September of that year, the security research community had come to the shocking conclusion that the specimen of malware, dubbed Stuxnet, was in fact the most sophisticated piece of code ever engineered for a cyberattack, and that it was specifically designed to destroy the centrifuges used in Iran\u2019s nuclear enrichment facilities. (That detective work is best captured in Kim Zetter\u2019s definitive book <em><a href=\"https:\/\/www.penguinrandomhouse.com\/books\/219931\/countdown-to-zero-day-by-kim-zetter\/9780770436193\/\" target=\"_blank\">Countdown to Zero Day<\/a><\/em>.) It would be nearly two more years before <em>The New York Times<\/em> <a href=\"https:\/\/www.nytimes.com\/2012\/06\/01\/world\/middleeast\/obama-ordered-wave-of-cyberattacks-against-iran.html\" target=\"_blank\">confirmed that Stuxnet was a creation of the NSA and Israeli intelligence<\/a>, intended to hamstring Iran\u2019s attempts to build a nuclear bomb.<\/p>\n<p class=\"paywall\">Over the course of 2009 and 2010, Stuxnet had destroyed more than a thousand of the six-and-a-half-foot-tall aluminum centrifuges installed in Iran\u2019s underground nuclear enrichment facility in Natanz, throwing the facility into confusion and chaos. 
After spreading through the Iranians&#x27; network, it had injected commands into the so-called programmable logic controllers, or PLCs, that governed the centrifuges, speeding them up or manipulating the pressure inside them until they tore themselves apart. Stuxnet would come to be recognized as the first cyberattack ever designed to directly damage physical equipment, and an act of cyberwar that has yet to be replicated in its virtuosic destructive effects. It would also serve as the starting pistol shot for the global cyber arms race that followed.<\/p>\n<p class=\"paywall\">Iran soon entered that arms race, this time as aggressor rather than target. In August of 2012, the Saudi Arabian firm Saudi Aramco, one of the world\u2019s largest oil producers, was <a href=\"https:\/\/www.nytimes.com\/2012\/10\/24\/business\/global\/cyberattack-on-saudi-oil-firm-disquiets-us.html\" target=\"_blank\">hit with a piece of malware known as Shamoon that wiped 35,000 of the company\u2019s computers<\/a>\u2014about three-quarters of them\u2014leaving its operations essentially paralyzed. On the screens of the crippled machines, the malware left an image of a burning American flag. A group calling itself \u201cCutting Sword of Justice\u201d claimed credit for the attack as an activist statement, but cybersecurity analysts quickly suspected that Iran was ultimately responsible, and had used the Saudis as a proxy target in retaliation for Stuxnet.<\/p>\n<p class=\"paywall\">The next month, Iranian hackers <a href=\"https:\/\/www.nytimes.com\/2013\/01\/09\/technology\/online-banking-attacks-were-work-of-iran-us-officials-say.html\" target=\"_blank\">calling themselves Operation Ababil hit every major US bank<\/a>, knocking their websites offline with sustained volleys of DDoS attacks, a far more focused version of the takedown technique Russians had used against sites in Estonia and Georgia. 
Again, cybersecurity analysts detected the hand of Iran\u2019s government in the attack\u2019s sophistication despite the \u201chacktivist\u201d front, perhaps a more direct message from Iran\u2019s state-sponsored hackers that any future US cyberattacks wouldn\u2019t go unanswered. A little over a year later, in February 2014, Iranian hackers launched another, more targeted attack on American soil: Following public comments from Zionist billionaire Sheldon Adelson suggesting the US use a nuclear weapon on Iran, <a href=\"https:\/\/www.bloomberg.com\/news\/articles\/2014-12-11\/iranian-hackers-hit-sheldon-adelsons-sands-casino-in-las-vegas\" target=\"_blank\">sophisticated hackers hit Adelson\u2019s Las Vegas Sands casino<\/a>, using destructive malware to wipe thousands of computers, just as in the Saudi Aramco case.<\/p>\n<p class=\"paywall\">By 2014, Iran was no longer the only rogue nation exploiting the potential for cyberattacks to reach across the globe and inflict pain against civilian targets. North Korea, too, was flexing its cyberwar muscles. After years of staging punishing DDoS attacks on its favorite adversary, South Korea, North Korean hackers launched a more daring operation: In December 2014, <a href=\"https:\/\/www.wired.com\/2014\/12\/sony-hack-what-we-know\/\">hackers revealed they had deeply penetrated the network of Sony Pictures<\/a> ahead of its release of <em>The Interview<\/em>, a low-brow comedy movie about an assassination plot against North Korean dictator Kim Jong-un. The hackers, calling themselves the Guardians of Peace, stole and leaked reams of emails along with several unreleased films. They capped off their raid by wiping thousands of computers. (Though the leaks might be called a mere influence operation, the disruptive data deletion pushes the incident across the cyberwar line.) 
The hackers left a menacing image of a skeleton on the wiped computers, along with an extortion message; they demanded both money and that the release of <em>The Interview<\/em> be canceled. Despite that cybercriminal ruse, the FBI publicly named the North Korean government as the perpetrator of the attack, based in part on a slip-up that <a href=\"https:\/\/www.wired.com\/2015\/01\/fbi-director-says-north-korean-hackers-sometimes-failed-use-proxies-sony-hack\/\">revealed a Chinese IP address known to be used by North Korean hackers<\/a>. The roster of global powers entering the fray of cyberwar was growing.<\/p>\n<p class=\"paywall\">Even as North Korean and Iranian hackers wreaked havoc in attacks like the ones against Las Vegas Sands and Sony Pictures, cyberwar circa 2014 was limited to isolated incidents and periodic acts of disruption. Around the same time, however, Ukraine was undergoing a revolution\u2014one that would trigger a Russian invasion and lay the groundwork for the <a href=\"https:\/\/www.wired.com\/story\/russian-hackers-attack-ukraine\/\">world\u2019s first full-blown, <em>real<\/em> cyberwar<\/a>.<\/p>\n<p class=\"paywall\">In the fall of 2015, after Russian troops had annexed Ukraine&#x27;s Crimean peninsula and slipped across Ukraine\u2019s eastern border to rally a pro-Russian separatist movement in the region of Donbas, Russian intelligence hackers began unleashing a series of wiper malware attacks. They targeted Ukrainian media and infrastructure, including its national railway and Kyiv&#x27;s airport, destroying hundreds of computers across those victims&#x27; networks. 
Then, the day before Christmas, the same hackers carried out a far more shocking and unprecedented act of sabotage: They attacked three Ukrainian regional energy utilities, <a href=\"https:\/\/www.wired.com\/2016\/03\/inside-cunning-unprecedented-hack-ukraines-power-grid\/\">turning out the lights to about 225,000 civilians<\/a>, the first known blackout in history ever to be caused by a cyberattack. The outage lasted just six hours, but it sent a powerful message to the Ukrainian populace about their vulnerability to remote attacks\u2014and to the world about the evolving prowess of Russian hackers.<\/p>\n<p class=\"paywall\">As Ukraine\u2019s war wore on, Russian hackers launched another series of attacks in late 2016, much broader and more brazen than the year before. They hit the country\u2019s pension fund, treasury, seaport authority, and ministries of infrastructure, defense, and finance\u2014deleting terabytes of data that included the next year\u2019s budget. They also hit Ukraine\u2019s railway company, knocking out its online booking system for days during peak holiday travel season.<\/p>\n<p><span><strong>Estonia 2007:<\/strong> When the Estonian government decided in April 2007 to move a statue of a Russian soldier from the center of its capital in Tallinn, the move touched off massive protests by the country\u2019s Russian-speaking minority. Those riots were accompanied by a wave of crude distributed denial-of-service attacks that took down hundreds of Estonian websites, likely launched with the backing of the Russian government.<\/span><\/p>\n<p><span><strong>Georgia 2008:<\/strong> The next year, very similar cyberattacks were used during Russia\u2019s war in Georgia, bombarding the country\u2019s web sites at the same time as Russian tanks rolled toward its capital and Russian ships blockaded its coastline. 
As relatively crude as the online attacks may have been, they were perhaps the first time that widescale digital attacks were combined with a physical invasion.<\/span><\/p>\n<p><span><strong>Stuxnet, 2009:<\/strong> Starting in 2009, an ingenious piece of malware known as Stuxnet began to infiltrate the network of Iran\u2019s nuclear enrichment facility at Natanz, silently altering the settings of its fragile centrifuges to destroy them and sabotage the country\u2019s quest for a nuclear weapon. Only when the worm accidentally spread to the rest of the world in 2010 was the operation revealed and, two years later, confirmed to be the work of the NSA and Israeli intelligence.<\/span><\/p>\n<p><span><strong>Saudi Aramco, 2012:<\/strong> Just two months after Stuxnet was confirmed to be a US- and Israeli-led operation, a piece of malware known as Shamoon hit oil giant Saudi Aramco, destroying 35,000 computers. The attack, the largest of its kind ever seen at the time, was quickly tied to Iranian hackers, and seen as a proxy attack against US interests in retaliation for Stuxnet\u2019s sabotage.<\/span><\/p>\n<p><span><strong>Sony, 2014:<\/strong> In late 2014, hackers calling themselves the Guardians of Peace ripped through the network of Sony Pictures, stole and leaked vast amounts of data including unreleased films, destroyed thousands of computers, and demanded that Sony not release its Kim Jong Un assassination comedy, \u201cThe Interview.\u201d Though the hackers at first appeared to be cybercriminals demanding a ransom, the FBI soon revealed that they were in fact North Korean state-sponsored hackers.<\/span><\/p>\n<p><span><strong>Ukraine, 2015:<\/strong> Two days before Christmas in 2015, Russian hackers triggered the first-ever blackout induced by a cyberattack, turning off the power to hundreds of thousands of Ukrainians. 
The attack came in the midst of Russia\u2019s physical invasion of the country\u2019s eastern region and Crimean peninsula, and was both preceded and followed by a severe series of data-destroying attacks, culminating in another blackout targeting the country\u2019s capital in late 2016.<\/span><\/p>\n<p><span><strong>NotPetya, June 2017:<\/strong> Russia\u2019s cyberwar against Ukraine climaxed in June of 2017, when it released the NotPetya malware, seeding the data-destroying worm onto thousands of machines via the hijacked software updates of the Ukrainian accounting software M.E.Doc. But as NotPetya devastated Ukraine\u2019s networks, it also spread to multinationals like Maersk, Merck, FedEx, and many others, causing a record-breaking $10 billion in damages.<\/span><\/p>\n<p><span><strong>Triton\/Trisis, August 2017:<\/strong> Just months after NotPetya, an oil refinery owned by Saudi Arabian firm Petro Rabigh was shut down by a sophisticated piece of malware known as Triton or Trisis. But it could have been much worse: Analysts found that the mysterious malware, which showed traces of a Russian science institute\u2019s fingerprints, had been designed to turn off safety systems in the plant, potentially triggering a lethal accident.<\/span><\/p>\n<p class=\"paywall\">Then, a week before Christmas, the hackers triggered another blackout, this time in the capital city of Kyiv. The attack only knocked out a fraction of the city\u2019s power for a single hour, but did so by hitting a transmission station rather than distribution substations as the hackers had a year before, a form of targeting that could have caused a far more widespread blackout. That second blackout attack also used a new, foreboding tool, something security researchers have <a href=\"https:\/\/www.wired.com\/story\/crash-override-malware\/\">named Industroyer or Crash Override<\/a>. 
This custom-made malware was designed to send rapid-fire commands directly to circuit breakers in a victim utility, automating the power-killing process and scaling it up so that it could, in the future, be used simultaneously against multiple facilities.<\/p>\n<p class=\"paywall\">That Russian malware was the first specimen of code found in the wild since Stuxnet that directly targeted physical equipment. The tool featured a modular structure that would allow it to be easily adapted to other grid targets in Western Europe or the US, all signs that Russia\u2019s hackers were seeking not only to inflict more disruption and terror against Ukrainians but also to experiment with and demonstrate sabotage techniques they might easily use elsewhere.<\/p>\n<p class=\"paywall\">In fact, all of those attacks were just a prelude to the main event of the cyberwar being waged against Ukraine. In late June of 2017, Russian hackers used the hacked servers of the Ukrainian accounting firm Linkos Group to push out a piece of code that would <a href=\"https:\/\/www.wired.com\/story\/notpetya-cyberattack-ukraine-russia-code-crashed-the-world\/\">come to be called NotPetya<\/a>. Combining the leaked NSA hacking program EternalBlue and the password-stealing tool Mimikatz into an automated worm, it spread almost instantly to an estimated 10 percent of all the computers in Ukraine, encrypting their contents with a destructive payload disguised to look like ransomware, but with no mechanism for actually decrypting files after the victim paid a ransom. (It appeared, at first, to be a version of the older Petya ransomware used by cybercriminals, but was not\u2014hence its name.) 
Across Ukraine, it shut down banks, ATMs, and point-of-sale systems, paralyzing nearly all the country\u2019s government agencies and crippling infrastructure like airports and railways, along with hospitals, the national post office, and even the operation monitoring radioactivity levels at the ruins of the Chernobyl nuclear power plant.<\/p>\n<p class=\"paywall\">But NotPetya\u2019s virulence wasn\u2019t contained by national borders. It also hit A.P. M\u00f8ller-Maersk, the world\u2019s largest shipping firm; US pharmaceutical company Merck; FedEx\u2019s European subsidiary TNT Express; French construction company Saint-Gobain; food producer Mondelez; and manufacturer Reckitt Benckiser. In each of those cases, it saturated networks, killing thousands of computers and inflicting hundreds of millions of dollars in lost business and cleanup costs. It struck at least two US hospitals and shut down the speech-to-text software firm Nuance, which provided medical record transcription services to more than a hundred more hospitals and clinics. NotPetya even spread back to Russia, inflicting further collateral damage on victims like the state oil company Rosneft, steelmaker Evraz, medical technology firm Invitro, and Sberbank. In all, a White House estimate would later put the cost of NotPetya at $10 billion at least, though the full extent of its damage may never be known.<\/p>\n<p class=\"paywall\">And yet, it could still get worse. Few cybersecurity analysts will take the bet that NotPetya will remain a one-off catastrophe. Just a month before that worm, after all, <a href=\"https:\/\/www.wired.com\/2017\/05\/wannacry-ransomware-link-suspected-north-korean-hackers\/\">North Korean hackers had launched their own ransomware worm known as WannaCry<\/a> that was nearly as destructive. 
It shut down networks as far-flung as Chinese universities, Indian police departments, and even the British National Health Service, causing thousands of medical appointments to be canceled across the UK and ultimately costing between <a href=\"https:\/\/www.cbsnews.com\/news\/wannacry-ransomware-attacks-wannacry-virus-losses\/\" target=\"_blank\">$4 and<\/a> <a href=\"https:\/\/www.reinsurancene.ws\/reinsurance-take-minimal-share-8-billion-wannacry-economic-loss-m-best\/\" target=\"_blank\">$8 billion<\/a>. (While WannaCry shows the potential for other nation-states to launch such megaworms, it doesn\u2019t necessarily count as a clear act of cyberwar itself, given that WannaCry did actually seem intended to collect ransoms from victims. The North Korean government, uniquely among global cyberpowers, focuses on cybercriminal profit as much as politically motivated attacks.)<\/p>\n<p class=\"paywall\">There are hints of how a future cyberattack might cause even more disruption, or even physical destruction. In August 2017, <a href=\"https:\/\/www.wired.com\/story\/triton-malware-targets-industrial-safety-systems-in-the-middle-east\/\">a piece of malware called Triton or Trisis triggered the shutdown of an oil refinery<\/a> owned by the <a href=\"https:\/\/www.eenews.net\/stories\/1060123327\" target=\"_blank\">Saudi Arabian firm Petro Rabigh<\/a>. After months of reverse-engineering, security researchers determined that the malicious code wasn\u2019t actually intended to cause a shutdown, but instead was aimed at silently disabling the so-called safety-instrumented systems of the plant\u2014the equipment that serves as a last-ditch technological safeguard to prevent unsafe conditions, like a buildup of temperature or pressure. 
Stealthily borking those systems could have led to potentially lethal accidents like an explosion or gas leak.<\/p>\n<p class=\"paywall\">It\u2019s still far from clear who the hackers responsible for that ultra-dangerous malware are, or what country they might be working for. While Iran quickly became the prime target of security industry speculation\u2014given its tension and proxy wars with Saudi Arabia\u2014in late 2018 security firm FireEye <a href=\"https:\/\/www.wired.com\/story\/triton-malware-russia-industrial-controls\/\">uncovered fingerprints that linked back to Moscow\u2019s Central Scientific Research Institute of Chemistry and Mechanics<\/a>. That could mean that Russia was responsible for the attack, or merely that Russian malware developers were working on behalf of Iranian or another country\u2019s hackers. (Iran, meanwhile, has over the past three years continued to <a href=\"https:\/\/unit42.paloaltonetworks.com\/unit42-shamoon-2-delivering-disttrack\/\" target=\"_blank\">periodically launch new waves of data destruction<\/a> against targets in Saudi Arabia, Qatar, and the United Arab Emirates with revamped versions of the Shamoon wiper malware it used against Saudi Aramco.)<\/p>\n<p class=\"paywall\">Aside from the prospect of attacks on safety systems and the looming possibility of another NotPetya-style worm, plenty of other nightmare hypotheticals continue to trouble the sleep of cyberwar wonks. They fear cyberattacks on water distribution systems, financial systems, gas pipelines, hospitals\u2014perhaps even combined with a mass-casualty physical attack. And after the blackout attacks in Ukraine, they warn that far more severe attacks on the electric grid are possible. 
Way back in 2007, for instance, US researchers at Idaho National Laboratory showed in a demonstration that it was possible to <a href=\"https:\/\/www.muckrock.com\/news\/archives\/2016\/nov\/14\/aurora-generator-test-homeland-security\/\" target=\"_blank\">destroy a tank-sized diesel generator with malicious code alone<\/a>. (See the video of their demonstration below.) That notion\u2014of a cyberattack that doesn\u2019t merely disable grid equipment but physically destroys its components\u2014still haunts grid-focused cybersecurity analysts. They warn that such a tactic, particularly if it were used on multiple targets simultaneously, could cause blackouts extending far beyond the mere hours of Ukraine\u2019s hacker blackouts, stretching for days or weeks.<\/p>\n<p><iframe loading=\"lazy\"  src=\"https:\/\/www.youtube.com\/embed\/LM8kLaJ2NDU\" width=\"100%\" height=\"420\" frameborder=\"0\" ><\/iframe> <\/p>\n<p class=\"paywall\">While the US has largely been spared from targeted cyberwar attacks\u2014the collateral devastation of NotPetya aside\u2014US intelligence warns that countries like China and Russia have already infiltrated American infrastructure to \u201cprepare the battlefield\u201d for any future cyberconflict. \u201cChina has the ability to launch cyber attacks that cause localized, temporary disruptive effects on critical infrastructure\u2014such as disruption of a natural gas pipeline for days to weeks\u2014in the United States,\u201d noted a <a href=\"https:\/\/www.dni.gov\/files\/ODNI\/documents\/2019-ATA-SFR%E2%80%94SSCI.pdf\" target=\"_blank\">report from the Office of the Director of National Intelligence<\/a> earlier this year. 
\u201cMoscow is mapping our critical infrastructure with the long-term goal of being able to cause substantial damage.\u201d Unspoken in such reports is the near certainty that America&#x27;s own hackers are laying the same logic bombs inside foreign networks, too.<\/p>\n<p class=\"paywall\">Given that seemingly inexorable ramp-up of cyberwar&#x27;s destructive potential, how do humans head off a chaotic future of endless, widespread digital conflict? The most obvious answer is, of course, better cybersecurity: The owners of critical infrastructure across the government and private sector could certainly invest more in hardening their networks, separating vital systems from the internet wherever possible. But in cyberwar, as in the larger game of cybersecurity, the offense has the advantage: Don&#x27;t expect any security technology to prevent all future cyberattacks. Perhaps most importantly, critical infrastructure operators, government agencies, and companies need to focus on building <em>resilient<\/em> systems\u2014ones whose backups and redundancies mean that they can bounce back quickly from serious cyberattacks.<\/p>\n<p class=\"paywall\">But cyberwar wonks also say that old-fashioned <em>deterrence<\/em> needs to play a role, too. Countries need to face serious repercussions when they launch a cyberattack that violates some sort of red lines defining global norms of acceptable and unacceptable hacking activities. The Obama and Trump White Houses have taken the first steps to that kind of deterrence regime: The Obama administration indicted seven Iranian hackers for their roles in attacking US banks. Obama himself called out North Korea for its Sony cyberattack in a speech, and <a href=\"https:\/\/www.cnbc.com\/2018\/09\/06\/north-korean-hackers-will-be-charged-for-sony-pictures-wannacry-ransomware-attacks.html\" target=\"_blank\">imposed new sanctions against the country<\/a>. 
The Trump administration, for all its alleged friendliness toward Russian hackers, did eventually <a href=\"https:\/\/www.wired.com\/story\/russia-sanctions-ira-gru-white-house\/\">impose new sanctions against the country&#x27;s intelligence officials in response to their NotPetya chaos and operations that penetrated the US power grid<\/a>.<\/p>\n<p class=\"paywall\">But those actions aren&#x27;t enough, in part because the red lines they seek to enforce are still being drawn. For nearly a decade, cyberpolicy doves have been calling, largely in vain, for some sort of global treaty or convention that could establish rules for cyberwarfare. In their 2010 book <em>Cyber War<\/em>, Clarke and Knake proposed a Cyber War Limitation Treaty, which would ban first-use attacks on another country&#x27;s critical infrastructure. More recently, Microsoft president Brad Smith has called for a <a href=\"https:\/\/www.microsoft.com\/en-us\/cybersecurity\/content-hub\/a-digital-geneva-convention-to-protect-cyberspace\" target=\"_blank\">Digital Geneva Convention<\/a> that would prohibit cyberattacks on civilian targets. Josh Corman, a former director of the Cyber Statecraft Initiative at the Atlantic Council think tank, has suggested a more limited agreement that he describes as a &quot;cyber no-fly-zone&quot; around hospitals, one that would essentially start the process of limiting cyberwarfare by making any life-threatening attack on medical facilities a war crime.<\/p>\n<p class=\"paywall\">But as the cyberwar arms race escalates, none of those cyberpeace initiatives has gained much traction. Critics point out that cyberattack motives are hard to define\u2014a cyberespionage or reconnaissance intrusion can often look a lot like a cyberwar attack in progress\u2014and determining the identities of the hackers responsible can be even harder. 
(That so-called attribution problem hasn&#x27;t stopped the US government from definitively naming the governments responsible for most serious attacks that affected Western targets over the last decade. US intelligence agencies can use both human sources and their own powerful hacking capabilities to find the culprits behind cyberattacks even when the public can&#x27;t.)<\/p>\n<p class=\"paywall\">More fundamentally, governments haven&#x27;t been willing to sign on to cyberwar limitation agreements because they don&#x27;t want to limit their own freedom to launch cyberattacks at their enemies. America may be vulnerable to crippling cyberattacks carried out by its foes, but US leaders are still hesitant to hamstring America\u2019s own NSA and Cyber Command, who are likely the most talented and well-resourced hackers in the world. The Trump administration has only loosened the leash on Cyber Command, elevating its authority and freeing it up to launch preemptive attacks on enemy infrastructure. Just this year, Cyber Command has reportedly used those new authorities to <a href=\"https:\/\/www.wired.com\/story\/cyber-command-ira-strike-sends-signal\/\">fry the servers of the Russian troll farm known as the Internet Research Agency<\/a>, <a href=\"https:\/\/news.yahoo.com\/pentagon-secretly-struck-back-against-iranian-cyber-spies-targeting-us-ships-234520824.html\" target=\"_blank\">target disruptive attacks on Iranian cyberspies<\/a>, and <a href=\"https:\/\/www.nytimes.com\/2019\/06\/15\/us\/politics\/trump-cyber-russia-grid.html\" target=\"_blank\">plant potentially disruptive malware deep in Russia\u2019s power grid<\/a>.<\/p>\n<p class=\"paywall\">In other words, the US and other world powers still haven\u2019t realized that they have more to lose in an exchange of scorched-earth cyberattacks than to gain. 
Until they do, the cyberwar machine will roll onward, with nothing less than the infrastructure of modern civilization in its destructive path.<\/p>\n<p><strong><a href=\"https:\/\/www.wired.com\/story\/notpetya-cyberattack-ukraine-russia-code-crashed-the-world\/?GuidesLearnMore\">The Untold Story of NotPetya, the Most Devastating Cyberattack in History<\/a><\/strong><br \/>The weapon\u2019s target was Ukraine. But its blast radius was the entire world. \u201cIt was the equivalent of using a nuclear bomb to achieve a small tactical victory.\u201d<\/p>\n<p><strong><a href=\"https:\/\/www.wired.com\/story\/israel-hamas-cyberattack-air-strike-cyberwar\/?GuidesLearnMore\">What Israel&#x27;s Strike on Hamas Hackers Means For Cyberwar<\/a><\/strong><br \/>The assault seems to be the first true example of a physical attack being used as a real-time response to digital aggression\u2014another evolution of so-called &quot;hybrid warfare.&quot;<\/p>\n<p><strong><a href=\"https:\/\/www.wired.com\/story\/russia-cyberwar-escalation-power-grid\/?GuidesLearnMore\">How Not To Prevent a Cyberwar With Russia<\/a><\/strong><br \/>As the Trump administration increasingly beats its cyberwar drum, some former national security officials and analysts warn that even threatening that sort of attack could do far more to escalate a coming cyberwar than to deter it.<\/p>\n<p><strong><a href=\"https:\/\/www.wired.com\/story\/triton-hackers-scan-us-power-grid\/?GuidesLearnMore\">The Highly Dangerous &#x27;Triton&#x27; Hackers Have Probed the US Grid<\/a><\/strong><br \/>Security analysts at the Electric Information Sharing and Analysis Center and the critical-infrastructure security firm Dragos tracked a group of sophisticated hackers carrying out broad scans of dozens of US power grid targets, apparently looking for entry points into their networks. 
They probed the networks of at least 20 different US electric system targets.<\/p>\n<p><strong><a href=\"https:\/\/www.wired.com\/story\/hacking-a-power-grid-in-three-not-so-easy-steps\/?GuidesLearnMore\">How Power Grid Hacks Work, and When You Should Panic<\/a><\/strong><br \/>The threat is real, but not every grid penetration calls for Defcon 1. Responding to them all with an equal sense of alarm is like conflating a street mugging with an intercontinental ballistic missile attack.<\/p>\n<p class=\"paywall\"><em>Last updated August 22, 2019.<\/em><\/p>\n<p class=\"paywall\"><em>Enjoyed this deep dive? Check out more <a href=\"https:\/\/www.wired.com\/tag\/wired-guide\/\">WIRED Guides<\/a>.<\/em><\/p>\n<p><a href=\"https:\/\/www.wired.com\/story\/cyberwar-guide\" target=\"bwo\" >https:\/\/www.wired.com\/category\/security\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/media.wired.com\/photos\/5d487b14a95e1a0008d665a7\/master\/pass\/WIRED_Cyberwar_1080p.jpg\"\/><\/p>\n<p><strong>Credit to Author: Andy Greenberg| Date: Fri, 23 Aug 2019 11:00:00 +0000<\/strong><\/p>\n<p>The threat of cyberwar looms over the future: a new dimension of conflict capable of leapfrogging borders and teleporting the chaos of war to civilians thousands of miles beyond its 
front.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10378,10607],"tags":[714,21465],"class_list":["post-16156","post","type-post","status-publish","format-standard","hentry","category-security","category-wired","tag-security","tag-security-national-security"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/16156","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=16156"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/16156\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=16156"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=16156"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=16156"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}