During the clash Russia hit Georgia with a campaign of hybrid warfare that included massive cyberattacks on the websites of officials, ministries, and other sites. The campaign against Georgia started three weeks before the August 7, 2008 assault on Ossetia. 30 On July 20, 2008, the Georgian president’s office suffered a denial-of-service attack that shut down its website. As the conflict ensued, Russia used its cyber assets both to send pro-Russian messages aimed at the former Soviet state and to render the online resources of the Georgians useless. On August 8, 2008, hackers used an early variant of BlackEnergy malware to conduct distributed denial-of-service (DDoS) attacks against Georgian government websites as Russian forces invaded. 31 This is perhaps the first time conventional combat has been joined with cyber warfare operations. The aim of the attacks was to shape public opinion and control Georgian communications.
The attacks were well planned and well targeted to gain the maximum effect of creating a digital outage for Georgian authorities, including stopping their ability to get messages out to seek support. Georgia was blindsided and blinded at the same time. Analysts later determined that Russian nationalists who had received advance warning conducted the attacks. Russia recruited these hackers via social media forums. The use of patriot hackers in this operation would set the pace for future hands-off operations. Russia’s use of hackers and cyber militias under a nationalistic banner proved effective against the Georgian authorities. 32
Pro-Russian websites were launched during the war in South Ossetia. Unlike the attacks on Estonia, the attacks on Georgia’s cyber systems used botnets, waves of self-replicating cyber agents, to engage in a distributed attack. As of 2016, the Cyber Bears APT28 and APT29 continue peripheral attacks on Georgia with spear-phishing campaigns aimed at the administration and military. 33
Lithuania Under Attack: June 2008
In 2008, the Lithuanian Parliament passed a series of amendments that aimed to prohibit the display of the symbols of both Nazi Germany and the Soviet Union. This would include depictions of Nazi or Soviet leaders and Nazi or Soviet symbols, including the swastika and the hammer and sickle. 34
In response to this law, more than three hundred websites suffered both vandalism and DoS attacks. 35 Most of the sites were co-located with the same server host. 36 Hackers defaced the websites with anti-Lithuanian messages and images of the Soviet hammer and sickle. 37 The sites affected included the Lithuanian Socialist Democratic Party, the Securities and Exchange Commission, government agencies, and private enterprises.
Though officials in Lithuania said they could not prove the attacks were conducted or orchestrated by Russia, it was clear the attacks were tied to the laws passed banning Soviet symbols. The government said the attacks came from an array of computers from outside the country.
Kyrgyzstan: January 18, 2009
On January 17, 2009, an official of the Kyrgyzstan government informed the United States that the Manas Air Force Base outside of Bishkek would close. The United States had been using the base since December 2001 as part of the effort in Afghanistan. The official said that the base closure would come in days as a result of Russian pressure. Just a month before, Russia’s top general Nikolai Makarov accused the United States of planning to expand its number of bases in the region.
To drive the point home, a series of DoS attacks hit Kyrgyzstan’s two main internet service providers, essentially knocking out the internet, websites, and email for the country. 38 Though there are no conclusive reports that definitively name the responsible party, many firms state the attack appeared to be tied to the decision to let the U.S. use the Bishkek base as a logistics center for the war in Afghanistan. The attacks were attributed to “cyber militias,” much like the attacks in the Russo-Georgian conflict just a few months before.
Despite the base having been in operation for nearly eight years, on February 3, 2009, Kyrgyzstan President Bakiyev announced that it would close. This was a major victory for Russian control over Central Asia. After Kyrgyzstan complied with Russia’s demands, it received a multimillion-dollar aid package. 39
Ukraine Power knocked out by Sandworm: December 23, 2015
Three Ukrainian power companies came under attack by the Sandworm tool set after employees downloaded BlackEnergy3 malware packages. According to an investigation by Robert M. Lee, former U.S. Air Force cyber warfare operations officer and co-founder of Dragos Security, the infections started in spring of 2015.
Attackers engaged in a spear-phishing campaign using infected Word documents aimed at system administrators and IT staff at the facilities. The targets who opened the Word document saw a prompt asking them to click to “enable macros,” which installed the BlackEnergy3 malware. It is notable that macro-based attacks had been in decline until the time of this attack, but were now on the rise. 40 After the malware successfully installed, it began to scan for paths to the supervisory control and data acquisition (SCADA) networks, which would allow the attackers to take control of the plant’s control systems. 41 All of this would be exceptionally risky at many power plants, but it turned out that Ukrainian security was above average and even outclassed many U.S. facilities. The networks were all very well segregated via firewalls, but the CYBER BEARS stole in anyway. 42
One of the plant operators stated he saw the attackers take control of one of the computer terminals and successfully search for the panel that controlled circuit breakers. The attackers began to take down the power grid in front of his eyes. Though he tried to regain control of the computer, it was too late. The attackers locked him out and continued their task of shutting down around thirty electrical substations.
After the breach, the attackers used an eraser program called “KillDisk,” which wiped out major sectors of files, corrupted master boot records, and essentially rendered the systems useless without taking them offline and replacing them. The attackers reconfigured the backup generators in a manner that disabled them so the repair crew had to tough it out in the dark.
To top this off, they didn’t do this just once: the attackers simultaneously hit three power stations belonging to the Ukrainian power company Kyivoblenergo in the Ivano-Frankivsk Region. 43 They also struck Prykarpatyaoblenergo with an outage that affected 80,000 customers, as well as the Chernivtsioblenergo station. 44 In total, an estimated 225,000 people were affected for nearly six hours. The companies restored power by going back to manual control. Power had to be restored manually because many systems had been destroyed by the “KillDisk” deletions.
To make all of this more complicated, a Telephone Denial-of-Service (TDoS) attack on the telephone system flooded the circuits with bogus calls, which prevented citizens from alerting the power companies about outages.
The Warsaw Stock Exchange aka The Cyber Caliphate False Flag Attack #1: October 24, 2014
After the website for the Warsaw Stock Exchange went offline for two hours, a Pastebin message screamed to the world, “Today, we HACKED Warsaw Stock Exchange!” and “To be continued! Allahu Akbar!” Authorities initially credited the Cyber Caliphate, a hacker group that claims allegiance to ISIS and works in association with the United Cyber Caliphate groups. The message posted on Pastebin, an online bulletin board, said the hack was in retaliation for Polish bombing of the “Islamic State.” 45
Initially, many accepted that ISIS-affiliated hackers were responsible, but the techniques, tools, and, more importantly, digital footprints suggested the attackers came from Russia. This is an old spycraft technique called a False Flag operation: a deception in which one entity is blamed for the actions of another. The false flag cover didn’t last, as forensic analysts demonstrated that Russian hackers had posed as ISIS and let them take the blame. 46 It was later revealed that the hackers stole details on investors and on the stock exchange’s network, including credentials authorizing access to customer accounts. 47