Cyberwarfare: the cybernetic war between states. Famous cases

War in the third millennium is fought also in Cyberspace, which has become the fifth war space. More and more, states use cybernetic weapons to hit strategic systems and infrastructures in other countries.

1. Cyberwarfare: war is fought in the fifth war space

The attack of Russia against Ukraine has brought Cyberwarfare, meaning the cybernetic war between states, to the attention of the world.
Actually, these attacks have been recorded for years now and in some cases we just didn’t know about them because – as we will see – one of the prerogatives of cyberwarfare is that of making it complicated to attribute the attack to a given hacker or hacker group, since it is easy for the attacker to hide his tracks.

This war, called “cyberwarfare”, is fought in an undeclared and hidden way, not in the traditional war spaces (land, sea, sky), but in “cyberspace”. And it is states themselves who fight it, through dedicated groups that many of the major states in the world have created on top of traditional armies.

We talked about so-called state-sponsored hacker groups, meaning groups that are linked – more or less directly – to states and governments in this other article.

>> FlashStart protects you from a wide range of threats and prevents access to malicious websites  ? Start your free trial now

2. What is the main aim of Cyberwarfare?

Before telling about some of the famous cyberwarfare cases, it is important to understand what cyberwarfare is and what are the reasons that make these types of attacks convenient.
Here is the definition of cyberwarfare reported by the “Intelligence Glossary” of the Italian system for Information and for the Security of the Republic (SISR):

“The set of military operations conducted in and through the cyberspace in order to procure damage to the enemy, be it a state or else, and that consist – among other things – in preventing the enemy from making an effective use of IT systems, weapons and tools and of the infrastructures and processes that they control. The meaning also includes defense activities and those aimed at granting the availability and use of cyberspace to the state”.

In this respect, we also suggest consulting the TALLIN Manual (updated to version 3.0 in 2021) by the Cooperative Cyber Defence Centre of Excellence (CCDCOE) of NATO.
The original Tallin Manual (published for the first time in 2013 by Cambridge University Press) discusses the applicability of existing principles of international law to cyberspace, both in times of peace and of war.

It is about the interpretation and applicability of international law in the cyber context.
It discusses the rules of international law that govern over cyber accidents between states but that are below the threshold that would trigger the use of force or armed conflict.

Cyber weapons are more and more used since they work well and are convenient for those using them.

And, differently from their analogic counterparts, meaning the forms of traditional warfare:
» They don’t put their forces at risk;
» They cause less collateral damage;
» They can be deployed in a hidden way and it is even possible to conceal attack techniques: in this way it is difficult to attribute responsibility for the attack;
» They are less expensive.

We will now see some cyberwarfare attacks, those which we know about (it isn’t always the case for the reasons we just outlined).

3. The Stuxnet attack: the most famous case

Stuxnet represents a turning point in cyberwarfare.
It dates back to 2010 but is considered still today a textbook example, both for the way in which it was carried out, and for the effects it triggered in cyberwarfare at the global level.

Stuxnet can be considered a “paradox in history” since – as we will see – it had as its target that of contrasting the proliferation of nuclear weapons, but actually ended up opening the door for a proliferation that is much more difficult to control: the proliferation of technology in cyber weapons.

In January of 2010 in the nuclear plant of Natanz in Iran the centrifuges used to enrich Uranium235 went crazy and got out of control: from 1,064 rounds per minute they reached 1,410 rounds per minute and exploded. This put out of use at least 1.000 of the 5.000 centrifuges and set back the Iranian nuclear program by a couple of years.

3.1 What happened?

Let’s go back in time to 2006, when the Iranian nuclear program was already worrisome for the United States and Israel. President Bush gave the secret order to prepare a cyber attack against Itanian plants to damage their atomic program without triggering a conventional war. This operation, under the coded name “Olympic Games”, was later continued and concluded under the presidency of Barack Obama.
The attack was assigned to American experts of the National Security Agency (NSA), in collaboration with Israeli IT technicians, the legendary Unit 8200 of the Israel Defense Force – IDF.

A deadly malware was created, called Stuxnet, which was able to act on the PLC Siemens Simatic S7-300, which governed the functioning of the centrifuges for uranium enrichment. The centrifuges in the Natanz industrial plant were of the P-1 type and were based on old projects that the Iranian government had purchased from Pakistan.

These centrifuges treated uranium hexafluoride in the form of gas, separating Uranium-235 (the one that can undergo nuclear fission, and hence can be used to build atomic bombs) from isotope U-238 (much more widespread in nature but less useful). The process of uranium enrichment has the aim of increasing the concentration of U-235: a low enrichment (20%) allows uranium to be used as fuel in nuclear reactors, while in order to produce an atomic bomb it needs to reach a U-235 concentration of at least 85%.

The first version of the Stuxnet software was created – according to Kaspersky – in June 2009 but did not produce the expected results. The final attack was carried out by Stuxnet version 2.0 in the first months of 2010.

>> FlashStart is the Windows web filtering software that blocks access to malicious websites and reduces your chances of being the next victim of a cyber attack  ? Start your free trial now

Picture 1 – The Iranian president Mahmoud Ahmadinejad observes the centrifuges inside the plant for uranium enrichment in Natanz

3.2  How did Stuxnet get inside the Natanz plant?

Of course, Iranians weren’t so naive as to put their plant details online.
The plant was actually “air gapped”, meaning isolated from the Internet network.
The problem for attackers was hence being capable of injecting the malware in Natanz.

By now it is almost certain that the beginning of the contagion by Stuxnet happened within the plant itself, through one or more USB devices.
It is deemed, with reasonable certainty, that the Stuxnet infection started from five Iranian suppliers exploited as vehicles for the attack, with a technique called Supply Chain Attack, which today is extremely frequent.

These companies were unaware of having been attacked and, once infected, it was only a matter of time before the Natanz plant was hit. Through a USB device inserted in various computers inside Natanz, the infection spread from the Windows computers to the industrial software Step7 (realized by Siemens), which controlled the PLCs of the plant and could modify their code.

We will later see how all this was possible thanks to the exploitation of a series of zero-day vulnerabilities by Stuxnet.
The analysts who examined Stuxnet, through the analysis of thousands of files believe they have identified the five Iranian companies that were infected by Stuxnet – at different times starting from June 2009 – and that then brought it inside Natanz.

Again in 2010, subsequent versions of Stuxnet hit other five Iranian organizations with the aim of controlling and damaging the Iranian production of enriched uranium. Over 60% of the computers infected by Stuxnet in 2010 were located in Iran.
Following the virus infection in the Natanz plant, Stuxnet spread outside the Iranian plant.

It seems that Israel was the one who wanted to strengthen the virus in order to make it more aggressive and capable of spreading more easily (indeed, version 2.0!)
Maybe too much: a computer that had been infected in Natanz is deemed to have then spread the malware outside the interested systems, causing important damages to other networks that used Siemens Simatic PLC and that were not supposed to be at all among the targets.
Stuxnet should never have left Natanz but instead, since it went out of control, it started spreading through the Internet. Obama was told: “We lost control over the virus”.

By now discovered, detected and analyzed by the major cyber security companies (Kaspersky, F-Secure, Symantec in its report “W32.Stuxnet Dossier Version 1.4 February 2011”), Stuxnet has been immediately considered an “anomalous” malware, way too sophisticated to be created by normal hackers.
Indeed, it exploited not one but as many as four zero-day vulnerabilities, meaning vulnerabilities not yet known by security companies. Zero-day exploits are very difficult to find and have a very high cost on the market for vulnerabilities.

Back in the day, there had never been the case of a malware that exploited more than one zero-day vulnerability. And Stuxnet exploited as many as four of them!
Only a state could have realized such a powerful cyber weapon….
Suspicions focused straight away on American and Israeli intelligence services, the only ones able to produce a software with these characteristics.

“The NSA and Israel wrote Stuxnet together”: in July 2013 Edward Snowden confirmed that Stuxnet had been designed by NSA with the collaboration of Israeli intelligence through a special team known as Foreign Affairs Directorate.

Nobody has ever claimed the attack or put their signature on Stuxnet. But actually maybe this “signature” exists for real.
When analysts sectioned the Stuxnet code they found different functions. Among these is function number 16, which contains a variable whose value is 19790509. Since this variable, used purely for control, could be assigned any value, why exactly that number?

Somebody discovered that 19790509 corresponds to the date of 9 May 1979, which has a very precise meaning both for Iran and Israel: that day in a square in Tehran, Habib Elghanian was executed. He was the chief of the Iranian Jewish community. It was one of the first executions of jewish people by the new Khomeini’s regime in Iran.

Not only that: in that period there were some centrifuges of the P-1 type (like the ones in Natanz) installed, as chance would have it, in the Israeli plant in dimona, in the Negev desert: too few for productive aims, but enough to run some tests in a pilot plant. They had been supplied to Israel by the United States, which had recovered them from the Libyan nuclear program.

This case, despite having by now been analyzed at the maximum level of detail, still has some little known aspects, which make it look like a disturbing war or espionage movie.
An indeed, the film exists for real: the Stuxnet attack was narrated in the documentary film “Zero Days” (2016) by the oscar-winning producer Alex gibney.

Picture 2 – The poster of the documentary “Zero Days” (2016) by the producer Alex Gibney (picture by nientepopcorn.it)

4. 2012: Shamoon against Saudi Aramco

Saudi Aramco is the Saudi public company for oil production, the major one in the world.
In August 2012, at 11:08 local time on the 15th of the month, the company employees noticed that some files in their laptops were being canceled in front of them.
In a few hours, Saudi Aramco was not online anymore.

Even more devastating were the consequences for payments, for which the network is by now essential: kilometers of tank trucks full of oil and blocked, for the simple reason that there was no way to invoice their content. Only the extraction systems, completely automated and independent from the Internet, kept on working.

The cause of the problem was discovered by Seculert: the malware was first named Disttrack and then it took the name of Shamoon.
One more time, the injection took place through easy spear phishing email, which carried the new malware.

Shamoon had a high capacity of replicating itself and spreading and was able to transfer files from the victim’s computer to that of the attacker and then cancel them from the original system. Like most of these softwares, it was a modular malware that comprised three modules:
» Shamoon Dropper, the modul used to enter inside the attacked system and dropping the other two components;
» Shamoon Wiper, the component that wiped away, so destroyed, the contents by installing a driver that could overwrite the data and managed to write in the Master Boot Record (MBR) of the computer, thus making it useless;
» Shamoon Reporter, which reported back to the attacker all information on files that had been overwritten.

It took Saudi Aramco 10 days (until August 25th) to restore the over 30,000 systems based on windows that had been overwritten by Shamoon.

4.1 Who was the author of such an attack?

The attack was claimed by “Cutting Sword of Justice”, an Islamic hacker group that requested better working conditions for the employees of Saudi Aramco.
It is possible, even if there is no certain evidence, that the Saudi oil plants were hit by state-sponsored Iranian hackers, maybe the Elfin group (aka: APT33, HOLMIUM). This Iranian group is famous for having targeted organizations in various sectors of the United States, Saudi Arabia and South Korea, with a special interest for the sectors of aviation and energy, and especially oil plants.

Whoever it was, this was a perfect cyber attack from a technical point of view and especially for its ability to hit a worldwide economic resource: oil. The case confirms that attacks on industrial systems prefer the energy sector.

According to Symantec, Shamoon suddenly came back in November 2016 and was then used again in an attack on 23 January 2017. It was called Shamoon 2.

>> FlashStart prevents users from navigating towards malicious websites as well as unsuitable or distracting contents ? Request a quote

5. Russia against Ukraine

Since the dawn of time, Russia has used Ukraine as their favorite target for cyber attacks.
We will not focus here on current affairs about the recent military invasion by Russia, also because information about the latest attacks is not clear yet.
We will focus, instead, on the cases of cyberwarfare that have by now made history and for which analysts were able to retrieve a lot of information.

5.1 BlackEnergy in Ukraine

Although it didn’t cause important damages, this was a textbook attack.
23 December 2015, 3.35 pm: the Ukrainian Kyivoblenergo, a regional electricity supplier, was attacked by a hacker. In a short time span the systems of at least 3 regional electricity operators were hit.

7 substations at 100kV and 23 at 35 kV were disconnected for over three hours. Half of the houses in the Ivano-Frankivsk region (in the west of Ukraine) remained without electricity. It is estimated that around 225,000 people were hit.

The attack, coming from a foreign country, remotely takes control of the SCADA systems (Supervisory Control and Data Acquisition) of the plants. To bring service back to normal, the managers had to shift to the manual control of plants.

The used agent was the BlackEnergy trojan, with backdoor features.
It is a modular malware that can download several components to finalize specific activities. In 2014 it was used for several cyber espionage attacks aimed at high-profile targets linked to the Ukrainian government.

According to the detailed report prepared by E-ISAC and SANS “Analysis of the Cyber Attack on the Ukrainian Power Grid” (18 March 2016), the attackers showed they knew and could exploit a wide range of techniques to carry out the offensive action:
» the use of spear phishing emails to access the company networks of the three suppliers (and here we have, like in almost any attack, the H factor, meaning human error). It seems that the attack email included as an attachment an Office file “armed” with a macro;
» the injection of the BlackEnergy 3 malware variant in each of the interested suppliers, used in combination with the new plug-in KillDisk (Win32/KillDisk), which has the ability to destroy files and can overwrite over 4,000 types of files), and hence is capable of overwriting the operating system and block an entire system;
» the theft of access credentials for company networks;
» the use of Virtual Private Networks (VPNs) to access the ICS network;
» the manipulation of Microsoft Office documents that included malware to access the IT networks of the electric companies;
» the ability to take control over the UPS systems in order to generate a service interruption: in at least one of the hit suppliers the attackers discovered a network connected to a UPS and re-configured it so that, when the power cut took place, there was a cut also to the supply of electricity to the buildings and data centers of the electricity company;

Therefore, it was a choral attack, well designed and carried out by specialists.

Ukrainian secret services condemned Russia straight away for the attack, also because of the very bad relations between the two countries (a little earlier the annexation of Crimea by Russia had taken place).

In particular, the attack is deemed to have been carried out by the Sandworm Team, also known as Unit 74455, which is a Russian cybermilitary unit connected to the GRU, the secret services of Russian armed forces.

Sandworm is suspected to be also behind the cyber attacks of 2017 against Ukraine with NotPetya and behind the cyber attack on the winter olympics in South Korea in 2018.
In December 2016 the attack was reiterated, with a lighter impact compared to that of 2015 and a blackout that lasted for about an hour. It seems that it was carried out by the same attackers as the previous year, not to create damages but rather as a test for future actions.

Picture 3 – The Office attachment with the macro attached to the spear-phishing email which vehiculated the injection of BlackEnergy

5.2 27 June 2017: NotPetya attack

NotPetya is deemed to be the cyber attack that has created the biggest damages in the world: the impact on the organizations it hit is estimated to have cost around 10 billion dollars.
It is a classical Supply Chain attack: it targeted an Ukrainian company (M.E.doc), which produces management softwares. Through this company, Ukrainian companies were massively hit, to the point that in 24 hours NotPetya canceled 10% of all the computers in Ukraine.

For the first time after 31 years, the radiation detectors in Chernobyl were switched off, making employees monitor the radiation levels manually.
From Ukraine, NotPetya spread to the rest of the world, causing enormous damages to several big companies among which were:
» Moller-Maersk: damages for 300 million dollars, and the company had to re-install 4,000 servers and 45,000 laptops;
» TNT Express (FedEx group): damages for 300 million dollars;
» Mondel?z International: 1,700 servers and 24,000 laptops blocked (damages for over 84 million dollars);
» Merck (pharmaceuticals): interruption of operations at the global level;
» Saint Gobain Group;
» Reckitt Benckiser: lower sales by about 110 million pounds.

Italy was one of the worst-hit countries.

NotPetya was a ransomware that asked for a 300$ ransom (0,138 bitcoin), but it actually turned out to be a wiper, since the files were never given back.
It exploited the Eternalblue exploit created by the NSA to spread through company networks, the same that had been used a month before for the infamous WannaCry attack (12 May 2017).

The United States and Great Britain have officially blamed Russia for the NotPetya attack, and also in this case it is deemed to have been carried out by the Sandworm Team, connected to the GRU, the Russian military secret services.

>> FlashStart thanks to the exclusive “Geoblocking” feature, is especially good at blocking navigation towards the websites of dangerous territories ? Start your free trial now

6. The Author

Giorgio Sbaraglia, engineer, is a consultant and trainer on the topics of cyber security and privacy.

He holds training courses on these topics for numerous important Italian companies, including ABIFormazione and the 24Ore Business School.
He is the scientific coordinator of the Master “Cybersecurity and Data Protection” of the 24Ore Business school.

He is a member of the Scientific Committee CLUSIT (Italian Association for Cyber Security) and an Innovation Manager certified by RINA

He has DPO (Data Protection Officer) positions in companies and Professional Associations.

He is the author of the following books:
» “GDPR kit di sopravvivenza” – “GDPR survival kit” (Edited by goWare),
» “Cybersecurity kit di sopravvivenza. Il web è un luogo pericoloso. Dobbiamo difenderci!” – “Cybersecurity survival kit. The web is a dangerous place. We must defend ourselves!” (Edited by goWare),
» “iPhone. Come usarlo al meglio. Scopriamo insieme tutte le funzioni e le app migliori” – “iPhone. How to use it to its full potential. Let’s discover together all the functions and best apps” (Edited by goWare).

He collaborates with CYBERSECURITY360 a specialized online magazine of the group Digital360 focusing on Cybersecurity.

He also writes for ICT Security Magazine, for Agenda Digitale and for the magazine CLASS.

You can activate the FlashStart® Cloud protection on any sort of Router and Firewall to secure desktop and mobile devices and IoT devices on local networks.