This is a repost of Jeff Dougherty’s article on Small Wars Journal<\/a>.<\/em><\/span><\/p>\n <\/p>\n Although hacking has been part of espionage since at least 1989[i]<\/a>, nation-state sponsored attacks have grown dramatically throughout the past decade[ii]<\/a>,[iii]<\/a>,[iv]<\/a>.\u00a0 Nation-state sponsored groups are particularly worrisome to security professionals because they often operate as Advanced Persistent Threats (APTs)[v]<\/a>, a \u201cslow burn\u201d type of cyberattack many security experts consider the most dangerous for enterprises- or governments- with highly sensitive information to protect[vi]<\/a>,[vii]<\/a>,[viii]<\/a>.\u00a0 However, a deeper look at the pattern of these attacks in recent years reveals a still more worrying trend.\u00a0\u00a0 In the last decade, nation-state backed hacker groups have shifted away from pure information gathering and towards using cyberspace as a domain for a new kind of conflict called hybrid warfare.<\/p>\n Hybrid warfare is difficult to define, and some thinkers even doubt the utility of the concept[ix]<\/a>.\u00a0 However, others have defined it as aggressive actions designed to exploit international law by deliberately falling short of the common definition of aggression that permits a response against a nation-state[x]<\/a>.\u00a0 Hybrid warfare is a type of asymmetric warfare, in which a weaker opponent seeks to defeat a stronger one by indirect means without having to engage their main military forces.[xi]<\/a>\u00a0 The concept’s supporters frequently cite the civil war in Eastern Ukraine, where suspiciously well trained and equipped \u201cpro-Russian separatists\u201d have given Moscow effective control over large chunks of territory without a conventional invasion that could trigger the NATO treaty[xii]<\/a>.\u00a0 Also commonly cited are \u201csalami slicing\u201d tactics used by China to slowly establish a position of effective dominance over disputed islands in the South China Sea,[xiii]<\/a> including use of its fishing fleet to establish territorial claims.<\/p>\n Cyberspace is an especially rich field for hybrid warfare because the global and anonymous nature of the Internet makes it very difficult to prove a particular operation was state-sponsored.\u00a0 For example, a group codenamed APT28 has been identified as a Russian government operation based on their use of Russian-language programming tools, the fact that they keep 9-5 hours on Moscow time and observe Russian holidays, and the overlap between their operations and Russian interests[xiv]<\/a>.\u00a0 Suggestive, but hardly the sort of thing you can take to the United Nations.\u00a0 Online, hybrid warfare can involve a variety of methods, including denial-of-service (DoS) attacks against a target’s communications, obtaining and leaking embarrassing information about the target, or interfering with a target’s critical infrastructure.<\/p>\n Most state-sponsored hacks discussed in the open security press originate from a relative handful of nations: China, Russia, Iran, North Korea, Israel, and the United States[xv]<\/a>,[xvi]<\/a>,[xvii]<\/a>.\u00a0 An examination of recent actions by hackers affiliated with those countries reveals an increasing pattern of offensive action.<\/p>\n Of the nations listed, it is Russia that has taken by far the largest steps into online hybrid warfare.\u00a0 Beginning with a massive DoS attack against Estonia in 2007[xviii]<\/a>, Russia has used cyberwarfare as a major component of its operations in Georgia[xix]<\/a>, the Ukraine[xx]<\/a>, and Syria[xxi]<\/a>.\u00a0 The scope of attacks has also widened with time.\u00a0 The 2008 Georgia attacks included more DoS against communications infrastructure, attempts to glean military intelligence from online sources, and propaganda defacement of websites.\u00a0 Attacks against Ukraine in 2015 repeated these tactics, but also saw Russian hackers shut down large portions of the Ukrainian power grid.\u00a0 2015 also saw Russia shut down German government websites and a steel mill around the time of talks with the Ukrainian Prime Minister.[xxii]<\/a>\u00a0 The next year brought the publicized attempts to influence the US Presidential election by selectively releasing illegally obtained documents about the Hillary Clinton campaign.\u00a0 Taken as a whole, it is clear that Russia does not simply regard cyberattacks as an information gathering tool, but as weapons to be used offensively in support of Moscow’s geopolitical aims.<\/p>\n Similar patterns have appeared on a smaller scale from the other nations on the list.\u00a0 Most famously, the US and Israeli-developed Stuxnet worm was released onto the Internet in 2009, replicating itself until it reached the computer controllers for Iran’s uranium enrichment centrifuges.\u00a0 Once there, it caused the centrifuges to overspeed while loaded with corrosive uranium gas, damaging them and seriously delaying the Iranian nuclear program[xxiii]<\/a>.\u00a0 The same US-Israeli effort led to the creation of a piece of network reconnaissance malware called Flame, which provided information Israel later used to launch a unilateral attack on the Iranian oil industry in 2012 with a program called Wiper[xxiv]<\/a>.\u00a0 Other information about these countries’ cyberwar programs is hard to come by, but the April 2017 leaks from a group calling themselves ShadowBrokers revealed that both the American CIA and NSA have been actively developing their own ecosystem of tools and exploits[xxv]<\/a>.<\/p>\n The Stuxnet and Wiper incidents seem to have spurred Iran to create its own hacking program.\u00a0\u00a0 The year after the attacks, Iran attacked banks and a dam in the United States[xxvi]<\/a> as well as oil company systems in Saudi Arabia[xxvii]<\/a>,[xxviii]<\/a> using malware descended from Israel’s Wiper.\u00a0 Iranian hackers have also been implicated in a 2015 blackout that affected 40 million people in Turkey[xxix]<\/a>.\u00a0 It is significant that the Iranian hacking program appears to be associated with the country’s Revolutionary Guard Corps, or Pasdaran.\u00a0 Ever since the Iran-Iraq War of the 1980s, the Pasdaran has been the main Iranian force involved in all types of asymmetric warfare.\u00a0 The placement of Iran’s hacking groups under their control may well indicate that the Iranian government views them primarily as weapons of war.<\/p>\n North Korea’s cyber program is best known in the West for its 2014 hack of Sony Pictures[xxx]<\/a>, but has also been implicated in several other operations.\u00a0 These include the DarkSeoul attacks against South Korean infrastructure[xxxi]<\/a> and spreading malware to create botnets for denial-of-service attacks[xxxii]<\/a>.\u00a0 Many experts also believe North Korea is attempting to use its cyber program to finance its regime in the face of international sanctions- North Korean hacking groups have been tied to the WannaCry ransomware attack, the theft of $80 million from a bank in Bangladesh[xxxiii]<\/a>, and may also be targeting the crypto-currency Bitcoin[xxxiv]<\/a>.<\/p>\n At first glance, China’s hacking efforts may seem the odd man out in this group.\u00a0 China has taken little overt action online, although it is a prolific practitioner of cyber espionage.\u00a0 Its\u2019 operations have not been confined to traditional government and military targets, frequently targeting private companies to steal intellectual property that may improve the competitiveness of China\u2019s state-run businesses.[xxxv]<\/a>,[xxxvi]<\/a>.\u00a0 However, it is known that China’s military planning documents anticipate intensive network operations in the event of a war, and at least one analyst has argued that China’s current actions are preparing it for exactly that[xxxvii]<\/a>.\u00a0 China appears to think that the US needs the Internet more than they do, and that an exchange that leaves both sides’ networks severely degraded is a net win for them.\u00a0 They are probably right.<\/p>\n If these trends are alarming, there is little reason to think they will not continue.\u00a0 There have been some promising signs.\u00a0 The indictment of five Chinese army officers for hacking American servers led to an agreement between President Obama and Chinese President Xi Jinping under which China would reduce its attacks against American companies[xxxviii]<\/a>, and attacks did seem to decrease in the wake of the agreement[xxxix]<\/a>.\u00a0 However, a similar indictment of seven Pasdaran-affiliated Iranian hackers in 2013 has failed to yield similar results[xl]<\/a>, and efforts to confront Russia over its ever more brazen attacks have also stalled in the face of official stonewalling.\u00a0 More broadly, a number of analysts[xli]<\/a> have noted that the West has largely failed in its attempts to address hybrid warfare incidents that fall short of the clear aggression required to form international consensus.\u00a0 Given the nature of the Internet, cyberattacks are likely to remain one of the most difficult of all incidents to provably attribute to a government.\u00a0 The relative newness of the Internet also means that international law on acceptable online behavior between nations is still very much unset.\u00a0 Absent strong new norms of what is and is not acceptable between nation-states in peacetime, it is likely that both the number and severity of these cyberattacks will continue to escalate.<\/p>\n What does this mean for cybersecurity professionals?\u00a0 The first and most important lesson we can draw is that in a cyberwar, everybody is potentially on the front lines.\u00a0 Cyberattacks from all nations have made little distinction between government-owned and private systems, instead choosing to strike wherever necessary to accomplish their goals. Private companies, especially those in key infrastructure settings, need to be prepared to compete with teams of government-sponsored hackers from around the world.\u00a0 Second, to whatever extent this is unrealistic, there must be closer cooperation between the public and private sectors.\u00a0 The government may need to provide assistance with network hardening, penetration testing, and threat intelligence, not to safeguard private profit but to preserve critical national infrastructure.\u00a0 This assistance should be tied to a set of legally enforceable standards to make sure those trusted with critical information are taking adequate precautions to safeguard it.\u00a0 Finally, on the policy level, high-level leaders should work to create new standards for what is and is not acceptable in terms of hacking between nations at peace.\u00a0 This will not be an easy task, requiring both a willingness to engage with nations who show openness to the new standards and to take a firm line with those who do not.\u00a0 But if we fail to do so, the cyber realm we trust with more and more of our data may become a new theater of war.\u00a0 And if that happens, everyone and everything on the global Internet could become collateral damage.<\/p>\n End Notes<\/strong><\/p>\n [i] Stoll, Clifford.\u00a0 The Cuckoo’s Egg<\/u>.\u00a0 Doubleday, 1989.\u00a0 The East German hacker responsible for that incident was operating on behalf of the Soviet KGB.<\/p>\n [ii]McGuiness, Damien.\u00a0 \u201cHow a cyber attack transformed Estonia.\u201d\u00a0 BBC News, http:\/\/www.bbc.com\/news\/39655415<\/a> Accessed 10\/2\/2017<\/p>\n [iii]Rubenstein, Dana.\u00a0 \u201cNation State Cyber Espionage and its Impacts.\u201d\u00a0 Washington University in St. Louis.\u00a0 http:\/\/www.cse.wustl.edu\/~jain\/cse571-14\/ftp\/cyber_espionage\/<\/a>.\u00a0 Accessed 10\/2\/17<\/p>\n [iv]For a longer listing, see the Center for Strategic and International Studies’ \u201cSignificant Cyber Incidents Since 2006\u201d report, available for download at https:\/\/csis-prod.s3.amazonaws.com\/s3fs-public\/160824_Significant_Cyber_…<\/a><\/p>\n [v]\u201cA Survey of Nation-State Sponsored Hackers,\u201d published by DarkOwl Security.\u00a0 https:\/\/www.darkowl.com\/blog\/2017\/a-survey-of-nation-state-sponsored-hackers<\/a>.\u00a0 Accessed 10\/2\/17<\/p>\n [vi]Soto, Carlos.\u00a0 \u201cAdvanced Persistent Threats (APT) 101.\u201d\u00a0 Tom\u2019s ITPro.\u00a0 http:\/\/www.tomsitpro.com\/articles\/advanced-persistent-threats-apt-101,2-526.html<\/a>.\u00a0 Accessed 10\/2\/17<\/p>\n [vii]\u201cThe Danger of Advanced Persistent Threats.\u201d\u00a0 Published in BizTech Magazine, attr to staff.\u00a0 https:\/\/biztechmagazine.com\/article\/2016\/05\/danger-advanced-persistent-threats<\/a>.\u00a0 Accessed 10\/2\/17<\/p>\n [viii]\u201cAdvanced Persistent Threats: A Symantec Perspective.\u201d\u00a0 Symantec White Papers.\u00a0 https:\/\/www.symantec.com\/content\/en\/us\/enterprise\/white_papers\/b-advanced_persistent_threats_WP_21215957.en-us.pdf<\/a>.\u00a0 Accessed 10\/2\/17<\/p>\n [ix]Paul, Christopher.\u00a0 \u201cConfessions of a Hybrid Warfare Skeptic.\u201d\u00a0 Small Wars Journal, March 3, 2016.\u00a0 http:\/\/smallwarsjournal.com\/printpdf\/40741<\/a>.\u00a0 Accessed 10\/2\/17<\/p>\n [x]For discussions of this issue, see Stowell, Joshua, \u201cWhat Is Hybrid Warfare?\u201d, Global Security Review. https:\/\/globalsecurityreview.com\/hybrid-and-non-linear-warfare-systematically-erases-the-divide-between-war-peace\/<\/a> and Sarl, Aurel, \u201cLegal Aspects of Hybrid Warfare\u201d, Lawfare Blog. https:\/\/www.lawfareblog.com\/legal-aspects-hybrid-warfare<\/a>, both accessed 10\/2\/17<\/p>\n [xi]This is a simplification of a complex concept, but is the definition that will be used for this paper.\u00a0 For a good discussion of asymmetric war and its place in the landscape of military strategy see Daley, LTC Dan N, \u201cAsymmetric Warfare: The Only Thing New Is the Tactics\u201d, a seminar paper from the US National War College available at http:\/\/www.dtic.mil\/dtic\/tr\/fulltext\/u2\/a433588.pdf<\/a><\/p>\n [xii]Chivvis, Christopher S.\u00a0 \u201cUnderstanding Russian Hybrid Warfare and What Can Be Done About It.\u201d Testimony presented to the House Armed Services Committee on March 22, 2017 on behalf of RAND Corporation. \u00a0Available at https:\/\/www.rand.org\/content\/dam\/rand\/pubs\/testimonies\/CT400\/CT468\/RAND_…<\/a>.<\/p>\n [xiii]Shearer, Andrew.\u00a0 \u201cThe Evolution of Hybrid Warfare and Key Challenges,\u201d Statement to the House Armed Services Committee on March 22, 2017.\u00a0 Available at http:\/\/docs.house.gov\/meetings\/AS\/AS00\/20170322\/105746\/HHRG-115-AS00-Wst…<\/a><\/p>\n [xiv] \u201cAPT28: A Window into Russia\u2019s Cyber-Espionage Operations?\u201d\u00a0 Report published by the FireEye Corporation, 2014. Available at https:\/\/www2.fireeye.com\/rs\/fireye\/images\/rpt-apt28.pdf<\/a><\/p>\n [xv]A Survey of Nation-State Sponsored Hackers,\u201d published by DarkOwl Security.\u00a0 https:\/\/www.darkowl.com\/blog\/2017\/a-survey-of-nation-state-sponsored-hackers<\/a>.\u00a0 Accessed 10\/2\/17<\/p>\n [xvi]Walls, Mike.\u00a0 \u201cNation-State Cyberthreats: Why They Hack.\u201d\u00a0 DarkReading.\u00a0 https:\/\/www.darkreading.com\/informationweek-home\/nation-state-cyberthreats-why-they-hack-\/a\/d-id\/1318522<\/a>.\u00a0 Accessed 10\/2\/17<\/p>\n [xvii]This datum should be treated with a certain degree of caution.\u00a0 The open security press itself is largely a Western phenomenon- of the 500 top cybersecurity firms, 370 are American and a further 76 are based in Canada, Europe, or Australia.\u00a0 Thus, cyberattacks not targeted against these countries are probably less likely to be discussed in the open press. Source: analysis of data provided by Cybersecurity Ventures, available at https:\/\/cybersecurityventures.com\/cybersecurity-500-list\/<\/a>, accessed 10\/2\/17<\/p>\n [xviii]Richards, Jason.\u00a0 \u201cDenial-of-Service: The Estonian Cyberwar and Its Implications for US National Security.\u201d\u00a0 International Affairs Review, published by George Washington University.\u00a0 http:\/\/www.iar-gwu.org\/node\/65<\/a>.\u00a0 Accessed 10\/2\/17.<\/p>\n [xix]Hollis, David. \u201cCyberwar Case Study: Georgia 2008.\u201d\u00a0 Small Wars Journal, January 6, 2011, available at http:\/\/smallwarsjournal.com\/blog\/journal\/docs-temp\/639-hollis.pdf<\/a><\/p>\n [xx]Greenberg, Andy.\u00a0 \u201cHow An Entire Nation Became Russia’s Test Lab for Cyberwar.\u201d\u00a0 Wired.com, 6\/20\/17.\u00a0 Available at https:\/\/www.wired.com\/story\/russian-hackers-attack-ukraine\/<\/a>, accessed 10\/2\/17<\/p>\n [xxi]\u201cBehind the Syrian Conflict’s Digital Front Lines,\u201d Threat Intelligence Report by FireEye Corporation. https:\/\/www.fireeye.com\/content\/dam\/fireeye-www\/global\/en\/current-threats\/pdfs\/rpt-behind-the-syria-conflict.pdf<\/a>, accessed 10\/2\/17<\/p>\n [xxii]Walls, Mike.\u00a0 \u201cWhy Russia Hacks.\u201d\u00a0 DarkReading. https:\/\/www.darkreading.com\/risk\/why-russia-hacks\/a\/d-id\/1318733<\/a>.\u00a0 Accessed 10\/2\/17<\/p>\n [xxiii]Langner, Ralph.\u00a0 \u201cTo Kill a Centrifuge: A Technical Analysis of What Stuxnet’s Creators Tried to Achieve.\u201d The Langner Group.\u00a0 https:\/\/www.langner.com\/wp-content\/uploads\/2017\/03\/to-kill-a-centrifuge.pdf<\/a>.\u00a0 Accessed 10\/2\/17<\/p>\n [xxiv]Nakashima, Ellen, Greg Miller and Julie Tate.\u00a0 \u201cUS, Israel developed Flame computer virus to slow Iranian nuclear efforts, officials say.\u00a0 The Washington Post.\u00a0 https:\/\/www.washingtonpost.com\/world\/national-security\/us-israel-developed-computer-virus-to-slow-iranian-nuclear-efforts-officials-say\/2012\/06\/19\/gJQA6xBPoV_story.html<\/a>.\u00a0 Accessed 10\/2\/17<\/p>\n [xxv]Goodin, Dan.\u00a0 \u201cNSA-leaking Shadow Brokers just dumped its most damaging release yet.\u201d\u00a0 Ars Technica, https:\/\/arstechnica.com\/information-technology\/2017\/04\/nsa-leaking-shadow-brokers-just-dumped-its-most-damaging-release-yet\/<\/a>.\u00a0 Accessed 10\/2\/17<\/p>\n [xxvi]Perez, Evan and Shimon Prokupecz.\u00a0 \u201cUS charges Iranians for cyberattacks on banks, dam.\u201d\u00a0 CNN.com.\u00a0 http:\/\/www.cnn.com\/2016\/03\/23\/politics\/iran-hackers-cyber-new-york-dam\/<\/a>.\u00a0 Accessed 10\/2\/17<\/p>\n [xxvii]Zetter, Kim.\u00a0 \u201cWiper Malware That Hit Iran Left Possible Clues of Its Origins.\u201d\u00a0 Wired.com https:\/\/www.wired.com\/2012\/08\/wiper-possible-origins\/<\/a>.\u00a0 Accessed 10\/2\/17<\/p>\n [xxviii]Greenberg, Andy.\u00a0 \u201cNew Group of Iranian Hackers Linked to Destructive Malware.\u201d\u00a0 Wired.com.\u00a0 https:\/\/www.wired.com\/story\/iran-hackers-apt33\/<\/a>.\u00a0 Accessed 10\/2\/17<\/p>\n [xxix]Paganini, Pierluigi.\u00a0 \u201cIran accused of the blackout that paralyzed the Turkey\u201d (sic).\u00a0 Securityaffairs.co http:\/\/securityaffairs.co\/wordpress\/36536\/cyber-warfare-2\/iran-accused-blackout-turkey.html<\/a>.\u00a0 Accessed 10\/2\/17<\/p>\n [xxx]Peterson, Andrea.\u00a0 \u201cThe Sony Pictures hack, explained.\u201d\u00a0 The Washington Post.\u00a0 https:\/\/www.washingtonpost.com\/news\/the-switch\/wp\/2014\/12\/18\/the-sony-pictures-hack-explained\/<\/a>.\u00a0 Accessed 10\/2\/17<\/p>\n [xxxi]\u201cFour Years of DarkSeoul Cyberattacks Against South Korea Continue on Anniversary of Korean War.\u201d\u00a0 Symantec.com.\u00a0 https:\/\/www.symantec.com\/connect\/blogs\/four-years-darkseoul-cyberattacks-against-south-korea-continue-anniversary-korean-war<\/a>, accessed 10\/2\/17<\/p>\n [xxxii]\u201cRevisiting Nation State Threat Actors- North Korea (DPRK).\u00a0 Published by DarkOwl Security.\u00a0 https:\/\/www.owlcyber.com\/blog\/2017\/revisiting-nation-state-threat-actors-north-korea-dprk<\/a>.\u00a0 Accessed 10\/2\/17<\/p>\n [xxxiii]Finkle, Jim.\u00a0 \u201cCyber security firm: more evidence North Korea linked to Bangladesh heist.\u00a0 Reuters.\u00a0 http:\/\/www.reuters.com\/article\/us-cyber-heist-bangladesh-northkorea\/cyber-security-firm-more-evidence-north-korea-linked-to-bangladesh-heist-idUSKBN1752I4<\/a>.\u00a0 Accessed 10\/2\/17<\/p>\n [xxxiv]McNamara, Luke.\u00a0 \u201cWhy Is North Korea So Interested in Bitcoin?\u201d\u00a0 FireEye Security Blog.\u00a0 https:\/\/www.fireeye.com\/blog\/threat-research\/2017\/09\/north-korea-interested-in-bitcoin.html<\/a>.\u00a0 Accessed 10\/2\/17<\/p>\n [xxxv]Walls, Mike.\u00a0 \u201cNation-State Cyberthreats: Why They Hack.\u201d\u00a0 DarkReading.\u00a0 https:\/\/www.darkreading.com\/informationweek-home\/nation-state-cyberthreats-why-they-hack-\/a\/d-id\/1318522<\/a>.\u00a0 Accessed 10\/2\/17<\/p>\n [xxxvi]US Department of Justice press release.\u00a0 \u201cUS Charges Five Chinese Military Hackers for Cyber Espionage Against US Corporations and a Labor Organization for Commercial Advantage.\u201d\u00a0 https:\/\/www.justice.gov\/opa\/pr\/us-charges-five-chinese-military-hackers-cyber-espionage-against-us-corporations-and-labor<\/a>.\u00a0 Accessed 10\/2\/17<\/p>\n [xxxvii]McReynolds, Joe.\u00a0 \u201cChina’s Evolving Perspectives on Network Warfare: Lessons from the Science of Military Strategy.\u201d\u00a0 China Brief, Vol. 15 Issue 8, available at https:\/\/jamestown.org\/program\/chinas-evolving-perspectives-on-network-wa…<\/a><\/p>\n f[xxxviii]Harold, Scott Warren.\u00a0 \u201cThe US-China Cyber Agreement: A Good First Step.\u201d\u00a0 Rand Corporation.\u00a0 https:\/\/www.rand.org\/blog\/2016\/08\/the-us-china-cyber-agreement-a-good-first-step.html<\/a>.\u00a0 Accessed 10\/2\/17<\/p>\n [xxxix]\u201cRed Line Drawn: China Recalculates Its Use of Cyber Espionage,\u201d Published by FireEye Corporation, June 2016.\u00a0 Available at https:\/\/www.fireeye.com\/content\/dam\/fireeye-www\/current-threats\/pdfs\/rpt-china-espionage.pdf<\/a>, accessed 10\/2\/17<\/p>\n [xl]US Department of Justice Press Release.\u00a0 \u201cSeven Iranians Working for Islamic Revolutionary Guard Corps-Affiliated Entities Charged for Conducting Coordinated Campaign of Cyber Attacks Against US Financial Sector.\u00a0 https:\/\/www.justice.gov\/opa\/pr\/seven-iranians-working-islamic-revolutionary-guard-corps-affiliated-entities-charged<\/a>.\u00a0 Accessed 10\/2\/17<\/p>\n