twitter share facebook share 2019-06-26 1821

It appears that the United States launched cyberattacks on Iran in response to that nation’s shooting down of an American drone aircraft.

According to reports, President Trump had ordered a conventional military response, but had backed down upon learning that the attack would have caused over 100 Iranian fatalities.

The cyberattack plan had purportedly been developed over several weeks and was a response not only to the shooting down of the drone, but the growing number of cyberattacks by the Iranians.

The Wall Street Journal reported that the Department of Homeland Security’s Cybersecurity and infrastructure Security Agency (CISA) issued the following statement:

“CISA is aware of a record rise in the malicious cyber-attacks directed at United States industries and government agencies by Iranian regime actors and proxies. It will continue to work with our intelligence community and cybersecurity partners to monitor Iranian activity, share information, and take steps to keep America and our allies safe.”

Reports on the type of cyberattacks directed towards Iran have been vague and probably wrong. The Washington Post reported the attack included disabling Iranian computer systems that controlled its missile systems. The implication by the story was that it was air defense missile systems that were disabled.

Although the US is probably able to carry out cyberattacks against the Iranian air defenses system, this would be an unlikely target at this time. Such cyberattacks against Iranian air defense systems would have the most impact in conjunction with American air and missile attacks on Iranian targets. It would be counterproductive to make Iran aware of their air defense weaknesses and American cyber abilities without launching a conventional military attack because it would only improve their air defenses and possibly mean the loss of American aircrews.

The US could hack the Iranian offensive missile system, although their missiles are considerably more crude that those of the US or Russians. Many of their missiles still use inertial guidance and a separate computer determines the flight profile. Targeting is done by a computer that takes the target location, determines how long the missile flies straight up, when to rotate the missile, what angle to continue the mission, and when to shut off the engines.

The US could make the missile inaccurate by corrupting the algorithm used to compute the mission profile.

The likely American cyberattack was against an unnamed intelligence group that related to the attacks on oil tankers – a more important target given the recent attacks on tankers. And, the attacks would be designed to stop the attacks and cripple their ability to carry out more attacks.

These attacks would first try to cripple communications between the Iranian agents and their proxies. This might include corrupting messages or even preventing them from getting through. It is likely to use hacking and malware to corrupt the computers used in communications.

The attacks would probably entail finding out who is providing the Iranians with information on the tankers. These agents are probably in one of the GCC nations like the UAE and likely working for a commercial maritime company. This phase would also include the intelligence agencies of the GCC countries.

While these hacking probes are the most important, undoubtedly additional cyberattacks took place that made Iranian intelligence operations more difficult. These would mean damaging computer databases and slowing down computer operations – basically sending a message to the Iranians that the US can make their life difficult.

But what the US did is not all they can do and the Iranians know it. Based on previous experience with American and Israeli hacking of their uranium enrichment program, the Iranians must know that more damaging cyberattacks are possible, including attacks on their air defense system, offensive missiles, power grids, oil production and transportation, military communications, and military and political command systems.

Cyber Attacks on Russia

Act of War, or What?

The issue of cyber-attacks on the electrical grid came to the fore in several seemingly unrelated events. The New York Times had an article on American hacking of the Russian power grid. In South America, millions were left in the dark in Argentina, Uruguay, and Paraguay. And, on Wednesday, parts of New York City and New Jersey had power blackouts.

On Saturday, the New York Times reported that the United States is escalating their “digital incursions into Russia’s electric power grid in a warning to President Vladimir V. Putin” according to nameless current and former government officials.

The Times reported, “The American strategy has shifted more toward offense, officials say, with the placement of potentially crippling malware inside the Russian system at a depth and with an aggressiveness that had never been tried before. It is intended partly as a warning, and partly to be poised to conduct cyberstrikes if a major conflict broke out between Washington and Moscow…the action inside the Russian electric grid appears to have been conducted under little-noticed new legal authorities, slipped into the military authorization bill passed by Congress last summer. The measure approved the routine conduct of “clandestine military activity” in cyberspace, to “deter, safeguard or defend against attacks or malicious cyber-activities against the United States.”

“Under the law, those actions can now be authorized by the defense secretary without special presidential approval.”

“It has gotten far, far more aggressive over the past year,” one senior intelligence official said, speaking on the condition of anonymity but declining to discuss any specific classified programs. “We are doing things at a scale that we never contemplated a few years ago.”

There were some questions about what was reported and what President Trump knew. The Times reported, “Two administration officials said they believed Mr. Trump had not been briefed in any detail about the steps to place “implants” — software code that can be used for surveillance or attack — inside the Russian grid.”

“Pentagon and intelligence officials described broad hesitation to go into detail with Mr. Trump about operations against Russia for concern over his reaction — and the possibility that he might countermand it or discuss it with foreign officials.”

This raises a couple of issues. Apparently, the US is about ready to take down Russia’s infrastructure without the knowledge of the President, because he might tell someone, so instead, the New York Times just published the secret plan.

The second issue confirms what Trump says about a “deep state.” If bureaucrats are making war plans without the knowledge of the constitutionally authorized executive, it means that there is a national defense/intelligence community that is operating without legal authority.

Some speculated that the report was designed to act as a warning to Russia (although why it is important to warn the Russians, but not the President raises more questions).

Apparently, the Russians took the story seriously. The Moscow Times reported, “Russia has uncovered and thwarted attempts by the United States to carry out cyber-attacks on the control systems of Russian infrastructure, Russian news agencies cited an unnamed security source as saying on Monday.”

“The disclosure was made on Russia’s state-run RIA and TASS news agencies days after the New York Times cited unnamed government sources as saying that the United States had inserted potentially disruptive computer code into Russia’s power grid as part of a more aggressive deployment of its cyber tools.”

The Russian News Agency reported, “According to the Kremlin spokesman [Russian Presidential Spokesman Dmitry Peskov] Russia has repeatedly said “that the vital areas of our economy are under continuous attacks from abroad.” “We regret to say that,” Peskov said, adding that the relevant Russian agencies continued to counter those attacks in order to prevent damage to the country’s economy.”

Peskov also pointed out that “it was President Putin who has on numerous occasions sought to initiate international cooperation to counter any sort of cyber-crime.” Unfortunately, our American partners never responded to our initiatives,” he noted.

While it remains unclear precisely how the digital hacking of the Russian power grid is manifesting itself, Saturday’s report has clearly gotten the attention of Russian foreign policy commentators.

“This is a direct challenge that Moscow cannot leave unanswered,” Ruslan Pukhov, an arms expert and head of the Center for Strategies and Technologies, told the Russian business daily Kommersant.

Despite the Russian protests, the CSIS reported that major cyber-attacks on Russia over the last 13 years were less than two dozen.

Attacks on America

This cyber hacking isn’t just a one-way street. The US is also being attacked – with the prime suspects being Russia, China, North Korea, and Iran. In fact, the CSIS reports that the US is a victim more than any other country in the past 13 years. Meanwhile, China, Iran, North Korea, and Russia are the biggest offenders.

The website, Arstechnica reported that the very same hackers who caused issues in the US and Middle Eastern gas and oil industry with Triconex malware are poking around in America’s power grid.

“In a new troubling escalation, hackers behind at least two potentially fatal intrusions on industrial facilities have expanded their activities to probing dozens of power grids in the US and elsewhere, researchers with security firm Dragos reported Friday.

The group, now dubbed Xenotime by Dragos, quickly gained international attention in 2017 when researchers from Dragos and the Mandiant division of security firm FireEye independently reported Xenotime had recently triggered a dangerous operational outage at a critical-infrastructure site in the Middle East. Researchers from Dragos have labeled the group the world’s most dangerous cyber threat ever since.”

“Now, Dragos is reporting that Xenotime has been performing network scans and reconnaissance on multiple components across the electric grids in the US and in other regions. Sergio Caltagirone, senior VP of threat intelligence at Dragos, told Ars his firm has detected dozens of utilities—about 20 of them located in the US—that have been subjected to Xenotime probes since late 2018. While the activities indicate only an initial exploration and there’s no evidence the utilities have been compromised, he said the expansion was nonetheless concerning.”

“The threat has proliferated and is now targeting the US and Asia Pacific electric utilities, which means that we are no longer safe thinking that the threat to our electric utilities is understood or stable,” he said in an interview. “This is the first signal that threats are proliferating across sectors, which means that now we can’t be certain that a threat to one sector will stay in that sector and won’t cross over.”

Are the US and Russia the only Threatened Nations?

Events this week in South America and even the Eastern coast of the US raised questions about whether cyber-attacks on the power grid are already taking place.

Millions of South Americans in Argentina, Uruguay, and Paraguay were in the dark for hours this past weekend. Although officials don’t currently have proof of cyber-malfeasance, they’re not ruling it out.

“At this moment we cannot rule out any possibility….as anything can happen as per the current cyber landscape”, said Gustavo Lopetegui, Energy Secretary of Argentina.

“Millions of people were left in darkness and still some regions were suffering under the incident pressure,” says Mauricio Macri, President, Argentina.

The power outage fell on a day of provincial elections in some of Argentina’s provinces.

Meanwhile, the American train service for the northeast, Amtrak announced on Wednesday that trains travelling between New York and Philadelphia weren’t running due to electrical problems.

Is Cyber Hacking the Power Grid an Act of War?

Although many nations have made it clear that cyber hacking is a hostile act, does this really rise to an act of war?

Not really. There have been about 120 cyber-attacks on the US in the past 13 years – many from nations – and war hasn’t been declared. Nor have any other victims like India, South Korea, the UK, and Israel gone to war over hacking.

Of course, all of these countries also have their own cyber hacking teams.

What has occurred is an unofficial understanding about how far a nation can go in hacking another nation. And, in many ways it is like the rules that NATO and the Soviet Union played during the Cold War.

These rules still apply between NATO and Russia today.

NATO and Russian military aircraft regularly make runs towards their opponent’s airspace – frequently penetrating it (this occurred a few days ago as American B-52s flew close to the Crimea). The reason for these sorties is to see how quickly the offended nation scrambles its fighter aircraft to intercept the intruder and what radar frequencies are used.

When the intruder is intercepted, a set of strict rules of behavior are observed. No hostile actions are made nor are fire-control radars turned on. The intruder is then escorted out of the airspace, while the aircrews take pictures of each other.

Cyber hacking follows the same sort of rules. While both sides deplore hacking, all of them do it. Each side tries to penetrate the others computer grid and even place viruses in it. This gives both sides an idea of the opponent’s capabilities and ability to react.

However, both sides have avoided an activation of computer malware that would crash the opponent’s power grid.

This implies that most countries really draw the line at an active attack that would bring down their power grid.

Can this type of unofficial agreement work? It did for NATO and Soviet aircraft for decades.

The problem is that the enemy was obvious when aircraft penetrated airspace because aircraft type and markings made it clear who was perpetrating it.

It isn’t so clear in the world of cyber warfare. Malware doesn’t have national markings on it and many of the major countries could mask their malware, so it looks like the work of another nation.

While cyber warfare fits into the acceptable gray area of international relations like spying, it does pose its own problems. The potential for false flag attacks is great. Consequently, the risks of a nation overreacting are much greater.

Comments