The 2000s saw the first global cyber attack with the release of ILOVEYOU, a computer worm that infected millions of computers around the world in an effort to steal passwords and allow its creator to access the Internet for free. Over the next ten years newspapers reported China’s infiltration of US and UK defence networks, Russian attacks on Estonia and Georgia, and North Korean denial of service attacks on South Korea and the US.
However, it wasn’t until the 2010s that cyber attacks (or “offensive cyber operations” to the military) really burst into the mainstream. This article reviews offensive cyber operations over the past decade, groups them by thematic objective, presents a case study for each, and considers what the military can learn from them.
While each of the case studies has its own lessons, they share a key theme: they demonstrate that cyberspace is a key element of the battlespace, and effects launched from, or occurring within, cyberspace readily have an impact outside of it.
Offensive cyber for espionage
Offensive cyber can provide understanding by gaining access to confidential information, bringing espionage into the digital age. This form of attack uses offensive cyber techniques to gain unauthorised access to systems and steal the data they hold for the purposes of the attacker.
As with conventional spying, many governments around the world have been implicated in some form of cyber espionage campaign. However, the most prolific offender is almost certainly China, whose government has aggressively targeted others over the past decade and beyond. Its objectives have been twofold: firstly, to obtain intellectual property to pass on to domestic organisations and fuel China’s economic growth, and secondly to obtain sensitive information for intelligence and security purposes.
Both of these objectives have a defence impact: domestic economic growth enables increases in defence spending, and information stolen by China may directly increase the threat it poses. For example, China’s stealth fighter programme has significantly benefited from research and development stolen from the F-35.
Operation Cloud Hopper is one of the most notable and sustained examples of Chinese cyber espionage from the 2010s. Cloud Hopper was perpetrated by a group known in open source as APT10 and linked to the Chinese government’s civilian intelligence and security agency, the Ministry of State Security (MSS). The attack targeted Managed IT Service Providers (MSPs) – organisations contracted to provide and manage IT on behalf of others – and exploited the legitimate access they had to their clients’ systems and data. By doing so, the MSS was able to steal intellectual property from hundreds of organisations by targeting only a few. The industries of those compromised organisations were closely aligned to China’s 2016 “five-year plan” and the data they held was therefore highly valuable for economic growth. This economic growth in turn enabled increased defence budgets: spending grew by 81% from 2010 to 2020.
As well as demonstrating the utility of offensive cyber operations to enable espionage, China’s extensive intellectual property theft throughout the 2010s underlines the relevance of cyberspace to other domains of conflict. Adversary advantage in cyberspace (i.e. successful offensive cyber operations) can lead directly to advantage in other domains; conversely, insecurities in cyberspace (i.e. the failure of defensive cyber operations) can lead directly to insecurities in other domains.
Offensive cyber to finance other operations
Offensive cyber can enable other operations by providing funding. This can be achieved in many ways: for example, by developing offensive cyber tools and licensing access to others for a fee, holding organisations to ransom using offensive cyber tools (e.g. ransomware), or using offensive cyber operations to conduct fraud. While such enterprises are normally the domain of criminal organisations, North Korea is an exception; the regime has targeted financial services institutions around the world to conduct a number of high-payoff frauds over the past decade.
One of North Korea’s most notorious attempts at fraud was the 2016 “robbery” of the Bank of Bangladesh. In this operation, attackers issued fraudulent instructions through the SWIFT interbank network in an attempt to steal nearly $1 billion, of which they successfully obtained $81 million. To do so, they compromised the Bank’s internal network and instructed the Federal Reserve Bank of New York to transfer funds to four attacker-owned accounts in the Philippines, from where the money was distributed to a network of other accounts.
Cyber security firm FireEye found that these money-making cyber operations, tied to North Korea’s Reconnaissance General Bureau, began a year after the United Nations Security Council imposed sanctions limiting the regime’s access to foreign currency. These cyber attacks were therefore almost certainly planned and conducted to sidestep these restrictions.
As well as enabling the ruling Kim family’s notoriously lavish lifestyle, the payoff from these operations has clear defence impacts, both in terms of international relations with North Korea and more broadly. These operations have provided a covert funding stream which mitigates the impact of international sanctions, diminishing the effectiveness of one of a limited number of non-military tools available to the West and enabling ongoing access to foreign goods. They also provide a real-world training ground for North Korea’s cyber operators, who may later attack higher-impact defence or government targets.
However, perhaps most notably, the profits of these operations (estimated at nearly $2 billion USD by the UN) fund nuclear weapons programmes which pose a clear and present danger to regional stability. This demonstrates the broader utility of offensive cyber as a mechanism for providing covert funding for illicit groups and rogue states (and thereby bolstering their capability), just as terrorist groups have historically relied on bank robberies and other forms of organised crime to fund their operations. Just as with China’s cyber-enabled espionage, this shows how advantage in cyberspace can enable advantage in other domains.
Offensive cyber for information operations
Offensive cyber can be used to support information operations, and to influence populations and their decision making.
As highlighted in the recent “Russia Report” from the Intelligence and Security Committee of Parliament, Russia has used offensive cyber operations to support a broader campaign of information operations targeted at undermining Western governments and society. One high-profile example of this is its compromise of the US Democratic National Committee (DNC) and the subsequent leaking of data in an attempt to undermine the 2016 US Presidential Election.
In this attack, Russian military intelligence (the Main Intelligence Directorate or GRU) gained unauthorised access to the DNC network, compromising a large number of systems including mail and file servers. The GRU obtained thousands of documents and copied them to GRU-controlled computers. Simultaneously, the GRU created the DCLeaks website to host the stolen documents, crafted the “DCLeaks” and “Guccifer 2.0” personas to release them, and also passed the documents on to WikiLeaks. This operation was designed to undermine the American public’s confidence in democracy and in Hillary Clinton, who the Russian Government believed was likely to win the Presidency; both of these objectives would benefit Russia’s foreign policy.
Such operations are, of course, nothing new for Russia, which has used cyber-enabled information operations repeatedly. Their use demonstrates how offensive cyberspace operations can have a strategic effect, both during wartime (as during the 2008 Russo-Georgian War to undermine public support for the Georgian government) and during peacetime (with Russia’s undermining of American democracy by targeting the DNC).
Offensive cyber to cause kinetic effect
Finally, offensive cyber can be used to achieve kinetic effects, and to replace the requirement for conventional military operations. This could include the denial, disruption, or destruction of property, or physical harm to individuals. Indeed, the UK’s Defence Secretary stated in July 2020 that “cyber attacks are every bit as deadly as those faced on the physical battlefield”.
In some cases these kinetic effects may be unintentional or an indirect consequence of a broader attack. For example, the 2017 “WannaCry” cyber attack infected 1,220 pieces of the UK’s National Health Service (NHS) medical equipment; while the National Audit Office’s subsequent after-action report did not identify any direct harm to individuals, the resulting cancellation of thousands of appointments likely caused indirect harm. Yet the targeting of the NHS in this attack was likely incidental, and the motive of the North Korean attackers was monetary.
There are also documented examples of offensive cyber operations having intentional kinetic effects. Security researcher Matt Wixey spoke about this in his 2019 DEF CON talk, citing examples including: malware tampering in near real time with CT scans to add or remove evidence of lung cancer, attackers posting animations designed to trigger photosensitive epilepsy to web forums, and hacking pacemakers to withhold or deliver shocks and cause heart problems.
However, perhaps the most notable example of a cyber attack causing kinetic effect is Stuxnet. First discovered by security researchers in 2010, this joint US/Israeli attack likely began in 2008 and was designed to degrade Iran’s nuclear enrichment programme. It did so by initially infecting five Iranian companies linked to the programme, and moving via USB drives to eventually infect systems at Iran’s Natanz nuclear power plant. Once these systems were infected, Stuxnet caused around 1,000 centrifuges (used to enrich uranium for both power generation and nuclear weapons) to spin outside of their designed limits and fail. The failure of these centrifuges temporarily denied Iran around 20% of its total uranium enrichment capability, resulting in delays to the broader nuclear programme without the use of any conventional force.
While the other case studies in this article have primarily focused on offensive cyber operations as an enabler, Stuxnet demonstrates how these operations can have a direct kinetic impact and project power globally without deploying forces. As offensive cyber capabilities continue to develop, it is highly likely that more examples of direct kinetic impact will emerge, and that the impact of these operations will increase.
Gabriel Currie is a cyber security consultant, and specialises in rapidly improving organisations' abilities to prevent, detect and respond to targeted cyber attacks. He has led the response to a range of serious cyber incidents linked to serious and organised crime and state-sponsored hacking groups. He is also a JNCO in the British Army Reserve.