During my day-2 presentation at the Club Hack Conference, the one titled “Cybercrime, CyberWar, Information Warfare: what’s this all about, from a Hacker’s perspective? New rules for a new world”, I noticed a deep interest from the audience.
All of the delegates, whether from the InfoSec industry or from military environments, followed this presentation with high and genuine interest, possibly due to the topic and keywords of the talk itself.
I designed the slides together with Mr. Jart Armin, founder of RBN Exploit and Hostexploit.com and one of the world’s top experts on the RBN, the infamous Russian Business Network we are used to hearing about. Besides being a wonderful person and a highly skilled professional, Jart belongs to an international network of experts working closely with Law Enforcement and the IT industry in the daily fight against cybercrime.
By combining our backgrounds, we were able to develop this very first presentation on such topics, bridging both experiences and contacts in order to build something new and bring a totally new approach to the subject. Given the amount and nature of the feedback, both on-site (after my talk) and in the emails I have received, I can definitely say that we reached our goals 🙂
Reasons to speak about Information Warfare from a hacker’s perspective
After 9/11, the IA (Intelligence Agency) world started to “hunt” for hackers, meaning that it made its very first move into the digital underground, looking for hacking resources to hire for specific goals.
At the beginning, the US Government was informally seeking hackers in order to attack and/or infiltrate the Al Qaeda communication network. I do remember requests related to hacking into Thuraya (http://www.thuraya.com/), a Middle East-based satellite operator.
Intelligence gossip at that time claimed that Al-Qaeda members had been seen using Thuraya phones, and this may obviously have led IAs to imagine a scenario in which, had somebody been able to obtain both the CDRs (Call Detail Records) and the satellite information of specific Thuraya users, analyzing and correlating those data could have won the war against one of the main actors in worldwide terrorism.
Then time passed, and no more requests for “on-demand” hacking of Thuraya’s network were made to the world’s most notorious old-school hackers, at least as far as I know. During 2002 and 2003, though, those guys witnessed a huge escalation of different requests, this time coming from US- and Israel-based IAs. These agencies were asking for 0-days, probably to be used in specific scenarios. Also, a few people got “softly detailed” requests to run black operations (hacking attacks for Intelligence purposes).
2005 saw official claims of attacks pointing to China as their source, which raised the very big issue of Attack Source Attribution (identifying the Source of the Attack), an issue that is still unresolved today.
Finally, from 2008 up to now we have become aware of National Critical Infrastructures (NCIs) and of the issues involved in trying to secure them, together with their very deep link to SCADA and Industrial Automation (IA) security.
Analyzing the nutshell
If we take a look at the wonderful graph made by the folks at Hostexploit.com, we will notice how everything I have written above in this article perfectly fits the facts and what actually happened.
While the 2000-2003 period was one of testing, during 2003 and 2004 we can see the extortion approach rising, which would explain and justify why US and Israeli IAs (namely, just the “tip of the iceberg”) may have been seeking e-weapons.
All of this then leads us to 2005-2007, where I can see a deep, highly shaken mix of the China attacks and the “botnets for hire” boom, not forgetting what happened in Estonia (2007) and Georgia (2008).
The last three years have shown all of us the botnet concept neatly applied to both Cybercrime and Information Warfare environments, while affairs such as Vodafone Greece (2004/2005), the Telecom Italia “Tiger team” scandal (2003/2005), Stuxnet (June 2010) and Israel vs Lebanon & Egypt (December 2010), not to mention the Wikileaks (and CableWeaks) one, definitely helped us draw the big picture and realize what this is all about.
Today’s trends see IAs and MoDs deeply scouting hacker environments and the underground, hiring specialized know-how for mission-oriented capabilities such as a 0-day e-arsenal, launching cyber attacks and protecting National Security, rather than relying on the Industry and on the Underground and Public communities to analyze malware and obtain early warnings, alerts, malware trends and statistics.
So, over the next few years we will hear about a few new terms, such as Next Generation Cybercrime (NGC) and Next Generation Warfare (NGW), along with the evergreen Cyberwar and Information Warfare.
From Cybercrime to Information Warfare, through Industrial Espionage
Deep links do exist between Cybercrime and the very concept of Information Warfare. This happens because today’s information is digitally stored, whether parked on hard drives or on-line, from virtual hard drives to social networks, passing through the Cloud. So, we have just said that this information is digital. This means, besides the media where it is stored, that it sits in a file: it could be an email file, an Excel or Word document, a PDF or a PowerPoint presentation, an OpenOffice document, a simple text (txt) note. But it is still a file, whose security relies on the operating system of the computer storing it as well as on the whole context and scenario around it: server farm rather than home users, so to speak.
This is one of the main reasons why Industrial Espionage incidents have risen drastically in the last 20 years, thanks to the Digital Revolution and to the resources and opportunities offered by IT and TLC (telecommunications).
In both cases we find “instruments” like botnets, DDoS tools, 0-days and so on that, depending on the scenario, can be labeled either “cybercrime tools” or “e-weapons”.
While the Underground Economy business model is indeed a wonderful and exciting field of study, it is my opinion that what we should learn from the cybercrime environment – and apply to our needs and scenarios – is mostly the technical part. Analyzing the “life” of botnets, as well as reverse engineering the latest malware and the vulnerabilities exploited by 0-days, may lead us to a totally new world and new perspectives, where the concept of electronic weapons to be applied and used in Information Warfare scenarios becomes completely real.
We will witness an escalation of digital attacks, some of which will become public while others will not. The recent interest NATO showed in Lisbon a few weeks ago is an important sign: “in case of cyberattacks on a NATO Member, the other Members should support and help the State under attack”. This means really a lot, and automatically brings in aspects such as Information Sharing, CERT involvement (mainly Gov and Mil ones), Incident Management, a Coordination Center, establishing defined Points of Contact among all the Members, and defining the Chain of Cyber Command and how it will interlink and interact with the outside world.
Because the threat is global, just as cybercrime is borderless.
What’s already happening?
Former speaker at the Duma Nikolai Kuryanovich made a very strong yet visionary statement back in 2007:
“In the very near future, many conflicts will not take place on the open field of battle, but rather in spaces on the Internet, fought with the aid of information soldiers…
This means that a small force of hackers is stronger than the multi-thousand force of the current armed forces.”
Nowadays many States have already begun, through their Ministries of Defence, to work on topics such as an official Cyber Doctrine, Cyberwarfare training, Cyberwarfare exercises and simulations, building an IT roadmap (from a military and National Security point of view), working with the IT industry and technical universities (see Malaysia, China and many others), establishing Information Warfare units and, obviously, starting to keep records of hacking activities against other Nations.
This is not a futuristic scenario; here we are talking about something that already happened a long time ago. It was in the mid-80s when CCC members Hagbard and Pengo used to hack into Government and Military contractors, as well as centers and research labs, in the USA, handing the results of their hacks over to the KGB and receiving money and facilities from them. Hagbard was found dead, hanged from a tree outside the town he was living in, and burned.
Vodafone’s Head of Network Design, possibly involved in the 2005 Vodafone Greece affair, was found dead in an apparent suicide. The same goes for Adamo Bove, who worked on Telecom Italia’s Lawful Interception System. And the same recently happened to Majid Shahriari in Iran, where everything seems to be related to the Stuxnet worm (http://www.debka.com/article/20406/).
It’s out there, right now.
No, we are not talking about a Hollywood movie, though it would make a great screenplay. This is reality. It is a paradigm shift, where the classical war between armies has reached its long-term apogee and a new paradigm has recently begun. So the “good old” Menani scale of cyberconflicts, rising from Cybervandalism to Internet crime, Cyberespionage, Cyberterrorism and Cyberwar, will sadly need to be “enhanced”: new rules for a new world.
Note from the Author
In this article I have reported information gathered from personal experience and my network of contacts; nevertheless, everything I state here is “suspected to be so”, meaning speculation and possible scenarios.
Also, I have to underline that the views expressed are those of the author(s) and speaker(s) and do not necessarily reflect the views of UNICRI or other United Nations agencies and institutes, nor the view of ENISA and its PSG (Permanent Stakeholders Group).
About the Author
Raoul “Nobody” Chiesa is 36 years old and lives in Turin, Italy. At UNICRI (United Nations Interregional Crime & Justice Research Institute) he is a Senior Advisor on Cybercrime and manager for Strategic Alliances. Raoul is also a member of the ENISA (European Network Information & Security Agency) Permanent Stakeholders Group (PSG) and a recognized international security expert, running his own independent security consulting companies, @ Mediaservice.net (a Security Advisory company) and @ PSS (Digital Forensics consulting). He can be contacted at chiesa [at] UNICRI [dot] IT