• Home
  • Site Map
  • Contact Me
  • Famous Smith's
• History of Art and the Science of Crafts
  • Ancient Civilisations
• Decorative Arts and Antiques
  • What is Pottery and Ceramics?
• Science & Technology
  • Mesopotamian Science and Technology - I
  • Mesopotamian Science and Technology - II
  • Mesopotamian Science and Technology - III
  • The Manhattan Project
• Computer Science
  • Computer Security
    • Relay Attacks
    • Remote Access Trojans
    • Face Recognition
  • Cyber Warfare
  • Cambridge Analytica & Facebook
  • Social Media - Reset
• The minutiae of everyday life …
  • General Knowledge
    • Major Religious Festivals & Public Holidays
    • Paradises, Utopias, Heavens, Hells, and Mythical Places
• English Language
  • What is language?
  • Parts of Speech
  • Figures of Speech
  • Vocabulary
    • My Everyday English Slang
    • New Words - New Meanings
    • Old Words - Old Meanings
      • Jargon, Slang, and Cant
  • Abbreviations, Acronyms and Initialisms
  • Sayings
• Computatrum
  • My Computers
  • How to use Apple Photos
  • Video Editing - Beginning
  • Apple Tips & Tricks
    • Slow Mac?
• Le Cabinet de Curiosités
  • Bridge - Introduction
    • Basic Probabilities
    • Sick of Probabilities?
    • Hand Evaluation
    • Bidding Basics
    • Leads
  • Gardens in Andalucia
    • Olive Trees and Olives

Bernard Smith

Learning about the world, one fact at a time…

• Home  
• Computer Science  
• Cyber Warfare  

Cyber Warfare - weapons of mass disruption

last update: 19 Nov. 2019

If your interested in the story Cambridge Analytica - Facebook you can check out the webpage on this website and also go to a link to a set of additional documents.

For some more up-to-date information and comments on Cyber Warfare you can also check out my 'Brain’ on the topic.

Introduction - from Cold War to 'code war'

Warfare and Cyber Warfare

Fifth-generation warfare involves destroying a specific target without actually seeing it, e.g. a kind of non-contact warfare. The V-1 and V-2 buzz bombs were early examples, however today laser and GPS-guided weapons (smart weapons) provide added precision and accuracy. The Predator drone equipped with Hellfire missiles is often used as a starting point for fifth-generation warfare (2001). At this point targets could be specific pieces of infrastructure or even individual human beings.

A kind of fifth-generation (plus) also exists, combining combat forces with drones (unmanned aerial vehicles), unmanned underwater vehicles, and ground robots (unmanned ground vehicles). Other military experts have also placed nuclear weapons as part of fifth-generation warfare. No longer is thermonuclear war seen as a tool to create and maintain a strategic stalemate. Today there is a completely new generation of nuclear weapons with yields less than 1 kiloton. i.e. the 'micrornuke' with yields well below that of the first bombs used on Hiroshima and Nagasaki. This article provides a good description of 'micronukes', even if it goes on to suggest that numerous past terrorist attacks were in fact 'micronukes' masked as conventional explosions. In my opinion such devices would be almost impossible to make even by the most skilled terrorist organisations (at least today), and as far as I know there are no publicly available and verifiable reports on very small, concealable nuclear devices. Nor, to my knowledge, have there been any reliable reports about detecting trace radioactivity or any activation of structural components, etc. at any past terrorist attack. However, we should not underestimate the continued interest in tactical nuclear weapons, such as the Davy Crockett device, and W54 and suitcase device. In fact the U.S. tested recently their first precision-guided nuclear bomb, and it is well known that some countries have focussed on small tactical nuclear weapons, e.g. Pakistan has said it would be prepared to use low-yield nuclear weapons against India’s 'Cold Start' doctrine.
Another element of fifth-generation warfare were/are the so-called “Colour Revolutions”, such as the 2003 Rose Revolution in Georgia or the 2004 Orange Revolution in Ukraine. Seen by many as popular uprisings and protest movements for replacing restrictive governments with more liberal legitimate ones, the Russians suggest that the U.S. incited the uprisings to destabilise the regions for political gain (and Crimea was the Russians just doing the same thing). In any case one 'hidden' aspect of fifth-generation warfare is the post WW I (U.S. lead) ideal that everyone has the right to self-determination, even if the notion of 'self' was never defined.
So fifth-generation warfare also includes protests (by “ad-hoc warriors”), information warfare, destabilisation, government opposition, economic 'warfare', humanitarian interventions, and peacekeeping forces (and for some experts this (still) also includes terrorism and guerrilla warfare). The key is that fifth-generation warfare reduces the reliance on pure military force. But it also allows a government to view organic internal opposition as identical to hostile foreign subversion. So another key element of fifth-generation warfare is the inability (or unwillingness) to differentiate between legitimate dissent and foreign aggression. Other experts see fifth-generation warfare as being highly decentralised (using 'extreme' coordination methodologies enabling people to 'fight alone'), and involving so-called 'black globalisation' and the creation of virtual states. Fifth-generation sabotage is intended to disrupt existing systems and undermine global order, and is often inspired by the ideas of 'creative destruction'. Experts suggest that the aim is to show the impotence of secular military might, and the key is to win by not losing, whereas nation-states lose by not winning. Fifth-generation warfare includes car bombs, narcotic trafficking, individual stabbings, 'random' acts of violence ... The suggestion is that the aim is not to make one party submit to the will of the other, but to compel one party (the enemy) to accept the interests of the other.

Sixth-generation warfare is about the 'informatisation' of conventional warfare, and includes precision strike systems which make the massing of conventional forces suicidal. This type of warfare has also been termed 'system-versus-system' warfare, where distant, no-contact operations take place. A vital component of sixth-generation warfare is the C4ISR concept of Command, Control, Communications, Computers, Intelligence, Surveillance and Reconnaissance, sometimes including also a T for Target Acquisition (ISTAR). Experts have placed a number of other topics within sixth-generation warfare, ranging from the Arab Spring (2010-2012), missile defense systems, the Russian global navigation satellite system GLONASS, the Falcon HTV-2 hyper-sonic unmanned bomber, Topol-M the Russian intercontinental ballistic missile, and even prisoner exchange. The US Conventional Prompt Global Strike capability is seen as the “perfect” example of distant, no-contact warfare.

Seventh-generation warfare will be totally automated warfare. First, the enemy’s commercial and military communications systems, power grid, and water utilities must be shut down using advanced electronic warfare (EW) systems and cyber-weapons, or even localised EMP (electromagnetic pulse) weapons. This should disable their economy and banking system. Think that is futuristic? On 31 March 2015, Iranian military hackers shut-down the power grid to 44 of the 81 provinces in Turkey in retaliation after Turkey’s President Erdogan made statements supporting the Saudi bombings of the Houthi rebels in Yemen (who are supported by Iran). Iran and Houthi are Shia, while Turkey and Saudi Arabia are Sunni.
Next, the enemy’s airspace must be controlled by swarms of flying autonomous weapon platforms (lethal autonomous weapons), neutralising their air force (creating no-fly zones). Ports and seacoast must be controlled by swarms of autonomous naval surface vessels, unmanned underwater vehicles (UUV’s) such as smart torpedoes, and upward falling platforms (UFP’s), thereby eliminating the enemy’s naval forces. Ground forces can be attacked using swarms of aerial and ground-based weapons platforms. Satellite and unmanned aerial vehicle (UAV) intelligence gathering systems capture enemy movements and actions, feeding to autonomous weapons platforms commanded from a home base. There is no need for a single boot on enemy soil. The objective of automated warfare is to “subdue the enemy without fighting” by eliminating his ability to fight, thereby destroying his will to fight.
So the aim is to integrate a state’s capabilities, and at a distance and with minimum physical contact, obtain a quick decisive victory by destroying an enemy’s war waging potential and their command and control systems. Experts talk today of integrating ‘destructive kinetic energy’ and 'relentless information operations'. One essential function of ‘information operations' is cyber warfare, i.e. attacking the enemy’s communication networks and electronic systems whilst protecting their own. It also involves collecting critical information and cyber deception.

The Cyber-Arms Industry

What is a Cyber-Attack?

Cyber Warfare: China, Russia, and the U.S.

What Next?

• Almost every new geo-political event is coupled with a cyber attack

• The skills to make theft-oriented (national secrets, money, intellectual property) attacks are now present in virtually every country on Earth

• Increasing presence of non-state attacks designed to disable or destroy infrastructure

• For the moment cyber attacks will remain interesting because of the relatively low cost of entry, because the perceived payoff’s are high, and because the consequences don't appear significant

• Nation-states will increase their efforts on attribution, on sanctions, and on norms that deepen understanding about what is acceptable and unacceptable behaviour in a cyber conflict

• Trend to increased reliance of drones, autonomous robots, etc., which places a premium on hardening defences against cyber attacks (i.e. dronejacking), and offensive capabilities in the same field

• Trend to attack “smart city” infrastructure, i.e. intelligent traffic control, on-demand street lighting, energy management systems, building automation (heating, ventilation, lighting, alarms, lifts, etc.), and later, services such as self-drive cars

• Trend to increasing attacks on IoT (Internet of Things) devices (beyond the usual default passwords and hardcoded backdoors), and the development of Shadownets (i.e. IoT botnets)

• Trend to automated attacks against groups of smaller targets, and highly customised attacks against larger targets

• Trend to autonomous malware designed to adapt to overcome a targets defences, learning the best way to attack systems based upon an understanding of the applications being used, transaction details, traffic flow, network architecture, and security tools that appear to be used, i.e. so-called polymorphic and metamorphic malware

• Trend to malware that can work across multiple platforms, include mobile

• Trend towards flood attacks (a form of denial-of-service attack but with >25 Gbps) on both TCP and UDP (e.g. Brobot botnet from 2014)

• Trend towards queries to a domain name system (DNS) server with spoofed address that identifies the target, and the replies for the DNS servers flood the target (can be coupled with compromised DNS servers to ensure amplification up to 100 times)

• Trend to http flood attacks due to overwhelming number of page downloads

• Trend to encrypted attacks which consume up to 15 times more CPU in order to process the encrypted attack traffic (different from file encrypted ransomware)

• Trend towards attacks on health, gaming, education, hosting and ISP, and government (always government), e.g. a medical centre in Los Angeles paid the equivalent of $17,000 in Bitcoin after a ransomware attack on its computers

• Continuing trend to “low & slow”, application misuse, SQL injection, SSL encrypted flood, and cross site scripting

• Trend to changing data rather than pure theft, causing reputational damage, brand damage and erosion of trust, e.g. increasingly chatbots will be hacked in order for them to acquire credit card numbers, etc.

• Trend to multiple attacks, one after another, on the basis that you can’t stop everything

• Trend to constant attacks against target

• Trend to move botnets to server infrastructure

• Trend to http post requests, sending one byte every 10 seconds, making the connection last forever, and when done in parallel exhausts server resources.

Can We Set Rules for Cyber Warfare?

Some Major State-Sponsored Attacks

On the 31 December 2016 it was reported that “Grizzly Steppe” malware was found on a laptop of a US electrical company. It was on the same day that the US expelled 35 Russian “diplomats” over alleged Russian interference in the US presidential elections. CERT has clearly stated that this was a product of the Russian civilian and military intelligence services. Here is an alternative view on the topic.

On 27 December 2016 it was reported that the Russians made a phishing attack on US think tanks and non-profit organisations, using a fake Harvard email address.

On 11 November 2016 it was announced that at least five Russian banks suffered prolonged DDoS attacks of their online banking services. The attack originated from a botnet of at least 24,000 computers located in 30 different countries (and peaked at 660,000 requests per second). The attack is said to have originated from a botnet of IoT (Internet of Things) devices. Some experts suggest the Mirai botnet was used, but others have stated that it was not used for this attack. Russian banks have also been targeted in the past, in 2015 eight banks were hit by DDoS attacks.

The malware Mirai spreads to vulnerable devices by continuously scanning the Internet for IoT systems protected by factory default or hard-coded usernames and passwords (using a password guessing technique based upon a dictionary). Vulnerable devices were “seeded”, turning them into “bots” which were then used for DDoS attacks. Mirai is one of two recent malware tools designed to create IoT botnets, the other being “Bashlight” (but they used the same principles). Mirai was first seen on 20 September 2016 during an attack on the website of Brian Krebs, and on the 30 September 2016 the source code was published. In an analysis of the code it was interesting to note a “Don’t Mess With” list including the U.S. Postal Service, the U.S. Department of Defence, and Hewlett-Packard. The code also kills off processes from other botnets (other memory scrapers) and blocks attempts of other botnets to access the compromised device. Lastly, some of the code contains traces of Russian-language strings.

The reality is that almost 5.5 million new things (IoT and others) are connected to the Internet each day, most not protected against attacks.

Over the weekend of 26-28 November 2016 almost 1 million users were thrown off the Internet after a Mirai-like attack on routers in Germany. With a twist on the idea of IoT attacks they used an open port normally used by Internet providers to remotely manage and maintain their routers.

On the 4 November 2016 the West African country of Liberia lost its Internet connections to the outside world after a massive DDoS attack using the Mirai IoT botnet.

On the 21 October 2016 the U.S. suffered its largest every Internet blackout with an attack that included Dyn, a dynamic domain name service provider to a collection of major U.S. websites (e.g. PayPal, Twitter, Amazon, Netflix, ...). This DDoS attack was made by a IoT botnet, in part powered by the malware Mirai. In this attack digital video recorders and IP cameras were compromised. It has been said that almost 150,000 CCTV cameras were involved, and that attacks were close to 1.1 Terabits per second (Tbps), which would exceed the traffic handling capacity of many networks.

In late September 2016, a separate Mirai attack on French webhost OVH broke the record for the largest recorded DDoS attack. That DDoS was at least 1.1 Tbps, and may have been as large as 1.5 Tbps.

On 7 October 2016 the U.S. government formally accused Russia of a campaign of cyber attacks against Democratic Party organisations ahead of the 2016 (November 8) presidential election. The accusation was that the Russian government was conducting or orchestrating cyber attacks against the U.S. Democratic National Committee (DNC) and the Democratic Congressional Campaign Committee, possibly to disrupt or discredit the election, in which Democrat Hillary Clinton faced Republican Donald Trump. It would appear that they stole more than 19,000 emails from Democratic party officials. This was just one of several attacks on the U.S. Democratic Party during 2015 and 2016.

The U.S. Democratic National Committee publicly disclosed earlier intrusions into its systems in June 2016 and held Russia responsible. Leaks of committee emails from pro-transparency group WikiLeaks followed on 22 July 2016, demonstrating what appeared to be favoritism for Clinton over another Democrat, Bernie Sanders, by committee chairwoman Debbie Wasserman Schultz (she later stepped down). In the statement of 7 October 2016, the U.S. government said disclosures of emails by WikiLeaks and hacking entities known as DCLeaks and Guccifer 2.0 “are consistent with the methods and motivations of Russian-directed efforts”. Guccifer 2.0 claimed to be an independent Romanian hacker, but security analysts have concluded they are more likely to be the public persona of a Russian hacking group. Many experts think that Guccifer 2.0 was/is part of the two Russian intelligence groups.
In the statement by the U.S. Department of Homeland Security and the Office of the Director of U.S. National Intelligence it was stated that “We believe, based on the scope and sensitivity of these efforts, that only Russia’s senior-most officials could have authorized these activities”.
Concerning state election systems, they did not blame the Russian government for hacking attempts, but said "scanning and probing" of those systems originated in most cases from servers operated by a Russian company. However, a Department of Homeland Security spokesman said U.S. officials had concluded that the hacking attacks or probes of state voter registration systems were "consistent with Russian motivations". Attacks in August 2016 on these systems in Illinois and Arizona involved the theft of as many as 200,000 voter records, and the FBI issued a “flash alert” to election officials.

At the same time Microsoft said there had been a small number of attacks using "spear-phishing" emails from a hacking group known as Strontium, which is more widely known as "Fancy Bear". Microsoft did not identify any victims. In spear-phishing, an attacker sends targeted messages, typically via email, that exploit known information to trick victims into clicking on malicious links or opening tainted attachments. Microsoft said the attacks exploited a vulnerability in Adobe's Flash software and one in the Windows operating system.
“Fancy Bear” were also said to be responsible for stealing in March 2016 the emails of John Podesta, the chairman of Hillary Clinton’s 2016 U.S. presidential campaign and a former White House chief of staff.
A second group, codenamed “Cozy Bear” or “CozyDuke” (or APT29), appears to have broken into the DNC as well, but has not yet distributed whatever information it may have retrieved. “Cozy Bear” is believed to be affiliated to the FSB, the Russian Federal Security Service most directly descended from the KGB (was the main security agency until 1991). For example, in August 2015 “Cozy Bear” was linked to an spear-phishing attack against the Pentagon email system causing the shut down of the entire U.S. Joint Staff unclassified email system and Internet access during the investigation. “Cosy Bear” (or ATP29) exploited Twitter to mask their attacks, using it to send commands to their malware Hammertoss. This malware generates a new Twitter handle everyday so that it can communicated with the hackers command and control server using specific Twitter accounts (many companies do not block outbound communication with social media). Tweets contained a URL and a hashtag, the URL lead to an image on a different server that contained a hidden message through a steganographic technique. The hashtag contained the file size of the image and the some characters that must be added to the decryption key stored within Hammertoss for extracting the hidden data in the image. In addition Hammertoss was only active during local office hours (hiding in local traffic), and equally only communicated to the command centre during working hours in Moscow (and it avoids Russian holidays).
“Cosy Bear” targeted the U.S. White House, State Department and U.S. Joint Chiefs of Staff, as well as companies and government agencies in Western Europe, China, Brazil and many other countries. Their preferred method is spear-phishing and they prefer to “live-of-the-land”, i.e. techniques that bypass security controls. Whereas “Fancy Bear” targets defence ministries and military officials in the U.S., Western Europe, Brazil, China, Iran and many other countries. Their preferred method is by registering domains that resemble legitimate domains and establishing phishing sites that spoof them.

“Fancy Bear”, sometimes under different names, have also been associated with attacks on the German parliament, on the French television network TV5 Monde, on NATO and the White House, on the World Anti-Doping Agency, and on the Dutch Safety Board and Bellingcat (who were investigating the shooting down of Malaysia Airlines Flight 17 over Ukraine). “Fancy Bear” is believed to be operating under the aegis of the GRU, Russia’s largest intelligence service.

On 13 September 2016 “Fancy Bear”, also known as Tsar Team (or APT28), illegally accessed ADAMS, the Anti-Doping Administration and Management System of the World Anti-doing Agency (WADA). They created an account for the Rio 2016 Games which included confidential medical data. This access was obtained by spear-phishing of email accounts, resulting in obtaining ADAMS passwords. Basically they created WADA-like domains and then harvested credentials using targeted illegitimate emails (spear-phishing). This is typical of the tactics, techniques and procedures used by “Fancy Bear”. For example, they used the same name server from ITitch[.]com as they used for the attack of Democratic Congressional Campaign Committee, and the domains were all registered through Domains4bitcoins[.]com. Registrar acceptance of anonymous Bitcoin payments is typical for “Fancy Bear”, as is their use of the same name server for their domains. The actual domains are hosted in Germany and Italy. The webmail address used to register these domains had already been used in the past by “Fancy Bear”. The attacks had started on 12 August 2016 when they obtained the ADAMS password for Yuliya Stepanova, the whistleblower that exposed widespread doing in Russian athletics (Vladimir Putin called her a “Judas”). They released her medical testing results, history and whereabouts. Unusually, it was announced that the hack had been made by Anonymous Poland (who it is assumed worked with “Fancy Bear”). Here is a full account. On 14 September 2016 they released data for 25 athletes from eight countries. On 19 September 2016 they released data for another 26 athletes, and on 23 September they released data concerning an additional 41 athletes.

There was a later report (3 April 2017) that Fancy Bear had hacked athletes’ therapeutic use exemptions.

“Fancy Bear”, using the name “Sofacy”, was responsible for a six-month-long attack on the German parliament that began in December 2014. Authorities feared that sensitive information could be gathered by hackers to later manipulate public opinion ahead of elections such as Germany's next federal election due in September 2017. For example, servers of the Die Linke party were attacked, one was attacked with an open source utility used to remotely issue commands on Window hosts on the network, and another was forced to act as a tunnel to allow attackers to maintain a persistent link to the compromised network. In 2016 Germany accused Russian intelligence agencies for both the earlier attacks (mostly spying for information), and the more recent sabotage attacks designed to close down the computer systems in the Angela Merkel’s conservative party and in the Bundestag.

In August 2015, “Fancy Bear” spoofed the Electronic Frontier Foundation (EFF) and launching spear-phishing attacks on the White House and NATO (as part of “Pawn Storm”). They used a zero-day exploit of Java to take control of visitor’s computers. The EFF later won control of the spoof site, ElectronicFrontierFoundation.org, through a cybersquatting complaint with World Intellectual Property Organization. Sofacy (otherwise known as “Fancy Bear”) were behind the “Pawn Storm” operation (which is in fact a type of chess strategy). For once “Pawn Storm” was also found on Apple iOS devices. “Pawn Storm” was part of a Sednit-related spyware attack designed to steal personal data, record audio, make screenshots, and send them to a remote command and control server. Sednit would appear to be designed to steal confidential information from high-profile individuals, starting with their email credentials (mostly Gmail), and asking them to urgently act upon an emailed request by clicking on a link (thus infecting the targets computer).

Journalists associated with bell¿ngcat (a website for “citizen investigation journalists” and started by Eliot Higgins), researching the shoot down of Malaysia Airlines Flight 17 over Ukraine, were targeted by numerous spear-phishing emails. The messages were fake Gmail security notices with bitly and Tiny.CC shortened URL’s (link management and branding platforms). According to ThreatConnect, some of the phishing emails had originated from servers that “Fancy Bear” (Russian’s “attack dogs”) had used in previous attacks elsewhere (later in 2016 CyberBerkut, a pro-Russian Ukrainian hacktivist also defaced the bell¿ngcat website). bell¿ngcat is best known for having accused Russia of being culpable for the shoot down of MH17, and is frequently derided in the Russian media.
“Fancy Bear” also targeted the Dutch Safety Board (DSB), the body conducting the official investigation into the crash, before and after the release of the board's final report. They set up fake SFTP and VPN servers to mimic the board's own servers, likely for the purpose of spear-phishing usernames and passwords. A spokeswoman for the DSB said the attacks were not successful. Coupled with the attacks on bell¿ngcat, fake satellite images were also shown on Russian State television (post-truth) suggesting that MH17 was shot down by a non-Russian (i.e. Ukrainian) aircraft.

On 8 April 2015, French television network TV5Monde was the victim of a cyber-attack by a hacker group calling itself "CyberCaliphate" and claiming to have ties to the terrorist organisation Islamic State of Iraq and the Levant (ISIL, ISIS, IS). Hackers breached the TV network's internal systems, possibly aided by passwords openly broadcast by TV5Monde, overriding the broadcast programming of the company's 12 channels for over three hours. Service was only partially restored in the early hours of the following morning and normal broadcasting services were disrupted late into 9 April 2015. Various computerised internal administrative and support systems including email remained shut down or otherwise inaccessible due to the attack (in fact they just “pulled-the-plug” on affected systems). The hackers also hijacked TV5Monde's Facebook and Twitter pages to post the personal information of ('doxing') relatives of French soldiers participating in actions against ISIS, along with messages critical of President François Hollande, arguing that the January 2015 terrorist attacks were "gifts" for his "unforgivable mistake" of partaking in conflicts that "[serve] no purpose". Access was both simple (spear-phishing to gain access) and complex in the use of customised software to attack the TV channel servers.
The director-general of TV5Monde, Yves Bigot, later said that the attack nearly destroyed the company, and if it had taken longer to restore broadcasting, satellite distribution channels would have cancelled their contracts. The attack was designed to be destructive, both of equipment and of the company itself, rather than for propaganda or espionage, as had been the case for most other cyber-attacks. The attack was carefully planned, and the first known penetration of the network was on 23 January 2015. The attackers then carried out reconnaissance of TV5Monde to understand the way in which it broadcast its signals, and constructed bespoke malicious software to corrupt and destroy the Internet-connected hardware that controlled the TV station's operations, such as the encoder systems. They used seven different points of entry, not all part of TV5Monde or even in France, and one was a company based in the Netherlands that supplied the remote controlled cameras used in TV5's studios. Although the attack purported to be from IS, France's cyber-agency told Bigot to say only that the messages claimed to be from IS. He was later told that evidence had been found that the attackers were the APT 28 group of Russian hackers (again “Fancy Bear”). No reason was found for the targeting of TV5Monde, and the source of the order to attack, and funding for it, is not known. It has been speculated that it was probably an attempt to test forms of cyber-weaponry. The cost to TV5Monde was estimated at €5 million in the first year, followed by recurring annual cost of over €3 million for new protection. The company's way of working had to change, with authentication of email, checking of flash drives before insertion, and so on, at significant detriment to efficiency for a news media company that must move information.

Before moving on it is perhaps interesting to look at how experts try to identify the original perpetrator of an attack. In 2014 FireEye released a report titled “Digital Bread Crumbs: Seven Clues To Identifying Who’s Behind Advanced Cyber Attacks” that explained how to conduct an investigation based on common errors committed by the hackers.
The report was based on the analysis of nearly 1,500 campaigns tracked by FireEye, and the common characteristics of various attack were:

• Keyboard Layout. Hidden in phishing attempts is information about the attacker’s choice of keyboard, which varies by language and region.

• Malware Metadata. Malware source code contains technical details that suggest the attacker’s language, location, and ties to other campaigns.

• Embedded Fonts. The fonts used in phishing emails point to the origin of the attack. This is true even when the fonts are not normally used in the attacker’s native language.

• DNS Registration. Domains used in attacks pinpoint the attacker’s location. Duplicate registration information can tie multiple domains to a common culprit.

• Language. Language artefacts embedded in malware often point to the attacker’s country of origin and common language mistakes in phishing emails can sometimes be reverse-engineered to determine the writer’s native language.

• Remote Administration Tool Configuration. Popular malware-creation tools include a bevy of configuration options. These options are often unique to the attacker using the tool, allowing researchers to tie disparate attacks to a common threat actor.

• Behaviour. Behavioural patterns such as methods and targets give away some of the attacker’s methods and motives.

Some Useful References

“A Military Guide to Terrorism in the Twenty-First Century”, U.S. Army TRADOC G2 Handbook No. 1, 15 August 2007

“The Cyber Warfare Lexicon”, January 2009

Martin C. Libicki, “Cyberdeterrence and Cyberwar”, RAND, 2009

Jeffrey Carr, “Inside Cyber Warfare”, O’Reilly Media, 2010 (the link is to a copy on WikiLeaks)

James P. Farwell & Rafal Rohozinski, “Stuxnet and the Future of Cyber Warfare”, Survival, 53:1, 28 January 2011

Deepak Sharma, “China’s Cyber Warfare Capability and India’s Concerns”, Journal of Defense Studies, Vol. 5, No. 2, April 2011

U.S. Joint Forces Command “Commander’s Handbook for Attack the Network”, version 1.0, 20 May 2011

Oona A. Hathaway, et.al., “The Law of Cyber-Attack”, California Law Review, (posted) 16 November 2011

T.J. OConnor, “The Jester Dynamic: A Lesson in Asymmetric Unmanaged Cyber Warfare”, SANS Institute, 30 December 2011

Andrew F. Krepinevich, “Cyber Warfare: A “Nuclear Option”?”, Center for Strategic and Budgetary Assessments, 2012

Alexander Klimburg (ed.), “National Cyber Security Framework Manual”, NATO, 2012

Karin Kosina, “Wargames in the Fifth Domain”, Masters Thesis Vienna, 2012

Martin C. Libicki, “Crisis and Escalation in Cyberspace”, RAND, 2012

Robert Lai, “Analytic of China Cyberattack”, The International Journal of Multimedia and Its Applications, Vol. 4, No. 3, June 2012

“Law of Armed Conflict: Implications for U.S. Navy Cyber Strategy”, Masters of Information Technology Strategy, Carnegie Mellon, 3 August 2012

Gabi Siboni & Y.R., “What Lies behind Chinese Cyber Warfare”, Military and Strategic Affairs, Vol. 4, No. 2 September 2012

“NATO Logistics Handbook”, November 2012

Michael N. Schmitt (ed.), “Tallinn Manual of the International Law Applicable to Cyber Warfare”, Cambridge University Press, 2013

“DDoS Survival Handbook”, Radware, 2013

Jouko Vankka (ed.), “Cyber Warfare”, National Defense University, Helsinki, Series 1, No. 34, 2013

Paulo Shakarian, Jana Shakarian, Andrew Ruef, “Introduction to Cyber-Warfare”, 2013

“Comprehensive Study on Cybercrime”, United Nations Office on Drugs and Crime, February 2013

U.S. Navy Cyber Forces “Commander’s Cyber Security and Information Assurance Handbook”, revision 2, 26 February 2013

Ingo Ruhmann, “Cyber War: Will it define the Limits to IT Security?”, International Review of Information Ethics, Vol. 20, December 2013

Michael N. Schmitt, “The Law of Cyber Warfare: Quo Vadis?”, Stanford Law & Policy Review, Vol. 25:269, 2014

“Cyber-Attacks: Can the Market Respond?”, Willis Energy Market Review 2014

“FM 3-38 Cyber Electromagnetic Activities”, U.S. Department of the Army, February 2014

Gary D. Solis, “Cyber Warfare”, Military Law Review, Vol. 219, Spring 2014

“Profiling an enigma: The mystery of North Korea’s cyber threat landscape”, HP Security Briefing, Episode 16, August 2014

“Cyber defense in the EU”, European Parliament Briefing, October 2014

Jason Kick, “Cyber Exercise Playbook”, MITRE Corporation, November 2014

Alexandre Mansourov, “North Korea’s Cyber Warfare and Challenges for the US-ROK Alliance”, Korea Economic Institute of America, 2 December 2014

CERT-UK, “Common Cyber Attacks: Reducing The Impact”, 2015

Thomas Rid & Ben Buchanan, “Attributing Cyber Attacks”, The Journal of Strategic Studies, Vol. 38, No. 1-2, 2015

“Creating trust in the digital world”, EY Global Information Security Survey 2015

Antonia Chayes, “Rethinking Warfare: The Ambiguity of Cyber Attacks”, Harvard National Security Journal, Vol. 6, 2015

Fred Schreier, “On Cyberwarfare”, Democratic Control of Armed Forces, Working Paper No. 7, 2015

Kenneth Geers (ed.), “Cyber War in Perspective: Russian Aggression against Ukraine”, NATO, 2015

Scott Jasper, “Deterring Malicious Behavior in Cyberspace”, Strategic Studies Quarterly, Spring 2015

U.S. Department of Defense “Law of War Manual”, June 2015

Greg Austin, “Australia Rearmed! Future Needs for Cyber-Enabled Warfare”, Australian Centre for Cyber Security, January 2016

“Internet Security Threat Report”, Symantec, Vol. 21, April 2016

Keir Giles, “Handbook of Russian Information Warfare”, NATO, November 2016