The military strategy behind cyberattacks and how they're designed

Picking a high value target

Public info from U.S. Department of the Army: “The emphasis of targeting is on identifying resources (targets) the enemy can least afford to lose or that provide him with the greatest advantage … Denying these resources to the enemy makes him vulnerable … an electronic attack could potentially deny essential services to a local populace, which in turn could result in loss of life and/or political ramifications.”

• Military — Exploit an adversary’s weakness and degrade their capability and/or will to fight
• Political or diplomatic — Weaken adversary’s status or power in the world or region
• Informational — Generate favorable press, gain information superiority
• Economic — Undercut adversary’s ability to sustain operations

The ROI of asymmetrical warfare

Source: Unsplash

Cyberwarfare is asymmetrical. The parties at conflict use the means available to them to inflict as much damage as possible by careful exploiting their adversary’s weaknesses. An example of this tactic is in Palestinians flying “fire balloons” into Israel. The tactic has resulted in thousands of acres of valuable farmland and nature preserves being burned, the Times of Israel reported. A $10 incendiary balloon caused thousands in economic damage. Cyberattacks similarly target key infrastructure elements that will cause the most damage.

Cyberattacks on infrastructure

IoT devices, shared communications and cloud computing infrastructure expand the attack surface available to hackers. Electric power grids are especially vulnerable given the broad impact a power outage has on the economy. An electric utility with multiple partners has a broad and diverse attack surface — places where an attacker could attempt to access internal networks from the outside.

Employees at an electric utility or its partners are often unsuspecting targets. Spear-phishing attacks target a specific victim, and messages are modified to specifically address that victim, purportedly coming from an entity that they are familiar with and containing personal information. It’s the go‐to technique in the cybercriminal and nation state attackers’ arsenal. It is an effective and inexpensive way to harvest user credentials, implant various forms of malware, impersonate trusted people and collect intelligence on the target organization.

In cases described by the Department of Homeland Security, as presented to the electric utilities and outside experts, Russian hackers went into power plants through the networks of contractors, some of whom were ill-protected. Those contractors provided software to the utility company’s systems. Then they used spear-phishing emails, trying to trick utility operators into changing their passwords. Here are two other data points:

• In “Experts: North Korea targeted U.S. electric power companies,” it was reported that hackers linked to North Korea targeted U.S. electric power companies with spear-phishing emails which used fake invitations to a fundraiser to target victims, FireEye said. A victim who downloaded the invitation attached to the email would also be downloading malware into his computer network.
• In “The Ukrainian power grid was hacked again,” it was reported that experts say the country appears to be a testbed for cyberattacks that could be used around the world. The hackers conducted a coordinated attack against three power distribution companies, which began as part of a massive phishing campaign. The attackers sat on systems silently for months, conducting reconnaissance before making their presence known. They overwrote firmware on remote-terminal units that controlled substation breakers. This essentially bricked the devices and prevented engineers from restoring power remotely.

The financial damage of a cyberattack

The Hartsfield-Jackson Atlanta International Airport generates more than $34 billion in direct business revenue to metro Atlanta. A recent power outage, where more than 400 flights were canceled, wasn’t caused by a cyberattack, but illustrates how even a single disruption can have a huge financial impact. A simple projection reveals that a cyberattack on a large airport’s power systems, assuming that planes were forced to be idled, could exceed $100 million.

• Passenger time: 400 flights x 100 passengers x $50 per hour x 10 hours = $20 million
• Equipment cost : (Jet lease costs $20,000 per hour) 400 jets x 10 hours x $20,000 = $80 million

Beefing up cyberdefenses

The U.S. is outgunned in electronic warfare, says the country’s cyber commander. Two military leaders admitted at the TechNet conference in Augusta, Georgia this week that the country is falling behind in its electronic warfare capability. “When it comes to electronic warfare, we are outgunned,” Maj. Gen. John Morrison, the commander of Fort Gordon and the Army Cyber Center of Excellence, said during a Tuesday presentation. “We are plain outgunned by peer and near-peer competitors.”

With so much at stake, investments in cyberdefense have to be a high priority.

All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.