Cyberwar has increasingly blurry boundaries, and an ever closer relationship with conventional conflicts. We saw the latest example of this with the escalation of the conflict between the USA and Iran, caused by the death of General Qasem Soleimani.
This death left the relationship between the two countries on an uncertain footing. Shortly afterward, the Cybersecurity and Infrastructure Security Agency (CISA) of Donald Trump’s government responded, hinting that any kind of retaliation was possible: “CISA strongly urges you to assess and strengthen your basic cyber and physical defenses to protect against this potential threat,” read the official statement.
Stuxnet, the most recent cyberconflict between the USA and Iran
Cyberconflict between these two states is nothing new. As we have discussed before, the most famous incident is Stuxnet. In this case, America and Israel managed to halt the activity of an Iranian uranium enrichment plant in what was called Operation Olympic Games. In this operation, the two countries managed to access the power plant’s computers, where they introduced a pen drive containing Stuxnet, a worm that used several Windows zero-day vulnerabilities to infect the centrifuges’ systems. When the worm took control of the centrifuges, it executed commands to make them self-destruct.
The Iranian engineers tried to restart the system, but to no avail: the emergency shutdown had been disabled. All of this was made possible by the cooperation of an insider: an employee, recruited by the Dutch intelligence agency AIVD, who acted as a mole inside the Iranian power plant.
Iran and the attacks on Saudi Arabia and Italy
Two years later, in August 2012, it was Iran that carried out a cyberoffensive. An employee in the Saudi Arabian company Aramco, the country’s national petroleum company, opened an email, believing it to be from someone trustworthy in the organization. However, it turned out to be a targeted phishing attack, which allowed the cybercriminal to get their hands on the employee’s credentials and to gain access to one of the country’s strategic companies.
At 11:08 on August 12, this employee’s computer sent a file to the company’s 30,000 employees. This file contained a version of Shamoon, a piece of malware that disabled all of Aramco’s devices and immediately began to steal credentials, as well as all kinds of confidential information and data. It also overwrote the boot record and partitions so that the computers couldn’t be restarted, and the lost data couldn’t be recovered.
Shamoon fulfilled its role in Saudi Arabia, as well as in Italy. This was in mid-December 2018, when a version of the malware used against Aramco managed to disable the company’s largest client, the Italian oil company Saipem. This new version of Shamoon, attributed to the Iranian government, paralyzed between 300 and 400 servers in the Middle East, India, Aberdeen and Italy, as well as around 100 of the company’s 4,000 computers. Luckily for Saipem, they had made a backup of their files, so while they suffered the theft of their information, none of it was lost forever.
According to the accusations of a litany of foreign governments and experts, such as the Microsoft researcher Ned Moran, Iran has been preparing for years, developing and perfecting different cyberattacks with a clear aim in mind: the critical infrastructure of enemy countries. In fact, according to Moran, the Iranian cybercriminal group APT33 has been gathering passwords for months now, experimenting with different infection methods to paralyze the industrial systems used in large factories, oil companies, and electric companies worldwide.
How to avoid becoming a victim of cyberwar
These examples of cyberattacks show just how varied the techniques used to infiltrate IT networks can be: from targeted phishing campaigns to the presence of a mole in an organization. In any case, all of these experiences share three common factors:
- Inadequate endpoint protection.
- Human inability to detect threats.
- Deficient analysis of what is happening on the organization’s perimeter at all times.
In order to avoid falling victim to cyberwar, companies and states must therefore be aware of the need to have highly qualified teams that not only know how to run their organization’s cybersecurity protections, but also know how to instill in other employees a series of measures to avoid intrusions. It will also be necessary to assume that many of the threats received will be unknown until the moment they get into the company. This is why organizations need to maintain a proactive, cyber-resilient attitude. Beyond human work, they need the support of services and automated technology that monitor all IT system activity at all times, detect vulnerabilities, and act on them.
The fact is that any kind of cyberattack has a very narrow margin in which to respond. In the case of cyberwar, this margin may be non-existent. Because of all of this, it is vital to get ahead of these threats, and to mitigate all dangers before they can show themselves.