We can now say with some certainty that the world’s first cyberwar is upon us, unfolding behind the scenes with a rising level of intensity, so far pretty much ignored by all but the need-to-knows.
On one side are the US and its European and Middle-Eastern allies, on the other Iran and perhaps its proxies in Syria, Lebanon and a handful of more isolated groups across the non-aligned Islamic world.
Is this really a cyberwar? Certainly. If you rank sustained state-to-state exchanges across the Internet as defining a digital campaign then this is surely the real McCoy even if everything looks normal from the outside.
History will judge ‘Cyberwar I’ as having kicked off around 2006 when the US hatched a series of over-lapping programmes to attack Iran’s nuclear industry using software sophisticated enough (i.e. free of identifying marks) to maintain an air of polite, plausible deniability.
The world unmasked these as Stuxnet, and a number of forensically-linked and increasingly enigmatic follow-ups including Duqu, Gauss, and a particularly complex piece dubbed Flame that was probably connected to Stuxnet despite only being discovered last year. There were almost certainly others cyber-weapons that have not been uncovered yet.
And it turns out that two can play this game.
Cyberattacks on US banks are nothing new but the series of large and disruptive attacks against the US financial sector starting around last September, claimed by the ‘Izz ad-Din al-Qassam Cyber Fighters’, appeared to mark the start of something more significant.
These have continued with small gaps ever since, ramping up to disruptive levels in December and continuing ever since. One large cyber-attack every now and again might be expected, but an ongoing campaign at this level of intensity is starting to grab the full attention of interested commentators.
A rolling core of banks have been affected over several months, including Bank of America, JPMorgan Chase & Co and Citigroup and HSBC, prompting former State and Commerce Department official, James A. Lewis to state quite categorically that “There is no doubt within the US government that Iran is behind these attacks” to the New York Times.
Amidst the daily noise of DDoS attacks, exactly where they come from has at times seemed almost irrelevant. Who launches them and why is rarely explicitly stated - they are just a fact of life.
Lewis’s intervention suggests that the pattern of the anti-bank campaign has elevated these mysterious events into the political arena, at least behind closed doors.
“They are high volume and also very complicated,” says Scott Hammack, CEO of DDoS mitigation firm, Prolexic. As is customary for his industry he is reluctant to discuss where the attacks might originate but is willing to admit that “the US Government is in a good position to know who is doing it.”
Two weeks ago his firm saw a 75Gbps DDoS attack unfolding with a couple of 45Gbps events since then, both at the very large end of the traffic spectrum.
In 2011, Prolexic had seen perhaps one or two attacks of this size for the whole year; attacks peaking at 80Gbps were now a weekly occurrence.
“The frequency, size and complexity has ramped up to the extent you could call it a cyberwar,” he says. “It is definitely a dangerous precedent. It is bad right now but will get worse,” he predicts.
A distinctive feature of the recent attacks was that they used a ‘push’ DDoS model based on real-time, manual control rather than a static command and control network. That also made them harder to disrupt.
Why would Iran or any other country attack another using DDoS? It would be easier to say why it wouldn’t. If the US wields complex targeted software with deadly purpose, smaller nations can level the field by attacking its infrastructure with a weapon accessible enough that even small groups have successfully used it. Such is the simple allure of DDoS.
“The attackers are fairly sophisticated because of the combination of attack vectors,” comments Arbor Networks’ Darren Anstee, who works for another company that makes it money by looking at and securing the Internet traffic few others pay attention to.
The attackers had deployed three main attacks tools - Brobot PHP injection (aka “itsoknoproblembro’) KamiKaze and AMOS - capable of hitting the targets with conventional volumetric (UDP/ICMP) and TCP exhaustion DDoS, spiked with rightly feared HTTP, HTTPS and DNS application attacks.
Launched via compromised server proxies, the attackers had shown knowledge and planning in the way they had executed the attacks, working out which targets might share data centres with one another as a means of maximising their effect. If an attack showed signs of failing, they adjusted in real time.
“They are obviously monitoring the effectiveness of the attack vectors very quickly,” he said, a feature that underscored them out as out of the ordinary.
Anstey rejects the simplistic notion that DDoS is a ‘cheap’ weapon for those lacking anything better.
“DDoS has become an advanced threat,” although he believed the effectiveness of the current campaign might be waning as organisations learned to cope with them.
Where might the Iranians go after DDoS? Indeed, how far has the US already gone beyond Stuxnet and Flame?
Months after the DDoS attacks started, few will yet call it for what it is; an escalating cyberwar with no clear rules of engagement beyond an uncertain translation through the calculus of geo-political realpolitik.
Meanwhile, in the Middle- East was enveloped by a slow-burning digital war during 2012, with Saudi Arabia finding its oil industry under destructive attack from malware such as Shamoon, designed to trash the hard drives of target PCs on a grand scale.
With packets flying back and forth, it looks as if the US v Iran will be a very 21st Century war. Where it started has already been lost in history, and as long as the collateral damage is relatively small (consumers unable to log on to their bank accounts, say) few will pay it that much heed. It is just part of the contemporary world.
But if the conflict ever moves to being a hot war, the largely hidden exchanges of this cyberwar could turn out to be the telling factor.
Posted by John Dunn