<p>Cyber espionage – The Conversation</p>
<h1>It’s being called Russia’s most sophisticated cyber espionage tool. What is Snake, and why is it so dangerous?</h1>
<p>Published 2023-05-11T05:16:47Z</p>
<figure><img src="https://images.theconversation.com/files/525550/original/file-20230511-15-nzjt8r.jpeg?ixlib=rb-1.1.0&rect=6%2C41%2C1016%2C981&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="attribution"><span class="source">Shutterstock AI</span></span></figcaption></figure><p>Like most people I check my emails in the morning, wading through a combination of work requests, spam and news alerts peppering my inbox.</p>
<p>But yesterday brought something different and deeply disturbing. I noticed an alert from the American Cybersecurity and Infrastructure Security Agency (<a href="https://www.cisa.gov/news-events/cybersecurity-advisories">CISA</a>) about some very devious <a href="https://www.bing.com/videos/search?q=what+is+malware&qft=+filterui:duration-short&view=detail&mid=FE061B5C45296C83E456FE061B5C45296C83E456&&FORM=VRDGAR&ru=/videos/search?&q=what+is+malware&qft=+filterui:duration-short&FORM=VRFLTR">malware</a> that had infected <a href="https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-129a">a network of computers</a>.</p>
<p>The malware in question is Snake, a cyber espionage tool deployed by Russia’s Federal Security Service that has been around for about 20 years. </p>
<p>According to CISA, the Snake implant is the “most sophisticated cyber espionage tool designed and used by Center 16 of Russia’s Federal Security Service for long-term intelligence collection on sensitive targets”.</p>
<h2>The stealthy Snake</h2>
<p>The Russian Federal Security Service developed the Snake network in 2003 to conduct global <a href="https://www.techtarget.com/searchsecurity/definition/cyber-espionage">cyber espionage</a> operations against NATO, companies, research institutions, media organisations, financial services, government agencies and more. </p>
<p>So far, it has been detected on Windows, Linux and macOS computers in more than 50 countries, including <a href="https://www.cyber.gov.au/about-us/advisories/hunting-russian-intelligence-snake-malware">Australia</a>. </p>
<p>Elite Russian cyber espionage teams put the malware on a target’s computer, copy sensitive information of interest and then send it to Russia. It’s a simple concept, cloaked in masterful technical design.</p>
<p>Since its creation, Russian cyber spies have regularly <a href="https://www.justice.gov/opa/pr/justice-department-announces-court-authorized-disruption-snake-malware-network-controlled">upgraded the Snake malware</a> to avoid detection. The current version is cunning in how it <a href="https://www.justice.gov/opa/pr/justice-department-announces-court-authorized-disruption-snake-malware-network-controlled">persistently</a> evades detection and protects itself.</p>
<p>Moreover, the Snake network can disrupt critical <a href="https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-110a">industrial control systems</a> that manage our buildings, hospitals, energy systems, water and wastewater systems, among others – so the risks go beyond intelligence collection alone. </p>
<p>There are warnings that in a couple of years bad actors may gain the capability to hijack critical Australian infrastructure and cause unprecedented harm by interfering <a href="https://ia.acs.org.au/article/2021/industrial-cyber-attacks-will-kill-someone-by-2025.html">with physical operations</a>. </p>
<h2>Snake hunting</h2>
<p>On May 9, the US Department of Justice <a href="https://www.justice.gov/opa/pr/justice-department-announces-court-authorized-disruption-snake-malware-network-controlled">announced</a> the Federal Bureau of Investigation had finally disrupted the global Snake <a href="https://www.digitalcitizen.life/what-is-p2p-peer-to-peer/">peer-to-peer network</a> of infected computers.</p>
<p>The covert network allowed infected computers to collect sensitive information. The Snake malware then disguised the sensitive information through sophisticated <a href="https://us.norton.com/blog/privacy/what-is-encryption">encryption</a>, and sent it to the spy masters.</p>
<p>Since the Snake malware used custom <a href="https://www.comptia.org/content/guides/what-is-a-network-protocol">communication protocols</a>, its covert operations remained undetected for decades. You can think of custom protocols as a way to transmit information so it can go undetected.</p>
<p>However, with Russia’s war in Ukraine and the rise in cybersecurity activity over the past few years, the FBI has increased its monitoring of Russian cyber threats.</p>
<p>While the Snake malware is an elegantly designed piece of code, it is complex and needs to be precisely deployed to avoid detection. According to the Department of Justice’s press release, Russian cyber spies were careless in more than a few instances and did not deploy it as designed. </p>
<p>As a result, the Americans discovered Snake, and crafted a response.</p>
<h2>Snake bites</h2>
<p>The FBI received a court order to <a href="https://www.justice.gov/opa/pr/justice-department-announces-court-authorized-disruption-snake-malware-network-controlled">dismantle Snake</a> as part of an operation code-named MEDUSA.</p>
<p>They developed a tool called PERSEUS that causes the Snake malware to <a href="https://www.justice.gov/opa/pr/justice-department-announces-court-authorized-disruption-snake-malware-network-controlled">disable</a> itself and stop further infection of other computers. The <a href="https://www.cyber.gov.au/about-us/advisories/hunting-russian-intelligence-snake-malware">PERSEUS</a> tool and instructions are freely available to guide detection, patching and remediation.</p>
<p>The Department of Justice <a href="https://www.justice.gov/opa/pr/justice-department-announces-court-authorized-disruption-snake-malware-network-controlled">advises</a> that PERSEUS only stops this malware on computers that are already infected; it does not <a href="https://blogs.iuvotech.com/what-is-patching-and-why-is-it-important">patch</a> vulnerabilities on other computers, or search for and remove other malware. </p>
<p>Even though the Snake network has been disrupted, the department warned <a href="https://www.splunk.com/en_us/blog/learn/vulnerability-vs-threat-vs-risk.html">vulnerabilities</a> may still exist for users, and they should follow safe <a href="https://www.digitalguardian.com/blog/what-cyber-hygiene-definition-cyber-hygiene-benefits-best-practices-and-more">cybersecurity hygiene</a> practices. </p>
<h2>Snake bite treatment</h2>
<p>Fortunately, effective cybersecurity hygiene isn’t overly complicated. <a href="https://www.microsoft.com/en/security/business/microsoft-digital-defense-report-2022">Microsoft</a> has identified five activities that protect against 98% of cybersecurity attacks, whether you’re at home or work.</p>
<ol>
<li><p><a href="https://www.onelogin.com/learn/what-is-mfa">Enable multi-factor authentication</a> across all your online accounts and apps. This login process requires multiple steps such as entering your password, followed by a code received through a SMS message – or even a biometric fingerprint or secret question (favourite drummer? Ringo!).</p></li>
<li><p><a href="https://www.csoonline.com/article/3695697/what-is-zero-trust-and-why-is-it-so-important.html">Apply “zero trust” principles</a>. It’s best practice to authenticate, authorise and continuously validate all system users (internal and external) to ensure they have the right to use the systems. The zero trust approach should be applied whether you’re using computer systems at work or home.</p></li>
<li><p><a href="https://www.cyber.gov.au/protect-yourself/securing-your-devices/how-secure-your-device/anti-virus-software">Use modern anti-malware</a> programs. Anti-malware, also known as antivirus software, protects and removes malware from our systems, big and small.</p></li>
<li><p><a href="https://www.techtarget.com/whatis/feature/5-reasons-software-updates-are-important">Keep up to date</a>. Regular system and software updates not only help keep new applications secure, but also patch vulnerable areas of your system.</p></li>
<li><p><a href="https://geekflare.com/data-backup-best-practices/">Protect your data</a>. Make a copy of your important data, whether it’s a physical printout or on an external device disconnected from your network, such as an external drive or USB.</p></li>
</ol>
<p>Like most Australians, I have been a victim of a cyberattack. And between the recent <a href="https://www.abc.net.au/news/2023-04-21/optus-hack-class-action-customer-privacy-breach-data-leaked/102247638">Optus</a> data breach and the <a href="https://www.abc.net.au/news/2022-10-15/woolworths-mydeal-cyber-attack-hack-information-leaked/101539686">Woolworths MyDeal</a> and <a href="https://www.afr.com/technology/cyber-experts-worry-as-medibank-puts-hack-behind-it-20230223-p5cn10">Medibank</a> attacks, people are catching on to just how dire the consequences of these events can be. </p>
<p>We can expect malicious cyberattacks to increase in the future, and their impact will only become more severe. The Snake malware is a sophisticated piece of software that raises yet another concern. But in this case, we have the antidote and can protect ourselves by proactively following the above steps. </p>
<p>If you have concerns about the Snake malware you can read more <a href="https://www.nsa.gov/Press-Room/Press-Releases-Statements/Press-Release-View/Article/3389044/us-agencies-and-allies-partner-to-identify-russian-snake-malware-infrastructure/">here</a>, or speak to the fine folks at your IT service desk.</p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/holding-the-world-to-ransom-the-top-5-most-dangerous-criminal-organisations-online-right-now-163977">Holding the world to ransom: the top 5 most dangerous criminal organisations online right now</a>
</strong>
</em>
</p>
<hr>
<img src="https://counter.theconversation.com/content/205405/count.gif" alt="The Conversation" width="1" height="1" />
<p class="fine-print"><em><span>Greg Skulmoski works at Bond University and having it's academics comment on the news elevates Bond University's reputation. </span></em></p>The Snake network has been detected in more than 50 countries, including Australia.Greg Skulmoski, Associate Professor, Project Management, Bond UniversityLicensed as Creative Commons – attribution, no derivatives.tag:theconversation.com,2011:article/1649172021-07-22T13:24:22Z2021-07-22T13:24:22ZSpyware: why the booming surveillance tech industry is vulnerable to corruption and abuse<figure><img src="https://images.theconversation.com/files/412661/original/file-20210722-23-1582yi3.jpeg?ixlib=rb-1.1.0&rect=0%2C0%2C7329%2C3628&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">
</span> <span class="attribution"><a class="source" href="https://www.shutterstock.com/image-photo/man-finger-clicks-on-open-padlock-1934920949">Zoomik/Shutterstock</a></span></figcaption></figure><p>The world’s most sophisticated commercially available spyware may be being abused, according to <a href="https://amp.theguardian.com/world/2021/jul/18/revealed-leak-uncovers-global-abuse-of-cyber-surveillance-weapon-nso-group-pegasus">an investigation</a> by 17 media organisations in ten countries. <a href="https://www.independent.co.uk/world/pegasus-spyware-nso-activists-journalists-b1886317.html">Intelligence leaks</a> and <a href="https://www.amnesty.org/en/latest/news/2021/07/amnesty-categorically-pegasus-project-data-linked-to-nso/">forensic phone analysis</a> suggests the surveillance software, called <a href="https://www.theguardian.com/news/2021/jul/18/what-is-pegasus-spyware-and-how-does-it-hack-phones">Pegasus</a>, has been <a href="https://www.theguardian.com/news/2021/jul/19/nso-clients-spying-disclosures-prompt-political-rows-across-world">used to target</a> and spy on the phones of human rights activists, investigative journalists, politicians, researchers and academics. </p>
<p>NSO Group, the Israeli cyber intelligence firm behind Pegasus, insists that it only licenses its spyware to <a href="https://www.nsogroup.com/Newses/cyber-intelligence-sector-leader-nso-group-unveils-the-industrys-first-transparency-and-responsibility-report/">vetted government clients</a> in the name of combating transnational crime and terrorism. It has labelled reports from investigative journalists a “<a href="https://www.nsogroup.com/Newses/enough-is-enough/">vicious and slanderous campaign</a>” upon which it will no longer comment.</p>
<p>Yet the founder and chief executive of NSO Group <a href="https://www.theguardian.com/news/2021/jul/19/fifty-people-close-mexico-president-amlo-among-potential-targets-nso-clients">previously admitted</a> that “in some circumstances our customers might misuse the system.” Given that the group has sold its spyware to a reported <a href="https://www.theguardian.com/world/2021/jul/18/revealed-leak-uncovers-global-abuse-of-cyber-surveillance-weapon-nso-group-pegasus">40 countries</a>, including some with poor records of <a href="https://www.theguardian.com/news/audio/2021/jul/21/the-pegasus-project-part-3-cartels-corruption-and-cyber-weapons-podcast">corruption</a> and <a href="https://observatoryihr.org/news/spyware-leak-reveals-pegasus-was-used-to-hack-human-rights-activists-journalists-and-lawyers-globally/">human rights violations</a>, it’s alleged that Pegasus has been significantly misused, undermining the freedom of the press, freedom of thought and free and open democracies.</p>
<p>These revelations are the latest indication that the spyware industry is out of control, with licensed customers free to spy on political and civilian targets as well as suspected criminals. We may be heading to a world in which <a href="https://www.theguardian.com/news/2021/jul/19/edward-snowden-calls-spyware-trade-ban-pegasus-revelations">no phone is safe</a> from such attacks. </p>
<h2>How Pegasus works</h2>
<p>Pegasus is regarded as the <a href="https://theconversation.com/how-does-the-pegasus-spyware-work-and-is-my-phone-at-risk-164781">most advanced spyware</a> on the market. It can infiltrate victims’ devices without their even having to click a malicious link – a so-called “<a href="https://cybersecurity-journal.com/2020/08/14/demystifying-zero-click-attacks/">zero-click attack</a>”. Once inside, the power Pegasus possesses to transform a phone into a surveillance beacon is astounding. </p>
<p>It immediately sets to work copying messages, pictures, videos and downloaded content to send to the attacker. As if that’s not insidious enough, Pegasus can record calls and track a target’s location while independently and secretly activating a phone’s camera and microphone. With this capability, an infected phone acts like a fly on the wall, seeing, hearing and reporting back the intimate and sensitive conversations that it <a href="https://www.theguardian.com/news/2021/jul/18/what-is-pegasus-spyware-and-how-does-it-hack-phones">watches continuously</a>.</p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/how-does-the-pegasus-spyware-work-and-is-my-phone-at-risk-164781">How does the Pegasus spyware work, and is my phone at risk?</a>
</strong>
</em>
</p>
<hr>
<p>There’s previous evidence of Pegasus misuse. It was implicated in the <a href="https://www.ohchr.org/EN/NewsEvents/Pages/DisplayNews.aspx?NewsID=25488&LangID=E">alleged hacking</a> of Jeff Bezos’ phone by the crown prince of Saudi Arabia in 2018. The following year, it was revealed that several <a href="https://www.huffpost.com/archive/in/entry/did-indian-govt-buy-pegasus-spyware-home-ministry-answer-is-worrying_in_5dd3bbb1e4b082dae813a058">Indian lawyers and activists</a> had been targeted by a Pegasus attack via WhatsApp. </p>
<p>The new revelations suggest that Pegasus was used to watch Mexico’s president Andres Manuel Lopez and <a href="https://www.theguardian.com/news/2021/jul/19/fifty-people-close-mexico-president-amlo-among-potential-targets-nso-clients">50 members</a> of his inner circle – including friends, family, doctors, and aides – when he was an opposition politician. Pegasus has also been linked to the <a href="https://www.theguardian.com/news/2021/jul/19/modi-accused-treason-opposition-india-spyware-disclosures">surveillance of Rahul Gandhi</a>, the current political rival to Indian prime minister Narendra Modi. </p>
<p>A Pegasus infiltration has also now <a href="https://www.theguardian.com/world/2021/jul/18/nso-spyware-used-to-target-family-of-jamal-khashoggi-leaked-data-shows-saudis-pegasus">been found</a> among phones belonging to the family and friends of <a href="https://www.bbc.com/news/world-europe-45812399">murdered journalist</a> Jamal Khashoggi, and there are indications that Pegasus may also have been <a href="https://www.theguardian.com/news/2021/jul/18/revealed-murdered-journalist-number-selected-mexico-nso-client-cecilio-pineda-birto">used by a Mexican NSO client</a> to target the Mexican journalist Cecilio Pineda Birto, who was <a href="https://rsf.org/en/news/mexico-reporters-murder-revives-debate-about-effectiveness-protection">murdered</a> in 2017.</p>
<h2>Spyware industry</h2>
<p>Although the power of Pegasus is shocking, spyware in its various forms is far from a new phenomenon. Basic spyware can be traced back to <a href="https://www.sciencedirect.com/science/article/pii/B9780444516084500250">the early 1990s</a>. Now it’s a <a href="https://www.economist.com/business/2019/12/12/offering-software-for-snooping-to-governments-is-a-booming-business">booming industry</a> with thousands of eager buyers. </p>
<p>At the base of the spyware industry are the lesser snooping tools, sold for as little as $70 (£51) <a href="https://www.techrepublic.com/article/how-much-malware-tools-sell-for-on-the-dark-web/">on the dark web</a>, which can remotely access webcams, log computer keystrokes and harvest location data. The use of such spyware by <a href="https://www.bbc.co.uk/news/technology-50166147">stalkers and abusive partners</a> is a growing, concerning issue.</p>
<p>Then of course there’s the <a href="https://www.theguardian.com/world/2013/jun/09/edward-snowden-nsa-whistleblower-surveillance">global surveillance estate</a> that Edward Snowden lifted the curtain on in 2013. His leaks revealed how <a href="https://www.wired.com/story/edward-snowden-in-his-own-words-why-i-became-a-whistle-blower/">surveillance tools</a> were being used to amass a volume of citizens’ personal data that seemed to go well beyond the brief of the intelligence agencies using them.</p>
<p>In 2017, we also learned how a secret team of elite programmers at the US National Security Agency had developed an advanced cyber-espionage weapon called <a href="https://www.wired.co.uk/article/what-is-eternal-blue-exploit-vulnerability-patch">EternalBlue</a>, only for it to be stolen by the hacker collective Shadow Brokers and <a href="https://www.wired.com/story/eternalblue-leaked-nsa-spy-tool-hacked-world/">sold on the dark web</a>. It was this spyware that would later be used as the backbone of the infamous 2017 <a href="https://www.cbsnews.com/news/wannacry-ransomware-attacks-wannacry-virus-losses/">WannaCry ransomware attack</a>, which <a href="https://www.nao.org.uk/report/investigation-wannacry-cyber-attack-and-the-nhs/">targeted the NHS</a> and hundreds of other organisations.</p>
<h2>Why Pegasus is different</h2>
<p>When the Snowden leaks were published, many were shocked to learn of the scale of surveillance that digital technologies had enabled. But this mass spying was at least developed and conducted within state intelligence agencies, who had some legitimacy as agents of espionage.</p>
<p>We’re no longer debating the right of the state to violate our own rights to privacy. The Pegasus revelations show we’ve arrived in a new, uncomfortable reality where highly sophisticated spyware tools are <a href="https://www.wired.com/story/the-murky-merits-of-a-private-spy-registry/">sold on an open market</a>. To be under no illusion, we’re referring here to an industry of for-profit malware developers creating and selling the same types of tools – and sometimes the very same tools – used by “bad hackers” to bring businesses and government organisations to their knees.</p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/spyware-merchants-the-risks-of-outsourcing-government-hacking-80891">Spyware merchants: the risks of outsourcing government hacking</a>
</strong>
</em>
</p>
<hr>
<p>In the wake of the Pegasus revelations, Edward Snowden has called for an <a href="https://www.theguardian.com/news/2021/jul/19/edward-snowden-calls-spyware-trade-ban-pegasus-revelations">international spyware ban</a>, stating that we’re moving towards a world where no device is safe. That will certainly be the case if Pegasus meets the same fate as Eternal Blue, with its source code finding its way onto the dark web for use by criminal hackers.</p>
<p>We’ve only just begun to contemplate the full implications of Pegasus for our collective privacy and democracy. Without transparency, we have no sense of how and under what circumstances Pegasus is licensed, who has authorisation to use Pegasus once it’s licensed, under what circumstances a licence may be revoked, or what international regulations are in place to police against its abuse. Evidence suggests that Pegasus has been misused, and greater accountability and oversight are needed. We must also seek to rekindle important debates around enforceable controls on the creation and sale of corporate spyware. Without this, the threat that Pegasus and future spyware tools pose to privacy will not be limited to the high-profile targets that have so far been revealed, but will be a threat to us all.</p>
<p class="fine-print"><em><span>Christian Kemp does not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
<p>Revelations of spyware abuse suggest we’re moving to a new reality in which no phone is safe from surveillance.</p>
<p>Christian Kemp, Lecturer, Criminology, Anglia Ruskin University. Licensed as Creative Commons – attribution, no derivatives.</p>
<h1>The Sunburst hack was massive and devastating – 5 observations from a cybersecurity expert</h1>
<p>Published 2020-12-29T14:17:19Z</p>
<figure><img src="https://images.theconversation.com/files/376591/original/file-20201223-23-11m8mdo.jpg?ixlib=rb-1.1.0&rect=0%2C0%2C5674%2C3772&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">Federal government agencies, from the Treasury Department to the National Nuclear Security Administration, have been compromised by the attack.</span> <span class="attribution"><a class="source" href="https://www.gettyimages.com/detail/news-photo/the-morning-sun-rises-over-the-white-house-on-march-24-2019-news-photo/1137951124?adppopup=true">Tasos Katopodis/Getty Images</a></span></figcaption></figure><p>So much remains unknown about what is now being called the Sunburst hack, the cyberattack against U.S. government agencies and corporations. U.S. officials <a href="https://www.washingtonpost.com/national-security/russian-government-spies-are-behind-a-broad-hacking-campaign-that-has-breached-us-agencies-and-a-top-cyber-firm/2020/12/13/d5a53b88-3d7d-11eb-9453-fc36ba051781_story.html">widely believe</a> that Russian state-sponsored hackers are responsible.</p>
<p>The attack gave the perpetrators access to numerous key American business and government organizations. The immediate effects will be difficult to judge, and a complete accounting of the damage is unlikely. However, the nature of the affected organizations alone makes it clear that this is perhaps the most consequential cyberattack against the U.S. to date.</p>
<p>An act of cyberwar is usually not like a bomb, which causes immediate, well-understood damage. Rather, it is more like a cancer – it’s slow to detect, difficult to eradicate, and it causes ongoing and significant damage over a long period of time. Here are five points that cybersecurity experts – the oncologists in the cancer analogy – can make with what’s known so far.</p>
<h2>1. The victims were tough nuts to crack</h2>
<p>From top-tier cybersecurity firm FireEye to the U.S. Treasury, Microsoft, Intel and many other organizations, the victims of the attack are for the most part firms with comprehensive cybersecurity practices. The list of <a href="https://www.businessinsider.com/list-of-companies-agencies-at-risk-after-solarwinds-hack-2020-12?op=1">organizations that use the compromised software</a> includes firms like MasterCard, Lockheed Martin and PricewaterhouseCoopers. SolarWinds estimates about <a href="https://www.zdnet.com/article/sec-filings-solarwinds-says-18000-customers-are-impacted-by-recent-hack/">18,000 firms</a> were affected.</p>
<p>As CEO of cybersecurity firm Cyber Reconnaissance Inc. and an <a href="https://scholar.google.com/citations?user=OUAMn6oAAAAJ&hl=en">associate professor of computer science</a> at Arizona State University, I have met security professionals from many of the targeted organizations. Many of the organizations have world-class cybersecurity teams. These are some of the hardest targets to hit in corporate America. The victims of Sunburst were specifically targeted, likely with a primary focus on intelligence gathering.</p>
<h2>2. This was almost certainly the work of a nation – not criminals</h2>
<p>Criminal hackers focus on near-term financial gain. They use techniques like ransomware to extort money from their victims, steal financial information, and harvest computing resources for activities like sending spam emails or mining for cryptocurrency. </p>
<p>Criminal hackers exploit well-known security vulnerabilities that, had the victims been more thorough in their security, could have been prevented. The hackers typically target organizations with weaker security, like health care systems, universities and municipal governments. University networks are notoriously decentralized, difficult to secure, and often underfund cybersecurity. Medical systems tend to use specialty medical devices that run older, vulnerable software that is difficult to upgrade. </p>
<p>Hackers associated with national governments, on the other hand, have entirely different motives. They look for long-term access to critical infrastructure, gather intelligence and develop the means to disable certain industries. They also steal intellectual property – especially intellectual property that is expensive to develop in fields like high technology, medicine, defense and agriculture.</p>
<figure class="align-center zoomable">
<a href="https://images.theconversation.com/files/376596/original/file-20201223-49872-i98bca.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="A smart phone displaying the FireEye logo" src="https://images.theconversation.com/files/376596/original/file-20201223-49872-i98bca.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/376596/original/file-20201223-49872-i98bca.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=400&fit=crop&dpr=1 600w, https://images.theconversation.com/files/376596/original/file-20201223-49872-i98bca.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=400&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/376596/original/file-20201223-49872-i98bca.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=400&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/376596/original/file-20201223-49872-i98bca.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=503&fit=crop&dpr=1 754w, https://images.theconversation.com/files/376596/original/file-20201223-49872-i98bca.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=503&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/376596/original/file-20201223-49872-i98bca.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=503&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">One of the targeted organizations, cybersecurity firm FireEye, would be a poor choice for cybercriminals but highly desirable for the Russian government or other adversaries of the U.S.</span>
<span class="attribution"><a class="source" href="https://www.gettyimages.com/detail/news-photo/in-this-photo-illustration-a-fireeye-cyber-security-company-news-photo/1230182459?adppopup=true">SOPA Images/LightRocket via Getty Images</a></span>
</figcaption>
</figure>
<p>The sheer amount of effort to infiltrate one of the Sunburst victim firms is also a telling sign that this was not a mere criminal hack. For example, a firm like FireEye is an inherently bad target for a criminal attacker. It has fewer than 4,000 employees yet has computer security on par with the world’s top defense and financial businesses. </p>
<h2>3. The attack exploited trusted third-party software</h2>
<p>The hackers gained access by slipping their malware into software updates of SolarWinds’ Orion software, which is widely used to manage large organizational networks. The Sunburst attack relied on a trusted relationship between the targeted organization and SolarWinds. When users of Orion updated their systems in the spring of 2020, they unwittingly invited a Trojan horse into their computer networks.</p>
<p>Aside from <a href="https://www.bloomberg.com/news/articles/2020-12-21/solarwinds-adviser-warned-of-lax-security-years-before-hack">a report about lax security</a> at SolarWinds, very little is known about how the hackers gained initial access to SolarWinds. However, the Russians have used the tactic of compromising a third-party software update process before, in 2017. This was during the infamous <a href="https://medium.com/@PauloShak/learning-from-notpetya-43f2fea8994c">NotPetya</a> attack, which was considered the most financially <a href="https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/">damaging cyberattack in history</a>. </p>
<h2>4. The extent of the damage is unknown</h2>
<p>It will take time to uncover the extent of the damage. The investigation is complicated because the attackers gained access to most of the victims in the spring of 2020, which gave the hackers time to expand and hide their access to, and control of, the victims’ systems. For example, <a href="https://krebsonsecurity.com/2020/12/vmware-flaw-a-vector-in-solarwinds-breach/">some experts believe</a> that a vulnerability in VMware, software that is widely used in corporate networks, was also used to gain access to the victims’ systems, <a href="https://www.sdxcentral.com/articles/news/vmware-denies-its-software-used-in-solarwinds-hack/2020/12/">though the company denies it</a>.</p>
<figure class="align-center zoomable">
<a href="https://images.theconversation.com/files/376594/original/file-20201223-23-161id6c.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="the Microsoft logo on the side of a building" src="https://images.theconversation.com/files/376594/original/file-20201223-23-161id6c.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/376594/original/file-20201223-23-161id6c.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=338&fit=crop&dpr=1 600w, https://images.theconversation.com/files/376594/original/file-20201223-23-161id6c.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=338&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/376594/original/file-20201223-23-161id6c.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=338&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/376594/original/file-20201223-23-161id6c.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=424&fit=crop&dpr=1 754w, https://images.theconversation.com/files/376594/original/file-20201223-23-161id6c.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=424&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/376594/original/file-20201223-23-161id6c.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=424&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">Some of the exposed organizations, like Microsoft, made limited use of the SolarWinds software, which appears to have contained the damage they suffered.</span>
<span class="attribution"><a class="source" href="https://images.app.goo.gl/at74GEFtP7Qac6ps7">Raimond Spekking</a>, <a class="license" href="http://creativecommons.org/licenses/by-sa/4.0/">CC BY-SA</a></span>
</figcaption>
</figure>
<p>I expect the damage to be spread unevenly among the victims. This will depend on various factors such as how extensively the organization used the SolarWinds software, how segmented its networks are, and the nature of its software maintenance cycle. For example, Microsoft <a href="https://www.bloomberg.com/news/articles/2020-12-18/microsoft-says-its-systems-were-exposed-in-solarwinds-hack">reportedly had limited deployments of Orion</a>, so the attack had limited impact on its systems. </p>
<p>In contrast, the bounty the hackers stole from FireEye included <a href="https://blog.cyr3con.ai/the-vulnerabilities-fireeye-hackers-will-start-to-use">penetration testing tools</a>, which were used to test the defenses of high-end FireEye clients. The theft of these tools was likely prized by hackers to both increase their capabilities in future attacks as well as gain insights into what FireEye clients are protecting against.</p>
<h2>5. The fallout could include real-world harm</h2>
<p>There is a very thin, often nonexistent line between gathering information and causing real-world harm. What may start as spying or espionage can easily escalate into warfare. </p>
<p>The presence of malware on a computer system that gives the attacker greater user privileges is dangerous. Hackers can use control of a computer system to destroy that system, as was the case in the <a href="https://phys.org/news/2012-10-iran-cyberattack-saudi-ex-official.html">Iranian cyberattacks against Saudi Aramco in 2012</a>, and to harm physical infrastructure, as was the case in the <a href="https://www.wired.com/2014/11/countdown-to-zero-day-stuxnet/">Stuxnet attack against Iranian nuclear facilities in 2010</a>. </p>
<p>Further, real harm can be done to individuals with information alone. For example, the <a href="https://www.technologyreview.com/2020/02/10/349004/the-us-says-the-chinese-military-hacked-equifax-heres-how/">Chinese breach of Equifax</a> in 2017 has put detailed financial and personal information about millions of Americans in the hands of one of the U.S.’s greatest strategic competitors.</p>
<p>No one knows the full extent of the Sunburst attack, but the scope is large and the victims represent important pillars of the U.S. government, economy and critical infrastructure. Information stolen from those systems and malware the hackers have likely left on them can be used for follow-on attacks. I believe it is likely that the Sunburst attack will result in harm to Americans. </p>
<p class="fine-print"><em><span>Paulo Shakarian works for/consults to/owns shares in Cyber Reconnaissance, Inc. (CYR3CON).</span></em></p>
<p><em>Cyberwarfare is more like cancer than bombs and bullets. Cybersecurity experts are just beginning to make their diagnosis of the Sunburst hack.</em></p>
<p class="fine-print"><em><span>Paulo Shakarian, Associate Professor of Computer Science, Arizona State University. Licensed as Creative Commons – attribution, no derivatives.</span></em></p>
<h2>Russian cyberthreat extends to coronavirus vaccine research</h2>
<p><em>Published 2020-07-21T12:12:19Z.</em></p>
<figure><img src="https://images.theconversation.com/files/348428/original/file-20200720-92332-1dragjf.jpg?ixlib=rb-1.1.0&rect=0%2C8%2C5463%2C3628&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">Who are in the hoodies?</span> <span class="attribution"><a class="source" href="https://www.gettyimages.com/detail/photo/group-of-hooded-hackers-shining-through-a-digital-royalty-free-image/682344086">BeeBright/iStock/Getty Images Plus</a></span></figcaption></figure>
<p>A Russian cyberespionage group that hacked into election networks before the 2016 U.S. presidential election is now attempting to steal coronavirus vaccine information from researchers in the U.S., U.K. and Canada. The governments of those three countries <a href="https://thehill.com/policy/national-security/507744-russian-hackers-return-to-spotlight-with-vaccine-research-attack">issued a warning on July 16</a> saying that the group known as APT29 or “Cozy Bear” is targeting vaccine development efforts. The group, which is <a href="https://www.theguardian.com/world/2020/jul/16/russian-state-sponsored-hackers-target-covid-19-vaccine-researchers">connected with the FSB</a>, Russia’s internal security service, had <a href="http://www.telegraph.co.uk/news/2016/12/16/russias-cyber-warriors-should-west-do/">gotten inside the Democratic National Committee</a> networks prior to the 2016 election.</p>
<p>This latest incident illustrates yet again how, beyond carrying all of our phone, text and internet communications, cyberspace is an active battleground, with cybercriminals, government agents and even military personnel probing weaknesses in corporate, national and even personal online defenses. Some of the most talented and dangerous cybercrooks and cyberwarriors come from Russia, which is a longtime meddler in other countries’ affairs.</p>
<p>Over decades, Russian operators have stolen terabytes of data, taken control of millions of computers and raked in billions of dollars. They’ve <a href="https://www.wired.com/story/russian-hackers-attack-ukraine/">shut down electricity in Ukraine</a> and <a href="http://www.nbcnews.com/news/us-news/intelligence-director-says-agencies-agree-russian-meddling-n785481">meddled in elections in the U.S.</a> and elsewhere. They’ve engaged in <a href="https://www.nytimes.com/2015/06/07/magazine/the-agency.html?hp&action=click&pgtype=Homepage&module=second-column-region&region=top-news&WT.nav=top-news&_r=1">disinformation</a> and disclosed pilfered information such as the <a href="https://en.wikipedia.org/wiki/Podesta_emails">emails stolen from Hillary Clinton’s campaign chairman, John Podesta,</a> following <a href="http://www.cnn.com/2017/06/27/politics/russia-dnc-hacking-csr/">successful spearphishing attacks</a>.</p>
<p>Who are these operators, why are they so skilled, and what are they up to?</p>
<h2>Back to the 1980s</h2>
<p>The Russian cyberthreat dates back to at least 1986 when Cliff Stoll, then a system administrator at Lawrence Berkeley National Laboratory, linked a 75-cent accounting error to intrusions into the lab’s computers. The hacker was after military secrets, downloading documents with important keywords such as “nuclear.” A lengthy investigation, described in Stoll’s book “<a href="http://www.penguinrandomhouse.com/books/173930/cuckoos-egg-by-clifford-stoll/">The Cuckoo’s Egg</a>,” led to a German hacker who was selling the stolen data to what was then the Soviet Union.</p>
<p>By the late 1990s, Russian cyberespionage had grown to include the multi-year “<a href="https://medium.com/@chris_doman/the-first-sophistiated-cyber-attacks-how-operation-moonlight-maze-made-history-2adb12cc43f7">Moonlight Maze</a>” intrusions into U.S. military and other government computers, foretelling the massive espionage from Russia today.</p>
<p>The 1990s also saw the arrest of <a href="http://www.nytimes.com/1995/08/19/business/citibank-fraud-case-raises-computer-security-questions.html">Vladimir Levin</a>, a computer operator in St. Petersburg. Levin tried to steal more than US$10 million by hacking Citibank accounts, foreshadowing Russia’s prominence in cybercrime. And Russian hackers defaced U.S. websites during the <a href="http://edition.cnn.com/TECH/computing/9904/06/serbnato.idg/index.html">Kosovo conflict</a>, portending Russia’s extensive use of disruptive and damaging cyberattacks.</p>
<h2>Conducting advanced attacks</h2>
<p>In more recent years, Russia has been behind some of the most sophisticated cyberattacks on record. The <a href="https://www.wired.com/story/russian-hackers-attack-ukraine/">2015 cyberattack on three of Ukraine’s regional power distribution companies</a> knocked out power to almost a quarter-million people. Cybersecurity analysts from the Electricity Information Sharing and Analysis Center and the SANS Institute reported that the multi-staged attacks were conducted by a “<a href="https://ics.sans.org/media/E-ISAC_SANS_Ukraine_DUC_5.pdf">highly structured and resourced actor</a>.” Ukraine <a href="http://www.reuters.com/article/us-ukraine-crisis-cyber-idUSKBN15U2CN">blamed the attacks on Russia</a>.</p>
<p>The attackers used a <a href="https://ics.sans.org/media/E-ISAC_SANS_Ukraine_DUC_5.pdf">variety of techniques</a> and adapted to the targets they faced. They used <a href="https://theconversation.com/spearphishing-roiled-the-presidential-campaign-heres-how-to-protect-yourself-68274">spearphishing</a> email messages to gain initial access to systems. They installed “<a href="https://ics-cert.us-cert.gov/alerts/IR-ALERT-H-16-056-01">BlackEnergy</a>” malware to establish remote control over the infected devices. They harvested credentials to move through the networks. They developed custom malicious firmware to render system control devices inoperable. They hijacked the <a href="https://doi.org/10.1109/PROC.1987.13932">Supervisory Control and Data Acquisition</a> system to open circuit breakers in substations. They used “<a href="https://thehackernews.com/2016/01/Ukraine-power-system-hacked.html">KillDisk</a>” malware to erase the master boot record of affected systems. The attackers even went so far as to strike the control stations’ battery backups and tie up the energy company’s call center with <a href="https://www.wired.com/2016/03/inside-cunning-unprecedented-hack-ukraines-power-grid/">thousands of calls</a>.</p>
<p>The Russians <a href="https://www.wired.com/story/russian-hackers-attack-ukraine/">returned in 2016</a> with more advanced tools to take down a major artery of Ukraine’s power grid. Russia is believed to have also invaded energy companies in the U.S., including those operating <a href="https://www.washingtonpost.com/world/national-security/us-officials-say-russian-government-hackers-have-penetrated-energy-and-nuclear-company-business-networks/2017/07/08/bbfde9a2-638b-11e7-8adc-fea80e32bf47_story.html">nuclear power plants</a>.</p>
<h2>Top-notch cybereducation</h2>
<p>Russia has many skilled cyberoperators, and for good reason: Their <a href="https://krebsonsecurity.com/2017/06/why-so-many-top-hackers-hail-from-russia/">educational system emphasizes information technology</a> and computer science, more so than in the U.S. </p>
<p>Every year, Russian schools take a disproportionate number of the top spots in the <a href="https://icpc.baylor.edu/worldfinals/results">International Collegiate Programming Contest</a>. In the 2016 contest, St. Petersburg State University took the top spot for the fifth time in a row, and four other Russian schools also made the top 12. In 2017, St. Petersburg ITMO University won, with two other Russian schools also placing in the top 12. The top U.S. school ranked 13th.</p>
<p>As Russia prepared to form a cyberbranch within its military, Minister of Defense <a href="https://www.rbth.com/society/2013/07/16/russia_to_get_cyber_troops_28069.html">Sergei Shoigu</a> took note of Russian students’ performance in the contest. “We have to work with these guys somehow, because we need them badly,” he said in a public meeting with university administrators.</p>
<h2>Who are these Russian cyberwarriors?</h2>
<p>Russia employs cyberwarriors within its military and <a href="https://www.us-cert.gov/sites/default/files/publications/JAR_16-20296A_GRIZZLY%20STEPPE-2016-1229.pdf">intelligence services</a>. Indeed, the cyberespionage groups dubbed APT28 (aka Fancy Bear) and APT29 (aka Cozy Bear and The Dukes) are believed to <a href="http://www.telegraph.co.uk/news/2016/12/16/russias-cyber-warriors-should-west-do/">correspond to Russia’s military intelligence agency GRU and its state security organization FSB,</a> respectively. Both groups have been implicated in hundreds of cyberoperations over the past decade, including U.S. election hacking.</p>
<p>Russia <a href="https://www.nytimes.com/2016/12/29/world/europe/how-russia-recruited-elite-hackers-for-its-cyberwar.html">recruits cyberwarriors</a> from its colleges, but also from the cybersecurity and cybercrime sectors. It is said to turn a <a href="http://thehill.com/policy/cybersecurity/256573-kremlins-ties-russian-cyber-gangs-sow-us-concerns">blind eye</a> to its criminal hackers as long as they avoid Russian targets and use their skills to aid the government. According to <a href="http://thehill.com/policy/cybersecurity/256573-kremlins-ties-russian-cyber-gangs-sow-us-concerns">Dmitri Alperovitch</a>, co-founder of the security firm CrowdStrike, when Moscow identifies a talented cybercriminal, any pending criminal case against the person is dropped and the hacker disappears into the Russian intelligence services. <a href="http://www.news.com.au/technology/online/hacking/the-russian-hacker-with-a-4-million-bounty-on-his-head/news-story/e5c363e260e25c0a09641d39e1d37636">Evgeniy Mikhailovich Bogachev</a>, <a href="https://www.fbi.gov/wanted/cyber/evgeniy-mikhailovich-bogachev">wanted by the FBI</a> with a reward of $3 million for cybercrimes, is also on the <a href="https://www.treasury.gov/press-center/press-releases/Pages/jl0693.aspx">Obama administration’s list of people sanctioned</a> in response to interference in the U.S. election. Bogachev is said to work “<a href="https://www.nytimes.com/2017/03/12/world/europe/russia-hacker-evgeniy-bogachev.html">under the supervision of a special unit of the FSB</a>.” </p>
<h2>Allies outside official channels</h2>
<p>Besides its in-house capabilities, the Russian government has access to hackers and the Russian media. Analyst Sarah Geary at cybersecurity firm FireEye <a href="https://www.thecipherbrief.com/article/tech/cyber-proxies-central-tenet-russias-hybrid-warfare-1092">reported that the hackers</a> “disseminate propaganda on behalf of Moscow, develop cybertools for Russian intelligence agencies like the FSB and GRU, and hack into networks and databases in support of Russian security objectives.” </p>
<p>Many seemingly independent “<a href="http://faculty.nps.edu/dedennin/publications/CyberConflict-EmergentSocialPhenomenon-final.pdf">patriotic hackers</a>” operate on Russia’s behalf. Most notably, they attacked critical systems in <a href="https://ccdcoe.org/publications/books/legalconsiderations.pdf">Estonia in 2007</a> over the relocation of a Soviet-era memorial, <a href="https://ccdcoe.org/publications/books/legalconsiderations.pdf#page=66">Georgia in 2008</a> during the Russo-Georgian War and <a href="http://dx.doi.org/10.5038/2378-0789.1.1.1001">Ukraine in 2014</a> in connection with the conflict between the two countries. </p>
<p>At the very least, the Russian government condones, even encourages, these hackers. After some of the Estonian attacks were traced back to Russia, <a href="https://ccdcoe.org/publications/books/legalconsiderations.pdf">Moscow turned down</a> Estonia’s request for help – even as a commissar in Russia’s pro-Kremlin youth movement Nashi <a href="https://www.rferl.org/a/Russian_Groups_Claims_Reopen_Debate_On_Estonian_Cyberattacks_/1564694.html">admitted launching some of the attacks</a>. And when Slavic Union hackers successfully attacked Israeli websites in 2006, <a href="https://www.army.mil/article/19351/georgias-cyber-left-hook">Deputy Duma Director Nikolai Kuryanovich</a> gave the group a certificate of appreciation. He noted that “a small force of hackers is stronger than the multi-thousand force of the current armed forces.” </p>
<p>While some patriotic hackers may indeed operate independently of Moscow, others seem to have strong ties. <a href="http://www.ibtimes.com/meet-cyberberkut-pro-russian-hackers-waging-anonymous-style-cyberwarfare-against-2228902">Cyber Berkut</a>, one of the groups that conducted cyberattacks against Ukraine, including its central election site, is said to be a <a href="http://www.dia.mil/Portals/27/Documents/News/Military%20Power%20Publications/Russia%20Military%20Power%20Report%202017.pdf">front for Russian state-sponsored</a> cyberactivity. And Russia’s espionage group <a href="http://www.dia.mil/Portals/27/Documents/News/Military%20Power%20Publications/Russia%20Military%20Power%20Report%202017.pdf">APT28 is said to have operated under the guise of the ISIS-associated CyberCaliphate</a> while attacking the French station TV5 Monde and taking over the Twitter account of U.S. Central Command.</p>
<h2>One of many cyberthreats</h2>
<p>Although Russia poses a major cyberthreat, it is not the only country that threatens the U.S. in cyberspace. <a href="http://www.huffingtonpost.com/frank-j-cilluffo/recalibrate-us-cyber-effo_b_2975841.html">China, Iran and North Korea</a> are also countries with strong cyberattack capabilities, and more countries will join the pool as they develop their people’s skills. </p>
<p>The good news is that <a href="https://www.cisecurity.org/controls/">actions to protect an organization’s cybersecurity</a> (such as monitoring access to sensitive files) that work against Russia also work against other threat actors. The bad news is that many organizations do not take those steps. Further, hackers find new vulnerabilities in devices and exploit the weakest link of all – <a href="https://theconversation.com/cybersecuritys-weakest-link-humans-57455">humans</a>. Whether cyberdefenses will evolve to avert a major calamity, from Russia or anywhere else, remains to be seen.</p>
<p><em>Editor’s note: This is an updated version of <a href="https://theconversation.com/tracing-the-sources-of-todays-russian-cyberthreat-81593">an article</a> originally published Aug. 15, 2017.</em></p>
<p class="fine-print"><em><span>Dorothy Denning does not work for, consult, own shares in or receive funding from any company or organization that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
<p><em>The Russian cyberthreat, now targeting coronavirus vaccine research, goes back over three decades, extends into the country’s educational systems and criminal worlds, and shows no signs of letting up.</em></p>
<p class="fine-print"><em><span>Dorothy Denning, Emeritus Distinguished Professor of Defense Analysis, Naval Postgraduate School. Licensed as Creative Commons – attribution, no derivatives.</span></em></p>
<h2>The Twitter hack targeted the rich and famous. But we all lose if trusted accounts can be hijacked</h2>
<p><em>Published 2020-07-16T07:02:55Z.</em></p>
<p>The list of US figures whose Twitter accounts were <a href="https://www.bbc.com/news/technology-53425822">hijacked by scammers on Wednesday US time</a> reads like a Who’s Who of the tech and celebrity worlds: Tesla boss Elon Musk, Amazon chief Jeff Bezos, Microsoft founder Bill Gates, former president Barack Obama, current Democratic nominee Joe Biden, celebrities Kanye West and Kim Kardashian, billionaires Warren Buffett and Mike Bloomberg, the corporate accounts of Apple and Uber, and more besides.</p>
<p>The point of the hack? To lure followers into sending US$1,000 in Bitcoin, with the classic scammer’s false promise of sending back twice as much.</p>
<p>After a <a href="https://twitter.com/TwitterSupport/status/1283591844962750464">preliminary investigation</a>, Twitter said it believed the incident was “a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools”.</p>
<p>The details are still far from clear, but it seems likely someone with administrative rights may have granted the hackers access, perhaps inadvertently, despite the presence of two-factor authentication on the accounts – widely considered the gold standard of online security. It appears insiders may have been involved, although the story is <a href="https://www.vice.com/en_us/article/jgxd3d/twitter-insider-access-panel-account-hacks-biden-uber-bezos">still unfolding</a>.</p>
<p>The use of the niche currency Bitcoin limited the number of potential victims, but also makes the hackers’ loot impossible to trace. Ironically enough, Bitcoin is a currency designed for a post-trust world, and the anonymity of its transactions makes the hackers even harder to track down.</p>
<h2>Whom do we trust?</h2>
<p>This is not the first time we have seen the complex and profound impact social media can have. In 2013, <a href="https://theconversation.com/why-the-ap-hack-is-likely-to-happen-again-13735">hackers gained access to @AP</a>, the official Twitter account of the respected Associated Press news agency, and tweeted: </p>
<blockquote>
<p>Breaking: Two Explosions in the White House and Barack Obama is Injured. </p>
</blockquote>
<p>The stock market <a href="https://www.cnbc.com/id/100646197">dived by US$136.5 billion almost immediately</a> but bounced back within six minutes, illustrating the interconnected systems that move so quickly a human cannot intervene - algorithms read the headlines and the stock market collapsed, albeit fleetingly. </p>
<p>By shorting stocks, whoever hacked AP’s Twitter account stood to make enormous profits from the temporary stock market tank. We do not know what the financial benefits, <a href="https://www.theguardian.com/business/2013/apr/23/ap-tweet-hack-wall-street-freefall">if any</a>, to the hackers in 2013 were. </p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/why-the-ap-hack-is-likely-to-happen-again-13735">Why the AP hack is likely to happen again</a>
</strong>
</em>
</p>
<hr>
<p>This week’s Twitter hack definitely had financial motives. The Bitcoin scammers in this recent hack netted <a href="https://mashable.com/article/twitter-memes-unverified-verified-hack/">more than US$50,000</a>.</p>
<p>More sinister still, however, are the implications for democracy if a similar hack were carried out with political motives.</p>
<p>What if a reliable source, such as a national newspaper’s official account, tweets that a presidential candidate has committed a crime, or is seriously ill, on the eve of an election? What if false information about international armed attacks is shared from a supposedly reliable source such as a government defence department? The impacts of such events would be profound, and go far beyond financial loss. </p>
<p>This is the inherent danger of our growing reliance on social media platforms as authoritative sources of information. As media institutions decline in size, funding and impact, the public increasingly relies on social media platforms for news. </p>
<p>The Bitcoin scam is a reminder that any social media platform can be hacked, tampered with, or used to spread false information. Even gold-standard technical systems can be outwitted, perhaps by exploiting human vulnerabilities. A disgruntled employee, a careless password selection, or even a device used in a public space can pose grave risks. </p>
<h2>Who’s in charge?</h2>
<p>The question of who polices the vast power accrued by social media platforms is a crucial one. Twitter’s reaction to the hack – temporarily shutting down all accounts verified with the “blue tick” that connotes public interest – raised the ire of high-profile users (and prompted <a href="https://mashable.com/article/twitter-memes-unverified-verified-hack/">mirth</a> among those not bestowed with Twitter’s mark of legitimacy). But the underlying question is: who decides what is censored or shut down, and under what circumstances? And should companies do this themselves, or do they need a regulatory framework to <a href="https://global.oup.com/academic/product/in-search-of-jeffersons-moose-9780195342895?cc=au&lang=en&">ensure fairness and transparency</a>?</p>
<p>Broader questions have already been raised about when Twitter, Facebook or other social media platforms should or should not censor content. Facebook was <a href="https://www.nytimes.com/2018/10/15/technology/myanmar-facebook-genocide.html">heavily criticised</a> for not removing oppressive posts about Rohingya Muslims in Myanmar, and what the United Nations referred to as a genocide ensued. Twitter much later <a href="https://www.theguardian.com/world/2019/may/16/myanmar-army-chiefs-twitter-account-suspended-over-anti-rohingya-hate-speech">suspended some accounts</a> that had been inciting violence, with some criticism.</p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/instead-of-showing-leadership-twitter-pays-lip-service-to-the-dangers-of-deep-fakes-127027">Instead of showing leadership, Twitter pays lip service to the dangers of deep fakes</a>
</strong>
</em>
</p>
<hr>
<p>What is the responsibility of such platforms, and who should govern them, as we become more heavily reliant on social media for our news? As the platforms’ power and influence continue to grow, we need rigorous frameworks to hold them accountable. </p>
<p>Last month, the Australian government pledged a A$1.3 billion funding increase and an extra 500 staff for the Australian Signals Directorate, to boost its ability to defend Australia from attacks. Australia’s forthcoming 2020 Cyber Security Strategy will hopefully also include strategies to proactively improve cyber security and digital literacy. </p>
<p>In an ideal world, social media giants would regulate themselves. But here in the real world, the stakes are too high to let the platforms police themselves.</p>
<p class="fine-print"><em><span>Kobi Leins is currently conducting research on the existing laws relating to cyber in Australia as part of a ‘Governing Cyber Law in Australia’ project with the Computing and Information Systems of the University of Melbourne, in partnership with the Centre for AI and Digital Ethics.</span></em></p>
<p><em>Twitter’s ‘blue tick’ club of influential users was locked out after financial scammers hacked celebrities’ accounts. But with ever more trust placed in social media, we stand to lose more than money.</em></p>
<p class="fine-print"><em><span>Kobi Leins, Senior Research Fellow in Digital Ethics, The University of Melbourne. Licensed as Creative Commons – attribution, no derivatives.</span></em></p>
<h2>China accused of mass cyber spying – but working out the truth is just the start of the problem</h2>
<p><em>Published 2018-10-17T11:32:55Z.</em></p>
<figure><img src="https://images.theconversation.com/files/240645/original/file-20181015-165885-1enqpal.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">Minuscule computer hardware could be spying on top tech firms</span> <span class="attribution"><a class="source" href="https://www.shutterstock.com/image-illustration/cpu-chip-on-motherboard-abstract-3d-1008152359?src=dSnLAqaLQPrFRmHs1htrjw-1-1">graphicINmotion/ shutterstock</a></span></figcaption></figure>
<p>Has China found a way to spy on computers used by the world’s top tech firms and perhaps even the US government by implanting them with tiny secret microchips? That’s what was alleged in a recent article from Bloomberg Businessweek, which claimed the US is investigating <a href="https://www.bloomberg.com/news/features/2018-10-04/the-big-hack-how-china-used-a-tiny-chip-to-infiltrate-america-s-top-companies">some form of spy microchip</a> thought to have been inserted into Chinese-made circuit boards used by a company that produces video data servers. Its products have, according to Bloomberg, been purchased by Apple, Amazon and many other large firms, as well as the US departments of Defense and Homeland Security, Congress and NASA.</p>
<p>If proved true, these allegations would have huge implications for all the parties involved, as well as global security, trade and international relations. But the supplier of the allegedly hacked hardware, the companies that bought it, and the Chinese government <a href="https://www.bloomberg.com/news/articles/2018-10-04/the-big-hack-amazon-apple-supermicro-and-beijing-respond">have repeatedly</a> and <a href="https://www.theregister.co.uk/2018/10/09/bloomberg_super_micro_china_spy_chip_scandal/">strenuously denied</a> that the chips exist or that any server hardware was compromised. <a href="https://www.theregister.co.uk/2018/10/08/super_micro_us_uk_intelligence/">US and UK officials</a> have backed the denials, while the <a href="https://www.bloomberg.com/news/articles/2018-10-10/fbi-s-wray-deflects-queries-on-china-tampering-with-server-chips">FBI has stated</a> that it is their policy “to neither confirm nor deny the existence of an investigation”.</p>
<p>The problem is that, at this stage, it’s impossible to know who’s telling the truth. The chip described in the report is said to be disguised as an extremely small and otherwise unremarkable electronic component. Proving that it even exists, let alone what it does, would require careful reverse engineering and security analysis by somebody with access to the allegedly afflicted hardware.</p>
<p>Security technology researchers I have consulted are adopting a “wait and see” attitude until more information emerges. Bloomberg’s story relies entirely on unnamed sources. Until somebody comes forward with a credible and detailed technical report, there is little to be gained by speculating about this specific incident. But if it were true, the nature of the incident would make it very difficult for authorities to respond.</p>
<p>The alleged attack quickly captures the imagination because it highlights a well-known challenge in cybersecurity: maintaining the integrity of end-point hardware. End-point hardware in this context simply means any device used to transmit or receive electronic messages. This can include obvious items like smartphones, laptops and servers, but also the growing body of Internet of Things devices such as smart home appliances, self-driving cars and connected industrial machinery.</p>
<p>If an attacker gains physical access to an end-point device, this can subvert multiple layers of security. A well-known example was publicised in 2013 when a criminal gang <a href="https://www.theguardian.com/business/2013/sep/20/remote-barclays-theft-eight-arrested">installed covert “KVM switches”</a> onto computers in London bank branches. These simple and inexpensive pieces of equipment let attackers monitor what a computer is doing and then operate it remotely. In this way, accessing the physical equipment effectively gets around a variety of protective measures.</p>
<figure class="align-center ">
<img alt="" src="https://images.theconversation.com/files/240650/original/file-20181015-165888-1m01gpa.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/240650/original/file-20181015-165888-1m01gpa.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=401&fit=crop&dpr=1 600w, https://images.theconversation.com/files/240650/original/file-20181015-165888-1m01gpa.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=401&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/240650/original/file-20181015-165888-1m01gpa.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=401&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/240650/original/file-20181015-165888-1m01gpa.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=503&fit=crop&dpr=1 754w, https://images.theconversation.com/files/240650/original/file-20181015-165888-1m01gpa.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=503&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/240650/original/file-20181015-165888-1m01gpa.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=503&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px">
<figcaption>
<span class="caption">Hacking into hardware can get around security measures.</span>
<span class="attribution"><a class="source" href="https://www.shutterstock.com/image-photo/technician-hold-screwdriver-repairing-computer-concept-660436612?src=4LzrzziRunkrw8ov85fCww-1-0">Preechar Bowonkitwanchai/Shutterstock</a></span>
</figcaption>
</figure>
<p>The chips described in the Bloomberg article are a much more technologically sophisticated example of the same basic idea. In this case, it is alleged that the offending hardware is a specially designed chip the size of a grain of rice, manufactured and distributed at a large scale.</p>
<p>If it were to emerge that these chips do exist and work as described, the next challenge would be the “attribution” problem – demonstrating who was responsible for creating and installing them. This is critical for anyone who wants to respond to a cyber-attack using legal, diplomatic or military action, but it remains extremely difficult because of the limited forensic methods available.</p>
<h2>Legal action</h2>
<p>If a government was able to prove an attack like this was carried out by another state, there are a range of responses available. A conspiracy to install and operate a system of this type would constitute a crime under the domestic laws of most states. Jurisdictions such as the US and UK could attempt to prosecute people involved in this kind of conspiracy using laws that criminalise <a href="https://www.legislation.gov.uk/ukpga/1990/18/section/1">unauthorised access to a computer</a> and <a href="http://www.legislation.gov.uk/ukpga/2016/25/section/3/enacted">interception of communications</a>, among others.</p>
<p>But any such criminal prosecution would face three significant hurdles. You would need to identify and indict the suspects involved in the conspiracy and physically arrest or extradite them. You’d then have to present enough evidence to persuade a jury of guilt beyond reasonable doubt.</p>
<p>In recent years, US law enforcement officials have announced <a href="https://www.justice.gov/opa/pr/us-charges-five-chinese-military-hackers-cyber-espionage-against-us-corporations-and-labor">criminal indictments of individuals</a> accused of international cyber-espionage. But there is no realistic prospect that any of the accused parties, as employees of a state security agency, would be extradited to face charges in a US court. Instead, it is widely believed that such public announcements are designed to signal awareness of state cyber-operations and potentially to deter such operations.</p>
<p>If domestic law provides little hope of action, what about international law? Even if overwhelming evidence is produced to demonstrate that the chips exist and that the Chinese government directed their deployment, as a legal matter there is nothing to suggest that these actions actually constitute a “cyber-attack” as that term is <a href="https://ccdcoe.org/tallinn-manual.html">used in international law</a>.</p>
<p>There is a sharp distinction between state acts of violence and non-violent espionage or psychological (propaganda) operations. Principles of international law require that any state response be proportional, and therefore limited in this case to non-violent options such as a diplomatic complaint or economic sanctions.</p>
<p>Nothing in the reporting suggests an outbreak of actual cyber war. At worst, what we see is the latest chapter in a still developing, complex, and poorly understood <a href="https://theconversation.com/the-next-cold-war-has-already-begun-in-cyberspace-57367">cyber “cold war”</a>.</p>
<p class="fine-print"><em><span>Robert Carolina does not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
<p>We’ve no way of knowing if allegations that China implanted secret spying microchips in widely used computers are true.</p>
<p>Robert Carolina, Executive Director, Institute for Cyber Security Innovation, Royal Holloway University of London</p>
<p>Licensed as Creative Commons – attribution, no derivatives.</p>
<h2>With hacking of US utilities, Russia could move from cyberespionage toward cyberwar</h2>
<p>Published 2018-07-26T19:14:39Z</p>
<figure><img src="https://images.theconversation.com/files/229465/original/file-20180726-106505-1lqgnxm.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">What constitutes cyberwar?</span> <span class="attribution"><a class="source" href="https://www.shutterstock.com/image-photo/toy-soldiers-protect-computer-hacker-attacks-1101350894">manusapon kasosod/Shutterstock.com</a></span></figcaption></figure>
<p>Even before the revelation on July 23 that <a href="https://www.wsj.com/articles/russian-hackers-reach-u-s-utility-control-rooms-homeland-security-officials-say-1532388110">Russian government hackers had penetrated the computer systems of U.S. electric utilities</a> and could have caused blackouts, government agencies and electricity industry leaders were working to protect U.S. customers and society as a whole. These developments, alarming as they might seem, are not new. But they highlight an important distinction of conflict in cyberspace: between probing and attacking.</p>
<p>Various adversaries – including Russia, but also <a href="https://cchs.gwu.edu/sites/g/files/zaxdzs2371/f/Cilluffo%20Testimony%20for%20HHSC%203-22-2017.pdf">China, North Korea and Iran</a> – have been testing and mapping U.S. industrial systems for years. Yet to date there has been no public acknowledgment of physical damage from a foreign cyberattack on U.S. soil on the scale of <a href="https://www.wired.com/story/russian-hackers-attack-ukraine/">Russia shutting off electricity in the Ukrainian capital</a> or Iran attacking a Saudi Arabian government-owned oil company, <a href="https://foreignpolicy.com/2017/12/21/cyber-attack-targets-safety-system-at-saudi-aramco/">destroying tens of thousands of computers</a> and <a href="https://www.nytimes.com/2018/03/15/technology/saudi-arabia-hacks-cyberattacks.html">allegedly attempting to cause an explosion</a>.</p>
<p>The U.S. and its allies have substantial capabilities, too, some of which have reportedly been directed against foreign powers. <a href="https://www.csoonline.com/article/3218104/malware/what-is-stuxnet-who-created-it-and-how-does-it-work.html">Stuxnet</a>, for instance, was a cyberattack often <a href="https://arstechnica.com/tech-policy/2012/06/confirmed-us-israel-created-stuxnet-lost-control-of-it/">attributed to the U.S. and Israel</a> that disrupted Iran’s nuclear weapons development efforts.</p>
<p>The distinction between exploiting weaknesses to gather information – also known as “<a href="https://www.rand.org/content/dam/rand/pubs/monograph_reports/2007/MR1287.pdf">intelligence preparation of the battlefield</a>” – and using those vulnerabilities to actually do damage is impossibly thin and depends on the intent of the people doing it. Intentions are notoriously difficult to figure out. In global cyberspace they may change depending on world events and international relations. The dangers – to the people of the U.S. and other countries both allied and opposed – underscore the importance of international agreement on what constitutes an act of war in cyberspace and the need for clear rules of engagement.</p>
<h2>Advanced adversaries</h2>
<p>In July the Center for Cyber and Homeland Security at George Washington University, where we serve, hosted a <a href="https://cchs.gwu.edu/protecting-energy-infrastructure-forum">forum on protecting energy infrastructure</a>. At that event, a Duke Energy Corporation executive reported that in 2017, the company experienced <a href="https://www.bna.com/duke-energy-hit-n73014477416/">over 650 million attempts</a> to intrude into their system. That number is startling, though hard to contextualize. More generally, however, some efforts directed against the U.S. are extremely sophisticated. </p>
<p>Federal officials have said that starting in 2016, continuing in 2017 and <a href="https://www.wsj.com/articles/russian-hackers-reach-u-s-utility-control-rooms-homeland-security-officials-say-1532388110">likely still ongoing</a>, Russian government attacks took advantage of trusting relationships between key vendors of services related to equipment and operations for utility companies. Compromising the vendors’ computers was the first step toward breaching the security of <a href="https://www.wsj.com/articles/russian-hackers-reach-u-s-utility-control-rooms-homeland-security-officials-say-1532388110">systems not directly connected to the internet</a>.</p>
<p>It’s not just electric utilities – crucial though they are to <a href="https://theconversation.com/space-weather-threatens-high-tech-life-92711">almost every aspect of modern society</a>. The Russian intrusion targeted computerized industrial control systems that are at the beating hearts of every part of critical public and private infrastructure, including water, energy, telecommunications and <a href="https://www.bbc.com/news/technology-30575104">manufacturing</a>. In the U.S., <a href="https://www.dhs.gov/critical-infrastructure-sector-partnerships">more than 85 percent of those critical potential targets</a> are owned and operated by private companies. Once considered safely on home soil far from conflict, these firms are now at the center of the international cyberspace battleground.</p>
<h2>Setting up defenses</h2>
<p>The energy industry has invested heavily in protecting itself, and is leveraging a sector-wide collaboration called the <a href="https://www.eisac.com/">Electricity Information Sharing and Analysis Center</a> to communicate between companies about warnings and threats to grid operations. But the task is too great – and the consequences to public health and safety too severe – for private companies to handle the burden on their own. As a result, the U.S. Department of Homeland Security has been investigating breaches like the Russian intrusions, and briefing industry leaders about what it finds. </p>
<figure class="align-center zoomable">
<a href="https://images.theconversation.com/files/229488/original/file-20180726-106517-q5ilet.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="" src="https://images.theconversation.com/files/229488/original/file-20180726-106517-q5ilet.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/229488/original/file-20180726-106517-q5ilet.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=355&fit=crop&dpr=1 600w, https://images.theconversation.com/files/229488/original/file-20180726-106517-q5ilet.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=355&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/229488/original/file-20180726-106517-q5ilet.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=355&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/229488/original/file-20180726-106517-q5ilet.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=446&fit=crop&dpr=1 754w, https://images.theconversation.com/files/229488/original/file-20180726-106517-q5ilet.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=446&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/229488/original/file-20180726-106517-q5ilet.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=446&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">Homeland Security Secretary Kirstjen Nielsen speaks to government, corporate and academic experts on critical infrastructure.</span>
<span class="attribution"><a class="source" href="https://preview.dhs.gov/blog/2018/03/02/secretary-nielsen-addresses-2018-critical-infrastructure-summit">U.S. Department of Homeland Security</a></span>
</figcaption>
</figure>
<p>For instance, the Wall Street Journal reported that DHS cybersecurity experts are “<a href="https://www.wsj.com/articles/russian-hackers-reach-u-s-utility-control-rooms-homeland-security-officials-say-1532388110">looking for evidence that the Russians are automating their attacks</a>, which … could presage a large increase in hacking efforts.” That possibility, taken together with the energy-sector focus of the utility-hacking effort and the perpetrators’ interest in industrial control systems, could be a signal that Russia may be considering shifting from exploring U.S. utility systems to actually attacking them.</p>
<p>An upcoming meeting may deepen federal-corporate collaboration: On July 31, the Department of Homeland Security is hosting a <a href="https://www.dhs.gov/news/2018/07/18/department-homeland-security-host-national-cybersecurity-summit">National Cybersecurity Summit</a> to bring together government, industry and academic experts in protecting the country’s most important infrastructure. It will take all their efforts to keep up with the threats, particularly as the underlying techniques and technologies continue to evolve. The “internet of things,” for instance, <a href="https://theconversation.com/using-blockchain-to-secure-the-internet-of-things-90002">connects physical devices in ways that merge the virtual world with the real one</a> – making people only as safe as the weakest link in the network or supply chain.</p>
<p>The federal hint about identifying automated attacks offers a glimpse into the not-too-distant future. In 2017, Russian President Putin declared that “<a href="https://www.cnn.com/2017/09/01/world/putin-artificial-intelligence-will-rule-world/index.html">Whoever becomes the leader in [artificial intelligence] will become the ruler of the world</a>.” In May 2018, Chinese President Xi Jinping told the Chinese Academies of Sciences and Engineering of his plan to make China “<a href="http://www.xinhuanet.com/english/2018-05/29/c_137213175.htm">a world leader in science and technology</a>,” which includes “integration of the internet, big data, and artificial intelligence with the real economy.”</p>
<p>Those statements, and the inexorable march of research and development, mean that <a href="https://theconversation.com/teaching-machines-to-teach-themselves-88374">machine learning</a> – and ultimately <a href="https://theconversation.com/how-quantum-mechanics-can-change-computing-80995">quantum computing</a> too – will play an increasing role in cyberespionage and cyberwarfare, as well as cybersecurity. The line between probing and attacking – and between defensive readiness and offensive preparation – may get even thinner.</p>
<p class="fine-print"><em><span>Frank J. Cilluffo is affiliated with the Center for the Study of the Presidency &amp; Congress, the National Consortium for Advanced Policing, BlackHorse Solutions, and Nisos.</span></em></p>
<p class="fine-print"><em><span>Sharon L. Cardash does not work for, consult, own shares in or receive funding from any company or organization that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
<p>The difference between probing and mapping and actually attacking depends on the intent of the people doing it, which is hard to figure out and may change. The dangers, however, remain worrying.</p>
<p>Frank J. Cilluffo, Director, Center for Cyber and Homeland Security, George Washington University</p>
<p>Sharon L. Cardash, Associate Director, Center for Cyber and Homeland Security, George Washington University</p>
<p>Licensed as Creative Commons – attribution, no derivatives.</p>
<h2>North Korea’s growing criminal cyberthreat</h2>
<p>Published 2018-02-20T11:39:51Z</p>
<figure><img src="https://images.theconversation.com/files/205121/original/file-20180206-88799-jfeluf.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">Money is a crucial target for North Korea's hacking efforts.</span> <span class="attribution"><a class="source" href="https://www.shutterstock.com/image-photo/north-koreas-bitcone-hacking-hacker-bitcond-782624338">rega rega/Shutterstock.com</a></span></figcaption></figure>
<p>The countries posing the greatest cyberthreats to the United States are <a href="https://theconversation.com/tracing-the-sources-of-todays-russian-cyberthreat-81593">Russia</a>, <a href="https://theconversation.com/how-the-chinese-cyberthreat-has-evolved-82469">China</a>, <a href="https://theconversation.com/following-the-developing-iranian-cyberthreat-85162">Iran</a> and North Korea. Like its counterparts, Kim Jong Un’s regime engages in substantial cyber espionage. And like Russia and Iran, it launches damaging cyberattacks that wipe data from computer disks and shut down online services.</p>
<p>But the North Korean cyberthreat is different in two ways. First, the regime’s online power did not grow out of groups of independent hackers. Even today, it seems unlikely the country has hackers who operate independent of the government. Second, North Korea’s cybercrime efforts – all seemingly state-sponsored – steal money that is then used to fund its cash-strapped government.</p>
<h2>Government-controlled hacking</h2>
<p>One reason for North Korea’s apparent lack of independent hackers is that most North Koreans do not have internet access. Although the country has had an <a href="https://arstechnica.com/information-technology/2017/10/as-us-launches-ddos-attacks-n-korea-gets-more-bandwidth-from-russia/">internet connection through China</a> for several years, <a href="https://fas.org/sgp/crs/row/R44912.pdf">it’s reserved</a> for elites and foreign visitors. Would-be hackers can’t launch attacks across borders; they can’t even pick up hacking manuals, code and tips from the many online forums that other hackers in other nations use to learn the trade and share information.</p>
<p>On top of that, North Korea maintains exceptionally strong controls over its population. Any hacking attributed to North Korea is likely done for the government if not by the government directly.</p>
<h2>State-sponsored hackers</h2>
<p>North Korea’s <a href="http://www.keia.org/publication/north-koreas-cyber-warfare-and-challenges-us-rok-alliance">cyber warriors</a> work primarily for the General Bureau of Reconnaissance or the General Staff Department of the Korean People’s Army. Prospective candidates are selected from schools across the country and trained in cyber operations at <a href="http://www.zdnet.com/article/a-glimpse-into-the-world-of-north-koreas-hacking-elite/">Pyongyang University of Automation</a> and other colleges and universities. By 2015, the South Korean military estimated the KPA employed <a href="http://www.telegraph.co.uk/news/worldnews/asia/northkorea/11329480/North-Korea-doubles-its-cyber-warfare-team-to-6000-troops.html">up to 6,000 cyber warfare experts</a>.</p>
<p>North Korean hackers operate from facilities in <a href="http://www.keia.org/publication/north-koreas-cyber-warfare-and-challenges-us-rok-alliance">China and other foreign countries</a> where their government sends or permits them to work. Indeed, the country has reportedly sent hundreds of hackers into nearby countries to <a href="https://www.bloomberg.com/news/features/2018-02-07/inside-kim-jong-un-s-hacker-army">raise money</a> for the regime. Many of the cyberattacks attributed to North Korea have been <a href="https://www.reuters.com/article/us-cyber-northkorea-exclusive/exclusive-north-koreas-unit-180-the-cyber-warfare-cell-that-worries-the-west-idUSKCN18H020">traced back to locations inside China</a>.</p>
<h2>From espionage to sabotage</h2>
<p>North Korea has been using cyber operations <a href="http://faculty.nps.edu/dedennin/publications/CNO%20threat.pdf">to spy on</a> the U.S. and South Korea since at least 2004. U.S. targets have included <a href="https://www.nytimes.com/2017/10/10/world/asia/north-korea-hack-war-plans.html">military entities</a> and the State Department. North Korea uses cyber espionage to acquire foreign technology, including <a href="http://money.cnn.com/2017/10/31/news/north-korea-hack-stole-south-korea-warship-plans/index.html">technologies relating to weapons</a> of mass destruction, unmanned aerial vehicles and missiles.</p>
<p>By 2009, North Korea had expanded its cyber operations to include acts of sabotage. The first of these <a href="https://www.csmonitor.com/Technology/Horizons/2009/0708/north-korean-hackers-blamed-for-sweeping-cyber-attack-on-us-networks">took place in July 2009</a>, when massive distributed denial of service (DDoS) attacks shut down targets in the U.S. and South Korea. The attackers also used “wiper” malware to delete data on disks.</p>
<p>North Korea has continued to <a href="https://www.symantec.com/connect/blogs/four-years-darkseoul-cyberattacks-against-south-korea-continue-anniversary-korean-war">launch DDoS and disk-wiping attacks</a> over the years, targeting banks as well as other military and civilian systems in the U.S. and South Korea. A cyberattack in April 2011 against South Korea’s agricultural banking cooperative Nonghyup was said to <a href="https://www.reuters.com/article/us-korea-north-cyber/north-korea-hackers-behind-attack-on-s-korea-bank-prosecutors-idUSTRE7421Q520110503">shut down the bank’s credit card and ATM services</a> for more than a week.</p>
<p>In December 2014, the North’s attackers hit desktop computers in a South Korean <a href="https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/korean-nuclear-plant-faces-data-leak-and-destruction">nuclear plant</a> with wiper malware that destroyed not only the data on hard drives, but also the master boot record startup software, making recovery more difficult. In addition, the attack stole and leaked blueprints and employee information from the plant.</p>
<p>North Korea has also been accused of trying to <a href="https://www.nbcnews.com/news/north-korea/experts-north-korea-targeted-u-s-electric-power-companies-n808996">hack electric power companies</a> in the U.S. and a <a href="https://www.thestar.com/news/gta/2018/01/23/metrolinx-targeted-by-north-korean-cyberattack.html">railroad system</a> in Canada.</p>
<h2>The attack on Sony</h2>
<p>The attack on the nuclear facility took place about a month after North Korea attacked <a href="https://fortune.com/sony-hack-part-1/">Sony Pictures</a> with wiper malware that zapped <a href="https://www.washingtonpost.com/news/the-switch/wp/2014/12/18/the-sony-pictures-hack-explained/?utm_term=.04b27501bbc7">over 4,000 of the company’s desktop computers</a> and servers. The attackers also stole and posted pre-release movies and <a href="https://www.theguardian.com/technology/2014/dec/14/sony-pictures-email-hack-greed-racism-sexism">sensitive, often embarrassing, emails</a> and other data taken from the company.</p>
<p>Calling themselves the “Guardians of Peace,” the attackers demanded that Sony withhold release of the satirical film “<a href="http://www.imdb.com/title/tt2788710/">The Interview</a>,” which depicts an assassination attempt against North Korea’s leader, Kim Jong-un. The attackers also <a href="https://www.theguardian.com/film/2014/dec/16/employees-sue-failure-guard-personal-data-leaked-hackers">threatened violence</a> against any movie theaters showing the film. </p>
<p>Although theaters initially canceled their scheduled showings, ultimately <a href="https://deadline.com/2017/04/as-north-korea-rumbles-insiders-tell-how-small-players-stood-tall-helping-sonys-the-interview-1202069868/">the film was released</a> both online and in theaters. North Korea’s <a href="https://www.cfr.org/blog/north-koreas-offensive-cyber-program-might-be-good-it-effective">coercive attempts</a> failed, as they have in other cases. </p>
<figure class="align-center zoomable">
<a href="https://images.theconversation.com/files/205123/original/file-20180206-88799-tgyq0v.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="" src="https://images.theconversation.com/files/205123/original/file-20180206-88799-tgyq0v.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/205123/original/file-20180206-88799-tgyq0v.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=377&fit=crop&dpr=1 600w, https://images.theconversation.com/files/205123/original/file-20180206-88799-tgyq0v.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=377&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/205123/original/file-20180206-88799-tgyq0v.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=377&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/205123/original/file-20180206-88799-tgyq0v.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=474&fit=crop&dpr=1 754w, https://images.theconversation.com/files/205123/original/file-20180206-88799-tgyq0v.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=474&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/205123/original/file-20180206-88799-tgyq0v.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=474&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">North Korea was not happy that Sony planned to release ‘The Interview,’ a comedy depicting the fictional killing of national leader Kim Jong Un.</span>
<span class="attribution"><a class="source" href="http://www.apimages.com/metadata/Index/North-Korea-Bombs-and-Bluster/4e04bb1b9f864d04995e83d0ec61b919/22/0">AP Photo/Ahn Young-joon</a></span>
</figcaption>
</figure>
<h2>Financial crimes</h2>
<p>In recent years, North Korea started <a href="https://motherboard.vice.com/en_us/article/8xvnmv/facebook-is-disrupting-north-korean-hacking-operations">using cyber operations</a> to generate revenue for the government. This is done through several illicit means, including outright theft of funds, extortion and <a href="https://www.thecipherbrief.com/kim-digs-cybercrime-coin-sanctions-cant-snatch">cryptocurrency mining</a>. </p>
<p>In early 2016, the regime came close to stealing US$951 million from the <a href="https://www.nytimes.com/2016/05/27/business/dealbook/north-korea-linked-to-digital-thefts-from-global-banks.html">Bangladesh Central Bank</a> over the global SWIFT financial network. Fortunately, because of a misspelling, they only succeeded in moving $81 million. Analysts attributed the attack to the “<a href="https://www.cfr.org/blog/north-koreas-offensive-cyber-program-might-be-good-it-effective">Lazarus Group</a>,” the same group believed to be behind many of the attacks tied to North Korea, including those against Sony and other banks.</p>
<p>The Lazarus Group has also been <a href="https://www.cnn.com/2017/12/18/politics/white-house-tom-bossert-north-korea-wannacry/index.html">blamed</a> for the <a href="https://www.csoonline.com/article/3227906/ransomware/what-is-wannacry-ransomware-how-does-it-infect-and-who-was-responsible.html">WannaCry</a> ransomware that spread to computers in 150 countries in 2017. After encrypting data on a victim’s computer, the malware demanded payment in the bitcoin digital currency to get access back.</p>
<p>North Korea has been <a href="https://www.bloomberg.com/news/articles/2018-01-02/north-korean-hackers-hijack-computers-to-mine-cryptocurrencies">mining cryptocurrencies</a> on hacked computers as well. The hijacked machines run software that “earns” the digital currency by performing a computationally difficult task. The funds are then directed into an account tied to the hackers. </p>
<p>North Korean hackers also <a href="https://www.scmagazineuk.com/more-evidence-emerges-of-north-korea-targeting-cryptocurrency-industry/article/719498/">attack cryptocurrency exchanges</a>. They have reportedly <a href="http://www.scmp.com/news/world/article/2131470/north-korea-barely-wired-so-how-did-it-become-global-hacking-power">stolen millions of dollars</a> worth of bitcoin from two exchanges in South Korea and attempted thefts from 10 others.</p>
<h2>A cybercrime power</h2>
<p>Like other countries, North Korea uses cyber espionage and cyber sabotage to acquire secrets and harm adversaries. But it stands out from other countries in its use of <a href="https://www.fastcompany.com/40525120/north-korea-hackers-money-bitcoin-cryptocurrency-theft-sanctions">cybercrime to finance</a> its programs. This is perhaps not surprising given North Korea’s <a href="https://fas.org/sgp/crs/row/RL33324.pdf">history of counterfeiting</a> U.S. currency and using other <a href="https://www.thedailybeast.com/are-cyber-crooks-funding-north-koreas-nukes">illicit activities</a> to acquire funds.</p>
<p>The introduction of online transactions and digital currencies, coupled with inadequate cybersecurity, has opened the doors to North Korea for illicitly acquiring funds by new means. Given the country’s appetite for building nuclear and other weapons, as well as the effects of economic sanctions, it seems likely that North Korea will continue to seek ways of exploiting the cyber world for economic advantage.</p>
<p class="fine-print"><em><span>Dorothy Denning does not work for, consult, own shares in or receive funding from any company or organization that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
<p>North Korea’s cyber army is closely controlled by the ruling regime – a key difference from other countries’ cyberattack and espionage groups.</p>
<p>Dorothy Denning, Emeritus Distinguished Professor of Defense Analysis, Naval Postgraduate School</p>
<p>Licensed as Creative Commons – attribution, no derivatives.</p>
<h2>Following the developing Iranian cyberthreat</h2>
<p>Published 2017-12-12T02:50:41Z</p>
<figure><img src="https://images.theconversation.com/files/195769/original/file-20171121-6013-1qqleza.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">The Iranian Cyber Army has taken over many websites.</span> <span class="attribution"><a class="source" href="https://www.zone-h.org/news/id/4733">Zone-H</a>, <a class="license" href="http://creativecommons.org/licenses/by-nc-nd/4.0/">CC BY-NC-ND</a></span></figcaption></figure>
<p>Iran is one of the leading cyberspace adversaries of the United States. It emerged as a cyberthreat a few years later than <a href="https://theconversation.com/tracing-the-sources-of-todays-russian-cyberthreat-81593">Russia</a> and <a href="https://theconversation.com/how-the-chinese-cyberthreat-has-evolved-82469">China</a> and has so far demonstrated less skill. Nevertheless, it has conducted several highly damaging cyberattacks and become a major threat that <a href="https://www.wired.com/story/apt-34-iranian-hackers-critical-infrastructure-companies/">will only get worse</a>.</p>
<p>Like Russia and China, the history of Iran’s cyberspace operations begins with its hackers. But unlike these other countries, Iran openly encourages its hackers to launch cyberattacks against its enemies. The government not only recruits hackers into its cyberforces but supports their independent operations.</p>
<h2>Putting Iranian hackers on the map</h2>
<p>It was clear by the mid-2000s that Iran would become a source of cyberattacks: Its hackers had started taking over websites worldwide and posting their own messages on them, a practice called “defacing.” Often it was just for fun, but some hackers wanted to stand up for their country and Muslims. One prominent group, Iran Hackers Sabotage, launched in 2004 “with the aim of showing the world that Iranian hackers have something to say in the worldwide security.”</p>
<p>The group’s website announced that it provided vulnerability testing and secure hosting services, but it was also known for web defacements. In 2005, the group replaced the <a href="http://www.zone-h.org/mirror/id/2645159">U.S. Naval Station Guantanamo</a> home page with one defending Muslims and condemning terrorists. Another of its defacements proclaimed “<a href="http://www.zone-h.org/mirror/id/2917409">Atomic energy is our right</a>.” By early 2008, the <a href="http://www.zone-h.org/">Zone-H</a> defacement archive listed 3,763 web defacements for the group. The group has since disbanded.</p>
<p>Another prominent group, Ashiyane Digital Security Team, ran a website that offered free hacking tools and tutorials. The site claimed to have 11,503 members in May 2006. Like Iran Hackers Sabotage, Ashiyane provided security services while using its members’ knowledge and skills to deface websites. Their defacements frequently included a map of Iran with a reminder that “The correct name is Persian Gulf” for what some <a href="https://en.wikipedia.org/wiki/Persian_Gulf_naming_dispute#Viewpoint_of_Arabs">Arab states have called</a> the “Arabian Gulf.”</p>
<p>Ashiyane defaced 500 websites in 2009 during the Israeli incursion into Gaza and <a href="https://www.memri.org/reports/irans-cyber-war-hackers-service-regime-irgc-claims-iran-can-hack-enemys-advanced-weapons">1,000 sites</a> in the U.S., U.K. and France in 2010 for supporting what the group said were anti-Iranian terrorist groups. By May 2011, Zone-H had recorded 23,532 defacements by the group. Its leader, Behrouz Kamalian, said his group <a href="https://www.memri.org/reports/irans-cyber-war-hackers-service-regime-irgc-claims-iran-can-hack-enemys-advanced-weapons">cooperated with the Iranian military</a>, but operated independently and spontaneously.</p>
<p>A third group, the Iranian Cyber Army, launched a few years later. It has been implicated in <a href="https://www.memri.org/reports/irans-cyber-war-hackers-service-regime-irgc-claims-iran-can-hack-enemys-advanced-weapons">several website attacks</a>, including one against Twitter in 2009 that proclaimed support for Iran’s Supreme Leader Ali Khamenei. Other attack targets were <a href="https://arstechnica.com/tech-policy/2011/02/iranian-cyber-army-attacks-voice-of-america-website/">the Voice of America in 2011</a> after the U.S. supported Iran’s Green movement, and regime opposition websites in 2013 just before the presidential election.</p>
<h2>Iran’s cyber military</h2>
<p>The Iranian Cyber Army is <a href="https://web.archive.org/web/20130606084937/https://www.csis.org/blog/iranian-cyber-army">said by some</a> <a href="https://www.reuters.com/article/us-iran-cyber/once-kittens-in-cyber-spy-world-iran-gains-prowess-security-experts-idUSKCN1BV1VA">cybersecurity researchers</a> to operate on behalf of Iran’s <a href="https://en.wikipedia.org/wiki/Islamic_Revolutionary_Guard_Corps">Islamic Revolutionary Guard Corps</a>, a branch of the country’s military. The Revolutionary Guards run a <a href="http://www.inss.org.il/publication/iran-and-cyberspace-warfare/?offset=50&posts=74&outher=Gabi%20Siboni">cyber warfare program</a> that in 2008 was estimated to employ about 2,400 professionals. In addition, the program connects with independent hacker groups such as Ashiyane and the ICA.</p>
<p>The Revolutionary Guards also command Iran’s voluntary paramilitary militia, known as the Basij Resistance Force. In 2010, the Basij established the Basij Cyber Council, but it focuses more on <a href="http://www.inss.org.il/publication/iran-and-cyberspace-warfare/?offset=50&posts=74&outher=Gabi%20Siboni">media and influence operations</a> than on cyberattacks.</p>
<h2>Turning to sabotage</h2>
<p>By 2012, Iranian cyberattacks had gone beyond simple web defacements and hijacks to ones that destroyed data and shut down access to critical websites. The attackers conceal their government connections by hiding behind monikers that resemble those used by independent <a href="https://www.georgetownjournalofinternationalaffairs.org/online-edition/the-rise-of-hacktivism?rq=denning">hacktivists</a> fighting for justice and human rights.</p>
<p>One such group called itself the Cutting Sword of Justice. In 2012, it launched <a href="http://www.nytimes.com/2012/10/24/business/global/cyberattack-on-saudi-oil-firm-disquiets-us.html?pagewanted=all&_r=1">cyberattacks against the Saudi Aramco oil company</a>, claiming to protest Saudi oppression and corruption financed by oil. The attacks used “wiper” code that overwrote data on hard drives and spread through the company’s network via a virus dubbed Shamoon. <a href="http://money.cnn.com/2015/08/05/technology/aramco-hack/index.html">More than 30,000 computers</a> were rendered inoperable at Saudi Aramco and Qatar’s RasGas, which was also targeted. U.S. intelligence officials <a href="http://www.nytimes.com/2012/10/24/business/global/cyberattack-on-saudi-oil-firm-disquiets-us.html">blamed Iran</a> for the attacks.</p>
<p>Iran has deployed wiper malware in other acts of sabotage, most notably the 2014 <a href="https://thehackernews.com/2014/12/las-vegas-casino-hacked.html">attack against the Las Vegas Sands Corporation</a>. The attack was thought to be a response to remarks made by Sheldon Adelson, the company’s largest shareholder. Adelson suggested setting off a bomb in an Iranian desert to persuade the country to abandon nuclear weapons. And in 2016, the <a href="https://www.theregister.co.uk/2016/12/02/accused_iranian_disk_wiper_returns_to_destroy_saudi_orgs_agencies/">Shamoon malware resurfaced</a>, wiping data from thousands of computers in Saudi Arabia’s civil aviation agency and other organizations.</p>
<p>Iranian hackers operating on behalf of the government have also conducted massive <a href="https://theconversation.com/attackers-can-make-it-impossible-to-dial-911-67980">distributed denial-of-service attacks</a>, which flood sites with so much traffic that they become inaccessible. From 2012 to 2013, a group calling itself the <a href="https://www.recordedfuture.com/deconstructing-the-al-qassam-cyber-fighters-assault-on-us-banks/">Cyber Fighters of Izz ad-Din al-Qassam</a> launched a series of relentless distributed denial-of-service attacks against major U.S. banks. The attackers claimed the banks were “properties of American-Zionist Capitalists.” </p>
<p>In 2016 the U.S. <a href="https://www.washingtonpost.com/world/national-security/justice-department-to-unseal-indictment-against-hackers-linked-to-iranian-goverment/2016/03/24/9b3797d2-f17b-11e5-a61f-e9c95c06edca_story.html">indicted seven Iranian hackers</a> in absentia for working on behalf of the Revolutionary Guards to conduct those bank attacks, which were said to have caused tens of millions of dollars in losses. The motivation may have been retaliation for economic sanctions that had been imposed on Iran or the <a href="http://www.mdpi.com/1999-5903/4/3/672">Stuxnet</a> cyberattack on Iran’s centrifuges.</p>
<p>One of the seven indictments was of a man who allegedly obtained access to the computer control system for the <a href="http://time.com/4270728/iran-cyber-attack-dam-fbi/">Bowman Avenue Dam</a> in New York state. The access would have allowed the intruder to “operate and manipulate” one of the dam’s gates had it not been offline for maintenance.</p>
<p>Iran also engages in cyberespionage. One group, which cybersecurity research firm FireEye named <a href="https://www.wired.com/story/iran-hackers-apt33/">Advanced Persistent Threat 33</a>, has invaded computers around the world, with targets in the petrochemical, defense and aviation industries. The group uses code linked to Iran’s wiper malware, possibly in preparation for more destructive attacks. Another group, called <a href="https://www.wired.com/story/apt-34-iranian-hackers-critical-infrastructure-companies/">Advanced Persistent Threat 34</a>, has been active since at least 2014, targeting companies in the financial, energy, telecom and chemical industries.</p>
<h2>Foreign assistance</h2>
<p>Iran may be beefing up its cyberwarfare capabilities with the help of foreigners.</p>
<p>According to former Congressman Peter Hoekstra, who chaired the House’s Permanent Select Committee on Intelligence, Iran’s rapid emergence as a major cyberthreat likely stems from its <a href="http://freebeacon.com/national-security/iran-russia-partnering-to-launch-cyber-attacks/">close ties to Russia</a>. Matthew McInnis, a resident fellow at the American Enterprise Institute, believes Iran turned to Russia to <a href="http://freebeacon.com/national-security/iran-russia-partnering-to-launch-cyber-attacks/">level the cyberwarfare battlefield</a> with the U.S. and the West.</p>
<p>Iran may also be <a href="http://www.inss.org.il/publication/iran-and-cyberspace-warfare/">looking to Mexico</a> for cyberwarfare support. According to a <a href="http://dailysignal.com//2011/12/09/univision-confirms-iranian-threat-in-latin-america/">documentary aired on the Univision</a> television network in 2011, a former Iranian ambassador to Mexico accepted a plan from undercover Mexican students to launch crippling cyberattacks against the U.S. The targets included the White House, the CIA, the FBI and nuclear installations. The documentary also shows Venezuelan and Cuban officials in Mexico expressing interest in the plot.</p>
<figure>
<iframe width="440" height="260" src="https://www.youtube.com/embed/RmM5zkMFtME?wmode=transparent&start=0" frameborder="0" allowfullscreen=""></iframe>
<figcaption><span class="caption">A Univision documentary sheds light on Iranian cyberattack efforts.</span></figcaption>
</figure>
<h2>Strengthening its cyberwarfare program</h2>
<p>Iran may view cyberwarfare as a means of overcoming its military disadvantage compared to the U.S. To that end, it will likely continue to improve its cyber capabilities.</p>
<p>Containing Iran’s cyberwarfare program would likely be even more challenging than containing its <a href="https://theconversation.com/iran-nuclear-deal-how-to-ensure-compliance-53485">nuclear program</a>. Computer code is easy to conceal, copy and distribute, making it extremely <a href="http://faculty.nps.edu/dedennin/publications/Berlin.pdf">difficult to enforce controls placed on cyberweapons</a>. That leaves <a href="https://theconversation.com/how-companies-can-stay-ahead-of-the-cybersecurity-curve-74414">cybersecurity</a> and <a href="https://theconversation.com/cybersecuritys-next-phase-cyber-deterrence-67090">cyberdeterrence</a> as America’s best options for defending against the Iranian cyberthreat.</p>
<p>Iranian cyberthreats come from independent hacker groups and from those suspected of having government ties. Their efforts may be part of a campaign to counterbalance other international powers.</p>
<p>Dorothy Denning, Emeritus Distinguished Professor of Defense Analysis, Naval Postgraduate School</p>
<p>Licensed as Creative Commons – attribution, no derivatives.</p>
<p>tag:theconversation.com,2011:article/81593 (2017-08-16T01:38:58Z)</p>
<h1>Tracing the sources of today’s Russian cyberthreat</h1>
<figure><img src="https://images.theconversation.com/files/181685/original/file-20170810-27649-a7n4re.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">Who's inside the hoodie?</span> <span class="attribution"><a class="source" href="https://www.shutterstock.com/image-photo/hacker-dark-hoody-sitting-front-notebook-498951418">BeeBright/Shutterstock.com</a></span></figcaption></figure>
<p>Beyond carrying all of our phone, text and internet communications, cyberspace is an active battleground, with cybercriminals, government agents and even military personnel probing weaknesses in corporate, national and even personal online defenses. Some of the most talented and dangerous cybercrooks and cyberwarriors come from Russia, which is a longtime meddler in other countries’ affairs.</p>
<p>Over decades, Russian operators have stolen terabytes of data, taken control of millions of computers and raked in billions of dollars. They’ve <a href="https://www.wired.com/story/russian-hackers-attack-ukraine/">shut down electricity in Ukraine</a> and <a href="http://www.nbcnews.com/news/us-news/intelligence-director-says-agencies-agree-russian-meddling-n785481">meddled in elections in the U.S.</a> and elsewhere. They’ve engaged in <a href="https://www.nytimes.com/2015/06/07/magazine/the-agency.html?hp&action=click&pgtype=Homepage&module=second-column-region&region=top-news&WT.nav=top-news&_r=1">disinformation</a> and disclosed pilfered information such as the <a href="https://en.wikipedia.org/wiki/Podesta_emails">emails stolen from Hillary Clinton’s campaign chairman, John Podesta,</a> following <a href="http://www.cnn.com/2017/06/27/politics/russia-dnc-hacking-csr/">successful spearphishing attacks</a>.</p>
<p>Who are these operators, why are they so skilled and what are they up to?</p>
<h2>Back to the 1980s</h2>
<p>The Russian cyberthreat dates back to at least 1986 when Cliff Stoll, then a system administrator at Lawrence Berkeley National Laboratory, linked a 75-cent accounting error to intrusions into the lab’s computers. The hacker was after military secrets, downloading documents with important keywords such as “nuclear.” A lengthy investigation, described in Stoll’s book “<a href="http://www.penguinrandomhouse.com/books/173930/cuckoos-egg-by-clifford-stoll/">The Cuckoo’s Egg</a>,” led to a German hacker who was selling the stolen data to what was then the Soviet Union.</p>
<p>By the late 1990s, Russian cyberespionage had grown to include the multi-year “<a href="https://medium.com/@chris_doman/the-first-sophistiated-cyber-attacks-how-operation-moonlight-maze-made-history-2adb12cc43f7">Moonlight Maze</a>” intrusions into U.S. military and other government computers, foretelling the massive espionage from Russia today.</p>
<p>The 1990s also saw the arrest of <a href="http://www.nytimes.com/1995/08/19/business/citibank-fraud-case-raises-computer-security-questions.html">Vladimir Levin</a>, a computer operator in St. Petersburg. Levin tried to steal more than US$10 million by hacking Citibank accounts, foreshadowing Russia’s prominence in cybercrime. And Russian hackers defaced U.S. websites during the <a href="http://edition.cnn.com/TECH/computing/9904/06/serbnato.idg/index.html">Kosovo conflict</a>, portending Russia’s extensive use of disruptive and damaging cyberattacks.</p>
<h2>Conducting advanced attacks</h2>
<p>In more recent years, Russia has been behind some of the most sophisticated cyberattacks on record. The <a href="https://www.wired.com/story/russian-hackers-attack-ukraine/">2015 cyberattack on three of Ukraine’s regional power distribution companies</a> knocked out power to almost a quarter-million people. Cybersecurity analysts from the Electricity Information Sharing and Analysis Center and the SANS Institute reported that the multi-staged attacks were conducted by a “<a href="https://ics.sans.org/media/E-ISAC_SANS_Ukraine_DUC_5.pdf">highly structured and resourced actor</a>.” Ukraine <a href="http://www.reuters.com/article/us-ukraine-crisis-cyber-idUSKBN15U2CN">blamed the attacks on Russia</a>.</p>
<p>The attackers used a <a href="https://ics.sans.org/media/E-ISAC_SANS_Ukraine_DUC_5.pdf">variety of techniques</a> and adapted to the targets they faced. They used <a href="https://theconversation.com/spearphishing-roiled-the-presidential-campaign-heres-how-to-protect-yourself-68274">spearphishing</a> email messages to gain initial access to systems. They installed “<a href="https://ics-cert.us-cert.gov/alerts/IR-ALERT-H-16-056-01">BlackEnergy</a>” malware to establish remote control over the infected devices. They harvested credentials to move through the networks. They developed custom malicious firmware to render system control devices inoperable. They hijacked the <a href="https://doi.org/10.1109/PROC.1987.13932">Supervisory Control and Data Acquisition</a> system to open circuit breakers in substations. They used “<a href="https://thehackernews.com/2016/01/Ukraine-power-system-hacked.html">KillDisk</a>” malware to erase the master boot record of affected systems. The attackers even went so far as to strike the control stations’ battery backups and tie up the energy company’s call center with <a href="https://www.wired.com/2016/03/inside-cunning-unprecedented-hack-ukraines-power-grid/">thousands of calls</a>.</p>
<p>The Russians <a href="https://www.wired.com/story/russian-hackers-attack-ukraine/">returned in 2016</a> with more advanced tools to take down a major artery of Ukraine’s power grid. Russia is believed to have also invaded energy companies in the U.S., including those operating <a href="https://www.washingtonpost.com/world/national-security/us-officials-say-russian-government-hackers-have-penetrated-energy-and-nuclear-company-business-networks/2017/07/08/bbfde9a2-638b-11e7-8adc-fea80e32bf47_story.html">nuclear power plants</a>.</p>
<h2>Top-notch cybereducation</h2>
<p>Russia has many skilled cyberoperators, and for good reason: Their <a href="https://krebsonsecurity.com/2017/06/why-so-many-top-hackers-hail-from-russia/">educational system emphasizes information technology</a> and computer science, more so than in the U.S. </p>
<p>Every year, Russian schools take a disproportionate number of the top spots in the <a href="https://icpc.baylor.edu/worldfinals/results">International Collegiate Programming Contest</a>. In the 2016 contest, St. Petersburg State University took the top spot for the fifth time in a row, and four other Russian schools also made the top 12. In 2017, St. Petersburg ITMO University won, with two other Russian schools also placing in the top 12. The top U.S. school ranked 13th.</p>
<p>As Russia prepared to form a cyberbranch within its military, Minister of Defense <a href="https://www.rbth.com/society/2013/07/16/russia_to_get_cyber_troops_28069.html">Sergei Shoigu</a> took note of Russian students’ performance in the contest. “We have to work with these guys somehow, because we need them badly,” he said in a public meeting with university administrators.</p>
<h2>Who are these Russian cyberwarriors?</h2>
<p>Russia employs cyberwarriors within its military and <a href="https://www.us-cert.gov/sites/default/files/publications/JAR_16-20296A_GRIZZLY%20STEPPE-2016-1229.pdf">intelligence services</a>. Indeed, the cyberespionage groups dubbed APT28 (aka Fancy Bear) and APT29 (aka Cozy Bear and The Dukes) are believed to <a href="http://www.telegraph.co.uk/news/2016/12/16/russias-cyber-warriors-should-west-do/">correspond to Russia’s military intelligence agency GRU and its state security organization FSB,</a> respectively. Both groups have been implicated in hundreds of cyberoperations over the past decade, including U.S. election hacking.</p>
<p>Russia <a href="https://www.nytimes.com/2016/12/29/world/europe/how-russia-recruited-elite-hackers-for-its-cyberwar.html">recruits cyberwarriors</a> from its colleges, but also from the cybersecurity and cybercrime sectors. It is said to turn a <a href="http://thehill.com/policy/cybersecurity/256573-kremlins-ties-russian-cyber-gangs-sow-us-concerns">blind eye</a> to its criminal hackers as long as they avoid Russian targets and use their skills to aid the government. According to <a href="http://thehill.com/policy/cybersecurity/256573-kremlins-ties-russian-cyber-gangs-sow-us-concerns">Dmitri Alperovitch</a>, co-founder of the security firm CrowdStrike, when Moscow identifies a talented cybercriminal, any pending criminal case against the person is dropped and the hacker disappears into the Russian intelligence services. <a href="http://www.news.com.au/technology/online/hacking/the-russian-hacker-with-a-4-million-bounty-on-his-head/news-story/e5c363e260e25c0a09641d39e1d37636">Evgeniy Mikhailovich Bogachev</a>, <a href="https://www.fbi.gov/wanted/cyber/evgeniy-mikhailovich-bogachev">wanted by the FBI</a> with a reward of $3 million for cybercrimes, is also on the <a href="https://www.treasury.gov/press-center/press-releases/Pages/jl0693.aspx">Obama administration’s list of people sanctioned</a> in response to interference in the U.S. election. Bogachev is said to work “<a href="https://www.nytimes.com/2017/03/12/world/europe/russia-hacker-evgeniy-bogachev.html">under the supervision of a special unit of the FSB</a>.” </p>
<h2>Allies outside official channels</h2>
<p>Besides its in-house capabilities, the Russian government has access to hackers and the Russian media. Analyst Sarah Geary at cybersecurity firm FireEye <a href="https://www.thecipherbrief.com/article/tech/cyber-proxies-central-tenet-russias-hybrid-warfare-1092">reported that the hackers</a> “disseminate propaganda on behalf of Moscow, develop cybertools for Russian intelligence agencies like the FSB and GRU, and hack into networks and databases in support of Russian security objectives.” </p>
<p>Many seemingly independent “<a href="http://faculty.nps.edu/dedennin/publications/CyberConflict-EmergentSocialPhenomenon-final.pdf">patriotic hackers</a>” operate on Russia’s behalf. Most notably, they attacked critical systems in <a href="https://ccdcoe.org/publications/books/legalconsiderations.pdf">Estonia in 2007</a> over the relocation of a Soviet-era memorial, <a href="https://ccdcoe.org/publications/books/legalconsiderations.pdf#page=66">Georgia in 2008</a> during the Russo-Georgian War and <a href="http://dx.doi.org/10.5038/2378-0789.1.1.1001">Ukraine in 2014</a> in connection with the conflict between the two countries. </p>
<p>At the very least, the Russian government condones, even encourages, these hackers. After some of the Estonian attacks were traced back to Russia, <a href="https://ccdcoe.org/publications/books/legalconsiderations.pdf">Moscow turned down</a> Estonia’s request for help – even as a commissar in Russia’s pro-Kremlin youth movement Nashi <a href="https://www.rferl.org/a/Russian_Groups_Claims_Reopen_Debate_On_Estonian_Cyberattacks_/1564694.html">admitted launching some of the attacks</a>. And when Slavic Union hackers successfully attacked Israeli websites in 2006, <a href="https://www.army.mil/article/19351/georgias-cyber-left-hook">Deputy Duma Director Nikolai Kuryanovich</a> gave the group a certificate of appreciation. He noted that “a small force of hackers is stronger than the multi-thousand force of the current armed forces.” </p>
<p>While some patriotic hackers may indeed operate independently of Moscow, others seem to have strong ties. <a href="http://www.ibtimes.com/meet-cyberberkut-pro-russian-hackers-waging-anonymous-style-cyberwarfare-against-2228902">Cyber Berkut</a>, one of the groups that conducted cyberattacks against Ukraine, including its central election site, is said to be a <a href="http://www.dia.mil/Portals/27/Documents/News/Military%20Power%20Publications/Russia%20Military%20Power%20Report%202017.pdf">front for Russian state-sponsored</a> cyberactivity. And Russia’s espionage group <a href="http://www.dia.mil/Portals/27/Documents/News/Military%20Power%20Publications/Russia%20Military%20Power%20Report%202017.pdf">APT28 is said to have operated under the guise of the ISIS-associated CyberCaliphate</a> while attacking the French station TV5 Monde and taking over the Twitter account of U.S. Central Command.</p>
<h2>One of many cyberthreats</h2>
<p>Although Russia poses a major cyberthreat, it is not the only country that threatens the U.S. in cyberspace. <a href="http://www.huffingtonpost.com/frank-j-cilluffo/recalibrate-us-cyber-effo_b_2975841.html">China, Iran and North Korea</a> are also countries with strong cyberattack capabilities, and more countries will join the pool as they develop their people’s skills. </p>
<p>The good news is that <a href="https://www.cisecurity.org/controls/">actions to protect an organization’s cybersecurity</a> (such as monitoring access to sensitive files) that work against Russia also work against other threat actors. The bad news is that many organizations do not take those steps. Further, hackers find new vulnerabilities in devices and exploit the weakest link of all – <a href="https://theconversation.com/cybersecuritys-weakest-link-humans-57455">humans</a>. Whether cyberdefenses will evolve to avert a major calamity, from Russia or anywhere else, remains to be seen.</p>
<p>The Russian cyberthreat goes back over three decades, extends into the country’s educational systems and criminal worlds, and shows no signs of letting up.</p>
<p>Dorothy Denning, Emeritus Distinguished Professor of Defense Analysis, Naval Postgraduate School</p>
<p>Licensed as Creative Commons – attribution, no derivatives.</p>
<p>tag:theconversation.com,2011:article/71405 (2017-01-22T19:09:40Z)</p>
<h1>Could Russian hacking pose a threat to Australian democracy?</h1>
<figure><img src="https://images.theconversation.com/files/153558/original/image-20170120-5257-ucwawp.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">Russia has been accused of interfering in the recent US presidential election.</span> <span class="attribution"><span class="source">Shutterstock</span></span></figcaption></figure>
<p>The Russian <a href="https://www.wired.com/2016/07/heres-know-russia-dnc-hack/">hacking of the Democratic National Committee</a> over the past two years might seem like a very American news story, inseparable from the lead characters of Hillary Clinton and Donald Trump, and hyped as only the polarised media of that country can do it.</p>
<p>But when we look more deeply, we see a very threatening reality that concerns all governments, liberal democratic or authoritarian. Australia should take note.</p>
<p>The UK parliament is already alert to the danger. On January 9, 2017, the <a href="http://www.parliament.uk/business/committees/committees-a-z/joint-select/national-security-strategy/">Joint Committee on the National Security Strategy</a> launched an inquiry into the country’s <a href="http://www.parliament.uk/business/committees/committees-a-z/joint-select/national-security-strategy/news-parliament-2015/cyber-security-inquiry-2016-17/">cyber security</a>. While the terms of reference do not call out political hacking as one of the threats, this subject was the <a href="http://www.parliament.uk/business/committees/committees-a-z/joint-select/national-security-strategy/news-parliament-2015/cyber-security-inquiry-2016-17/">main focus of the committee chair</a>, former Home Secretary Margaret Beckett, when <a href="http://www.parliament.uk/business/committees/committees-a-z/joint-select/national-security-strategy/news-parliament-2015/cyber-security-inquiry-2016-17/">announcing the inquiry</a>:</p>
<blockquote>
<p>Attention has recently focused on the potential exploitation of the cyber domain by other states and associated actors for political purposes, but this is just one source of threat that the government must address through its recently launched five-year strategy.</p>
</blockquote>
<p>We can only understand the full significance of the Russian hacking by reference to the escalating cyber battles between it and the United States. These began at least as early as 2000, when Vladimir Putin became president. This is described in some detail in a <a href="https://www.unsw.adfa.edu.au/australian-centre-for-cyber-security/news/russian-hacking-campaign-what-cia-cannot-say">seminar</a> I gave last week at UNSW Canberra.</p>
<figure>
<iframe width="440" height="260" src="https://www.youtube.com/embed/bIRqKks9vq4?wmode=transparent&start=0" frameborder="0" allowfullscreen=""></iframe>
<figcaption><span class="caption">Russia’s hacking campaign – what the CIA can’t say.</span></figcaption>
</figure>
<p>The cyber campaign got very personal for Putin in January 2016 when a US Treasury official publicly accused him of <a href="http://www.bbc.co.uk/news/world-europe-35385445">corruption on a grand scale</a>. This put Putin on notice that his personal political future was in the hands of Western intelligence agencies, which were signalling that they had gained access, including by cyber espionage, to secret information on his offshore accounts.</p>
<p>The more general lesson from the Russian hacking and covert cyber influencing campaign in the US election campaign is how the practice <a href="http://www.theglobalist.com/terabyte-leaks-political-legitimacy-u-s-china/">threatens political legitimacy everywhere</a>. This weapon is also a double-edged sword, and will <a href="http://www.theglobalist.com/putin-to-trump-internet-terror/">come back to haunt</a> those who use it. This warning applies to both Putin and Trump, in spite of their current appearance of being beneficiaries. </p>
<p>As I <a href="http://www.theglobalist.com/putin-to-trump-internet-terror/">argued</a> in January last year, we should expect that Trump’s phone records, email messages, financial transactions, home video selections, internet browsing history will be scrutinised by cyber insurgents.</p>
<h2>The threat to Australia</h2>
<p>Australian political and business leaders have been facing this threat of cyber surveillance for political purposes from foreign governments for at least 20 years. It is notable, curious even, that there have been no documented instances of such campaigns against Australian leaders. </p>
<p>The governments with the capability and will to conduct such campaigns against our leaders include allies and potential adversaries.</p>
<p>Historically, major governments have used such tactics against foreign leaders only sparingly and with extreme caution. That restraint began to evaporate more recently, as the Russia-US case shows.</p>
<p>As another example, just two days after the US government released the report on Russia’s covert cyber campaign, Israel’s ambassador to the UK was <a href="http://www.bbc.com/news/uk-politics-38545671">forced to apologise</a> for video comments by one of his staff plotting to “take down” Foreign Office Minister <a href="http://www.alanduncan.org.uk/">Alan Duncan</a> and chatting about which other ministers should be on the take-down list.</p>
<p>Israel is, of course, not alone in this kind of activity. As mentioned above, this is a tool of policy long used by any government with the wit and talent to do it, and cyber technologies play a central part in it.</p>
<h2>No Yahoos</h2>
<p>It is in this context that we need to understand the significance of the <a href="https://www.theguardian.com/technology/2016/dec/14/yahoo-hack-security-of-one-billion-accounts-breached">2013 leak of 1 billion personal records of Yahoo email users</a>, including Australian politicians, and up to <a href="http://www.abc.net.au/news/2017-01-17/senior-australian-politician-among-victims-of-massive-yahoo-hack/8185162">3,000 government-related accounts</a>. </p>
<p>Prime Minister Malcolm Turnbull is right to have <a href="http://www.smh.com.au/federal-politics/political-news/malcolm-turnbull-to-launch-cyber-security-probe-after-mps-affected-by-global-yahoo-data-breach-20170116-gtsplm.html">ordered an inquiry</a> into its impact on this country. It is almost certain that much or all of this material has been in the hands of one or more foreign intelligence agencies since 2013. Yahoo had, in fact, been providing some of its customer content <a href="http://www.reuters.com/article/us-yahoo-nsa-exclusive-idUSKCN1241YT">directly to US intelligence</a> before the leak.</p>
<p>The question for the Australian government is whether its inquiry might be top-down rather than bottom-up. The latter approach would involve a look at the 3,000 separate government-related accounts, and then at the exponentially larger number of political correspondents with those account holders.</p>
<p>A more strategic top-down approach might be to ask which Australian political figures have suffered the most spectacular falls from grace in the past couple of years? </p>
<p>Could foreign-sourced cyber-espionage have played a part? Would any one of them have been so aligned with a foreign policy cause to attract the ire of a foreign government that might want to take them out?</p>
<p>Leaving aside that somewhat hypothetical, but not irrelevant, proposition, Australia would definitely benefit from following the lead of the UK’s Margaret Beckett. </p>
<p>Alongside an investigation of the impact of the Yahoo leak, we probably should study our capability to monitor covert cyber-based influencing campaigns against our political and business leaders, especially those who use relatively vulnerable off-the-shelf ICT systems.</p>
<p class="fine-print"><em><span>Greg Austin does not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
<p>The prospect of foreign hackers interfering with democracy is not just an American story. It could happen in Australia too, and we need to guard against it.</p>
<p>Greg Austin, Professor, Australian Centre for Cyber Security, UNSW Sydney</p>
<p>Licensed as Creative Commons – attribution, no derivatives.</p>