
Cyberwar, Economic Espionage, and Advanced Persistent Threats

Cyberwar, Espionage, and APTs:
Military and intelligence applications of network attack and defense

The term cyberwar has been misused to promote various agendas. The often abused term "Digital Pearl Harbor" usually indicates that the speaker or writer is hyping something for political reasons, often with little to no understanding of the technology. However, cyberwar is going on, with the U.S., China, and Russia as major players. Denial-of-service attacks have played roles in parallel with physical attacks, and espionage attempts are constant. Let's look at some meaningful information on cyberwar.

The term Remote Access Trojan or RAT was initially popular for describing the advanced threats of the mid 1990s through maybe 2010. The term Advanced Persistent Threat or APT is cited as first being used by USAF Colonel Greg Rattray in 2006; it soon became common for describing precisely targeted threats using advanced techniques and typically lurking unseen for an extended time to extract data, gather intelligence for later attacks, or sabotage systems.

A true APT is very advanced and persistent. They are complex and sophisticated, especially the nation-state-sponsored ones. And they are persistent: analysis has shown that some have been in place undetected for several years.

Some cybersecurity vendors have become very sloppy with the term! Some vendors say "APT" to refer to malware that affects a server instead of just desktops. Or, to ransomware that hits a file server instead of just one desktop. Or, worse yet, to anything at all that's more complicated than the standard Windows trojan. Let's not make the cybersecurity jargon any sloppier than it already is!

Lists of APT and major threat groups

Some organizations and individuals are trying to keep track of the names assigned to major threat groups:

Mitre
Florian Roth's list
MISP Galaxy Adversary Groups

International Conflict on the Internet


The National Security Archive at George Washington University maintains The Cyber Vault, a large and growing archive of documents on various aspects of cyber activities from the U.S. and foreign governments, international organizations, and cybersecurity firms.

The RAND Corporation wrote what looks like a good analysis of cyberwar for the U.S. Air Force.

Seymour Hersh wrote a good article for The New Yorker, "The Online Threat: Should we be worried about a cyber war?"

At the 2013 RSA conference a senior PLA colonel said "In the U.S., military espionage is heroic and economic espionage is a crime, but in China the line is not so clear."

I haven't tried to distinguish between conflicts directly between governments (e.g., Stuxnet), between supporters of a government against another government (e.g., Estonia in 2007), and between what might be spinoffs of the PLA conducting espionage against U.S. defense contractors.

As a general trend, attacks out of eastern Europe (Russia, Ukraine, Romania, and Bulgaria are prominent sources) tend to be criminal in nature — stealing financial information, extortion through DDoS or crypto-locker software, and stealing corporate information. Attacks out of China tend to be more focused on industrial and national espionage.

I have tried to divide things by country and put them in time order, as that is complicated enough.

As for things like nation-state threats attacking banks, I don't know how to put that into a category. But it happens!

The People's Republic of China

During the NATO attacks on Serbia in the spring of 1999, including the accidental bombing of the Chinese embassy, there were retaliatory attacks against NATO's public web server (instigated from Belgrade) and against a number of U.S. government sites, including Dept of Interior, Dept of Energy, the National Park Service (!), and the U.S. embassy in China (instigated from Beijing and from groups supporting the Beijing government).

There were also attacks against U.S. and NATO systems from China. Federal Computer Week, 1 Sep 1999.

April-May 2001 — A US Navy EP3 intelligence gathering aircraft landed on Hainan Island after a mid-air collision with a Chinese fighter, leading to scattered attacks using "Kill USA" and "China Killer" programs. New Scientist, 23 Feb 2008 pp 24-25.

2003 — The "Titan Rain" coordinated attacks from China on U.S. computer systems were announced. Systems were compromised at Lockheed Martin, Sandia National Laboratories, Redstone Arsenal and NASA. It had been going on at least since 2000. This was an early example of an advanced persistent threat.

October 2007 — The US Department of Homeland Security's U.S. Immigration and Customs Enforcement agency reported that it had launched more than 540 investigations into illegal exports of controlled U.S. technology to China since 2000. Homeland Security Affairs, (Journal of the Naval Postgraduate School Center for Homeland Defense and Security), vol V, No 1, Jan 2009.

January 2008 — The US Air Force said, "China has been positively identified as a source of campaign-style cyber attacks on Department of Defense systems."

January 2008 — The US Air Force said that papers in Chinese military journals and textbooks discuss ideas for war against the US in a confrontation over Taiwan, including communication jamming and computer malware.

February 2008 — The Australian government announced that Chinese hackers were launching targeted attacks to gather information from sensitive military secrets to the prices Australian companies will seek for resources such as coal. The Age, 10 Feb 2008.

11 February 2008 — US officials arrested a former Boeing engineer on charges of stealing trade secrets from the space-shuttle program, Delta IV rocket and other projects and sending them to agents of the Chinese government. Orlando Sentinel, 12 Feb 2008.

12 February 2008 — The Washington Times had a story on Chinese espionage.

15 February 2008 — The Washington Post had a story on Chinese espionage:

3 March 2008 — The US Defense Department said that attacks in 2007 against computer networks operated by governments and commercial institutions around the world "appear" to have originated within China. See:
Government Executive, 4 Dec 2007
Government Executive, 3 Mar 2008
Government Executive, 6 Mar 2008
Federal Computer Week, 4 Mar 2008
2007 Report To Congress of the U.S.-China Economic and Security Review Commission

24 March 2008 — Tibet protest groups have been targeted for attack with hostile e-mail attachments sent from Chinese servers. BBC World News, 24 Mar 2008.

25 March 2008 — "A Chinese-born engineer convicted of conspiring to pass U.S. military secrets to the People's Republic of China was sentenced Monday to 24 years and five months in federal prison." Information Week, 25 Mar 2008.

10 April 2008 — Business Week ran a cover story "The New E-spionage". Summary: many prolific sources based in PRC launch spear-phishing attacks on government workers and contractors. The To: and From: fields look relevant, content is relevant. Message has spyware attachment that will capture keystrokes and harvest data files, sending product back to PRC. Plus capability for remote access of the system. BYZANTINE FOOTHOLD has been a US project to detect, track, and disarm intrusions on critical government networks. "Poison Ivy" was the name given to PRC code by commercial infosec companies.

6 May 2008 — "Over the past one and a half years, officials said, China has mounted almost daily attacks on Indian computer networks, both government and private, showing its intent and capability." Times of India, 6 May 2008.

3 Nov 2008 — The Diplomatic Security Daily publication of the U.S. Department of State reported the sophisticated threat assigned code word Byzantine Candor, with a subset of that known as Byzantine Hades. Abbreviations used in the excerpt:
BC = Byzantine Candor,
CNE = Computer Network Exploitation,
USG = United States Government,
DoS = Department of State (and not Denial of Service!), and
CTAD = Cyber Threat Analysis Division.
As the widely copied WikiLeaks file shows, that report said:

¶39 (S//NF) Worldwide - BC conducting CNE on USG systems:

¶40. (S//NF) Key highlights: BC actively targets USG and other organizations via socially engineered e-mail messages. BC actors recently compromised the systems of a U.S. ISP to carry out CNE on a USG network. Additional IP addresses were identified this month as compromised and used for BC activity. BC has targeted DoS networks in the past and may again in the future via spoofed e-mail.

¶41. (S//REL TO USA, FVEY) Source paragraph: Byzantine Candor (BC) actors have compromised multiple systems located at a U.S. Internet service provider (ISP) and have used the systems as part of BC's U.S.-based attack infrastructure since at least March, targeting multiple victims including at least one USG agency.

¶42. (S//NF) CTAD comment: Since late 2002, USG organizations have been targeted with social-engineering online attacks by BC actors. BC, an intrusion subset of Byzantine Hades activity, is a series of related computer network intrusions affecting U.S. and foreign systems and is believed to originate from the PRC. BC intruders have relied on techniques including exploiting Windows system vulnerabilities and stealing login credentials to gain access to hundreds of USG and cleared defense contractor systems over the years. In the U.S., the majority of the systems BC actors have targeted belong to the U.S. Army, but targets also include other DoD services as well as DoS, Department of Energy, additional USG entities, and commercial systems and networks. BC actors typically gain initial access with the use of highly targeted socially engineered e-mail messages, which fool recipients into inadvertently compromising their systems. The intruders then install malware such as customized keystroke-logging software and command-and-control (C&C) utilities onto the compromised systems and exfiltrate massive amounts of sensitive data from the networks. This month, BC actors attempted to compromise the network of a U.S. political organization via socially engineered e-mail messages (see CTAD Daily Read File dated October 16).

¶43. (S//REL TO USA, ACGU) CTAD comment: Also discovered this month by USG analysts was the compromise of several computer systems located at a commercial ISP within the United States. According to Air Force Office of Special Investigations (AFOSI) reporting, hackers based in Shanghai and linked to the PRC's People's Liberation Army (PLA) Third Department have been using these compromised systems as part of the larger BC attack infrastructure to facilitate computer network exploitation (CNE) of U.S. and foreign information systems. Since March, the responsible actors have used at least three separate systems at the unnamed ISP in multiple network intrusions and have exfiltrated data via these systems, including data from at least one USG agency. AFOSI reporting indicates, on March 11, BC actors gained access to one system at the ISP, onto which the actors transferred multiple files, including several C&C tools. From here, the intruders used the tools to obtain a list of usernames and password hashes for the system. Next, on April 22, BC actors accessed a second system at the ISP, where they transferred additional software tools. From April through October 13, the BC actors used this computer system to conduct CNE on multiple victims. During this time period, the actors exfiltrated at least 50 megabytes of e-mail messages and attached documents, as well as a complete list of usernames and passwords from an unspecified USG agency. Additionally, multiple files were transferred to the compromised ISP system from other BC-associated systems that have been previously identified collecting e-mail messages from additional victims. The third system at the U.S. ISP was identified as compromised on August 14, when BC actors transferred a malicious file onto it named "salaryincrease-surveyandforecast.zip." According to AFOSI analysis, BC actors use this system to host multiple webpages that allow other BC-compromised systems to download malicious files or be redirected to BC C&C servers.

¶44. (S//REL TO USA, FVEY) CTAD comment: Additional DoD reporting this month indicates BC actors have used multiple other systems to conduct CNE against U.S. and foreign systems from February through September. A October 23 DoD cable states Shanghai-based hackers associated with BC activity and linked to the PLA have successfully targeted multiple U.S. entities during this time period. The cable details dozens of identified Internet Protocol (IP) addresses associated with BC activity as well as the dates of their activity. All of the IP addresses listed resolve to the CNC Group Shanghai Province Network in Shanghai, and all the host names of the addresses contained Asian keyboard settings as well as China time zone settings. Most of these IP addresses were identified as responsible for direct CNE of U.S. entities, including unspecified USG organizations, systems and networks. Interestingly, although the actors using each IP address practiced some degree of operational security to obfuscate their identities, one particular actor was identified as lacking in these security measures. On June 7, the BC actor, using an identified IP address, was observed using a Taiwan-based online bulletin board service for personal use.

¶45. (S//NF) CTAD comment: BC actors have targeted the DoS in the past on multiple occasions with socially engineered e-mail messages containing malicious attached files and have successfully exfiltrated sensitive information from DoS unclassified networks. As such, it is possible these actors will attempt to compromise DoS networks in the future. As BC activity continues across the DoD and U.S., DoS personnel should practice conscientious Internet and e-mail use and should remain informed on BH activity. (Appendix sources 44-46)

I do not understand what is meant by: "and all the host names of the addresses contained Asian keyboard settings as well as China time zone settings."
Yes, the DNS PTR records might contain non-ASCII characters in the host names, and "Asian keyboard settings" might be a clumsy way of saying that. But "China time zone settings"? That says to me that they were looking at e-mail headers.
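An added example, not from the original page, of the two header-level checks behind that reading: pull the UTC offset a sending client wrote into the Date header, and decode IDNA ("xn--") host names found in Received headers back to Unicode. The message, addresses and host names below are constructed; +0800 is China Standard Time.

```python
"""Constructed e-mail header analysis: sender UTC offset and IDNA host names."""
import email
import re
from email.utils import parsedate_to_datetime

# Constructed sample message (not a real capture). The Received hop names an
# ACE host "xn--fiq.example.invalid", which is the IDNA form of "中.example.invalid".
SAMPLE_MSG = (
    "Received: from xn--fiq.example.invalid (xn--fiq.example.invalid [198.51.100.7])\n"
    "\tby mail.example.invalid; Thu, 14 Aug 2008 01:16:10 +0000\n"
    "From: survey@example.invalid\n"
    "To: staff@example.invalid\n"
    "Subject: salary increase survey and forecast\n"
    "Date: Thu, 14 Aug 2008 09:15:00 +0800\n"
    "\n"
    "Please see the attached document.\n"
)


def decode_idna_host(host: str) -> str:
    """Turn an ACE host name (labels starting with xn--) back into Unicode.
    Names with no xn-- labels, or that fail to decode, come back unchanged."""
    try:
        return host.encode("ascii").decode("idna")
    except (UnicodeError, ValueError):
        return host


def sender_utc_offset_hours(raw: str) -> float:
    """UTC offset, in hours, that the sending client wrote into the Date header.
    This reflects the client's clock/time zone setting, not the server's."""
    msg = email.message_from_string(raw)
    dt = parsedate_to_datetime(msg["Date"])
    offset = dt.utcoffset()
    if offset is None:  # e.g. "-0000", which RFC 5322 defines as "unknown"
        raise ValueError("Date header carries no usable UTC offset")
    return offset.total_seconds() / 3600


# Host name claimed after "from" in a Received header.
_FROM_HOST = re.compile(r"\bfrom\s+([A-Za-z0-9.-]+)", re.IGNORECASE)


def received_hosts(raw: str) -> list:
    """Host names claimed in each Received hop, newest hop first, IDNA-decoded."""
    msg = email.message_from_string(raw)
    hosts = []
    for hop in msg.get_all("Received", []):
        m = _FROM_HOST.search(hop)
        if m:
            hosts.append(decode_idna_host(m.group(1)))
    return hosts


if __name__ == "__main__":
    print("sender UTC offset (h):", sender_utc_offset_hours(SAMPLE_MSG))
    print("received hops:", received_hosts(SAMPLE_MSG))
```

Only the Date header is under the sender's control here; the Received hops are stamped by each relay, so the two sources can be compared against each other when triaging a suspicious message.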

20 Nov 2008 — A U.S. Congressional advisory committee releases a report warning that Chinese attacks on civilian, government, and military networks are rising. This was also reported in Information Week.

18 Apr 2009 — Newsweek magazine reports on "Ghostnet". It was politically oriented, compromising systems belonging to the Dalai Lama's Tibetan exile centers in India, London and New York, along with embassies, foreign ministries and other government offices. See the reports from the SecDev Group and the Munk Centre for International Studies, and the University of Cambridge. Also see the McAfee—Foundstone detailed analysis Know Your Digital Enemy: Anatomy of a Gh0st RAT.

Some calm thinking on the Chinese hacking threat — Bruce Schneier's essay for the Discovery Channel pointed out that the truth is a lot more complicated. Much is from patriotic Chinese citizens, plus a lot of automated attacks run on compromised systems that just happen to be located in China.

Mid-2009 — China began "Operation Aurora" in the middle of the year, continuing through December. It was aimed at stealing intellectual property from dozens of technical corporations, including Google (the first to publicly disclose it, in December), Rackspace, Adobe Systems and Juniper Networks, all of whom publicly confirmed being targeted, plus Northrop Grumman, Dow Chemical, Morgan Stanley, Yahoo and Symantec.

Nov 2009 — The "Night Dragon" attacks began, launched against several global petrochemical and energy companies. These evolved into sophisticated attacks, advanced persistent threats as they're now known. McAfee has a good overview and detailed white paper describing these.

Jan 12-13 2010 — Google announced that they detected "a highly sophisticated and targeted attack" originating from China. Reuters reported on this. Dark Reading had a summary mentioning that Adobe was also a victim.

Feb 11 2011 — Dark Reading reported that McAfee had detected the "Night Dragon" series of APT attacks on major energy firms beginning as early as 2008, saying that they had "identified tools, techniques, and network activities utilized ... that point to individuals in China as the primary source", saying the hackers appear to be based in Beijing and working standard local business hours. Paris Match reported, and the French government subsequently confirmed, that over 150 computers in the Ministry of Economy and Finances had been penetrated for months leading up to the French-hosted G20 summit in February 2011.

May 8 2012 — Dark Reading reported that Cyber Squared had infiltrated the attackers' communications channel and gathered information on a widespread series of attacks dating back to 2011 against over twenty private firms, government organizations, and think tanks linked to Chinese strategic interests.

Sep 7 2012 — Symantec reported on the Elderwood Project, which includes the Aurora Trojan horse and other related attacks re-using components of a shared attack infrastructure. The primary targets are primarily members of the defense supply chain. Dark Reading has a summary.

Sep 25 2012 — Dark Reading reported on the "VOHO" attack campaign with ties to China. RSA's report is The VOHO Campaign: An In Depth Analysis. The VOHO attack is reported to share components of the Elderwood Project.

Sep 2012 — Peter the Great Versus Sun Tzu is an interesting analysis and comparison of Chinese and Russian hackers. Eastern European hackers tend to develop and use far more sophisticated malware running on their own fairly bulletproof hosting infrastructure, while East Asian hackers use simpler techniques running on cheap infrastructure at mass-hosting ISPs. Eastern European hackers work in small elite teams to steal credentials and directly derive profit, while East Asian hackers work in large groups at the direction of large institutions to steal sensitive corporate data.

Oct 2012 — The House Intelligence Committee warned U.S. companies to avoid Chinese telecommunications companies Huawei and ZTE. See the Dark Reading report or the full investigative report.

January 2013 — The New York Times announced that an advanced persistent threat with suspected ties to the People's Republic of China, called APT12, had compromised its networks over the preceding four months. "Hackers in China Attacked the Times for Last 4 Months" The New York Times, 30 January 2013.

February 2013 — Mandiant released a detailed report on APT1, their label for a very sophisticated multi-year cyber espionage operation of the Chinese government. They provide evidence linking APT1 to the 2nd Bureau of the People's Liberation Army (PLA) General Staff Department's (GSD's) 3rd Department, using Military Unit Cover Designator Unit 61398. APT1 conducted economic espionage since 2006 against 141 victims in multiple industries in English-speaking countries, stealing hundreds of terabytes of data. The Washington Post reported on the story.

March 7 2013 — A Foreign Policy article reports: "Cyber-warfare directed against American companies is reducing the gross domestic product by as much as $100 billion per year, according to a recent National Intelligence Estimate." And: "In the coming weeks, the NSA, working with a Department of Homeland Security joint task force and the FBI, will release to select American telecommunication companies a wealth of information about China's cyber-espionage program, according to a U.S. intelligence official and two government consultants who work on cyber projects. Included: sophisticated tools that China uses, countermeasures developed by the NSA, and unique signature-detection software that previously had been used only to protect government networks."

March 11 2013 — The Australian Financial Review reported that Chinese-developed malicious software had repeatedly penetrated the Reserve Bank of Australia's networks and extracted sensitive internal information.

March 14 2013 — Cyber Squared published a report Medical Industry — A Cyber Victim: Billions Stolen and Lives At Risk describing three APT attacks out of China against the medical industry. Mandiant reports at least five active Chinese hacker groups targeting the medical industry. A Dark Reading report summarizes this trend.

The same day, International Business Times reported that China launched a probe against Coca-Cola for alleged spying activities especially "collecting classified geographic information using handheld GPS devices".

Mar 2013 — The journal Science had an article "A Call to Cyber Arms" (vol 339 pp 1026-1027) discussing Mandiant's APT1 discussion and reporting: "In the academic world, a leader in cyber defense research is Shanghai Jiao Tong University's School of Information Security Engineering. In the past several years, its scientists have published openly on the injection of Trojan Horses into the Windows platform, for instance, and on the pros and cons of Rootkit, a program for hijacking a computer system. In Changsha, the National University of Defense Technology has a research program in electronic and information warfare. And at Dalian University of Technology in northeast China, a pair of researchers funded by the science ministry and the National Natural Science Foundation of China published a report in Safety Science in July 2011 on vulnerabilities in the western U.S. power grid."

Apr 2013 — FireEye released their Advanced Threat Report detailing 2,000 incidents involving Gh0st RAT, a remote-access tool and APT believed to have been developed in and deployed from China.

May 2013 — China was accused of high-profile cyber-espionage, stealing information on U.S. weapons systems including the F-35, PAC-3, THAAD, Aegis, F/A-18, V-22 Osprey, Black Hawk helicopter, and the Littoral combat ship, in addition to more mundane business information. See "Plans for More Than Two Dozen U.S. Weapons Systems — Including an F-35 Fighter — Have Been Stolen by Chinese Hackers, Claims Pentagon", The Daily Mail, 28 May 2013.

June 14 2013 — Kaspersky Lab announced the analysis of the Red Star or NetTraveler APT. They had samples going back to 2005, although it seems to have been active at least since 2004. It's also known as TravNet and Netfile. Targets include Tibetan and Uyghur activists, oil industry companies, governments and government institutions including embassies, and military contractors. Their analysis of the malware indicates that it was developed by a team of about 50 people, most of whom speak Chinese natively and have working knowledge of English. See Kaspersky's detailed report for more.

12 Nov 2013 — FireEye concluded that a number of Chinese APT campaigns may be more connected than previously thought. Eleven Chinese APTs shared malware tools, code, and digital certificates. See FireEye's report Supply Chain Analysis: From Quartermaster to Sunshop

19 May 2014 — The U.S. Department of Justice issued an indictment of five Chinese military officers "for computer hacking, economic espionage, and other offenses directed at six American victims in the U.S. nuclear power, metals, and solar products industries." Time and CNN reported on this. Wired covered the indictment and also ran a story "How a Chinese Tech Firm Became the NSA's Surveillance Nightmare". The Lawfare blog discussed why the indictment was made. The five defendants were Wang Dong, Sun Kailiang, Wen Xinyu, Huang Zhenyu, and Gu Chunhui, members of Unit 61398 of the Third Department of the People's Liberation Army.

It had been clear for some time that the NSA had been attacking Chinese networks; see reports from CNN, Wired, and Bruce Schneier here and here. NSA had also been intercepting Cisco equipment shipments and modifying the contents to install their "implants". And, the Washington Post reported in 2013 that U.S. spy agencies had mounted 231 offensive cyber operations in 2011. China complained about what they saw as the hair-splitting distinction between NSA hacking China for purely national security reasons versus China hacking the US for economic reasons. See reports in the New York Times and DailyTech. Chinese retaliation was described by Reuters and Bloomberg and in Foreign Policy and The Los Angeles Times.

Foreign Policy ran a story "Exclusive: Inside the FBI's Fight Against Chinese Cyber-Espionage".

Xinhua reported "A spokesperson for China's State Internet Information Office on Monday published the latest data of U.S. cyber attack, saying that China is a solid defender of cyber security. The U.S. is the biggest attacker of China's cyber space, the spokesperson said, adding that the U.S. charges of hacking against five Chinese military officers on Monday are 'groundless'. Latest data from the National Computer Network Emergency Response Technical Team Coordination Center of China (NCNERTTCC) showed that from March 19 to May 18, a total of 2,077 Trojan horse networks or botnet servers in the U.S. directly controlled 1.18 million host computers in China."

July 2014 — CrowdStrike reported on what they called Deep Panda, a Chinese government cyber-operation against national security think tanks and human rights organizations. The think tanks in particular are staffed by former senior government officials with lots of insight of interest to the Chinese government and its military. CrowdStrike had noticed a sudden shift in interest by the Deep Panda operation, moving from Southeast Asia policy information to Iraq and related Middle East issues. This seems to be because of sudden advances in which the Islamic State of Iraq and the Levant group took control of large regions of Iraq, a country providing 20% of China's oil. See the CrowdStrike Deep Panda report for details on the shift in focus and the technology used in the continuing penetrations. The same group is thought to be behind the massive Anthem breach discovered in early 2015.

March 2015 — China explicitly acknowledged the existence of their cyber-warfare forces in The Science of Military Strategy, published by the top research institute in the People's Liberation Army and analyzed in the U.S. by the Center for Intelligence Research and Analysis and described in the book China's Evolving Military Strategy. See the story in The Daily Beast.

April 2015 — FireEye reported on what they called APT30, an advanced and very persistent operation against government and commercial entities across southeast Asia and India for over ten years. It was aimed at stealing information on political, economic, and military topics. FireEye concluded that it was a Chinese government operation.

June 2015 — The U.S. Government announced a data breach at the Office of Personnel Management or OPM that will likely have long-term geopolitical repercussions as it seems to have included a huge archive of background investigations used to grant security clearances. As the Washington Post described the data in July, 2014, when Chinese intrusion into OPM data was first noticed:

In those files are huge treasure troves of personal data, including "applicants' financial histories and investment records, children's and relatives' names, foreign trips taken and contacts with foreign nationals, past residences, and names of neighbors and close friends such as college roommates and co-workers. Employees log in using their Social Security numbers."

See the nice overview at Krebs on Security; a further summary of it follows:

Estonia

April 2007 — The "Bronze Soldier" statue was moved from central Tallinn to a military cemetery. To Estonians, the statue was a symbol of almost 50 years of Soviet occupation. To Russia and to Estonians of Russian descent (about 25% of a population of 1,300,000) the move was an insult to the memory of soldiers who fought the Nazis in WWII. There was street violence 26-28 April. The Sydney Morning Herald covered this.

9 May 2007 — Government web sites lost external connectivity due to a massive DDOS attack. Many of the attacking hosts were in Russia, and some belonged to the Russian government, but official government involvement, support, or even awareness couldn't really be gauged.

24 Jan 2008 — Dmitri Galushkevich, an ethnic Russian, was convicted in Jan 2008 for his involvement. He was fined 17,500 kroons (1120 Euros, 1620 US$) for his part in the attack against the website of the Reform Party of Prime Minister Andrus Ansip, one of many DDOS attacks on Estonian government and businesses. The Sydney Morning Herald covered this.

2 April 2008 — "Almost a year after falling victim to a "cyber-war" blamed on Russian hackers, the Baltic state of Estonia is now piloting NATO's efforts to ward off future online attacks on alliance members. After this week's NATO's summit in Romania, Estonia and seven other alliance partners will set up the "Cyber Defence Centre of Excellence" in Tallinn next month. The United States, Germany, Italy, Spain and Estonia's fellow ex-communist NATO member states Latvia, Lithuania and Slovakia will spearhead the project." The Age covered this.

11 March 2009 — The pro-Kremlin youth group Наши, or Nashi, meaning Ours, claimed responsibility for making the attack on behalf of the Kremlin. Wired and The Register covered this.

2014 — Estonia quickly grew from being a small republic within the Soviet Union to one of the most technologically advanced nations. Skype was developed in Estonia. Most citizens' interaction with the national government has moved onto the Internet. For details see:

In early 2014, while Russia was forcibly annexing Ukraine's Crimean Peninsula and threatening an invasion of eastern Ukraine, Estonia's CIO Taavi Kotka announced a plan to establish "data embassies". The Estonian government would upload all their data to cloud servers distributed around the world. If Estonia were invaded either physically or electronically, the government and its functions would be preserved. See "Concerned About Russian Invasion, Estonia Plans 'Data Embassies' in Allied Countries" from the Atlantic Council.

Finland

27 May 2009 — The Finnish military announced plans to establish "a cyberwar unit charged with protecting government data communications". It sounds more like pure defense and threat monitoring, made to sound more exciting with the buzzword "cyberwar"...

Georgia

August 2008 — Russian military forces move into Georgia, citing requests for help from ethnic Russian communities in Georgian breakaway regions of South Ossetia and elsewhere. At the same time, DDOS attacks orchestrated out of Russia blocked access to Georgian government web sites. I don't know everyone's feeling on this, but if armored vehicles are rolling down the street in front of my home, and I see combat aircraft overhead and hear incoming artillery rounds, my inability to look at the Georgian equivalent of whitehouse.gov is going to be of relatively little concern...

This seemed to be another case of "Russian patriotic citizens rise up" and do the attack on their own, where the government does not direct them but neither does it stop them or even disapprove. Wired.com described how a Russian coder took credit for hacking Georgian sites including www.parliament.ge, the Georgian parliament's site.

Also see "Russian Hacker Forums Fueled Georgia Cyber Attacks", Washington Post, 16 Nov 2008.

October-November 2008 — Major news organizations started seriously questioning the accepted view that the military action was nothing but Russian aggression and Georgian self-defense, as Georgian targeting of civilians and other details came to light. See these reports:

See the "Russian Cyberwar on Georgia" report for lots of details on the military action, the Internet attacks, and the coverage: http://hostexploit.com/

September 2009 — Aviation Week and Space Technology ran an article (14 Sep 2009, pp. 54-55) titled "Cyberwar is Official" and subtitled "Network attack, digital time bombs and information exploitation are now combat standards", quoting an analysis from the U.S. Cyber Consequences Unit (US-CCU), "only parts of which are available to the public". The article describes US-CCU as "an independent organization that does cyber-forensics and analysis for private organizations and government, including the National Security Agency and CIA." It's a non-profit research group with some affiliation to the Tufts University law school; the domain is registered to a guy in Vermont with an AOL e-mail address:

% whois usccu.us
Domain Name:                                 USCCU.US
Domain ID:                                   D7129910-US
Registrar URL (registration services):       whois.schlund.de
Domain Status:                               ok
Registrant ID:                               SPAG-33246501
Registrant Name:                             Scott Borg
Registrant Address1:                         PO BOX 1390
Registrant City:                             NORWICH
Registrant State/Province:                   VT
Registrant Postal Code:                      05055
Registrant Country:                          United States
Registrant Country Code:                     US
Registrant Phone Number:                     +1.8026493849
Registrant Email:                            scottborg@aol.com


August 2012 — Iran was suspected to be behind attacks on Saudi Aramco and Qatar-based RasGas. The New York Times covered the story when a US Department of Homeland Security warning appeared the following year.

May 2014 — FireEye releases their report Operation Saffron Rose, in which they describe the Ajax Security Team as a hacker group that formed in 2010, doing DDoS and web site defacements. FireEye says they have transitioned into malware-based espionage against the U.S. Military-Industrial Complex and Iranian dissidents. However, Krypt3ia disparages the report as mostly hype "on a slow news day at FireEye".

May 2014 — iSIGHT reported on the Newscaster threat from Iran, underway at least since 2011. It targets US and Israeli military, government, and defense contractors by posing as journalists on Facebook, Twitter, YouTube, and LinkedIn. They have built a bogus journalism website, newsonair.org, on which they simply copy and paste content from actual news sites. They then use social media to make contact and send spear-phishing attacks to their targets. A New York Times story also covered this.

March 2016 — the U.S. Department of Justice indicted seven hackers operating on behalf of the Iranian government for running DDoS attacks against 46 organizations, most of them U.S. financial institutions, from late 2011 through mid 2013. At its peak in September 2012, the attack reached 140 Gbps directed at the banks' networks. Ahmad Fathi, Hamid Firoozi, Amin Shokohi, Sadegh Ahmadzadegan (a.k.a. Nitr0jen26), Omid Ghaffarinia (a.k.a. PLuS), Sina Keissar, and Nader Saedi (a.k.a. Turk Server) were employed by ITSecTeam (a.k.a. ITSEC) and Mersad Company, both of which were working for the Iranian government and the Islamic Revolutionary Guard. See the stories in the New York Times and Dark Reading.

The DDoS targets included JPMorgan Chase, Bank of America, the New York Stock Exchange, Capital One, ING Bank, BB&T, Fidelity, US Bank, PNC Bank, and AT&T.

Firoozi is accused of accessing a Windows XP system serving as a SCADA controller for the Bowman Dam in Rye, New York, between August 23 and September 18 of 2013. It was read-only access of water levels, temperature, and the status of a sluice gate as the dam was under repair and offline. But seriously: In 2013 there was a Windows XP system serving as a dam's SCADA system while it was exposed to the Internet. Who thought that was a reasonable plan?

Earlier the same week, the D.O.J. charged three Syrian Electronic Army hackers for targeting U.S. government and media websites and social media accounts.

Also see the U.S. versus Iran section.


September 2000 — Israeli hackers launch DDOS attacks against and deface Hezbollah and Palestinian National Authority websites. Palestinian authorities respond with a call for a "cyber holy war", and Israeli government and financial websites are attacked. [New Scientist, 23 Feb 2008 pp 24-25]

September 2007 — Israeli air strike on suspected nuclear facility in northern Syria reportedly aided by cyber-attack against Syrian radar air defenses. "Non-stealth Israeli fighters slip in and out of Syrian airspace virtually undetected." Yes, but I doubt that Syrian air defense systems were on publicly routable networks.... [New Scientist, 23 Feb 2008 pp 24-25]


2010–2016 — In early 2016 Cylance released an analysis of what they call Operation Dust Storm. That's a series of Advanced Persistent Threats that have been operating since before 2013, when RATs or Remote Access Trojans started to be called APTs. Attacks are known from 2010, starting with spear phishing with Word documents containing zero-day Flash exploits. A variety of vulnerabilities were used to implant a series of malware with different forms and capabilities.

The targets included Japanese critical infrastructure and resources — power, fuel, construction, finance, and transportation industries. So far they haven't been disruptive or destructive, and seem to be focused on long-term reconnaissance and espionage.

Also see the section on North Korea.


January 2009 — A "Russian cybermilitia" launched a distributed denial of service attack against the two biggest Internet service providers in Kyrgyzstan, largely cutting the country off the Internet. A few days later, Kyrgyzstan announced that the U.S. military would have to vacate Manas Air Base. Apparently the DDOS attack was part of the Russian pressure. See the story at computerworld.com.


2012 — See the Gauss malware deployed against Middle Eastern banking, primarily in Lebanon.

March 2015 — A spying attack was detected, primarily against Israel but also detected in Turkey and Lebanon and to lesser extents in the US, Canada, UK, Japan, Peru, and elsewhere. Check Point concluded that the attack, which they named Volatile Cedar, was by a nation-state group operating in Lebanon. The attack seemed to have been underway since 2012. It includes custom-written software to steal files, keystrokes, and screenshots, collecting sensitive information for political or intelligence purposes.


November 2008 — The websites of al-Anba' al-Ikhbari and Sahara Media, two news agencies in Mauritania, are taken down in DDOS attacks. This is after the August 6 military coup replacing the democratically elected president, Sidi Mohamed Ould Cheikh Abdallahi, with a military junta. Sahara Media has accused "national and foreign parties" of aiming to muzzle the site. Al-Anba', for its part, was far more specific in assigning blame. It said "some parties in the military regime in Nouakchott" are responsible for the sabotage. Menassat covered this.

Myanmar (Burma)

November 2010 — Just before the closest thing to an election in over 20 years, Burma's primary Internet service provider, the Ministry of Post and Telecommunication (MPT), was taken down with a massive distributed denial of service attack.

Arbor Networks' report summarizes the attack as follows:

                    Bandwidth      Packet rate
    Maximum         14.58 Gbps     4.89 Mpps
    Average          1.09 Gbps     576.96 Kpps
    Duration        2 days, starting 01:20 UTC, Tue 2 Nov
    Attack vectors  85% TCP SYN/RST, 15% flooding

Burma's MPT was limited at the time to one 45 Mbps T3 connection to the outside world, mostly via IPTel (AS 45419). The November 2010 attack was estimated at almost 15 Gbps, a few hundred times the available capacity.

This is much larger than the 2008 DDoS attacks against Georgia (estimated at 814 Mbps) and the 2007 attacks against Estonia.


February 2008 — "Russian agents in Norway have reached levels as high as during the Cold War, warns the Norwegian Police Security Service (PST). Many other countries also have spies in Norway, climbing to a record number following a quiet period during the 1990s. [PST chief] Holme said unnamed sources indicate that Russian espionage activity is at an 'all-time high', and other countries have also stepped up their activities in Norway. Russia and other countries are said to be interested in Norway because of its strategic geographical position and its offshore technological expertise." http://www.aftenposten.no/english/local/article2244756.ece

North Korea

According to The Daily NK, a South Korean publication focused on the north, North Korea's Moranbong University, directly managed by the Operations Department of the Workers' Party, is that country's leader in technical developments in computer warfare. Moranbong is said to have been founded in 1997 to train experts in data processing, cryptanalysis, hacking, and other skills, along with martial arts and shooting. It's a five-year university that only selects 30 freshmen per year, each of whom is made a military first lieutenant. Moranbong is supposed to have taken the place of Mirim University. Moranbong is in Jung district, just across from the Number 3 Government Building housing the United Front Department, Liaison Department, and Operations Department. The article has a dateline of 13 July 2009, Shenyang, China, presumably where they contacted their North Korean source by telephone.

Meanwhile, the North Korean government is making money with the help of Fox "News" owner Rupert Murdoch:
"Programmers from North Korea's General Federation of Science and Technology developed a 2007 mobile-phone bowling game based on the 1998 film [The Big Lebowski], as well as Men in Black: Alien Assault, according to two executives at Nosotek Joint Venture Company, which markets software from North Korea for foreign clients. Both games were published by a unit of News Corp., the New York-based media company, a spokeswoman for the unit said."

March 2013 — South Korea suffered a significant cyber attack against banking and media networks, damaging tens of thousands of systems. The systems were infected with malware and files were erased. North Korea was blamed for this attack, along with similar attacks in 2009 and 2011. A New York Times article described the attack as paralyzing three major South Korean banks and the country's two largest broadcasters, shutting down ATM transactions and rendering the targeted computers unusable.

11 Sep 2013 — Kaspersky Lab reported on the Kimsuky Operation, a North Korean cyber-espionage campaign against South Korean think tanks. It was developed in a Korean language environment but uses mail.bg, a Bulgarian public email server, for command and control. It does keylogging and steals HWP (Hangul Word Processor) files, HWP being part of the Hancom Office bundle widely used in South Korea. It also provides remote control access and the download and execution of additional programs.

25 Sep 2013 — Kaspersky Lab reported on Icefog, a cyber-espionage campaign active at least since 2011. It targets government institutions and military contractors, maritime and ship-building industries, telecom and satellite operators, and other industry, high technology, and media, mostly in South Korea and Japan. It provides an interactive backdoor for the operators, who again concentrate on the HWP files used almost exclusively in South Korea. It initially targeted both Windows and OS X. See Kaspersky's Icefog APT FAQ and their detailed report for more. CrowdStrike called the attack campaign Dagger Panda and said it was being run from China. In January 2014 a Java-based variant called Javafog appeared. See the report from Kaspersky Lab and an overview from Information Week.

August 2014 — HP released a security briefing Profiling an enigma: The mystery of North Korea's cyber threat landscape. It opens by describing the DPRK as "a unique country with a military-focused society and an unconventional technology infrastructure." Their constitution states that songun, the "military-first" doctrine, defines life there. At least according to South Korea, Unit 121 is "North Korea's premier hacking unit" and is the world's third largest cyber warfare force behind Russia and the U.S. It and Lab 110 maintain technical reconnaissance teams that infiltrate computer networks to obtain intelligence and plant malware on enemy networks. Unit 35 does technical education and training of cyberwarfare personnel. Unit 204 does cyber-psychological operations. University-level training in cyber intelligence and warfare is done at Kim Il-sung University, Kim Chaek University of Technology, and the Command Automation University, traditionally called Mirim University.

As of a June 2011 report, North Korea is assigned an IP block of its own and is the registered user of a block belonging to China Unicom. China Unicom is North Korea's connection to the rest of the Internet. Several of the nominally North Korean web sites known to the outside world are hosted in China.

I have installed Red Star OS, the DPRK-customized Linux distribution, on a test system and found that it expects to be able to reach IP addresses in the 10/8 block. It appears that much of North Korea is their Kwangmyong, a nationwide intranet behind NAT routers with little to no access to the outside world. Update: there is a Red Star 3.0 Server ISO image available via BitTorrent.

HP reported that North Korea is still making money from computer games (presumably still with help from Rupert Murdoch). They raise hard currency through MMORPG or massively multiplayer online role-playing games, and also use the games to infect systems and launch cyber attacks.

A timeline in the HP report includes:

November-December 2014 — A group calling itself the "Guardians of Peace" or "GOP" released a large collection of data stolen from Sony Pictures Entertainment, including e-mails between employees, personally identifiable information about employees and dependents, copies of unreleased films, and other data. They claim to have taken over 100 terabytes of data, a claim that was largely accepted despite the unlikelihood of moving that much data unnoticed. See this great step-by-step detailed analysis.

Yes, this is the same Sony that included deceptive, illegal, and harmful rootkits on about 22 million CDs in 2005–2007. See the excellent detailed analysis by Mark Russinovich for background on this.

The data was released on November 24. After media reports kept speculating about some connection to the upcoming comedy film The Interview, featuring an assassination plot against North Korea's leader, only on December 16 did GOP mention that film for the first time. They threatened terrorist action against theatres showing the film, and Sony pulled the film from release.

Many security researchers and analysts have commented (for example, Bruce Schneier, Marc Rogers, and in a Wired article) that the episode seems very unlikely to be the act of a national government. To begin with, there were the taunting messages from a group with a catchy name, scolding the victim for having bad security. Then an e-mail from the attackers to Sony executives, sent on November 21, three days before the public release, was signed not "GOP" but "God'sApstls". National governments, even insane ones like North Korea, don't usually behave this way.

Going deeper, the use of language seems like an English speaker pretending to be bad at English, and more specifically not someone actually from North Korea. See analyses of North Korean language use characteristics and its divergence from the language of South Korea here, here, here, and here. Also see the adept use of social media. The people doing the communicating aren't North Koreans.

The motive is clearly revenge against Sony. The information could have been used to directly extract money from Sony's accounts, or to extort enormous payments. But the data was simply released to embarrass Sony and greatly reduce the value of some products. Sony only helped that by (at least initially) entirely discarding a finished movie. This looks like the work of disgruntled insiders.

On December 21-22 North Korea's very limited connection to the Internet was down. North Korea has only 1024 routable IP addresses, a single /22 CIDR block. Those four /24 networks are run by Star Joint Ventures, the state-run Internet provider, and most of them are routed through China Unicom, China's state-owned telecommunications company. It might have been a DDoS on North Korea's border routers, or it might simply be that China Unicom disconnected them.

Also see:

February 2016 — An analysis was released by the "Operation Blockbuster" group, led by Novetta and including Kaspersky Lab, AlienVault, Symantec, Invincea, ThreatConnect, Volexity, and PunchCyber. They discovered 47 different malware families and matched the malware and MO to Operation Troy in 2009. That used hacktivist-style DDOS and data-wiping attacks on South Korean banks and media outlets as a distraction while quietly exfiltrating South Korean and U.S. military secrets. Another round of this in 2013 was called Operation DarkSeoul. The analysts named the attackers the Lazarus Group and remain unsure of the size and structure of the group.

See the North Korea Tech web site for updates on hacking from the DPRK.


April—May 2013 — A series of targeted attacks began, using the Bitterbug malware family and later named Operation Arachnophobia. See the detailed reports from FireEye and ThreatConnect, and the overview from Security Affairs.

May 2013 — At the same time, a targeted attack out of India was trying to steal information from Pakistan, using phishing emails with Word and PDF files apparently containing Indian military information. It was a rather simple attack, although it seems to have had some success. Read the overview or the more detailed report.


January 14 2013 — Kaspersky Lab reported that the Red October campaign had infiltrated computer networks over the previous five years at diplomatic, government, and scientific research organizations. It can steal data from the traditional target of workstations, but also from mobile devices including smartphones, from Cisco enterprise network equipment, from USB devices (including recovering and stealing their deleted files), and from internal servers. The attacks are under the control of central C&C servers and are carefully customized for each victim. Kaspersky reported that its exploits were written by Chinese hackers while some modules were created by Russian speakers; the C&C server domains were registered by identities using *.ru email addresses. The target organizations are mostly in Eastern Europe, the former USSR, and central Asia, but also in Western Europe and North America. Targets include Tibetan activists and Asian military and energy sector targets. However, Kaspersky saw no evidence linking this to a nation-state sponsored attack; the information would be valuable to a nation-state but might be traded in the underground and sold to the highest bidder.

In December 2014 the security firm Blue Coat reported what they called The Inception Framework, a sophisticated cyber espionage system directed at companies and other organizations operating in Russia. The companies are from Russia itself, Romania, Venezuela, and Mozambique. Embassies and other diplomatic offices in Romania, Paraguay, and Turkey have also been hit. Kaspersky Lab says that this is a variant of the Red October APT, and named it after a more recent movie, Cloud Atlas.

March-May 2014 — BAE Systems reported on a large-scale cyber espionage by Russia targeting systems around the world, predominantly Ukrainian government systems at first and then including NATO systems. The Atlantic Council reported in May "Russian Cyber Campaign Continues to Penetrate NATO Ministries".

July 2014 — Sentinel Labs reported and issued a more detailed analysis on what they named "Gyges", an advanced persistent threat that appeared to come from Russia and target government organizations. They had spotted it back in March. As they said, "Gyges is an early example of how advanced techniques and code developed by governments for espionage are effectively being repurposed, modularized and coupled with other malware to commit cybercrime." They believe "it was used as a 'bus' or 'carrier' for much more sophisticated attacks such as government data exfiltration. So we started digging, and eventually recovered government traces inside the 'carrier' code, which we later connected to previous targeted attacks that used the same characteristics. At this point it became clear that the 'carrier' code was originally developed as part of an espionage campaign." It exfiltrated its data over an SSL connection to a C&C (command and control) server in Russia, in an IP block that was part of the SevStar Network, AS35816, Lancom Ltd., Sevastopol.

November 2014 — Recorded Future reported on Russian governmental cyber-espionage against companies involved in industrial control systems, pharmaceuticals, defense, aviation, and petroleum. They identified Uroburous, Energetic Bear, and APT28 as three main advanced malware families being used by Russia for espionage. They are used in a coordinated fashion — while all three are used aggressively, you seldom find more than one on a target system.

Uroburos was named by G Data; Kaspersky calls it Epic Turla, and BAE Systems calls it Snake and SnakeNet. It has been around since 2008 and targets governments, embassies, the defense and pharmaceutical industries, and research and education. Kaspersky has analyzed a Linux backdoor component.

Energetic Bear was named by CrowdStrike; Kaspersky calls it Crouching Yeti, iSIGHT Partners calls it Koala Team, and Symantec calls it Dragonfly. It targets aviation, defense, energy, industrial control systems and petroleum pipelines.

APT28 was named by FireEye/Mandiant; iSIGHT Partners calls it Tsar Team, ESET calls it Sednit, CrowdStrike calls it Fancy Bear, Trend Micro calls it Operation Pawn Storm, and others call it Sofacy. It targets NATO and Eastern European governments and military agencies, the defense industry, and "Russian adversaries" as the report puts it.

FireEye/Mandiant also named APT29 and its backdoor component HAMMERTOSS. They suspect that it is sponsored by the Russian government.

June–July 2016 — A group posing as a hacker calling himself "Guccifer 2.0" claimed in early 2016 to have broken into Hillary Clinton's private e-mail server, and in June 2016 claimed to have broken into the Democratic National Committee's computer network. The messages claimed that Guccifer was Romanian, but several analysts pointed to inconsistencies within the writing, saying that it appeared to be from multiple people, some of them Russian.

CrowdStrike's analysis is that Fancy Bear is affiliated with the GRU, Главное Разведывательное Управление or Main Intelligence Directorate, Russia's military intelligence service, while Cozy Bear is affiliated with the FSB, Федеральная Служба Безопасности or Federal Security Service, the domestic security service that is the main successor to the KGB.

On 22 July 2016 WikiLeaks published 20,000 Democratic National Committee emails. Analysis immediately pointed to Russian involvement, an attempt by Russia to influence the coming U.S. election and make Donald Trump the U.S. President. The intrusions were further operations of Fancy Bear (see above) and another known Russian operation called Cozy Bear. It wasn't collaboration: both groups independently broke into DNC systems and stole the same data. The intrusions had been happening since the summer of 2015, and both were expelled from the system on 11-12 June. The emails were released at the end of the week before the Democratic National Convention.

"National intelligence director: Hackers have targeted 2016 presidential campaigns" (Washington Post 18 May 2016)

"Russian government hackers penetrated DNC, stole opposition research on Trump" (Washington Post 14 June 2016)

"D.N.C. Says Russian Hackers Penetrated Its Files, Including Dossier on Donald Trump", on "Fancy Bear" (also called "APT28" and "Sofacy") and "Cozy Bear" (also called "APT29" and "CozyDuke") (New York Times 14 June 2016)

"Russian Hackers Penetrate Democratic National Committee, Steal Trump Research" (NPR 14 June 2016)

"Bears in the Midst: Intrusion into the Democratic National Committee" (CrowdStrike blog 15 June 2016)

"'Guccifer 2.0' Is Likely a Russian Government Attempt To Cover Up Their Own Hack" (Vice Motherboard 16 June 2016)

"WikiLeaks posts 20,000 DNC emails" (The Hill 22 July 2016)

"As Democrats Gather, a Russian Subplot Raises Intrigue" (New York Times 24 July 2016)

"Clinton campaign — and some cyber experts — say Russia is behind email release" (Washington Post 24 July 2016)

"How Putin Weaponized WikiLeaks to Influence the Election of an American President" (Defense One 24 July 2016)

"SitRep: Is Moscow Trying to Influence U.S. Election?" (Foreign Policy 25 July 2016)

"All Signs Point to Russia Being Behind the DNC Hack" (Vice Motherboard 25 July 2016)

"FBI Suspects Russia Hacked DNC; U.S. Officials Say It Was to Elect Donald Trump" (The Daily Beast 25 July 2016)

"Guccifer 2.0: All Roads Lead to Russia" (ThreatConnect 26 July 2016)

"Spy Agency Consensus Grows That Russia Hacked D.N.C." (New York Times 26 July 2016)

"The Same Russian Hackers Hit the DNC and the DCCC, Security Firms Say" (Foreign Policy 1 August 2016)

"How Russia Pulled Off the Biggest Election Hack in U.S. History" (Esquire 20 October 2016)

Wikipedia on the DNC attacks, with further references

13 August 2016 — A group calling itself the ShadowBrokers dumped an archive onto PasteBin containing what seemed to be NSA exploits used to attack systems from Cisco, Fortinet, and others. Securelist showed how an unusual implementation of RC5 and RC6 links that archive to the Equation Group (see more on that group below). According to a Reuters story, NSA believes that an employee or contractor left them on a publicly exposed computer. Investigators were assuming that the Shadow Brokers were affiliated with the Russian government.

"Powerful NSA hacking tools have been revealed online" (Washington Post 16 Aug 2016)

"Group claims to hack NSA-tied hackers, posts exploits as proof" (Ars Technica 15 Aug 2016)

"Confirmed: hacking tool leak came from 'omnipotent' NSA-tied group" (Ars Technica 16 Aug 2016)

"Cisco confirms two of the Shadow Brokers' 'NSA' vulns are real" (The Register 17 Aug 2016)

"Equation Group exploit hits newer Cisco ASA, Juniper Netscreen" (The Register 24 Aug 2016)

30 September 2016 — Newsweek magazine published a story reporting on Donald Trump's violation of the U.S. trade embargo against Cuba. The magazine's web site was then hit with a DDoS attack linked to Russia. See the stories in the Talking Points Memo and in Dark Reading.

Saudi Arabia — 2012

August 2012 — Shamoon, also known as DistTrack, was a destructive wiper attack against the Saudi Arabian national oil company Saudi Aramco, denying service by destroying the victim systems themselves. The attack, on 15 August 2012, wiped 30,000 to 35,000 disk drives. CNET and the BBC reported that the same malware was used to attack RasGas, a major liquefied natural gas firm in Qatar. Pastebin postings claimed credit for the "Arab Youth Group" and the "Cutting Sword of Justice" protesting the repressive rule of the al-Saud regime, although some suspect Iranian backing. Dark Reading and Symantec had some good early reporting. U.S. Secretary of Defense Leon Panetta described the attack as "the most destructive cyberattack on the private sector to date."

Aramco used its fleet of private aircraft to fly employees directly to factories throughout southeast Asia and buy all the available disk drives, some 50,000, at inflated prices. This temporarily halted shipments to other buyers and drove up prices, meaning that everyone who bought a disk drive or a computer between September 2012 and January 2013 paid a slightly higher price because of the Aramco hack.

September 2012 — A hacker group calling itself the "Izz ad-Din al-Qassam Cyber Fighters" took credit for a series of DDOS attacks against American banks starting in mid to late September. See the New York Times reports on Sep 26 2012 and Sep 27 2012 and CSO Online on Sep 27 2012. Later analysis by Dark Reading and RSA showed that the DDOS wasn't the grass-roots uprising it was first portrayed as, but it included serious attackers.

South America — Argentina, Brazil, Ecuador, Venezuela

2008–2015 — An extensive campaign of malware, phishing, and disinformation was active across South America. Its range and nature suggests a sponsor (or sponsors) with regional political interests. The campaign was named Packrat by analysts, who first noticed it as a wave of attacks in Ecuador in 2015 but later tracked its activities back to 2008. See the detailed analysis by the Munk School of Global Affairs at the University of Toronto.

Spanish-Speaking Somewhere

February 2014 — Kaspersky Lab announced discovery and analysis of The Mask, a sophisticated spying operation running at least since 2007 using techniques and code surpassing any nation-state spyware previously seen in the wild. It targeted government agencies, diplomatic offices and embassies, companies in the petrochemical and energy industries, and research organizations and activists. They found at least 380 victims in more than 24 countries, the majority in Morocco and Brazil. The very impressive software includes snippets in Spanish. The spear-phishing used for initial infection tricked victims into thinking they were viewing web pages from top newspapers in Spain plus the Guardian and the Washington Post. Kaspersky believes The Mask is a nation-state project because of its sophistication and because it uses an exploit they think Vupen sold to the attackers. Vupen is a French company that sells zero-day exploits to law enforcement and intelligence agencies. Wired and Ars Technica ran stories on The Mask.

Syria / Islamic State

2011-2014 — The Syrian Electronic Army appeared in 2011, propagandizing on behalf of Bashar al-Assad and attacking media outlets and opposition groups. Victims include Reuters, the New York Times, Al Jazeera, NPR, GlobalPost, CNN, Facebook, the RSA Conference, and many others. Security researcher Ira Winkler described his run-in with them after giving a presentation at the 2014 RSA Conference detailing their tactics and some of their methods.

December 2013 — Researchers found that the Assad regime was gathering intelligence through spyware. The malicious software gathered information which the government used to plan raids, attacks, and arrests. The military can round up suspected rebels and interrogate them about activities they conducted on their computers without having physically seized those computers. See the EFF overview, the Wired overview, and the full report from EFF.

February 2015 — FireEye (which had merged with Mandiant) published its Behind the Syrian Conflict's Digital Frontlines report, which found that between at least November 2013 and January 2014, hackers stole a large collection of sensitive documents and Skype conversations revealing the strategies, tactical battle plans, supply details, and large volumes of personal information from the Syrian opposition fighting President Bashar al-Assad's forces. Media activists and humanitarian aid workers were also targeted. The PDF report is here.


July 2016 — The Peace at Home Council, a faction within the Turkish Armed Forces, attempted a coup d'état on 15 July 2016. Plotters used a WhatsApp group to communicate and tried to block access to sites including Facebook, YouTube, and Twitter. President Recep Tayyip Erdoğan used Internet social media tools to rally popular opposition to the coup. Mass arrests followed, and over 45,000 military officials, police officers, judges, governors, and civil servants were arrested or suspended. This included 2,700 judges, 15,000 teachers, and every university dean in the country. Also, the licenses of 21,000 private-sector teachers were cancelled. 626 educational institutions, most of them private, were shut down immediately. Another 1,043 private schools were closed a week later, along with 1,229 charities, 19 trade unions, 35 medical institutions, and 15 universities.

A week later, WikiLeaks published nearly 300,000 emails from Erdoğan's Justice and Development Party, and the government blocked access to the site.


December 2015 — A blackout across the Ivano-Frankivsk region in western Ukraine killed power for 700,000 people on December 23. The blackout was attributed to a cyberattack on Ukrainian electrical power company Prykarpattya Oblenergo. Ukraine's state security service SBU officially blamed Russian-linked hackers.

ESET analyzed the attacks, reporting January 3 that a cybercriminal group had used the BlackEnergy malware family to attack the Ukrainian electrical power industry and news media companies. They used a destructive component, overwriting document files with random data and making the operating system non-bootable, plus an SSH back door ESET labeled SSHBearDoor. It listens for an SSH client providing the hard-coded password passDs5Bu9Te7.

ESET issued another report on January 4. Other energy companies in Ukraine were targeted at the same time. The infections came in through Microsoft Office files with malicious macros. The malware also had some additional functions targeting industrial control systems.

Kaspersky provided more details in their report on January 28. Cyc Centrum has a report on BlackEnergy attacks in Ukraine through 2014 and 2015.

SentinelOne released a nice detailed analysis of BlackEnergy 3 in late January, see the announcement and the detailed report.

SANS published a detailed analysis in mid-March 2016, summarizing the incident itself, the reporting in the media, and then analyzing the attack techniques. They concluded that it started with a phishing email with Word and Excel documents with macro-based malware. That dropped BlackEnergy3 malware into place, which stole legitimate user credentials. The stolen VPN credentials allowed attackers to access the industrial control systems network.
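The intrusion chain summarized above began with Office attachments carrying malicious macros. As an added example (not code from the page, nor from ESET, SANS, or any other report cited here), the following Python flags modern zip-based (OOXML) Office documents that contain a VBA project, the kind of check a mail gateway or triage script can run on an attachment before anyone opens it. It inspects both the part names and the [Content_Types].xml manifest. Legacy binary .doc/.xls files are OLE containers rather than zips and would need an OLE parser; that case is only reported, not parsed, here. The sample documents are constructed in memory and are not real artefacts.

```python
"""Flag OOXML (zip-based) Office documents that carry a VBA macro project.

Added defensive example. Assumptions: OOXML stores the macro project as
vbaProject.bin and declares it in [Content_Types].xml with the content
type application/vnd.ms-office.vbaProject. Legacy OLE (.doc/.xls)
files are not parsed here.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
CT_NS = "{http://schemas.openxmlformats.org/package/2006/content-types}"


def ooxml_macro_indicators(blob):
    """Return a list of reasons the document looks macro-enabled.

    An empty list means no VBA project was found, which is not proof that
    the file is safe (OLE objects, DDE and template injection are not
    covered by this check).
    """
    reasons = []
    if not blob.startswith(b"PK"):
        # Legacy binary Office formats are OLE compound files, not zips.
        return ["not an OOXML container; legacy format needs an OLE parser"]
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        names = zf.namelist()
        # Part-name check: the macro project is stored as vbaProject.bin.
        for name in names:
            if name.lower().endswith("vbaproject.bin"):
                reasons.append("VBA project part present: " + name)
        # Manifest check: the package must declare the part's content type.
        if "[Content_Types].xml" in names:
            root = ET.fromstring(zf.read("[Content_Types].xml"))
            for el in root.iter(CT_NS + "Override"):
                if el.get("ContentType") == VBA_CONTENT_TYPE:
                    reasons.append("macro content type declared for "
                                   + str(el.get("PartName")))
            for el in root.iter(CT_NS + "Default"):
                if el.get("ContentType") == VBA_CONTENT_TYPE:
                    reasons.append("macro content type is default for ."
                                   + str(el.get("Extension")))
    return reasons


def build_sample_document(with_macro):
    """Constructed minimal OOXML package for testing; not a real document."""
    overrides = ['<Override PartName="/word/document.xml" ContentType="'
                 'application/vnd.openxmlformats-officedocument.'
                 'wordprocessingml.document.main+xml"/>']
    if with_macro:
        overrides.append('<Override PartName="/word/vbaProject.bin" '
                         'ContentType="' + VBA_CONTENT_TYPE + '"/>')
    content_types = ('<?xml version="1.0" encoding="UTF-8"?>'
                     '<Types xmlns="http://schemas.openxmlformats.org/'
                     'package/2006/content-types">'
                     + "".join(overrides) + "</Types>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Placeholder bytes standing in for a real OLE-wrapped VBA project.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (False, True):
        print("macro-enabled" if flag else "plain",
              ooxml_macro_indicators(build_sample_document(flag)))
    print("legacy", ooxml_macro_indicators(b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"))
```

The two checks deliberately overlap: a renamed part without a manifest entry, or a manifest entry pointing at an oddly named part, each still trips one of them.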

This was widely reported, including by Dark Reading on January 5 2016, January 14, and January 27; Foreign Policy on January 8; Reuters on January 27; The Register on January 28, and Wired with more detail on March 3.

U.S.A. versus Iran

Stuxnet, Duqu, Flame and Gauss are sophisticated threats, the first three deployed against Iran and the fourth against Middle Eastern banking. Top analysts have shown that they share many modules, and have concluded that they must have been created by a group with nation-state level resources.

In February 2016 the documentary film Zero Days premiered at the Berlin Film Festival. It claimed that Stuxnet was just a small part of a vast set of U.S. hacking programs covered by the code name NITRO ZEUS. U.S. hackers at the Remote Operations Center (or ROC) at Fort Meade had penetrated a wide range of Iranian infrastructure, including military command-and-control facilities, the air defense grid, industrial plants, the electrical grid, and transportation systems. A source said that there were hundreds of thousands of implants in Iranian targets. The ROC was ready to launch disabling attacks in parallel with any military operation. Hundreds of personnel had worked over several years at a cost of hundreds of millions of dollars.

OLYMPIC GAMES was a long collaboration between the U.S. and Israel, working to frustrate Iran's nuclear program without the airstrikes and assassinations that Israel had deployed. That gave Israel access to the Stuxnet worm. Israel modified Stuxnet, making it far more aggressive, and unilaterally launched the new version. It was the Israeli modification that escaped into the wild to be discovered and analyzed by security researchers.

A U.S. source said, "Our friends in Israel took a weapon that we jointly developed — in part to keep Israel from doing something crazy — and then used it on their own in a way that blew the cover of the operation and could've led to war."

The Stuxnet worm was detected in June, 2010. In September, 2010, analysts announced that it seems to have been designed specifically to take control of a real-world industrial target, the SCADA software running chemical plants, factories, and electrical power generation and transmission systems. Its infections have been concentrated in Iran, Pakistan, India, and Indonesia, although systems have been infected world-wide. It was targeted at a specific facility — Iran's Bushehr nuclear plant. The Christian Science Monitor had a good report on this story, with more technical details than typically found in newspapers. Dark Reading goes deeper into the technical details and the analysis. Ars Technica and the New York Times describe how Stuxnet was a US-Israel operation, described in detail in David Sanger's book Confront and Conceal: Obama's Secret Wars and Surprising Use of American Power. Symantec reported in February 2013 that what they call Stuxnet 0.5, a less aggressive version that used an alternative attack strategy of closing valves within the Natanz uranium enrichment facility, was in development as early as November 2005 and was out in the wild by November 2007.

Duqu was discovered on 1 Sep 2011, and seems to be related to Stuxnet. It has been analyzed in detail by CrySyS, the Laboratory of Cryptography and System Security at the Budapest University of Technology and Economics, Kaspersky Lab, and Symantec. The Intercept has an overview. Unlike Stuxnet, which causes industrial controllers to drive centrifuges so they destroy themselves, Duqu gathers data for future attacks.

Flame, first deployed in March 2012, is an impressively complex system. It gathers data from the local disk, screenshots, keylogging, and data captured from the camera and microphone if they exist. The collected data is compressed and encrypted, and then exfiltrated by enabling the Bluetooth interface and transferring the data to a mobile phone. It also involved a world-class cryptographic breakthrough in its collision-based digital signature forgery used to make it appear to be a legitimate Microsoft Windows update. Microsoft has explained the use of an MD5 collision to forge digital signatures based on one of their weaker code-signing certificates.

Gauss was discovered in early August, 2012, and is believed to have been deployed since August or September of 2011. It combines the cyber-surveillance of Flame with a Trojan targeting online banking. It moves via USB memory sticks. The majority of the infected systems have been detected in Lebanon. Kaspersky has an overview and a detailed analysis. Other descriptions appeared in CNN Money, Wired, The Register, and Ars Technica.

February 2015 — Kaspersky Labs released a report describing what they call the "Equation Group". This seems to be their discovery of NSA TAO software and firmware in some of their customers' systems. Software and firmware, because it includes the ability to modify the firmware within more than a dozen brands of disk drives including Maxtor, Seagate, Hitachi, and Toshiba. Kaspersky describes this as the most sophisticated attack group of the approximately 60 such groups they track. The Equation Group software and firmware has ties to both Stuxnet and Flame among others, and goes back at least to 2001, possibly to 1996. Kaspersky has detected it in their customers' systems in at least 30 countries, concentrated in Iran, Russia, and Pakistan. It can travel on its own as a worm, or embedded in an email message or a hostile web page, or moved via USB devices.

August 2016 — Kaspersky Labs announced the discovery of what they call "ProjectSauron", a cyber-espionage system designed to steal encryption keys and other sensitive data, a system of complexity adequate for them to credit it with national backing.

See their announcement and their research paper in which they show probable American UNIX-centric authorship.

Also see Symantec's analysis in which they dub the group "Strider".

These analyses brag on the attacks' sophistication, but they also describe some unexpected design choices like the use of RC4 and RC6, plus encryption by XOR with 8-bit and 16-bit patterns. So which is it, NSA origin or 8-bit XOR?
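To show why XOR with an 8-bit or 16-bit pattern is obfuscation rather than encryption, here is an added example (not code from the page, nor from the Kaspersky or Symantec reports) of the routine an analyst uses to strip such a layer from a recovered blob. Because each key byte only ever touches every k-th byte of the data, the key bytes are solved one at a time with 256 guesses each, ranked by a crude text-likeness score; no brute force over the whole key space is needed. The "implant configuration" string is constructed for the demonstration and is not a real artefact.

```python
"""Recover a repeating 1- or 2-byte XOR key from obfuscated data.

Added analyst example. It assumes the hidden plaintext is mostly
lowercase text with spaces, which is typical of command strings, paths
and configuration blocks; other plaintexts need a different scorer.
"""
import string

# Constructed sample plaintext, not taken from any real malware.
SAMPLE_CONFIG = (b"beacon interval 300 seconds; upload collected files "
                 b"to the staging host; retry after 60 seconds")

LOWER_OR_SPACE = frozenset(b"abcdefghijklmnopqrstuvwxyz ")
PRINTABLE = frozenset(string.printable.encode())


def xor_bytes(data, key):
    """XOR data with a repeating key; the same call encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def text_score(buf):
    """Reward lowercase letters and spaces, penalize non-printable bytes.
    Crude, but enough to rank 256 candidates for one key byte."""
    score = 0
    for b in buf:
        if b in LOWER_OR_SPACE:
            score += 1
        elif b not in PRINTABLE:
            score -= 1
    return score


def solve_key_of_length(data, klen):
    """Solve each key position independently over the bytes it covers."""
    key = bytearray()
    total = 0
    for pos in range(klen):
        column = data[pos::klen]
        best_guess, best_score = 0, None
        for guess in range(256):
            s = text_score(bytes(b ^ guess for b in column))
            if best_score is None or s > best_score:
                best_guess, best_score = guess, s
        key.append(best_guess)
        total += best_score
    return total, bytes(key)


def recover_xor_key(data, max_key_len=2):
    """Return the most plausible repeating key of length 1..max_key_len.
    Ties go to the shorter key, so a 1-byte key is not reported as (k, k)."""
    best_score, best_key = None, b""
    for klen in range(1, max_key_len + 1):
        score, key = solve_key_of_length(data, klen)
        if best_score is None or score > best_score:
            best_score, best_key = score, key
    return best_key


def deobfuscate(data, max_key_len=2):
    """Recover (key, plaintext) from XOR-obfuscated data."""
    key = recover_xor_key(data, max_key_len)
    return key, xor_bytes(data, key)


if __name__ == "__main__":
    for used in (b"\x5a", b"\x5a\xc3"):
        blob = xor_bytes(SAMPLE_CONFIG, used)
        found, plain = deobfuscate(blob)
        print("key used", used.hex(), "recovered", found.hex(), "->", plain.decode())
```

The per-position approach generalizes to longer repeating keys once the key length is known; with longer keys the usual first step is to guess the length from the Hamming distance between successive key-length blocks, which this short example skips.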

Also see the Iran versus the world section.

U.S.A. / South Korea / "North Korea" — July 2009

4 July 2009 — Distributed Denial-of-Service (DDOS) attacks against U.S. government servers including whitehouse.gov and treasury.gov on the U.S. national holiday, the same day that North Korea launches a series of medium-range missiles, are blamed on North Korea.
7 July 2009 — The same DDOS attacks move to South Korean servers, including the Ministry of Defense and the presidential Blue House, increasing the baseless theorizing that North Korea must be behind it.
8 July 2009 — Widespread coverage in Wired magazine and elsewhere reports that the DDOS seems to have been run by a sloppy hacker using five-year-old worm code.
10 July 2009 — Typically clueless U.S. legislator Peter Hoekstra of Michigan insists that the U.S. should conduct a "show of force or strength" against North Korea for its supposed role.
Lesson: Many legislators are idiots.
See Bruce Schneier's calm analysis that this is nothing new, just "kids playing politics".

U.S.A. Power Grid Panic

Dark Reading reported that after a million-dollar study by the Federal Energy Regulatory Commission in 2013, using confidential and private information, a group of researchers decided to research a related question in 2015. Spending just $15,000 for 250 man-hours, they investigated what a small group of domestic terrorists could discover about the most critical U.S. power substations.

Meanwhile, news-reader and interviewer Ted Koppel wrote a rather silly book capitalizing on the worry over the power grid. It's an entire book about how hackers will take down the power grid, but he didn't bother talking to any information security experts.

Military-Industrial Espionage

The Office of the National Counterintelligence Executive warned of Internet activity by foreign intelligence entities back in 1997. BNA Daily Report for Executives, 6 January 1997, pg A15.

Country                      Industrial espionage   Offensive IW   Major US Y2K fix provider
Bulgaria                     No                     Yes            Limited
People's Republic of China   Yes                    Yes            No
Cuba                         Yes                    Limited        No
France                       Yes                    Yes            No
India                        Yes                    Yes            Yes
Iraq                         Yes                    Yes            No
Ireland                      No                     No             Yes
Israel                       Yes                    Likely         Yes
Japan                        No                     Yes            Likely
Pakistan                     No                     No             Yes
Philippines                  No                     No             Yes
Russia                       No                     Yes            Yes
South Korea                  No                     Yes            Yes

The CIA named countries thought in 1999 to be involved in industrial espionage or offensive information warfare, and noted that several had been providers of Y2K fixes to U.S. firms (Network World 13 Sep 1999 pg 10), see the table above.

For details of recent events and trends, see the country-specific timelines above.

Viruses and Hacking

NATO revealed that the Anti-Smyser-1 virus infected systems at its Pristina, Kosovo facility early in 2000. Affected systems mailed copies of a nine-page classified document detailing NATO rules of engagement for land operations in Kosovo to "random Internet users' mailboxes" — SC Magazine, Aug 2000, pg 18. Well, I doubt they were really random, but instead were entries in someone's address list. Who put classified documents on Internet-connected PCs susceptible to viruses??

A group of hackers broke into U.S. Department of Defense computers in the fall of 1997. It was well-publicized, they claimed to have stolen GPS controlling software to sell to terrorists, but DOD said it was just some administrative data.

During the 1991 Persian Gulf War, a group in Eindhoven, Netherlands broke into computers at 34 U.S. military sites and stole information about troop movements, missile capabilities, etc. They offered it to the Iraqis, but they figured it had to be a hoax. London Telegraph, 23 Mar 97.

Government / Military Threat Reports and Warnings

The DOD urged the naming of an "information czar" and an "information warfare" center within the U.S. intelligence community back in 1997. WSJ, 6 January 1997, pg B2.

Some people in DOD, or working for the defense/intel community, think future conflicts will be the domain of digital terrorists. Mafia-based states (like many in the ex-USSR), quasi-governmental organizations (IRA, ETA, HAMAS), or followers of warlords (Somalia, Chechnya, Myanmar) could launch highly disruptive attacks in which modern states would be at a disadvantage. AWST, 27 Apr 1998, 54-56.

As early as 1997:

The article, "Nation's 'Infosec Gaps' Given New Scrutiny Post-Sept 11", is quite realistic and practical as information warfare material goes, AWST, 28 Jan 2002, pg 59.

Offensive Information Warfare / Information Operations

The USAF formed the 609th Information Warfare Squadron in early 1996. AWST, 29 April 1996, pg 52.

The USAF Information Warfare Team was formed at Rome AFB in 1996. Director of CIA John Deutch said, "We have evidence that a number of countries around the world are developing the doctrine, strategies, and tools to conduct information attacks." AWST, 12 Aug 1996, pg 65-66.

In 2007-2008 the USAF made all sorts of conflicting claims about what it was going to do. Looks like political turf battles...

What they call information warfare (IW) or information operations (IO) is out there, but good luck finding much in the open literature. Just a few brief mentions, like a few sentences in AWST 12 May 2003 pp 62-63. Also be aware that the U.S. Department of Defense uses "information operations" to mean offensive information warfare, including denial of service attacks against data and network connectivity, and more subtly, rendering data or network connectivity worthless by degrading the other side's confidence in it. But at the same time, the Central Intelligence Agency instead uses "information operations" to mean obtaining data statically stored on systems or transiting networks, in order to analyze it and obtain an understanding of the other side's plans.

More recently, see Digits of Doom, in AWST, 24 Sep 2007, pg 74, suggesting that the U.S. military had started attacking jihadist web sites in the preceding few months. The article mentions:

In other stories:

"Network-Centric Warfare" — Terminology with a Convoluted History

Much depends on just what you mean by "network-centric warfare".

Initially (maybe 1996-2000) it seemed to be used recklessly, and was the domain of much wild speculation (science fiction analogies) and dangerous enthusiasm (controlling warships with Windows NT).

After maybe 2000 or so it seems to have really been working, but by then it really should have been called something more like "information-centric" or "communication-centric" warfare.

The point is the sharing of information and how that information is used, not just the fact that there's a networked graphical interface.

The Yorktown Failure — The Blue-Water Blue Screen of Death

In September 1997, the USS Yorktown, an Aegis-class missile cruiser, was left dead in the water for close to 3 hours because of a cascade of failures started by a Windows NT application that didn't prevent a divide-by-zero error. There's a design error here — who made NT a vital part of a warship, and who designed an architecture that allowed the failure cascade? Google finds lots of discussion, ask for:
september 1997 yorktown windows
Also see the Military and Aerospace Electronics article: "Navy Postmortem Tries to Pinpoint What Went Wrong With the 'Smart Ship'", in Military and Aerospace Electronics, March 2001, pp 1,5.

Early enthusiasm for "Network-Centric Warfare"

"What is Information Warfare" is available from the Government Printing Office (by Martin C. Libicki, August 1995, National Defense University series, G.P.O. 1996-405-201:40005). Much enthusiasm and anecdotes, light on technical facts and realism. Note the section where he discusses William Gibson's science-fiction novels and the movie "TRON" as possible models! Well, it's out there, and some people may consider it important.

Two government references that look better are NIST Special Publication 800-12 and NIST Special Publication 800-14.

"Network-Centric Warfare", Vice Adm Arthur K. Cebrowski and John J. Garstka, U.S. Naval Institute Proceedings, Jan 1998, pp 28-35. At least for the USNI publications, this seems to be the article that kicked off the craze.

"IT-21 Intranet Provides Big 'Reachbacks'", Rear Adm Robert M. Nutwell, U.S. Naval Institute Proceedings, Jan 1998, pp 36-38. A pretty good overview.

"Moving the Navy Into the Information Age", Cmdr Michael S. Loescher, U.S. Naval Institute Proceedings, Jan 1999, pp 40-44. He seems to have watched way too much "Star Trek", as the article actually suggests working on "cloaking" and "shielding" as in that sci-fi TV show, plus "omniscience" and "telepathy".

"The Power of e-Sailors", Vice Adm James R. Fitzgerald, U.S. Naval Institute Proceedings, Jul 1999, pp 62-63. A decent overview, at the expense of yet another unneeded neologism...

Early Skepticism and Caution Regarding "Network-Centric Warfare"

"Beware of Geeks Bearing Gifts", Lt Cmdr Eric Johns, U.S. Naval Institute Proceedings, Apr 1998, pp 74-76.

"The Seven Deadly Sins of Network-Centric Warfare", Thomas P. M. Barnett, U.S. Naval Institute Proceedings, Jun 1999, pp 36-39.

"The Smart Ship is Not the Answer", U.S. Naval Institute Proceedings, Jun 1998, pp 61-64. "Using Windows NT, which is known to have some failure modes, on a warship is similar to hoping that luck will be in our favor."

"Network-Centric: Is It Worth the Risk?", Cmdr William K. Lescher, U.S. Naval Institute Proceedings, Jul 1999, pp 58-63.

A very useful and more recent overview of NCW in its broader and more mature sense is a series of articles in AWST, 27 Jan 2003, pp 37-59.
