Recently, NATO officials, the
Ukrainian government, EU governments, and others have received emails with
compromised attachments containing spyware and other malicious code.
Cyber-threat intelligence group iSight called this attack Sandworm. Similar
emails with malware and spyware have been discovered in Taiwan. In both these
cases, malicious code that exploits weaknesses in the Windows operating system
and in Microsoft Office was found in Office documents, mainly PowerPoint, by
iSight, or by McAfee and Google researchers. The code uses a “zero-day
vulnerability” and takes advantage of the Object Linking and Embedding
mechanisms in Office files, which allow, for example, Excel graphs to be shown
in PowerPoint. Rather than embed a graph, however, the hackers embedded code
that spied on the recipients. A similar case in August called Epic Turla, also
from Russia, included malware that searched the recipient’s computer for
phrases relating to sensitive documents. If the phrases were present, more code
could be remotely enabled that would do more thorough searches and report what
it found to its creator. This case used compromised websites rather than email
attachments.
In the case of Sandworm, the
documents used were written in Russian and were usually interesting to the
target, such as falsified lists of pro-Russian Ukrainian separatists. In
Taiwan, very similar Chinese code was discovered. The malware used in Taiwan is
called Taidoor, and has been previously linked to Chinese cyber-espionage. Due
to the nature of the compromised documents and the code, the researchers
believe they are linked to or controlled by the Russian and Chinese
governments, respectively, rather than originating from civilian black-hat
hackers. However, there is currently no way to know for sure. Without proven
government involvement, the international community can take no effective
action against the attackers.
Even if government involvement were
proven in either case, there is still not much the international community could
really do. Although spyware sent from a government to foreign officials might
be a violation of international law and could be considered a violation of
state sovereignty, it cannot be classified as a cyber-attack and therefore is
not an act of war or controlled by the law of war.
As we read in Sanger, an example
of something that could be considered a cyber-attack is the Stuxnet virus.
Stuxnet, like Sandworm, exploited “zero-day vulnerabilities”; in Stuxnet’s case, four of them. Unlike
Sandworm, however, Stuxnet was introduced by USB drives and was used initially
to disrupt and damage Iranian nuclear facilities by affecting data and computer
networks and then destroying nuclear centrifuges. Sandworm and the similar
Chinese threat were spyware; they only reported data and did not alter data or
disrupt or take control of the computer.
In class, we defined a
cyber-attack as something that has force similar to an armed attack or that
undermines the function of the network. Since Stuxnet caused the destruction of
nuclear facilities, it is clear that it was a cyber-attack. Sandworm and the
Chinese code are obviously some kind of intrusive and malicious program, but
they do not have the ability to cripple systems like Stuxnet, so they cannot be
called a cyber-attack. In Hathaway et al.
(2012), the recommended definition of a cyber-attack states that the program
must “undermine the function” of a system. This is typically done by adding or
modifying information and is not done by just observing the computer or network.
Programs that simply observe, as Sandworm does, are considered cyber-espionage
instead. Since cyber-espionage does not have any force similar to an armed
attack or undermine the function of the network, it cannot be considered an act
of war. Therefore, it is not governed by the law of war, and Article 51 of the
UN Charter governing self-defense does not apply.
Even without this definition, it
makes sense to classify Sandworm as espionage; it only looked at data on the
infected computers and did not contain the ability to destroy documents, take
over the computers, or spread more malicious code over a network. As sensitive
as the information might have been that was retrieved or observed by the
programs, Sandworm is not a cyber-attack. Those affected by the virus could
take diplomatic measures against the suspected hackers, but there is a good
chance they will not be effective, because of lack of proof, government
denials, the risk of further worsening relations, or the threat of further
attacks or intrusions. There is nothing effective the affected parties can do
but tighten their own internet security policies and wait for Microsoft to
release a patch to the operating system or to Office.
Taidoor: http://www.theguardian.com/technology/2014/oct/23/china-cyber-attacks-taiwan-windows-microsoft
Epic Turla: http://uk.reuters.com/article/2014/08/07/us-cybersecurity-hackers-epicturla-idUKKBN0G71LU20140807
Hathaway et al., California Law Review: http://www.californialawreview.org/assets/pdfs/100-4/02-Hathaway.pdf