Cyberwar against ISIS could bring into play tools and tactics that corporate security pros face every day, only this time they will be used as part of a larger objective than criminal profit.
The goals of the offensive are to disrupt communications within ISIS and between the group and potential recruits, according to a story in the New York Times.
To meet those goals, U.S. Cyber Command could use such means as DDoS and man-in-the-middle attacks, banking Trojans and even ransomware-type attacks that irreversibly encrypt machines (but skip the ransom), experts say.
+More on Network World: DARPA wants early warning system for power-grid cyberattacks+
Cyber operations would support traditional military tactics and carry out missions traditional military forces cannot, they say.
Knocking out communications ahead of ground attacks is standard military protocol and it used to be done using air attacks against communication centers, says James Barnett, a retired U.S. admiral who heads the cybersecurity practice at Washington law firm Venable LLP.
“That’s just part of the preparation of the battlefield,” he says. Now it is possible to accomplish the same goal with cyberattacks against command and control centers, he says.
ISIS has assets with which it buys armaments and pays troops, and it tries to sell oil to raise cash. Using cyberattacks to disrupt money transfers can deny the group some of its military resources, he says.
Cyber weapons could be embedded in command and control networks to gather intelligence or take them down. “Are we that good yet?” he says. “I don’t know.”
ISIS also holds territory that includes cities and towns, so attacks could be made against the control systems that run water and power supplies, he says.
The point of employing any kind of military weapon – physical or virtual – is to have an impact against the enemy, says Oren Falkowitz, a former NSA analyst who worked in Cyber Command, so cyber tactics will be carefully considered.
Attacks could conceivably include malware that infects machines and encrypts them, rendering them useless. But the effect of that wouldn’t be severe enough, he says. “The U.S. government isn’t in the business of just ruining people’s machines,” he says.
Rather cyber warfare would be executed in concert with other offensive operations on land, the sea and by air, he says, helping to achieve an overall victory. Done in isolation DoS attacks and corrupting individual machines are “ankle-biting tactics” that are merely annoying, but could be part of a larger scheme.
+More on Network World: No humor zone: 33 things you should never say to a TSA agent+
In any war, all weapons have to be brought to bear, but need to be matched to specific objectives, he says. For instance, cyber methods are already used by intelligence organizations to gather information, and the military could as well, but likely for different purposes such as to determining where to direct physical attacks. The objective is to gather enough intelligence to have an impact on the enemy, not just to own a vast amount of data about the enemy, he says.
Of course Cyber Command has the resources to go far beyond what cybercriminal groups are capable of, which means the possibility of more complex, multi-layered attacks, says Ed Cabrera, vice president of cybersecurity strategy for Trend Micro.
As an example of this type of sophisticated attack - carried out by unknown actors - he points to the attack on a Ukrainian power grid last year. The attack started with phishing then incorporated BlackEnergy3, an updated version of a crimeware toolkit that has been around for years. In this case it was embedded in macros in a Word document.
Once there, attackers moved laterally in the power company business network and stole credentials that gave access to the grid-control network.
But the attack had more layers:
- Installing rewritten firmware that blocked all but manual attempts to restore power
- Disabling backup power supply so the operations center couldn’t function
- DoS attacks against customer-service phones to stop calls reporting outages
- Use of KillDisk to prevent computers needed by grid operators from booting
Cabrera says he has no knowledge of what cyber weapons the U.S. has in its arsenal, but given that this type of layered attack can be fashioned from known exploit tools, it’s conceivable it could create similarly sophisticated attacks using newly devised methods. “They’re only limited by their imaginations,” he says.
For example, says Barnett, the 2009 Stuxnet attack against the Iranian nuclear program was created specifically to damage centrifuges used to refine nuclear material by attacking a specific type of industrial control gear. Stuxnet was a weapon that did physical damage to a specific target, and employed custom-made tools.
So far, ISIS hasn’t shown itself to be much of a cyber threat, Barnett says. ISIS has made threats to use cyberwar but its efforts have amounted to cyber vandalism. He’s certain the group will come up with more sophisticated attacks, but hasn’t seen evidence that the group can take down an electric grid using cyberattacks, for instance.
U.S. officials talking openly about actually engaging in cyberwar is new, and that public commentary could be political, to assure U.S. citizens and allies that the U.S. is taking on ISIS every way it can. Or it may be to get in the heads of ISIS leaders to make them wonder whether their communications can be trusted or whether their data has been corrupted. “They may be toying with them a little bit,” Barnett says.
Regardless, no one should have doubted that cyber tactics were being used, he says. “Cyber offense is critical to any type of military operation,” he says. “It’s inconceivable that we would not use it. It’s conventional now. It’s fully integrated now.”