The rules of War 2.0 (or 3.0) are murky. Experts and pundits say that cyberwarfare is happening. And it makes sense. But it has been very hard to prove.

A new report adds to the body of evidence, charging that the Russian military is waging a sustained cyber campaign against Ukrainian military and law enforcement agencies, and the purpose is to extract a steady stream of classified documents that can aid violence and on-the-ground combat.

A Sustained Campaign Targeting Military

Lookingglass, a security firm based in Arlington, Va., and Baltimore, publishes a report Tuesday documenting a real-life instance of a cyberwar campaign.

CEO Chris Coleman says the attacks are persistent, but not sophisticated. "We're not claiming we found some big exploit in the Windows operating system," he says. "We tracked malware that was in emails, and it shows full-scale coordination."

Lookingglass says a dedicated group of hackers is getting Ukrainian military, counterintelligence, border patrol and local police to open emails with malicious attachments.

Only, they look legit. It's masterful — so far as manipulation goes — because of the "lure documents" that attackers use as bait.

Lead researcher Jason Lewis gives an example of a Microsoft Word file, dated Jan. 15, 2015. Written in Ukrainian, it's an overview of the situation at the Russia-Ukraine border — apparently authored by Ukraine's State Border Guard Service. The words "not for distribution" are written on it.

"That document appears to be something that was on a Ukrainian military computer," Lewis says. Hackers stole the document, then sent it to another Ukrainian security agency — with the malware hidden inside. "So the idea being that someone would see: 'Oh, this is news for today. Let me go and take a look and open it.' "

The malware would then infect their computer, so that the hackers could extract more classified intelligence: on the numbers of Ukrainian troops in reconnaissance battalions, the equipment they use and the rebel leaders they want.

This so-called spear-phishing attack is the same kind that got Sony Pictures. Lewis, who used to work at the National Security Agency, says military officers are human, too. "You probably have folks that don't know better and will open documents without thinking twice," he says.

Lookingglass says the attacks that focused on collecting combat intel took off in late April 2014, right after Ukraine's acting president declared a military operation against pro-Russian separatists.

The firm tracks the activity using virtual private servers set up in Ukraine, which let it capture scans of the different attacks.

Researchers also collect malware samples from VirusTotal, a free online service where hackers and researchers alike can submit files to test whether they pass or fail antivirus scans.

VirusTotal keeps the files it scans, creating a huge repository that anyone can sift through. Lookingglass ran advanced queries, using fields such as submission date and location, to pull additional samples of malware that targeted Ukrainian military and law enforcement.

A Window Into The Rules

In cyberattacks, it's hard to know exactly who the hacker is.

Lookingglass names the Russian security service (what used to be called the KGB). And after Ukraine publicly made the same attribution last September, researcher Jason Lewis says, the attackers tweaked their malicious software to slip under the radar again: "They said, 'Oh, we've been discovered. We'll change to this new remote access tool.' "

Researchers also found that when both sides negotiated a cease-fire last June, the cyberattacks stopped for that same period as well.

"That is incredibly interesting," says Fred Cate, a cybersecurity expert and professor at Indiana University Maurer School of Law. "It's like the adversaries are actually thinking of themselves as attacking."

It looks like the hackers see themselves as part of the battlefield, he says, "and so they stop those attacks when a cease-fire's in place — as opposed to thinking of themselves as just intelligence gathering, which usually continues even during a cease-fire."

This research is among the few documented examples of cyberwarfare. While it doesn't pinpoint specific stolen data that reconfigured a specific battlefield, it does reveal the edge of a new weapon against enemies.

"If you can substitute fake instructions, if you can get them to do the wrong thing, if you can get them to send the troops where you want them sent," Cate says, "this could dramatically alter the way in which we think about warfare."

It also raises the question of when hacking constitutes an act of war. It's an issue that NATO is trying to address through the Tallinn Manual, a multilateral process initiated after the cyberattacks that crippled Estonia, following that country's spat with Russia over the removal of a war memorial.

Circumstantial Evidence

The Russian Embassy did not respond to NPR's request for comment.

Computer scientist Stefan Savage at the University of California, San Diego says in many cyber investigations, like this one, the evidence is circumstantial. Researchers have the digital version of tire tracks and gun casings — not DNA and fingerprints.

But from a technical standpoint, he says, entities who are not Russian could have carried it out. "The question has to be 'Who else would have the motivation to do it?' because this is a significant piece of work. It's effort."

Lookingglass says neither country is its client, and it was not able to investigate whether Ukraine is hacking Russia as well.

Copyright 2015 NPR. To see more, visit http://www.npr.org/.

Transcript

RENEE MONTAGNE, HOST:

Next, we'll look into the hidden world of cyberwarfare. According to security experts, the Russian military is waging a sustained cyber campaign against Ukrainian military and law enforcement agencies. The purpose, to extract a steady stream of classified documents that can aid Russian-backed separatists in ground combat. NPR's Aarti Shahani has this report.

AARTI SHAHANI, BYLINE: The rules of warfare 2.0 or 3.0 are murky. Experts, pundits - they say that cyberwarfare is happening. And it makes sense, but it's been very hard to prove. Lookingglass, a security firm based in Arlington, Va., says it's documented a real-life instance - a cyberwar campaign that's persistent, but not sophisticated.

JASON LEWIS: We didn't think that anything about this was highly advanced.

SHAHANI: Jason Lewis is lead researcher.

LEWIS: They just continued to send the emails and change how they're doing things in a slightly small way.

SHAHANI: Lookingglass says hackers are getting Ukrainian military, counterintelligence, border patrol and local police to open emails with malicious attachments - only they look legit. It's masterful so far as manipulation goes because of what the attackers use as bait.

LEWIS: So I have an example from January 2015...

SHAHANI: It's a Microsoft Word file written in Ukrainian, Lewis says - an overview of the situation at the Russian-Ukrainian border, authored by Ukraine's State Border Guard Service. The words not for distribution are written on it.

LEWIS: So that document appears to be something that was on a Ukrainian military computer.

SHAHANI: Hackers stole it, then sent it to another Ukrainian security agency with the malware hidden inside.

LEWIS: So the idea being that someone would see, oh, this is news for today. Well, let me go and take a look and open it, and then infect their computer.

SHAHANI: Once inside, the hackers could extract more classified intel on the numbers of Ukrainian troops and reconnaissance battalions, the equipment they use, the rebel leaders they want. This so-called spear-phishing attack is the same kind that got Sony Pictures. Lewis, who used to work at the National Security Agency, says military officers are human, too.

LEWIS: You probably have folks that don't know better and will open documents without thinking twice.

SHAHANI: Lookingglass says the attacks focused on combat intel took off in late 2014. That's when Ukraine's acting president declared a military operation against pro-Russian separatists. And interestingly, when both sides negotiated a cease-fire last June, the cyberattacks stopped for that same period, as well.

FRED CATE: Wow, that is - I mean, that is incredibly interesting. It's like the adversaries are actually thinking of themselves as attacking.

SHAHANI: Fred Cate is a cyber-security expert and professor at Indiana University.

CATE: And so they stop those attacks when a cease-fire's in place, as opposed to thinking of themselves as just intelligence gathering, which usually continues even during a cease-fire.

SHAHANI: He says it looks like the hackers see themselves as part of the battlefield. This research is among the few documented examples of cyberwarfare. And while it doesn't pinpoint specific stolen data that reconfigured a specific battlefield, it does reveal the edge of a new weapon against enemies.

CATE: So if you can substitute fake constructions, if you can get them to do the wrong thing, if you can get them to send the troops where you want them sent, this could dramatically alter the way in which we think about warfare.

SHAHANI: And when hacking constitutes an act of war. In cyberattacks, it's hard to know exactly who the hacker is. Lookingglass names the Russian security service, what used to be called the KGB. And when Ukraine declared the same last September, researcher Jason Lewis says, the attackers tweaked their malicious software to slip under the radar again.

LEWIS: They said, oh, we've been discovered. We'll change to this new remote access tool.

SHAHANI: The Russian embassy did not respond to NPR's request for comment. Computer scientist Stefan Savage at the University of California, San Diego, says in many cyber investigations like this one, the evidence is circumstantial. Researchers have the digital version of tire tracks and gun casings, not the DNA and fingerprints. But from a technical standpoint...

STEFAN SAVAGE: There's not a fundamental limitation that would mean that only Russians could have carried it out. Then the question has to be, who else would have the motivation to do it, because this is a significant piece of work. It's effort.

SHAHANI: Lookingglass says neither country is its client, and it was not able to investigate if Ukraine is hacking Russia, as well. Aarti Shahani, NPR News. [POST-BROADCAST CLARIFICATION: Lookingglass has base offices in both Arlington, Va., and Baltimore. The audio of this story mentions only Arlington, and previous Web versions mentioned only one or the other.] Transcript provided by NPR, Copyright NPR.
