In the early hours of Tuesday, 24 October 2017, a new wave of cyber attacks hit Russia, Ukraine and several other nations. Flights were delayed at Odessa airport in Ukraine, and the Russian news agency Interfax was also affected.
Early reports suggest that the attack was a professional operation, able to quickly infect critical infrastructure such as transport hubs. The US government, through US-CERT, issued an alert concerning the attack, which also reached Bulgaria, Turkey, and Japan.
Turkish citizens already have limited access to the internet, as the government has blocked thousands of websites, ranging from Facebook to Wikipedia. In the words of Human Rights Watch advocate Mahmet Ali:
As shown in data compiled by the volunteer-run TurkeyBlocks project, there were widespread complaints of slow access to social media platforms, to the extent that they became completely inaccessible, which signals an extrajudicial shutdown of social media applications. This alleged “network throttling” came at a time when citizens relied most on independent news and social media, and it directly infringes on people’s right to access information.
The attack was carried out with self-propagating ransomware, as in several recent incidents. Such malware can spread across the globe within hours, as the WannaCry outbreak showed in May. The malware in this case has been dubbed “Bad Rabbit”, and analysis by the Russian security firm Kaspersky Lab suggests that it shares a large amount of code with NotPetya (which Kaspersky calls ExPetr), the malware that crippled many Ukrainian government agencies and businesses in June. Its initial foothold was not an exploit but a fake Adobe Flash Player update served from compromised news websites; once inside a network it moved laterally over SMB, using credentials harvested from the infected machine together with a built-in list of common passwords. That is a useful caveat for defenders: patching alone would not have stopped it, whereas credential hygiene and restricting SMB between workstations would have slowed it considerably.
Interfax, one of the largest news agencies in Russia, was disrupted but expected to recover quickly: a spokesperson said that all of its services should be back online by the end of Tuesday. The disruption at Odessa airport was caused by the computerized passenger information system going down, forcing staff to process passenger data by hand.
It could, of course, have been much worse. Any malware able to infiltrate airport systems could, in theory, cause widespread disruption to transportation networks. Bad Rabbit seems to have gained access to such systems relatively easily, and then did little to capitalize on that access. This is a pattern seen in many recent attacks, and it has left the intelligence community somewhat perplexed.
The New Normal?
The recent spike in worm attacks like this has many cyber-security experts scratching their heads. The last ten years have actually been quite a quiet time when it comes to huge cyber attacks such as this. There was a spike in similar attacks during the late 1990s and early 2000s, but the intervening period has seen little activity.
That is, until now. WannaCry caused widespread disruption earlier this year, encrypting files on more than 200,000 machines, including systems belonging to the UK’s National Health Service, and demanding payment in Bitcoin for their release. Though it has become the best-known and certainly the best-publicized incident, there have been many similar attacks in the past 18 months. This recent surge, according to some economists, has cost the global economy billions of dollars.
For many in the cyber security community, the question has become: why now?
The recent public attribution of WannaCry to the government of North Korea by Western officials clarified the source of the malware, but not the intention behind it. Indeed, the fact that the worm originated in the DPRK made its behaviour harder to read: it demanded a ransom of a few hundred dollars per machine, yet its payment mechanism was so crude that the operators could not tell which victims had paid, and the few hundred thousand dollars it collected is hardly a plausible primary objective for a nation-state operation.
If WannaCry, NotPetya, and Bad Rabbit represent attacks by one nation state on another, why dress them up as ransomware at all? NotPetya’s ransom note pointed to an email address that the provider shut down within hours, and the identifier shown to victims was random data, so even those who paid could never have recovered their files: in practice it behaved as a wiper. The same code, aimed deliberately, could have caused widespread disruption, and possibly even destruction; NotPetya in fact did exactly that to several multinational companies.
The prevailing theory at the moment is that these worms are merely tests. Instead of being full-blown cyber attacks, they may represent the DPRK, and others, experimenting with techniques that will make future attacks more effective. Like the nuclear testing of the 1960s, they are also a way of making a show of the weapons that a particular state possesses.
And just like that same nuclear testing, attacks like this run the risk of escalating the ongoing ideological conflict between the US, Russia, the DPRK, Iran, and many others. In many ways, it seems like we haven’t come very far since the end of the Cold War. If that conflict was governed by a doctrine of “mutually assured destruction”, we can term the recent dynamic one of “mutually assured restraint”.
Ever since Stuxnet, discovered in 2010, which sabotaged Iranian uranium-enrichment centrifuges with a bespoke worm widely attributed to the US and Israel – the largest and most sophisticated ever seen, at the time – there have been calls for international agreements on cyber warfare. In the same way that conventional warfare is conducted under the Geneva Conventions, it is felt that there should be legal limits on the targets, scale, and potential casualties of cyber warfare.
This, to date, has not happened. In the absence of legal agreement, it seems we are back in a familiar situation, albeit with new weapons: occasional shows of force, interrupted by periods of ineffective diplomacy.