The great Peter Sellers as Dr. Strangelove. Wikipedia, public domain.
(This article was written shortly before the start of the Russian invasion of Ukraine. It will be revised as events warrant.)
In the early months of 2009 (the code itself was not publicly identified until mid-2010), a small piece of computer malware set back a nuclear program. You may remember hearing about the worm known as Stuxnet when it sabotaged Iran's uranium enrichment effort. Weighing in at roughly 500 kilobytes, Stuxnet managed to gain control of the industrial controllers driving hundreds of centrifuges at Iran's Natanz enrichment facility. By changing the centrifuges' rotational speeds at critical moments, while feeding normal readings back to the operators, Stuxnet wrecked about a thousand machines and ruined the uranium they were processing, and most estimates put the resulting setback to the Iranian program at one to two years.
No government has ever officially admitted responsibility for Stuxnet, although it is widely reported to have been a joint operation of the US and Israeli governments. The sophistication of the precision strike, the target, and the objectives all point to a case of premeditated country-on-country software violence. It was among the first of its kind.
Fast forward to June 2017. Hackers broke into the servers of a small Ukrainian software company called the Linkos Group, based in Kyiv. But instead of wreaking havoc on the company itself, the attackers slipped their malware into the update mechanism of Linkos' own software, so that anyone who installed a routine update received the malware along with it.
It turned out that "anyone" was just about everyone in Ukraine. Linkos' flagship product, the accounting package M.E.Doc, is the Ukrainian equivalent of TurboTax, and its use in the country is nearly universal because most businesses that file Ukrainian taxes run it. The malware that became known as NotPetya infiltrated private businesses, government agencies, power companies, banks, and pretty much every sector of the Ukrainian economy. Because it spread on its own through corporate networks, the malware didn't stop at Ukraine's borders, and several multinational companies were severely affected as well. Most notable among the victims was the Danish shipping giant Maersk, whose worldwide operations were brought to a standstill by NotPetya. Wired Magazine wrote a fascinating piece about the devastating effects of the attack; I highly recommend that you give it a read.
Whereas Stuxnet was the software equivalent of a commando raid, NotPetya was a weapon of mass destruction. The malware pretended to be ransomware, displaying a ransom note and a Bitcoin address, but paying was pointless: the e-mail address victims were told to contact was shut down within hours, and the "installation key" shown on screen was random, so no decryption key could ever have been produced. The attack was simply designed to be as destructive as possible, with no regard for collateral damage. The worldwide cost of NotPetya was estimated at $10 billion, and it's still regarded as the most costly malware attack in history. Insurance companies balked at compensating NotPetya victims, arguing that the attack fell under the act-of-war exclusions in their policies.
The consensus, and the formal finding of the US, UK, and several allied governments, is that the perpetrators of NotPetya were the GRU, the intelligence directorate of the Russian military. The attack shows the unmistakable traits of another instance of country-on-country software violence, this time a part of Russia's ongoing and increasingly menacing efforts to weaken and destabilize Ukraine.
Let's move the clock ahead to December of 2020. The Washington Post, among other outlets, reported that a breach had been discovered in the systems of a software company called SolarWinds in Austin, Texas. Much like the NotPetya attack on Linkos, the perpetrators weren't after SolarWinds itself. Instead, they compromised its build process and inserted a backdoor, later named Sunburst, into legitimate, digitally signed releases of the SolarWinds Orion network-monitoring product. SolarWinds has roughly 300,000 customers; about 18,000 of them downloaded a tainted Orion update, and from those the attackers picked a much smaller set of high-value targets for follow-on intrusion. (A second piece of malware found on some Orion servers, a web shell called Supernova, arrived by a different route, through a vulnerability in Orion itself rather than through the poisoned updates, and is generally attributed to a separate actor.)
Among those 300,000 customers, according to the customer list SolarWinds itself published before the breach, are a few notable names: NASA. The US State Department. The Justice Department. The Pentagon. All five branches of the US military. The National Security Agency. And the Executive Office of the President of the United States. Being a customer did not automatically mean being compromised, but the list shows how far a single tainted update could reach.
Guess who else uses SolarWinds products? Microsoft. You know, the company whose Windows software runs roughly 74% of the world's desktop computers. The company whose Office software is used by almost everybody. In the mad scramble to find out how deep the penetration went, Microsoft discovered that the intruders had been browsing its source code repositories. Some source code for a handful of products was downloaded, but Microsoft found no evidence that any code had been altered or that the intruders reached production systems, so nothing appears to have been embedded in released versions of Microsoft software. Nevertheless, the very idea that it might have been, and the potential for other so-called supply-chain attacks to succeed, is beyond frightening.
How many other systems were reached through Sunburst? No one knows for certain. By hiding inside legitimate, signed software from a trusted vendor, such malware can be incredibly stealthy and therefore exceedingly difficult to detect. Sunburst was especially sinister: it lay dormant for up to two weeks after installation, checked for security tools before doing anything, and then quietly phoned home disguised as ordinary network traffic, waiting for instructions from afar. A software sleeper cell, in effect.
It will probably take years to clean up the mess caused by the SolarWinds breach. In the meantime, the attack did at least act as a wakeup call to the tech industry, and threat mitigation efforts have taken on a more urgent tone. The problem is that methods to stymie future attacks on the software supply chain are complicated and will also take years to implement. Such efforts also depend on the weakest link in that chain: humans.
Now let's inch the clock closer to the present. In July of 2021 Russia conducted a test in which it disconnected itself from the global internet while keeping its domestic networks running. On top of that, for the last several years Russian submarines have been observed operating suspiciously close to undersea internet cables. Why would they want to do that? Because such capabilities would be useful in the event of a hot war, of course. The initial stages of any war in the twenty-first century are inevitably going to involve vicious attacks on the internet and connected systems of the belligerents. The ability to isolate their internet might provide Russia with a measure of protection against such attacks. At least Vladimir Putin may be convinced that it would.
So, has Vlad morphed into a modern-day amalgam of Premier Kissov and General Jack D. Ripper? Maybe he's decided to start a war now because he's convinced that the West is trying to sap and impurify all of his precious bodily fluids? Perhaps he's been waiting to launch his attack on Ukraine until his own cyber defenses were ready? It could be something like that - except that if Putin does order a Doomsday cyber strike, there won't be any recall codes. Or decryption keys.
If a hot war erupts between Russia and Ukraine, you can be sure that the accompanying cyberwar won’t stop at Ukraine’s borders. If the West’s response to Russian aggression is severe enough, Putin could decide to awaken his software sleeper cells, sever our transatlantic internet cables, and wreak as much internet havoc as possible. The lights will go out. The gas will stop flowing. Grocery stores will be empty, but we'll have no way of getting to them anyway. We'll be plunged into darkness, and we'll have no way of communicating with each other. It's an unfortunately realistic Doomsday scenario.