Archive for June 29th, 2017


The cyber attack post mortem – Ukraine

June 29, 2017

The latest cyber attack, which inflicted by far the most damage upon Ukraine (and, to be blunt, that was probably the intention), is now quite rightly subject to an international and domestic post mortem with experts and “experts” offering both wisdom and “wisdom”.  There are a lot of profile-enhancing and finance-gathering Op-Ed opportunities to be taken in its wake.

The blog is neither “expert” nor expert.  Expect no technical explanations.  That is not the point of the entry.

The “how”, or at least one “how” has been fairly well agreed upon regarding the MeDoc programme as a point of entry.  It was in fact identified very early on.

(There was no need to be expert nor “expert” to look at the attack as it was on-going and from the Ukrainian victims deduce the source was probably some form of accounting and/or invoicing software.  The blog tweeted as much early on during the attack, albeit with no knowledge of what actual programme it would or could be.)

The “who” will be a little more difficult to get experts (rather than “experts”) to officially and publicly commit to – albeit Ukraine wasted no time in attributing a “Russian trace” to the attack.  It is very probably an accurate attribution – though based upon what evidence, other than circumstantial, is not yet known.

Corroborating expert attribution and/or attribution by other nations may not come swiftly either.  For example, in March 2016 at a closed-door, 2-day round table, a world renowned cyber expert told this blog that Russia was behind the 2015 cyber attack that took down Ukrainian infrastructure.  Something long suspected of course, but at that time in 2016, no official public attribution had been made other than by Ukraine.  Ergo what may be privately known – and indeed privately attributed – may not, for whatever reason (political or operational), be done in the public domain for quite some time after the fact – if ever.

That leaves a very scary space where cyber shenanigans, be they terrorist, State actor/quasi-State actor, or organised crime, are converging toward acts that may deliberately or unintentionally equate to casus belli – for not all actors understand where the red lines are, and not all States may have the same red lines.  A very scary thought indeed.

In the case of Ukraine and Russia’s undeclared war upon it, the latest cyber attack may well normally be classed as an act of war by many States.  However, with Ukraine having already suffered 2 cyber attacks that disrupted infrastructure, the illegal annexation of Crimea, and the occupation and kinetic engagements relating to parts of The Donbas, it is now an on-going war within which this is simply another high water mark act in the particular theatre of cyberspace.

The political, economic, diplomatic, legal and social war, notwithstanding the contained and managed kinetic war in the occupied Donbas, has waged for more than 3 years quite openly.

The continuous cyber warfare, with hundreds of attacks every month, simply doesn’t leave the same public footprint.  It is not possible to look at an equivalent to open source Google satellite photographs over a period of time and witness changes on the ground when it comes to the never ending cyber warfare.  There are no official communiques or court results in the public domain to reference.  As such, gauging the level of intensity of the cyberwar, and gaining public access to it, is not so easy – and even if most of us could access attacked and attacking code, few would understand what they saw, what it does or did, and how.

Further it is quite necessary to be blunt – neither Russia nor Ukraine (nor any other State) would particularly desire their cyber ops to be in the public domain anyway.

Which brings about the point to this entry.

Thus far almost all expert and “expert” commentary has focused upon the immediate who did it, what exactly did they do, why did they do it as it was done, how was it done and when etc.  All very valid questions that require answers.

Widening that aperture slightly, and if The Kremlin is directly or indirectly responsible (as is probable), now for some questions from a blog that knows nothing about this particular theatre of war – questions not yet being asked particularly often, if at all, yet which at some point will have to be.

How was this attack related to previous attacks that took down infrastructure?  Related not by way of code similarity, but by way of any relation to this attack that can be seen as a result of learning from the previous attacks.  When in the system last time and poking around, what was learned from the attack results and is there a Russian learning cycle that can be identified from such system intrusions?

After the last attacks, was anything left behind to specifically monitor any potential or actual Ukrainian cyber fixes?

Is anything left behind this time to monitor Ukrainian fixes in preparation for the next major cyber attack?

If it is there, is it possible to find it before its work is done?

Has something been left behind that simply needs triggering to be the next cyber attack, or to enable it?

When the headline grabbing, all hands to the defensive cyber-pumps attack was going on and fixating the attention of one and all, did something else enter the system unnoticed?  If so, can or will it be found?

Now for perhaps the most interesting question – why were the attacks limited to what they achieved?

What else could have been done whilst in the system but wasn’t – and why wasn’t it done?

With the entry to the system as cleverly done as it was, why was the damage so (relatively) manageable, and why did it cause so (relatively) little lasting damage or disruption?

It could have been far, far worse if the intent had been to do so.  Why the limitation?  Is this new high tide cyber mark simply the latest probing and point scoring?  What can Ukraine see that was possible from this attack, but was refused for whatever reason?

At the end of the day, this latest cyber attack does not change the dynamics of the multiple front war of exhaustion to which Ukraine is subjected, but from every battle won or lost in any theatre in which this war is being waged, there are lessons to be learned and questions to be asked – and among those has to be what were the intended objectives, and why were those limitations placed when it could have been much worse?

The post mortem of course continues, and when these questions are eventually asked, it is not particularly likely the answers will be any more forthcoming than the willingness to publicly attribute cyber attacks.
