Not so long ago, stories about cyberwar started with scary hypotheticals: What if state-sponsored hackers were to launch widespread attacks that blacked out entire cities? Crippled banks and froze ATMs across a country? Shut down shipping firms, oil refineries, and factories? Paralyzed airports and hospitals?
Today, these scenarios are no longer hypotheticals: Every one of those events has now actually occurred. Incident by catastrophic incident, cyberwar has left the pages of overblown science fiction and the tabletops of Pentagon war games to become a reality. More than ever before, it’s become clear that the threat of hacking goes beyond nuisance vandalism, criminal profiteering, and even espionage to include the sort of physical-world disruption that was once possible to accomplish only with military attacks and terroristic sabotage.
So far, there’s no clearly documented case of a cyberwar attack directly causing loss of life. But a single cyberwar attack has already caused as much as $10 billion dollars in economic damage. Cyberwar has been used to terrorize individual companies and temporarily render entire governments comatose. It’s denied civilians of basic services like power and heat—if only briefly, so far—as well as longer-term deprivations of transportation and access to currency. Most disturbingly, cyberwar seems to be evolving in the hands of countries like Iran, North Korea, and Russia as they advance new disruptive and destructive cyberattack techniques. (The US and the rest of the English-speaking Five Eyes nations likely possess the most advanced cyberwar capabilities in the world, but have by all appearances shown more restraint than those other cyberwar actors in recent years.)
All of which means the threat of cyberwar looms heavily over the future: a new dimension of conflict capable of leapfrogging borders and teleporting the chaos of war to civilians thousands of miles beyond its front.
The History (and Meaning) of Cyberwar
To understand the unique threat cyberwar poses to civilization, it’s worth first understanding exactly how the word has come to be defined. The term cyberwar has, after all, gone through decades of evolution—well chronicled in Thomas Rid’s history of all things cyber, Rise of the Machines—which has muddied its meaning: It first appeared in a 1987 Omni magazine article that described future wars fought with giant robots, autonomous flying vehicles, and autonomous weapons systems. But that Terminator-style idea of robotic cyberwar gave way in the 1990s to one that focused more on computers and the internet, which were increasingly transforming human life: A 1993 article by two analysts at the think tank RAND titled “Cyberwar Is Coming!” described how military hackers would soon be used not only for reconnaissance and spying on enemy systems but also attacking and disrupting the computers an enemy used for command-and-control.
A couple of years later, however, RAND analysts would start to realize that military hackers wouldn’t necessarily limit their disruptive attacks to military computers. They might just as easily attack the computerized and automated elements of an enemy’s critical infrastructure, with potentially disastrous consequences for civilians: In a world increasingly reliant on computers, that could mean debilitating sabotage against railways, stock exchanges, airlines, and even the electric grid that underpins so many of those vital systems.
Hacking didn’t need to be confined to some tactic on the periphery of war: Cyberattacks could themselves be a weapon of war. It was perhaps that definition of cyberwar that President Bill Clinton had in mind in 2001 when he warned in a speech that “today, our critical systems, from power structures to air traffic control, are connected and run by computers” and that someone can sit at the same computer, hack into a computer system, and potentially paralyze a company, a city, or a government.”
Since then, that definition for cyberwar has been honed into one that was perhaps most clearly laid out in the 2010 book Cyber War, cowritten by Richard Clarke, a national security advisor to Presidents Bush, Clinton, and Bush, and Robert Knake, who would later serve as a cybersecurity advisor to President Obama. Clarke and Knake defined cyberwar as “actions by a nation-state to penetrate another nation’s computers or networks for the purpose of causing damage or disruption.” Put more simply, that definition roughly encompasses the same things we’ve always identified as “acts of war,” only now carried out by digital means. But as the world was learning by the time Clarke and Knake wrote that definition, digital attacks have the potential to reach out beyond mere computers to have real, physical consequences.
The first major historical event that could credibly fit Clarke and Knake’s definition—what some have dubbed “Web War I”—had arrived just a few years earlier. It hit one of the world’s most wired countries: Estonia.
In the the spring of 2007, an unprecedented series of so-called distributed denial of service, or DDoS, attacks slammed more than a hundred Estonian websites, taking down the country’s online banking, digital news media, government sites, and practically anything else that had a web presence. The attacks were a response to the Estonian government’s decision to move a Soviet-era statue out of a central location in the capital city of Tallinn, angering the country’s Russian-speaking minority and triggering protests on the city’s streets and the web.
What cyberwar is not
Cyberwar is not simply stealing information, neither the global great game of nations spying on each other’s governments nor the more controversial sort of private-sector economic espionage that the US has long accused China of carrying out.
Cyberwar is not profit-focused hacking like bank fraud or the ransomware attacks that seek to extort millions from victims—that’s cybercrime, no matter how cruel and costly its effects may sometimes be.
Cyberwar is not—although this point may be the most debated—the “influence operations” that seek to spread disinformation and propaganda, or to hurt an adversary by leaking damaging information about them. And yes, that includes the hack-and-leak operation that Russian government hackers used against Democratic targets in 2016, which ultimately boiled down to dirty politics and kompromat, not the directly coercive, paralytic disruption of true cyberwar.
As the sustained cyberattacks wore on for weeks, however, it became clear that they were no mere cyberriots: The attacks were coming from botnets—collections of PCs around the world hijacked with malware—that belonged to organized Russian cybercriminal groups. Some of the attacks’ sources even overlapped with earlier DDoS attacks that had a clear political focus, including attacks that hit the website of Gary Kasparov, the Russian chess champion and opposition political leader. Today security analysts widely believe that the attacks were condoned by the Kremlin, if not actively coordinated by its leaders.
By the next year, that Russian government link to politically motivated cyberattacks was becoming more apparent. Another, very similar series of DDoS attacks struck dozens of websites in another Russian neighbor, Georgia. This time they accompanied an actual physical invasion—a Russian intervention to “protect” Russia-friendly separatists within Georgia’s borders—complete with tanks rolling toward the Georgian capital and a Russian fleet blockading the country’s coastline on the Black Sea. In some cases, digital attacks would hit web targets associated with specific towns just ahead of military forces’ arrival, another suggestion of coordination.
The 2008 Georgian war was perhaps the first real hybrid war in which conventional military and hacker forces were combined. But given Georgia’s low rate of internet adoption—about 7 percent of Georgians used the internet at the time—and Russia’s relatively simplistic cyberattacks, which merely tore down and defaced websites, it stands as more of a historic harbinger of cyberwar than the real thing.
The world’s conception of cyberwar changed forever in 2010. It started when VirusBlokAda, a security firm in Belarus, found a mysterious piece of malware that crashed the computers running its antivirus software. By September of that year, the security research community had come to the shocking conclusion that the specimen of malware, dubbed Stuxnet, was in fact the most sophisticated piece of code ever engineered for a cyberattack, and that it was specifically designed to destroy the centrifuges used in Iran’s nuclear enrichment facilities. (That detective work is best captured in Kim Zetter’s definitive book Countdown to Zero Day.) It would be nearly two more years before The New York Times confirmed that Stuxnet was a creation of the NSA and Israeli intelligence, intended to hamstring Iran’s attempts to build a nuclear bomb.
Over the course of 2009 and 2010, Stuxnet had destroyed more than a thousand of the six-and-a-half-foot-tall aluminum centrifuges installed in Iran’s underground nuclear enrichment facility in Natanz, throwing the facility into confusion and chaos. After spreading through the Iranians’ network, it had injected commands into the so-called programmable logic controllers, or PLCs, that governed the centrifuges, speeding them up or manipulating the pressure inside them until they tore themselves apart. Stuxnet would come to be recognized as the first cyberattack ever designed to directly damage physical equipment, and an act of cyberwar that has yet to be replicated in its virtuosic destructive effects. It would also serve as the starting pistol shot for the global cyber arms race that followed.
Iran soon entered that arms race, this time as aggressor rather than target. In August of 2012, the Saudi Arabian firm Saudi Aramco, one of the world’s largest oil producers, was hit with a piece of malware known as Shamoon that wiped 35,000 of the company’s computers—about three-quarters of them—leaving its operations essentially paralyzed. On the screens of the crippled machines, the malware left an image of a burning American flag. A group calling itself “Cutting Sword of Justice” claimed credit for the attack as an activist statement, but cybersecurity analysts quickly suspected that Iran was ultimately responsible, and had used the Saudis as a proxy target in retaliation for Stuxnet.
The next month, Iranian hackers calling themselves Operation Ababil hit every major US bank, knocking their websites offline with sustained volleys of DDoS attacks, a far more focused version of the takedown technique Russians had used against sites in Estonia and Georgia. Again, cybersecurity analysts detected the hand of Iran’s government in the attack’s sophistication despite the “hacktivist” front, perhaps a more direct message from Iran’s state-sponsored hackers that any future US cyberattacks wouldn’t go unanswered. A little over a year later, in February 2014, Iranian hackers launched another, more targeted attack on American soil: Following public comments from Zionist billionaire Sheldon Adelson suggesting the US use a nuclear weapon on Iran, sophisticated hackers hit Adelson’s Las Vegas Sands casino, using destructive malware to wipe thousands of computers, just as in the Saudi Aramco case.
By 2014, Iran was no longer the only rogue nation exploiting the potential for cyberattacks to reach across the globe and inflict pain against civilian targets. North Korea, too, was flexing its cyberwar muscles. After years of staging punishing DDoS attacks on its favorite adversary, South Korea, North Korean hackers launched a more daring operation: In December 2014, hackers revealed they had deeply penetrated the network of Sony Pictures ahead of its release of The Interview, a low-brow comedy movie about an assassination plot against North Korean dictator Kim Jong-un. The hackers, calling themselves the Guardians of Peace, stole and leaked reams of emails along with several unreleased films. They capped off their raid by wiping thousands of computers. (Though the leaks might be called a mere influence operation, the disruptive data deletion pushes the incident across the cyberwar line.) The hackers left a menacing image on wiped computers of a skeleton, along with an extortion message; they demanded both money and that the release of The Interview be canceled. Despite that cybercriminal ruse, the FBI publicly named the North Korean government as the perpetrator of the attack, based in part on a slip-up that revealed a Chinese IP address known to be used by North Korean hackers. The roster of global powers entering the fray of cyberwar was growing.
Even as North Korean and Iranian hackers wreaked havoc in attacks like the ones against Las Vegas Sands and Sony Pictures, cyberwar circa 2014 was limited to isolated incidents and periodic acts of disruption. Around the same time, however, Ukraine was undergoing a revolution—one that would trigger a Russian invasion and lay the groundwork for the world’s first full-blown, real cyberwar.
In the fall of 2015, after Russian troops had annexed Ukraine’s Crimean peninsula and slipped across Ukraine’s eastern border to rally a pro-Russian separatist movement in the region of Donbas, Russian intelligence hackers began unleashing a series of wiper malware attacks. They targeted Ukrainian media and infrastructure, including its national railway and Kyiv’s airport, destroying hundreds of computers across those victims’ networks. Then, the day before Christmas, the same hackers carried out a far more shocking and unprecedented act of sabotage: They attacked three Ukrainian regional energy utilities, turning out the lights to about 225,000 civilians, the first known blackout in history ever to be caused by a cyberattack. The outage lasted just six hours, but it sent a powerful message to the Ukrainian populace about their vulnerability to remote attacks—and to the world about the evolving prowess of Russian hackers.
As Ukraine’s war wore on, Russian hackers launched another series of attacks in late 2016, much broader and more brazen than the year before. They hit the country’s pension fund, treasury, seaport authority, and ministries of infrastructure, defense, and finance—deleting terabytes of data that included the next year’s budget. They also hit Ukraine’s railway company, knocking out its online booking system for days during peak holiday travel season.
A Brief History of Cyberwar Attacks
Then, a week before Christmas, the hackers triggered another blackout, this time in the capital city of Kyiv. The attack only knocked out a fraction of the city’s power for a single hour, but did so by hitting a transmission station rather than distribution substations as the hackers had a year before, a form of targeting that could have caused a far more widespread blackout. That second blackout attack also used a new, foreboding tool, something security researchers have named Industroyer or Crash Override. This custom-made malware was designed to send rapid-fire commands directly to circuit breakers in a victim utility, automating the power-killing process and scaling it up so that it could, in the future, be used simultaneously against multiple facilities.
That Russian malware was the first specimen of code found in the wild since Stuxnet that directly targeted physical equipment. The tool featured a modular structure that would allow it to be easily adapted to other grid targets in Western Europe or the US, all signs that Russia’s hackers were seeking not only to inflict more disruption and terror against Ukrainians were but also experimenting with and demonstrating sabotage techniques they might easily use elsewhere.
In fact, all of those attacks were just a prelude to the main event of the cyberwar being waged against Ukraine. In late June of 2017, Russian hackers used the hacked servers of the Ukrainian accounting firm Linkos Group to push out a piece of code that would come to be called NotPetya. Combining the leaked NSA hacking program EternalBlue and the password-stealing tool Mimikatz into an automated worm, it spread almost instantly to an estimated 10 percent of all the computers in Ukraine, encrypting their contents with a destructive payload disguised to look like ransomware, but with no mechanism for actually decrypting files after the victim paid a ransom. (It appeared, at first, to be a version of the older Petya ransomware used by cybercriminals, but was not—hence its name.) Across Ukraine, it shut down banks, ATMs, and point-of-sale systems, paralyzing nearly all the country’s government agencies and crippling infrastructure like airports and railways, along with hospitals, the national post office, and even the operation monitoring radioactivity levels at the ruins of the Chernobyl nuclear power plant.
But NotPetya’s virulence wasn’t contained by national borders. It also hit A.P. Møller-Maersk, the world’s largest shipping firm; US pharmaceutical company Merck; FedEx’s European subsidiary TNT Express; French construction company Saint-Gobain; food producer Mondelez; and manufacturer Reckitt Benckiser. In each of those cases, it saturated networks, killing thousands of computers and inflicting hundreds of millions of dollars in lost business and cleanup costs. It struck at least two US hospitals and shut down the speech-to-text software firm Nuance, which provided medical record transcription services to more than a hundred more hospitals and clinics. NotPetya even spread back to Russia, inflicting further collateral damage on victims like the state oil company Rosneft, steelmaker Evraz, medical technology firm Invitro, and Sberbank. In all, a White House estimate would later put the cost of NotPetya at $10 billion at least, though the full extent of its damage may never be known.
The Future of Cyberwar
And yet, it could still get worse. Few cybersecurity analysts will take the bet that NotPetya will remain a one-off catastrophe. Just a month before that worm, after all, North Korean hackers had launched their own ransomware worm known as WannaCry that was nearly as destructive. It shut down networks as far flung as Chinese universities, Indian police departments, and even the British National Health Service, causing thousands of medical appointments to be canceled across the UK and ultimately costing between $4 and $8 billion. (While WannaCry shows the potential for other nation-states to launch such megaworms, it doesn’t necessarily count as a clear act of cyberwar itself, given that WannaCry did actually seem intended to collect ransoms from victims. The North Korean government, uniquely among global cyberpowers, focuses on cybercriminal profit as much as politically motivated attacks.)
There are hints of how a future cyberattack might cause even more disruption, or even physical destruction. In August 2017, a piece of malware called Triton or Trisis triggered the shutdown of an oil refinery owned by the Saudi Arabian firm Petro Rabigh. After months of reverse-engineering, security researchers determined that the malicious code wasn’t actually intended to cause a shutdown, but instead was aimed at silently disabling the so-called safety-instrumented systems of the plant—the equipment that serves as a last-ditch technological safeguard to prevent unsafe conditions, like a buildup of temperature or pressure. Stealthily borking those systems could have led to potentially lethal accidents like an explosion or gas leak.
It’s still far from clear who the hackers responsible for that ultra-dangerous malware are, or what country they might be working for. While Iran quickly became the prime target of security industry speculation—given its tension and proxy wars with Saudi Arabia—in late 2018 security firm FireEye uncovered fingerprints that linked back to Moscow’s Central Scientific Research Institute of Chemistry and Mechanics. That could mean that Russia was responsible for the attack, or merely that Russian malware developers were working on behalf of Iranian or another country’s hackers. (Iran, meanwhile, has over the past three years continued to periodically launch new waves of data destruction against targets in Saudi Arabia, Qatar, and the United Arab Emirates with revamped versions of the Shamoon wiper malware it used against Saudi Aramco.)
Aside from the prospect of attacks on safety systems and the looming possibility of another NotPetya-style worm, plenty of other nightmare hypotheticals continue to trouble the sleep of cyberwar wonks. They fear cyberattacks on water distribution systems, financial systems, gas pipelines, hospitals—perhaps even combined with a mass-casualty physical attack. And after the blackout attacks in Ukraine, they warn that far more severe attacks on the electric grid are possible. Way back in 2007, for instance, US researchers at Idaho National Laboratory showed in a demonstration that it was possible to destroy a tank-sized diesel generator with malicious code alone. (See the video of their demonstration below.) That notion—of a cyberattack that doesn’t merely disable grid equipment but physically destroys its components—still haunts grid-focused cybersecurity analysts. They warn that such a tactic, particularly if it were used on multiple targets simultaneously, could cause blackouts extending far beyond the mere hours of Ukraine’s hacker blackouts, stretching for days or weeks.
While the US has largely been spared from targeted cyberwar attacks—the collateral devastation of NotPetya aside—US intelligence warns that countries like China and Russia have already infiltrated American infrastructure to “prepare the battlefield” for any future cyberconflict. “China has the ability to launch cyber attacks that cause localized, temporary disruptive effects on critical infrastructure—such as disruption of a natural gas pipeline for days to weeks—in the United States,” noted a report from the Office of the Director of National Intelligence earlier this year. “Moscow is mapping our critical infrastructure with the long-term goal of being able to cause substantial damage.” Unspoken in such reports is the near certainty that America’s own hackers are laying the same logic bombs inside foreign networks, too.
Given that seemingly inexorable ramp-up of cyberwar’s destructive potential, how do humans head off a chaotic future of endless, widespread digital conflict? The most obvious answer is, of course, better cybersecurity: The owners of critical infrastructure across the government and private sector could certainly invest more in hardening their networks, separating vital systems from the internet wherever possible. But in cyberwar, as in the larger game of cybersecurity, the offense has the advantage: Don’t expect any security technology to prevent all future cyberattacks. Perhaps most importantly, critical infrastructure operators, government agencies, and companies need to focus on building resilient systems—ones whose backups and redundancies mean that they can bounce back quickly from serious cyberattacks.
But cyberwar wonks also say that old-fashioned deterrence needs to play a role, too. Countries need to face serious repercussions when they launch a cyberattack that violates some sort of red lines defining global norms of acceptable and unacceptable hacking activities. The Obama and Trump White Houses have taken the first steps to that kind of deterrence regime: The Obama administration indicted seven Iranian hackers for their roles in attacking US banks. Obama himself called out North Korea for its Sony cyberattack in a speech, and imposed new sanctions against the country. The Trump administration, for all its alleged friendliness toward Russian hackers, did eventually impose new sanctions against the country’s intelligence officials in response to their NotPetya chaos and operations that penetrated the US power grid..
But those actions aren’t enough, in part because the red lines they seek to enforce are still being drawn. For nearly a decade, cyberpolicy doves have been calling, largely in vain, for some sort of global treaty or convention that could establish rules for cyberwarfare. In their 2010 book Cyber War, Clarke and Knake proposed a Cyber War Limitation Treaty, which would ban first-use attacks on another country’s critical infrastructure. More recently, Microsoft president Brad Smith has called for a Digital Geneva Convention that would prohibit cyberattacks on civilian targets. Josh Corman, a former director of the Cyber Statecraft Initiative at the Atlantic Council think tank, has suggested a more limited agreement that he describes as a “cyber no-fly-zone” around hospitals, one that would essentially start the process of limiting cyberwarfare by making any life-threatening attack on medical facilities a war crime.
But as the cyberwar arms race escalates, none of those cyberpeace initiatives has gained much traction. Critics point out that cyberattack motives are hard to define—a cyberespionage or reconnaissance intrusion can often look a lot like a cyberwar attack in progress—and determining the identities of the hackers responsible can be even harder. (That so-called attribution problem hasn’t stopped the US government from definitively naming the governments responsible for most serious attacks that affected Western targets over the last decade. US intelligence agencies can use both human sources and their own powerful hacking capabilities to find the culprits behind cyberattacks even when the public can’t.)
More fundamentally, governments haven’t been willing to sign on to cyberwar limitation agreements because they don’t want to limit their own freedom to launch cyberattacks at their enemies. America may be vulnerable to crippling cyberattacks carried out by its foes, but US leaders are still hesitant to hamstring America’s own NSA and Cyber Command, who are likely the most talented and well-resourced hackers in the world. The Trump administration has only loosened the leash on Cyber Command, elevating its authority and freeing it up to launch preemptive attacks on enemy infrastructure. Just this year, Cyber Command has reportedly used those new authorities to fry the servers of the Russian troll farm known as the Internet Research Agency, target disruptive attacks on Iranian cyberspies, and plant potentially disruptive malware deep in Russia’s power grid.
In other words, the US and other world powers still haven’t realized that they have more to lose in an exchange of scorched-earth cyberattacks than to gain. Until they do, the cyberwar machine will roll onward, with nothing less than the infrastructure of modern civilization in its destructive path.
The Untold Story of NotPetya, the Most Devastating Cyberattack in History
The weapon’s target was Ukraine. But its blast radius was the entire world. “It was the equivalent of using a nuclear bomb to achieve a small tactical victory.”
What Israel’s Strike on Hamas Hackers Means For Cyberwar
The assault seems to be the first true example of a physical attack being used as a real-time response to digital aggression—another evolution of so-called “hybrid warfare.”
How Not To Prevent a Cyberwar With Russia
As the Trump administration increasingly beats its cyberwar drum, some former national security officials and analysts warn that even threatening that sort of attack could do far more to escalate a coming cyberwar than to deter it.
The Highly Dangerous ‘Triton’ Hackers Have Probed the US Grid
Security analysts at the Electric Information Sharing and Analysis Center and the critical-infrastructure security firm Dragos tracked a group of sophisticated hackers carrying out broad scans of dozens of US power grid targets, apparently looking for entry points into their networks. They probed the networks of at least 20 different US electric system targets.
How Power Grid Hacks Work, and When You Should Panic
The threat is real, but not every grid penetration calls for Defcon 1. Responding to them all with an equal sense of alarm is like conflating a street mugging with an intercontinental ballistic missile attack.
Last updated August 22, 2019.
Enjoyed this deep dive? Check out more WIRED Guides.