Inside Cyber Warfare

Jeffrey Carr

Part 1



Since the first edition of Jeffrey Carr's Inside Cyber Warfare: Mapping the Cyber Underworld was published, cyber security has become an increasing strategic and economic concern. Not only have major corporations and government agencies continued to be victimized by massive data thefts, disruptive and destructive attacks on both public and private entities continue and show no signs of abating. Among the publicly disclosed targets of cyber attacks are major financial institutions, entertainment companies, cyber security companies, and US and foreign government agencies, including the US Department of Defense, the US Senate, and the Brazilian and the Malaysian governments.

Many of these cyber penetrations are aimed at theft of identity or financial data for purposes of criminal exploitation. These cannot simply be regarded as a "cost of doing business" or tolerable losses; such episodes undermine the public trust, which is the foundation for business transactions over the Internet. Even more significant is the threat posed by cyber theft of intellectual property. Every year, economic competitors of American businesses steal a quantity of intellectual property larger than all the data in the Library of Congress. As a result, these rivals are gaining an unfair advantage in the global economy.

Also gaining in seriousness are organized efforts to disrupt or even destroy cyber systems. Anarchist and other extremist groups, such as Anonymous and LulzSec (and their offspring), seek to punish those with whom they disagree by exposing confidential data or disrupting operations. Recent breaches of cyber security firms such as HBGary and EMC's RSA SecurID division demonstrate a strategic effort to undermine the security architecture on which many enterprises rely. And the multiplication of social media and mobile devices will create many more opportunities for cyber espionage, social engineering attacks, and open source intelligence collection by nation-states, terrorists, and criminal groups.

Since the formation of the Comprehensive National Cybersecurity Initiative in 2008, the US government has unveiled a series of security-related strategies, including legislative proposals. These are useful and important steps, but they're not enough to keep pace with the growing and diversifying threats. The private sector in particular must take ownership of much of the burden of defending the networks they own and operate. Moreover, while technology and tools are key to the solution, human beings are at the heart of any security strategy. Unless those who use the Internet observe good security practices, defensive technologies will merely be a in the road to those who seek to exploit cyberspace.

Finally, while defense against cyber attacks is important, it is not enough. When cyber attacks damage critical infrastructure or even threaten loss of life, sound strategy calls for preventive and deterrent measures. While some downplay the idea of cyberspace as a warfare domain, occurrences such as the 2008 Russia-Georgia conflict underscore that information systems are very much part of the battlefield of the future. For this reason, the US Department of Defense has issued its first official strategy for operating in cyberspace. To be sure, difficulties in attribution and questions of legal authority complicate the application of warfighting concepts to cyberspace. Nevertheless, we must tackle these issues to determine what measures can be taken offensively to eliminate or deter critical cyber threats, when those measures should be triggered, and who should carry them out. Without formulating a strategy that these measures, our cyber security doctrine will be, at best, disconnected and incomplete.

For policymakers and business leaders, cyber warfare and cyber security can no longer be regarded simply as the province of experts and technicians. The leadership of any public or private enterprise must consider the risks of and responses to cyber threats. This latest edition of Jeffrey Carr's volume is indispensable reading for senior executives as well as savants.

-The Honorable Michael Chertoff, former Homeland Security Secretary and co-founder of The Chertoff Group.


I was recently invited to participate in a cyber security dinner discussion by a few members of a well-known Washington, DC, think tank. The idea was that we could enjoy a fine wine and a delicious meal while allowing our hosts to pick our brains about this "cyber warfare stuff." It seems that the new threatscape emerging in cyberspace has caught them unprepared and they were hoping we could help them grasp some of the essentials in a couple of hours. By the time we had finished dinner and two bottles of a wonderful 2003 red, one of the Fellows in attendance was holding his head in his hands, and it wasn't because of the wine.

International acts of cyber conflict (commonly but inaccurately referred to as cyber warfare) are intricately enmeshed with cyber crime, cyber security, cyber terrorism, and cyber espionage. That web of interconnections complicates finding solutions because governments have assigned different areas of responsibility to different agencies that historically do not play well with others. Then there is the matter of political will. When I signed the contract to write this book, President Obama had committed to make cyber security a top priority in his administration. Seven months later, as I write this introduction, cyber security has been pushed down the priority ladder behind the economy and health care, and the position of cyber coordinator, who originally was going to report directly to the President, must now answer to multiple bosses with their own agendas. A lot of highly qualified candidates have simply walked away from a position that has become a shadow of its former self. Consequently, we all find ourselves holding our heads in our hands more often than not.

Cyberspace as a warfighting domain is a very challenging concept. The temptation to classify it as just another domain, like air, land, sea, and space, is frequently the first mistake that's made by our military and political leaders and policymakers.

I think that a more accurate analogy can be found in the realm of science fiction's parallel universes: mysterious, invisible realms existing in parallel to the physical world, but able to influence it in countless ways. Although that's more metaphor than reality, we need to change the habit of thinking about cyberspace as if it's the same thing as "meat" space.

After all, the term "cyberspace" was first coined by a science fiction writer. My own childhood love affair with science fiction predated William Gibson's 1984 novel Neuromancer, going all the way back to The New Tom Swift Jr. Adventures series, which was the follow-up to the original series of the early 1900s. By some quirk of fate, the first Tom Swift Jr. book was published in 1954 (the year that I was born) and ceased publication in 1971 (the year that I left home for college). Although the young inventor didn't have cyberspace to contend with, he did have the "Atomic Earth Blaster" and the "Diving Sea Copter." In an otherwise awful childhood, the adventures of Tom Swift Jr. kept me feeling sane, safe, and excited about the future until I was old enough to leave home and embark on my own adventures.

Now, 38 years later, I find myself investigating a realm that remains a sci-fi mystery to many leaders and policymakers of my generation, while younger people who have grown up with computers, virtual reality, and online interactions of all kinds are perfectly comfortable with it. For this reason, I predict that the warfighting domain of cyberspace won't truly find its own for another five to eight years, when military officers who have grown up with a foot in both worlds rise to senior leadership roles within the Department of Defense.

How This Book Came to Be.

This book exists because of an open source intelligence (OSINT) experiment that I launched on August 22, 2008, named Project Grey Goose (Figure 1). On August 8, 2008, while the world was tuning in to the Beijing Olympics, elements of the Russian Federation (RF) Armed Forces invaded the nation of Georgia in a purported self-defense action against Georgian aggression. What made this interesting to me was the fact that a cyber component preceded the invasion by a few weeks, and then a second, much larger wave of cyber attacks was launched against Georgian government websites within 24 hours of the invasion date. These cyber attacks gave the appearance of being entirely spontaneous, an act of support by Russian "hacktivists" who were not part of the RF military. Other bloggers and press reports supported that view, and pointed to the Estonian cyber attacks in 2007 as an example. In fact, that was not only untrue, but it demonstrated such shallow historical analysis of comparable events that I found myself becoming more and more intrigued by the pattern that was emerging. There were at least four other examples of cyber attacks timed with RF military actions dating back to 2002. Why wasn't anyone exploring that, I wondered?

Figure 1. The official logo of Project Grey Goose

I began posting what I discovered to my blog, and eventually it caught the attention of a forward deployed intelligence analyst working at one of the three-letter agencies. By "forward deployed" I refer to those analysts who are under contract to private firms but working inside the agencies. In this case, his employer was Palantir Technologies. "Adam" (not his real name) had been a long-time subscriber to my blog and was as interested in the goings-on in Georgia as I was. He offered me the free use of the Palantir analytic platform for my analysis.

After several emails and a bunch of questions on my part, along with my growing frustration at the overall coverage of what was being played out in real time in the North Caucasus, I flashed on a solution. What would happen if I could engage some of the best people inside and outside of government to work on this issue without any restrictions, department politics, or bureaucratic red tape? Provide some basic guidance, a collaborative work space, and an analytic platform, and let experienced professionals do what they do best? I loved the idea. Adam loved it. His boss loved it.

On August 22, 2008, I announced via my blog and Twitter an open call for volunteers for an OSINT experiment that I had named Project Grey Goose. Prospective volunteers were asked to show their interest by following a temporary Twitter alias that I had created just for this enrollment. Within 24 hours, I had almost 100 respondents consisting of college students, software engineers, active duty military officers, intelligence analysts, members of law enforcement, hackers, and a small percentage of Internet-created personas who seemed to have been invented just to see if they could get in (they didn't). It was an astounding display of interest, and it took a week for a few colleagues and me to make the selections. We settled on 15 people, Palantir provided us with some training on their platform, and the project was underway. Our Phase I report was produced about 45 days later. A follow-up report was produced in April 2009. This book pulls from some of the data that we collected and reported on, plus it contains quite a bit of new data that has not been published before.

A lot happened between April 2009 and September 2009, when the bulk of my writing for this book was done. As more and more data is moved to the cloud and the popularity of social networks continues to grow, the accompanying risks of espionage and adversary targeting grow as well. While our increasingly connected world does manage to break down barriers and increase cross-border friendships and new understandings, the same geopolitics and national self interests that breed conflicts and wars remain. Conflict continues to be an extension of political will, and now conflict has a new domain on which its many forms can engage (espionage, terrorism, attacks, extortion, disruption).

This book attempts to cover a very broad topic with sufficient depth to be informative and interesting without becoming too technically challenging. In fact, there is no shortage of technical books written about hackers, Internet architecture, website vulnerabilities, traffic routing, and so on. My goal with this book is to demonstrate how much more there is to know about a cyber attack than simply what comprises its payload.

Welcome to the new world of cyber warfare.


I'd like to thank Tim O'Reilly, Mike Loukides, Mac Slocum, and all of the great people at O'Reilly Media for supporting my work and making the difficult process of writing a book as stress-free as possible. I'd also like to thank my research assistants, Tim, Jennifer, and Catherine, for the hard work they put into researching the content for Chapters 16 and 17, which, while not complete, is the most comprehensive body of work on this topic that I believe exists anywhere in the public domain today.

Chapter 1. Assessing the Problem.

You can't say that civilization don't advance, however, for in every war they kill you in a new way.

-Will Rogers, New York Times, December 23, 1929.

Whenever someone asks if anyone ever died in a cyber war, Magomed Yevloev springs to mind.


On August 31, 2008, in the North Caucasus Republic of Ingushetia, Yevloev was arrested by Nazran police, ostensibly for questioning regarding his anti-Kremlin website. As he was being transported to police headquarters, one of the officers in the car "accidentally" discharged his weapon into the head of Magomed Yevloev.

In late December 2008, Israel launched Operation Cast Lead against Palestine. A corresponding cyber war quickly erupted between Israeli and Arabic hackers, which has been the norm of late when two nation-states are at war.

The unique aspect of this case is that at least part of the cyber war was engaged in by state hackers rather than the more common nonstate hackers. Members of the Israeli Defense Forces hacked into the Hamas TV station Al-Aqsa to broadcast an animated cartoon showing the deaths of Hamas leaders with the tag line "Time is running out" (in Arabic).

In contrast, during the Chechnya, Estonia, and Georgia conflicts, nationalistic nonstate hackers acted in concert but were not in the employ of any nation-state.

That is the second complication: attribution. And lack of attribution is one of the benefits for states who rely on or otherwise engage nonstate hackers to conduct their cyber campaigns. In other words, states gain plausible deniability.


The Second Russian-Chechen War (1997-2001).

During this conflict, in which the Russian military invaded the breakaway region of Chechnya to reinstall a Moscow-friendly regime, both sides used cyberspace to engage in Information Operations to control and shape public perception.

Even after the war officially ended, the Russian Federal Security Service (FSB) was reportedly responsible for knocking out two key Chechen websites at the same time that Russian Spetsnaz troops engaged Chechen terrorists who were holding Russian civilians hostage in a Moscow theater on October 26, 2002.

The Estonian cyber attacks (2007).

Although there is no hard evidence linking the Russian government to the cyber attacks launched against Estonian government websites during the week of April 27, 2007, at least one prominent Russian Nashi youth leader, Konstantin Goloskokov, has admitted his involvement along with some associates. Goloskokov turned out to be the assistant to State Duma Deputy Sergei Markov of the pro-Kremlin Unified Russia party.

The activating incident was Estonia's relocation of the statue "The Bronze Soldier of Tallinn," dedicated to soldiers of the former Soviet Union who had died in battle. The resulting massive distributed denial of service (DDoS) attacks took down Estonian websites belonging to banks, parliament, ministries, and communication outlets.

The Russia-Georgia War (2008).

This is the first example of a cyber-based attack that coincided directly with a land, sea, and air invasion by one state against another. Russia invaded Georgia in response to Georgia's attack against separatists in South Ossetia. The highly coordinated cyber campaign utilized vetted target lists of Georgian government websites as well as other strategically valuable sites, including the US and British embassies. Each site was vetted in terms of whether it could be attacked from Russian or Lithuanian IP addresses. Attack vectors included DDoS, SQL injection, and cross-site scripting (XSS).


The Iranian presidential elections of 2009 spawned a massive public protest against election fraud that was fueled in large part by the availability of social media such as Twitter and Facebook as outlets for public protest. The Iranian government responded by instituting a harsh police action against protesters and shutting down media channels as well as Internet access inside the country. Some members of the opposition movement resorted to launching DDoS attacks against Iranian government websites. Twitter was used to recruit additional cyber warriors to their cause, and links to automated DDoS software made it easy for anyone to participate.
