INDUSTRY INSIGHT

Cyber weapons: 4 defining characteristics

Nations can take advantage of anonymity and deniability while conducting military campaigns in cyberspace, enabling a type of “clean coercion” warfare. The number and sophistication of cyberattack campaigns by nations will continue to increase because they minimize the need to risk military personnel or costly equipment. Unlike personnel and equipment, computer code may be instantly redeployed to any area, and because code is reusable, it offers a practically bottomless magazine for future attacks.

News reports now describe cyberattacks that can result in severe physical damage to facilities and equipment, and a tendency has arisen for the media to compare malicious cyber code to weaponry. But, what is the definition of a weapon, and how can we more clearly identify when a cyberattack should be correctly labeled as a “cyber weapon”?

Each U.S. military service has its own written definition for what comprises a weapon. However, a “weapon” must also meet international legal standards. The Hague and Geneva conventions describe how a “capability” that is called a weapon cannot legitimately be used by the military until after a legal review. These conventions are intended to protect the civilian population from unnecessary suffering during a war. The “Tallinin Manual on International Law Applicable to Cyber Warfare” was developed after a series of cyberattacks were directed against Estonia in 2007, causing extensive disruption to civilian services. This manual defines a cyber weapon as a “cyber means of warfare” that is capable, by design or intent, of causing injury to persons or objects. So, if there is intentional injury, or if computer functionality is intentionally disrupted through a cyberattack, then we might be experiencing a cyber weapon.

With most cyberattacks, however, the attribution and intention may be unknowable. In addition, cyberattacks often create cascade effects that were outside the original intentions of the attacker. However, reverse-engineering and analysis of malicious code used in recent sophisticated cyberattacks have revealed four common characteristics that help provide a clearer and more useful definition for a cyber weapon:

  1. A campaign that may combine multiple malicious programs for espionage, data theft, or sabotage.
  2. A stealth capability that enables undetected operation within the targeted system over an extended time period.
  3. An attacker with apparent intimate knowledge of details for the workings of the targeted system.
  4. A special type of computer code to bypass protective cybersecurity technology.

The most frequently discussed example of a state-sponsored cyber weapon attack resulting in physical damage involved a years-long campaign of stealth, data theft and sabotage targeting the nuclear program in Iran. Malicious programs, given names such as Flame, Duqu, and Stuxnet and reportedly created by the same design team of hackers, were crafted to steal sensitive information, monitor internal messages and then disrupt and disable targeted industrial control systems for a specific type of centrifuge equipment in a special nuclear facility in Iran. The entire campaign may have been in operation secretly from 2006 through 2010 before being discovered by security personnel working outside Iran. Analysts agree that such a sophisticated and long-running cyber campaign showed that the designers of the malicious code had acquired an intimate knowledge of the targeted systems before launching the cyberattacks.

A recent cyberattack that resulted in physical damage occurred in 2014, when the German Federal Office for Information Security (BSI) reported that a steel mill suffered severe damage and forced a shut down due to a cyberattack that caused heavy equipment to go out of control. Analysts have concluded that the attack was effective primarily because the unknown hackers had an intimate knowledge of the workings of the steel mill plant, according to BBC News.

Technologies used for cybersecurity defenses are becoming less reliable in providing adequate protection as attacks become more sophisticated. A major cause of this reduced effectiveness is the zero-day exploit, which is a type of computer code specially designed to defeat protective cybersecurity controls.

A ZDE is added onto the larger malicious payload of a cyber weapon and is designed to take advantage of a vulnerability that is new and unknown within the targeted system. A ZDE is able to bypass or temporarily suspend the operation of protective technology used for cyber security controls, and thus it can open a targeted computer system so the malicious payload can enter and begin its mission. Many highly skilled hackers around the globe work diligently to discover computer system vulnerabilities that allow creation of newer ZDEs. These hackers are motivated because ZDEs can be sold for large amounts to bidders such as nation states or extremists. The ZDEs that are discovered by hackers are growing in numbers as software systems become more complex, making them an important player in current and future generation cyber weapons.

A cyber weapon campaign can also have problems of control. Although Stuxnet operated undetected, it reportedly was secretly updated several times to add new functionality. However, the code unexpectedly escaped the confines of the Iranian uranium enrichment facility, and since that time instances of Stuxnet infections have been detected in facilities operating in many countries outside of Iran. However, the equipment in other countries escaped damage because the Stuxnet payload was designed to attack only the specific equipment inside the nuclear facility in Iran. Future cyber weapons that are not as carefully designed as Stuxnet could spread unexpectedly and cause unintended collateral damage to facilities in other countries.

The Stuxnet cyber weapon campaign caused Iran’s nuclear program to suffer a setback, but one that lasted only a short time. Since the attack was discovered, Iran has taken steps to increase management of its security and has revived its capabilities for enrichment of nuclear materials. Future generation cyber weapons will undoubtedly take greater advantage of opportunities that are expanding as more intimate knowledge about designs and vulnerabilities for equipment and facilities becomes available over the internet. Future targets will likely include complex military weapon systems, along with command and control (C3/C4 Computer) systems, or even missile defense systems.

As another example of growing vulnerabilities for sophisticated military equipment, the Defense Science Board reportedly has given the Pentagon a classified list of U.S. military weapons systems where designs were stolen by cyber espionage. The list includes designs for the advanced Patriot missile system, known as PAC-3, according to the Washington Post. A separate report, also available on the Internet, shows research on vulnerability analysis of U.S. national missile defense software, including the PAC-3 Patriot Missile System.

It is clear that cyberattacks are becoming more sophisticated, and when the following characteristics are combined, it is fair to label the attack code a cyber weapon:

(a) use of ZDEs to bypass cybersecurity technology;

(b) use of a coordinated campaign of malicious programs for espionage, theft and sabotage;

(c) use of stealth to prolong malicious operations; and

(d) an attacker with apparent intimate knowledge of the workings of the targeted system – then the attack code can be labeled as a cyber weapon.

As more information describing details and possible vulnerabilities of sophisticated civilian and military equipment is acquired through cyber espionage, or is published openly, these systems may become the targets for future generation cyber weapons. The Stuxnet example has shown that future generation cyber weapons can go out of control, with unpredictable consequences.

While there has been no reported loss of life directly linked to cyberattacks, there is a growing temptation for nations to view cyber weapons as a “cleaner” form of warfare, to be favored over, or perhaps even replace, traditional negotiations that can be prolonged or frustrating. However, the next generation of cyber weapons will increasingly target and destroy physical equipment in industrial and military facilities, and the time may come when we also begin to see human casualties.

About the Author

Clay Wilson is a retired program director for Cybersecurity Studies at American Military University and past program director for Cybersecurity Policy at University of Maryland University College.

inside gcn

  • augmented reality training (Army Research Laboratory)

    Army seeks virtual training environment for squads

Reader Comments

Sun, Nov 22, 2015 Ben Knight Greenbelt Md

Now, DOD is preparing to attack targets with special cyber weapons? What could possibly go wrong?

Mon, Jun 29, 2015 Otaku Tech Japan

This article shows the stages and components that must be combined for an attack using a self-directed cyber weapon. Hackers must first infiltrate a system, learn its details, before designing and then sending out a cyber weapon to attack. We need to recognize that security technology by itself is no longer blocking this cyber-espionage used to gather information needed for planning by hackers. Research for cybersecurity must now shift to focus more on better policy and training to interfere with the cyber espionage, and to more quickly spot a cyber weapon at work.

Mon, Jun 15, 2015

Writing about new technology trends often invites criticism. The author here gives a framework to start understanding what cybersttacks might do next. Technology alone is not enough for protection. But Cold War methods may not deter use of cyber weapons.

Fri, Jun 5, 2015 Boston Boston

This article was very informative and full of eye opening issues. I hope solutions for combating these hackers continue and somehow serious consequences are dealt to discourage future attacks.

Thu, Jun 4, 2015 Some Guy

Well ... "... if computer functionality is intentionally disrupted through a cyberattack, then we might be experiencing a cyber weapon." Key word being "might" ... flash.c or smurf.c anyone? Page one also says "espionage, theft and sabotage" but page two says "espionage, theft and sabotage" ... so which one is it? If it's the latter, even something like Flame wouldn't qualify. The zero-day portion is written with an unnecessary and strange amount of obscuring language. Also who are we kidding with "special type of computer code to bypass protective cybersecurity technology"? Do you mean exotic stealth infection techniques like autorun.inf? The "apparent intimate knowledge of details for the workings of the targeted system" part is weird too. Yes this is kind of interesting if it's some obscure PLC used by two countries and it's clear somebody went to great lengths to know exactly how to gain control. But unlocking the intimate "workings" of Windows Server are less indicative of, well, much of anything. Lots of researchers looking into vulnerabilities are not "motivated because ZDEs can be sold for large amounts to bidders such as nation states or extremists". Some are but it's way too broad a stroke, lots of people research with the intent to responsibly disclose. In the context of the current export debate this stuff should be handled better, it deserves it. Then the zero-day fixation serves to muddy the second list ... if a piece of code can do all this stuff but with a vuln released last week, that's just the usual? Also why not get into C&C, not just the whole co-ordinated part? Not sure this author has helped to clarify much of anything here.

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above