The rules of War 2.0 (or 3.0) are murky. Experts and pundits say that cyberwarfare is happening. And it makes sense. But it has been very hard to prove.
A new report adds to the body of evidence, charging that the Russian military is waging a sustained cyber campaign against Ukrainian military and law enforcement agencies, and the purpose is to extract a steady stream of classified documents that can aid violence and on-the-ground combat.
A Sustained Campaign Targeting Military
Lookingglass, a security firm based in Arlington, Va., and Baltimore, publishes a report Tuesday documenting a real-life instance of a cyberwar campaign.
CEO Chris Coleman says the attacks are persistent, but not sophisticated. "We're not claiming we found some big exploit in the Windows operating system," he says. "We tracked malware that was in emails, and it shows full-scale coordination."
Lookingglass says a dedicated group of hackers is getting Ukrainian military, counterintelligence, border patrol and local police to open emails with malicious attachments.
Only, they look legit. It's masterful — so far as manipulation goes — because of the "lure documents" that attackers use as bait.
Lead researcher Jason Lewis gives an example of a Microsoft Word file, dated Jan. 15, 2015. Written in Ukrainian, it's an overview of the situation at the Russia-Ukraine border — apparently authored by Ukraine's State Border Guard Service. The words "not for distribution" are written on it.
"That document appears to be something that was on a Ukrainian military computer," Lewis says. Hackers stole the document, then sent it to another Ukrainian security agency — with the malware hidden inside. "So the idea being that someone would see: 'Oh, this is news for today. Let me go and take a look and open it.' "
The malware would then infect their computer, so that the hackers could extract more classified intelligence: on the numbers of Ukrainian troops in reconnaissance battalions, the equipment they use and the rebel leaders they want.
This so-called spear-phishing attack is the same kind that got Sony Pictures. Lewis, who used to work at the National Security Agency, says military officers are human, too. "You probably have folks that don't know better and will open documents without thinking twice," he says.
Lookingglass says the attacks that focused on collecting combat intel took off in late April 2014, right after Ukraine's acting president declared a military operation against pro-Russian separatists.
The firm is tracking the activity using virtual private servers set up in Ukraine, which enable them to get scans of different attacks.
Researchers also collect malware samples from Virus Total, a free online service where hackers and researchers can submit documents to test whether they'll pass or fail antivirus scans.
Virus Total saves documents scanned, thereby creating a huge repository that anyone can sift through. Lookingglass did advanced queries, using fields including date and location, to pull additional samples of malware that targeted Ukrainian military and law enforcement.
A Window Into The Rules
In cyberattacks, it's hard to know exactly who the hacker is.
Lookingglass names the Russian security service (what used to be called the KGB). And after Ukraine declared the same last September, researcher Jason Lewis says, the attackers tweaked their malicious software to slip under the radar again: "They said, 'Oh, we've been discovered. We'll change to this new remote access tool.' "
Researchers also found that when both sides negotiated a cease-fire last June, the cyberattacks stopped for that same period as well.
"That is incredibly interesting," says Fred Cate, a cybersecurity expert and professor at Indiana University Maurer School of Law. "It's like the adversaries are actually thinking of themselves as attacking."
It looks like the hackers see themselves as part of the battlefield, he says, "and so they stop those attacks when a cease-fire's in place — as opposed to thinking of themselves as just intelligence gathering, which usually continues even during a ceasefire."
This research is among the few documented examples of cyberwarfare. While it doesn't pinpoint specific stolen data that reconfigured a specific battlefield, it does reveal the edge of a new weapon against enemies.
"If you can substitute fake instructions, if you can get them to do the wrong thing, if you can get them to send the troops where you want them sent," Cate says, "this could dramatically alter the way in which we think about warfare."
It also raises the question of when hacking constitutes an act of war. It's an issue that NATO is trying to address through the Tallinn Manual, a multilateral process initiated after the cyberattacks that crippled Estonia, following that country's spat with Russia over the removal of a war memorial.
The Russian Embassy did not respond to NPR's request for comment.
Computer scientist Stefan Savage at the University of California, San Diego says in many cyber investigations, like this one, the evidence is circumstantial. Researchers have the digital version of tire tracks and gun casings — not DNA and fingerprints.
But from a technical standpoint, he says, entities who are not Russian could have carried it out. "The question has to be 'Who else would have the motivation to do it?' because this a significant piece of work. It's effort."
Lookingglass says neither country is its client, and it was not able to investigate whether Ukraine is hacking Russia as well.