On Friday 17 January 2020, a handful of Greek government sites were attacked by a Turkish hacking group called “Anka Neferler Tim” (Phoenix’s Helmets). The attacks were typical Denial of Service (DoS) attacks, which resulted in the sites of the National Intelligence Service, the Greek Parliament, the Athens Stock Exchange and the Ministries of Finance and Foreign Affairs not being accessible for some time.
A few days later, Reuters exclusively reported that hackers, who bear “the hallmarks of a state-backed cyber-espionage operation conducted to advance Turkish interests,” have attacked more than 30 organizations, including Cypriot and Greek government email services and the Iraqi government’s national security advisor.
The reason for this post is not the incident itself, but rather the way it was covered by certain Greek media outlets. What really annoyed me was the lighthearted approach. Journalists said that “the attack is not dangerous” and that “the Greek hackers are better, and they are going to hack back.” Let me elaborate a bit on these narratives.
“The Attack is not Dangerous”
Any security incident is important, whether it is merely an incident or it evolves into an actual attack. We can learn a lot from any security incident, let alone an attack. How did the adversary launch his attack? What vectors did he employ? How did we respond to the adversary’s actions? Were incident response plans adequate? Did we identify any shortfalls? Do we need to revise our security plans and policies?
In the Armed Forces and cybersecurity, we say that you train as you will fight. What better opportunity to train yourself than a real-life event? Real-life cybersecurity events are not predictable. You expect that sometimes they may (or will) happen, but you never know when. Just like earthquakes. You must always be vigilant. And when the time comes, you have to be able to demonstrate that you can actually fight. Otherwise, your opponent will win.
Events like the one I described in the introduction offer the opportunity to learn about your adversary as well as yourself. Sun Tzu, in his masterpiece The Art of War, says that “If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.” You should never underestimate the importance of any security incident!
In addition, any security breach event can evolve into a dangerous situation. This DoS attack only affected some public-facing government sites. But let us consider what might have happened if the same DoS attack had affected some critical infrastructure.
What would have been the consequence if the Athens water supply system had been disrupted and millions of citizens had been left without water for hours? Or what would have happened if the attack had disrupted the traffic management system of the Greek capital? Chaos, traffic jams, accidents, injuries and maybe even deaths. What would have been the consequences if the Air Traffic Control system of the Athens International Airport had not been functioning? How many inbound aircraft would have had to be diverted? How many flights would have had to be cancelled? And what if there had been an accident because of this chaotic situation?
These types of attacks target what Clausewitz named the “Center of Gravity”, “the source of power that provides moral or physical strength, freedom of action, or will to act.” They aim at the citizen’s morale. You may say that I am causing alarm and demonizing these events. Well, what better proof than the recent news covering attacks against critical infrastructure:
- The Onslow Water and Sewer Authority in North Carolina has been targeted by cyber criminals. The agency’s internal computer system, including servers and personal computers, has been subjected to a sophisticated ransomware attack.
- US power facilities were hit by a cyberattack. Hackers exploited firewall vulnerabilities to cause periodic “blind spots” for grid operators in the western US for about 10 hours on March 5, 2019.
- On 23 December 2015, the Ukraine power grid cyberattack took place, and hackers were able to successfully compromise the information systems of three energy distribution companies in Ukraine and temporarily disrupt electricity supply to the end consumers.
- A report by the US Department of Transportation and another from the EUROCONTROL have warned that the air traffic control system is vulnerable to attack through the Internet.
- The cities of Pensacola, Atlanta, Baltimore and others, as well as many schools, have suffered from ransomware attacks during the past year, which halted the services offered to citizens.
And the list goes on. Arrogance and ignorance can only lead to another cybersecurity incident with an even more dreadful impact. Every security incident should be treated as a serious and “dangerous” one. We would be naïve to think otherwise.
“The Greek hackers will hack back”
Here’s an interesting concept. Have you ever thought of the consequences of hacking back? Are you prepared for these consequences?
“Hacking back” is a much-debated and controversial concept, which involves many risks. Though understandable in moral terms (we all have a right to self-defence), hacking back may create challenges that outweigh its benefits.
The main problem is attribution. Identifying an attacker, or even determining their location, is difficult. The victim may well strike back at an innocent party, who in turn could strike back at yet another innocent bystander, and the situation can easily get out of control.
Moreover, retaliating against a cyber hacker is still illegal under international law, so hacking back across national borders could create an international incident. Therefore, a cyber action can just as well evolve into a kinetic counteraction. Hacking back can only lead to darker places. So, the question that arises in cybersecurity is simple: Are you ready for war?
Instead of raising questionable tactics, public and private sectors should cooperate on how to fortify a country’s cyber defences. Luckily, in the EU, as well as in the US, there are regulations, such as the NIS Directive, and standards, such as the ISA/IEC 62443, which provide both the framework and the practices on how to apply good cyber hygiene in your infrastructure.
And most importantly: Cybersecurity is not a lighthearted topic to make fun of. Cybersecurity is to be taken seriously and is everyone’s responsibility.