Cyber Operations - Jerry M. Couretas - E-Book

Description

A rigorous new framework for understanding the world of the future

Information technology is evolving at a truly revolutionary pace, creating with every passing year a more connected world with an ever-expanding digital footprint. Cyber technologies like voice-activated search, automated transport, and the Internet of Things are only broadening the interface between the personal and the online, which creates new challenges and new opportunities. Improving both user security and quality of life demands a rigorous, farsighted approach to cyber operations. Cyber Operations offers a groundbreaking contribution to this effort, departing from earlier works to offer a comprehensive, structured framework for analyzing cyber systems and their interactions. Drawing on operational examples and real-world case studies, it promises to provide both cyber security professionals and cyber technology designers with the conceptual models and practical methodologies they need to succeed.

Cyber Operations readers will also find:

* Detailed discussions of case studies including the 2016 United States Presidential Election, the Dragonfly Campaign, and more
* Coverage of cyber attack impacts ranging from the psychological to attacks on physical infrastructure
* Insight from an author with top-level experience in cyber security

Cyber Operations is ideal for all technological professionals or policymakers looking to develop their understanding of cyber issues.


Page count: 490

Publication year: 2024




Table of Contents

Cover

Table of Contents

Title Page

Copyright Page

Dedication

Preface

Section I: Cyber Operations Introduction

I.1 Phases of Cyber Operations

1 Cyber Operations

1.1 Cyber Operations Introduction

1.2 Early Internet and Cyber Operations

1.3 Cyber Operations’ Stage Descriptions

1.4 Cyber Operations Wrap‐up

Bibliography

2 ISIS and Web‐Based Insurgency

2.1 Introduction

2.2 Cyber‐Based Irregular Operations

2.3 ISIS and Web‐Based Insurgency Wrap‐up

Bibliography

3 Cyber and Crime

3.1 Cyber and Crime

Bibliography

4 Nation‐State Cyber Operations

4.1 Nation State Cyber Operations

Bibliography

5 Russian Cyber Operations

5.1 Russian Cyber Operations

Bibliography

6 Chinese Cyber Operations

6.1 Chinese Cyber Operations

Bibliography

7 DPRK Cyber Operations

7.1 DPRK Cyber Operations

Bibliography

8 Iranian Cyber Operations

8.1 Iranian Cyber Operations

8.A Cost of Iranian Cyber Attacks

Bibliography

9 Independent Cyber Operators

9.1 Independent Cyber Operations

Bibliography

Section I: Cyber Operations Summary

I.1 Introduction

I.2 Phases of Cyber Operations

Bibliography

Section II: Introduction to Cyber Effects

II.1 Cyber Effects Introduction

Bibliography

10 Strategic Cyber Effects

10.1 Strategic Cyber Effects

Bibliography

11 Strategic Cyber Effects (2)

11.1 Critical Infrastructure Strategic Cyber Effects

11.A Strategic Effect Examples

Bibliography

12 Tactical Cyber Effects

12.1 Cyber Tactical Effects

12.A Cost of Example Tactical Cyber Attacks (Iran)

Bibliography

13 Cyber Crime Effects

13.1 Criminal Cyber Effects

Bibliography

Section II: Cyber Effects Conclusions

II.1 Cyber Effects Overview

II.2 Cyber Effects’ Wrap‐up

Bibliography

Section III: Cyberspace Environment and Tools Introduction

Bibliography

14 Criminal Cyber Operations and Tools

14.1 Criminal Cyber Operations and Tools

Bibliography

15 Russian Cyber Operations and Tools

15.1 Russian Cyber Operations and Tools

Bibliography

16 Iran, China, and DPRK Cyber Operations and Tools

16.1 China, DPRK, and Iran Cyber Operations and Tools

Bibliography

17 Strategic Cyber Technologies – ICS/SCADA, Election Machines, and Crypto Currencies

17.1 Strategic Cyber Technologies

Bibliography

18 Cyber Case Studies Conclusion

Section III: Cyberspace Environment and Tools Conclusion

III.A Appendix I – Tool Examples

Bibliography

CCS Glossary

Index

End User License Agreement

List of Tables

Preface

Table P.1 Technical and Operational Cyber Timeline.

Chapter 1

Table 1.1 Example Stages of Internet Use for Coordination, C2, and Social M...

Chapter 2

Table 2.1 Al Qaeda in Iraq (AQI), the Arab Spring, and ISIS Information Ope...

Table 2.2 Insurgency Phases – Comparison of Physical and Virtual Space Oper...

Table 2.3 News Reporting on Counter‐ISIS Cyber Operations.

Chapter 3

Table 3.1 Cybercrime Quadrant.

Table 3.2 Top 5 Cybercrime Types (2020).

Table 3.3 Phishing Types (6).

Table 3.4 Ransomware Groups.

Table 3.5 Ransomware Attack Stages.

Table 3.6 Organized Crime Membership Size Example.

Table 3.7 Cyber Gang Life Time (average).

Chapter 4

Table 4.1 DHS Critical Infrastructure List (CISA).

Table 4.2 Nation‐State Critical Infrastructure Scan and Attack Examples.

Table 4.3 Cyber and Espionage from the Beginning of Networked Computers.

Chapter 5

Table 5.1 Russian Federation Intelligence Agencies.

Table 5.2 Russian Cyber Teams (APTs).

Table 5.3 Estonia Cyber Campaign – Phases and Skill Levels.

Table 5.4 Operation Dragonfly (2012–2017).

Table 5.5 GRU Cyber Operations Units.

Chapter 6

Table 6.1 BAH Themes and Supporting Case Studies.

Chapter 7

Table 7.1 DPRK Cyber Teams (APTs).

Table 7.2 DPRK Cyber Operations.

Chapter 8

Table 8.1 Example Iranian Cyber Operations.

Table 8.2 Iranian Companies Supporting Cyber Operations.

Table 8.3 Hamas Cyber Operations.

Table 8.4 Iranian Cyber Teams.

Table A.1 Iranian Cyber Operations and Reconstitution Costs.

Chapter 9

Table 9.1 Chinese Hacker Group Development.

Table 9.2 Anonymous Attacks on Russia.

Table 9.3 Independent Cyber Operations.

Chapter 10

Table 10.1 STUXNET Versus Operation Desert Fox – Strategic Cyber Operations...

Chapter 11

Table 11.1 Energy System Attacks.

Table 11.2 Water System Attacks.

Table 11.3 Agriculture Company Attacks.

Table 11.4 Cyber Media Operations – The Panama Papers, the 2016 Presidentia...

Table 11.A.1 Estimated Costs of Strategic Effects.

Chapter 12

Table 12.1 Operation Orchard – Conventional Cyber Operations with Cost/Bene...

Table 12.2 ISIS and Tactical Effects.

Table 12.3 Estimated Steady State Costs to Suppress ISIS in the Physical Do...

Table A.1 Iranian Cyber Operations and Reconstitution Costs.

Chapter 13

Table 13.1 Data Breach Statistics.

Table 13.2 Year versus Confidentiality Impact (2006–2019).

Table 13.3 Geometric Growth of Ransomware Costs.

Table 13.4 2021 Ransomware Group Activity.

Table 13.5 Cyber Gangs, Lifetimes, and Earnings.

Chapter 14

Table 14.1 Example Malware Loaders.

Table 14.2 Ryuk Ransomware Development from Hermes.

Table 14.3 Trickbot/Emotet/Ryuk Cyber Attack.

Table 14.4 HIVE Malware Attack Stages.

Table 14.5 Criminal BOTNETs.

Table 14.6 Criminal Cyber Tool Examples.

Chapter 15

Table 15.1 Russian Cyber Tools.

Chapter 17

Table 17.1 Election Machine Types.

Table 17.2 Bitcoin Mining by Country.

Section 1

Table I.1 Cyber Operations Development – 1980s to Present Day.

Section 2

Table I.1 Cyber Operations Development – 1980s to Present Day.

Section 4

Table II.1 Estimated Costs of Criminal Operations.

Section 6

Table A.1 Tool Uses by Respective Actors.

List of Illustrations

Preface

Figure P.1 Cyber Case Studies Book Organization.

Chapter 1

Figure 1.1 Example Commercial Cyberattacks and Cost (2006–2019).

Figure 1.2 Cyberattackers Operate in Multiple Domains.

Figure 1.3 Kinetic/Non‐Kinetic Line of Hostility.

Figure 1.4 Tactical Cyber Operations – Social Network Analysis (SNA) and Att...

Figure 1.5 Graph of tweets regarding Ukraine over time.

Figure 1.6 Weaponized Social Media Timeline.

Chapter 2

Figure 2.1 Raqqa, Syria (ISIS Headquarters (2014–2017)).

Chapter 3

Figure 3.1 Online Fraud Landing Page Example (Federal Trade Commission).

Figure 3.2 Cyber Tool Development Timeline.

Chapter 4

Figure 4.1 Research/Engineering/Intelligence – Nation‐State Cyber Organizati...

Figure 4.2 Cyber Attack Elements (Criminal, Tactical, Strategic).

Chapter 5

Figure 5.1 Russian Intelligence Organizations, APTs, and Operations.

Figure 5.2 Moscow Headquarters of Russia's Federal Security Service, the Suc...

Figure 5.3 Corporations, Criminal Gangs, and the FSB.

Figure 5.4 Russian Cyber/Kinetic Attacks on Ukraine.

Chapter 6

Figure 6.1 China's Timeline of Cyber Capabilities Development.

Figure 6.2 China's J‐31 Versus U.S. F‐35.

Figure 6.3 Tan Dailin (APT 41).

Figure 6.4 2010s Chinese Data Extractions – Identity, Health, and Credit Sco...

Figure 6.5 Booz Allen Hamilton China Analytic Framework.

Chapter 7

Figure 7.1 North Korea – Borders on South Korea, China and Russia.

Figure 7.2 Kim Il Sung.

Figure 7.3 Kim Il Sung (left) with son and heir Kim Jong Il (right).

Figure 7.4 Mandiant Assessment of DPRK Cyber Programs.

Chapter 8

Figure 8.1 MOIS and Quds Force – Internal and External Cyber Operations.

Figure 8.2 MOIS and Quds Force with Suppliers who Support Cyber Operations....

Figure 8.3 MOIS, the National Information Network (NIN) and Contractors.

Figure 8.4 Iranian Cyber Proxies.

Figure 8.5 Iranian Cyber Operations Include Russian and Chinese Support.

Figure 8.6 Iranian Cyber Advanced Persistent Threats (APTs).

Figure 8.7 Iranian Cyber Operators, Suppliers, and Proxies.

Chapter 9

Figure 9.1 Robert Tappan Morris – author of the Morris Worm.

Chapter 14

Figure 14.1 EMOTET Dropper Example.

Figure 14.2 EMOTET Timeline of Activity.

Figure 14.3 Emotet/Trickbot/Ryuk.

Chapter 15

Figure 15.1 Attacker Path in “The Cuckoo's Egg”.

Figure 15.2 Operation Moonlight Maze Attack Connections.

Figure 15.3 SolarWinds Attack Cycle.

Figure 15.4 Russian Propaganda Index.

Chapter 16

Figure 16.1 Park Jin Hyok – Sony Pictures, Bangladesh Bank, and WannaCry Ran...

Chapter 17

Figure 17.1 Industrial Control System Protocols and Frequency of Use.

Figure 17.2 Commercial Organization Hash Rates and Changes (early 2022).

Section 3

Figure II.1 Cyber Attackers Operate in Multiple Domains.

Section 4

Figure II.1 Strategic, Tactical, and Criminal Domains and Operations.


Cyber Operations

A Case Study Approach

Jerry M. Couretas

Journal of Defense Modeling and Simulation, Hampton Hill Circle, United States

Copyright © 2024 by John Wiley & Sons, Inc. All rights reserved.

Published by John Wiley & Sons, Inc., Hoboken, New Jersey. Published simultaneously in Canada.

No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per‐copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, (978) 750‐8400, fax (978) 750‐4470, or on the web at www.copyright.com. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748‐6011, fax (201) 748‐6008, or online at http://www.wiley.com/go/permission.

Trademarks: Wiley and the Wiley logo are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates in the United States and other countries and may not be used without written permission. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc. is not associated with any product or vendor mentioned in this book.

Limit of Liability/Disclaimer of Warranty While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Further, readers should be aware that websites listed in this work may have changed or disappeared between when this work was written and when it is read. Neither the publisher nor authors shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.

For general information on our other products and services or for technical support, please contact our Customer Care Department within the United States at (800) 762‐2974, outside the United States at (317) 572‐3993 or fax (317) 572‐4002.

Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic formats. For more information about Wiley products, visit our web site at www.wiley.com.

Library of Congress Cataloging‐in‐Publication Data applied for:

Hardback ISBN 9781119712091

Cover Design: Wiley

Cover Image: © Yuichiro Chino/Getty Images

Dedication

The development of this book had many hands. Mr. Ed Waltz was key to the early discussions, feedback, and support for this work. In addition, I would like to thank Adam Gordon and Pat Adrounie for reviewing each of the chapters during the writing phase. I would also like to thank Aileen Storry, my editor at Wiley, whose patience was key in completing this project.

I would like to dedicate this book to Monica, Sophie, and Ella for the time and patience that they provided. In addition, I would also like to thank my parents, Gus and Mary, for providing an example of persistence and faith.

Preface

The goal of this book is to help the reader understand cyberattacks, and case studies are one way to untangle the teams, targets, and tools that compose a cyber operation. While current cyber operations’ reporting can be a challenge to “unpack,” this book defines the terms, describes the operations, and profiles some of the key players that scan our critical infrastructure, broadcast fake news, and influence our elections.

One excuse for the difficulty of understanding cyberattacks is that cyber is “new.” Cyber is not new. We have had cyberattacks in their current form since at least the 1980s, when the Soviet KGB used West German hackers to steal U.S. Star Wars missile defense system secrets (Stoll, 2005). In addition, intelligence operations that include the now‐key cyber actions of denial, data theft, and disinformation have been around for millennia.

There are shifting definitions of “cyber” due to overlaps between changing technology and operation types. For example, a cyberattack in the early 2000s would likely have been theft or website defacement. By 2020, a cyberattack was more likely to be a system locked down by ransomware with a payment required in Bitcoin to regain system access.

We will track the relatively short history of cyber operations in terms of the technologies developed, the operations performed, and the effects achieved. A shortened version is provided in Table P.1.

As shown in Table P.1, the use of cyber spans from simple data exfiltration, through information operations, to delaying a nation‐state nuclear program (e.g., 2010 STUXNET). Cyber operations developed in phases, from hackers to hacktivists to cyber teams, supported by web technology and social media development, with the 2010 STUXNET and WikiLeaks events proving the ability to deliver strategic effects via cyber. This was also the time frame when several political transitions appear to have led to increased investment in cyber operations. Using Table P.1’s timeline, we will describe nation‐state and independent/hacker cyber actors in terms of operations, effects, and environment (Figure P.1).

Table P.1 Technical and Operational Cyber Timeline (technical developments and first‐of‐a‐kind cyberattacks, grouped by period).

1960s to early 1990s

1960s: Research network (i.e., ARPANET) set up between universities and government labs

1980s: Soviet Union uses ARPANET for espionage, via West German hackers, to attempt to extract US Star Wars missile defense system secrets

1988: Morris worm disrupts roughly a tenth of the hosts on the early Internet

1990s to 2011

1990s: Russian Federation launches Operation Moonlight Maze

1993: Windows NT released

1994: Netscape browser released

2002: Tor (The Onion Router) anonymous connection software first released

2003: China starts the Operation Titan Rain/Byzantine Hades intrusion set (i.e., extracting US F‐35 data)

2007: Estonia DDoS attack

2008: Georgia cyber/kinetic attack

2008: Bitcoin white paper released (network goes live in January 2009)

2010: STUXNET

2011: ISIS emerges from the Internet as a “state”

2011–2013: Silk Road uses the Internet to sell drugs, with Tor for communications and Bitcoin for payment

2012 onward: Nation‐State Cyber Operations Professionalize

2012: Reveton “police” ransomware spreads; Bitcoin becomes the standard ransom payment channel with CryptoLocker (2013) (Shea, 2023)

2012: Russia (Operation Dragonfly) and China (Operation Night Dragon, active since 2009) probe US energy pipelines

2012: Iran attempts to use cyber to induce an energy and banking crisis through the Shamoon wiper (Saudi Aramco) and Operation Ababil (DDoS on US banks), respectively

2014: ISIS live streams the capture of Mosul on Twitter

2016: DPRK attempts to steal $1 billion from Bangladesh Bank (netting $81 million)

2016: Nation‐state tools compromised and released to the wild (Shadow Brokers)

2017: NotPetya malware results in an estimated $10 billion remediation cost

2017: WannaCry malware results in an estimated $100 million remediation cost

2020: SolarWinds supply chain attack (disclosed December 2020); the trojanized Orion update reached roughly 18,000 customer organizations

2022 onward

Russia attacks Ukraine, leading with cyber wiper attacks

China probes US critical infrastructure

Iran monitors and suppresses protests

DPRK continues to drain digital wallets

As shown in Figure P.1, Section I starts with tactical operations’ examples (e.g., ISIS, Russia) (Chapter 1). We will then provide an example of ISIS using the web as a maneuver space to move from a Phase I to a Phase III insurgency (Chapter 2). Chapter 3 is a background on cybercrime, including the Shadow Brokers and the proliferation of ransomware. Chapters 4 through 8 describe nation‐state operations, including those in Russia, China, the DPRK, and Iran. And Chapter 9 is a review of independent cyber operators, including current operations’ development from hacktivists and the global effects felt from WikiLeaks in 2010.

Figure P.1 Cyber Case Studies Book Organization.

Section II discusses effects in terms of strategic, tactical, and criminal. Strategic effects cause a nation‐state‐level change of plans; STUXNET is a good example. We will also look at tactical effects, especially those employed by Russia in Ukraine, and at criminal cyber operations, many stemming from the Shadow Brokers tool release (e.g., ransomware), along with the potential strategic effects of criminal attacks (e.g., critical infrastructure shut‐downs).

Section III is a review of cyber terrain and is designed to discuss the current composition of the Internet and which systems really have the ability to change our way of life (e.g., voting machines, critical infrastructure, …, developing crypto currencies). Section III includes tool examples, from operational command and control frameworks to example firing paths used in actual operations.

Section I: Cyber Operations Introduction

Cyber attacks can produce nightmare scenarios. For example, a 2015 Lloyd’s of London study, “Business Blackout,” modeled a cyber attack on the U.S. power grid that left 93 million Americans, across 11 states and the District of Columbia, without power, at an estimated cost of $243 billion, rising to $1 trillion in the most stressing scenario (Trevor Maynard, 2015). The base case alone is roughly 25 times the $10 billion cost of the 2017 NotPetya attack, which disrupted global shipping and trade (Greenberg, 2017).

In addition to such catastrophic scenarios, we now have criminal ransomware gangs attacking critical infrastructure targets and holding them hostage. Russian‐speaking ransomware gangs became notorious for attacks on JBS Foods (a Brazilian‐headquartered meat processor whose North American and Australian plants were halted, 2021), Colonial Pipeline and NEW Cooperative in the United States (2021), and the Costa Rican government’s IT systems (2022). These critical infrastructure targets are considered strategic because keeping their services available is a life‐sustaining necessity.

In the following Section I chapters, we will cover cyber operations in terms of their phased development. This includes a brief history of ISIS operations, and then Russia, in an overview of the use of cyber operations for tactical and strategic effects (Chapter 1). Chapter 2 includes a look at ISIS using cyber as a maneuver space in transitioning through the phases of an insurgency, maturing to a Phase III insurgent with a firm base in Raqqa, Syria. And Chapter 3 includes a review of criminal cyber, including the development of ransomware.

Nation‐state operations are introduced in Chapter 4, including a description of the research, development, and clandestine operational resources applied to cyber operations. This is followed by chapters on Russia, China, North Korea, and Iran, in order to compare and contrast how each country has implemented cyber operations as policy. Section I’s examples span the history of cyber operations to date, from early hacktivism to current political uses of social media platforms, and from simple, experimental hacks to nation‐state operators performing cyberspace espionage and information operations (IO) (Table I.1).

As shown in Table I.1, cyber operations have often included nation‐state interest, with “The Cuckoo’s Egg” (Stoll, 2005) documenting the Former Soviet Union (FSU) use of hackers to attempt to steal U.S. military secrets near the end of the Cold War (Chapter 4). The near success described in “The Cuckoo’s Egg,” in the late 1980s, likely inspired Russian operators to continue their cyber collection pursuits, eventually succeeding with Operation Moonlight Maze in the mid‐1990s.

Table I.1 Cyber Operations Development – 1980s to Present Day (columns: Time Period, Stage, Examples).

1980s to late 1990s – Hacking and Experimentation

1988 Morris Worm

1989 Cuckoo’s Egg – Russian KGB collecting on the U.S. Star Wars program via West German hackers (Former Soviet Union)

1998 Moonlight Maze (Russian Federation)

1998 Honker Union Hackers (1998 Indonesia, 2001 U.S. White House web page) (China)

Early 2000s to mid‐2010s – Development

2003 Titan Rain (China)

2007 Estonia Denial of Service (DoS) (Russia)

2008 Georgia Multi‐Domain (Russia)

2010 Stuxnet attack on Iran’s nuclear program

2010 WikiLeaks (State Department cables)

2011 DigiNotar (Iran)

2011–2016 ISIS emergence from the Internet

2014 Ukraine Denial of Service (DoS) (Russia)

Mid‐2010s onward – Implementation

2014–present Ukraine cyber/kinetic attacks (Russia)

2014 Mosul Offensive broadcast live on Twitter (ISIS)

2014–2018 “Big Data” exfiltrations (China)

2016 U.S. Presidential election attack (Russia)

2016 Bangladesh Bank (DPRK)

2017 NotPetya (Russian Federation)

2017 WannaCry (DPRK)

2019 Great Cannon (China)

Mid‐2020 onward – Proliferation

2021 Colonial Pipeline attack, JBS Foods …

2022 Counter‐protest operations (Iran)

During this hacking and experimentation period of networked computers, we will also look at potentially damaging hacks (Chapter 9). For example, the 1997 “Jester” intrusion at Worcester, Massachusetts airport, the Slammer worm (2003), and the Sobig worm (2003) demonstrated critical infrastructure denial capabilities: the Worcester intrusion cut telephone service to the airport’s control tower and emergency services for hours, Slammer disabled a safety monitoring display at the (already offline) Davis‐Besse nuclear plant, and Sobig disrupted CSX rail signaling and halted trains.

While hackers have provided worst‐case scenarios by literally shutting off critical parts of our infrastructure, nation‐states have also leveraged their hackers to develop cyber capabilities. For example, while Russia (Chapter 5) started with the use of cyber for espionage, China (Chapter 6) developed somewhat differently. Starting in the late 1990s, China’s hackers self‐organized to deface Indonesian Government web sites (in 1998) to protest attacks on ethnic Chinese (Nuttall, 1998). Similarly, in 1999, Chinese hackers attacked U.S. Government web sites to protest the bombing of the Chinese embassy in Belgrade (Messmer, 1999), and again in 2001 to protest the collision of a PRC fighter with a U.S. reconnaissance aircraft (Tang, 2001). China then matured this capability for wide‐scale collection a few years later, in the form of Operation Titan Rain (2003–2007).

And, while China was conducting its first widespread cyber collection campaign (Operation Titan Rain), Russia incorporated cyber into all‐domain operations, initially using Denial of Service (DoS) in Estonia (2007) and expanding the use of cyber to include information operations in Georgia (2008). Russia subsequently articulated what Western analysts labeled the “Gerasimov doctrine” (after a 2013 article by General Valery Gerasimov) and then integrated cyber and kinetic operations in its 2014 annexation of Crimea (Greenberg, 2019).

As introduced in Chapter 4, and elaborated on in Chapters 5 through 8, there are approximately 50 nation‐state‐level advanced persistent threat (APT) teams currently accounted for (Mandiant). Behind these teams are crypto currency operators, ransomware group members, tool suppliers, and other support personnel working for foreign intelligence services. Independent cyber operators, discussed in Chapter 9, can also produce strategic effects. For example, WikiLeaks’ publication of classified U.S. military documents, State Department cables, and Democratic National Committee e‐mails, and the ICIJ’s Panama Papers release of Panamanian corporate records, each led to geopolitical change.

I.1 Phases of Cyber Operations

Cyber operations to date have passed through roughly three phases in their development from individual hackers to nation‐state and professional ransomware operations: Internet development (1980s–2002), operations experimentation (2003–2012), and professional cyber operations (2013 to present).

I.1.1 1980s–2002

Even before the roll‐out of personal computers, hacking was a game of wits between the hacker and the machine. Early incarnations of the Internet (e.g., ARPANET) connected thousands of computers, and it was only a matter of time before a determined hacker tested the limits of this new networked world. The popular movie “WarGames” (Badham, 1983) raised awareness of the dangers of networked computers and led policy makers to write the Computer Fraud and Abuse Act (Congress, 1986). Only a few years later the law was used to prosecute Robert Tappan Morris for the damage his “Morris Worm” caused on the early Internet in 1988; he was convicted under it in 1990.

Due to the government’s use of the pre‐Internet to connect government and university computers, one of the first documented cyber operations included the KGB experimenting with the use of West German hackers to steal information on the U.S. Star Wars missile defense system in the 1980s.

In 1984, Judge Greene broke up the AT&T monopoly, decentralizing telecommunications initially into seven regional companies. This opened a market for emerging operating system and network routing companies. A few years later Microsoft went public (1986), and Cisco, one of the first big Internet routing companies, went public in 1990. These are the companies that provide the building blocks of the current Internet.

At the same time that telecommunications, personal computers, and networking were rapidly changing, the geopolitical order was also put in flux with the fall of the Soviet Union (1991). This included changes in the military/political landscape. While Russia started working its way toward a non‐Soviet system, client states (e.g., DPRK, Iraq) lost their super power sponsorship.

1991 was also the year that the United States, with a coalition, expelled Saddam Hussein’s Iraq from Kuwait after a surprise invasion. This war saw the first combat use of cruise missiles and the employment of precision‐guided “smart bombs” at scale. The United States suffered few casualties while winning decisively against Iraq’s Soviet‐trained and ‐equipped army, at least partially due to these new information‐related capabilities.

China watched the Gulf War closely and processed their lessons learned as the need to strike first, before an adversary builds a decisive position that predetermines a victorious engagement (Chapter 6). China’s offensive cyber ops tempo for the last two decades may very well be their longer term, slow motion, “first strike.” The late 1980s were also the time period when China began to open up to foreign business and send scholars overseas for education, including post‐doctoral appointments to U.S. national laboratories.

The 1990s and early 2000s were characterized by hacktivists: cyber operators using the web with a political axe to grind. One of the more famous hacktivist groups was from mainland China (Chapter 9), protesting the treatment of ethnic Chinese during riots in Indonesia (1998) and the loss of a Chinese fighter that collided with a U.S. intelligence aircraft over the South China Sea (2001). One form of protest for these Chinese hacktivists was web site defacement, including of the U.S. White House site.

I.1.2 2003–2012

The 1990s included the disintegration of Soviet‐era institutions, minimizing Russia as a threat in the minds of Western policy makers. That was until U.S. government cyber operators discovered the Russian Federation’s Operation Moonlight Maze (1996–1999), a cyber exfiltration that resulted in the loss of some 5 GB of data (Doman, 2016), an extraordinary amount at that time. The operation, against U.S. military and research targets, has since been linked to Turla, an FSB‐associated group (Chapter 5).

The Iraq insurgency (2004–2008) included a novel development: al Qaeda and al Qaeda in Iraq (AQI) used cyber operations to support their recruiting, financing, and communications. A plethora of videos and documents, from recruitment sermons and weapons manuals to execution footage, built up a rich cyber footprint that characterized AQI. This included using cyber to coordinate, and to participate in, physical attacks (Chapter 1). The web also provided a maneuver space for AQI’s gestation into ISIS just after Coalition Forces left Iraq’s Anbar province. This was also during the Arab Spring (2011), which included Syria’s partial disintegration. ISIS emerged from the web as a physical entity with a capital in Raqqa, Syria (2014). Uncannily, ISIS’ development followed classic insurgency phases, using cyberspace for the initial phases (Chapter 2).

The first decade of the twenty-first century, prior to 2012, also included nation-states experimenting with cyber. For example, Russia tested tactical cyber with denial-of-service operations in Estonia (2007) and information operations in Georgia (2008) (Chapter 5). China collected a surprising amount of data on U.S. defense programs during Operations Titan Rain and Byzantine Hades (Chesaux, 2019) from 2003 to 2007 (Chapter 6). In 2009, Iran (Chapter 8) used cyber to suppress Twitter in order to quash dissent over the re-election of political hard-liner Mahmoud Ahmadinejad.

In 2010, STUXNET was outed as the first use of cyber to deny a nation-state’s nuclear development program. This unexpectedly effective use of cyber occurred just before new leaders ascended in China, the DPRK, and Iran, each of which already had a proven cyber capability. The early 2010s were also when Russia stepped up its cyber game with the formation of the Internet Research Agency (IRA).

By 2009, cyber had proven itself for both strategic/espionage and tactical effects. Operation Aurora (2009), for example, included China exfiltrating key Google source code. 2009 was also the year that China was found to be probing U.S. energy infrastructure via Operation Night Dragon (Chapter 6).

In 2009, Iran debuted as a cyber actor with its first denial attack, against the Green Movement on Twitter. The Green Movement was protesting election results that favored the re-election of political hard-liner Mahmoud Ahmadinejad. The 2010 STUXNET revelation then resulted in a spate of Iranian cyber attacks. DigiNotar (2011), for example, was the compromise of a Dutch certificate authority so that the MOIS could issue rogue certificates and access 300,000 Gmail accounts, providing information on the internal and external communications of Iranian citizens. Operation Newscaster (2011) was a set of fake Facebook personas that imitated journalists and was used by Iran to gain access to policy makers who could influence thinking on Iran. Operation Cleaver (2012) was an Iranian cyber penetration operation that directly preceded Shamoon (2012), a cyber denial attack that destroyed 30,000 disk drives at Saudi Aramco, and the penetration of the U.S. Navy’s e-mail system (NMCI) (2012). 2012 was also the year that Iran executed a denial attack on the U.S. financial system (Operation Ababil).

These early stages of cyber operations also saw major outing attacks. For example, Wikileaks (Chapter 9) released secret U.S. military and State Department data that potentially influenced the Arab Spring (2011), resulting in governments falling across North Africa. The 2015 breach of Mossack Fonseca, a Panamanian law firm, published in 2016 and colloquially known as the Panama Papers, outed the tax shelters of several Chinese and Russian officials. The Panama Papers also resulted in the resignation of Sigmundur Davíð Gunnlaugsson, Prime Minister of Iceland, in 2016.

Julian Assange’s taking asylum in 2012 was uncanny timing, as this was also the time frame in which multiple political changes, and strategic cyber effects, became news. STUXNET was outed in 2010, Kim Jong Un was elevated to DPRK Supreme Leader in 2011, the Russian Federation experienced the Snow Revolution in 2011–2012, Xi Jinping became President of the People’s Republic of China in 2013, Edward Snowden performed one of the largest leaks in U.S. intelligence history in 2013, and the Internet Research Agency (IRA) was formed in 2014, in time for elections in Ukraine. As big hacktivism slowed down, nation-state cyber operations picked up.

I.1.3 2013–present1

In 2011–2012, Russia experienced the Snow Revolution in Bolotnaya Square, a rally coordinated using Facebook that brought tens of thousands of people out to protest the lack of fair elections. This was a wake-up call that led to the formation of the Internet Research Agency (IRA) in 2014, with the goal of controlling the message as Russia annexed Crimea from Ukraine (Chapter 5).

In Iran, Hassan Rouhani, assuming the presidency in 2013, expanded Iran’s cyber program several-fold by building out the National Information Network (NIN) during his term (Chapter 8).

By 2013, both the Russians (Operation Dragonfly) and the Chinese (Operation Night Dragon) were actively probing U.S. critical infrastructure networks. This included scanning critical infrastructure systems and using social engineering to learn more about the people, processes, and technologies supporting U.S. natural gas pipelines. These cyber operations included profiling the system administrators and computer support personnel responsible for keeping the systems available.

In totalitarian states, the evolution of cyber coincided with leadership transitions. Kim Jong Un ascended to Supreme Leader of the DPRK in December 2011; the DarkSeoul (2013) and Sony Pictures (2014) cyber attacks followed (Chapter 7). The Sony attack revealed a previously unrecognized DPRK cyber force, one that leaked private e-mails, ended executive careers, and threatened terrorist attacks on theaters showing “The Interview,” a film parodying the new Supreme Leader.

In 2013, Xi Jinping became President of the People’s Republic of China (PRC) (Chapter 6). This directly preceded a spate of cyber espionage attacks on the United States (e.g., the Office of Personnel Management (OPM) (2015), Anthem Insurance (2015), and Equifax (2017)).

As discussed in Chapter 3, around 2016 the U.S. intelligence community suffered one of the largest leaks in its history, the loss of cyber tools from the NSA and CIA. These leaks, roughly coinciding with the Shadow Brokers advertising a set of those tools for sale, directly preceded a rash of ransomware that continues to the time of this writing.

It was also during 2016 that the DPRK executed an elaborate, multi-time-zone, international plan in an attempted $1 billion heist from Bangladesh Bank. While the larger plan did not work, the DPRK still stole $81 million in the effort (Chapter 7). Two years earlier, in June 2014, ISIS had provided a first in using social media to live-broadcast a military offensive: a force of only about 800 fighters defeating a U.S.-trained and -equipped Iraqi Army in Mosul, on Twitter, for all to see.

With the large cache of Shadow Brokers tools coming online in 2016, the DPRK used one of them (the EternalBlue SMB exploit) in the WannaCry ransomware attack of 2017, causing $4–8 billion in damage. This marked the DPRK’s full arrival on the cyber crime scene, beginning a run of cryptocurrency theft operations believed to have produced over $1 billion in illicit gains by 2023, the same amount targeted in the 2016 Bangladesh Bank attack, money widely reported to fund the DPRK’s nuclear weapons and delivery programs.

Current cyber operations are used to earn billions of dollars for criminals and pariah states, to extract nation-state secrets, and to penetrate or shut down strategic defense programs. It is hard to believe that these mature cyber operations started as simple computer-based espionage or covert communications. As we will see in Chapter 1, both nation-states and guerrillas started with the web as a necessary innovation in order to perform their collection, communications, financing, and coordination.

Note

1. It might be noted that these first two phases of cyber operations align with Healey’s work on cyber operations, which spanned from 1986 to 2012 (Healey, 2013).

1 Cyber Operations

1.1 Cyber Operations Introduction

Cyber operations include the collection of data. Collecting information is an enduring activity that existed long before cyber (Crumpton, 2012). However, with the advent of networked devices with persistent memory (e.g., personal computers and smartphones), using technology to access “end points” and exploit resident data became both a viable alternative to conventional spying and a new, usable tradecraft.

1.1.1 Cyber – A 21st‐Century Collection Channel

One of the key issues inspiring the recent increase in the use of cyber, as a collection channel, is the volume of information that can be collected by cyber means. For example, a Cold War spy’s ability to move information, even with the most advanced collection and data transfer techniques, likely peaked on the order of kilobytes, megabytes at best, of information transfer. With the current capacity of cyber storage and communication, however, terabyte downloads are common for commercial attacks (Warner, 2017).

Cyber provides orders of magnitude more data transfer. In addition, comprehensive collection gives the cyberattacker the ability to distill the current situation, frame the desired effects, and perform cyber operations that produce those effects without traveling to the event location. The amount of data collected, and the remediation cost due to a cyberattack, can be significant (Figure 1.1).

As shown in Figure 1.1, cyberattacks are increasing in both record count and subsequent remediation cost, and this is just in the commercial sector. Many private companies do not disclose that they have experienced a cyberattack due to the feared loss of customers. Government‐operated, or provoked, cyberattacks can be an order of magnitude higher than the commercial attacks as found in Figure 1.1.

Figure 1.1 Example Commercial Cyberattacks and Cost (2006–2019).

Government attacks are not so clearly spelled out in terms of the number of records compromised or the remediation cost. In addition, government-operated attacks can be much larger. For example, the estimated $10 billion NotPetya attack in 2017 (Greenberg, 2019) brought global shipping to a standstill after infecting the back-office planning and scheduling computers of Maersk, one of the largest goods transporters in the world. Computing the cost of cyberattacks is an active area of research (Swallow, 2022).

The development of networked computers also brought a broad set of actors online. From media organizations to political campaigns to banks, every direct-marketing organization interested in reaching a specific demographic developed an Internet presence. Political campaigns went online to bond with potential voters, banks went online to do business with their customers in real time, and people who just wanted to connect went online via social media. In addition, sales and marketing players use the Internet to increase their mind share through well-connected, lightly secured data stores, with cyberattackers (i.e., hackers) not far behind (Figure 1.2).

Figure 1.2 Cyberattackers Operate in Multiple Domains.

Media, political, and finance organizations shown in Figure 1.2 came online in order to expand their market reach and subsequently became common targets of cyberattack. One thing these online organizations have in common is similar data access, management, and storage techniques. Similar means and technical understanding are used to access, extract, and exploit the key data stores of a media company, a political campaign, or a bank. For example, cyberattackers used similar tools to access data from the U.S. State Department (i.e., the cables exposed by Wikileaks) (Domscheit-Berg, 2011) and to divulge data about shady offshore investments by global leaders (the Panama Papers) (Bernstein, 2017). Each of these operations included collecting data from an “end point” and using that data to embarrass or steal from a target.

1.1.2 Hackers – Pre‐Cyber Operations

Cyber operators span from hackers to nation‐state operators. Hackers are often characterized as genuinely curious, computer‐savvy folks who exceed their boundaries in tapping into private computer systems. White Hat hackers are known to tell the vulnerable system owner about what they found. Other hackers might publicize private data, believing that “information wants to be free” (Levy, 2014).

Even before the rollout of personal computers, hacking was a game of wits between the hacker and the machine, a game of mental prowess. Early incarnations of the Internet (e.g., the ARPANET) included hundreds, then thousands, of networked computers. It was only a matter of time before a determined hacker would test the limits of this new, networked, cyber world. The 1980s were therefore a time of early, but significant, activity in the cyber domain.

The U.S. Government passed the Computer Fraud and Abuse Act (Congress, 1986).

The Morris Worm (1988), a rapidly replicating worm, was the first malware to disrupt a large fraction of the ARPANET, and it cost hundreds of thousands of dollars to remediate.

“The Cuckoo’s Egg” (Stoll, 2005), a book published in 1989, put a Soviet KGB attack on U.S. government computers into story form; the goal of the KGB attack was to gain U.S. missile defense secrets.

The popular movie “WarGames” (Badham, 1983) raised awareness about the dangers of computers and led policymakers to write the Computer Fraud and Abuse Act (Congress, 1986). Only a few years later, Robert Tappan Morris became the first person convicted under this law, in 1990, for the damage that his 1988 “Morris Worm” caused on the early Internet.

Because the government used the pre-Internet ARPANET to connect government and university computers, one of the first documented cyber operations was the KGB experimenting with West German hackers to steal information on the U.S. Strategic Defense Initiative (“Star Wars”) missile defense system in the 1980s. This occurred just before the breakup of the Soviet Union and the subsequent government turmoil that delayed Russian use of cyber for espionage and information operations by approximately a decade.

In terms of technical development, Judge Greene broke up the AT&T telecommunications monopoly in 1984 (Pinheiro, 1987). This ruling opened up the information technology market in unforeseen ways, leading to the rich cyberspace landscape that we now have. The end of the decade was also when Microsoft (1986) and Cisco (1990) went public, providing the computing and connectivity that dominate cyber terrain to this day.

At the same time that personal computers and networking were rapidly changing, the geopolitical order was put in flux due to the fall of the Soviet Union (1991) and the rapid changes in the military/political landscape. Russia started working its way toward a non‐Soviet system and client states (e.g., Iraq) lost their superpower sponsorship.

Within a decade, during the late 1990s, Russian cyber operators were found hacking U.S. Air Force sites via Operation Moonlight Maze, pilfering approximately 5.5 GB of documents (Kaplan, 2017). It was also around the end of the 20th century that Chinese patriotic hackers made their debut, becoming famous for defacing the White House website to protest the crash of one of their fighters while harassing a U.S. EP-3 reconnaissance aircraft over the South China Sea (2001).

It was a few years later, in 2006, that Wikileaks came on the scene, using the Internet to expose the secrets of governments and dignitaries. A decade later, the Panama Papers (published in 2016 by the International Consortium of Investigative Journalists) exposed offshore money laundering by foreign dignitaries, even causing Sigmundur Davíð Gunnlaugsson, Prime Minister of Iceland, to resign over the revelations (Bernstein, 2017).

Al Qaeda in Iraq (AQI) also debuted in the 2004–2005 time frame, using cyberspace to recruit, move money, and perform command and control. AQI’s use of the web continued as the organization morphed into the Islamic State of Iraq and Syria (ISIS), only to emerge from cyberspace as a military organization in 2011 and acquire a physical capital in Raqqa, Syria, by 2014.

At the same time that ISIS and other players were sharpening their operational web techniques, Russia developed its cyber playbook by using Ukraine as a test bed (Greenberg, 2019). Russia conducted technical cyberattacks on power systems, banks, and tax authorities (e.g., NotPetya, which resulted in $10 billion in damage (Greenberg, 2019)). In addition, Russia mixed these technical cyberattacks with kinetic force to challenge the governments of Georgia (2008) and Ukraine (2014 onward). Russia also transitioned traditional active measures to the cyber domain in order to manipulate elections in the United States (the 2016 U.S. Presidential Election) (Mueller, 2019) and Europe (Cyware, 2021). Russia’s use of cyber therefore goes above “the line” of non-kinetic conflict defined in Joint Doctrine Note 1-19, “Competition Continuum” (Joint Chiefs of Staff, 2019) (Figure 1.3).

As shown in Figure 1.3, cyber operations are generally “below the line.” However, as cyber increasingly finds tactical applications, “above the line” actions have the potential to become more common for military/intelligence applications.

1.1.3 Cyber and Counter‐Terror/Insurgency

Other examples of cyber operations include ISIS using social media messaging to recruit, fund, and coordinate attacks. This included combining operations in ISIS’ media and political domains in order to project a fundamentalist image and advertise battlefield successes during their development and operational stages, resulting in a 10-million-person proto-state with a capital in Raqqa, Syria, and territory roughly the size of Britain (Fox, 2019).

The development of Al Qaeda, AQI, and ISIS cyber operations coincided with the counter‐terror (CT) and counter‐insurgency (COIN) missions that spanned the first decades of the 21st century. As CT and COIN operations developed, the use of cyber to support tactical coalition operations rapidly expanded during counter‐insurgency campaigns in Afghanistan and Iraq.

Figure 1.3 Kinetic/Non‐Kinetic Line of Hostility.

Source: Adapted from Joint Chiefs of Staff, 2019.

While the use of the Internet by the 9/11 attackers was a wake-up call, it was not until Coalition operations in Afghanistan and Iraq, CT missions that morphed into COIN operations, that all-source analysis started leveraging cyber in the form of social network analysis (SNA). For example, the overall theme of “Attack the Network” (AtN) (U.S. Joint Forces Command, 2011) required human targeting that included capturing leadership elements of adversary organizations on an unprecedented scale (Figure 1.4).

As shown in Figure 1.4, SNA is used to understand the composition and command structure of a given terror cell in order to identify cell members. Some of this membership/relationship information may be available via cyber, providing counter‐IED/insurgency analysts with a tool for reducing the threat to coalition forces.

More specifically, counter‐improvised explosive device (C‐IED) operations used all source analysis in order to provide some of the beginnings of cyber analysis and targeting. The employment of AtN and SNA techniques and technologies, therefore, developed into a solution to find and target these key individuals via their e‐mail, social media, and communications traffic.

Figure 1.4 Tactical Cyber Operations – Social Network Analysis (SNA) and Attack the Network (AtN).
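The ranking step behind Figure 1.4, as an added example that is not part of the book and not the analysis tooling of any program it describes: given who-contacted-whom metadata, build the contact graph and rank people by degree centrality (direct contacts) and betweenness centrality (how often a person sits on the shortest path between others, i.e. a broker between cells). Betweenness is computed with Brandes’ algorithm. The contact records and names are constructed for illustration, and a real dataset would carry many more edge types (calls, e-mail, co-location) than the single relation used here.

```python
"""Social network analysis (SNA) over constructed contact metadata.

Added example, not from the book.  Builds an undirected graph from
who-contacted-whom records and ranks nodes by degree centrality (how many
direct contacts a node has) and betweenness centrality (how often a node
lies on the shortest paths between others, i.e. a broker between cells).
Betweenness uses Brandes' algorithm.  All names and contact records are
constructed for illustration; they are not from the page or any real dataset.
"""
from collections import defaultdict, deque

# Constructed contact records (caller, callee).  Two tight three-person cells,
# with "dawud", "farid" and "hadi" forming the only path between them.
CONTACTS = [
    ("amir", "basim"), ("amir", "dawud"), ("basim", "dawud"),
    ("dawud", "farid"), ("farid", "hadi"),
    ("hadi", "jalal"), ("jalal", "karim"), ("hadi", "karim"),
    ("farid", "hadi"),  # repeat contact; collapsed into the existing edge
]


def build_graph(contacts):
    """Return {node: set(neighbours)} for an undirected graph, dropping self-loops."""
    adj = defaultdict(set)
    for a, b in contacts:
        if a != b:
            adj[a].add(b)
            adj[b].add(a)
    return dict(adj)


def degree_centrality(adj):
    """Fraction of the other nodes each node is directly connected to."""
    n = len(adj)
    return {v: len(nbrs) / (n - 1) for v, nbrs in adj.items()}


def betweenness_centrality(adj):
    """Brandes' betweenness for an unweighted undirected graph, normalised to [0, 1]."""
    bc = dict.fromkeys(adj, 0.0)
    for s in adj:
        # Phase 1: BFS from s, recording shortest-path counts (sigma) and predecessors.
        stack, preds = [], defaultdict(list)
        sigma, dist = defaultdict(float), {s: 0}
        sigma[s] = 1.0
        queue = deque([s])
        while queue:
            v = queue.popleft()
            stack.append(v)
            for w in adj[v]:
                if w not in dist:
                    dist[w] = dist[v] + 1
                    queue.append(w)
                if dist[w] == dist[v] + 1:
                    sigma[w] += sigma[v]
                    preds[w].append(v)
        # Phase 2: back-propagate dependencies in reverse BFS order.
        delta = defaultdict(float)
        while stack:
            w = stack.pop()
            for v in preds[w]:
                delta[v] += sigma[v] / sigma[w] * (1.0 + delta[w])
            if w != s:
                bc[w] += delta[w]
    n = len(adj)
    # Each unordered pair was counted from both ends, so scale by 1/((n-1)(n-2)).
    scale = 1.0 / ((n - 1) * (n - 2)) if n > 2 else 0.0
    return {v: c * scale for v, c in bc.items()}


def rank_targets(contacts, top=3):
    """Rank nodes by betweenness, then degree; returns (node, betweenness, degree)."""
    adj = build_graph(contacts)
    deg, btw = degree_centrality(adj), betweenness_centrality(adj)
    ranked = sorted(adj, key=lambda v: (btw[v], deg[v]), reverse=True)
    return [(v, round(btw[v], 3), round(deg[v], 3)) for v in ranked[:top]]


if __name__ == "__main__":
    for node, btw, deg in rank_targets(CONTACTS):
        print(f"{node:8s} betweenness={btw:.3f} degree={deg:.3f}")
```

On the constructed graph, “farid” ranks first on betweenness even though he has only two contacts: every path between the two cells runs through him. Degree alone would have pointed at the cell members with the most calls, which is why AtN analysts lean on betweenness to find the couriers and facilitators whose removal actually partitions a network.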

1.2 Early Internet and Cyber Operations

The importance of command and control (C2) in military operations inspired the idea of providing a network that could withstand a nuclear war. This resilient network eventually became the Internet (RAND). The Internet, provided to the public at the end of the Cold War, gave the world the ability to communicate globally, post information on newly pioneered websites, and search this information, for free. This was an incredible gift to a pre‐Internet world that paid high rates for long‐distance telephone calls and information searches that required a trip to the library.

A decade or so later, in the early 2000s, Chinese patriotic hacktivists were defacing the White House website to protest the crash of a People’s Liberation Army (PLA) jet, over the South China Sea, that was harassing a U.S. Navy EP-3 surveillance aircraft (2001) (Rosenthal, 2001). These were early signs that the Internet was being used by foreign actors to perform cyber operations. Then, in the aftermath of the 9/11 attacks (2001), the revelation that al Qaeda had used the Internet to communicate and transfer funds ended the Internet’s age of innocence, with terrorists using the Internet for command and control (9/11 Commission, 2004).

The use of the Internet by Al Qaeda for e‐mail communications/coordination, and website postings to disseminate their message, initially surprised counter‐terror analysts. While “Network Centric Warfare” was still seen as a next‐generation technical capability in the West, the employment of social media for tactical effect was already a developing tactic on the part of terror and IED networks in Iraq and Afghanistan (Schachtman, 2007).

1.2.1 Maturing of Cyber Operations – ISIS and Russia

Terror organizations’ growing use of the web to publicize their activities, attract funding, and mobilize recruits created a new, cyber, domain of terror operations. Al Qaeda, then AQI, ISIL, and finally ISIS refined their web presence, broadcasting many of their attacks in real time on Twitter (e.g., the capture of Mosul (2014)) (Brooking and Singer, 2016). ISIS effectively expanded from proselytization and funding operations to live messaging of kinetic attacks. ISIS also developed an ability to manufacture crowds on social media (Diresta, 2018), providing an implied substance, via the number of observable followers, that made them seem much larger than they actually were.

Terrorist organizations increased their coordination and media skills in conjunction with the growth of social media. Social media was just beginning during the AQI period (2004–2006). Facebook, for example, the main social media application for connecting people to long‐lost classmates, friends, and relatives, debuted in 2004. Similarly, Twitter, the social media app for sending quick messages, pictures, and videos dates back to 2006.

The year 2006 was also the year that AQI remnants were defeated in western Iraq’s Al Anbar province via the U.S. Marine counter-insurgency program (Russell, 2010). This success inspired the U.S. Army’s 2007 Surge, which moved thousands of U.S. and Coalition troops into Baghdad and central Iraq. The goal of the 2007 Surge was to isolate and defeat AQI and other groups, which drove many of the insurgents to conduct their propaganda, finance, and recruiting exclusively in cyberspace. The remnants of the AQI guerrilla network thus retreated to cyberspace, only to emerge as ISIS.

1.2.2 ISIS Cyber Operations

In the 2010–2011 time frame, the same time that the post‐AQI organization was regrouping on the Internet, Wikileaks released a batch of U.S. Government “cables” that provided an insider’s view of what U.S. diplomats thought of their peers across the world. These documents included an unflattering picture of Tunisia’s ruling family, resulting in civil unrest and an eventual overturning of the government (Dickinson, 2011).

Starting in Tunisia, these mass protests spread across North Africa, and the governments of Egypt and Libya were soon overturned as well. Called the Arab Spring (Rodenbeck, 2013), much of its reporting and coordination was performed on social media (e.g., Facebook, Twitter), showing the value of these platforms for targeting niche populations with messages for effect. The Arab Spring therefore became a cyber means to channel protestor frustration and overturn a government locally, with international participation via online supporters and Internet-based social media (i.e., Facebook and Twitter). The Arab Spring also used social media to enfranchise both resident and nonresident (e.g., diaspora) “voters,” in order to select candidate leaders and provide the messaging required to fuel protests, rallies, and demonstrations. These movements used social media to coordinate rallies and remove the existing government structure, leaving a power vacuum to be filled by more organized, and less liberal, politico-religious factions.

While the Arab Spring was overturning governments in North Africa, protests broke out in Syria with the similar intent of overturning the Syrian government. Syrian government forces, however, fought back violently, resulting in a civil war that left large areas of the country effectively ungoverned. One of these geographical security vacuums was filled by ISIS, which emerged in January 2014 with a physical capital in Raqqa, Syria, and near-continuous social media operations. This was on the heels of Facebook’s 2012 initial public offering (IPO) (Weidner, 2013) and nearly coincided with Twitter’s IPO (November 7, 2013) (Gabbatt, 2013).

1.2.3 Russian Cyber Operations

While social media was being used as a channel for antiregime protests and coordination in the North African Maghreb and Syria, Facebook was also being used to channel political angst in Russia. For example, the Snow Revolution (2011–2013) had up to 85,000 protestors showing up in Moscow’s Bolotnaya Square to protest election results on December 10, 2011 (Ioffe, 2011). The power of social media was quickly recognized, with the Russian people starting to show their political Internet presence via Facebook accounts and tweets.

In reaction to the Snow Revolution, the Putin regime became aware of the power of social media. One action coming out of the Snow Revolution was for Putin’s friend Yevgeny Prigozhin1, “Putin’s Chef,” to start the Internet Research Agency (IRA) in 2014. Among the IRA’s tasks was to develop counter-messaging against adversaries of the Putin regime. As shown in Figure 1.5, the 2009–2018 timeline shows how the IRA delivered a blitz of tweets against Ukraine during key events that include the Crimean invasion, the response to the downing of Malaysia Airlines flight MH17, and the angry response to the 2014 Ukrainian elections.

The graph in Figure 1.5 shows the number of IRA‐linked accounts created per day, overlaid with the number of tweets referencing Ukraine. The IRA was therefore developing additional accounts in conjunction with its message dissemination, adding an implied substance, via the size/scope of followers, in combination with the messaging. This is similar to what was observed in ISIS operations through the artificial construction of a movement via false accounts, manufactured personas, and super users “liking” content to provide implied validity.

Both Russia and ISIS showed a scaling-up of followers, either from other countries/regions (ISIS) or completely virtual (Russia), in order to increase the online credibility of their messaging. And while ISIS remained focused on political messaging and military exploits, Russia quickly shifted its cyber operations/propaganda from the Ukrainian election results, to counter-messaging on the reporting of Russian troops’ shooting down of a civilian airliner (Bellingcat, 2015), to whitewashing its 2014 invasion of Crimea. In short order, Russia showed the agility of its cyber operations by expanding both the scale and scope of Internet messaging over a broad range of issues in order to promote the regime’s objectives.

Figure 1.5 Graph of tweets regarding Ukraine over time.

Source: Cardiff Crime and Security Research Institute, 2019/Cardiff Crime and Security Research Institute.
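Figure 1.5 pairs two daily series, IRA-linked account creations and tweets about Ukraine, and the analytic point is that the two spike together. The following is an added example, not from the book or the Cardiff study, of the check an analyst would run over such data: count both series per day, set a robust baseline from the median and median absolute deviation (MAD, which the spikes themselves cannot inflate the way a mean and standard deviation would), and flag only days on which new-account creation and topic-message volume both exceed their baselines. A creation spike alone (a legitimate sign-up drive) or a message spike alone (organic reaction to news) is deliberately not flagged. All dates and counts are constructed for illustration; the threshold multiplier `k` is an assumed tuning value.

```python
"""Coordinated account-creation burst detection.

Added example, not from the book.  Counts account creations and topic
messages per day, estimates a baseline for each with median + k * MAD, and
flags days where both series exceed their baselines at once.  All dates and
counts below are constructed for illustration; "k" is an assumed tuning value.
"""
from collections import Counter
from datetime import date, timedelta
from statistics import median

START, END = date(2014, 3, 1), date(2014, 3, 14)

# Constructed quiet-period baselines, one value per day starting at START.
_BASE_CREATED = [2, 1, 3, 2, 2, 1, 2, 3, 1, 2, 2, 1, 3, 2]
_BASE_MESSAGES = [9, 11, 10, 12, 8, 10, 11, 9, 10, 12, 9, 10, 11, 10]


def _expand(per_day):
    """Turn a per-day count list into one event date per event."""
    return [START + timedelta(i) for i, n in enumerate(per_day) for _ in range(n)]


# Constructed event lists: a joint spike on 10 March (flag), a creation-only
# spike on 5 March (do not flag) and a message-only spike on 7 March (do not flag).
ACCOUNT_CREATED = _expand(_BASE_CREATED) + [date(2014, 3, 10)] * 38 + [date(2014, 3, 5)] * 20
TOPIC_MESSAGES = _expand(_BASE_MESSAGES) + [date(2014, 3, 10)] * 110 + [date(2014, 3, 7)] * 90


def daily_counts(event_dates, start, end):
    """List of (day, count) over [start, end], zero-filling days with no events."""
    counts = Counter(event_dates)
    days = (end - start).days + 1
    return [(start + timedelta(i), counts[start + timedelta(i)]) for i in range(days)]


def robust_threshold(values, k=5.0):
    """median + k * MAD; MAD is floored at 1 so a flat baseline still has slack."""
    med = median(values)
    mad = median(abs(v - med) for v in values)
    return med + k * max(mad, 1.0)


def find_coordinated_bursts(creation_dates, message_dates, start, end, k=5.0):
    """Days where new-account creation and topic messages both spike together.

    Returns a list of (day, accounts_created, topic_messages) tuples.
    """
    creations = daily_counts(creation_dates, start, end)
    messages = dict(daily_counts(message_dates, start, end))
    c_thresh = robust_threshold([n for _, n in creations], k)
    m_thresh = robust_threshold(list(messages.values()), k)
    return [
        (day, n_created, messages[day])
        for day, n_created in creations
        if n_created > c_thresh and messages[day] > m_thresh
    ]


if __name__ == "__main__":
    for day, created, msgs in find_coordinated_bursts(ACCOUNT_CREATED, TOPIC_MESSAGES, START, END):
        print(f"{day}: {created} new accounts, {msgs} topic messages -> coordinated burst")
```

On the constructed data only 10 March is reported: 40 accounts created against a baseline threshold of 7, and 122 topic messages against a threshold of 15. The joint condition is what separates manufactured crowds from organic ones; in production the creation series would also be broken down by registration IP range, e-mail domain, or device fingerprint so that a flagged day can be tied back to a specific batch of accounts.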

The longer-term response to the Snow Revolution included the Russian Federation’s scaling-up of online political operations. For example, the IRA set up a large number of new accounts in 2014 in order to target elections in Ukraine (Figure 1.5). These new accounts then contributed to a campaign of increased scale and intensity surrounding the annexation of Crimea and the shooting down of Malaysia Airlines flight MH17. Russia followed by turning off part of Ukraine’s power grid, first in December 2015 through the BlackEnergy campaign and then in December 2016 with the Industroyer malware (Slowik, 2019), duplicating in cyber its physical shutdowns of Ukrainian gas supplies in the 1990s (Smolansky, 1995).

1.3 Cyber Operations’ Stage Descriptions

Long before the Russian use of cyber brought active measures into the 21st century, the Internet was used by Al Qaeda and AQI to manage media, communications, recruiting, and money (Economist, 2007). Initial Al Qaeda use of the Internet was primarily the work of individual hackers and webmasters. These initial Al Qaeda cyber operations were the first actions in what will be shown to be a three-stage progression of cyber tactics that ranges from the late 1990s to the present and scales from early ideological hacking to current nation-state operations.

1.3.1 Stage I (late 1990s to ~2010) (Community Development)

One of Al Qaeda’s first reported webmasters, Younis Tsouli (aka Irhabi007), managed money, recruiting, and website content from an apartment in west London during the early 2000s (Economist, 2007). Irhabi007 was followed by Anwar al-Awlaki, who provided direct inspiration for multiple attacks, several inside the United States, including Fort Dix (New Jersey) (2007), the Little Rock (Arkansas) military recruiting center (2009), and Fort Hood (Texas) (2009).

1.3.2 Stage II (~2010 to ~2015) (Tactical)