
Hybrid or Ambiguous, Asymmetric Warfare is Here to Stay

[As always, check the byline — this is Rayne with another minority report.]

After the hacking of the U.S. Office of Personnel Management, I wrote in early 2013 about asymmetric warfare. At the time I was puzzled by Americans’ surprise at such an extensive breach of a government asset by China.

We were warned in 1999 by the PRC in a white paper, Unrestricted Warfare, written by two Chinese military officers. They told us what they perceived about U.S.’ defense stance and where they were likely to press given their perception of our weaknesses and strengths.

Our own military processed this warning; it was incorporated into a number of military white papers. The U.S. intelligence community likewise digested the same white paper and military assessments of the same.

And yet the U.S. was not ready for an asymmetric attack.

More disturbingly, we were warned in 2013 — possibly earlier — that Russia was adopting asymmetric warfare. Valery Gerasimov, Chief of the General Staff of the Armed Forces of Russia, wrote a paper discussing the application of “hybrid warfare” or “ambiguous warfare,” partially exemplified in Russia’s 2014 annexation of Crimea.

Our Defense Department analyzed Gerasimov’s Doctrine, as it is now known. The CNA, a nonprofit research and analysis organization working for DOD, published a paper defining “ambiguous warfare” (pdf):

“Ambiguous warfare” is a term that has no proper definition and has been used within U.S. government circles since at least the 1980s. Generally speaking, the term applies in situations in which a state or non-state belligerent actor deploys troops and proxies in a deceptive and confusing manner—with the intent of achieving political and military effects while obscuring the belligerent’s direct participation. Russia’s actions in Crimea and Ukraine clearly align with this concept, though numerous participants pointed out that it is not a new concept for Russia.

CNA even applied a term used by the U.S. to describe Russia’s military action in Crimea — and yet the U.S. was not ready for an asymmetric attack.

The earlier PRC paper, Unrestricted Warfare, elaborated:

War in the age of technological integration and globalization has eliminated the right of weapons to label war and, with regard to the new starting point, has realigned the relationship of weapons to war, while the appearance of weapons of new concepts, and particularly new concepts of weapons, has gradually blurred the face of war. Does a single “hacker” attack count as a hostile act or not? Can using financial instruments to destroy a country’s economy be seen as a battle? Did CNN’s broadcast of an exposed corpse of a U.S. soldier in the streets of Mogadishu shake the determination of the Americans to act as the world’s policeman, thereby altering the world’s strategic situation? And should an assessment of wartime actions look at the means or the results? Obviously, proceeding with the traditional definition of war in mind, there is no longer any way to answer the above questions. When we suddenly realize that all these non-war actions may be the new factors constituting future warfare, we have to come up with a new name for this new form of war: Warfare which transcends all boundaries and limits, in short: unrestricted warfare.

If this name becomes established, this kind of war means that all means will be in readiness, that information will be omnipresent, and the battlefield will be everywhere. It means that all weapons and technology can be superimposed at will, it means that all the boundaries lying between the two worlds of war and non-war, of military and non-military, will be totally destroyed, and it also means that many of the current principles of combat will be modified, and even that the rules of war may need to be rewritten.

In spite of this warning, the U.S. has not been adequately prepared for asymmetric warfare.

More importantly, the U.S. has not grasped what is meant that “all the boundaries lying between the worlds of war and non-war” no longer exist.

We are in a permanent state of non-war warfare.

And we were warned.

If the CNA’s paper is any indication, the U.S. has been blinded by the lens of traditional warfare. This is an unintended conclusion we can take away from this paper: we are smack in the middle of a debris field in which our entire democratic system has been rattled hard and our president and his dominant political party are in thrall to at least one other country’s leader, without a single traditional combat weapon aimed and fired at our military. Yet the paper on “Russia’s ‘Ambiguous Warfare’” looked at the possible effect such war would have on traditional defense, making only the barest effort to include information warfare. The shoot-down over Ukraine of Malaysia Airlines flight MH17 carrying EU citizens offers an example — there is little mention in this paper of Russian and separatists’ efforts to mask the source of the shooting using information warfare, thereby managing to avoid an official invocation of NATO Article 5.

Perhaps the scale of our traditional defense spending and the commitment to sustaining this spending driven by both states’ economies and by corporatocracy locked us into an unwieldy and obstructive mindset unable to respond quickly to new threats. But PRC warned us in 1999 — we have no excuses save for a lack of imagination at national scale, combined with a detrimental perception of American exceptionalism.

If there is something we can still use in this permanent state of non-war warfare, it is one of the oldest lessons of warfare, transcending place, culture, and tradition:

All warfare is based on deception. … Keep him under strain and wear him down. When he is united, divide him. Attack where he is unprepared; sally out when he does not expect you. … 

— Sun Tzu, The Art of War

What were we not expecting? For what were we not prepared? What form may the next ambiguous attack assume, and are we ready to defend ourselves?

More importantly, what does an effective, ambiguous offense look like?

Open Thread: All in the Families?

This is an open thread dedicated to this morning’s news. By now many of you have heard that Alex van der Zwaan, a lawyer at mega law firm Skadden, Arps, Slate, Meagher & Flom, was charged today by Team Mueller with making false statements while answering questions about his work for the Ukrainian Ministry of Justice in its case against Ukraine’s former prime minister Yulia Tymoshenko.

The “materially false, fictitious, and fraudulent statements and representations” arose from questions about interactions related to Paul Manafort’s partner Rick Gates and “Person A.”

[insert blogger’s laugh] Gee, I wonder who Person A could be? *

You can read the short and sweet court filing here (pdf).

These folks from Team Mueller signed the filing: Andrew Weissmann, Greg Andres, Kyle Freeny, Brian Richardson. Add them and this assignment to Marcy’s bingo card.

Richardson is a new name, which Marcy noted, already wondering if he is Mystery Prosecutor 17? She’ll probably elaborate in a separate post.

For a little background on Skadden Arps’ relationship to Ukraine, see this NYT piece from September 21 last year: Skadden, Big New York Law Firm, Faces Questions on Work With Manafort

There was related legal news last autumn — emphasis on related.

Alfa Bank co-owners German Khan, Mikhail Fridman, and Peter Aven filed suit last October against Fusion GPS and Glenn Simpson claiming the Steele dossier was defamatory. Their reputations were “gravely” damaged as the dossier indicated they were engaged in criminal activity with Russia’s president Vladimir Putin.

Khan just happens to be van der Zwaan’s father-in-law. It’s a small world, yes?

It’ll be amusing if the Mueller-led investigation ends up unintentionally corralling multiple families.

* EDIT — 1:30 pm EST — I meant to add that Andrea Manafort Shand, Paul Manafort’s daughter, was an associate at Skadden Arps’ Washington DC office. I haven’t seen anything to suggest she’s involved in any way with today’s charges or that she’s Person A, but stranger things have happened. Like the leaking of hacked text messages between Manafort’s daughters, which have not been disavowed.

– – – – –

In case you missed it, Marcy was on Democracy Now this morning, talking about the Mueller probe and the IRA indictment last Friday.

A transcript isn’t up as I type this but the video and audio are up on the main site under the Daily Show at the right side of Democracy Now’s homepage. I’ll add a link to the transcript as it becomes available.

Have at it!


Minority Report: An Alternative Look at NotPetya

NB: Before reading:

1) Check the byline — this is NotMarcy;

2) Some of this content is speculative;

3) This is a minority report; I’m not on the same paragraph and perhaps not the same page with Marcy.

Tuesday’s ‘Petya/Petna/NotPetya’ malware attacks generated a lot of misleading information and rapid assumptions. Some of the fog can be rightfully blamed on the speed and breadth of infection. Some of it can also be blamed on the combined effect of information security professionals discussing in-flight attacks in full view of the public who make too many assumptions.

There’s also the possibility that some of the confusing information may have been deliberately generated to thwart too-early intervention. If this isn’t criminal hacking but cyber warfare, propaganda should be expected as in all other forms of warfare. Flawed assumptions, too, can be weaponized.

A key assumption worth re-examining is that Ukraine was NotPetya’s primary target rather than collateral damage.

After the malware completed its installation and rebooted an infected machine, a message indicated files had been encrypted and payment could be offered for decryption.

Thousands of dollars were paid, $300 at a time, in cryptocurrency, but a decryption key wouldn’t be forthcoming. Users who tried to pay the ransom found the contact email address hosted by Posteo.net had been terminated. The email service company was unhelpful, bordering on outright hostile, in its refusal to assist users contacting the email account holder. It looked like a ransom scam gone very wrong.

As Marcy noted in her earlier post on NotPetya, information security expert Matt Suiche posted that NotPetya was a wiper and not ransomware. The inability of affected users to obtain a decryption key suddenly made perfect sense. ‘Encrypted’ files are never going to be opened again.

It’s important to think about the affected persons and organizations and how they likely responded to the infection. If they didn’t already have a policy in place for dealing with ransomware, they may have had impromptu meetings about their approach; they had to buy cryptocurrency, which may have required a crash DIY course in how to acquire it and how to make a payment — scrambling under the assumption they were dealing with ransomware.

It all began sometime after 10:30 UTC/GMT — 11:30 a.m. London (BST), 1:30 p.m. Kyiv and Moscow local time, even later in points across Russia farther east.

(And 4:30 a.m. EDT — well ahead of the U.S. stock market, early enough for certain morning Twitter users to tweet about the attack before America’s work day began.)

The world’s largest shipping line, Maersk, and Russia’s largest taxpayer and oil producer Rosneft tweeted about the attack less than two hours after it began.

By the end of the normal work day in Ukraine time, staff would only have just begun to deal with the ugly truth that the ransom may have been handed off and no decryption key was coming.

As Marcy noted, June 28th is a public holiday in Ukraine — Constitution Day. I hope IT folks there didn’t have a full backup scheduled to run going into the holiday evening — one that might overwrite a previous full backup.

The infection’s spread rate suggested early on that email was not the only means of transmission, if it had been spread at all by spearphishing. But many information security folks advocated not opening any links in email. A false sense of security may have aided the malware’s dispersion; users may have thought, “I’m not clicking on anything, I can’t get it!” while their local area network was being compromised.

And then it hit them. While affected users sat at their machines reading fake messages displayed by the malware, scrambling to get cryptocurrency for the ransom, NotPetya continued to encrypt files under their noses and spread across businesses’ local area networks. Here’s where Microsoft’s postmortem is particularly interesting; it not only gives a tick-tock of the malware’s attack on a system, but it lists the file formats encrypted.

Virtually everything a business would use day to day was encrypted, from Office files to maps, website files to emails, zip archives and backups.

Oh, and Oracle files. Remember Oracle pushed a 299-vulnerability mega-patch on April 19, days after ShadowBrokers dumped some NSA tools? Convenient, that; these vulnerabilities were no longer a line of attack except through file encryption.

While information security experts have done a fine job tackling a many-headed hydra ravaging businesses, they made some rather broad assumptions about the reason for the attack. Kaspersky concluded the target was Ukraine since ~60% of infected devices were located there though 30% were located in Russia. But the malware’s aim may not have been the machines or even the businesses affected in Ukraine.

What did those businesses do? What they did required the tax application software MEDoc. If the taxes to be calculated were based on a business’s profits — (how much did they make) X (tax rate) — they hardly needed tax software. A simple spreadsheet would suffice, or the calculation would be built into accounting software.

No, the businesses affected by the malware pushed at 10:30 GMT via a MEDoc update would be those which sold goods or services frequently, on which sales tax would have been required for each transaction.

What happens when a business’s sales can’t be documented? What happens when their purchases can’t be documented, either?

Which brings me to the affected Russian businesses, specifically Rosneft. There’s not much news published in English detailing the impact on Rosneft; we’ve only got Kaspersky’s word that 30% of infections affected Russian machines.

But if Rosneft is the largest public oil company in the world, Russia’s largest taxpayer as Rosneft says on its Twitter profile, it may not take very many infections to wreak considerable damage on the Russian economy. Consider the ratio of one machine invoicing the shipment of an entire ocean tanker of oil versus many machines billing heating oil in household-sized quantities.

And if Rosneft oil was bought by Ukraine and resold to the EU, Ukraine’s infected machines would cause a delay of settlements to Russia especially when Rosneft must restore its own machines to make claims on Ukrainian customers.

The other interesting detail in this malware story is that the largest container line in the world, Maersk, was also affected. You may have seen shipping containers on trucks, trains, in shipyards and on ships marked in bold block letters, MAERSK. What you probably haven’t seen is Maersk’s energy transport business.

This includes shipping oil.

It’s not Ukraine’s oil Maersk ships; most of what Ukraine sells is through pipelines running from Russia in the east and mostly toward EU nations in the west.

It’s Russian oil, probably Rosneft’s, shipping overseas. If it’s not in Maersk container vessels, it may be moving through Maersk-run terminal facilities. And if Maersk has no idea what is shipping, where it’s located, when it will arrive, it will have a difficult time settling up with Rosneft.

Maersk also does oil drilling — it’s probably not Ukraine to whom Maersk may lease equipment or contract its services.

Given the potential damage to Russia’s financial interests, it seems odd that Ukraine is perceived as the primary target.


NotPetya’s attack didn’t happen in a vacuum, either.

Germany’s Die Welt reported the assassination of Ukraine’s chief of intelligence by car bomb. The explosion happened about the same time that Ukraine’s central bank reported it had been affected by NotPetya — probably a couple of hours after 10:30 a.m. GMT.

On Monday, privately-owned Russian conglomerate Sistema had a sizable chunk of assets “arrested” — not seized, but halted from sale or trading — due to a dispute with Rosneft over $2.8 billion. Rosneft claims Sistema owes it money from the acquisition of oil producer Bashneft, owned by Sistema until 2014. Some of the assets arrested included part of mobile communications company MTS. It’s likely this is the court case Rosneft referred to in its first tweet related to NotPetya.

The assassination’s timing makes the cyber attack look more like NotPetya was a Russian offensive, but why would Russia damage its largest sources of income and mess with its cash flow? The lawsuit against Sistema makes Rosneft appear itchy for income — Bashneft had been sold to the state in 2014, then Rosneft bought it from the state last year. Does Rosneft need this cash after the sale (or transfer) of a 19.5% stake worth $10.2 billion last year?

Worth noting here that Qatar’s sovereign wealth fund financed the bulk of the deal; commodities trader Glencore only financed 300 million euros of this transaction. How does the rift between other Middle Eastern oil states and Qatar affect the value of its sovereign wealth fund?

In her previous post, Marcy spitballed about digital sanctions — would they look like NotPetya? I think so. I can’t help recalling this bit at the end of the Washington Post’s opus on Russian election interference published last week on June 23:

But Obama also signed the secret finding, officials said, authorizing a new covert program involving the NSA, CIA and U.S. Cyber Command.

[…]

The cyber operation is still in its early stages and involves deploying “implants” in Russian networks deemed “important to the adversary and that would cause them pain and discomfort if they were disrupted,” a former U.S. official said.

The implants were developed by the NSA and designed so that they could be triggered remotely as part of retaliatory cyber-strike in the face of Russian aggression, whether an attack on a power grid or interference in a future presidential race.

I’m sure it’s just a coincidence that NotPetya launched Tuesday this week. This bit reported in Fortune is surely a coincidence, too:

The timing and initial target of the attack, MeDoc, is sure to provoke speculation that an adversary of Ukraine might be to blame. The ransomware hid undetected for five days before being triggered a day before a public Ukrainian holiday that celebrates the nation’s ratification of a new constitution in 1996.

“Last night in Ukraine, the night before Constitution Day, someone pushed the detonate button,” said Craig Williams, head of Cisco’s Talos threat intelligence unit. “That makes this more of a political statement than just a piece of ransomware.” [boldface mine]

Indeed.

Two more things before this post wraps: did anybody notice there has been little discussion about attribution due to characters, keyboards, language construction in NotPetya’s code? Are hackers getting better at producing code without tell-tale hints?

Did the previous attacks based on tools released by the Shadow Brokers have secondary — possibly even primary — purposes apart from disruption and extortion? Were they intended to inoculate enterprise and individual users before a destructive weapon like NotPetya was released? Were there other purposes not obvious to information security professionals?

Friday: Sinnerman

In this roundup: A look outside the U.S.’ borders — TTIP’s end, Turkey at risk, Chile and women’s reproductive rights, more.

Featured jazz artist today is Eunice Waymon, known best by her stage name Nina Simone. Recognized for her powerful political work, Mississippi Goddamn, Simone was an incredibly gifted pianist trained at Juilliard with a predilection for the works and method of Johann Sebastian Bach. She became a singer only after the nightclubs at which she performed insisted she sing as well as play piano.

Two of my favorites apart from Sinnerman shared here are Feeling Good and I Put a Spell on You. I’ll always have a warm, fuzzy place for the Ain’t Got No/I Got Life medley, a variation of the song from the 1960s Broadway musical Hair. I can remember singing along to this recording during long road trips.

Why Nina Simone today? Because of Sinnerman, which seems particularly appropriate during this election season.

Looking away from our nation’s navel

  • Op-ed: Is Turkey nearing civil war? (Süddeutsche Zeitung) — Guest contributor Yavuz Baydar reviews developments in Turkey after the so-called coup attempt, including calls to arm citizens, reestablish an Ottoman caliphate, and create militarized youth groups attached to mosques. Turkish media, operating with the blessing of President Tayyip Erdoğan, has shown maps featuring Mosul and parts of northern Greece as part of a Turkish empire.
  • TTIP may be in death throes, but resuscitation attempted (euronews) — This article quotes a Spanish automotive parts maker who complains the need to inspect parts both on export and import is expensive, and the Transatlantic Trade and Investment Partnership (TTIP) agreement would eliminate the costly redundancy. Except the existing duplicative inspections didn’t prevent Volkswagen Group and its vendor Bosch from shipping fraudulent vehicles and parts, did it? Yeah. Not so much…in spite of TTIP’s near-death, the US and EU met earlier this month to regroup and try to force TTIP through before the end of President Obama’s term.
  • Chile’s president aims to change restrictive anti-abortion laws (NPR) — Chile is among the five most restrictive countries in the world, outlawing abortion even to save the life of the mother. President Michelle Bachelet made it her goal to change the laws; the country’s lower house has already approved legislation to allow abortion in case of rape, to save the mother, or in case of fatal fetal defect. Chile’s senate must yet vote to approve this legislation before it becomes law. In the meantime, women must travel abroad to obtain abortions or risk jail if they attempt it in Chile on their own.
  • Radical Ukrainian nationalists rising (euronews) — Members of far-right groups Azov regiment and the Right Sector recently marched through Kyiv to celebrate Ukrainian patriotism while protesting pro-Russian separatists.

Tech Debris
Here’s a collection of odd technology bits I’ve run across recently worth a read:

  • Dutch researchers working on anti-hacking technology (euronews) — They’re working on unique identifiers for devices attached to the internet, like the myriad Internet of Things devices (webcams, baby monitors, and so on). This seems like a waste of time given every device should already have an ID assigned by a network. Keep an eye on this; it’d certainly make surveillance easier. Ahem.
  • Troubling case of Facebook v. Vachani (NPR) — Fluffy overview of the suit filed against Steven Vachani whose portal site product pissed off Facebook greatly. But you should read the op-ed from July by Orin Kerr about this case — brace yourself for your freak out.
  • From the archives: Interview with John Arquilla on cyberwarfare (FRONTLINE) — Perspective on the origins of current cyberwarfare policies arising from the Bush administration post-9/11. As you read this, keep in mind Arquilla is a proponent of preemptive warfare and the use of cyberwarfare against terrorism.
  • Twitter as a government tool against the people (Bloomberg) — We take for granted we can type anything we want in social media. Not so in much of the rest of the world, and Twitter is an example of social media with great potential both to inform and to put users at risk where speech is not free. Although after the recent revelations Twitter sold data to a U.S. intelligence front, speech isn’t exactly free on Twitter for U.S. citizens, either.

Longread: Did newspapers screw up?
We’ve watched the decline of newspapers for over a decade as their analog business model met the reality of a digital age. Jack Shafer wrote about the possibility newspapers may have made a critical error during the generational shift to online media — perhaps the seasoned existing outlets should have remained firmly committed to print. Two key problems with this analysis: 1) printing and distribution remain as expensive as all other factors in producing a newspaper, and 2) the population consuming newspaper content is changing, from a print-only to a digital-only audience. This must be acknowledged or newspapers will continue to struggle, and large papers will continue to pursue consolidation in order to reduce costs to operate.

With that in mind, I still don’t understand why The Washington Post, owned by Jeff Bezos, hasn’t opted to offer a Kindle to subscribers willing to pay for a full print subscription a year in advance. A low-level Kindle is cheaper than the cost to print. Ditto for The New York Times; why hasn’t it considered a tie-up with Kobo or another e-reader manufacturer?

That’s it for this week; have a good weekend!

Tuesday Morning: Flip Off

Flip off a few caps; Death came for a few more well-loved artists. Rest well, Glenn Frey, Dale Griffin, Dallas Taylor. Gonna’ be one heck of a band on the other side. [Edit: Mic Gillette, too? Stop already, Grim Reaper, check your targeting.]

Hope the cull is done because obituaries are not my thing. Hard to type and sniffle copiously at the same time.

GM Opel dealers may be altering emissions control software on Zafira diesel cars
Great, just great. Like GM didn’t have enough on its plate with the ignition switch debacle. A Belgian news outlet reports GM Opel dealers have been changing the software on the 2014 Zafira 1.6l diesel engine passenger vehicles in what looks like a soft recall. This comes on the heels of an EU-mandated recall of Zafira B models due to fires caused by bad electronics repairs. Sorry, I don’t speak Dutch, can’t make out everything in this video report. What little I can see and read doesn’t look good. Wouldn’t be surprised if the EU puts the hurt on GM Opel diesel sales until all are fixed to meet EU emissions regulations. Should also note that a different electronics manufacturer may be involved; images online of ECUs for late-model Zafiras appear to be made by Siemens — unlike Volkswagen’s passenger diesel ECUs, which are made by Bosch.

Texas manufacturer swindled out of cash by fraudulent email request, sues cyber insurer
AFGlobal, based in Houston, lost $480,000 in May 2014 after staff wired funds based on orders in emails faked by crooks overseas. The manufacturing company had a cyber insurance policy with a subsidiary of the Chubb Group, and filed a claim against it. The claim was denied and AFGlobal filed suit. This isn’t the first such loss nor the first such lawsuit. Companies need to create and publish policies documenting procedures for authorizing any online payments, including two-step authentication of identities, and review overall spending authorization processes with an eye on audit trails.

Ukrainian officials say Kiev’s main airport hacked
Hackers who attacked Ukrainian power companies in late December are believed to be responsible for the malware launched on Kiev’s airport servers. There are very few details — okay, none, zero details — about the attack and its effect on airport operations. A military spokesman only said “the malware had been detected early in the airport’s system and no damage had been done,” and that the malware’s point of origin was in Russia. Among the details missing are the date the attack was discovered and how it was detected, as well as the means of removal.

Hold this thought: FBI still looking for info on cable cuts, with eye to Super Bowl link
Remember the post last summer about the 11 communications cable cuts in the greater San Francisco Bay Area near Silicon Valley? This is a hot issue again, given the impending Super Bowl 50 to be held at Levi’s Stadium in Santa Clara. But reports now mention 15 or 16 cuts, not 11 — have there been more since last summer, or were there more not included in the FBI’s request for information? I’ll do some digging and post about this in the near term.

All right, carry on, and don’t drink all the añejo at once.

Ukraine’s Power System Hacking: Coordinated in More than One Way?

[original graphic: outsidethebeltway.com]


Analysis by the SANS industrial control systems team determined the hacking of Ukrainian electrical power utilities reported on 23-DEC-2015 was a coordinated attack. It required multiple phases to achieve a sustained loss of electricity to roughly 80,000 customers. SANS reported they “are confident” the following events occurred:

  • The adversary initiated an intrusion into production SCADA systems
  • Infected workstations and servers
  • Acted to “blind” the dispatchers
  • Acted to damage the SCADA system hosts (servers and workstations)
  • Action would have delayed restoration and introduce risk, especially if the SCADA system was essential to coordinate actions
  • Action can also make forensics more difficult
  • Flooded the call centers to deny customers calling to report power out

An investigation is still underway, and the following are still subject to confirmation:

  • The adversaries infected workstations and moved through the environment
  • Acted to open breakers and cause the outage (assessed through technical analysis of the Ukrainian SCADA system in comparison to the impact)
  • Initiated a possible DDoS on the company websites

The part that piques my attention is the defeat of SCADA systems by way of a multiphased attack — not unlike Stuxnet. Hmm…

Another interesting feature of this cyber attack is its location. It’s not near sites of militarized hostilities along the border with Russia, where many are of Russian ethnicity, but in the western portion of Ukraine.

More specifically, the affected power company served the Ivano-Frankivsk region, through which a large amount of natural gas is piped toward the EU. Note the map included above, showing the location and direction of pipelines as well as their output volume. Were the pipelines one of the targets of the cyber attack, along with the electricity generation capacity in the region through which the pipes run? Was this hack planned and coordinated not only to take out power and slow response to the outage but to reduce the pipeline output through Ukraine to the EU?

Tuesday Morning: Wow, You Survived Business Day 1

The post-holiday season debris field continues to thin out, making its way by the truckful to the landfill. I wonder how much oil the season’s plastic wrappings consumed.

Here’s what the trash man left behind this morning.

Hackers caused power outage — the first of its kind?
Marcy’s already posted about the electrical power disruption in Ukraine this past week, labeled by some as the first known hacker-caused outage. I find the location of this malware-based outage, in western Ukraine, disturbing. Given the level of tensions with Russia along the eastern portion of the country, particularly near Donetsk over the past couple of years, an outage in the west seems counterintuitive if the hackers were motivated by the Ukrainian-Russian conflict.

And hey, look, the hackers may have used backdoors! Hoocudanode hackers would use backdoors?!

Fortunately, one government is clued in: the Dutch grok the risks inherent in government-mandated backdoors and are willing to support better encryption.

‘Netflix and chill’ in a new Volvo
I’ve never been offered a compelling case for self-driving cars. Every excuse offered — like greater fuel efficiency and reduced traffic jams — only makes a stronger argument for more and better public transportation.

The latest excuse: watching streaming video while not-driving is Volvo’s rationalization for developing automotive artificial intelligence.

I’m not alone in my skepticism. I suspect Isaac Asimov is rolling in his grave.

US Govt sues pollution-cheater VW — while GOP Congress seeks bailout for VW
WHAT?! Is this nuts or what? A foreign car company deliberately broke U.S. laws, damaging the environment while lying to consumers and eating into U.S.-made automotive market share. The Environmental Protection Agency filed suit against Volkswagen for its use of illegal emissions control defeat systems. The violation of consumers’ trust has yet to be addressed.

Thank goodness for the GOP-led House, which stands ready to offer a freaking bailout to a lying, cheating foreign carmaker which screwed the American public. Yeah, that’ll fix everything.

Remember conservatives whining about bailing out General Motors during 2008’s financial crisis? All of them really need a job working for VW.

Massive data breach affecting 191 million voters — and nobody wants to own up to the database problem
An infosec researcher disclosed last week that a database containing records on 191 million voters was exposed. You probably heard about this already and shrugged, because data breaches happen almost daily now. No big deal, right?

Except that 191 million voters is more than the number of people who cast a vote in the 2012 or even the 2008 presidential election. Given its size, this database must represent more than a couple of election cycles of voter data — and nobody’s responding appropriately to the magnitude of the problem.

Nobody’s owning up to the database or the problem, either.

Here’s a novel idea: perhaps Congress, instead of bailing out lying, cheating foreign automakers, ought to spend its time investigating violations of voters’ data — those folks who put them in office?

Any member of Congress not concerned about this breach should also avoid bitching about voter fraud, because hypocrisy. Ditto the DNC and the Hillary Clinton campaign.

Whew, there it is, another mark on the 2016 resolution checklist. Have you checked anything off your list yet? Fess up.

Power Imbalances in Ukraine

The western press is ginning up alarm because hackers caused a power outage in Ukraine.

Western Ukraine power company Prykarpattyaoblenergo reported an outage on Dec. 23, saying the area affected included regional capital Ivano-Frankivsk. Ukraine’s SBU state security service responded by blaming Russia and the energy ministry in Kiev set up a commission to investigate the matter.

While Prykarpattyaoblenergo was the only Ukraine electric firm that reported an outage, similar malware was found in the networks of at least two other utilities, said Robert Lipovsky, senior malware researcher at Bratislava-based security company ESET. He said they were ESET customers, but declined to name them or elaborate.

If you buy that this really is the first time hackers have brought down power (I don’t), it is somewhat alarming as a proof of concept. But in reality, that concept was proved by Stuxnet and the attack on a German steel mill at the end of 2014.

I’m more interested in the discrepancy in coverage between this and the physical sabotage of power lines going into Crimea in November.

A state of emergency was declared after four pylons that transmit power to Crimea were blown up on Friday and Saturday night. Russia’s energy ministry scrambled to restore electricity to cities using generators, but the majority of people on the peninsula remained powerless on Saturday night.

Cable and mobile internet stopped working, though there was still mobile phone coverage, and water supplies to high-rise buildings halted.

[snip]

On Saturday, the pylons were the scene of violent clashes between activists from the Right Sector nationalist movement and paramilitary police, Ukrainian media reported. Ukrainian nationalists have long been agitating for an energy blockade of Crimea to exert pressure on the former Ukrainian territory.

There was even less attention to a smaller attack just before the New Year. (h/t joanneleon, who alerted me to it)

Officials said concrete pylons supporting power lines near the village of Bohdanivka, in southern Ukraine’s Kherson region, were damaged on Wednesday night.

“According to preliminary conclusions of experts… the pylon was damaged in an explosion,” a statement from police said on Thursday.

[snip]

Crimean Tatar activist Lenur Islyamov suggested that strong winds might have brought down the pylon and denied that Tatar activists had been behind the latest power cut.

While the physical attack did get coverage, there seemed to be little concern about the implications of an attack aiming to undercut Russian control of the peninsula. Whereas here, the attack is treated as illegitimate and a purported new line in the sand.

I get why this is the case (though the press ought to rethink their bias in reporting it this way). After all, when our allies engage in sabotage we don’t consider it as such.

But the US is just as vulnerable to physical sabotage as to cyber sabotage, as an apparently still unsolved April 16, 2013 attack on a PG&E substation in Silicon Valley demonstrated, and as the case of Crimea shows, physical sabotage can be more debilitating. We should really be cautious about what we treat as normatively acceptable.

Russia’s Sabre-Rattling: Not Just Bluster About Banks and Ukraine Unrest
Last Friday, CNBC interviewed Andrey Kostin, CEO of Russia’s second largest bank, following the EU’s decision to extend economic sanctions against Russia, ostensibly to punish Russia for hostilities against Ukraine. Kostin’s comments were combative.

“You know, we have quite a strong opinion on sanctions. Sanctions, in other words, is economic war against Russia. Economic war will definitely have and will have very negative implications on the Russian economy, but more than that it will have very negative implications on the political dialogue and on security in Europe. And who wants to live in a less secure world? I think nobody. I think it’s the wrong way to treat Russia like this. I think it will never to lead to any other consequences as to less stability and less secure Europe.” [sic]

“You can’t treat any country like this. You know you can’t say, ‘if you behave rightly, that’s a small [weep*] for you, if you behave wrongly, that’s a big [weep*] for you.’ That’s not a dialog, that’s a threat. … I think we should talk. I mean, politicians should talk, like business men. Business men do talk, and they are interested in working together. …”

In short, Russia feels the sanctions are warfare, and they want to deal. They’d really like the asymmetric attack on finance to stop short of terminating Russian banks’ access to SWIFT (the impact of which WaPo spells out).

But the banks’ discomfort with the sanctions and continued incursions against Ukraine aren’t the only signs of Russian belligerence. By year end, there had been forty events characterized as “close military encounters” during 2014, according to European Leadership Network, a non-partisan, nonprofit think tank.

Kerry Castigates Putin For Using US Strategy of Training, Arming Rebels

So far, I have suffered no ill effects from this outdated beer.

Aside from the fact that the only craft beer served at the National Security Caucus session at Netroots Nation 2014 was an outdated California beer rather than a local Michigan beer, it was a session marked by interesting discussion. I received quite a bit of support during that discussion for noting that the US response to any crisis anywhere, for far too long, has been simply to ask “Which group should we arm?” Further, I noted, as we had heard in the “Iran: Diplomacy or War?” session, there is reason for optimism among those of us who favor diplomacy over violence in the successful removal and ongoing destruction of Syria’s chemical weapons rather than the missile strikes the US had been planning and in the remaining strong possibility of a diplomatic solution to the Iran nuclear technology issue instead of a war to destroy the technology. I illustrated that point by mentioning the tragic downing of MH17 and how that demonstrated the folly of training and arming rebel groups that often veer into extremist actions that result in atrocities. That point ties to the mad push to arm Syria’s rebels with shorter range MANPADS antiaircraft missiles even though they are less powerful than the Buk missile that took down MH17. As I noted, will Syrian “moderates” promise us never to take the MANPADS to a site where civilian aircraft are within range, and would there be any reason to believe such a promise?

In executing his Full Ginsburg yesterday, US Secretary of State John Kerry reached new heights of hypocrisy, as he went from Sunday morning talk show to talk show, proclaiming the evils of Russian actions in Ukraine. The evils for which Kerry is castigating Putin are precisely the evils that the US has been unleashing on the world in places like Iraq, Afghanistan, Yemen, Syria and beyond. From today’s New York Times:

In presenting the most detailed case yet alleging Russia’s involvement in the Ukraine crisis, Secretary of State John Kerry said on Sunday that Russia had funneled large quantities of heavy weapons to Ukrainian separatists and trained them how to operate SA-11 antiaircraft missiles, the type of system that is believed to have been used to shoot down the Malaysian airliner over eastern Ukraine.

“We know for certain that the separatists have a proficiency that they’ve gained by training from Russians as to how to use these sophisticated SA-11 systems,” Mr. Kerry said on the CNN program “State of the Union.”

Just as when CIA Director John Brennan got his panties in a wad over al Qaeda training death squads in Syria after we had trained our own death squads to send there, Kerry is now saying that Russia choosing a group to arm and train is a horrible thing even though he has been instrumental in helping the Obama administration to do the exact same thing in other areas.

And just as the US now faces problems in its upcoming training of Iraqi troops because of the previous failures in training Iraqi troops, there is reason to believe that the atrocity of MH17 may be due in part to failed training by the Russians. From today’s Washington Post:

Meanwhile, in Kiev, the U.S. Embassy said American intelligence analysts had confirmed the authenticity of recorded conversations in which rebel leaders bragged about shooting down what they thought was a Ukrainian military transport plane moments after the Malaysian jetliner was blown apart.

So even though the separatists are good at using the missiles to blow aircraft out of the sky (the Times article notes they have downed “almost a dozen Ukrainian transport planes, reconnaissance aircraft and helicopters”), it would appear that they haven’t quite worked out that whole target verification thing, and that this tragedy may not have been an intentional targeting of civilians so much as a training failure. But yes, the Russians own a large portion of this tragedy, as the evidence seems strong that they provided the weapon along with instructions on firing it (if not the full lesson on target verification). And their tactics in doing so were taken directly from the US playbook, all the way down to the training being an abject failure.