Europeans began planned testing of their ability to defend against sophisticated computer hacking attacks today following the announcement of new sanctions on Russian individuals and companies.
More than 200 government and private organizations from 29 countries in Europe began what they described as one of the largest tests ever of their ability to defend vital computer networks. While the exercise is a bi-annual event, the timing coincides with new warnings from U.S. officials and security specialists that Russian hackers may respond to sanctions by attacking the networks of U.S. banks and other companies.
“The incidents in Cyber Europe 2014 are very realistic, mimicking unrest and political crisis at a pan-European level, disrupting services for millions of citizens across Europe,” Udo Helmbrecht, executive director of the European Union Agency for Network and Information Security, which is organizing the cybersecurity stress test, said in a statement.
The Obama administration today imposed sanctions on seven Russian officials and 17 companies linked to Russian President Vladimir Putin’s inner circle involved in banking, energy and infrastructure.
Two people with knowledge of a White House review of the effects of further penalties on Russia said April 25 it includes revisiting previous classified exercises in which small numbers of computer experts showed they were able to cripple the U.S. economy in a few days. U.S. officials involved in the review didn’t respond to questions about whether the study explores the risk of cyber-counterattacks.
Cybersecurity specialists consider Russian hackers among the world’s best at infiltrating networks and say evidence exists that they already have inserted malicious software on computers in the U.S.
The Financial Services Roundtable, an industry group that includes Citigroup Inc. and Bank of America Corp., is watching for any signs of hacking attacks, although nothing appears imminent, Paul Smocer, head of the technology policy division of the Washington-based trade group, said in a telephone interview April 25.
“A cyber-attack is a real concern that we all need to have,” Smocer said. “Nation states’ ability to launch cyber-attacks is certainly real nowadays, and so in any conflict, I think that the possibility exists as we worry about escalation.”
The European Union today imposed new sanctions on 15 Russian officials. The U.S. and European sanctions are over Russia’s conflict with Ukraine, where officials say Putin’s government is helping fuel a separatist movement as part of efforts to destabilize their country.
If Russia decides to retaliate for new sanctions on its banks and Putin associates, it could be difficult to trace any cyber-attacks to his government because hackers can easily mask their identities and locations online.
It took experts months to trace an eight-month series of distributed-denial-of-service, or DDOS, attacks on the largest U.S. banks in 2012 and 2013 to Iranian hackers calling themselves the Al Qassam Cyber Fighters and retaliating for U.S. and international sanctions on that country. Such attacks flood websites with Internet traffic to knock them offline.
“There’s been a history of cyber-attacks against the industry, so we’ve prepared in terms of both strong defenses and strong information-sharing,” Smocer said.
U.S. officials, though, say Congress’s failure to pass new legislation allowing companies to share information on cyber-attacks without fear of antitrust action or shareholder liability suits has hampered efforts to bolster the nation’s online defenses.
The officials, who requested anonymity to discuss policy matters that involve classified material, also said that while some of former National Security Agency contractor Edward Snowden’s revelations about U.S. cyber espionage exposed excesses, the resulting public backlash has made intelligence agencies reluctant to take more aggressive action.
Russia, where Snowden now lives, has no such problem, the officials said, and its aggressive pursuit of offensive digital capabilities began in 2007 after a group of young Russian hackers carried out a series of denial-of-service attacks on Estonia. The hackers, they said, were angered by an Estonian plan to move a statue memorializing Soviet World War II soldiers from the capital of Tallinn to a more remote location.
While evidence indicates that the Russian government had no involvement with those attacks, since then Russia’s military and intelligence services have rapidly developed their capacity for offensive cyber-warfare, the officials said. Russia launched cyber-attacks against Georgia’s Internet infrastructure in 2008, and has used them again this year in Crimea and other parts of Ukraine, one of the officials said.
The attacks against Estonia used 100 megabytes per second, which is small compared to the capabilities that now exist, said Jaime Blasco, a malware researcher and labs director for AlienVault LLC, a network-security company based in San Mateo, California.
A DDOS attack in December on unnamed companies in the U.S. and France used 400 gigabytes per second, Blasco said in a telephone interview. That’s 4,000 times larger than the Estonia attacks.
“Russia could launch denial-of-service attacks against critical infrastructure in the United States,” he said. “It could be much bigger than we have ever seen.”
Large DDOS attacks have spiked so far in 2014, according to new data compiled by network-security company Arbor Networks Inc. in Burlington, Massachusetts.
The company has tracked a 1.5 percent increase in attacks using at least 20 gigabytes per second in 2014 compared with all of 2013, the largest being a 325 gigabyte-per-second attack against a target in France in February that lasted four hours and 22 minutes, according to the company.
A network of computers called Dirt Jumper that’s been used in denial-of-service attacks is believed to have been created in Russia, Dan Holden, director of security research for Arbor Networks, said in a telephone interview.
“Historically speaking, the Russians probably are the best spies in the world,” he said.
If Russian hackers wanted to attack U.S. targets, they would have thousands of Internet-connected devices to use, including off-the-shelf routers inside many American homes, Holden said. A network of multiple computers hijacked with malware to attack websites is known as a botnet.
“You could have bot zombies in America attacking America,” he said. “Think of all the companies in the U.S. that are doing business on the Web, whether they’re selling computers or whether they’re selling pizzas.”
Russian hackers also are believed to have already infiltrated U.S. computer networks, said Jen Weedon, manager of threat intelligence at computer security company FireEye Inc.
“A lot of the security community is tracking specific malware campaigns targeting the energy industry and attributing them to Russian actors,” Weedon said in a telephone interview. FireEye has seen similar campaigns targeting the computer technology, health-care and manufacturing industries, as well as local governments, she said.
The malware is believed to be of Russian origin, though direct attribution to the government is difficult to determine, and it creates “back doors” to access computers and steal data, she said.
Weedon said those back doors also could be used for carrying out destructive attacks. Even so, she doubted that destructive attacks would occur and said that if freelance hackers tried to carry them out, the Russian government would intervene.
“If they were suddenly to attack U.S. assets, I think that would cross a red line,” she said. “What incentives do they have to allow that to happen or do it themselves? I think they would expect a U.S. response, and the U.S. probably would respond.”
Other experts are less confident.
“Our experience and evidence tends to support the notion that Russia is sufficiently organized and equipped to wage a very effective cyber-guerrilla campaign against the U.S. and avoid public attribution,” said Rodney Joffe, senior vice president and chief technologist for Sterling, Virginia-based Neustar Inc.