Over the last few years, we have witnessed a wave of planted malware and cyber-attacks directed at governments, companies and other organizations. These range from Stuxnet, which sabotaged industrial control systems, and Flame, which spied on computers across the Middle East, to North Korea reportedly attacking systems in South Korea.
Yet the boundaries of cyber-warfare continue to expand. A new “Threat Intelligence Report” from Arbor’s Security Engineering & Response Team (ASERT) reports that there has been an uptick in advanced persistent threat (APT) activity aimed at members of the Tibetan community, as well as journalists and human rights workers based in Hong Kong and Taiwan.
The attackers' document-building tool, dubbed the "Four Element Sword Builder," produces weaponized Microsoft Office RTF documents that are used as the lure in these campaigns. Researchers examined 12 targeted exploitation incidents drawn from a larger set of attacks and found that the targeting matched a pre-existing pattern known as the "Five Poisons": Uyghurs, Tibetans, Falun Gong, members of the democracy movement and advocates for an independent Taiwan.
The targeting scheme, along with various malware artifacts and associated metadata, suggests that the threat actors have a Chinese nexus, Arbor reports. The perpetrators rely on spear-phishing to deliver the documents; once a recipient opens one, the dropped malware is used to view and steal data, encrypt and lock files, and carry out other destructive activities. The payloads observed include Grabber, T9000, Kivars, PlugX, Gh0StRAT and Agent.XST.
Arbor has also identified attacks using the Poison Ivy remote access trojan (RAT) aimed at activists in Myanmar, including behavior that the threat detection firm had not witnessed previously. Attacks of this kind have been unleashed across Asia over the past 12 months.
Unfortunately, this is just the tip of the proverbial iceberg. Other nation states, terrorist groups and criminal actors are ratcheting up the ferocity of their assaults. NPR recently reported that the U.S. is stepping up cyber-attacks on ISIS, including the use of surveillance and geolocation tools to identify the organization's leaders.
Amid all of this, there are few, if any, rules of engagement, and there are few of the protocols and restrictions that apply to conventional warfare. How and when cyber-attacks are justified remains murky.
For example, as the NPR story points out, what happens if the U.S. and its allies disrupt a cellular network that terrorists use, and in doing so also cut off a hospital that depends on the same network? When and how does a country fight back, particularly if it is not entirely clear who is perpetrating the attack?
For now, there are many more questions than answers, including what international treaties, if any, should govern this space. Michael Sulmeyer, former director of plans and operations for cyber-policy at the U.S. Defense Department, describes cyber-warfare as the "fifth domain" of conflict, following land, sea, air and space.