Weekend Cyberattacks Target NATO, U.S. Military Commands
Russian group hits several NATO websites on eve of Crimea vote, but U.S. military denies Syrian hacktivists breached CENTCOM, PACOM, others. By Patrick Tucker
From the Middle East to Ukraine, it was a great weekend for anti-Western hacktivists looking to score cheap shots. Both NATO and U.S. Central Command fell victim to separate cyberattack attempts on the eve of the Crimea referendum to secede from Ukraine and join Russia.
The Syrian Electronic Army, or SEA, an anonymous hacker group sympathetic to Syrian President Bashir al-Assad's regime, took to Twitter on Friday to announce that they had successfully hacked into networks of CENTCOM, which oversees U.S. military operations from Turkey to Afghanistan, as well as Pacific Command. The group claimed to have stolen "hundreds" of documents and that more information would be forthcoming, an indication that they may intend to release the documents to the public. The group posted a picture purporting to be a screen capture of the folders containing the files.
In the coming days we will update you with specific details and hundreds of documents that the #SEA has obtained.
— SyrianElectronicArmy (@Official_SEA16) March 14, 2014
If the claim is true, then the group has made good on a threat from earlier in the month in which they announced plans to hack the Tampa-based command. The SEA claims that the attacks are a response to the Obama administration, which intended to launch cyber operations against the Syrian regime as revealed last month in The New York Times. The screen capture that SEA published lists a network of folders titled with the names of U.S. military organizations, including PACOM, Fleet Forces Command and several Air Force offices, including Air Force Cyber Command.
“CENTCOM assures me no attack or intrusion. False rumor,” Pentagon press secretary Rear Adm. John Kirby told Defense One on Sunday. CENTCOM spokesperson Oscar Seara told Defense One on Saturday that the agency "had no indications of any kind of a breach, whatsoever."
It was all quiet out in the Pacific, too. “As of 1330 [1:30 p.m. EST] local time today, US PACOM has had no attempts to breach any of our network [sic] and we're experiencing no disruptions at all. In other words, business as usual at PACOM,” said Maj. Dave Eastburn, PACOM spokesman.
Shortly after SEA tweeted its claims, the Defense Intelligence Agency’s former chief technology officer, Bob Gourley, told the The Tampa Tribune that the files shown in the screen picture did not appear to be of high value or indicate that any classified or sensitive systems had been accessed. CENTCOM's denial of an attack was, he said, “probably right.... Statistically if they have thousands of websites on servers around the globe there is a good chance that SEA has found a vulnerability in one of them. Certainly it is bogus in terms of SEA having any mission impact.”
SEA, in a subsequent tweet, claimed that the hacking was continuing and not all of the stolen files had been disclosed. "We didn't publish everything we have and the operation is still on-going so don't assume you what don't yet know."
A few hours after SEA boasted of its CENTCOM infiltration, a group called Cyber Berkut took credit for blocking access to several NATO sites, including the NATO Cooperative Cyber Defence Centre of Excellence. Shortly after the attacks were launched, the group wrote that they would not allow the presence of NATO in their "homeland."
The perpetrators used a series of distributed denial of service, or DDoS, attacks to take down the NATO sites. DDoS attacks flood websites with phony traffic rendering the sites inaccessible from the outside. NATO officials would not comment on the origin of the attack or the identity of the attackers. A NATO official described it as "certainly a significant denial of service attack, well-coordinated and has lasted a fairly long time." DDoS attacks are not considered invasive, so the attackers are not able to steal data. NATO was attempting to fix the problem by filtering out those Internet protocol, or IP, addresses that were flooding the NATO sites with faux traffic.
Shortly after the attacks, NATO press representative Oana Lungescu tweeted that they "hadn't affected the integrity of #NATO's systems. And as @IlvesToomas tweeted, http://ccdcoe.org is back up." The Cooperative Cyber Defence Centre of Excellence is a think tank associated with NATO, but not part of the NATO chain of command.
"There are literally over 100 NATO websites from all the different headquarters. Only a handful were affected. It happened to be the highest headquarters. It was localized to Brussels. The [headquarters] in Italy, Germany, dozens all over the world were not affected," the official said.
Peter Singer, director of Brookings’ Center for 21st Century Security and Intelligence and author of Cybersecurity and Cyberwar: What Everyone Needs to Know, questioned if the attack on NATO even rose to the level of being labeled an attack. "The NATO one was the umpteenth time someone failed yet again at the equivalent of trying to stand in the NATO public affairs building’s online lobby," Singer told Defense One.
NATO is taking steps to better protect itself from DDoS attacks, the NATO official said. "NATO is 28 nations, each one has experts in this. That's the power of the alliance. A threat against one is a threat against all."
While both the NATO attack and the CENTCOM hack occurred as Crimea was preparing to undergo a major secession vote, experts said that they saw no direct evidence that the two attacks were linked. The damage to NATO and CENTCOM appears to be minimal but the weekend's cyberattacks suggest that international disputes are likely to be marked by an increasing number of attempted hacks, defacements, cyber operations and misinformation campaigns ranging in severity and annoyance.
Pro-Western groups and organizations weren't the only ones who were targeted for Internet attacks over the weekend. The Russian news outlet Voice of Russia on Sunday reported that the website for the Crimea referendum vote – which the U.S. opposed -- had also seen an intrusion attempt. The origins of the attack seemed to be, Singer said, the United States.
"Indeed, someone is in the midst of doing the same to the Russians’ faux referendum office in Crimea, routing part of it through [the University of Illinois at Urbana–Champaign]."
Kevin Baron contributed to this report.