Cyjax Geopolitical Podcast – January 2020 – The Blog


Check out the podcast on our YouTube channel – here.

Iran

Iran dominated the headlines at the beginning of January after a US drone strike killed Iranian Major General Qassem Soleimani. In the immediate aftermath of the strike, the media, numerous cybersecurity vendors, and even various governments warned of swift retaliation from Iran: World War 3 was mooted; US critical infrastructure was claimed to be under immediate threat of cyberattack.

There were protests in the streets of Tehran, MPs in the Iranian parliament chanted “death to America”, and missiles were launched at various US-linked airbases in Iraq; the situation appeared perfectly poised to be spun in favour of the Iranian regime and against the US administration. Then the Iranian military mistakenly shot down Ukrainian Airlines flight 752 with the loss of everyone on board, including dozens of Iranians and Canadians. Once more the Iranian regime was under pressure from both the international community and its own people, reeling from one calamity to another.

From the moment of Soleimani’s death, however, de-escalation appears to have been the actual aim of both parties in this geopolitical tinderbox. The Iranians know they cannot win a ground war with the US, let alone if various American allies in the region, Iraq, Saudi Arabia, and others were to assist. As such, it is a fair assumption that the country’s cyber-capability will be used to hit US proxies in the Middle East, rather than risk provoking a conventional military response from the Americans. Will the energy sectors of Iran’s immediate neighbours be targeted, as they have been in the past, or will poorly protected US banks, for example, be the next avenue of attack? Will we see Shamoon Three? One thing is for sure: Iran has shown it has the technical expertise to bring down targets of critical importance, and there is no reason to suspect that it will not do so again.


East Med Pipeline

A little further west and a less bloody but equally globally significant geopolitical wrangle has been shaping up in the Mediterranean between Greece and Turkey – with Israel and Cyprus also in the mix. New maritime boundaries agreed between Libya and Turkey in November 2019 redrew the political map of the Aegean without so much as consulting the Greek administration. Then, at the beginning of this year, Israel, Greece, and Cyprus signed an agreement to build the EastMed pipeline, which will ship natural gas from the Eastern Mediterranean region to Europe, eventually providing around 10% of the continent’s natural gas. The pipeline is slated to run straight through the newly arranged Turkey-Libya economic zone in the Mediterranean. Israel, meanwhile, is also making waves, as a result of the aptly named Leviathan gas project which is likely to make the country a net gas exporter.

Some have commented that an energy war in the Mediterranean is a genuine possibility. This seems far-fetched, though: the NATO membership of the key players, Greece and Turkey, draws a clear red line against military action of any sort. Cyberattacks, however, are another matter entirely. Whilst we are not suggesting that the Turkish state could or would hit Greek targets of any serious value, we have seen small, politically motivated attacks from threat actors loyal to the Turkish regime: the Greek foreign ministry, its parliament, and the Athens Stock Exchange, among others, were hit by DDoS and defacement attacks in late January.

There is no suggestion that these were state-sanctioned attacks, and it should be noted that DDoS attacks against government domains are rarely more than a nuisance at most. But the reality is that attacks such as these – as is also the case with the targeting of numerous Israeli and Israel-linked domains in operations such as #OpIsrael – show the potential public support for bigger cyber-strikes should the need arise. Embattled regimes strike out, as a show of strength to the outside world and in the hope of distracting their citizens from the paucity of democracy or other hardships they may be suffering. An under-pressure Erdogan may – in the absence of traditional military options and facing growing unrest at home – choose to execute destructive cyberattacks with plausible deniability.


Impeachment

Another of the major stories of January 2020 has been the impeachment of US President Donald Trump on charges of abuse of power and obstruction of Congress. Cybercriminals were quick to use the impeachment as a way of gaining more victims, but perhaps not in the way most people would expect. It was reported in the last days of January that the developers of the TrickBot Trojan had inserted snippets of articles from CNN and the Independent into the Trojan’s code, thus changing the hashes of the malware and potentially bypassing security software because content from those media institutions is whitelisted. It is unclear how successful this novel tactic was in terms of numbers of infections, but it does serve as a demonstration of the creativity of malicious developers at the top of their game.

In our podcast, we touched on the question, “Is truth under threat?”, the answer to which seemed to be that it’s “teetering on the edge”. While it is President Trump who is believed to have been duplicitous, lead House impeachment manager Adam Schiff has demonstrably stretched certain facts to fit his arguments, and other players in the case have been shown to have downright lied. In a hyper-partisan environment, the delicacy with which the facts have to be handled is highly important, as is the critical role of trust in politics, politicians, and democratic institutions. In the absence of both of these factors lies fertile ground for malicious actors to push the two sides further apart – and this goes for the 2020 presidential election as much as it does for the impeachment trial.

One way to drive a wedge between two sides of a political argument is through the dissemination of disinformation, fake news, or whatever you want to call it. Advanced Persistent Manipulators (APM) are only the latest in a long line of threat actors seeking to warp the democratic process in various countries. These APMs are an evolution of the Advanced Persistent Threat (APT) groups that are generally state-sponsored and have been used by various countries around the world to further their geostrategic interests. APMs are being used in much the same way: one example of this was a recent fake story that Iranians were being detained at the US-Canada border, irrespective of citizenship. In this case, what matters is not that the story was a complete falsehood, but that it was picked up so quickly, treated as fact by people on both sides of the argument, and ended up hardening everyone’s position rather than facilitating a helpful dialogue. It is through the persistent dissemination of stories like this, over long periods of time, that the middle ground is abandoned in favour of more partisan positions.


Novel coronavirus

It was never going to take long for malicious actors to start spreading fake information concerning the novel coronavirus. The World Health Organisation (WHO) recently declared that the coronavirus outbreak was a global health emergency, mainstream media outlets in countries around the world carried stories that were finely tuned to convey the severity of the situation, and social media was alight with warnings of this virulent disease spreading throughout the globe: all this despite a significantly lower infection rate than the SARS virus, a comparable global health crisis in 2003 which also originated in China.

Among the stories of travellers trapped in China and others unable to return home was a supposedly live map of a plane, travelling from China to San Francisco, carrying numerous sick passengers. This tracker was completely fake but could have resulted in panic amongst the population of a city apparently about to receive highly contagious visitors.

In a slightly different abuse of people’s concern over the coronavirus, the controllers of the Emotet botnet – described by some researchers recently as the most dangerous malware in the world – used emails purporting to have attached notices regarding infection-prevention measures for the disease. The majority of the emails that have been spreading this malware were written in Japanese, with the malicious actors behind this campaign specifically targeting those areas of the globe, predominantly East Asia, that have been more heavily impacted by the outbreak. In an extra display of cunning, the subject of the emails contains the current date and the Japanese word for “notification,” in order to make it even more likely that an already scared recipient will open the attachment and infect their device with malware.
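A defender-side heuristic for the lure pattern just described, written here as an added example and not code from the podcast or from Cyjax: it scores mail-gateway records on the three signals the paragraph names (the Japanese word for “notification”, a subject date that matches the day the mail arrived, and a macro-capable attachment). The record format and the sample messages are constructed for illustration.

```python
import re
from datetime import date

# Constructed sample mail-gateway records, not real Emotet telemetry.
# "received" is the gateway's date; a lure subject repeats that same date.
SAMPLE_MAIL = [
    {"received": "2020-01-30", "subject": "2020年1月30日 通知 感染予防対策について",
     "attachments": ["通知.doc"]},
    {"received": "2020-01-30", "subject": "2020年1月30日 通知",
     "attachments": ["notice.docm"]},
    {"received": "2020-01-30", "subject": "請求書 2019年12月10日",
     "attachments": ["invoice.pdf"]},
    {"received": "2020-01-30", "subject": "会議の議事録", "attachments": []},
]

JP_DATE = re.compile(r"(\d{4})年(\d{1,2})月(\d{1,2})日")
ISO_DATE = re.compile(r"\b(\d{4})[-/.](\d{1,2})[-/.](\d{1,2})\b")
# Office/RTF types that can carry the macro or exploit document Emotet used.
MACRO_CAPABLE = (".doc", ".docm", ".xls", ".xlsm", ".rtf")


def subject_dates(subject):
    """Return every calendar date written in the subject, Japanese or ISO style."""
    found = []
    for pattern in (JP_DATE, ISO_DATE):
        for year, month, day in pattern.findall(subject):
            try:
                found.append(date(int(year), int(month), int(day)))
            except ValueError:
                pass  # e.g. 2020年13月40日 is not a real date; ignore it
    return found


def lure_score(msg):
    """Score one message: the more lure signals present, the higher the score."""
    received = date.fromisoformat(msg["received"])
    score = 0
    if "通知" in msg["subject"]:
        score += 1  # the "notification" word from the campaign subjects
    if received in subject_dates(msg["subject"]):
        score += 2  # subject date equals arrival date: the "current date" trick
    if any(a.lower().endswith(MACRO_CAPABLE) for a in msg["attachments"]):
        score += 2  # macro-capable attachment present
    return score


def flag_lures(messages, threshold=4):
    """Indices of messages at or above the threshold, for quarantine or review."""
    return [i for i, m in enumerate(messages) if lure_score(m) >= threshold]
```

A genuine notice that happens to carry today's date but no Office attachment scores below the threshold, so the rule is a triage aid rather than a block rule.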

Is this the logical conclusion of the anti-vax movement: convincing people that a spurious scare story is the truth and causing them to change their behaviour to their detriment? Or are populations in 2020 more media-savvy than ever? Will disinformation play a defining role in the 2020 presidential election? And will tensions in the eastern Mediterranean be played out in cyberspace? Tune in next month as we look back on our comments from January and tackle a host of new topics, as well.