Collateral damage is, unfortunately, an all too familiar concept. Whether it is by design or accident, civilians and their property are often caught in the crossfire whenever there is conflict. While most people associate collateral damage with conventional warfare, collateral damage caused by cyber warfare is becoming increasingly common.
In international law, collateral damage is defined as "incidental loss of civilian life, injury to civilians and damage to civilian objects … caused by an attack on a lawful target." Of particular importance is the fact that collateral damage is incidental. If civilians are intentionally targeted, they are technically not collateral damage. Fortunately, such attacks are prohibited and classified as war crimes. As for true collateral damage, modern militaries seek to minimize collateral damage when possible.
Even though technology allows for the reduction in collateral damage in conventional conflicts, those same technological advancements have enabled collateral damage in cyberspace. Cyber attacks have the potential to inflict significantly more collateral damage than modern, kinetic attacks. While tragic, the accidental detonation of a single bomb is geographically limited in how much damage it can inflict. However, a computer virus doesn’t have the same geographic limitations of conventional weapons.
The Morris worm, one of the first computer worms, was developed in 1988 and was intended to simply highlight the weaknesses of computer systems of the time. Unfortunately, the worm was far more successful than its author intended and infected a few thousand of the approximately 60,000 computers connected to the internet at the time and cost between $100,000 and $10,000,000 in damages.
In fact, cyber collateral damage can be beneficial to the attacker. It can be used to achieve a desired outcome or simply test the capabilities of a particular attack. Intentional cyber collateral damage can be used to place pressure on a government or to simply create domestic chaos. Depending on the type of the attack, attackers can target specific victims and still benefit from collateral damage if the attack is indiscriminate. Often, there will be both intentional and unintentional collateral damage. The largest danger is that collateral damage spreads to unintended targets, which elicits a response that inadvertently escalates the situation.
To complicate the matter, defining collateral damage in the context of cyber warfare is challenging. While irrevocably encrypting an organization's data is obviously damaging, what if destructive malware is deployed to a system, but not activated? The data is technically not damaged at this point, but most would agree that the system's integrity has been affected. For the purposes of this discussion, cyber collateral damage to civilian computer systems will be defined as damage, whether incidental or intentional, resulting from a cyber attack that requires resources to remediate. The following historical examples illustrate the differences between unintentional, intentional, and indiscriminate collateral damage in cyber warfare.
Unintentional Collateral Damage
One of the largest examples of unintentional collateral damage in a cyber attack is the WannaCry virus. In May of 2017, the Wannacry virus rapidly spread throughout the internet. Reportedly developed by North Korea using the leaked EternalBlue exploit created by the National Security Agency, WannaCry infected over 230,000 computers in 150 different countries around the world and caused approximately $4 billion in financial losses.
The National Health Service hospitals in England and Scotland were significantly impacted by the virus and had to turn away patients and cancel appointments and surgical operations. Of particular note is that WannaCry included a relatively simple kill-switch. Once activated by security researchers, the virus shutdown and stopped infecting computers. Given the simplicity of the kill switch, researchers have theorized that WannaCry escaped its development environment and was accidentally unleashed on the world.
Less than two months later, NotPetya broke the record of damages set by WannaCry, causing an estimated $10 billion dollars in damages and impacting organizations in 65 countries. In the wake of the attack, the White House referred to it as “the most destructive and costly cyberattack ever.”
NotPetya was a destructive malware masquerading as normal ransomware. It was modeled after the original Petya ransomware, but didn't include a recovery mechanism. This means that, even if the victims paid the ransom, the attacker would not have been able to decrypt their data.
Researchers have attributed the attack to the Russian threat group Sandworm. The attack targeted Ukrainian organizations using a back door installed into tax-preparation software. However, the malware quickly spread beyond Ukraine due its use of EternalBlue, the same exploit used in WannaCry. One of the largest victims was the shipping giant Maersk. At the time, Maersk handled one fifth of the world's shipping and had to reinstall their entire IT infrastructure. Experts continue to argue whether or not the collateral damage of NotPetya was really unintentional as it definitely sent a message to all Russia’s adversaries.
Intentional and Indiscriminate Collateral Damage
While examples such as WannaCry and NotPetya are easy to classify as collateral damage, an argument can be made that cyber attacks that intentionally target civilian organizations or indiscriminately use cyber weapons that affect large numbers of organizations also produce collateral damage.
For example, in October 2021, the power grid in Mumbai, India went down, leaving millions of residents without power. While researchers were unable to definitively link the malware used in this attack to a specific threat actor, they were able to link it to previous attacks attributed to Chinese threat actors. Given the ongoing tensions between India and China, it is likely that the collateral damage was intended to send a message to the Indian government.
Between the extremes of intentional and incidental collateral damage resulting from a cyber attack is indiscriminate collateral damage. Given the nature of cyber weapons, they can easily spread far beyond their intended targets. While the WannaCry and NotPetya attacks spread far beyond their initial targets, it can be argued that many of the victims were unintentional. However, cyber weapons can affect others simply because the attacker is indifferent to the potential spread.
Russian cyber attacks are frequently referred to as "indiscriminate and reckless." One example is the SolarWinds attack in 2020. In this large-scale supply chain attack, Russian threat actors compromised the build process of SolarWinds' network management system and inserted malicious code containing a backdoor. While only about 100 organizations and a dozen government agencies experienced post-compromise activity, over 18,000 SolarWinds customers downloaded the update and were compromised.
The attackers may not have conducted post-compromise activities, but these victims still had to expend significant resources in incident response. Although it appears that the goal of the SolarWinds attack was cyber espionage, such an attack could easily be weaponized to deliver ransomware or wiper malware to disrupt systems in a large number of organizations all at once.
Potential Collateral Damage from Future Conflicts
While the current conflict between Ukraine and Russia would be the most pressing example of potential collateral damage, other conflicts with a significant cyber component would also be a source of concern. For example, should China attempt to invade Taiwan, significant cyber attacks would accompany the more conventional, kinetic attacks. A localized, hybrid conflict that includes cyber attacks would play out in a series of phases: preparation, kinetic warfare, and retaliation. Each of these phases have different potential targets that would be emphasized in cyber attacks and associated collateral damage.
Phase 1: Preparation
In the first phase, the attacker will prepare for kinetic warfare by targeting telecommunications infrastructure, including internet service providers and IT systems. In Russia's 2014 invasion of Crimea, Russian forces disrupted mobile phone service and other radio signals.
More recently, Microsoft identified a destructive malware, referred to as WhisperGate, that targeted Ukrainian organizations in January of 2022. The malware looked like typical ransomware, but does not include the ability to recover the encrypted data, much like the NotPetya malware used in 2017. In February 2022, Ukraine also suffered a series of distributed-denial-of-service (DDoS) attacks targeting government websites and banking systems.
Beyond performing cyber attacks against the target nation and its systems, cyber attacks could also target systems in other nations as a distraction. This could be done by state-sponsored threat actors or by proxies, such as cybercriminal actors, to create chaos as a means of diverting attention. Diversion attacks are a popular tactic leveraged in the preparation phase. Kaspersky researchers reported in 2016 that over half of the organizations surveyed believed that DDoS attacks were used as cover for other activities.
Phase 2: Kinetic Warfare
Once kinetic warfare begins, the attacker will expand cyber attacks to target critical infrastructure, oil, and energy production. Crippling these systems will hinder the defender's ability to effectively combat the attacker. Beyond affecting the defending military's abilities, crippling infrastructure also distracts the government's attention as it must divert resources to the civilian population.
The most well-known example of such an attack is Russia's 2015 cyber attack on the Ukrainian power grid. While over 230,000 Ukrainians were only out of power for a few hours, the effects rippled throughout the country and infrastructure damage took months to repair. The power grid attack was repeated the following year in 2016 with Kiev losing about one-fifth of its power. While Ukraine and Russia have been in conflict since 2014, it is important to note that both of these attacks were done during times of relative peace.
Years before, during the Russian invasion of Georgia, the Baku-Tbilisi-Ceyhan oil pipeline came under attack. While a terrorist group initially claimed responsibility, researchers discovered circumstantial evidence that indicated the true cause was a cyber attack that deactivated safety systems and initiated a sequence of events that led to the explosion.
Phase 3: Retaliation
Assuming the initiation of open warfare doesn't merit a response in kind, the worldwide community will most likely respond by imposing sanctions against the attacking nation. In the current Ukraine-Russia conflict, both the U.S. and European Union imposed largely financial sanctions on Russian banks and officials on Feb. 22, 2022. After Russia invaded, a series of additional sanctions expanded financial sanctions, imposed export restrictions, and even prevented public and private Russian aircraft from entering the airspace of many European countries.
One way the attacker can retaliate is by targeting the countries’ systems that imposed the sanctions. However, the aggressors must be careful to not cross a red line and provoke a more significant response from the sanction imposing nations.
Conducting cyber attacks on the critical infrastructure of these nations would certainly be construed as an act of war. Unfortunately, there are other systems that can be targeted which will have significant effects yet still avoid critical infrastructure, and the associated threat of escalation. For example, in May of 2021, JBS Foods, the world's largest meat supplier, was hit with a ransomware attack. The attack drove up wholesale meat prices and would have likely had more significant effects had JBS not paid the ransom to recover their systems.
The preparations for potential retaliatory strikes in the Ukraine-Russia conflict are most likely already in the works. A Department of Homeland Security bulletin from January 23, 2022, stated, "[w]e assess that Russia would consider initiating a cyber attack against the Homeland if it perceived a US or NATO response to a possible Russian invasion of Ukraine threatened its long-term national security." Researchers saw a dramatic increase in cyber activity by Russian threat actors at the end of January 2022. Unfortunately, Russia is not the only nation that has demonstrated the capability to initiate such cyber attacks against the U.S. and its allies.
While many organizations attempt to prepare contingencies for these situations when conflict seems imminent, the reality is that it is probably too late. Nation state threat actors often plan these attacks months to years in advance. If a victim is intentionally targeted, threat actors will gain access well in advance of the attack itself. They could conceivably quietly maintain access for years so they are able to weaponize it when needed.
Although some incidental and indiscriminate collateral damage will use zero-day exploits, standard cybersecurity best practices are still the first-line of defense. Beyond best practices, behavioral analytics of network traffic is still an excellent method for detecting novel attacks. For these to be effective, it is important for organizations to know what normal is for their network. This can then be used to identify anomalous traffic, be it between an internal host and external host or between two internal hosts.
Government officials including President Biden have stated how important collective defense is to defending against Russia in this conflict. In large-scale cyberattacks that spillover to unintended targets, collective defense provides visibility into a wide variety of networks. This visibility can be used to rapidly detect novel attacks and communicate them for the benefit of everyone.