Last week, Brian Krebs reported that a Russian security vendor was attacked by Molotov cocktails after it published its analysis of an ATM skimmer. When cyber attacks become physical, it is an interesting trend to observe. Unfortunately, it seems the trend has been increasing during the past few years, with reports of physical attacks, “swatting” and even kidnapping, which can all be tied back to cyber security.
Most cyber attacks have real-world consequences, most frequently these consequences are economic; however, some cyber attacks have physical ramifications. For example, Stuxnet attacked Iranian SCADA systems that were being used to enrich uranium gas. The result was the physical failure of centrifuges.
The hacktivist group, Anonymous, also straddles this cyber-physical line. Early Anonymous operations include Project Chanology, which combined denial-of-service (DDoS) attacks with real-world protests. Later Anonymous operations, such as Operation Payback, were conducted almost entirely online through DDoS attacks. More recently, Anonymous has participated in real-world protests, such as the Occupy Movement, donning its eponymous Guy Fawkes masks and taking to the street to demonstrate solidarity.
Another practice that crosses the cyber-physical line is doxing, the tactic of researching personally identifying documents (hence: doxing) about a target for the purpose of further harassment. A more recent trend related to doxing is swatting, which spoofs phone calls to 911 in an effort to dispatch emergency services – primarily police and SWAT teams – to respond to the false report of an emergency situation.
In 2013, Brian Krebs found himself the target of a swatting attack (at the same time his Web site was under a DDoS attack) after reporting about a black market identity theft Web site. Krebs later learned that the young hacker responsible for the attack “got pissed that you released the site he uses.”
Krebs, in turn, was able to deduce the identity of one hacker and provided it to the police, which resulted in his eventual arrest. However, Krebs believes this arrest may have been a diversion from his true attacker.
It is worth noting that the swatting attack against Krebs was motivated by his publication and analysis of identity theft attacks. Similarly, the Molotov cocktail attacks against Dr. Web was motivated by the analysis of its ATM skimmer attack.
The “International Carders Syndicate” attacked Dr. Web after warning it to remove all references to ATM malware from its site. Dr. Web CEO Boris Sharov believes the Molotov attack was ordered over the Internet, “through a black market where you can order almost any crime…all the attacks had been ordered by the Internet. And since they never succeeded against our office, it showed us that not much money was paid for these attacks.”
Here we get to the most likely modus operandi for many of these cyber attacks that become physical: money. Brian Krebs was swatted because he threatened the economics of an identity thief. Dr. Web was firebombed because it threatened the economics of ATM skimmers. Eugene Kaspersky, son of Kaspersky CEO Yevgeny Kasperky, was kidnapped for a ransom. Silk Road mastermind Ross Ulbricht, hired multiple hitmen through his black market forum, in an effort to track and kill those that sought to expose him.
Unfortunately, it seems that lines between the digital realm and the real world are increasingly blurring. It is unlikely that these cyber-motivated physical attacks will be the last. The only good news for information security practitioners is that it remains highly unlikely that any of these physical attacks would ever target their enterprises. These physical attacks have been motivated by money (or desperation) when the anonymity of the Internet has been threatened.
One final parting thought is that if cyber attacks are becoming physical, why can’t cyber security become physical as well? In fact, it can. Bromium vSentry utilizes hardware-isolated micro-virtualization, which creates a secure environment where users tasks are isolated from each other, the protected system and the network. If you’re interested in learning more about how physical security can be applied to information security, please visit: http://www.bromium.com/products/our-technology.html