Inside the Shadow War: Cyber Baddies are Upskilling

In May 2021, gas stations along America’s East Coast ran dry, triggering chaotic scenes of motorists queuing for blocks to fill their tanks. The culprit? A ransomware attack that slashed the region’s gasoline supply by a staggering 45 percent. Just a month later, a similar attack paralyzed meat-processing factories owned by JBS, a company responsible for more than one-fifth of America’s beef supply. These were not mere inconveniences; they were strategic attacks that disrupted the lives of millions.

But don’t get too comfortable—this is just the tip of the iceberg. A report from the Congressional Research Service paints a sobering picture: cybercrime inflicts an annual global toll of $388 billion across the 24 nations studied. Marsh McLennan, an insurance firm, foresees 30 billion technological devices buzzing with activity by 2030. For those engaged in cyber warfare, these are bountiful hunting grounds, teeming with vulnerable government and organizational systems ripe for exploitation. While governments scramble to neutralize this digital menace, the very architecture of cyberspace makes it a haven for subterfuge and rapid-fire information warfare. This creates a labyrinth of challenges that sets cyberterrorism radically apart from its physical counterpart.

Cyberterrorism isn’t something that jumped into the discourse yesterday. The topic wormed its way into public consciousness during the late ’90s. Sure, it’s relatively young when juxtaposed against the United States’ broader experience with terror. Think back to the World Trade Center bombing in 1993 or the Oklahoma City bombing two years later—these were the cataclysmic events that nudged the Department of Defense into taking its first fledgling steps toward evaluating its cyber defense mechanisms. Yet, it wasn’t until the fallout of 9/11 that the American legislative machinery got into full swing, churning out regulations like the Patriot Act of 2001 and the Terrorism Risk Insurance Act of 2002. Still, for all their heft, these laws remain woefully inept at stemming the cyber tide.

Photo illustration by John Lyman.

The FBI now views ransomware as a peril as acute as the post-9/11 terrorist threats, as reported by the New York Times. But defining what constitutes “cyberterrorism” is no simple feat. Dataconomy, a tech news outlet, pegs it as “the use of computer networks or systems to intentionally cause damage, disrupt operations, and/or intimidate individuals”—a description that generally syncs with what other experts are saying. Yet, the Congressional Research Service emphasizes that the boundless and ever-morphing nature of the digital realm defies a singular, definitive characterization of cyberterrorism. This creates a frustrating, complex scenario for both companies and governments alike. There’s no universal dictionary term to point to, and therefore, no one-size-fits-all solution to tackle this hydra-headed beast.

As the cyber landscape continues to evolve in complexity, so does the challenge of pinning down what exactly we’re up against. The danger is not just in the nebulousness of the term, but in the inherent flexibility it offers to potential perpetrators, whether they’re rogue states, loose-knit groups, or lone wolves. The narrative is clear: the world needs to get a grip on the digital leviathan before it consumes us all. And if current strategies are anything to go by, we have our work cut out for us.

In 2017, the world witnessed two starkly different but equally chilling templates for cyber-terrorism—WannaCry and NotPetya. These headline-grabbing assaults wreaked havoc across the globe, particularly in the United Kingdom, where over 80 National Health Service (NHS) facilities found their computer systems crippled, leading to a backlog of canceled appointments and compromised patient care. The Guardian details how these attacks leveraged two digital-age innovations—encryption and Bitcoin—to streamline and anonymize the extortion process. Simply put, ransomware could now be monetized sans the red tape of traditional banking systems.

The WannaCry episode was, in many ways, the coming-out party for ransomware as a global threat. According to Marsh McLennan, the assault touched down in over 150 countries, resulting in financial damages north of $300 million. More critically, the attack threw the UK’s NHS into chaos, compromising the agency’s ability to offer life-saving medical treatments. Yet, Amyas Morse, the head of the National Audit Office (NAO), pointedly noted that WannaCry “was a relatively unsophisticated attack” that could have been sidestepped had the NHS followed elementary IT security protocols. Even more maddening? Fixes for the exploited vulnerabilities had been available since March, says the NAO report, but remained unimplemented—a staggering oversight with calamitous consequences, spotlighting the desperate need for mandatory digital awareness within organizations.

Barely a month had passed when NotPetya entered the scene, a more malevolent cousin to WannaCry. Unlike its predecessor, however, NotPetya wasn’t in it for the money. Distributed through a compromised version of leading Ukrainian accounting software, this ransomware rippled across internal networks far beyond Ukraine’s borders. Notably, The Guardian reports that the malware was poorly coded—those who paid the ransom discovered their data was forever lost, effectively making the money irrelevant. This divergence in motivation was corroborated by the NATO Cooperative Cyber Defense Centre of Excellence, which stated, “malware analysis supports the theory that the main purpose of the malware was to be destructive because the key used for encrypting the hard disk was discarded.”

The implications of NotPetya’s motives are disturbing, particularly considering its initial focus on Ukrainian accounting software. The country has been a hotbed of cyber warfare, frequently locking horns with Russia in the digital realm while simultaneously grappling with military confrontations over Crimea. The question, then, becomes whether NotPetya was a flex of cyber-muscle, a global crisis engineered to demonstrate raw power. The UK’s National Cyber Security Centre asserts that “the Russian military was almost certainly responsible for the ‘NotPetya’ cyber attack.” Though not definitively proven, it’s an analysis that carries weight, especially given Russia’s history of state-sponsored cyber-ventures. Case in point? The two-year Advanced Persistent Threat (APT) campaign initiated by Russia in 1996 laid bare volumes of classified information from U.S. governmental bodies, leaving national security in a precarious state.

The WannaCry and NotPetya incidents underscore the evolving faces of cyber-terrorism—from profit-driven catastrophes to seemingly nihilistic exhibitions of power. The alarm bells have sounded, and the call is clear: the world needs to get its cyber house in order, and fast. Because the next attack is not a question of if, but when—and the stakes are getting deadlier by the day.

During the initial days of the war, Russia used both cyber attacks and conventional attacks to great effect. (Aleksandr Baranov)

In the fog of the Russia-Ukraine war, one of the less visible but equally formidable battlegrounds is cyberspace. The German Institute for International and Security Affairs (SWP) reports that as of August 2022, Ukraine recorded over 1,123 cyberattacks during the war’s initial phase. The opening salvo from Moscow was catastrophic, disrupting Ukraine’s Viasat satellite communications network, an essential military communication channel, right before Russian tanks crossed the border. Yet Russia’s cyber onslaught has been less disruptive than anticipated, though no less dangerous.

The collective cyber wisdom initially screamed catastrophe. Nick Beecroft, a Carnegie Endowment Scholar, underscores the reality that Russia’s primary cyber efforts likely hinge on intelligence collection. High-value data, such as real-time geolocation information, can radically escalate the conflict, enabling chillingly targeted actions like the potential assassination of Ukraine’s President Volodymyr Zelensky or precise strikes against Ukrainian forces. What we’re seeing is not freelance hacking but a calculated move by Moscow to deploy state-sanctioned cyber-terrorism. International aerospace security company BAE Systems calls it a “license to hack”—essentially, carte blanche from the Kremlin for destructive digital undertakings, fully backed by governmental resources and impunity.

These state-sponsored hackers aim to cripple and destabilize enemy digital infrastructure, employing a cornucopia of digital terror tactics—from ransomware and DDoS attacks to data breaches. Though these acts can be lumped into the broader category of cyber warfare, the distinction lies in the motive. Cyber-terrorism serves as a dedicated, albeit sinister, arm of a state’s overall digital warfare strategy. It’s not merely an offshoot but a separate yet deeply interconnected key component.

One of the unexpected outcomes of this cyber siege is Ukraine’s resilience. Beecroft observes that Ukraine has managed to “deploy cyber defenses at a scale and depth never seen before,” a feat accomplished through an unlikely coalition of companies and governments united by a shared outrage over Russia’s invasion. Researchers at Talking About Terrorism emphasize that this sort of international cooperation is “critical” to combating cyber-terrorism. Yet the glaring deficiency lies in the lack of a cohesive global strategy—without united accountability from both state and non-state actors, we’re in a digital stalemate.

Forbes concurs, advocating for a new paradigm of geo-cyber stability—essentially, a mutual agreement among nations to harness the Internet for societal good while steering clear of actions that lead to “unnecessary suffering and destruction.” The robust cyber support Ukraine received from leading global enterprises and governments demonstrates the indispensable role of the private sector in safeguarding national digital networks. It’s a striking testament to how impactful collective action can be in deterring cyber threats.

The absence of an international legal framework for the digital realm remains a critical barrier, stalling global efforts for a unified front against cyber-terrorism. As technology advances, the threat landscape morphs, making national security ever more vulnerable. Cyber-terrorism isn’t just an issue; it’s an ever-evolving crisis. If governments worldwide don’t join hands to institute more robust digital protections and a globally recognized legal framework, we risk plummeting into a state of perpetual cyber instability. The Russia-Ukraine war has not just laid bare the raw power of state-backed cyber-terrorism; it’s served as a dire warning that the world can ill afford to ignore.

If you’re interested in writing for International Policy Digest – please send us an email via
