‘There are now three certainties in life – there’s death, there’s taxes and there’s a foreign intelligence service on your system’ – Head of Cyber at MI5 (2013)

Over the last two decades, the scale and severity of cyber attacks have varied enormously. It is probably safe to suggest that the secret sabotage of a nuclear facility by the Stuxnet worm is in a slightly different league to the theft of payment card data held by a commercial brand like Chipotle. Nonetheless, there are several underlying attributes that provide a common framework for comparing unconnected incidents. The Diamond Model of Intrusion Analysis indicates that for every incident, there is:
There are also secondary meta-features which can provide additional context to the source of a cyber attack. A particularly interesting attribute involves the role of time and how it contributes to the success or failure of the attacker. It is apparent that when preparing and executing an attack, timing is pivotal.
It is widely known that detailed preliminary planning occurs in the preparation of a physical heist or a military operation. The date, and even the specific time, of execution can be crucial to a mission’s outcome. Time can also have an integral role throughout each phase of a cyber attack. Threat actors will factor in time when identifying targets, developing or configuring malware and deciding the precise moment to launch the attack. This is often calculated to increase the probability of infiltrating the target network or maximising the impact of the malicious cyber activity.
Choosing the right time to execute is a factor considered by all threat actors, irrespective of technical capability. Even an inexperienced ‘script-kiddy’ can increase the disruptive impact of a basic denial of service attack if the malicious packets are sent to the target at a predefined time. When coordinated with peers, a distributed denial of service can bring a website offline (where a series of single attacks would have been unsuccessful).
At the opposite end of the spectrum, a seasoned threat actor group will seek opportune moments to compromise a target organisation, pivot within the network and access critical assets. In combination with other attributes, such as the technical expertise of the hacking group, the timing of a targeted attack can determine whether the network security team will have any reasonable prospect of thwarting the intruders.
There are numerous examples where careful timing has directly contributed to the outcome of a cyber attack. In August 2012, the notorious Shamoon wiper malware corrupted the master boot record (MBR) of approximately 32,000 workstations belonging to the Saudi Aramco state oil company. The Iranian threat actors that are suspected to be responsible intentionally configured the malware to execute on the holiest night of Ramadan known as Laylat al-Qadr (لیلة القدر).
The attackers predicted that many company employees would be absent, decreasing the likelihood that the malware’s wiper activity would be detected. If the hacking group launched the destructive attack on a different date, it is possible that the Shamoon wiper would have been contained at an earlier stage, significantly reducing the financial costs incurred by Saudi Aramco to replace the computer infrastructure of the company.
Likewise, in a recent case in August 2018, an ‘unlimited cash out’ operation resulted in the theft of 944 million rupees (13.5 million dollars) from Cosmos Bank in India, after the internal network was compromised. The perpetrators planned that the heist would occur over the weekend, outside of regular working hours. At a specified time, money mules based in 28 separate countries collectively made 14,849 ATM withdrawals in the space of two hours, before withdrawing thousands more rupees later during the same day.
Clearly, the Cosmos bank heist was staged for financial gain, which is completely unlike the coercive political statement intended by the Shamoon wiper attack. However, in both instances the two threat actor groups relied on careful timing to compromise the network when it was undermanned.
In this context, a perceptive attacker will seize opportunities to breach an otherwise secure network by determining moments at which the target is most vulnerable. In other disciplines, this can be understood as the element of surprise acting as a force multiplier for the attacker. It should come as no surprise that some of the most successful red team phishing exercises (in the West) take place on Friday afternoons.
Beside the practical advantages of staging an attack at a predefined time, there are also many instances where the timing has been specifically selected to send a poignant message. The attacker will identify and launch the attack on a date that carries symbolic significance to the intended target nation, company or even individual. This technique is frequently utilised by hacktivists and state-sponsored groups to gather publicity for a cause, protest a grievance or undermine confidence in the target.
It is common for cyber attacks to be timed to coincide with state anniversaries or the run-up to national elections. A coordinated DDoS attack on more than 27 US and South Korean government websites in July 2009 was attributed to North Korea.
The compromised hosts that were used to mount the DDoS attack were left with a string embedded in the Master Boot Record stating ‘Memory of Independence Day’. Hacktivists exchanged fire with defacement attacks affecting North and South Korean sites on the 63rd Anniversary of the end of the Korean War in 2013.

Similarly, the ongoing border conflict between Russia and Ukraine has been punctuated by severe cyber attacks that have been intentionally timed to make a political statement. On 27 June 2017, the devastating NotPetya ransomware-wiper crippled Ukrainian government and financial services. The Russian military intelligence service (GRU) staged the attack the day prior to Constitution Day in Ukraine. Protracted operations to infiltrate the Ukrainian power grid in December 2015 and 2016 were staged to cause blackouts during the Christmas period.

By launching repeated attacks on Ukrainian national infrastructure to coincide with state anniversaries, events and public holidays, the Russian threat actors appear to act with impunity, undermining public confidence in the Ukrainian government.
In summary, there is no shortage of cyber intrusion incidents that could have been selected to illustrate the integral function that careful timing can have in magnifying the impact of a cyber attack. Timing can be the decisive factor in determining the outcome of a breach. Hacking the target on a date that has symbolic significance can generate publicity for a cause or convey a subtle political message.
It is fundamental that security teams identify the periods when the network will be at its most vulnerable and prepare contingency plans and backup systems for them. When the team is undermanned, falls behind the patch cycle and disregards best practice, hackers are presented with an opportunity to gain unauthorised access.
Being aware of events when attacks could have multiplied effects on the reputation of an organisation (e.g. during a product launch or times of heightened business activity such as holiday sales) is also advisable.
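One practical way to act on the advice above is to make monitoring sensitive to the low-staffing windows the article describes (weekends, public holidays, the end of the working day) and to flag bursts of a sensitive action that occur in them, much like the two-hour withdrawal spree in the Cosmos Bank case. The script below is an added example written for this page, not code from the article; the business hours, the holiday date and the sample timestamps are all constructed assumptions.

```python
from collections import Counter
from datetime import datetime, date, time

# Constructed assumptions, not from the article: the staffed working day and
# the dates on which the security team is expected to run with reduced staff.
BUSINESS_START = time(9, 0)
BUSINESS_END = time(18, 0)
REDUCED_STAFF_DATES = {date(2018, 8, 15)}  # hypothetical public holiday

def is_off_hours(ts: datetime) -> bool:
    """True when the event falls outside staffed hours: a weekend, a listed
    reduced-staff date, or a time before/after the working day."""
    if ts.weekday() >= 5 or ts.date() in REDUCED_STAFF_DATES:
        return True
    return not (BUSINESS_START <= ts.time() < BUSINESS_END)

def off_hours_bursts(events, threshold):
    """Bucket off-hours events per clock hour and return the (hour, count)
    pairs whose count exceeds `threshold`, oldest first. `events` are
    ISO-8601 timestamps of the sensitive action being monitored (e.g. a
    high-value transaction or a privileged logon); in-hours events are
    deliberately ignored so the detector only speaks to the staffing gap."""
    buckets = Counter()
    for raw in events:
        ts = datetime.fromisoformat(raw)
        if is_off_hours(ts):
            buckets[ts.replace(minute=0, second=0, microsecond=0)] += 1
    return sorted((b, n) for b, n in buckets.items() if n > threshold)

# Constructed sample: a normal Friday-afternoon trickle, then a spike in the
# small hours of Saturday 11 August 2018 (a weekend, so every event counts).
SAMPLE_EVENTS = (
    ["2018-08-10T14:%02d:00" % m for m in range(0, 60, 20)]   # Fri 14:00, 3 events, in hours
    + ["2018-08-11T03:%02d:00" % m for m in range(0, 60, 3)]  # Sat 03:00, 20 events
    + ["2018-08-11T04:%02d:00" % m for m in range(0, 60, 4)]  # Sat 04:00, 15 events
)

if __name__ == "__main__":
    for bucket, count in off_hours_bursts(SAMPLE_EVENTS, threshold=10):
        print(f"{bucket:%Y-%m-%d %H:00}  {count} events in an off-hours window")
```

The threshold should be calibrated from the action's normal off-hours baseline; the value here is only illustrative.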