Clingendael Policy Brief
September 2015

Foreign Policy Responses to International Cyber-attacks
Some Lessons Learned

Sico van der Meer

How could foreign policy instruments be helpful in responding to major cyber-attacks? This policy brief provides a first exploration of this topic by investigating five cases of international cyber-attacks which had a great deal of societal impact. What role did foreign policy instruments play in responses to these cyber-attacks, and how can we evaluate their role in hindsight? The policy brief concludes that, although cyber technicians will always be in the lead when a massive cyber-attack occurs, foreign policy instruments such as diplomatic communication, warnings, and sanctions could contribute to limiting the damage of a cyber-attack as well.

Introduction

Responding to major international cyber-attacks is generally considered a task for cyber technicians: they have to end the attack by protecting the targeted networks and to try to collect evidence on the identity, methods and aims of the attackers. While acknowledging that the technical level is indeed crucial, foreign policy could play an important (supporting) role as well in responding to major international cyber-attacks. Nearly all cyber-attacks originate from abroad, and foreign policy may be helpful in sending important signals to the attacker. In what way could foreign policy tools be helpful to respond to cyber-attacks? This policy brief provides a rudimentary exploration of this topic by investigating five cases of major international cyber-attacks: Estonia 2007, Saudi Arabia 2012, the United States 2012, South Korea 2013, and the United States 2014. What were the foreign policy responses to these cyber-attacks, and how can we evaluate them in hindsight? These five cases have been chosen because they were ‘big’ given their societal impact, while not being part of a more classic military operation (such as the cyber-attack on Georgia in 2008, which coincided with a Russian conventional military attack).

Analysing cyber-attacks and responses by countries is a challenge in view of the secrecy concerning (the effectiveness of) countermeasures. Governments do not want to provide (possible) enemies with insights into their cyber defence policies. Moreover, they do not want to be too precise about potential responses to cyber-attacks in order to prevent setting red lines that, if crossed, might oblige them to act, with an undesired escalation as a result. Given this sensitivity and secrecy, it is not surprising that little academic literature has been published on this subject. Interviews with diplomats involved also proved hard to arrange. The analysis provided here is thus primarily based on information that is available in the public domain, mainly media reports. Considering these facts, and the posture of the governments involved in the five cases in not bringing their response policies into the open, this policy brief can give no more than a glimpse into the foreign policy activities involved. These limitations notwithstanding, the information available provides a basis for some lessons learned that may help in formulating foreign policy responses to the relatively new phenomenon of cyber-attacks against a country.

Estonia 2007

In April 2007 Estonia experienced a cyber-attack targeting large parts of the country’s cyber infrastructure. This cyber-attack – shutting down the websites of ministries, banks, media, and political parties, thereby suggesting an attempt to paralyze Estonia’s society – consisted of a wave of so-called Distributed Denial of Service (DDoS) attacks, by which public websites suddenly receive tens of thousands of visits, thus disabling them by overcrowding the bandwidths for the servers running the sites. Although the attacks came from all over the world, Estonian officials and experts claimed that, particularly in the early phase, some attackers were identified by their internet addresses, many of which were Russian, and some of them could be traced back to Russian state institutions.[1] Even while considering that Estonia is a highly cyber-dependent country where, for example, 97 percent of all bank transactions are conducted online, the attack was not able to effectively paralyze the country. It caused economic damage and annoyance, but nothing more.[2]

The governmental response to the cyber-attack was mainly executed by the Computer Emergency Response Team (CERT), linked to the Ministry of Economic Affairs and Communications. The CERT reacted especially by closing down the websites under attack for foreign internet traffic, in an attempt to keep them accessible to domestic users. The CERT received assistance and intelligence from cyber security experts from various European countries in order to restore the normal cyber network situation, and additional assistance was provided by NATO CERTs and the European Network and Information Security Agency (ENISA) of the European Union.[3]

The role of the Estonian Ministry of Foreign Affairs in the response was limited, according to the public information that is available. Interesting, however, was a public statement by the Minister of Foreign Affairs, Urmas Paet, shortly after the start of the cyber-attack. He claimed that the cyber-attacks “have been made from IP addresses of concrete [...] and individuals from Russian government organs including the administration of the President of the Russian Federation”.[4] The accusation linked the cyber-attack to the relocation of a Soviet-era war memorial which had caused tensions in the diplomatic relations between Estonia and Russia during the preceding days, as well as riots by members of the Russian minority in Estonia. The public accusation, probably meant to force Russia to end its involvement by focussing international attention on Moscow’s role, did not have much effect. Russia simply denied the accusation and warned Estonia against making accusations without any evidence – and thus pointing at the problem of the attribution of cyber-attacks; formal Russian involvement was almost impossible to prove. The attacking IP addresses that Estonia tracked down to the Russian government could well have been hijacked computers. Moreover, the public accusation by the Minister of Foreign Affairs gave Russia an argument for not helping in any way in the aftermath of the cyber-attack. Russia refused to cooperate with the Estonian authorities in investigating the case. When various attackers within the jurisdiction of the Russian Federation were identified, the Estonian State Prosecutor made a formal investigative assistance request, which was rejected by Moscow with the argument that procedural problems prevented cooperation.[5]

The Estonian Ministry of Foreign Affairs furthermore played a role in raising the cyber-attack issue with its diplomatic and political network in the European Union and NATO, in collaboration with the Ministry of Defence and the Office of the President.[6] These activities were mostly effective in the longer term, for example by increasing attention for cyber security in these fora, as well as significant investments in the NATO Cooperative Cyber Defence Centre of Excellence in Estonia in later years.

Saudi Arabia 2012

Saudi Arabia experienced a cyber-attack in August 2012. Actually, the attack was targeted towards one specific company only, but also the biggest company in the country: the state oil company Saudi Aramco. More than 30,000 computers were damaged by the attack, not only in Saudi Arabia but also in foreign offices like the ones in The Hague and Houston.[7] The hardware of about 85 percent of the company’s computer devices was said to be disrupted.[8] The cyber-attack appeared to be aimed at disrupting oil and gas production in Saudi Arabia and oil exports to the rest of the world; if successful, this would not only have severely damaged the Saudi economy, but could have created global economic disturbance as well. However, the attack failed to actually disrupt the flow of Saudi oil and gas. Saudi Aramco claimed that the huge damage was limited to office computers and did not affect systems being used for technical operations.

The cyber-attack made use of a computer virus known as ‘Shamoon’ and a group of [...], until then unknown, claimed responsibility, blaming Saudi Arabia for “crimes and atrocities” in countries like Syria and Bahrain. In the months prior to the cyber-attack, Saudi Arabia had supported rebel groups in Syria and had sent troops into Bahrain to back its rulers, fellow Sunni Muslims, against Shiite-led protesters.

As far as can be reconstructed from open sources, the Saudi Ministry of Foreign Affairs was not directly involved in the response to the cyber-attack. Saudi Aramco itself led the way in countering the cyber-attack. The company shut down its internal network for more than a week in order to stop the spread of the virus and to restore or replace all infected computers. Next to the state-owned company itself, it was the Ministry of Interior which dealt with the cyber-attack at the governmental level; the cyber-attack was apparently considered to be a domestic affair, even though the Ministry of Interior issued a statement during a press conference that the attack originated from several other countries (while declining to identify these countries).[9] The Ministry of Interior especially assisted Saudi Aramco in investigating the origin and damaging effects of the attack.[10] The results of this investigation have never been made public. Although some experts and media speculated that the government of Iran was the actual perpetrator of the cyber-attack, neither Saudi Aramco nor the Ministry of Interior have ever openly blamed any country.[11] It is conceivable that the Saudi government deliberately tried to deal with the cyber-attack as a domestic issue and to give it as little publicity as possible in order to limit the damage to its state company’s reputation, as well as to prevent any potential further escalation by the cyber-attacker.

United States 2012

Only one month after the cyber-attack in Saudi Arabia, in September 2012 the United States experienced a major cyber-attack as well. According to some media, this was “the biggest cyber-attack in history”.[12] Although that claim may be questionable, the attack definitely caused some nuisance in the United States. A DDoS attack, directing huge amounts of internet traffic at a website to make it crash, was launched against the websites of six of the nation’s leading banks. Although this did not affect the computer networks of the banks themselves, the websites suffered day-long slowdowns and were sporadically not accessible to the attacked banks’ customers. This caused frustration more than economic damage, but if the attacks had been more sophisticated and had lasted longer, one could speculate that they might have caused more economic damage.[13] An Islamist cyber-fighters group claimed responsibility for the cyber-attack, but various experts and politicians considered that the attack was too complicated to be executed by a non-state actor. Fingers were almost immediately pointed at Iran, which was assumed to be seeking revenge in this way for the US-led economic sanctions against the country as well as the cyber-attack on Iran’s nuclear installations some years earlier, for which Tehran also blamed the US.[14]

The cyber-attack was mainly dealt with by the targeted banks themselves, in cooperation with cyber security companies hired by them – the banks are reported to have spent tens of millions of dollars to cope with the attack.[15] They were assisted, however, by experts from various ministries and governmental agencies, such as the Department of Homeland Security, the State Department, the [...] Agency and the Cyber Command of the US Armed Forces. According to some media reports, the Obama administration considered but ultimately rejected an option to hack into the adversary’s network – assumed to be in Iran – and crush the problem at its source. Also considered but rejected was a diplomatic instrument: delivering a formal warning to Iran through diplomatic channels. Both options are reported to have been rejected out of fears that they could escalate hostilities to undesired levels.[16]

The governmental actors involved instead chose a response that was partly diplomatic, and partly technical. The diplomatic channels of the State Department were used to appeal for assistance to 120 countries, asking them to remove identified malicious computer codes from the servers around the world that were being used as springboards for the attacks. Christopher Painter, the State Department’s coordinator for cyber issues, said in a later interview: “The pitch was, ‘We’re making a request of you, and we would really like your help. You have just as much of an interest in taking action because these are compromised machines. Please do what you can to mitigate this [...]’.”[17] It was not only the diplomats of the State Department who raised the issue with their counterparts around the world; the cyber technicians of the Department of Homeland Security also contacted their foreign counterparts with the same request. Although this multinational mobilization did not end the cyber-attacks, it diminished their effects considerably and gave the cyber technicians within the banks and their hired cyber-security consultants more room to lessen the consequences of the attack as well.[18]

South Korea 2013

South Korea regularly experiences cyber-attacks, generally attributed to North Korea – according to some sources North Korea carries out several cyber-attacks (large and small) every day against its southern neighbour.[19] In March 2013, the largest cyber-attack so far was carried out against South Korea. Malware called ‘DarkSeoul’ appeared to be specifically designed to evade some of South Korea’s most popular antivirus programmes and to render computers unusable. The attack was targeted at paralyzing three major banks and three national television broadcasting stations. In particular the effects of the attack on the banks had a serious impact: ATMs, payment terminals and mobile banking systems throughout the country stopped functioning. The effect on the media was less visible, because TV broadcasts were not affected; the attack only created chaos in the offices of the television networks. The cyber-attack incapacitated some 48,000 computers and caused approximately 800 billion Won (600 million Euro) of economic damage.[20] Although most damaged computer networks had already been restored after one or two days, the attacks went on for several more weeks, without however causing much more disruption.

No responsibility for the cyber-attack was claimed, but it was generally assumed that North Korea was behind it. The attack came shortly after North Korea had reacted furiously to tightened United Nations Security Council sanctions in response to its latest nuclear test. A week before the attack the government in Pyongyang accused the United States and South Korea of conducting cyber-attacks against North Korea, which was probably meant to make the cyber-attack on South Korea seem like a retaliatory attack. Initially, the source of the cyber-attack was linked to an IP address in China, but both the Korea Communications Commission and the Chinese Ministry of Foreign Affairs stated that hackers from other countries could have routed their attack through this address to obscure their identity. Later it was reported that the trace could indeed be followed back from this Chinese IP address to a North Korean one.[21]

While the targeted banks and broadcasting stations primarily dealt with restoring their computer networks themselves, the governmental response to the cyber-attack was executed by various ministries and governmental organisations. An emergency security meeting was convened by the Minister of Defence, and the military raised their alert against cyber-attacks. The Ministry of Defence was also involved with press communications. The Ministry refused to accuse anyone of the cyber-attack; the official statement read: “We cannot rule out the possibility of North Korean involvement, but we don’t want to jump to a conclusion.”[22] Police teams were sent to affected sites, especially to prevent chaos because of paralysed ATMs and payment terminals. The civil Korea Communications Commission asked government agencies and companies to triple the number of people monitoring for possible hacking attacks on their computer networks as well, while the Office of the President established a governmental task force, led by the Ministry of Science, ICT and Future Planning, to investigate the cyber-attack and its effects. This governmental task force would later conclude that most of the evidence that could be found pointed towards North Korea. It discovered traces of IP addresses based in North Korea preparing the attacks for months and implanting malware inside the banks’ computer networks.[23] In media reports no mention was made of any foreign policy activities regarding the cyber-attack; apparently the government tried to deal with the cyber-attack within the domestic context in order to prevent a further escalation with its long-time enemy in the North.

United States 2014

The US company Sony Pictures Entertainment was the target of a major cyber-attack in 2014. Hackers, operating under the name Guardians of [...], had presumably been active in the company’s network for months and in November 2014 they released large amounts of confidential data stolen from the company’s computers – varying from financial data to embarrassing e-mails sent by top managers. They also implanted a software program designed to erase all data from the computer servers. The hackers demanded financial compensation to stop their attack, while releasing more stolen information step-by-step. In December, however, the hackers changed their demands and required the cancellation of the planned release of the feature film ‘The Interview’, a comedy about the assassination of the North Korean leader Kim Jong-Un. They also threatened cinemas which planned to show the film with terrorist attacks. Sony responded by cancelling the release of the film, after which the hackers indeed ended their cyber-attack.[24]

Although the cyber-attack on Sony was initially not regarded as a massive attack with a major societal impact, the US government stepped in after the demand to cancel the release of ‘The Interview’. The government announced that it now regarded the hacking as a serious national security matter, because, as the Secretary of Homeland Security stated: “The cyber-attack against Sony Pictures Entertainment was not just an attack against a company and its employees. It was also an attack on our freedom of expression and way of life.”[25] President Obama openly called Sony’s decision to cancel the film “a mistake” (Sony later distributed the film to a limited number of cinemas and published it online).[26]

Although many media linked the cyber-attack to North Korea – which had previously officially protested against the film – the US government initially refused to name any country which was potentially involved. A few days after the cancellation of the film, however, the Federal Bureau of Investigation (FBI) formally stated that it had evidence that the North Korean government was involved in the cyber-attack. North Korea has always denied any involvement.

According to media reports, the US government was looking for a retaliatory action of a symbolic nature to show North Korea (and other states) that cyber-attacks on US companies will not be tolerated, while at the same time preventing any international escalation.[27] Retaliation came, a few weeks later, with some rather limited economic sanctions against North Korean entities. According to the Treasury Secretary these sanctions were meant to defend US businesses and citizens from “attempts to undermine our values or threaten the national security of the United States”.[28] A statement from the White House added: “We take seriously North Korea’s attack that aimed to create destructive financial effects on a US company and to threaten artists and other individuals with the goal of restricting their right to free expression.”[29] In the same period, North Korea suffered from internet outages, but the US government refused to comment whether this was caused by any covert US retaliatory action.[30]

Conclusion

This brief analysis of five major cyber-attacks in recent years indicates that governmental responses to cyber-attacks vary widely. In Saudi Arabia and South Korea the cyber-attack was more or less treated as a domestic affair, with no foreign policy instruments involved. Only in the Estonian and US cases were diplomats from the Ministry of Foreign Affairs directly involved, as far as can be found in open sources.

An important foreign policy instrument being deployed was the use of diplomatic channels to request assistance from other countries. Especially US diplomats in 2012 contacted their counterparts with a very focussed question, requesting that malicious computer codes be removed from specific servers in each country that was approached. This diplomatic effort, combined with the cyber technicians of the Department of Homeland Security, who also contacted their foreign counterparts with the same request, had an effect almost directly; the cyber-attack was weakened every time a country cleaned servers which the attackers were using. In the Estonian case the diplomatic request for help was a little less focussed; most of the direct cyber assistance from abroad was involved through the network of cyber experts in the Estonian Computer Emergency Response Team. The diplomatic channels were particularly useful for agenda-setting in the somewhat longer term.

In 2012 the United States also considered, but rejected, another foreign policy instrument: delivering a formal warning to Iran through diplomatic channels. This option was rejected because of the lack of convincing evidence for a formal accusation and the risk of causing an undesired escalation. From this perspective, the diplomatic warning option was somewhat similar to what the Minister of Foreign Affairs in Estonia did after the cyber-attack on his country had started: he publicly blamed Russia, presumably in the hope that this country would end its involvement as soon as it was openly accused. This public accusation did not have any positive effect, however. Russia simply denied that it was responsible and refused any cooperation when Estonia wished to prosecute identified Russian individuals involved in the cyber-attack. It is difficult to say whether the public accusation had any negative effects (Russia might have refused to cooperate in the prosecution anyway), but the lack of any positive effects seems rather obvious.

In 2014 the US deployed the foreign policy instrument of economic sanctions against North Korea, which was publicly blamed by the US government as being guilty of the cyber-attack against Sony. Limited economic sanctions were meant to send a signal to North Korea (and potential other cyber-attackers) that similar attacks would not be tolerated. Economic sanctions were thus used as a deterrent by retaliation. It should nevertheless be emphasized that public accusations and retaliations may only be effective (and not cause an escalation) if the sanctioning state is more powerful than the sanctioned party. As was seen in the Estonian case, where the accused state is more powerful than the accusing state, proactive blaming (and/or retaliating) may not always be the best option.

In general, foreign policy responses to cyber-attacks seem to be most effective in the domain of requesting international assistance, as long as the requests are focussed and aimed at direct actions. Moreover, foreign policy tools can be useful after the cyber-attack: by diplomatic warnings and (economic) sanctions signals can be sent that similar attacks will not be tolerated; in this way the foreign policy tools are not directly used to respond to the cyber-attack at hand, but instead as a deterrent to prevent more of these attacks.

Overall, foreign policy can mainly be regarded as supporting instead of leading. Based on the experiences analysed here, the initial response to a massive cyber-attack is probably best coordinated by the more technical cyber experts, often organized in a specialized governmental agency like a CERT. Diplomats could play an important supporting role, which of course requires excellent communication channels with the coordinating cyber experts. The more intergovernmental cooperation and communication, the more effective the response to any cyber-attack will be.

More research could be helpful to determine under which circumstances and at what stage during a cyber-incident foreign policy instruments can be most effectively employed to put pressure on a suspected adversary, to request assistance from other countries, or to seek redress through the appropriate international fora. Furthermore, it would be interesting to explore how such diplomatic communications could be strengthened by basing them on references to existing norms of responsible behaviour and obligations as established in international law. Last but not least, while this policy brief focuses on responses to cyber-attacks, more research into foreign policy instruments that could help in preventing cyber-attacks could definitely be useful as well.

Notes

1 Ian Traynor, ‘Russia Accused of Unleashing Cyberwar to Disable Estonia’. In: The Guardian, 17 May 2007.
2 Andrzej Kozlowski, ‘Comparative Analysis of Cyberattacks on Estonia, Georgia and Kyrgyzstan’. In: International Scientific Forum Proceedings, 3 (2013), p. 236-246.
3 Stephen Herzog, ‘Revisiting the Estonian Cyber-attacks. Digital Threats and Multinational Responses’. In: Journal of Strategic Security 4 (2011) 2, p. 49-60.
4 Cited in: Kertu Ruus, ‘Cyber War I: Estonia Attacked from Russia’. In: European Affairs 9 (2008) 1-2.
5 Ruus, ‘Cyber War I: Estonia Attacked from Russia’.
6 Traynor, ‘Russia Accused of Unleashing Cyberwar to Disable Estonia’.
7 Christopher Bronk and Eneken Tikk-Ringas, Hack or Attack? Shamoon and the Evolution of Cyber Conflict, Working Paper, James A. Baker III Institute for Public Policy, Rice University, 1 February 2013.
8 ‘Saudi Aramco Investigating Origins of Shamoon Virus Following Attack’. In: Al Arabiya, 12 September 2012.
9 Wael Mahdi, ‘Saudi Arabia says Aramco Cyberattack came from Foreign States’. In: Bloomberg, 9 December 2012.
10 Mahdi, ‘Saudi Arabia says Aramco Cyberattack came from Foreign States’; ‘Aramco says Cyberattack was Aimed at Production’. In: The New York Times, 9 December 2012.
11 Bronk and Tikk-Ringas, Hack or Attack? Shamoon and the Evolution of Cyber Conflict.
12 David Goldman, ‘Major Banks hit with Biggest Cyberattacks in History’. In: CNN Money, 27 September 2012.
13 Nicole Perlroth, ‘Attacks on 6 Banks Frustrate Customers’. In: [...], 30 September 2012.
14 Goldman, ‘Major Banks hit with Biggest Cyberattacks in History’.
15 Ellen Nakashima, ‘U.S. Rallied Multinational Response to 2012 Cyberattack on American Banks’. In: The Washington Post, 11 April 2014.
16 Nakashima, ‘U.S. Rallied Multinational Response to 2012 Cyberattack on American Banks’; Ellen Nakashima, ‘U.S. Response to Bank Cyberattacks Reflects Diplomatic Caution, Vexes Bank Industry’. In: The Washington Post, 27 April 2013.
17 Quoted in: Nakashima, ‘U.S. Rallied Multinational Response to 2012 Cyberattack on American Banks’.
18 Nakashima, ‘U.S. Rallied Multinational Response to 2012 Cyberattack on American Banks’; Nakashima, ‘U.S. Response to Bank Cyberattacks Reflects Diplomatic Caution, Vexes Bank Industry’.
19 Alex Hern, ‘North Korean “Cyberwarfare” Said to have Cost South Korea £500m’. In: The Guardian, 16 October 2013.
20 Nicole Perlroth and David E. Sanger, ‘Cyberattacks Seem Meant to Destroy, Not Just Disrupt’. In: The New York Times, 28 March 2013; ‘South Korea Blames North for Bank and TV Cyber-attacks’. In: BBC News, 10 April 2013; Hern, ‘North Korean “Cyberwarfare” Said to have Cost South Korea £500m’.
21 ‘China IP Address Link to South Korea Cyber-attack’. In: BBC News, 21 March 2013; ‘South Korea Blames North for Bank and TV Cyber-attacks’.
22 Cited in: Choe Sang-Hun, ‘Computer Networks in South Korea are Paralyzed in Cyberattacks’. In: The New York Times, 20 March 2013. See also: Tania Branigan, ‘South Korea on Alert for Cyber-attacks after Major Network Goes Down’. In: The Guardian, 20 March 2013.
23 Choi He-suk, ‘Seoul Blames Pyongyang for Cyber-attacks’. In: Korea Herald, 10 April 2013; Jeyup S. Kwaak, ‘“Dark Seoul” Behind some Cyberattacks in South Korea’. In: The Wall Street Journal, 27 June 2013.
24 Ben Child, ‘Hackers Demand Sony Cancel Release of Kim Jong-un-baiting Comedy’. In: The Guardian, 9 December 2014.
25 ‘Sony Hack: White House Views Attack as Security Issue’. In: BBC World, 19 December 2014; Statement by Secretary Johnson on Cyber-attack on Sony Pictures Entertainment, Department of Homeland Security, 19 December 2014.
26 ‘Obama Pledges Proportional Response to Sony Hack’. In: The New York Times, 19 December 2014.
27 Danny Yadron, Devlin Barrett and Julian E. Barnes, ‘U.S. Struggles for Response to Sony Hack’. In: The Wall Street Journal, 18 December 2014.
28 Carol E. Lee and Jay Solomon, ‘U.S. Targets North Korea in Retaliation for Sony Hack’. In: The Wall Street Journal, 3 January 2015.
29 Lee and Solomon, ‘U.S. Targets North Korea in Retaliation for Sony Hack’.
30 Dan Roberts, ‘Obama Imposes New Sanctions Against North Korea in Response to Sony Hack’. In: The Guardian, 2 January 2015.

About Clingendael

Clingendael is the Netherlands Institute of International Relations. We operate as a think-tank, as well as a diplomatic academy, and always maintain a strong international perspective. Our objective is to explore the continuously changing global environment in order to identify and analyse emerging political and social developments for the benefit of government and the general public. www.clingendael.nl

About the author

Sico van der Meer is a Research Fellow at the Clingendael Institute. His main research topics are cyber security, and the non-proliferation and disarmament of Weapons of Mass Destruction. He graduated from the Radboud University Nijmegen in 1999 with a Master’s degree in History. Before joining the Clingendael Institute, he worked as a journalist and as a Fellow of a think tank on civil-military relations.