Hackers and horror
11 April 2018
Hacking, for many years, was considered an annoyance.
It was generally a source of frustration and embarrassment, as disruption, rather than damage, usually left organisations red-faced and scrambling.
That has evolved in recent years, as profit motivation has meant that hackers have become ever more professional as they pursue monetary gain. This has led to some particularly abhorrent episodes where highly vulnerable people are targeted. James Lyne, global head of security research at Sophos, has reported instances of medical facilities being hacked for lists of parents of terminally ill children, so that hackers might exploit their desperation for cures.
However, this was still somewhat ethereal, and hacking still had a lack of physical reach in most cases. That changed, of course, when the American and Israeli joint effort of Stuxnet targeted an Iranian nuclear facility and caused physical damage to delicate refining machinery by allowing it to run out of specification. A further instance was documented in 2015, when a German metal foundry was hacked and physical damage caused. A report by the German authorities said that multiple systems began to go outside of specification, meaning that a blast furnace could not be shut down in an orderly manner. This resulted in massive damage.
It had long been predicted that hacking would lead to physical consequences, but few instances, apart from these reported ones, had been effective. In 2015, in Ukraine, power blackouts blighted several areas. Three different energy suppliers were compromised, leaving hundreds of thousands without power in December. It was reported as the first successful cyberattack on a power grid.
It had by then become clear that hacking can have real world consequences, far beyond mere data loss, and that the motivations of the threat actors were malicious in the extreme.
However, in the opinion of this hack, these pale when compared to what transpired in the besieged Syrian city of Aleppo in 2016.
A makeshift hospital had been operating from an underground facility in the city. Known only as M10 in an effort to hide its location, the hospital had been attacked many times. This was not unusual in the conflict, and according to a story in the UK Telegraph, aid workers had reported some 450 such attacks on medical facilities since 2011.
But M10 was struggling on and managed to establish an operating theatre, the Telegraph story reports, where internationally trained surgeons operated as best they could on the casualties that flooded in.
On one such occasion a local man was having reconstructive surgery to his jaw after he had been injured in an aerial bomb attack. The surgeons were being guided by the most unusual means of a smartphone on a selfie stick. Using Skype and WhatsApp, far away from war-torn Aleppo, David Nott in the UK, a renowned teacher and surgeon, was guiding the local clinicians as they worked.
The BBC, in September, broadcast a news report of Nott’s efforts to help medical practitioners in the conflict areas, guiding and advising where he could using his phone and laptop, connected via messaging platforms.
Shortly afterwards, in October of 2016, ground-penetrating munitions targeted the M10 facility, and the very operating theatre where Nott had guided the surgeons was hit and destroyed. Two patients were killed, medical staff were injured and the entire facility was forced to close.
Nott immediately suspected that as a result of the news broadcast, his PC had been targeted and hacked, with the location of the hospital gleaned from his communications with it.
Nott has now ceased such communication with doctors in Syria for fear of further attacks being carried out.
The attack was so specifically targeted, and the type of munition used so sophisticated, says the Telegraph, that it was most likely carried out by Russia.
In several other attacks against hardened or underground targets, the Russian air force used BETAB-500 munitions that carry a 475kg high explosive charge. The munition is an air-dropped, guided weapon that uses a rocket motor in its final stages to penetrate the ground or even layers of concrete, before detonating its massive charge. The shockwaves then multiply and shatter infrastructure.
However, because of the sophisticated nature of the weapon, it is only deliverable from newer generation aircraft. While the Syrian air force does have the capability for guided, ground-attack weapons in its force of aging Su-24 attack aircraft, the BETAB-500 requires the more advanced capabilities of the Su-34, an aircraft only operated in the theatre by Russia.
The article goes on to say that the policy of attacking medical facilities has been used extensively by both the Syrian government and Russian forces, as it drives people out of those areas by denying them medical care.
There can be few more horrifying examples of the physical consequences of hacking.
This most cynical of strategies, targeting those who would help in medical efforts to relieve the injured and the sick, is the very definition of inhumane. When authorities in both camps are fully aware of the numbers of civilians caught in conflict zones, to target medical facilities as a strategy is utterly abhorrent. To do so by targeting external disinterested parties who are trying to provide humanitarian relief merely adds another layer of disgust.
What it shows is that certain regimes will stop at nothing to achieve their ends and will carry on with utter disregard for human rights, international law and agreed treaties.
But what can be done?
There are two issues at play here: firstly, the willingness of governments to use such tactics in war, and secondly, the protection of those providing humanitarian efforts for those affected.
The former is nothing that could ever be tackled in these pages, but the latter is a different matter.
Secure, encrypted communication is not beyond the bounds of the information security community. Developments recently have seen systems that are not only encrypted end to end, but that use randomised connections between various modules to ensure that routing is near impossible to track, let alone predict.
These facilities must be, and are being, made available to the likes of frontline practitioners in hot zones to protect them and those who provide support from being targeted by authorities. Whether it is medics in war zones, human rights activists in repressive regimes, or even free speech advocates where expression is restricted, there is a duty to protect and provide the best that information security technology can provide to prevent the crime that was the M10 attack from ever happening again.