Lessons to be learnt from the NATO-Serbia conflict

The NATO-Serbia conflict was the first chronicled war to demonstrate cyber warfare in retaliation for US- and UK-led aerial bombardment. Retaliation from hackers sympathetic to the Taleban and Al-Qaeda network is expected to follow a similar

17 October 2001

Within one week of the air assault, Serbia-sympathetic hackers began attacking US defence computers and defence-related businesses. These hackers originated from across the Eastern bloc. In the first week of April 1999, US Department of Defense computer systems were hit with up to 100 hack attacks a day. John Hamre, then US Deputy Secretary of Defense, told a closed hearing of Congress that hackers had found a new way into the Pentagon's digital networks. Bill Richardson, then US Energy Secretary, shut down classified computers at three nuclear weapons laboratories because of fears over cyber-security lapses.

This followed confirmation from the US Department of Defense and the NATO command in Europe that Serbia-sympathetic hackers had attacked their computer networks by flooding them with empty ping packets and computer viruses, thereby causing a denial of service. The US Government was concerned that civilian facilities within NATO countries were less well prepared than their military counterparts to deal with cyber attack.

Over two weeks a stream of virus-carrying eMails was received by over 100 businesses, public organisations and academic institutions in a number of NATO member countries. The contents of the messages were normally highly politicised attacks on NATO's unfair aggression and defended Serbian rights, using poor English and propaganda cartoons. The message to the addressee was usually bundled with several viruses inside an attachment. The messages arrived from a range of Eastern European countries. Typically, 25 different strains of virus were detected using commercial off-the-shelf anti-virus software.

Businesses hit in the NATO-Serbia conflict

USA - Leading daily newspapers in business centres like New York and Chicago; Internet service and access providers; inter-media communications companies; network communities for human and minority rights; online businesses

UK - International newspaper publishers with world-wide circulation; academic institutes with news media affiliations; major internet access and service providers; online businesses

Europe - Germany (Berlin-based newspapers); Italy (Milan-based newspapers and the Electronics Institute); Switzerland (major university IT department)

Sectors at risk in the NATO-Serbia conflict

Communications, telecoms, healthcare, power generation, power distribution, financial services and municipal services were at risk and were advised to check their digital networks for any evidence of communications received from unknown sources. Such communications could contain embedded viruses designed to become active at a preset future date or when triggered by a particular signal.

Impact of misdirected bombing

Following the misdirected NATO bomb on the Chinese Embassy in Belgrade in May 1999, which killed three Chinese journalists, Far Eastern hackers used cyber attack as a protest. Computer hackers from China, Hong Kong and Taiwan continued mainly to attack US Government computer systems and US online businesses. The internet host computers of the Energy Department, Interior Department and the National Park
Service were cracked. The White House web site also came under attack. It was defaced and was temporarily inaccessible on several occasions.

Sophisticated espionage software tools - Trojans - were the new weapon deployed in the cyber war between NATO countries and China sympathetic hackers in May 1999.

Trojans were despatched to Western targets from the Far East and were used as a very effective way of gathering intelligence without risking the exposure of agents.

Protests against NATO countries were also made via floods of eMails. The US Government was the victim of concerted eMail assaults on its servers, in attempts to overload them, on several occasions between April and May 1999. Administrators were advised to employ anti-spam measures to impede all eMail from China's '.cn'

Retaliatory digital attacks that could now be expected

The US and UK can expect electronic attacks from Taleban- and Al-Qaeda-sympathetic hackers, which could be perpetrated on any combination of the following targets:

1. The critical national infrastructure (defined as emergency services, central government services, transport, telecommunications, utilities, health care and financial services)

2. Online businesses that may be directly or indirectly affected by malfunctioning communications, piracy, surrogacy (passing off), denial of service or social engineering (suborning employees)

3. Individual citizens, whose privacy may be overrun by a breach in security of an online service, or who may be made susceptible through electronic identity theft

10 stages in the development of cyber warfare

Experience from the Serbia-NATO conflict in 1999, relevant to the current response from the US and UK to the 11th September terrorist attack, suggests the following sequence of events:

1. Allied forces launch sustained attack
2. Internet and eMail discussion traffic increases. As discussion boards and chat rooms get busy, dedicated lists and online communities are activated
3. Malevolent groups on both sides plan retaliatory attacks
4. Security services attempt to track activity and anticipate retaliation
5. Owners of digital networks deploy known solutions (firewalls, anti-virus tool kits and intrusion detection)

6. Purpose-built digital attack weapons are released by malevolents. During the Serbia-NATO conflict, attacks on NATO member countries could be identified by the following fingerprints:
- Messages from unknown senders
- Unsolicited attachments with political content
- Poor English spelling and grammar in the propaganda
- Cartoon graphics with an anti-NATO theme

7. Commercial and government digital networks are attacked and communication disrupted, with possible adverse effect on confidence and/or share price

8. Additional malevolent groups from around the world rally to the cause and escalate type and sophistication of attacks

9. Attempts are made by victim organisations to deny the attacks and meanwhile damage limitation PR campaigns are launched

10. Digital networks are repaired or replaced via migration to new technologies
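The fingerprints listed under stage 6 can be turned into a mail-gateway triage check, so that messages matching several of them are held for an analyst rather than delivered. The script below is an added example, not code from the report: it parses a raw RFC 822 message and lists which fingerprints it matches; the sender allowlist, the political-term list and the sample message are constructed assumptions, and the "poor English" fingerprint is left out because it needs a dictionary or language checker rather than a few lines of code.

```python
import email
import email.utils
from email import policy

# Allowlist of known correspondents and list of political terms (both constructed).
KNOWN_SENDERS = {"editor@example-news.test"}
POLITICAL_TERMS = ("nato", "aggression", "agression", "serbia", "bombing")


def fingerprint(raw_message, known_senders=KNOWN_SENDERS):
    """Return the report's fingerprints matched by one raw RFC 822 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    hits = []
    addr = email.utils.parseaddr(msg.get("From", ""))[1].lower()
    if addr not in known_senders:
        hits.append("unknown sender")
    attachments = [p for p in msg.walk()
                   if p.get_content_disposition() == "attachment"]
    # Only text/plain parts are inspected; decoded via the EmailMessage API.
    body = " ".join(p.get_content() for p in msg.walk()
                    if p.get_content_type() == "text/plain").lower()
    if attachments and any(t in body for t in POLITICAL_TERMS):
        hits.append("unsolicited attachment with political content")
    if any(p.get_content_type().startswith("image/") for p in attachments):
        hits.append("graphic attachment (possible propaganda cartoon)")
    return hits


def should_quarantine(raw_message, known_senders=KNOWN_SENDERS):
    """Hold the message for analyst review when two or more fingerprints match."""
    return len(fingerprint(raw_message, known_senders)) >= 2


# Constructed sample message, not real captured traffic.
SUSPECT = """From: "Friend" <anon@mail.example.test>
To: newsdesk@example-news.test
Subject: Stop NATO
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Stop NATO agression on Serbia!
--b1
Content-Type: image/gif; name="cartoon.gif"
Content-Disposition: attachment; filename="cartoon.gif"

R0lGODlhAQABAAAAACwAAAAAAQABAAA=
--b1--
"""
```

Run `fingerprint(SUSPECT)` to see all three fingerprints reported, and `should_quarantine(SUSPECT)` to get the hold decision.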

As businesses audit and review their digital network security procedures in the aftermath of the ongoing US and UK bombardment, they face the issue of dealing with personnel policy, legal issues and comprehensive insurance cover in addition to reinforcing their IT systems and implementing a bespoke security architecture.

Report by