What Is Cyberwar? The Complete WIRED Guide

The 2008 Georgian war was perhaps the first real hybrid war in which conventional military and hacker forces were combined. But given Georgia’s low rate of internet adoption—about 7 percent of Georgians used the internet at the time—and Russia’s relatively simplistic cyberattacks, which merely tore down and defaced websites, it stands as more of a historic harbinger of cyberwar than the real thing.

First Shots

The world’s conception of cyberwar changed forever in 2010. It started when VirusBlokAda, a security firm in Belarus, found a mysterious piece of malware that crashed the computers running its antivirus software. By September of that year, the security research community had come to the shocking conclusion that the specimen of malware, dubbed Stuxnet, was in fact the most sophisticated piece of code ever engineered for a cyberattack, and that it was specifically designed to destroy the centrifuges used in Iran’s nuclear enrichment facilities. (That detective work is best captured in Kim Zetter’s definitive book Countdown to Zero Day.) It would be nearly two more years before The New York Times confirmed that Stuxnet was a creation of the NSA and Israeli intelligence, intended to hamstring Iran’s attempts to build a nuclear bomb.

Over the course of 2009 and 2010, Stuxnet had destroyed more than a thousand of the six-and-a-half-foot-tall aluminum centrifuges installed in Iran’s underground nuclear enrichment facility in Natanz, throwing the facility into confusion and chaos. After spreading through the Iranians’ network, it had injected commands into the so-called programmable logic controllers, or PLCs, that governed the centrifuges, speeding them up or manipulating the pressure inside them until they tore themselves apart. Stuxnet would come to be recognized as the first cyberattack ever designed to directly damage physical equipment, and an act of cyberwar that has yet to be replicated in its virtuosic destructive effects. It would also serve as the starting pistol shot for the global cyber arms race that followed.

Iran soon entered that arms race, this time as aggressor rather than target. In August of 2012, the Saudi Arabian firm Saudi Aramco, one of the world’s largest oil producers, was hit with a piece of malware known as Shamoon that wiped 35,000 of the company’s computers—about three-quarters of them—leaving its operations essentially paralyzed. On the screens of the crippled machines, the malware left an image of a burning American flag. A group calling itself “Cutting Sword of Justice” claimed credit for the attack as an activist statement, but cybersecurity analysts quickly suspected that Iran was ultimately responsible, and had used the Saudis as a proxy target in retaliation for Stuxnet.

The next month, Iranian hackers calling themselves Operation Ababil hit every major US bank, knocking their websites offline with sustained volleys of DDoS attacks, a far more focused version of the takedown technique Russians had used against sites in Estonia and Georgia. Again, cybersecurity analysts detected the hand of Iran’s government in the attack’s sophistication despite the “hacktivist” front, perhaps a more direct message from Iran’s state-sponsored hackers that any future US cyberattacks wouldn’t go unanswered. A little over a year later, in February 2014, Iranian hackers launched another, more targeted attack on American soil: Following public comments from Zionist billionaire Sheldon Adelson suggesting the US use a nuclear weapon on Iran, sophisticated hackers hit Adelson’s Las Vegas Sands casino, using destructive malware to wipe thousands of computers, just as in the Saudi Aramco case.

By 2014, Iran was no longer the only rogue nation exploiting the potential for cyberattacks to reach across the globe and inflict pain against civilian targets. North Korea, too, was flexing its cyberwar muscles. After years of staging punishing DDoS attacks on its favorite adversary, South Korea, North Korean hackers launched a more daring operation: In December 2014, hackers revealed they had deeply penetrated the network of Sony Pictures ahead of its release of The Interview, a low-brow comedy movie about an assassination plot against North Korean dictator Kim Jong-un. The hackers, calling themselves the Guardians of Peace, stole and leaked reams of emails along with several unreleased films. They capped off their raid by wiping thousands of computers. (Though the leaks might be called a mere influence operation, the disruptive data deletion pushes the incident across the cyberwar line.) The hackers left a menacing image on wiped computers of a skeleton, along with an extortion message; they demanded both money and that the release of The Interview be canceled. Despite that cybercriminal ruse, the FBI publicly named the North Korean government as the perpetrator of the attack, based in part on a slip-up that revealed a Chinese IP address known to be used by North Korean hackers. The roster of global powers entering the fray of cyberwar was growing.

Scorched Earth

Even as North Korean and Iranian hackers wreaked havoc in attacks like the ones against Las Vegas Sands and Sony Pictures, cyberwar circa 2014 was limited to isolated incidents and periodic acts of disruption. Around the same time, however, Ukraine was undergoing a revolution—one that would trigger a Russian invasion and lay the groundwork for the world’s first full-blown, real cyberwar.