On some level, all of us are waiting for the big one—the hack that downs the internet, paralyzes infrastructure, maybe launches a couple nukes. If that day never arrives, it will be largely thanks to the legions of malefactors who, over the years, have hacked this or that government or corporation and thus forced those institutions to plug up their vulnerabilities, or at least try to. Some of these hacks have been staggering in scope—acts of sabotage and/or theft inconceivable in an unconnected world. But which of these can lay claim to being the most destructive? What was, in other words, the most significant hack of all time? For this week’s Giz Asks, we reached out to a number of experts to find out.
Director and Professor, Criminal Justice, Michigan State University, whose research focuses on computer hacking and malware, among other things
The first that comes to mind is the Morris worm, from 1988. A college student named Robert Tappan Morris wrote a piece of code that he claimed he thought would simply ping servers and assess the size of the internet at that time. But there was either a deliberate or unfortunate error in the code, and instead of simply pinging and reporting back, it started to replicate and spread, and effectively caused a denial-of-service attack against almost the entire internet. Morris claims this wasn’t intentional, but he nonetheless became one of the first people successfully prosecuted for a piece of malicious software, and the whole incident led to the formation of the first Computer Emergency Response Team. Because the internet at that time was mostly limited to universities, NASA, government entities, etc., the idea behind CERT was to get all these different players around the table to try to figure out a rapid solution to eliminate future problems, and then shore up their resources to make sure it couldn’t be effectively used again.
Another contender for the most significant hack is the Office of Personnel Management data breach around 2014. This was thought to have been performed by China, in order to acquire the sensitive data used for FS86 forms for the government. FS86 forms are essentially the forms you fill out when you’re trying to get clearance to handle classified material.
No one knows exactly how much information was accessed, because the government has been kind of cagey about it. But millions of these forms and the data they contained were lost. The reason this is critical is that those forms are what individuals fill out to be hired by the FBI or the Secret Service, and contain very private, potentially damaging information, which foreign agents or any other person could potentially leverage to their benefit. For instance, if you have massive amounts of debt reported in your FS86, then that’s an indication that you might be a risk for giving away state secrets, if you were paid to do so.
Finally, there’s the NotPetya hack, from 2017, which [affected Europe and Asia]. It was called NotPetya because it looked like ransomware called Petya, but it wasn’t—effectively, it caused a given computer to brick, and that’s about it. It just destroyed computer systems.
It’s thought to have been Russian-made in origin, and was implanted on Ukrainian servers. It was installed in the backdoor of tax software that was widely used in Ukraine. Any company or entity that does business in Ukraine would have had to use this software for business purposes, so when the code was executed all those systems that were connecting back to this tax software were affected, and it caused millions of dollars in losses. Lots and lots of equipment had to be replaced. For two weeks, parts of Ukraine had effectively no internet. It impacted shipping and all sorts of physical infrastructure. I think it’s significant because it’s not often that the main function of a hack is to just destroy the system itself, and that was very much the goal here.
The answer here invariably depends on your perspective—and probably also your security clearance. But if pressed, I do have a favorite that I think helps set the course of history as well as represent some of the biggest challenges in cyber conflicts. And that hack was the so-called Soviet pipeline attack, which resulted in “the biggest non-nuclear explosion ever seen from space.” This was in 1982 (or 1983, depending on who asked), way before there was the World Wide Web and even before there was the global Internet that we recognize today. Not only was the hack possibly one of the most significant attacks on critical infrastructure, but it also was an information warfare attack, a psychological operation. It therefore shows the duality of cyber conflict better than anything else. And just by chance it happened almost exactly 41 years before the attack on US pipeline company Colonial Pipeline, with all the disruption it entailed. If it really happened.
The story started in a 2004 publication by a key adviser to President Ronald Regan, Thomas Reed, a former Secretary of the Air Force. Reed said that the CIA, which was countering a flood of Industrial espionage attempts by the Soviet KGB aimed at supporting the collapsing economy of the USSR, launched a counter operation called FAREWELL. Central to this operation was to allow the Soviets to steal the technology they were after, but to alter it to make sure that it caused more harm than good—maybe much more harm. In this particular case, the Soviets were after industrial control system software to better manage gas and oil pipelines. The CIA allowed the KGB to steal the software in question, but slipped a “logic bomb” into the code—making sure that at a specific time the system would go haywire. At the appointed time the White House and the satellite analysts were warned not to be too concerned when they saw a large explosion in Siberia—“the biggest non-nuclear explosion ever seen from space,” as it was all part of the plan. This—supposedly—was not the first or the last time the “Poisoned chalice” cyber stratagem was used. But it was devastatingly effective. Supposedly.
There are real doubts that this event ever took place. Until 2012 It was even mocked. However, in 2012, a Canadian TV documentary provided many additional details, and featured a number of credible witnesses—including a former Soviet deputy minister. He said the event took place in 1983, on a different pipeline than Reed suggested, and even caused dozens of fatalities. And then of course there was the issue that Reed’s account was actually publicly re-produced by the CIA’s own academic research organization. Clearly this was a story that someone wanted to be told.
Why? As we know now, when Reed’s account was reproduced by US intelligence they were launching OLYMPIC GAMES, the internal codename for what is now known as the Stuxnet cyberattack on the Iranian uranium enrichment program. It’s possible that someone thought it was important to support the evolving cyber strike with an information warfare attack—to remind certain audiences not only that this had happened before, but that it had been worse. Whether or not it was true, a message may have been sent. But then again, it may have all been a coincidence—a combination of bureaucratic errors and overactive imaginations.
The Soviet pipeline attack may have been the first cyber attack in history—paving the way for the CUCKOOS EGG cyber espionage case a couple of years later. But what it certainly is is an example of how cyber warfare and information warfare can overlap—feed into each other, or even masquerade as each other. This is the most important takeaway from the story—not that attacks on critical infrastructure could occur and be incredibly devastating, but that information warfare—propaganda and covert influencing attacks—are an ever-present shadow of cyber activities. As every true hacker knows, the most effective hacks are those that target human decision making. Technology—and data—are often just enablers to this end.
Professor of Criminology, Director of HateLab at Cardiff University, UK, and author of The Science of Hate
My area of expertise is the human dimension in cybersecurity, so my greatest ‘hack’ comes more in the form of social engineering rather than intrusion via software/hardware shortcomings. Humans, not technology, are the weakest link in the cybersecurity chain, and hackers that exploit the shortcomings in our psychology, via fabrication, misdirection and obfuscation, can cause as much damage as those who hack code.
The creation of the fake MartinLutherKing.org website by the white supremacist Don Black (as part of the Stormfront hate forum) is one of the most insidious ‘hacks’ in history. Up until the beginning of 2018, when it was reported to Google as being owned by Stormfront, the site frequently appeared in the top four hits on searches for ‘Martin Luther King.’ At first glance, there was no hint of white supremacist rhetoric, apart from the note at the bottom of the page in small font that read ‘Hosted by Stormfront’.
Before its removal, the site masqueraded as a bona fide information resource targeted at schoolchildren, opening with the line ‘Attention Students: Try our MLK Quiz!’ A click led to a page titled ‘How Much do you really know? Here’s a little MLK quiz to coincide with the upcoming MLK holiday! Enjoy!’ All of the questions criticized or defamed Dr King. One asked ‘According to whose 1989 biography did King spend his last morning on earth physically beating a woman?’; another, ‘Whom did King plagiarize in more than 50 complete sentences in his doctoral thesis?’ At the end of the quiz schoolchildren got to tot up their scores.
The site purported to offer ‘A True Historical Examination’. Links to ‘Rap Lyrics’ led to the text: ‘Here’s what black rappers say, and what their followers do. Keep in mind that most of this is produced and distributed by Jewish-run companies’, alongside lyrics that described black people committing violence and sexual acts against whites. The webpage encouraged children to download and print off pamphlets for distribution in schools on Martin Luther King Day. The pamphlets called for the abolition of that national holiday and accused King of domestic and sexual violence.
MartinLutherKing.org was a sock puppet site; a gateway to the extreme right in America, targeting the most vulnerable in society with disinformation in an attempt to sow division and foster hatred between races.
Founding Director of the NYU Center for Cyber Security and Vice Dean for Academics and Student Affairs at the NYU Tandon School of Engineering, whose research interests include digital forensics, biometrics, data compression, network security, and security & human behavior.
This might seem like an obvious answer, but I view SolarWinds as one of the most significant hacks for a number of reasons related to its scale and the challenges it poses.
SolarWinds was a huge wake-up call: the hackers’ vehicle of delivery was just the kind of highly trusted systems-update software which we all use to fix bugs and enhance system performance — in this case, for SolarWind’s Orion network management system. And so the attackers here damaged more than just their targets: they also damaged our sense that official updates are trustworthy.
The targets—including Microsoft, Intel and Cisco, and a dozen or so federal agencies including Treasury, Justice and Energy departments, the Pentagon, and ironically the Cybersecurity and Infrastructure Security Agency—also evince the attack’s level of sophistication and the peril we face going forward as a result: the attack deliberately hit the sort of monitoring software that touches every node in a system. It was FireEye, an outside organization, that detected irregularities.
And maybe most importantly, the combination of those factors illuminated something many of us in cybersecurity have long seen coming—that cyber systems are the next major global battlefield. SolarWinds brought the reality of that to the forefront for the general public, as well as some in government. We need to be training cybersecurity professionals the way we train soldiers, where we equip professionals with an arsenal of very effective and tactical tools, while at the same time training people how to adapt to and counter an evolving threat landscape—for example through simulation exercises and other means of instilling a security mindset. Some organizations are relying on professionals who have gone through a 6-week cybersecurity certification, and I just don’t believe that’s enough to address the level of threats we’re seeing. And if we don’t start taking this more seriously and train properly, the effects have the potential to be wide-ranging and hugely impactful in people’s daily lives, as we’ve seen with the Colonial Pipeline. With traditional wars, the people closest to the battlefield are impacted. With cybersecurity, we’re all at risk.
Additional timeline by Dell Cameron. Do you have a burning question for Giz Asks? Email us at [email protected]