Malicious Life Podcast: Can You Bomb a Hacker?

The 2008 Russo-Georgian War marked a turning point: the first time cyberattacks were used alongside traditional warfare. But what happens when the attackers aren't soldiers, but ordinary citizens? This episode delves into the ethical and legal implications of civilian participation in cyberwarfare, examining real-world examples from Ukraine and beyond.

 

Powered by RedCircle

ran-levi-headshot
About the Host

Ran Levi

Born in Israel in 1975, Malicious Life Podcast host Ran studied Electrical Engineering at the Technion Institute of Technology, and worked as an electronics engineer and programmer for several High Tech companies in Israel.

In 2007, created the popular Israeli podcast Making History. He is author of three books (all in Hebrew): Perpetuum Mobile: About the history of Perpetual Motion Machines; The Little University of Science: A book about all of Science (well, the important bits, anyway) in bite-sized chunks; Battle of Minds: About the history of computer malware.

Oona-Hathaway

Oona Hathaway

Gerard C. and Bernice Latrobe Smith Professor of International Law at Yale Law School

Oona A. Hathaway is the Gerard C. and Bernice Latrobe Smith Professor of International Law at Yale Law School, Professor of International Law and Area Studies at the Yale University MacMillan Center, Professor of the Yale University Department of Political Science, and Director of the Yale Law School Center for Global Legal Challenges. She has been a member of the Advisory Committee on International Law for the Legal Adviser at the United States Department of State since 2005.

Jose-Nazario

Jose Nazario

Senior Principal at Mandiant Intel, part of Google Cloud

Ph.D. in biochemistry, now working in cyber security. Focused on the cyber defender space, solving challenges by realizing unique capabilities. I build products and teams that create opportunities for businesses and customers.

About The Malicious Life Podcast

Malicious Life by Cybereason exposes the human and financial powers operating under the surface that make cybercrime what it is today. Malicious Life explores the people and the stories behind the cybersecurity industry and its evolution. Host Ran Levi interviews hackers and industry experts, discussing the hacking culture of the 1970s and 80s, the subsequent rise of viruses in the 1990s and today’s advanced cyber threats.

Malicious Life theme music: ‘Circuits’ by TKMusic, licensed under Creative Commons License. Malicious Life podcast is sponsored and produced by Cybereason. Subscribe and listen on your favorite platform:

All Posts by Malicious Life Podcast

Transcript

When you walk around every day, interact with other people, and do things, there are certain norms of society that you just know to abide by. Like: people should be treated as equals. You have to pay your taxes. Bicyclists don’t ride on the sidewalk, or in the middle of a lane of traffic. (Okay, maybe those are bad examples, since lots of people aren’t so good at following them. But you get the idea, right?)

These rules were developed over time, as people realized that without them, society tends to fall apart.

Like during the years 1643 to 1649, when 109 diplomatic delegations gathered in the neighboring cities of Münster and Osnabrück, in modern day Germany, then Westphalia. The delegations represented 16 European states, hundreds of imperial states within the Holy Roman Empire, and 38 interest groups. The immense scope of this yearslong diplomatic event was fitting — no, necessary — to match the immensity of the matter at hand: a religious war of three decades, which had killed somewhere in the range of 4.5 and 8 million people. Europe’s worst war to date, not to be eclipsed for another 275 years.

The deal they all hashed out in Westphalia — culminating in two peace treaties, signed in October 1648 — finally ended that war, bringing peace to the Holy Roman Empire, and Europe more broadly. But the effects of this deal were felt far longer still.

Some historians have since credited the Peace of Westphalia with defining the outlines of national sovereignty in Europe and, with it, ideas that we utterly take for granted today, like respecting borders, and not meddling in other countries’ internal affairs. Or, very basically, who’s allowed to fight in wars. For centuries before Westphalia, any pompous Lord or religious leader might have rounded up some mercenaries to go kill people over something, which, you can imagine, got rather messy. But as American University professor Gary Corn wrote in an article two years ago, quote:

“Since at least the Treaty of Westphalia and the consolidation of the legal monopoly of violence in the sovereign, the law has recognized that with very limited exception, only members of a State’s armed forces, that is, “those by whose agency the sovereign makes war,” are imbued with the “privilege” to participate in hostilities. In return, only combatants benefit from the attendant immunity from criminal sanction for doing so. Civilians, on the other hand, lack this “privilege” to participate directly in hostilities and their life should thus be respected and protected.”

It’s this commonly held understanding that keeps people as safe as possible during the most dangerous of times.

So what would happen if an individual broke this rule? Would they then lose their protection under the law? What then?

In fact, modern technology has allowed ordinary people to start taking part in wars again. The trend started just a decade-and-a-half ago.

A War In Georgia

Its impetus came at 8:00 A.M. on August 1, 2008, when two improvised explosive devices detonated on a road near Tskhinvali, in South Ossetia, injuring five police officers. Luckily for Jose Nazario, it took another week of skirmishing before war officially began. Otherwise, it would’ve interrupted his vacation.

“[Jose] I was in the airport, in particular in baggage claim with my wife. We had just flown from somewhere I forget where and I got this call.”

The call came from a colleague at his then-employer, Arbor Networks. (These days, Jose works at Mandiant.)

“[Jose] I got a call from our PR person. Kevin, who said hey, we got an inbound request. There’s a shooting war that’s broken out in Russia. They want to talk.”

There was a reason why, when a shooting war broke out in South Ossetia — a disputed northern region in the country of Georgia — somebody called Jose Nazario in Michigan.

“[Jose] The year prior, late April, literally May of 2007. Were the Russia Estonia attacks.”

When Russian cybercriminals collaborated to perform denial-of-service attacks against Estonia’s government, banks, and news outlets. We covered that story way, way back in Episode 4 of this podcast.

“[Jose] We would basically have our systems harvest every night: Here’s all the commands, we recorded the botnets here that we’ve sort of been tracking, here’s all the attacks commands that we’ve seen come across, because that’s how we did this. We would you know, capture samples, we’d reverse engineer the protocols, and then pretend to be the bot to log in and get the command issued to the bots. And when they do that, they typically tell you – watch this kind of attack against this target for this long.”

Jose and his colleagues began mapping out these botnets, their behaviors, and what they were collectively aiming at.

“[Jose] We were seeing attacks, you know, into, again, the former Soviet Union into the Baltics, into various countries in the Caucasus Mountains including Chechnya, Ingushetia . Again, all denial of service attacks against, you know, news sites public at radio stations and the like, all of which, you know, the common thread was that they were generally sort of counter to Moscow, a pro Moscow message.”

In particular, the researchers were keeping an eye out for “.gov” domains which might indicate politically-motivated attacks. And about a year into their project…

“[Jose] We get this report in July from our system saying, hey, this, here’s an interesting attack. Dig into it.”

It turned out to be targeting the website of the president of Georgia, Mikheil Saakashvili.

“[Jose] one botnet that we detected, launching a series of attacks against the website with a message actually in the request string saying ‘win, love in Russia.'”

The site — or, more specifically, the server hosting it, along with several other mostly non-government websites — went down for more than 24 hours.

Immediately thereafter, discussions flared on Russian-language web forums. Were DDoS attacks and website defacements a good idea? Surely they’d be used to support anti-Russian narratives. But those skeptical voices did not win out.

“[Jose] when the tank start rolling, we saw more than just that one botnet we had seen in July, light up with a whole bunch of different attacks into Georgian websites. [. . .] We have a guy or two who sort of spend a bunch of time looking at a bunch of other ad hoc open source materials to pastebins, and blog posts and underground forums where we see a lot of these attacks coordinated. “Hey, everybody, you know, we’re going to hit the Georgian websites. Here’s the target list for tonight.” And we would record that in traffic and we’d see many of these sites get hit.”

Websites belonging to the central government, the Ministries of Defence and Foreign Affairs, various commercial organizations, and, again, the president’s. This time, across a series of downed government sites, hackers plastered a collage of pictures of Saakashvili alongside Adolf Hitler.

“[Jose] The attacks weren’t big, maybe a couple 100 megabytes, but relative to what was provisioned for those websites, it was pretty substantial. Many of them were disruptive, so availability was affected.”

Estonia, All Over Again

It was Estonia all over again, with a twist: unlike in that case, here, soldiers and civilians were dying every day. (The first time in history, in fact, that a traditional war was simultaneously paired with cyberattacks.) The result was that websites belonging to the government and media were materially impeded in informing and advising citizens on how to stay safe.

Like, if you went to the news site civil.ge, the most recent article you would’ve seen published was titled ‘Russia Occupies Significant Part of Georgia’. Then nothing. If you’re in Georgia, what the heck are you supposed to do with that?

Besides the nature or scope of the damage, it was also the timing of these cyberattacks — beginning late on August 7th, 2008, and peaking on August 8th — that troubled analysts. The 7th was the day Georgian soldiers entered South Ossetia and, perhaps not so coincidentally, Russian troops as well. So this was either an incredibly swift response to the fighting, or, perhaps, a coordinated and prepared one.

By August 13th, Shadowserver, a nonprofit which tracks malicious activity online, had developed reliable intel that the overwhelming majority of the ICMP DDoS traffic was, as feared, coming from Russia, unlike with most botnets which tend to be geographically dispersed.

However, the activity derived from several internet service providers spread across the country, including both broadband and dialup users. If it were Russia’s military or intelligence behind all this, you wouldn’t expect them to be so geographically dispersed, and you definitely wouldn’t picture Russian troops connecting over dial-up.

It turned out that all of the malicious traffic into Georgia was performed using a single Windows batch script. (Batch scripts are plaintext files with instructions that get executed by the command line when it’s run.)

As far as malware goes, this one was rather simple. At the top, times at which it would be called — 6 PM, and 8 PM — and a message: “Thanks for support of South Ossetia! Please, transfer this file to friends!” Then, some commands and a list of 20 websites which would be targeted: Georgia’s parliament, the president, the police, the supreme court, news media, and so on.

This script had been published and disseminated online in several Russian-language forums.

“Basically,” Shadowserver explained, “people are taking matters into their own hands and asking others to join in by continually sending ICMP traffic via the ‘ping’ command to several Georgian websites, of which the vast majority are government.”

For example, the hackers at stopgeorgia.ru/stopgeorgia.info wrote online that, quote:

“We – the representatives of Russian hako-underground, will not tolerate provocation by the Georgian in all its Russian vs Georgia Cyber Attack manifestations. [. . .] We do not need the guidance from the authorities or other persons, and operate in accordance with their beliefs based on patriotism, conscience and belief.

“[Jose] these are people who are sort of responding in some fashion to what they see on the news, sort of hopping online and watching these attacks, responding to what they see as diplomatic tensions as opposed to tasking, you know, from headquarters.”

“You can call us criminals and cyber-terrorists, raz-vya-zy-vaya with war and killing people. But we will fight [. . .] We call for the assistance of all who care about the lies of Georgian political sites, everyone who is able to inhibit the spread of black information.”

Thanks to a Windows batch script, as soldiers, planes, and tanks started killing hundreds in South Ossetia, it was regular people who were crippling the region’s government and news media. Which raises the question: If a hacker is participating in a war, can you treat them like a soldier?

International Law

“[Oona] So civilians are insulated from attack and they retain their civilian status as long as they don’t directly participate in hostilities.”

You’re listening to Oona Hathaway, founder and director of the Center for Global Legal Challenges at Yale Law School, formerly special counsel to the general counsel at the U.S. Department of Defense. For the last decade and a half, she’s been one of the top ten most frequently cited international law scholars in the U.S.

“[Oona] Direct participation is enough for you to lose your civilian status, your protected civilian status and thus become targetable. Now the question is what is enough to be a direct participant in hostilities.”

If somebody picks up a gun and starts shooting, it’s obvious that you can shoot back. But what if that person uses a keyboard to more subtly endanger a soldier, or a civilian?

“[Oona] The Geneva Conventions in particular regulate the conduct of war and regulate in particular the conduct of war by states. There are very limited regulation of war being conducted by private actors, by citizens. Really all that the Geneva Conventions have to say about that is in common Article Three. There’s some like basic rules that regulate the behavior of private actors that are engaging in conduct of war, but it makes it clear that they’re not immunized from the ordinary criminal process that would apply to them.”

So if a person commits violence in a battle, for example, they aren’t protected just because they’re not wearing a uniform. But for less obvious acts, the Geneva Conventions become much blurrier — a situation which has real-world consequences for people in imminent danger.

eEnemy

Consider another, more recent phenomenon happening just a quick hop over the Black Sea from Georgia. In the last two years, thousands upon thousands of Ukrainian citizens have tested Geneva’s limits by chatting with “eVorog” (translated: “eEnemy”). eVorog is an AI chatbot developed by Ukraine’s Defense Ministry, which lives on the encrypted messaging platform Telegram. As Time Magazine wrote, quote:

“It all looks like a game at first. Verified users of Ukraine’s government mobile app are greeted with options illustrated by icons of military helmets and targets. An automated prompt helps you report Russian troop movements in your area, and rewards you with a flexed-arm emoji. “Remember,” the message says. “Each of your shots in this bot means one less enemy.” [. . .] One example of an interaction shared with TIME shows emojis and arrows guiding users through a series of automated prompts: first making sure they are safe, then telling them to focus their camera on enemy actions, shooting video for up to one minute, and attaching a timestamp and geolocation.”

Users can report on the locations of munitions, including unexploded bombs, or troop movements, or any other relevant intel. A government ID system called Diia verifies their identities, to weed out fake news merchants. To report the sighting of enemy aircraft, drones, or even missiles, citizens use a different app, “ePPO.” Other tools enable them to document damage to their homes, and various human rights abuses, or submit documents or apply facial recognition to identify individual Russian troops, and much more. In all, there are some half a dozen apps the government developed or adapted to help document war crimes and crowdsource the country’s defense against Russia’s invasion.

Thousands and thousands of ordinary people have taken up that call. In the first two months of war alone, more than 250,000 reports of Russian army developments flooded the government databases where these data are uploaded.

For a sense of the impact these reports have had, just look at the city of Kherson in southern Ukraine — north of Crimea, part of the territory Russia captured early in the war. In that first month, as Russian vehicles carrying missile launchers drove through the main streets of the city, locals uploaded photos and metadata to eVorog. Ukraine’s minister of digital transformation recalled to reporters how, quote, “Almost every apartment sent us a report. So we could geolocate them to almost every apartment on those two streets.”.

Later, in September of 2022, Kherson residents earned another win when they used eVorog to report the location of a warehouse Russians were parking military vehicles in. On the following day, that facility was pulverized by an airstrike. Similar stories have repeated themselves throughout Ukraine in months since.

And while thousands of regular people use eVorog, dozens of hacktivist collectives have also taken up the fight on both sides.

In one case, pro-Russia hackers destroyed communications equipment supplying internet connectivity to millions of people in Ukraine, including those in warzones, and knocked out the air-raid system in regions around the capital, preventing civilians from being warned of incoming projectiles.

On behalf of Ukraine, Anonymous is reported to have nearly exploded a gas control system in North Ossetia — which would’ve threatened lives, and was saved only by the quick thinking of an employee on-site.

Some Ukrainian hacktivists have also directly collaborated on missions with the military. (Russian cybercriminals have been doing this for years.) The people using eVorog are doing a version of the same thing.

So, can a Russian soldier target a civilian for using eVorog? Can a Georgian soldier target one for using a Windows batch script?

“[Oona] what is enough for an individual to cross the line to become a civilian directly participating in hostilities through engaging a cyber operations is really untested territory.”

Even though we’ve been dealing with this issue for some years now.

“[Oona] In 2008, we were still kind of trying to figure out what the rules were. And so there weren’t any cyber specific rules and there’s still really aren’t any cyber specific rules [. . .] And so what people were trying to do back then was to try to figure out how did the existing rules apply in cyberspace, you know, how do we take the rules that govern behavior of states generally? And how do we apply those in cyberspace?”

It isn’t an easy question to answer because, while hacking has contributed to life-threatening situations, it’s never directly caused a death. It’s also difficult to attribute cyberattacks and, even when you can, sometimes, you don’t want to tip your hand by doing so. And most malicious hackers involved in serious conflicts live in countries that don’t want to extradite them to face trials.

But these hurdles might have been overcome, and laws regulating this behavior might have been drafted, if certain powerful entities hadn’t the motive to do the exact opposite.

“[Oona] There were some, particularly the Chinese, who took the position that we needed special rules for cyber and that the ordinary rules of international law didn’t apply to cyberspace, and so you needed a whole new set of rules didn’t know how to regulate that, that behavior. [. . .] part of the reason may have been that China was and still is, to some degree, on the forefront of the capacity to engage in cyber operations, particularly cyber espionage, and may have preferred to keep this a space that was largely unregulated, and not accept the idea that existing legal principles applied in this space because that would have been to accept that there were limits, legal limits on their behavior, and that is violating those legal limits that they were subject to penalties for that – countermeasures that could be imposed for doing so.”

It wasn’t just China slowing down developing cybercriminal law.

“[Oona] And to be honest, you know, they’re not alone in being reluctant to adopt robust rules. The United States has not been a forward leaning actor in terms of thinking about how to apply international law to cyberspace. It came around to that view, and it has come around to that view, and it has been an advocate in recent years of applying sort of bare bones, international law principles, like the prohibition on use of military force in cyberspace or the idea that international humanitarian law can apply to cyber operations. But in these early years that the states that were, that had the greatest capabilities were in part for that reason, less enthusiastic about adopting a robust legal framework to govern what could and couldn’t happen in cyberspace.”

So there aren’t any rules yet. But according to Professor Hathaway, who knows the issue better than probably anyone else on the planet…

“[Oona] Some cyber operations might be enough to be a direct participant in hostilities, and particularly if a private organization is directly coordinating with the military, if they’re engaging in operations that are meant to disable the military capacity of one side or the other in the conflict, or if they’re engaging themselves in in attacks that that are sufficient to make them part of the conflict,    then it is enough for them to lose their civilians status and become become potentially targetable.”

Until cyber is integrated into the laws of armed conflict, militaries will enjoy the freedom to interpret these situations as they wish.

Russian soldiers could use eVorog as an excuse to justify their harsh treatment of civilians. It might look like what happened during the Bucha massacre, early in the Ukraine war, in which more than 400 civilians were killed. One survivor of the event recalled how Russian troops went from building to building, grabbing people and immediately checking their phones for evidence of anti-Russian activities.

Or it might look like what happened in 2019, when Hamas operatives attempted a large-scale cyber campaign against the state of Israel. In response, that May, the IDF air force bombed Hamas’ cyber headquarters, plus an equipment storage site it was using as a de facto data center, and an apartment building where its cyber operatives were hiding out. Three of them were eliminated, in the first ever kinetic response to a cyber attack in history.

Does it seem harsh to kill people over hacking? Maybe, but there’s no clear rule against it, even if the person responsible isn’t in a terrorist group, or a military, but is just some guy in his apartment. 

Today, amid some of the most devastating armed conflicts in recent history, there’s simply nothing stopping Russia, Israel, Pakistan, Ukraine, or any other nation from trying it. There may only be a matter of time before some keyboard warrior wakes up to find that the shield of an anonymous username and masked IP address doesn’t protect them from lead dropped from 10,000 feet in the sky.