Part 3 - Adversaries and Cyber Warfare

Who are the attackers and targets?

Paul Krzyzanowski – July 26, 2025

Computer security is not only about vulnerabilities and exploits. Behind every attack is an adversary — a person, group, or state pursuing specific goals. Understanding adversaries is essential for anticipating threats and preparing defenses. At the highest level, some adversaries use cyberattacks as instruments of national power, turning security into a matter of international conflict.

Characteristics of Adversaries

Adversaries differ in several ways:

Types of Adversaries

Economic Incentives

Underground markets provide a thriving economy for adversaries. Botnets, stolen credentials, and exploit kits can be bought and sold. Zero-day vulnerabilities may fetch millions of dollars. At the same time, legal bug bounty programs reward defenders for responsibly disclosing flaws. The same technical skills can be monetized on both sides of the law.

Advanced Persistent Threats (APTs)

At the high end are Advanced Persistent Threats (APTs): skilled, well-funded, often state-backed.

Well-known examples include Russia’s Fancy Bear, China’s APT41, North Korea’s Lazarus Group, and Iran’s Charming Kitten.

Naming conventions vary. Mandiant numbers APTs sequentially (APT1, APT29). CrowdStrike uses animals (Panda for Chinese groups, Bear for Russian, Kitten for Iranian). Microsoft uses weather-based names like Midnight Blizzard (Russia) and Volt Typhoon (China).

Cyber Warfare

Cyberattacks are no longer isolated incidents — they are tools of statecraft. Cyber warfare refers to state-sponsored operations that disrupt, damage, or disable critical infrastructure and military systems. Unlike espionage, which gathers intelligence, cyber warfare seeks direct impact.

Stuxnet

Discovered in 2010, Stuxnet marked a turning point. It targeted Iran’s uranium enrichment program by infecting Windows systems and then Siemens industrial controllers. The facilities were protected by an air gap, meaning they were physically isolated from the Internet. Stuxnet overcame this barrier by spreading through infected USB drives carried in by workers. Once inside, it reprogrammed centrifuges to spin at destructive speeds while reporting normal values to operators.

Stuxnet was the first known malware to cause physical destruction. It showed that software alone could achieve what once required bombs or sabotage.
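The falsified operator readings are the part of the Stuxnet story that matters most for defenders: if the only view of the process comes through the compromised controller, the operator has no way to notice. One mitigation is to compare what the PLC reports against a measurement that does not pass through the PLC at all. The following is an added example, not code from these notes or from any real ICS product; the rotor limits, the out-of-band vibration sensor, and the sample readings are all constructed for illustration.

```python
# Added example (not from the lecture notes): a defender-side consistency check
# for industrial telemetry. The idea is to compare the speed the controller
# reports to the HMI against an independent estimate from a sensor the
# controller cannot rewrite (hypothetical: a vibration sensor on the rotor).
# Rated limits, tolerance and sample readings are constructed values.
from dataclasses import dataclass

SAFE_MAX_RPM = 63_000          # hypothetical rated ceiling for the rotor
DIVERGENCE_TOLERANCE = 0.05    # flag if the two sources disagree by more than 5%


@dataclass(frozen=True)
class Reading:
    t: int                 # seconds since start of the observation window
    plc_rpm: float         # speed the controller reports to the operator
    sensor_rpm: float      # speed estimated by the out-of-band sensor


def check_reading(r: Reading) -> list[str]:
    """Return alert strings for one reading; empty list if it looks consistent."""
    alerts: list[str] = []
    # Physical limit check uses the independent measurement, never the PLC value.
    if r.sensor_rpm > SAFE_MAX_RPM:
        alerts.append(
            f"t={r.t}: sensor {r.sensor_rpm:.0f} rpm exceeds safe max {SAFE_MAX_RPM}"
        )
    # Relative divergence between what is reported and what is measured.
    baseline = max(abs(r.sensor_rpm), 1.0)
    divergence = abs(r.plc_rpm - r.sensor_rpm) / baseline
    if divergence > DIVERGENCE_TOLERANCE:
        alerts.append(
            f"t={r.t}: PLC reports {r.plc_rpm:.0f} rpm but sensor measures "
            f"{r.sensor_rpm:.0f} rpm ({divergence:.0%} apart)"
        )
    return alerts


def audit(readings: list[Reading]) -> list[str]:
    """Run check_reading over a sequence of readings and collect every alert."""
    alerts: list[str] = []
    for r in readings:
        alerts.extend(check_reading(r))
    return alerts


# Constructed sample: the controller keeps reporting a steady ~60,000 rpm while
# the out-of-band sensor sees the rotor driven well past its ceiling and back.
SAMPLE = [
    Reading(0, 60_000, 60_100),
    Reading(10, 60_000, 60_050),
    Reading(20, 60_000, 66_500),
    Reading(30, 60_000, 71_000),
    Reading(40, 60_000, 59_900),
]

if __name__ == "__main__":
    for alert in audit(SAMPLE):
        print("ALERT", alert)
```

The check only works because the second measurement path is independent of the controller; a sensor that is itself read through the same PLC would be rewritten along with the reported speed. In practice the tolerance and limits come from the equipment's engineering data, and alerts feed the plant's monitoring system rather than being printed.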

Russia and Ukraine

Russia has repeatedly used cyber operations alongside military action:

China

China has focused on infiltration and pre-positioning for future conflicts.

These operations go beyond espionage. They demonstrate preparation for sabotage in the event of geopolitical conflict.

Other Examples

GPS Spoofing

Cyber operations are not limited to computers. GPS spoofing attacks feed false navigation signals, disrupting aviation, shipping, and military operations. In 2024, more than 900 flights per day were affected in conflict zones by spoofed GPS data.

Countermeasures

Cyber warfare is not one-sided. Defenders actively fight back.

In 2024, the U.S. Department of Justice announced that it had disrupted a Chinese-controlled botnet used to mask intrusions into U.S. infrastructure. The botnet relied on compromised small-office routers. By seizing command-and-control servers and coordinating with ISPs, the U.S. dismantled the network.

International cooperation has also brought down major criminal botnets like Emotet. Increasingly, governments and private companies share intelligence and act jointly to counter large-scale cyber threats.

Implications

Cyber warfare blurs the line between war and peace. Malware can spread globally in seconds, attackers can reroute operations through compromised machines, and attribution is difficult. States often deny involvement, maintaining plausible deniability.

For defenders, this means that critical infrastructure — from power grids and telecoms to hospitals and pipelines — is now a battlefield. Security planning must account not only for opportunistic criminals but also for patient, well-funded adversaries preparing for conflict years in advance.