Cybersecurity Disinformation Internet Iran Russia Technology & Innovation United States and Canada
New Atlanticist October 29, 2020

The 5×5—Trick or threat? The ghouls and goblins behind this year’s cyber incidents

By Simon Handler

This article is part of the monthly 5×5 series by the Cyber Statecraft Initiative, in which five featured experts answer five questions on a common theme, trend, or current event in the world of cyber. Interested in the 5×5 and want to see a particular topic, event, or question covered? Contact Simon Handler with the Cyber Statecraft Initiative at

This year has witnessed its fair share of unnerving cyber incidents from a range of spooky characters. Wicked Panda used video game distributors to infect users with malware and steal their information. Cozy Bear was caught swiping research from a US pharmaceutical company on a potential COVID-19 vaccine. And Iron Viking was credited by the Department of Justice with one of the most expensive and destructive known cyberattacks yet.

Recently, threatening characters have shifted their sights to manipulating the 2020 US presidential election. Dragonfly, known for breaching electrical grids and nuclear power plants, is creeping around US state and local computer networks, while Kitten was unmasked by US intelligence for obtaining US voter registration data and used it to target American voters with spoofed emails.

But 2020 is not over yet. What further ghouls and goblins might lurk? Cyber Statecraft Initiative experts go 5×5 to discuss spine-chilling cyber incidents this Halloween.

#1 Which unsolved cyber incident fascinates you most and why?

Gil Baram, cyber policy and strategy expert; cybersecurity postdoctoral fellow, Center for International Security and Cooperation (CISAC), Stanford University; research fellow, Blavatnik Interdisciplinary Cyber Research Center, Tel Aviv University:

“Well, it’s surprisingly tough to think of a true ‘who dunnit’ mystery, because there’s so much data out there from governments, security firms, and journalists that even without public attribution, there’s enough information to figure it out. Personally, I’m always fascinated by the under-reported incidents, the ones that take a long time to surface. It’s the ones that have stayed under the radar for a long time that are interesting.”

Kenneth Geers, senior fellow, Cyber Statecraft Initiative; analyst, Very Good Security:

“On February 18, 2002 at 20:17:06, a program on my home computer called ‘WINSIP32’ tried to contact the US General Services Administration. As far as I know, all the other cyberattacks have been solved!”

Trey Herr, director, Cyber Statecraft Initiative:

“What is in the bloody Gauss malware? Almost a decade ago, researchers clued into the capable-looking espionage platform called Gauss, potentially related to the Flame and Stuxnet families which each received far more voluminous coverage. Gauss contained a payload which was coded to a specific environmental variable—something on a target machine like a specific file path—which would unlock its contents. The technique, though not novel (see Schneier and Riordan from 1998), was effective and stymied forensic investigation. To this day, I don’t know if anyone aside from the malware’s original creators have managed to peer inside.”

Nina Kollars, fellow, Cyber Statecraft Initiative; associate professor of the Strategic and Operational Research Department and core faculty member, Cyber and Innovation Policy Institute, Naval War College:

“My favorite cyber mysteries are ghost systems and zombie code…old information systems that mindlessly plot to kill us. State unemployment systems were literally the bottleneck for getting people unemployment assistance earlier this year…who remembers COBOL? That’s what I thought. Among the unparalleled champions of this kind of research is Chris Rock (the cyber mercenary not the comedian). If you haven’t seen his DefCon talk ‘I will kill you and birth you’ you shouldn’t… you’ll be horrified… legit John Carpenter meets H.R. Giger.”

Min Livanidis, industry professor, Deakin University:

“The incidents we have not found. Once the impact of an incident is felt, you can typically understand the likely context or motive behind it, even where attribution isn’t possible. Cyber activity is simply an extension of human and state behavior articulated through technical means; it is those quieter intrusions that recall traditional statecraft and espionage, with their emphasis on the long-game rather than an immediate outcome, that fascinate me.”

#2 Who’s your cyber zombie—a threat actor that’s been quiet for a while but is poised to awaken in the next five years? Who will they prey on?

Baram: “In recent months, it seems like all major actors have been highly active. Even Israel, which is quite famous for its ambiguity strategy concerning offensive cyber (and kinetic) operations, has gotten chattier about its operations against Iran. There are bound to be surprises ahead though, with new actors arriving on the scene as economies, interests, and technologies evolve and the stakes grow higher all around.”

Geers: “Canada. No wait, Vatican City. The fact is that every government is hacking these days, wearing many different disguises, and any of them could be unmasked.”

Herr: “Relief from distributed denial-of-service (DDoS) attacks in exchange for a ransom used to be all the rage. If attackers keep innovating on how to avoid the defenses deployed by the likes of Cloudflare or Akamai, incidents like the multi-day shutdown of New Zealand’s stock exchange this September might become more common and costly.”

Kollars: “The Ghosts of Access National Capitol Region—COVID forced countless government employees to work from home. Well-meaning government employees merged their work lives with their private lives. Workers of all levels of classification accustomed to security defense in depth in the workplace logged in from home. And so did their children, partners, and pets…all on the same computers. 

“Adversaries will have gone wardriving in all the right neighborhoods where employees of Fort Meade and the Pentagon tend to live. But also, spearphishing campaigns, sketchy apps, and robo-dialing are more successful when people are under duress. They know that parents are desperate for connectivity, entertainment, and supplies. We cannot yet know the access and data compromise costs of the current pandemic… we will only come to understand it years from now.”

Livanidis: “I would suggest they are very much awake. The reports last year around Naikon were a strong indication that groups who have seemingly gone quiet remain active, reflecting that point around the quiet long-game of traditional statecraft and espionage. The pandemic is reinforcing cyber-enabled espionage as an effective tool of statecraft and that trend will certainly continue, particularly targeting critical infrastructure and tech innovations.”

#3 Tell us a cyber horror story from your career (we’ll anonymize to protect the innocent).

Baram: “A few years ago, there were reports of an Iranian cyber campaign against various countries in the Middle East. It then turned out that they’d hacked several faculty members at my university and other academic institutes in Israel.”

Geers: “I have had numerous computer security scares in hotels around the world. Trust me: beware the evil maid attack!”

Herr: They were reading a colleague’s email. Not faceless cyber criminals or the eight-hundred-pound hacker but them, a persistent state adversary who didn’t have to be all that skilled or persistent to burrow into half a dozen of the organization’s email accounts. Discovering them did less to put the fear of God into leadership then set off a scramble for who would tell the bosses and who would pay for whatever we might have to do in response. Sometimes, the only way to win it seems is not to play…”

Kollars: “From an insider threat perspective: I recall once upon a time that a well-meaning administrator of a prior employer decided to copy the entire student folder with all the personally identifiable information…social security numbers, home addresses etc. to be able to work more easily on their own desktop. What they accidentally did was left it on a public folder open to the internet. And there it stayed, until the school got a phone call one day. Some well-meaning person just perusing random files on the internet stumbled across all that data. We got lucky.”

Livanidis: “Thankfully, I cannot think of an incident that I would describe as a horror story. What I have found most troubling is the alarmism surrounding cybersecurity and opaque language in cyber-related discussions. In my experience, these tendencies create a sense of task paralysis surrounding cyber security within organizations, or a feeling of helplessness for individuals. We need to make the issue more approachable and manageable.”

More from the Cyber Statecraft Initiative:

#4 How can government sweeten the incentives for defenders to improve their cybersecurity?

Baram: “Cybersecurity is everyone’s business—from the most sensitive national systems to business and industry all the way down to private citizens. So, really, it’s about education on all levels. Raising awareness of the threat goes a long way but it has to come with solutions too. Governments must invest in cyber education early on but also provide citizens with practical defense tools, something more solid than saying ‘no more 12345 passwords.’”

Geers: “This is America: free candy, seriously. Failing that, they should trade indicators of compromise as if they were Halloween candy.”

Herr: “If you are going to share information, make sure it is high quality, based on accurate reporting, and if at all possible, something new rather than regurgitated private sector intel with a ‘For Official Use Only’ stamp at the top. Kids know which houses give out the good candy, and people doling out toothbrushes or apples past their sell-by date get lonely fast.”

Kollars: “Do you mean besides actually prioritizing defending? Because I’d try that first.”

Livanidis: “Government can play an important role in reframing cybersecurity from the current short-term and reactive focus of most organizations to a longer-term and proactive focus. The Eisenhower Matrix is a good way to think about it—there’s a lot of emphasis on what’s urgent but not necessarily on what’s important, especially when an incident, however minor, makes the news. Government can lead by example and take steps to encourage the important, long-term, and more difficult cybersecurity programs.”

#5 Trick or treat: The United States is well-positioned from a cybersecurity standpoint ahead of next week’s election.

Baram: “The United States is definitely in a better place than it was four years ago. It has made significant efforts to learn from the misadventures of 2016, and new strategies have been adopted. At the same time, there are new tricks out there. The threat landscape has grown more complex and many actors are trying to manipulate and influence US public opinion.”

Geers: “Trick and treat. There will be no cyber pandemic, but plenty of cyber poltergeists. It would be great for our government to shine a light on them.”

Herr: “If you mean cybersecurity only in terms of the machines counting ballots then we are probably okay. If cybersecurity is the databases and networks of various secretaries of state and voter registration organizations? Well, ransomware is just the cybersecurity gods’ way of saying you’re doing it wrong. But if we say cybersecurity and mean cognition in people as well as machines, then it does not take much more than a glance at cable news to realize how phenomenally manipulable our sense of what is real has become. Trick.”

Kollars: “Technically? Treat… all the way… but it’s like the treat like giving pennies for Halloween is a treat. It’s boring and nobody wants them. Socially? Trick….it remains far too easy to undermine truth and confidence in government. And the scariest part…. “the call is coming FROM INSIDE the house!””

Livanidis: “I’ve been conditioned throughout 2020 to never make predictions, but there’s no doubt that cyber-enabled activity surrounding the election will peak in the coming days. Whether anything substantive will come of those attempts is another question. Whatever the case: everyone who can vote, should vote.”

Simon Handler is the assistant director of the Atlantic Council’s Cyber Statecraft Initiative under the Scowcroft Center for Strategy and Security, focused on the nexus of geopolitics and international security with cyberspace. He is a former special assistant in the United States Senate. Follow him on Twitter @SimonPHandler.

The Atlantic Council’s Cyber Statecraft Initiative, under the Digital Forensic Research Lab (DFRLab), works at the nexus of geopolitics and cybersecurity to craft strategies to help shape the conduct of statecraft and to better inform and secure users of technology.

Related Experts: Trey Herr, Kenneth Geers, and Nina Kollars