What capabilities and coalitions may emerge in war’s newest front?
The latest round of open warfare between Armenia and Azerbaijan goes on despite a ceasefire agreement. Armed clashes between the two have been far bloodier than those which occurred in 2016, representing a significant break in the shaky peace that has held since 1994. Renewed conflict between Yerevan and Baku has been quite lethal, with combat deaths rumored to be in the hundreds. Concern that Azeri forces may seek to overrun Nagorno Karabakh and engage in ethnic cleansing is palpable.
Although aging Soviet Bloc arms form the bulk of both countries’ arsenals, increasingly sophisticated weapons have been introduced, including drones and ballistic missiles. Regional powers, including Turkey, Israel, and Iran, have interests in the conflict, as of course does Russia. As with other conflicts in the former Soviet sphere, the latest spasm of violence in the Caucasus has generated cyber action as well. This conflict raises larger questions regarding the delivery of aid in the form of cyber operations tools or services, as well as cyber coalition action undertaken by multiple states supporting one belligerent or another.
New Malware in Old Bottles: PoetRAT
While drones and missiles may get media attention, a cyber component to the conflict has appeared. Cisco’s Talos Intelligence division has identified PoetRAT, a remote access trojan with the capability to operate on compromised systems. RATs can be powerful pieces of software, able to perform everything from serving as a beachhead on a compromised computer network to collecting information and exfiltrating it by covert means. RAT packages have been around for a long time, with Dmitri Alperovitch’s report on a Chinese variant, Shady RAT, bringing RATs to the attention of leaders beyond the cybersecurity sector.
According to a pair of Talos blog posts, it appears the first malware to be detected in the Armenian-Azeri conflict is PoetRAT, so named “due to the various references to William Shakespeare” contained within comments in the program’s code. Initially discovered in April, new evidence of its employment was published by Cisco’s intelligence division this week. It has likely compromised targeted systems and organizations in Azerbaijan, although attributing its creation to Armenian programmers is not a given.
There is little in PoetRAT that we haven’t seen before. As RATs go, it simply isn’t very sophisticated. Primarily a cyberespionage intelligence-gathering tool, it relies on macro features in Microsoft products that are largely turned off by default in most organizations. Nonetheless, macro-delivered malware remains effective when aimed at unwitting organizations or individuals. Early speculation on PoetRAT considered its target likely to be the Azeri energy sector; however, its capacity to manipulate or subvert oil and gas computer systems remains largely unknown.
What PoetRAT does open the door to is escalation in cyber action between the two countries. If the conflict grinds down to a stalemate, asymmetric attacks, including those against the critical infrastructure of the two countries, may increase. Obviously, military operations like those ongoing since late September aren’t likely sustainable. As things bog down, we may see Stavridis’s “New Triad” — drones, special ops, and cyber — come to this festering crisis in the Caucasus.
PoetRAT is part of what may be escalating cyber action between the Armenians and Azeris if the conflict continues. It may also draw in others in the region with interests in the conflict, including Iran, Turkey, Israel, and, perhaps most importantly, Russia. Although it appears that Armenia has been the first caught engaging in a cyberespionage campaign, it is quite likely that Azerbaijan can and will hit back, perhaps with similar tactics, or with something of greater impact, such as broad-based denial of service attacks of the sort undertaken by Russia against Estonia in 2007 and Georgia the following year.
Low intensity coalition cyberwarfare
There is a growing record of cyber conflict. For the better part of the last decade Ukraine has been largely on the receiving end of Russian cyber action, beginning with the fall of the Yanukovich government and intensifying after the outbreak of hostilities in the Donbass. Russia’s cyber campaign against Ukraine’s electrical grid in 2015 was as serious an attack on critical infrastructure as any. A slew of Ukrainian companies and government entities were hit by the Petya/NotPetya crypto-locker malware two years later. (NotPetya spilled beyond Ukraine, impacting a number of multinational firms.) The aforementioned attacks are generally attributed to Russia, which may well have campaigns ready or underway for this latest conflict in the Caucasus.
But Russia is not the only potential cyber player, and Azerbaijan certainly has some friends with cyber capabilities. The most significant of these, and the most likely to use them, is Turkey, which sells arms to and exercises with the Azeri security forces. Turkey has probably shared its expertise on digital censorship with the Aliyev government as well. In addition, there are strong links with Israel, which has sold “suicide drones” that have been used to great effect (with video evidence) against Armenian forces. Israeli provision of cyber tools and support to Baku would radically alter the cybersecurity balance between the two countries.
In measuring offensive cyber capability, both Turkey and Israel are ranked in the top 30 of the world’s cyber powers by a Harvard Belfer Center program. While most of Turkey’s cyber capabilities have been aimed at deterring or stifling public speech critical of the Erdogan government, it no doubt has significant ambitions. As for Israel, it is without peer in its region, having likely employed cyber techniques to defeat the Syrian integrated air defense system. There is little doubt that the IDF punches far above its weight in its use of cyber techniques to achieve intelligence and military goals.
As for Armenia, it has few major allies in the West or in its more immediate neighborhood. Relations with Greece are cordial, but how it or other NATO members could provide support is unclear. Iran could potentially serve as an ally in providing cyber operations expertise and source code. Indeed, the ostensibly Armenian-produced malware found on Azeri systems this month is of a level of sophistication not beyond the capability of Iran’s cyber forces. A series of cyber incidents in Saudi Arabia, commencing with 2012’s Shamoon and continuing with attacks against commercial and government entities in the Kingdom, is widely assumed to be the work of Iran’s Cyber Defense Command.
What else may come to pass?
Even with a ceasefire in place, the potential for foreign intervention in the Armenia-Azerbaijan civil conflict is not entirely diminished. One press outlet observed, “After Russian airstrikes in Syria killed Turkish soldiers earlier this year, Turkey soon appeared on other battlefields where Russia was vulnerable.” It is unconstructive, however, to see Armenia and Azerbaijan solely as proxies in a Russo-Turkish conflict. Russia’s sale of S-400 anti-aircraft missile systems to Ankara, which forced a U.S. cancellation of the F-35 Joint Strike Fighter deal, indicates that relations between Turkey and Moscow are complicated. How this translates into either country providing cyber support is still largely unknown.
Instead, we should expect the indigenous development of cyber operations capabilities. Although highly structured cyber campaigns may require financial investment and time beyond the means of minor powers, smaller actions like PoetRAT are still achievable. We should consider the potential for Kalashnikov cyberwarfare, that is, the development and employment of reliable, cheap, and effective offensive cyber tools produced by computer hackers and engineers in smaller, developing countries. Like supplies of the globally ubiquitous Soviet-designed assault rifle, there are now lots of readily available pieces of malware that may be harvested, modified, repurposed, and deployed by technologically sophisticated but resource-constrained military and paramilitary groups. Reuse of cyber operations tools is a given, as we are already aware that malware used against one target has been employed against others on many occasions.
In the case of this conflict, Azerbaijan enjoys significant military and economic advantages over Armenia, but in cybersecurity that may not be the case. Yerevan was a center of computing research in the Soviet Union. Established under Khrushchev in 1956, the Yerevan Computer Research and Development Institute produced mainframe computers in the 1960s and at its peak employed a staff of 5,000. It still employs a small number of computer technicians and scientists today, according to a number of LinkedIn profiles. Armen Sarkissian, the country’s president, is also a computer scientist (and commercialized a variant of the Tetris computer game). Members of the Armenian diaspora have found success in IT startups abroad, with Sarkissian’s son the CEO of a cybersecurity firm headquartered in London.
Although it is an unsophisticated measure, the health and development of a nation’s computing sector is as good an indicator of cyber operations capacity as any. This is where Armenia likely stands above Azerbaijan, as it can mobilize talented computing professionals able to modify and employ existing computer code to achieve results. Because of its scant supplies of natural resources, Armenia may emulate similarly disadvantaged states such as South Korea or Israel in leveraging talent for economic prosperity. Development of the tech sector has attracted international attention. Microsoft worked with USAID to establish its Innovation Center Armenia, an education and startup development center that has trained more than 7500 students since opening its doors. IBM partnered with USAID to open a tech center at Yerevan State University in 2016.
These items present a picture of Armenia as a nation that can organize the tools for cyber conflict, but there is the matter of whether Azerbaijan is vulnerable to cyber action. Digitizing the Azeri oil and gas sector certainly appears to be a priority, but that process is likely to be led by foreign vendors delivering products and services, not by the development of domestic firms and the local workforce. Like Saudi Arabia, the UAE, and other resource-wealthy rentier states, Azerbaijan may choose to buy the services of external actors and firms, as local capacity remains insufficient to meet the challenges posed in creating and operating cyber offense and defense forces. In addition, Azerbaijan has dedicated significant resources to monitoring Internet activity and internal dissent, funneling resources away from other cyber activities.
Moving forward, if the military conflict between Armenia and Azerbaijan grinds down to stalemate, increased employment of cyber capabilities grows more likely. Without Russian support, Armenia will likely tap its IT workforce to stitch together capabilities for a cyber effort to accomplish everything from damaging Azerbaijan’s economy, and particularly its energy sector, to fomenting online dissent of the sort Ilham Aliyev has dedicated significant resources to quashing. This is a conflict that students of cyber international relations and international security should probably watch closely.