Hackers are attacking government computers. They take the websites of online newspapers offline, cut the power supply to tens of thousands of households and sabotage the control systems in our homes. Black Monday in Austria! A digital mega-attack hits our country.
It could be Islamic fundamentalists, terrorists, a criminal organization or even a hacker collective that sees Austria as an ideal testing ground for larger tasks. Regardless, on this Monday – which will later be called “Black Monday” – who is behind the attacks is initially of no importance. First of all, astonishment spreads on this day X: astonishment that unknown attackers can simply change media content at the touch of a button and thus disrupt our orderly daily routine – at least to some extent.

Day X, 7.34 a.m.
We have soft-boiled eggs and bacon for breakfast, along with coffee and a distributed denial of service (DDoS) attack. Austrian online newspapers and news portals go offline under the strain of an attack capacity of 280 gigabits per second. The websites of the Federal Chancellery and the Federal Ministry of the Interior are “defaced”, meaning that terrorists take control of them and use the sites to spread propagandistic slogans. The attackers announce their successes on Twitter (#WarOnAustria) and Facebook. The Austrian population (still) reacts largely with indifference.

Day X+1, 9.06 a.m.
The DDoS attacks continue the next day. Foreign content appears on TV channels after broadcasting has already been replaced by streaming. Annoying, but there is no sign of concern in the country.

Day X+4, 6.30 a.m.
Now it’s time to get down to business. The water supply in major cities is attacked. The malware is reminiscent of Stuxnet, which was used against Iranian nuclear facilities years ago. Back then, the control systems worked incorrectly but reported that they were functioning normally. The attacks fail because the PLC control systems (Programmable Logic Controllers, industrial control systems that are reachable via the Internet) are only used for monitoring purposes.

Day X+4, 1.12 p.m.
Three Austrian authorities and companies experience cases of inconsistent data. The data loss is due to targeted attacks, so-called Advanced Persistent Threats (APT). During the course of the day, CERT.at receives 14 more such reports. The Austrian Computer Emergency Response Team is the first point of contact when it comes to cyber security and takes action against the attacks.

Day X+6, 10.01 a.m.
Six days after the attacks began, the server of an Austrian energy supply company sends out a flood of false SCADA packets. SCADA (Supervisory Control and Data Acquisition) systems monitor and control technical processes digitally and are operated remotely via the web. The attack means that the balance between production and consumption can no longer be read. The resulting cascade effect requires a segment shutdown; 89,000 households are temporarily without power (blackout).

Day X+8, 8.10 a.m.
Private webcam recordings of two members of the government are published on Instagram and Facebook. One video shows intimate details, the other a case of domestic violence. William Binney, a former NSA department head, presumably had good reason to advise people to tape over their laptop cameras and deactivate their microphones. The Austrian population reacts to the revelations with shock, and trust in the political elite is lost to some extent in the midst of this crisis.

Day X+9, 11.23 a.m.
On day nine, the personal data of 1.6 million customers of an insurance company is posted online. The DDoS attacks continue, and the population is deeply worried.

Day X+11, 7.16 a.m.
1.2 million private email recipients and 238,000 corporate email accounts receive an official-looking message from the Ministry of the Interior with a “recommendation on how to deal with the current crisis situation”. The email is fake and contains a PDF with malicious code that infects 98,000 private PCs and 15,000 company computers. Half of the infected PCs encrypt the network drives and render them unusable. The other half launches a concerted DDoS attack against domestic websites.

Day X+13, 4.05 p.m.
PLC controls that can be accessed via the internet are taken over by attackers. As a result, companies are significantly impaired in their production and orders for goods can no longer be processed. The damage now amounts to hundreds of millions of euros, but the attacker is still invisible. The authorities neither know who they are dealing with nor where the attacks are coming from. To make matters worse, many building control systems are no longer working properly. The German government is considering restricting internet data traffic.

Back to the here and now and the question of whether developments like those in our horror scenario are actually possible. “Yes,” says cyber security expert Harald Reisinger, Managing Director of IT security service provider RadarServices. “Modern societies are highly networked and dependent on functioning information technology structures.” According to Reisinger, DDoS attacks have long been a reality. “The central IT infrastructure of an Austrian telecommunications provider was recently paralyzed for several days,” says Reisinger, citing one example. “Internet access for customers did not work or only worked partially. Media reports spoke of blackmail, allegedly demanding a multi-digit million amount in bitcoins (digital currency) to stop the attacks.” Television has also been the target of attacks. In May 2015, the Islamic State almost took over the program of the French channel TV5 Monde. This would have allowed the terrorist organization to spread its propaganda unhindered in more than 200 countries.
According to ORF security officer Pius Strobl, such an approach by terrorists would be impossible at Austrian Broadcasting: “Our digital access routes for transmission are blocked because the broadcast-relevant systems are separated from the others. The data stream cannot be manipulated in this way and the transmission cannot be altered vis-à-vis the viewer.” In an interview with Militär Aktuell, Strobl believes that small and medium-sized companies in particular are being targeted by digital aggressors. “For the comparatively large ORF, security is a balance sheet-relevant expense item,” says Strobl. “But it is also becoming increasingly difficult for us to keep pace with technological developments.” For Philipp Timmel, a penetration tester for many years, even private individuals are not immune to cyberattacks: “Smartphones have increased our level of connectivity enormously. They have features that go far beyond making phone calls and offer numerous opportunities for attacks.” Reisinger explains: “With a cryptolocker, for example, an attacker can take personal data digitally hostage and demand money for its release. Or they can threaten to deactivate all the digital functions of a home. Digital protection rackets have long since become a global business and terrorists could also use this method to spread insecurity and fear.”
Reisinger expects the dangers to increase as digitalization progresses. “Our data reveals a lot about our everyday lives and makes us vulnerable. However, hardly anyone thinks about the negative consequences of this technological development.” Philipp Timmel is sceptical about the possibility of shutting down the internet or restricting data transfer in the event of an attack on the scale of Black Monday: “It’s technically difficult to imagine; the internet is and will remain decentralized. It can also be assumed that there are terrorist actors in the country itself.” The penetration tester also believes that prophylactic countermeasures are difficult: “Something has to happen before you can react. It is therefore important to prepare for this reaction in the best possible way.” This includes the perfect interplay between legislators, society and companies, and also the military. In the event of a crisis, redundant means of communication and a good connection to the large software companies, such as that maintained by CERT.at, are needed. When it comes to redundant systems, Timmel looks to the army and the armed forces in general: “Military systems today are of civilian origin. They are therefore just as vulnerable, but the military also has good old radio, which should be spared from internet failures as long as an independent power supply is available. This channel could be used for initial crisis communication and coordination between different decision-makers.” Reisinger also sees military structures at risk: “If the military believes that it is not affected by such attacks, then this is an illusion. If only because members of the military, as human beings, are also affected by the impact of a digital attack on society. So all the issues described in the Black Monday scenario are also relevant for the military.”