August 31, 2012

TSG IntelBrief: Boomerang: Asymmetric Warfare’s Inherent Risk

As of late August 2012, the two recent cyber attacks against major energy companies in the Middle East — Saudi Aramco and Qatar RasGas — are an indication that regional tensions in the Gulf between Iran and Syria, on one side, and the primarily Sunni nations of the Gulf Cooperation Council (GCC), on the other, have entered a new and more worrisome stage. They also offer sobering examples of a misunderstood and even more worrisome aspect of asymmetric warfare: the boomerang effect.

From designing and deploying malicious computer code with the objective of disrupting Iran's nuclear program to arming and training Afghan soldiers with the goal of disrupting the Taliban, the international community is now witnessing an exceptionally problematic yet highly predictable situation in which the weapons and methods of cyber and proxy warfare are being systematically retargeted back against the initiating nation-state. From hiding one's power through covert actions to projecting one's power through counterinsurgency efforts, there are risks inherent in introducing tactics and tools into arenas where there is limited control of that power and less understanding of its consequences.


The Law of Unintended Geopolitical Consequences

In the eyes of governments using asymmetric strategies such as cyber attacks (or proxies), the most attractive feature of this increasingly employed form of warfare is that it appears to be the long-sought middle ground between frustratingly slow or ineffective political and/or economic pressure and devastatingly destructive yet often equally ineffective armed conflict in the form of kinetic energy. To these policymakers, asymmetric warfare offers the preferred "clean hands" and "targeted strike" approach to solving difficult and complicated problems. But appearances are indeed deceiving.

The recent cyber attacks might prove to be an intriguing example of the boomerang effect. Cyber specialists have reported that the August 15th attack on Saudi Aramco, and possibly also the August 29th attack against Qatar RasGas, involved the employment of malware known as Shamoon that was designed to completely wipe the data stored on infected hard drives and servers. According to cyber firms such as Kaspersky, Shamoon appears to be a less advanced version of malware called "Wiper" that had been used against the Iranian oil industry earlier this spring.

The discovery of "Wiper," in turn, led to the discovery of a highly advanced piece of malware called "Flame" that was designed not to destroy information but rather to surreptitiously transmit that information back to the unidentified originator of the code. Previously, Iran's nuclear efforts had been targeted with other forms of advanced malware called Stuxnet and DuQu. To more clearly understand the boomerang effect — not an easy task within the murky cyber realm — it helps to examine the timeline as well as the targets of the Shamoon and Wiper attacks.


The Double-Edged Cyber Sword

In April 2012, Iran revealed that its oil sector had been targeted by Wiper, which shared forensic characteristics with the earlier Stuxnet and DuQu attacks. In the last week, Saudi Arabia and Qatar, both allies of the United States and both also by far the most prominent Arab critics of the Iranian regime, saw their oil and gas sectors attacked by Shamoon, which is thought to have been inspired by — if not partially created from — Wiper. Likewise, it is not known if Tehran is behind the Shamoon attacks against Saudi Arabia and Qatar... and their supporter, the U.S. The planted image of a burning U.S. flag on the hacked Aramco website suggests it is probable, but as shall be seen, blame and responsibility are relatively meaningless in such attack scenarios.

One of the hallmarks of the cyber attack form of asymmetric warfare is the lack of claimed responsibility, leaving the afflicted government or enterprise without a confirmed target for revenge. However, the cyber campaign against Iran is an open secret regardless of the lack of official acknowledgement (much as are the U.S. drone capabilities and activities) and so the matter of choosing a counterstrike target is actually far less complicated and muddied than what the proponents of cyber warfare might suggest. Indeed, the intended ambiguity of such warfare means the probability of a counterstrike is actually higher precisely because of the intentional anonymity and vague culpability that cuts both ways. Furthermore, even the most advanced cyber attacks leave recoverable traces on their targets, traces that can then be exploited by the target against the attacker. It is akin to launching an airstrike using a sophisticated and expensive stealth bomber and then leaving the airplane behind at the target so that the adversary can perhaps use it — or its unique technology — against the attacker.


Code and Rifles Operate Under Similar Principles

And it is not only in the virtual cyber world that the asymmetric boomerang is twirling around the international community. In the decidedly low-tech world of training Afghan soldiers to fight the Taliban, the West is providing vast amounts of weapons and training to the Afghans as an alternative to the politically unpalatable option of continuing the armed foreign presence for many more years to come. The oft-stated goals of the NATO-ISAF (International Security Assistance Force) presence in Afghanistan are the defeat of al-Qaeda and its former patron, the Taliban, and to ensure that Afghanistan is never again a sanctuary for terrorism. And to do this, the West is in effect conducting an asymmetric war using proxies (Afghan troops instead of Western troops) and cyber attacks against insurgent targets. The U.S. general in charge of international troops from 2010-2011, Marine Lieutenant General Richard P. Mills, admitted this week that he had used cyber warfare against insurgent forces "to get inside his nets, infect his command-and-control, and in fact defend myself against his almost constant incursions to get inside my wire, to affect my operations."

While it has not been demonstrated that Afghans have turned American cyber weapons against Western forces, it has been well documented that there is an ongoing and dramatic increase in instances where Afghans have turned their rifles against Western forces, killing 44 Western troops so far in 2012, more than double the number for all of 2010 (a scenario described in the April 19th IntelBrief). In a clear example of the boomerang phenomenon, NATO-ISAF efforts to arm a third party to assist in defeating a common foe — however noble the intentions — are increasingly being met with resistance by that third party, which is doing so with the very arms it had been provided.

To be sure, asymmetric warfare has a place in modern conflict — just as it has since antiquity. At the same time, it must be stressed that there is no such thing as a "clean hand" when talking about conflict, nor can the tactic of "targeted strike" be employed without the possibility of commensurate repercussions that often unfold in very unexpected ways. In constructing overarching strategies, policymakers would thus be well-served to carefully consider the expanding array of very serious boomeranging risks that are inescapably inherent in asymmetric conflict.



Also available: TSG Specialized Reports: The Soufan Group’s world-class network of intelligence analysts produces specialized geopolitical and risk assessment products tailored to the unique needs of our clients in the public and private sectors. We welcome the opportunity to discuss your requirements and explore how our intelligence services can assist you in achieving your strategic objectives. For more information, please contact us at:
