In cyber-scenario, 'Blueland' cripples European infrastructure

Finland detects Blueland's attack on 8 January — but, even so, system failures cascade to power plants and hospitals in more than 10 EU countries causing casualties.

By 21 February, EU foreign ministers are holding snap talks on sanctions against Blueland, and on whether to invoke a mutual defence clause.

That was the scenario discussed last week by EU diplomats in Brussels, according to a so-called scene-setter memo on the EU's ongoing "Cyclone" cyber exercise seen by EUobserver.

Cyclone is an EU model for joint alerts, intelligence assessments, and sanctions in the event of a cyber-attack with cross-border effects.

It was first tested last year, before Russia built up troops around Ukraine and before an actual, genuine, cyber-strike knocked out Ukrainian government websites, last month.

The EU foreign service declined to say if the exercise was making direct reference to Russia. But while this year's Blueland test was purely fictional, it was also designed to reflect the new reality of heightened Russia tensions in Europe, the EU memo indicated.

"To be realistic, the scenario is based on situations that have already occurred in real life or that we fear could occur in a near future," the EU memo said.

"This is realistic, and a good scenario to rehearse for," Mikko Hyppönen, chief research officer at Finnish cyber security firm F-Secure, told EUobserver on Monday (14 February).

In the EU exercise, Blueland is described as "an authoritarian state" in the EU neighbourhood that "positions itself as a global power aiming to strengthen its influence worldwide."

Blueland initiates the strikes to punish the EU for hosting opposition leaders who, while in exile, have encouraged citizens of Blueland to hang green ribbons in their windows in a snowballing protest movement against the Blueland authorities.

The French EU presidency organised the exercise "in view of the increasing number and severity of cyber-attacks targeting the EU and its member states," EU foreign service spokesman Peter Stano said.

But for Hyppönen, the meaning was obvious. "The most-likely attackers as described in this [Blueland] scenario are: Russia, Russia, and Russia," he said.

China, Iran, and North Korea also have high-end offensive cyber capabilities, Omer Dostri, a defence expert at The Jerusalem Institute for Strategy and Security, an Israeli think-tank, said.

But it was "clear" that the EU's Blueland was Russia, Dostri also said.

"This [EU exercise] is only one scenario of a realistic attack, but there are other threats that may materialise in the near future," said Dostri, who described how essential infrastructure was particularly at risk.

"It is possible to remotely disconnect patients from respiratory machines in hospitals. To this must be added a possible cyber-attack on water infrastructure, which will lead to disconnection of residents from water supply, or even poisoning of water," Dostri said.

Meanwhile, the EU exercise did not neglect to game-out the media and political dimensions of cyber warfare.

In the fictional scenario, a genuine US cyber security firm, Palo Alto, is the first to link the attack to Blueland and make it public.

"Referring to the Palo Alto report, the New York Times publishes an article on its front page also accusing Blueland of being responsible for the cyberattacks affecting Europe," the EU memo said.

Blueland fights back with "fake news on social media" and the fictional power outages come on amid wintry conditions and tight energy markets.

"Political groups take advantage to blame the situation on EU Green Deal policies" which are "accused of incapacitating national efforts to respond to the higher demand in energy in the European market," the EU memo said.

Hackers linked to Russia by Israel's Dostri also caused real power outages at three plants in Ukraine in 2015.

The joint EU strategy on cyber warfare is purely defensive in nature; that is in contrast to the stance taken by the United States and Israel.

"The United States develops and employs attack techniques, but is rarely caught using them. This is a question of attitude. China and Russia do not really care if their cyberattacks are noticed," Hyppönen said.

Israel broke into the computers of Russia's top internet security firm Kaspersky Lab in 2015 and remained undetected for months, he added. "It speaks volumes about the capabilities of Israeli intelligence", Hyppönen said.

"Despite its tiny size, Israel has offensive and defensive cyber capabilities at the level of a world power," Dostri said.