8 February 2015

Is this the future of cyberwarfare?

Aaron Ernst
February 5, 2015

Five years ago, the most sophisticated cyber weapon the world had ever seen ravaged Iran's nuclear program. Allegedly developed by the U.S. and Israel, the complex virus infected the computer system that ran the centrifuges. Slight tweaks to the software caused hundreds of the centrifuges to self-destruct, setting the program back years. The malware was dubbed Stuxnet.

Traditionally, foreign governments have used malware to spy and steal. But this was something entirely different.

“Stuxnet, it is a weapon, it’s not 'like' a weapon,” says German computer security expert Ralph Langner, who was the first to identify how the virus worked. “It is a weapon because it was designed to cause physical damage.”

Now, Langner worries that Stuxnet could come back to haunt the U.S. Those same vulnerabilities in Iran's nuclear control systems that the malware exploited can be found in similar systems throughout America. 

“These components are used in chemical plants, nuclear power plants, everywhere," Langner said. “We open Pandora's box without any idea, any clue, how we would deal with that when somebody turns that around. And that turnaround is only a question of time.”

But there are signs the threat that Langner has feared may have already arrived.

Espionage, then sabotage?

In early January, the world’s foremost experts in hacking and industrial control systems packed into a conference room in Miami for the buzziest event of the S4x15 security conference. The speaker was Kyle Wilhoit, a virus hunter who's been tracking the evolution of a sophisticated new threat known as BlackEnergy.

The Department of Homeland Security has identified BlackEnergy malware deep within the industrial control systems that operate critical infrastructure. Though BlackEnergy was initially designed to steal information, Wilhoit, a senior threat researcher at Trend Micro, believes it’s targeting some of the same types of industrial control systems exploited by Stuxnet. He fears this tool of espionage could be turned to sabotage.

Kyle Wilhoit tested BlackEnergy in his personal virus-hunting laboratory and found that it had the potential to be weaponized.America Tonight

“The concerning aspect about this malware is that it’s modular in nature,” he says. “You can take a piece of destructive code and easily introduce it into Black Energy and weaponize it to be destructive.”

Malicious code could theoretically be used to manipulate the controls of pipelines, water purification systems, power generators and other critical infrastructure, resulting in real-world physical damage. That could mean blackouts or disruptions to an entire city's water supply. In short, it could be catastrophic.

While Langner decoded Stuxnet in 2010, the vulnerability of industrial control systems to such an attack was known several years earlier. In 2007, researchers at the Idaho National Laboratory launched a simulated attack called Aurora to see if they could damage a power plant by hacking into its control system. This video, released by the Department of Homeland Security under the Freedom of Information Act, shows how they were able to throw a power generator out of phase, causing it to self-destruct.

Is this what the future of cyberwarfare looks like? 1:13

Experts worry that BlackEnergy could be programmed to do something similar, since its complexity hints at a highly skilled team of hackers with a broad technical background.

“The particular individuals that were writing this malware had not only IT security experience, but also engineering experience,” Wilhoit says. “The information that they're getting is very specific, and it's very specific to engineering technology.”

The next question, of course, is to discover who these hackers are. Finding out whether they're agents of a foreign government, an international criminal network or something else makes all the difference when it comes to fighting back.

From Russia with love


Russian President Vladimir Putin marches in a parade celebrating the public holiday Defend the Fatherland Day in 2013.

Jen Weedon and her team of sleuths at the cybersecurity firm FireEye have traced the targets and digital footprints of BlackEnergy to a well-known Russian-based group known as Sandworm. The group had previously used an earlier version of BlackEnergy to spy on targets of interest to the Russian government, including NATO and the Georgian government. But now, Weedon says, its target has shifted.

“The same group that was conducting political military espionage was also using BlackEnergy to get into critical infrastructure,” Weedon said.

While the malware has the fingerprints of the Russian government, Weedon can’t prove a definite link. After all, the Kremlin may have simply bought the malware from criminals.

‘There’s no benign explanation for why somebody in Russia is interested in how the lights go on and off in Ohio.’

David Smith

director, Potomac Institute Cyber Center

As the adviser to Georgia’s minister of defense during the 2008 Russian invasion, Khatuna Mshvidobadze was on the receiving end of one of these Russian cyber attacks. Before Russian troops crossed the border, the country’s Internet was crippled by denial-of-service attacks traced to a shadowy cyber criminal gang: the Russian Business Network.

“It was very hard to put our information in the website to reach the whole world [about] what's going on in Georgia,” she says.

For her husband David Smith, the director of the Potomac Institute Cyber Center, the timing of the cyber and military attacks suggested coordination.

“The Georgian war was kind of a watershed, because people kept trying to find [out], who did it? Was it criminals? Was it government?” he says. “The answer to both questions is yes. It's the Russian government using criminal groups.”

Smith believes the Russian government allows cyber criminals to operate with impunity in the country on the condition that they don't attack government interests and are ready and willing whenever state officials need their help.

“It's like having a reserve force and not paying a penny for it,” he explained. “When you need them, you've got an expert core of cyber warriors ready to go.”

But as BlackEnergy evolves to target industrial control systems, with the potential to physically damage American critical infrastructure, Smith believes Russia’s cyber-strategy is entering a dangerous phase.

“There's no benign explanation for why somebody in Russia is interested in how the lights go on and off in Ohio,” he says. “If you're asking me, is somebody preparing the battlefield against the United States and its allies? You bet somebody is.” 

Infiltrated infrastructure

In his State of the Union address last month, President Obama warned about growing cyber threats: “No foreign nation, no hacker should be able to shut down our networks," he said. But critics say the cyber bill he's pushing Congress to pass, which would push companies to share information about network threats and expand the authority to prosecute online crimes, does little to force utilities to address vulnerabilities in the critical industrial control systems of America’s power grid.

“These devices are becoming more interconnected,” says Wilhoit. “They’re becoming more network connected, which then exposes them to a wider target base.”

And it’s not just the Russians who are discovering the potential Achilles' heel in American infrastructure.

“It’s alarming,” Weedon said. “BlackEnergy isn’t the first malware that we've seen in this space. We’ve seen some China-based groups that look like they’re probing related information.”

In fact, Weedon’s company FireEye has found 50 different types of malware that were targeting energy companies.According to a 2014 survey by ThreatTrack Security, a malware detection firm, 37 percent of businesses in the U.S. energy sector were infiltrated in the previous year. The Department of Homeland Security was alarmed enough to publish a special bulletin in December about the dangers posed by malware like BlackEnergy.

“I would say right now, I’m not sure we are prepared,” says Weedon. “This is a wake-up call.”

For five years, Langner has been trying to sound that wake-up call, but he believes America's utility companies aren't taking the threat seriously enough to make the necessary, and significant, investments required to truly protect critical infrastructure.

“We positively know they could be turned into sabotage campaigns," he warns. "We just cannot continue this way any longer. The bad news is, it’s going to cost money. Unless somebody is going to do that, nothing’s going to change."

No comments: