26 July 2017

Cyberwar: A Look at the Arms Race of the Future

Eric Olson

Russian meddling in elections, U.S. sabotage of North Korean missiles and shadowy hacker groups stealing secret NSA data: these acts of aggression were not carried out with conventional weapons like guns or bombs, but rather were the result of actions in the abstract world of cyberspace. Cyberwar is an increasingly significant threat on the world stage. It consists of offensive and defensive actions, such as cyberattacks, carried out by one entity against another’s computers or networks. These attacks can be aimed at gathering intelligence, disrupting computer function, or causing damage to critical infrastructure such as electric power grids.

Real-time world map of cyberthreats populated by data from Kaspersky Lab’s malware detection software. Image Credit: AO Kaspersky Lab

Nations develop cyberweapons to achieve their objectives in cyberwar engagements. These weapons consist of software, known as malware, developed to perform cyberespionage such as surveillance or theft, or to carry out cyberattacks directly. States that engage in cyberwar typically seek to obscure the nature and origin of the attack to hide their involvement by designing malware that conceals itself from protection mechanisms such as virus scanners.

What is Malware?

Malware comes in many different varieties, each tailored to achieve one or more objective, such as surveillance, theft or destruction of data. 

Viruses exploit software vulnerabilities to infect computers for various nefarious purposes such as deleting or stealing data, or generating botnets. 

Worms, similar to viruses, exploit operating system vulnerabilities to infect computers. In contrast to viruses, they are capable of spreading independently of human activity after self-replication. They typically deliver payloads aimed at stealing information or creating botnets. 

Spyware is aimed at covertly monitoring user activity and collecting private data such as passwords, account numbers and financial information.
 
Trojans disguise themselves as normal computer files to trick people into using them. Once executed, the Trojan gives remote access to attackers, who can then tamper with the computer, steal data or install further malware.
 
Rootkits provide root or administrator access to infected computers, providing the attacker with remote access or control. Rootkit detection is difficult due to their signature masking characteristics. 

Ransomware restricts access to the files and programs on a user’s computer and demands payment to unlock the system. 

Cyberattacks

As the world has become increasingly interconnected, with classified information and critical infrastructure potentially exposed to the internet, nations have taken a growing interest in cyber defense and offense. There have been numerous instances of nation states initiating cyberattacks. Those targeting industrial control systems have had some of the most immediate physical consequences.

In 2007, the U.S. government conducted the Aurora Generator Test to demonstrate that a cyberattack could destroy physical parts of the power grid. The experiment consisted of a cyberattack against a 2.25-megawatt generator that opened and closed its circuit breakers in such a way as to cause an out-of-sync condition between the generator and the power grid. The over-torque created by this nonsynchronous state caused the generator to shake and bounce, eventually tearing itself apart and ejecting pieces up to 80 feet away.

Stuxnet

The Idaho National Laboratory conducted a cyberattack test for the Department of Homeland Security against a generator to demonstrate the destructive potential of cyberattacks. Image Credit: Wired

The first real-world case of malware developed to disrupt or destroy industrial control systems was the “Stuxnet” worm. Jointly developed by U.S. and Israel, it was deployed in 2009 and 2010 with the objective of sabotaging Iran’s nuclear program.

Stuxnet was a sophisticated piece of malware with multiple components and functionalities. It infected computers after being loaded via a USB stick, then exploiting a vulnerability in Microsoft Windows. The worm then checked if the computer was running the Siemens Step 7 software used by Iran to control uranium enrichment centrifuges.

Ultimately, Stuxnet targeted the centrifuge programmable logic controllers (PLCs) by modifying the instructions they sent to frequency converter drives to slow down or speed up the rotation of centrifuge motors. Spinning at unsafe speeds caused the centrifuges to fail. Stuxnet destroyed almost 1,000 of Iran’s 6,000 centrifuges and delayed Iranian progress toward building a nuclear weapon by a year.

Dragonfly HAVEX

Another cyber operation aimed at industrial control systems was the Dragonfly campaign. Dragonfly used malware known as HAVEX to gather information about industrial control systems (ICS) in the energy and pharmaceutical sectors over several years, ending in 2014. It infected hundreds of business computers and then scanned for network details over the Open Platform Communications (OPC) industrial protocol to search for ICS devices on Transmission Control Protocol (TCP) ports 502 (Schneider Electric), 102 (Siemens) and 44818 (Omron, Rockwell Automation). Dragonfly was an information-gathering espionage campaign rather than one aimed at causing physical damage. It was suspected to be a state-sponsored campaign run out of Eastern Europe.

CrashOverride

Excerpt from the source code of the HAVEX malware. Image Credit: F-Secure

The first cyberattack on a power grid occurred in Ukraine on December 23, 2015. Malware known as CrashOverride disabled one-fifth of the electricity-generating capacity in Kiev and cut power to 225,000 customers. It was only the second cyberweapon that was specifically aimed at destroying industrial control systems.

Like HAVEX, CrashOverride targeted vulnerabilities in industrial protocols to map the ICS environment and sabotage devices on the network. It created a prolonged power outage by instructing components that operate circuit breakers to keep the breakers open even if an operator tried to close them. It also wiped software on the systems controlling the circuit breakers so that operators would need to manually restore power. Analysis of the malware suggests that CrashOverride was created by a group known as Electrum that has ties to the Russian government.

Simplistic mock-up of electric grid operations systems and communications relevant for CrashOveride. Image Credit: Dragos Inc.

Attacks for Profit

The effects of cyberattacks are not limited to the political sphere. Hackers are constantly probing corporations and citizens to steal data and identities for profit. In May, hackers initiated a scheme to infect computers around the world with ransomware that threatened to delete user’s files unless they paid a ransom in bitcoins to the attackers.

The ransomware, known as WannaCry, was introduced to users' computers by exploiting a vulnerability in Microsoft Windows known as EternalBlue. It was one of several exploits leaked in April by a group of hackers that calls itself the Shadow Brokers. The exploit was part of a cache of data that the group stole from the National Security Agency (NSA) in 2013.

The Shadow Brokers have threatened to sell more unreleased NSA attack tools — or publish them publicly — if no one is willing to pay. In addition, they threaten to release secret NSA intelligence on Russian, Chinese, Iranian or North Korean nuclear and missile programs, as well as on the Society for Worldwide Interbank Financial Telecommunications (SWIFT) system that is used by financial institutions for money transfer transactions.

The NSA/CSS Threat Operations Center provides situational awareness on any adversarial attempt to exploit and attack U.S. networks. Image Credit: NSA

Cyberweapons represent an increasingly important part of military arsenals. In Iraq, the U.S. combines cyberoperations with ground and air missions to disrupt the command and control capabilities of Islamic State fighters.

Russia reportedly leverages cyber espionage to influence elections, notably the 2016 U.S. presidential election. North Korea, Iran, China, the United Kingdom and many other countries are actively engaged in the development of cyberwarfare capabilities. With the vast majority of intellectual property stored on electronic devices, critical infrastructure controlled by digital systems, and all of these components often possessing a conduit to the internet, the importance of cybersecurity is intensified on the world stage. With so much at stake in a thoroughly interconnected world, nations and rogue individuals will continue to develop cyberweapons of ever greater sophistication, with far-reaching consequences.

No comments: