31 January 2019

Cyberwarfare alert: The new wired battlefields

Sandipan Deb

On 1 December 2018, Chinese telecom giant Huawei Technologies Co.’s deputy chairwoman and chief financial officer Meng Wanzhou was arrested in Canada at the request of the US, which accuses the company of violating US sanctions on Iran. At the time of writing, she is awaiting extradition to the US amid a diplomatic battle between China and Canada. More recently, Wang Weijing, a sales director at Huawei in Poland, was arrested on charges of spying. The company was quick to fire Wang, saying that the allegations against him had nothing to do with Huawei.

The core issue with Huawei is not Iran, but its close links with the Chinese military. The company, which ranked 72nd in the Fortune Global 500 List 2018, and is the world’s second largest smartphone manufacturer, was founded by Ren Zhengfei, a former engineer in the People’s Liberation Army. Over the years, it has faced numerous charges of intellectual property theft and industrial espionage, and lawsuits from companies like Cisco, Motorola and T-Mobile. Under the Donald Trump regime, the company has more or less been called a national security threat.


Huawei has always denied that Beijing uses its gear for spying, but its credibility is low. In addition to the US, Japan, New Zealand and Australia have banned Huawei equipment. Norway may also follow suit. Meanwhile, after initially refusing to invite the company for 5G trials, India, on 17 December, allowed it, and even complimented Huawei for developing the telecom sector in the country.

Cyberweapons are rewriting the rules of warfare. They are cheap to acquire, can be used to devastating effect, and are easily deniable. Plus, no country has yet figured out the appropriate response to destructive cyber aggression—what sort of an act of war is it? After all, one can hardly ever get 100% proof that a government and not some rogue hacker team is behind the attack. And even if you have the proof, you would often not wish to make it public since that would in turn reveal how deep your own cyber moles have penetrated into your enemy government’s systems.

While governments and intelligence agencies worry about cyberattacks being a bigger threat to international security than nuclear missiles and terrorism in the near future, here are the three biggest instances of cyberwarfare carried out by governments (though obviously denied by them).

Stuxnet vs Iran in 2000s

Sometime in the mid 2000s, then US president George W. Bush covertly authorized the building of a cyberweapon to critically damage Iran’s nuclear programme. The aim was to avoid another war in West Asia, as Israel was itching to bomb Iran’s nuclear facilities. Israeli Prime Minister Benjamin Netanyahu was brought on board and the US Cyber Command and Israeli military hackers began working on the computer worm that would come to be known to the world some years later as Stuxnet.

This was the first recorded act of cyberwarfare on real-world infrastructure by a government (in this case two). The target was Iran’s central facility for uranium enrichment located near the town of Natanz. In 2007, Iran announced it had about 3,000 centrifuges operational there.

Though both the US and Israel deny any involvement, later expert analysis of the Stuxnet worm revealed that it was an extremely sophisticated piece of software, which could not have been built without a significant budget and years of work, that is, it was a government project. It knew exactly how the Iranian centrifuges worked. (It was later learnt that both the US and Israel had built very elaborate replicas of the Natanz facilities.) It didn’t require anyone to pull the trigger—it relied on “zero-day" exploits, autonomously hitting its targets, and then going dormant. This is a complex and time-consuming engineering feat that no amateur hacker group can afford.

Lastly, since the computer network at Natanz was “air-gapped", that is, it was not connected to the internet, perhaps the only way to enter the network was to drop a few infected pen drives around the facility, hoping that a staff member would pick one up and insert it into his computer. This was clearly an intelligence agency operation.

As things turned out, sometime in 2009, someone seemed to have picked up a pen drive from the ground outside the facility and inserted it into his computer. The worm uploaded itself into the plant’s computer system. It probed for the “programmable logic controller" (PLC), which controls the operation of centrifuges that spin at supersonic speed. It hijacked the PLC’s software and made the centrifuges spin dangerously fast, for about 15 minutes, before returning to normal speed. The operators at the plant detected nothing, because Stuxnet was faking all the data on their screens to appear normal. And, 27 days later, the malware struck again, slowing the centrifuges down for 50 minutes.

In a few months’ time, the sudden changes in speeds started causing the centrifuges to disintegrate—their aluminium parts expanded and started colliding with one another. By the time it stopped (the malware was programmed to abort at a certain point), Stuxnet had destroyed around 1,000 machines, or about 30% of Natanz’s centrifugal capacity.
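The defensive lesson of the faked screens above is that a controller's own readout cannot be trusted to police the controller. The following is an added example written for this article, not code from the article or from any plant: it cross-checks a PLC/HMI speed trace against an independent sensor wired outside the PLC and reports the windows where they disagree. All telemetry, the NOMINAL unit, the 2% tolerance and the SAFE_MAX limit are constructed values.

```python
"""Added example (not from the article): out-of-band cross-check of a
PLC-reported speed trace against an independent sensor, to expose faked
HMI readouts of the kind described above. All values are constructed;
NOMINAL is an arbitrary unit, not a real centrifuge speed."""
NOMINAL = 1000        # constructed nominal speed
TOLERANCE = 0.02      # more than 2% disagreement between sources is suspicious
SAFE_MAX = 1100       # constructed mechanical limit

def build_telemetry():
    """Constructed 60-minute trace: the HMI reports nominal throughout while
    the independent sensor sees a 15-minute overspeed, as described above."""
    hmi = [NOMINAL] * 60
    sensor = [NOMINAL] * 60
    for minute in range(20, 35):
        sensor[minute] = int(NOMINAL * 1.3)
    return hmi, sensor

def find_discrepancies(hmi, sensor, tol=TOLERANCE):
    """Windows [(start, end, worst_ratio)] where the two sources disagree by
    more than `tol`; consecutive suspicious minutes are merged."""
    windows, start, worst = [], None, 0.0
    for i, (h, s) in enumerate(zip(hmi, sensor)):
        ratio = abs(s - h) / h
        if ratio > tol:
            if start is None:
                start, worst = i, 0.0
            worst = max(worst, ratio)
        elif start is not None:
            windows.append((start, i - 1, round(worst, 3)))
            start = None
    if start is not None:
        windows.append((start, len(hmi) - 1, round(worst, 3)))
    return windows

def minutes_over_limit(sensor, limit=SAFE_MAX):
    """Minutes where the independent sensor alone shows an unsafe speed."""
    return [i for i, s in enumerate(sensor) if s > limit]

if __name__ == "__main__":
    hmi, sensor = build_telemetry()
    print("HMI vs sensor disagreement:", find_discrepancies(hmi, sensor))
    print("minutes over limit:", minutes_over_limit(sensor))
```

The HMI trace on its own looks perfectly normal; only the independent sensor reveals the 15-minute window.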

Chinese hacks in US in 2014

This is perhaps the worst hack in US history and occurred at the US government’s Office of Personnel Management (OPM), which keeps records of the millions of people who have worked, currently work, or have applied to work for the US government as employees or contractors. The OPM is the storehouse of intimate details of the lives of 22 million Americans, or 7% of the population. It has some highly sensitive data about the most important people in the American security and intelligence community. For instance, the department collects information for conducting background checks on almost anyone who needs a “secret" or “top secret" security clearance.

The Chinese cracked the database open in 2014.

To obtain a security clearance from the government, prospective federal employees and contractors have to fill out Standard Form 86 (SF-86), a 127-page form (yes, 127!), which lists every personal detail—every bank account, medical condition, illegal drug used, information about spouses, ex-spouses, affairs, children, every foreigner they have come into close and continuing contact with in the past decade. But the OPM’s computer systems were obsolete and all the data was totally un-encrypted.

The Chinese were probably inside its systems by 2013. It was a treasure trove. Here was the US national security elite: names, addresses, social security numbers, their postings, all financial and personal details. Theoretically, there was enough information to blackmail and turn some of them to work for China. Central Intelligence Agency (CIA) employees were not part of the database. But many CIA staff were posted abroad under diplomatic cover, so one could look for gaps in their career history to figure out whether these people could be American spies working in embassies or seemingly innocuous US agencies in foreign countries.

By the summer of 2014, 21.5 million SF-86 forms were copied from the network. By December, 4.2 million personnel files were with the Chinese. By March 2015, 5.6 million fingerprints had been stolen. This meant that US secret agents were no longer safe even if they were working under changed names. In fact, in the age of Big Data, the Chinese could now compare the OPM files with their own intelligence resources and even Facebook profiles and other digital trails that diplomats and spies left in their wake. And not only serving officers, but even those waiting for their assignments, or undergoing training, were at risk. Dozens of postings to China were cancelled. In late 2015, James Clapper, the then US director of national intelligence, in a rare slip of the tongue, said in a forum: “You have to kind of salute the Chinese for what they did."

Putin Shut Ukraine in 2017

Russian President Vladimir Putin understood the value of cyberwarfare early and well. The US government suspects that there is a lot of Russian malware lurking deep inside vital American infrastructure networks. But it is the former Soviet Republic of Ukraine that Putin has turned into almost a laboratory for his brutal cyberattack techniques. In 2014, Russia annexed Crimea from Ukraine, and then tried to rig the elections in favour of its candidate. When that failed, it backed a separatist insurgency in eastern Ukraine in which thousands have died to date. Meanwhile, Putin ordered repeated cyberattacks on the country.

Putin sees Ukraine as a buffer zone between Russia and the West and wants to keep it under control. His means of control is cyber terror. On 23 December 2015, Russian hackers managed to paralyse the information systems of three Ukrainian power distribution companies. About 225,000 customers were plunged into darkness for several hours.

This was just the beginning. Minor cyberattacks followed on almost a daily basis, but merely at a harassment level. Then, on 27 June 2017, came NotPetya, so named later by security experts because parts of the malware resembled a previous ransomware called Petya.

NotPetya stood on three prongs. The first was M.E.Doc, outdated accounting software that almost all Ukrainian businesses used and that was extremely easy to corrupt. The second was EternalBlue, an exploit for a vulnerability in Windows that gave the malware a way into unpatched machines. Microsoft had released a patch to fix that, but few had installed it. The third was Mimikatz, a tool that demonstrated that Windows left users’ passwords lingering in computers’ memory, from where they could be read out.

So, NotPetya infected computers that were not patched, grabbed passwords to infect patched computers on the network, hijacked M.E.Doc and went wild.
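Why the three prongs together were so much worse than any one of them is easier to see in a toy model. The following is an added example written for this article, not code from the article and not malware: it tracks only host state (patched or not, and which administrator credentials sit in each machine's memory) and computes how far a worm using both the unpatched-host route and the cached-credential route would reach. The hosts, credential names and the "acct-pc" starting machine are constructed.

```python
"""Toy lateral-movement model written for this article (not from the
article, not malware): shows why patching alone did not stop NotPetya.
Hosts, credentials and the 'acct-pc' starting point are constructed."""

# Constructed inventory: host -> (patched against the Windows bug?,
# administrator credentials cached in that host's memory).
HOSTS = {
    "acct-pc":  (False, {"domain-admin"}),  # runs the accounting software
    "hr-pc":    (True,  {"hr-user"}),
    "file-srv": (True,  {"domain-admin"}),
    "ops-pc":   (True,  {"ops-user"}),
    "backup":   (True,  set()),
}
# Constructed: which credential is an administrator on which hosts.
ADMIN_OF = {
    "domain-admin": {"acct-pc", "hr-pc", "file-srv", "ops-pc", "backup"},
    "hr-user":      {"hr-pc"},
    "ops-user":     {"ops-pc"},
}

def spread(hosts, admin_of, initial):
    """Hosts reachable from `initial` (the machine updated by M.E.Doc).
    A host falls if it is unpatched (the EternalBlue prong) or if an
    already-infected host holds a credential that is admin on it (the
    Mimikatz prong). Iterates to a fixed point."""
    infected = {initial}
    creds = set(hosts[initial][1])
    changed = True
    while changed:
        changed = False
        for h, (patched, cached) in hosts.items():
            if h in infected:
                continue
            via_exploit = not patched
            via_cred = any(h in admin_of.get(c, ()) for c in creds)
            if via_exploit or via_cred:
                infected.add(h)
                creds |= cached
                changed = True
    return infected

def patch_all(hosts):
    """Install the Microsoft patch everywhere; leave cached credentials alone."""
    return {h: (True, set(c)) for h, (_, c) in hosts.items()}

def harden(hosts):
    """Patch everywhere AND stop leaving domain-admin credentials in memory."""
    return {h: (True, {c for c in cached if c != "domain-admin"})
            for h, (_, cached) in hosts.items()}

if __name__ == "__main__":
    for name, inv in [("as found", HOSTS), ("patched only", patch_all(HOSTS)),
                      ("patched + credential hygiene", harden(HOSTS))]:
        print(f"{name:30s} infected: {sorted(spread(inv, ADMIN_OF, 'acct-pc'))}")
```

With every host patched but a domain administrator's password still cached on the accounting PC, the model still loses the whole network; only removing that shared credential contains the outbreak to the first machine.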

Across Ukraine, people saw their screens go blank and then a ransom message asking for $300 in Bitcoin, for getting their data unlocked. But this was a ruse. As the stunned computer user was reading the message, NotPetya was wiping out the user’s hard disk—all data, all back-ups, turning his computer into just so much useless metal and plastic.

Hospitals, banks, power companies, airports, ATMs, card payment systems, and almost all government agencies were hit. “The government was dead," Ukrainian minister of infrastructure Volodymyr Omelyan told Wired magazine.

Even the radiation monitoring system at the Chernobyl nuclear power plant went offline. The Ukrainian people were left wondering whether they had enough cash to buy groceries, petrol, medicines, whether they would receive their salaries till the systems were up again.

While the official Ukrainian government estimate is that 10% of all computers in the country were wiped out, the unofficial estimate is 30%. But the carnage did not stop at Ukraine. Many multinational companies which had operations in Ukraine saw their operations paralysed across the world, because NotPetya sped through their systems at lightning speed. It took days, if not weeks, to get things back to normal.

Some of the worst-hit were pharmaceutical company Merck (official estimate: $870 million), delivery company FedEx ($400 million), construction company Saint-Gobain ($384 million), and shipping company Maersk ($300 million). The White House estimated the global financial damages due to NotPetya at a staggering $10 billion.

But there was no strong response from any country to the most destructive cyberattack in history. Putin had tested how much he could get away with, and got a satisfactory answer.

The bar had just been raised.
