In a cyberwar

Blog

October 30, 2016

WARFARE EVOLUTION BLOG: This is another broad, sticky, and complex topic, much like the previous article on cryptology. So, let?s get started by offering some definitions.

A cyberwar is when computers in one country’s critical infrastructure are attacked by computers (and specific software) on the Internet, or through movable memory devices, controlled by another country’s intelligence groups, military services, or government sponsored hackers. The attackers typically use proxy (hijacked) computers, unknowing mercenaries, to carry out the attack so the malfeasance cannot be tracked directly back to the initiator.

This suggests there are basically two ways of looking at cyberwar: outgoing attacks and incoming attacks. Therefore, the attackers must have offensive cyberweapons (like stealth bombers flying into enemy territory to bomb targets). The targets must protect themselves with defensive cyberweapons (like air defense missiles, to shoot down the bombers).

To read more Warfare Evolution Blogs by Ray Alderman, click here.

Let’s look at outgoing attacks first. Pieces of malware (malicious software) are installed on the targeted computers by worms, viruses, trojan horses, bots, back doors, or spyware. This malware can be tasked with destroying data, altering data, stealing data, taking control of other computers, shutting down critical systems controlled by the infected computers, or destroying physical equipment.

Outgoing attacks

-In the early 1980s, Col. Vladimir Vetrov of the Russian KGB was trying to surreptitiously acquire sophisticated SCADA software (Supervisory Control And Data Acquisition) from the west, that could control the valves, pumps, and compressors on the Trans-Siberian gas pipeline. He tried to get it from a Canadian company first, to no avail, and then contacted a French spy. That spy told the U.S. Central Intelligence Agency (CIA) about Vlad's inquiry, and the game was on. CIA agents modified the desired SCADA software to run perfectly for some period of time, and then reset the pump speeds, valve settings, and compressor levels. Those settings would create overpressure conditions that would cause the pipeline to explode. The software, with this trojan horse embedded, was delivered to Col. Vetrov by the French spy, it was installed on the pipeline controllers, and everything was running perfectly as expected.

In late October 1982, the malicious code took over and the Trans-Siberia pipeline exploded with an estimated force of about 3 kilotons of TNT. The flash and fire were detected by U.S. satellites in space. Luckily, no people were killed. This event is disputed by several sources and denied by the Russians, but you can read about it in Air Force Secretary Thomas Reed’s book, "At The Abyss."

-In 2010, Iranian scientists were running nearly 5,000 centrifuges, furiously enriching uranium for their nuclear program. The U.S. and Israel were both concerned about the threat of a nuclear-armed Iran. But they couldn’t justify flying in and bombing them like the Israelis did to the Iraqi reactor on 7 June 1981 (Operation Opera) or the Syrian reactor on 6 September 2007 (Operation Orchard), since the Iranians are backed by the Russians. They found a better way: STUXNET.

STUXNET is a worm that was written to spread among Windows-based computers on the Internet. But the trojan horse inside the worm was specifically targeted at the Siemens SCADA control systems, that ran the uranium centrifuges. The assumption was that the worm would eventually spread to the computer of some engineer working in the Iranian nuclear complex, who connected his computer to the Internet at home in his off time. He would later take his computer to work, or move some of his work to a memory stick, plug it into the local network controlling the centrifuges, and the trojan horse would be delivered. That’s exactly what happened.

Sometime in the fall of 2010, the STUXNET software spun the Iranian centrifuges up to dangerous speeds, and about 1,000 of them suffered an RUD (a "Rapid Unscheduled Disassembly", a term coined by aerospace engineers for explosions or plane crashes). Both Israel and the CIA denied they had anything to do with STUXNET, or with “Operation Olympic Games”, the name of the intelligence program. In mid October 2016, General “Hoss” Cartwright pled guilty to a charge of disclosing classified information, that the U.S. and Israel had created and spread the STUXNET virus to the Iranian nuclear facilities.

-Some intelligence books talk a little about USB sticks loaded with malware, trojans, and worms, being dropped on streets and in marketplaces in cities in the Middle East. Kids will pick them up and sell them to street vendors, who then sell them to regular people and terrorists. When those memory sticks are plugged into computers or cellphones, the malicious software goes to work. Files, contact lists, and documents on that computer or phone will be downloaded over the network to U.S. and allied intelligence computers. Our enemies are doing the same thing to us, salting the shopping center and restaurant parking lots around the CIA, National Security Agency (NSA) NSA, Pentagon, and military contractor buildings. When people find a USB stick on the ground, they just can’t resist the urge to plug it in to their computer and see what’s on it. If you see one on the ground, in a parking lot anywhere, stomp on it and crush it.

Obviously, in both the Pipeline trojan and the STUXNET trojan examples, these are cyberweapons. There are probably hundreds of these weapons being designed and deployed, whose objective is to shut-down power plants, water supplies, telecommunications systems, and military systems during a war. The Russians did it to the Georgian government servers and communication systems in August of 2008. The Iranians shut-down the power grid in half of Turkey in April 2015, to protest Turkey’s support of Saudi Arabia in the Yemen war.

Incoming attacks

Incoming cyber attacks are even more interesting, mostly because you don’t know you are being attacked until it is too late. In June 2015, NSA announced that the Chinese military hacked-in and downloaded about 20 terabytes of data from DoD servers. They got the employment files of over four million present and retired government workers. In January 2015, Edward Snowden disclosed that the Chinese had stolen 50 terabytes of data from U.S. defense and government network servers, including the blueprints for the F-35 fighter jet and the details about its advanced radar modules. He also disclosed that the NSA had tapped into foreign intelligence group’s servers and stolen their data. So, the game is being played both ways.

NSA estimated that the Chinese military had conducted over 30,000 cyberattacks at that time, against U.S. military-related servers, and about 500 of them were successful (i.e., they got into the DoD systems and stole sensitive information). How did the specifications for the avionics and protective armor on the president’s helicopter get to the Iranian military? How did Wikileaks get classified diplomatic cable messages? How did the Chinese get the engineering details of the quiet electric drives used on our nuclear submarines? How did the Chinese get the details of the advanced radar systems used on our AEGIS cruisers?

Aside from pure cyber activities, spies are still using old tried-and-true methods to gather intelligence information. The French have bugged the first class seats of their Air France airplanes, to record the conversations of U.S. executives flying in and out. Russian trade and agriculture delegations come to the U.S. regularly: many of them are actually intelligence officers. They sprayed their shoe soles with adhesive before a tour of a Boeing production plant, to pick-up metal shavings to take home and analyze. Chinese-American workers at defense contractors have stolen classified information on naval platforms and weapons, sending it to China. But human-based intelligence collection is dangerous and slow. Obviously, our intelligence people discovered what was going on in the examples above.

The countries trying to hack into our military networks include the usual suspects: Russia, China, Iran, and North Korea. The list also includes Israel and France. How do they get into our protected systems? For a while, they used the buffer overflow vulnerabilities in Microsoft operating system (OS) code. Port 135 and 3460 are favorite examples. I don’t have the space here to explain it, but it’s very simple and documented in articles on the web. This technique has been fixed with patches in the code, so they say. Another method is to bombard a computer with millions of possible passwords, to gain access. Many people are lazy about creating their passwords. QWERTY, PASSWORD, ZXCVB, ASDFG are all examples of lazy passwords that are easy to break by brute-force methods. And, there’s the ever-popular attached file or bogus website link in your email that can get you hacked if you click on them. The ultimate cyber defense is to dynamically detect attacks as they happen and thwart them before they can gain entry into the system.

There are many more examples of how our enemies are getting into our computers, both military and commercial systems, and stealing our sensitive information. And we have not even touched on the many instances of credit card and banking information theft for profit by Russian and Chinese hackers. If you want to dig deeper into this subject, read Joel Brenner’s book, “America The Vulnerable”. Then read Mark Bowden’s book, “Worm”. You won’t sleep for a week.

So, what are the U.S. authorities doing about this situation? As you can see, the CIA and NSA have created cyberweapons, to attack our enemy’s critical systems. But, the NSA Cyber Command server run by their internal “Equation Group” got hacked in August by Shadow Brokers, and those hackers supposedly stole a lot of NSA’s malware weapons and put them up for sale. The Cyber Command was created inside the NSA in 2009. President Obama is considering making it independent of NSA, on an equal footing with the Army, Navy, and Air Force. Cyber Command will have advanced cyberweapons, and should be treated like the other services that have weapons, as the thinking goes. Right now, they report to the NSA. If they are made independent, they will report to the Pentagon. As you can probably surmise from all this, our newer cyberweapons will have the capability to do as much damage to our enemies as our conventional and nuclear weapons. The big question here is….when does a cyber attack constitute an act of war? So far, none of the documented attacks have instigated a shooting war.

As far as cyberdefenses are concerned, it’s all over the map. The Army, Navy, Marines, Air Force, NSA, and CIA all have cyber defense groups, focused on military systems. The Department of Homeland Security (DHS) and Department of Commerce (DoC) both have cyber groups, but what they are supposed to protect is fuzzy. The FBI has a cyber group, to investigate the criminal aspects of attacks. There are many private companies that sell security software and services for commercial systems and networks. In early September, Obama appointed retired Brigadier General Gregory Touhill as the first federal cyber security chief, to protect administrative government systems from attacks. That could roll the DHS and DoC cyber groups under his authority. I have tried to draw a diagram of how all these organizations will be connected together, who reports to who, and how information will flow between them. It cannot be done on a two-dimensional sheet of paper. Based on my many attempts at this illustration, I believe it will take at least ten spatial dimensions to show how these organizations are connected. It’s the same situation that exists for the sixteen intelligence groups in the U.S. Now, try integrating all these cyber groups into the intelligence community: it probably takes at least 26 spatial dimensions to connect them.

Want to see the cyber attacks going on around the world, as they are happening in real time? Go to http://map.norsecorp.com/#/ and watch it for 10 minutes. You’ll see thousands of attacks, with the IP address and geolocation of where the attack is coming from. You’ll also see the targeted server and its geolocation. And, you will see the attack type and the port number they are using to hack into that system. There are several more websites that track attacks in real time, but this one has more data. That should keep you busy for a while, so I can research and write my next article: A war in space.