Carl Philipp Gottfried von Clausewitz, the Prussian general who also was a theoretical thinker, wrote, “War is a mere continuation of politics by other means.” What exactly he meant by this is the subject of serious debate. Today, however, we are seeing another “continuation of politics by other means”, as cyber attacks are moving from data gathering and financial fraud and theft by criminals to attacks on physical systems, including elements of national infrastructures by nation states or organisations closely linked to nation states – in short, cyberwarfare.
I was forcibly made aware of this at a recent conference – System Safety and Cyber Security – organised by the IET – the British version, in some ways, of IEEE. I’d originally signed up for the system safety sessions, but drifted – fascinated – into the cyber sessions, driven in part by a keynote session on national cyber security strategy. Martyn Thomas, whose credentials would fill several pages and include stints in official capacities, was pessimistic about the future. He felt that, despite the British National Security Council declaring cybersecurity as a Tier One risk, there is no national strategy, and, instead, it is being treated like food poisoning – where the approach is better hygiene and treating outbreaks – accepting the problem as a part of living in a cyber world. Among the contributory factors, in his view, are: general acceptance of poor quality software (where there is typically one error in every 30 lines of code); providing users with tools that encourage certain actions and then telling them not to use those features (embedded URLs and attachments in email, for example), and insecure IoT products. The recent Distributed Denial of Service (DDoS, which brings a website down by swamping it with multiple requests) attack on the website of security journalist Brian Krebs, one of the largest ever seen, which brought down a major web hosting service, used messages sent from Internet-connected security cameras and DVD players. These had been identified and hijacked by a malware product called Mirai, which scanned the Internet looking for IoT products protected by factory default usernames and passwords. When one was found, it was infected with software that turned it into a “bot” that regularly checked with a control server. When Krebs exposed some bad guys, they turned on their “botnet” to overwhelm Krebs’s site with messages. At peak, it is estimated that the site was being hit with 620 Gbps. The code for Mirai is now publicly available. 
(This seems to me to be the perfect counter argument for people who ask, “Why should I be bothered if someone hacks my DVD player?”) Thomas, in using this as an example of the weakness of security, said that manufacturers who send out devices with default usernames should be fined, and that the insecure IoT posed an existential threat to the Internet as a whole.
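The Mirai bots described above "regularly checked with a control server", and that cadence is what a defender can look for. The following is an added example, not code from the article or any product: it reads a constructed firewall log and flags external hosts that several internal devices contact at a steady interval. Host addresses, the port and the log format are all assumptions.

```python
"""Detect Mirai-style bot check-ins in outbound connection logs.
Added example, not from the article: several devices beaconing to one
external host at a steady interval is the defender's signal. Constructed data."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed firewall log: "<timestamp> <src_ip> -> <dst_ip>:<port>"
SAMPLE_LOG = """\
2016-09-20T10:00:00 192.168.1.20 -> 203.0.113.5:5555
2016-09-20T10:00:30 192.168.1.20 -> 203.0.113.5:5555
2016-09-20T10:01:00 192.168.1.20 -> 203.0.113.5:5555
2016-09-20T10:01:30 192.168.1.20 -> 203.0.113.5:5555
2016-09-20T10:00:05 192.168.1.21 -> 203.0.113.5:5555
2016-09-20T10:00:35 192.168.1.21 -> 203.0.113.5:5555
2016-09-20T10:01:05 192.168.1.21 -> 203.0.113.5:5555
2016-09-20T10:00:12 192.168.1.50 -> 198.51.100.9:443
2016-09-20T10:03:41 192.168.1.50 -> 198.51.100.9:443
2016-09-20T10:11:02 192.168.1.50 -> 198.51.100.9:443
2016-09-20T10:05:00 192.168.1.50 -> 203.0.113.5:5555
"""

def parse_log(text):
    """Return (timestamp, src, dst) tuples; dst keeps its port."""
    events = []
    for line in text.splitlines():
        ts, src, _, dst = line.split()
        events.append((datetime.fromisoformat(ts), src, dst))
    return events

def find_beacons(events, min_hits=3, max_jitter=0.2):
    """Map dst -> sorted internal hosts that contact it on a fixed cadence.
    A (src, dst) pair beacons when it has >= min_hits connections and the
    spread (population stdev) of the gaps is <= max_jitter * mean gap."""
    by_pair = defaultdict(list)
    for ts, src, dst in events:
        by_pair[(src, dst)].append(ts)
    beacons = defaultdict(list)
    for (src, dst), stamps in sorted(by_pair.items()):
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if mean(gaps) > 0 and pstdev(gaps) <= max_jitter * mean(gaps):
            beacons[dst].append(src)
    return dict(beacons)

def suspected_control_servers(events, min_clients=2):
    """External hosts that several devices beacon to: likely a controller."""
    return {dst: srcs for dst, srcs in find_beacons(events).items()
            if len(srcs) >= min_clients}

if __name__ == "__main__":
    for dst, bots in suspected_control_servers(parse_log(SAMPLE_LOG)).items():
        print(f"{dst} is contacted on a fixed cadence by {len(bots)} hosts: {bots}")
```

The thresholds are deliberately loose; in practice the check runs over hours of flow data, and the human browsing session to 198.51.100.9 shows why irregular traffic must not trip the rule.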
In contrast, the second keynoter, Ian Levy, was much more positive and upbeat. Levy is the Technical Director of the UK’s recently established National Cyber Security Centre (NCSC). This brings together a number of units, such as the Computer Emergency Response Team UK, that were previously spread across different government departments, and it is a part of GCHQ – the UK’s version of America’s NSA. Its role is to “act as a bridge between industry and government, providing a unified source of advice and support on cyber security, including the management of cyber security incidents.” He disagreed with Thomas by saying that there is a national strategy – just that it wasn’t yet published. (Apparently it was due for publication in June but had to be held over until the dust settled after the vote for Brexit.) He confirmed a frequent argument of Thomas’s – that software, unlike real engineering, never learns from its mistakes – by demonstrating that buffer overflow – a favourite way of causing damage to a program or system – was first identified as a problem as far back as October 1972. And it is still not fixed. Buffer overflows are a regular and frequent problem. In addition to talking about the work of the NCSC (see more at www.NCSC.gov.uk ), he highlighted some of the common ways that organisations provide an open door for cyber attacks. Some of these will be discussed again later, but they include using administrator accounts for email and web browsing, connecting together different networks – particularly older networks – and providing users with bad advice, such as telling them to change passwords regularly.
Every paper in the two sessions was worthy of detailed reporting, but I will attempt to synthesise the two days.
Firstly – who are the cyber attackers? There was a general agreement that there is a hierarchy and that the scene is fluid. Some actors appear and then disappear; the motives for action can vary from destruction or damage to information gathering, which often includes stealing industrial secrets.
State Entities: there is agreement in the cyber community that national governments, despite protestations to the contrary, are active in cyber attacks. The Stuxnet attack on Iran’s nuclear processing plant is generally agreed to have been a joint exercise by the American and Israeli governments. Russia is almost certainly behind massive cyber attacks in the Ukraine and the Baltic states. State entities have huge resources, of both time and expertise, and their cyber teams will have access to state-gathered intelligence, the academic community, and other partners. Apart from open warfare, like Stuxnet, it is hard to attribute, and if the work is for information gathering – replacing traditional spying – it may leave no trace in the target systems.
Semi-state entities: these are organisations often found in the developing world that are working for the state, usually with access to state resources and support but not acknowledged officially. They carry out similar activities to the state entities, but they may, for example, be engaged in commercial activities.
State-tolerated or -permitted entities: these often carry out activities where the state needs complete deniability. However, they enjoy informal state support and may even exchange personnel. As with the semi-state entities, they frequently have high levels of competence.
Issue-based entities: varying from environmental and similar organisations all the way up to Daesh. (Daesh appears to be the preferred name in the intelligence communities for ISIL – ISIS – Islamic State.) There is an enormous variation in objectives, competence, and even levels of rationality. Some of these, like Wikileaks, merely publish material that is embarrassing or controversial; others deface web sites as propaganda, but some are more destructive.
Criminal entities: again with a wide variety of competence, but they are becoming increasingly sophisticated, and, to quote one speaker, “They are running rings around the state.” The successful ones have massive resources. There is geographically widespread co-operation between them. Some provide contract services to other groups and draw on academic and commercial resources. They have moved the centuries-old crimes of ransom and extortion into the cyber arena, holding entire organisations’ networks captive until a ransom is paid, or merely using the cyber equivalent of the criminal’s threat: “Nice little web site you have here – shame if something nasty happened to it.”
Enthusiasts, hobbyists and nut-jobs: these are the stereotype hackers with a wide range of skill and motives. While some of them are acting innocently, they have penetrated systems that should be very secure. A speaker said that they were playing big-boy games and had to accept big-boy rules, and that the penetrated organisations had suffered a sense of humour loss and were reacting severely. Typical of these is Lauri Love, an electronic engineering student who has Asperger’s syndrome. The US is seeking his extradition from Britain to face charges of data theft from NASA, the Federal Reserve, the Department of Defence, and the FBI, with a possible 99-year sentence.
Before we move to what these entities are doing – where are they getting their tools? Easily – they go onto the Internet and buy them. The sites are in what is called the Dark Net – or, more correctly, that huge area of the web that has blocked indexing by Google. On these sites, it is possible to buy malware, using PayPal or credit cards as well as Bitcoin, or to rent a DDoS – you specify the target and pay a rate based on the time you want the target attacked. And the sums involved are not great – in the hundreds of dollars rather than the thousands.
A fairly standard approach has been developed to effect a cyber-attack, often called an Advanced Persistent Threat (APT), which uses social engineering and then technology. Before the attack begins, the actor researches the target organisation, using its web site and social media to identify individuals, often to assess possible administrators. The next phase is spear phishing – sending the identified individuals emails that appear to come from others in the organisation or some other trusted source – that contain links to a web site or an attachment. The web site may be legitimate, but it would have been previously targeted so that when contacted it can download malware, while the attachment can appear to be a boring Word document but has embedded macros that carry out activities in the target computer. Word no longer executes macros by default, so the message encourages the reader to run the macro “for an enhanced reading experience”. If the spear has hit someone using an administrator account to access the web or to read emails, the attackers have struck gold. They infiltrate the network and place malware in strategic places, together with multiple gateways for them to regain access, then go away and do nothing for several weeks. They return cautiously to see if they have been detected – if not, then they move from reconnaissance to action. This will depend on what they want to do, which could be anything from detailed information gathering – for example, downloading email archives – to active destruction of infrastructure.
According to Oleh Starodubov, Digital Forensic Investigator, Department of Information Security of the Security Service of Ukraine, who spoke over a Skype link from the Ukraine, this approach is part of a continuing and increasing campaign against the Ukrainian infrastructure. The number of identified attacks rose from 79 in 2012/13 to 239 in 2014/15, and more are likely still to be found. These all seem to have been initiated during office hours in the UTC+3 time zone – which includes Moscow. Targets have ranged from diplomatic missions to the Ukraine to power supply systems. There have been several attacks on power supplies, blacking out areas for several days at a time, with malware disrupting the internal phone system and the network control interfaces before breaking electrical connectivity. Operators could only helplessly watch lights going out all round them, with no way of communicating with each other. A big factor in delaying the restoration of power was that the entire control software had to be re-installed at multiple locations before it was possible to reconfigure the electrical supply network. If the SCADA (Supervisory Control And Data Acquisition) network had not been connected to other networks in the power companies, this attack would have been much more difficult.
Present in the room during the Ukrainian presentation was Andrey Nikishin, the Special Projects Director & Head of Future Technologies for the Russia-based Kaspersky Lab. He spoke later and gave some examples of threats that they have found. He identified humans as possibly the weakest link in a target company. In one instance, for example, a nuclear power station computer was infected by an operator user inserting a USB memory stick in a control computer. He also pointed out that espionage has changed by quoting from the latest James Bond film, where Q is no longer a “mad-professor” gadget pusher but, instead, a young spotty-faced geek who says, “I’ll hazard I can do more damage on my laptop sitting in my pyjamas before my first cup of Earl Grey than you can do in a year in the field.” In another nuclear plant, someone with sysadmin authority wanted to watch video, so uploaded onto a control PC a media player that came with malware. The infected computer held 42,000 documents, including emails – which may have been transmitted to a third party, but no one knows whether they have or where they might have gone.
References to Daesh made regular appearances as a major topic at the conference. The Islamic group is well funded, mainly from selling oil, which generates income estimated at between $20 million a month and $1.5 million a day. Some of these funds are being used to hire specialist skills from Arabic-speaking countries, including computer skills. The public view of Daesh’s cyber activities has been limited to DDoS and other attacks on web sites, which, as we discussed, can simply be bought. More concerning are views that it may also be undertaking APTs. Press rumours that Daesh is planning to steal nuclear materials to make dirty bombs make great headlines, but why should it bother with that if it is possible to take control of an entire power station remotely? Daesh could then threaten to blow it up unless certain conditions are granted, simply cut it off from the electrical power supply, or, in what one has to consider the worst case, blow it up without any warning.
This was briefly covered in a presentation on the way in which systems are being developed for Hinkley Point C, a new nuclear power station for the UK. The plant is being designed and run by the French state-owned company Électricité de France (EDF) and is being financed by EDF and two Chinese state-owned companies. There is a distinction between physical security – which has always been important – and cyber security, but there is also the tension between the requirements of safety and those of security. The speaker expressed confidence that everything was under control, but there were mutterings – at least in my area of the audience.
There were many suggestions on how to protect against cyber attacks, but one of the significant problems is that decisions have already been made that don’t just compromise security, but blow vast holes in it. The starting point is people. There are countless reports of even aware people falling for fake email phishing and spear phishing attacks. People with admin powers to reconfigure and adapt systems and networks shouldn’t use the same account for mail and web, but they do. Organisations are fallible. They make decisions to connect systems for different activities together, often for very good operational reasons, only to create a happy hunting ground for the cyber criminal. Obviously, connecting the SCADA network to a business network makes sense by providing management with timely reports, but it then opens SCADA to malware from people’s personal activities. Similarly, connecting the security camera network can be seen to have some advantages – but has every camera in the network had its password reset before going live? The list is endless. When did you last back-up your personal devices? And is your wifi router running the latest version of firmware, and have you changed its passwords from the default settings?
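Two of the open doors named above (and in the APT chain described earlier) leave traces in ordinary process-start telemetry: an administrator account running a mail client or browser, and a Word process spawning a child once a macro has been enabled. The following is an added example, not code from the article or the NCSC; the account names, image names and CSV record format are assumptions, and treating a child process as the visible trace of a macro "carrying out activities" is an assumption too.

```python
"""Flag two 'open doors' from the article in process-start telemetry.
Added example, not from the article or the NCSC: (1) an administrator
account running a mail client or browser, and (2) a Word process spawning
a child, assumed here as the visible trace of a macro that 'carries out
activities'. Accounts, image names and the CSV format are all assumptions."""
import csv
from io import StringIO

ADMIN_ACCOUNTS = {"corp\\jsmith-adm", "corp\\svc_backup"}      # constructed
MAIL_AND_WEB = {"outlook.exe", "chrome.exe", "firefox.exe", "iexplore.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}

# Constructed process-start records: pid, parent pid, account, image, cmdline
SAMPLE_EVENTS = """\
pid,ppid,user,image,cmdline
100,1,corp\\jsmith,outlook.exe,outlook.exe
101,100,corp\\jsmith,winword.exe,winword.exe /n quarterly_report.docm
102,101,corp\\jsmith,cmd.exe,cmd.exe /c update.bat
200,1,corp\\jsmith-adm,chrome.exe,chrome.exe https://intranet.example
201,1,corp\\jsmith-adm,mmc.exe,mmc.exe dsa.msc
300,1,corp\\akhan,winword.exe,winword.exe minutes.docx
"""

def parse_events(text):
    """Parse the CSV into dicts with integer pids and lower-cased images."""
    rows = list(csv.DictReader(StringIO(text)))
    for r in rows:
        r["pid"], r["ppid"] = int(r["pid"]), int(r["ppid"])
        r["image"] = r["image"].lower()
    return rows

def admin_used_for_mail_or_web(events):
    """Rule 1: an admin account used for email or browsing (Levy's warning)."""
    return [(e["user"], e["image"]) for e in events
            if e["user"].lower() in ADMIN_ACCOUNTS and e["image"] in MAIL_AND_WEB]

def office_spawned_child(events):
    """Rule 2: a process whose parent is an Office app, e.g. via an enabled macro."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        if parent and parent["image"] in OFFICE_APPS:
            hits.append((parent["image"], e["image"], e["user"], e["cmdline"]))
    return hits

if __name__ == "__main__":
    ev = parse_events(SAMPLE_EVENTS)
    for user, image in admin_used_for_mail_or_web(ev):
        print(f"ALERT admin account {user} used {image}")
    for parent, child, user, cmd in office_spawned_child(ev):
        print(f"ALERT {parent} spawned {child} as {user}: {cmd}")
```

Rule 2 will also fire on legitimate add-ins, so the command line is kept in the alert for an analyst to judge; Word opening a document on its own (the last record) is correctly left alone.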
While writing this, either I have become more aware of the issues, or things are getting worse.
The Democratic National Committee in the US has been hacked. (And other, linked, organisations and individuals as well.) But who did it? And why?
It has been suggested that the Mirai malware and its variants, described by cryptographic expert Bruce Schneier as simple and childish, are now resident in half a million devices after the code was published. And there is no way to clean the devices.
After an Austrian supplier to the aerospace industry lost $59 million to a “fake president” attack, where an employee was fooled into transferring funds to a fake bank account, the aerospace companies are looking again at the security of their systems, where suppliers are closely linked to manufacturers’ IT systems to share information.
Irritating TV commercials are appearing on British TV for Hive, a British competitor to Google’s NEST: “The clever way to control your heating and hot water from your phone.” Having browsed the website, I am still unsure how secure the Hive hub – the link between the controls, the heating system, any other devices and your broadband router – is.
At the end of the two days’ conference, many of the people I spoke to, who have in-depth experience in system safety and related issues, were distinctly downbeat. The aggressors in cybersecurity, including the ones who target western governments, are always going to have the advantage. They will choose the ground on which to attack, and they will be investing heavily in the next generation of tools. The vast IoT will continue to grow with unprotected edge devices, offering ever more devices to add to a botnet.
We just have to hope that the whack-a-mole approach to cybersecurity doesn’t leave us too far behind.
While writing the final draft of this article on October 21 I became aware that there were significant delays in the Internet. It has emerged that there was a significant DDoS attack on Dyn, a company that is used for routing a lot of Internet traffic, using the Mirai malware discussed earlier. Since for much of the media this was a new phenomenon, there have been acres of discussion by “experts” on how this could have happened, with shadowy groups of criminals being blamed for building a botnet just for this exploit. Nowhere have I seen something that I find much more disturbing: the attack could have been carried out by a single disgruntled person renting DDoS from the half a million IoT devices where Mirai is resident, for a few hundred dollars.