Page 1

Cisco Confidential 1 © 2010 Cisco and/or its affiliates. All rights reserved.

Cyber Warfare – The New Battlefront for Defence Forces

Dr Peter Holliday

Chief Defence Architect APAC

Page 2

Welcome

Cyber Warfare

Case Studies

Stuxnet – Ultimate Weapon

Page 3

© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 3

•  Protection of cyber space

•  Protection will include ‘conventional’ concepts:
   - Confidentiality
   - Integrity
   - Availability

•  Exploitation of opportunities in cyber space:
   - Gathering intelligence on threat actors
   - Intervention against adversaries (countermeasures)

Page 4

Colonel Bradley K. Ashley, US Air Force


Page 5

•  It is a subset of Information Warfare (IW), also called Information Operations (IO)

•  An adversary’s objective in IW is to disrupt (availability), corrupt (integrity) or exploit (confidentiality or privacy).

•  Can be directed against Military Forces, Critical Infrastructure, or other national interest (economic) targets

•  Symmetric or Asymmetric

•  Using civilian/military computer expertise and equipment

•  Integrate these units into regular military operations

•  More recently, direct recruitment of Cyber Units:
   - PLA Cyber Warfare Units
   - US Army Cyber Brigade

Page 6

Org chart (as laid out on the slide):

Command (6)

Reconnaissance/Planning
   - Advance Rec (6)
   - Battle mapping/Situational Awareness (12)
   - Detailed Battle Plans (6)
   - Outside Damage Assessment (3)

Operations R&D
   - Vulnerability Research (10)
   - Scripts and Tools (10)

Backdoor Access (10)

Defense suppression (20)

Offensive operations
   - Group 1 (10)
   - Group 2 (10)
   - Group 3 (10)
   - Could be tens of these

Logic Bombs

Page 7

•  Cyber attacks represent a conundrum for legal scholars

•  In War, Cyber attacks are a legitimate

•  In Peacetime, Cyber attacks are considered a criminal act and not an act of war
   - But this is a very grey area….

•  Law of War – Transition from Peace to War: the relevant UN Charter provisions are Articles 2(4), 39 and 51. It is a war crime to go to war unilaterally without UN sanction; the two exceptions are UN Security Council and Self Defence.

•  Non-State Actors: states may apply self-defense law to armed attacks by non-state actors

•  Attribution can be difficult

Inside Cyber Warfare, J Carr, O’Reilly Media - ISBN-13: 978-1-4493-1004-2

Page 8

•  2009 Cyber Attack on ROK

•  166,908 bots scattered across 74 different countries

Page 9

•  Tactics differ according to levels of war: Strategic, Operational and Tactical

•  Destroy Strategic assets (usually Air/Maritime/SF Operations)

•  Destroy lines of communications

•  Destroy key Enemy Positions by indirect or smart weapons

•  Conduct PSYOPS and Diversionary Ops

•  Launch ground operation (Advance, Attack, Withdraw, Pursuit)

•  Hold Key Ground

•  Repeat

Page 10

•  Reconnaissance: probe to discover weak points; understand communications patterns

•  DDoS using non-attributable asymmetric techniques that focus upon information suppression, destruction and alteration

•  IW Campaign – PSYOPS, Disinformation, Diversionary

•  Combine with other Electronic Attack (EA) vectors

•  Infiltrate embedded systems (avionics, radar etc)

•  Command and Control (C2) destroyed using Kinetic weapons

•  Residual C2 destroyed by Special Forces

Page 11

•  Have to pick enough key targets

•  Military and CI (Critical Infrastructure): HQ, Energy, Water, Financial

•  Simultaneous surprise attacks on them

Page 12

•  Could a small band of hackers pull this off? No!

•  Huge amounts of obscurity

•  Great diversity in embedded and SCADA systems
   - Need vulnerabilities in most of them
   - Lots of testing needed
   - No public community working on this to help

•  Great diversity in deployments
   - Which IP range is power station XYZ?

•  Attackers know none of this ab initio
   - Either reconnoitre up front
   - Or find out on the fly

Page 13

•  For each of O(100) operational targets, need:
   - Fairly detailed map of network/organization
     - What assets are where on the network?
     - What software is in use for the most critical purposes? Brand/version
     - Where are the defenders? Where are the key operational execs?
   - To have developed vulnerabilities for all key software systems in use
     - Requires being able to get copies of them (pretend to be a customer)

Page 14

•  Insiders
   - Get spies jobs as (preferably) IT staff
   - Over time, stealthily map network and organization
   - Ideally want several in different areas for 1-2 yrs
   - Gives layer 8 view

•  Cyber-surveillance
   - Remotely compromise some desktops internally
   - Use them to map network at layers 2-7
   - Capture keystrokes etc
   - Must be stealthy and untraceable: no Chinese strings in Trojan; communication path home must be convoluted

Page 15

•  All major teams must deploy quickly from small beachhead

•  Backdoor team (highest priority)
   - Compromises utility systems for other teams to use
   - Installs backdoors, remote dial-ups, etc to get back in later
   - Owns RAS servers, access routers etc
   - Preferably 100s-1000s of systems, so every system in the enterprise must be thoroughly cleaned

•  Defense Suppression Team
   - DOS, disabling, and destruction of systems used by defenders
   - Firewalls, IDS’s, desktops and laptops used by sa

•  Offensive operations groups
   - Cripple actual infrastructure assets (turbines, pumps, etc, etc)
   - Physical damage where possible; disable/corrupt control systems; delete data

•  Logic bomb group
   - Inserts logic bombs in many systems and turns them off

Page 16

•  Attackers: 150-1000 attackers

•  Defenders (today):
   - Security group: 1-10
   - Network group: 10-20
   - End-host sysads: 100s-1000s

•  Attackers have surprise, superior organization

•  Defenders know terrain better; have physical access (sort of)

•  Could your organization survive this kind of assault?

Page 17

•  Reboot the company
   - Disconnect from network
   - Turn everything off
   - Unplug every phone cable
   - Bring things up and clean and fix them one at a time

•  A single Trojan left untouched lets the attacker repeat the performance

•  Likely to take weeks

•  Cannot have confidence that we fixed all the vulnerabilities the attacker knows.

Page 18

•  Discipline, training

•  Hard to get hundreds of people to execute a complex plan
   - Everyone must understand the plan
   - Everyone must be extensively trained on tactics/technology so it’s second nature
   - Must follow plan and replans flawlessly
   - And yet be creative enough to improvise: “Plan never survives contact with the enemy”, “Fog of War”
   - These issues have always been critical in military operations

•  And have to repeat this for O(100) simultaneous operations

Page 19

•  Small teams can do enormous damage
   - Best hope of a small team is O($10b) in worm damage
   - Cannot target anything other than commonly available systems
   - Cannot manage broad testing of attacks
   - Only penetrate <10% of enterprise systems

•  Cannot seriously disrupt the economy
   - Takes a large, sophisticated institution to cause serious economic disruption
   - Only nation states can play at this level

Page 20

•  Attacks in cyberspace can be anonymous
   - True at the micro-scale of an individual technological attack
   - Not true at the macro-scale

•  In a grand strategic context it will be completely clear who is conducting the attack
   - There will be very large amounts of control traffic that will be hard to miss
   - 50,000 Chinese all doing something in the US will get noticed
   - The attacker will generally want to be known

Page 21

•  Cyberspace erases distance
   - Mobility is more like land/sea than air
   - Battlefield is all information/knowledge

•  Expertise on disabling power turbines
   - Takes years to acquire
   - Is not instantly transferable to, say, crippling a bank’s transactional systems

•  Similarly, defenders need deep understanding of the networks they defend
   - First day on a new network, will be pretty useless
   - True for attackers and defenders

Page 22

•  The networks of critical organizations will need to be run as a military defense at all times.
   - Constant alertness
   - Well staffed
   - Regular defensive drills
   - Standing arrangements for reinforcement under attack
   - Extensive technological fortification
   - Excellent personnel and information security

Page 23

•  It can effectively complement other combat operations – it is not a substitute for these

•  Used pre-emptively, it may avoid other combat operations

•  Very cheap compared to other weapons systems etc, therefore more accessible to less wealthy or technically advanced states and non-states

•  Asymmetrical advantages

•  Access to some targets otherwise not accessible

•  Can place own troops in less danger

•  Less collateral damage than use of conventional kinetic operations

But some legal and control considerations

Page 24

What does a stealth bomber cost? $1.5 to $2 billion

What does a stealth fighter cost? $80 to $120 million

What does a cruise missile cost? $1 to $2 million

What does a cyber weapon cost? $0 to $50,000

Page 25

Nuclear Weapons Facility

Cyber Weapons Facility

Where’s the Cyber Weapons Facility?

Page 26

•  Old fashioned

•  Some faked in English papers

•  The Internet dissemination of the Abu Ghraib photos did more to damage the political interests of the U.S. than all of the cyber attacks since the beginning of the Internet age!

Page 27

Sun Tzu – 6th Century BC


Page 28

•  A multi-tiered botnet attacked South Korean computers for 10 days in March 2011

•  When it stopped, the malware destroyed files on the zombie machines, rendering them unbootable.

•  Security experts say the attack was launched from North Korea, and that its level of sophistication -- 40 command and control servers, code updates to thwart detection, multiple encryption schemes -- was far beyond what was needed to run an effective DDoS attack.

•  This was a reconnaissance mission designed to gauge how and how quickly South Korea's government and military contractors would react -- valuable information for a later, truly damaging attack.

Source: http://www.networkworld.com/news/2011/051311-interop-cyberwar-probes.html

Page 29

•  Chinese (sourced) hackers infiltrated Oak Ridge Nuclear Weapons lab in 2007

•  1,100 attempts to steal data with a very sophisticated strategy that involved sending staff a total of seven ‘phishing’ e-mails, all of which at first glance appeared legitimate

•  11 staff opened the emails, which enabled the hackers to infiltrate the system and remove data

•  During 2007 and 2008, 12,986 direct assaults on federal agencies and more than 80,000 attempted attacks on Department of Defense computer network systems were reported

Source: http://www.nytimes.com/2007/12/09/us/nationalspecial3/09hack.html

Page 30

•  Rolls Royce discovered that viruses of Chinese Government origin were uploading vast quantities of industrial secrets to Internet servers in China

•  German Chancellor, Angela Merkel, had three computer networks in her own office penetrated by Chinese intelligence services

•  Cyber-warfare units in the Chinese People’s Liberation Army (PLA) have already penetrated the Pentagon’s Non-classified Internet Protocol Router Network (NIPRNet) and have designed software to disable it in time of conflict or confrontation

•  China has already downloaded 10 to 20 terabytes of data from the NIPRNet – they are looking for user identities

•  Etc…

Source: http://gcn.com/articles/2006/08/17/red-storm-rising.aspx

Page 31

•  Lockheed Martin (LM) is one of the US DoD’s largest contractors: Stealth Fighter, Satellites, WIN-T

•  March 17 2011, the RSA network was breached and algorithms used to generate SecurID passwords were stolen

•  Hackers managed to install a key logger on a machine that had access to the Lockheed network

•  They grabbed passwords and used the compromised RSA algorithms to generate the access codes produced by SecurID two-factor authentication tokens

Page 32

•  A common problem in looking at cyber intrusions (or other attacks) is that of "attribution", or figuring out who really did it.

•  First of all, you may (or may not) be able to trace an attack or an intrusion to a system in a particular country -- some types of traffic (such as UDP traffic) can be trivial to spoof.

•  If you do succeed in tracing an attack back to a particular system, and it happens to hypothetically be in China, it may also have been subject to a cyber intrusion, and may just be acting as a "stepping stone" for a real attacker located somewhere else. There may even be a series or "chain" of stepping stones in use.

•  Let's assume, however, that you do succeed in identifying the location of the system that originated the attack. Just because a system might be physically in Russia, for example, doesn't mean that the Russian government has authorized or initiated the attack that you hypothetically saw from that computer.

•  In fact, you need to be alert to intentional attempts at cyber deception.

Page 33

Page 34

•  Western Countries concerned over unsupervised nuclear programs – particularly Iran

•  Diplomatic attempts at nuclear inspections fail

•  US already fighting 2 conventional wars in Iraq and Afghanistan

•  Conventional conflict with Iran is not an option

•  Cyber Warfare is the only immediate solution

Page 35

• 60% Infections in Iran

• No other commercial gain

• Stuxnet self destruct date

• Siemens-specific PLCs

•  Bushehr Nuclear Plant in Iran

Page 36

•  Workstation – where engineers developed the Step 7 logic programs

•  FPG – the Field programming device for the PLC (stand alone)

•  PLC – Programmable Logic Controller that controls the industrial device

•  ICS – Industrial Control System

Diagram labels: Networked Workstation, Air Gap, FPG, PLC, Centrifuge, ICS

Page 37

•  ICS are operated by specialized assembly-like code on programmable logic controllers (PLCs).

•  The PLCs are typically programmed from Windows computers.

•  The ICS are not connected to the Internet.

•  ICS usually consider availability and ease of maintenance first and security last.

•  ICS consider the “airgap” as sufficient security.

Page 38

Page 39

•  Attacker needed detailed knowledge of the PLC and the ICS schematics (hard to obtain for a nuclear facility)

•  Also would need a complete copy of the system to develop/test/debug the code (again, extremely hard for an individual to obtain)

•  Stuxnet needed to be introduced into the organisation – thought to have been via a flash drive initially.

•  Once infected, Stuxnet used a Windows zero-day and two other exploits to spread in search of Step 7 project files and FPG devices.

•  Used two stolen device certificates from Realtek and JMicron

•  Infection of FPG was typically via removable drive.

•  Once an FPG was infected, Stuxnet would reprogram the PLC – but hid any modifications so that the program looked normal.

Source: http://www.symantec.com/connect/blogs/w32stuxnet-dossier

Page 40

•  Self-replicates through removable drives exploiting a vulnerability allowing auto-execution: Microsoft Windows Shortcut ‘LNK/PIF’ Files Automatic File Execution Vulnerability (BID 41732)

•  Spreads in a LAN through a vulnerability in the Windows Print Spooler: Microsoft Windows Print Spooler Service Remote Code Execution Vulnerability (BID 43073)

•  Spreads through SMB by exploiting the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability (BID 31874)

•  Copies and executes itself on remote computers through network shares

•  Copies and executes itself on remote computers running a WinCC database server

•  Copies itself into Step 7 projects in such a way that it automatically executes when the Step 7 project is loaded

•  Updates itself through a peer-to-peer mechanism within a LAN

•  Exploits a total of four unpatched Microsoft vulnerabilities, two of which are the previously mentioned vulnerabilities for self-replication and the other two are zero-day escalation of privilege vulnerabilities

•  Contacts a command and control server that allows the hacker to download and execute code, including updated versions

•  Contains a Windows rootkit that hides its binaries

•  Attempts to bypass security products

•  Fingerprints a specific industrial control system and modifies code on the Siemens PLCs to potentially sabotage the system

•  Hides modified code on PLCs, essentially a rootkit for PLCs
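As an added example (not from the slides or the Symantec dossier), the Python below models the defensive check that the “rootkit for PLCs” behaviour defeats when it is run only from the engineering workstation: golden hashes of the controller’s logic blocks, taken at commissioning and stored off the workstation, are compared both against what the workstation reports and against an independent read of the controller itself, and a block that looks untouched from the workstation but differs on the device is flagged as a hidden modification. The block names, byte strings and the PlcBlock/verify_program/reconcile_views names are constructed stand-ins, not Siemens data structures or Step 7 APIs.

```python
"""PLC program integrity: compare a golden baseline against two views of the controller.

Constructed model (not Siemens/Step 7 code): the point is that a compromised
engineering workstation can answer "everything matches", so the baseline must be
checked against a read that does not pass through that workstation.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from typing import Dict, Iterable, Mapping


@dataclass(frozen=True)
class PlcBlock:
    """One logic block as read from a controller (constructed model, not a Step 7 type)."""
    name: str
    code: bytes


def digest(code: bytes) -> str:
    return hashlib.sha256(code).hexdigest()


def baseline_from_blocks(blocks: Iterable[PlcBlock]) -> Dict[str, str]:
    """Golden hashes taken at commissioning; keep them off the engineering workstation."""
    return {b.name: digest(b.code) for b in blocks}


def verify_program(baseline: Mapping[str, str], observed: Iterable[PlcBlock]) -> Dict[str, str]:
    """Classify one view of the controller against the baseline: ok / modified / missing / added."""
    seen = {b.name: digest(b.code) for b in observed}
    result: Dict[str, str] = {}
    for name, expected in baseline.items():
        if name not in seen:
            result[name] = "missing"
        elif seen[name] != expected:
            result[name] = "modified"
        else:
            result[name] = "ok"
    for name in seen:
        if name not in baseline:
            result[name] = "added"
    return result


def reconcile_views(baseline: Mapping[str, str], workstation_view: Iterable[PlcBlock],
                    device_view: Iterable[PlcBlock]) -> Dict[str, str]:
    """Cross-check the workstation's picture against an independent read of the controller.

    Where the two views disagree, the disagreement itself is the finding: a block the
    workstation reports as clean but the device shows modified (or a block the workstation
    does not report at all) is code being hidden from the operator.
    """
    ws = verify_program(baseline, workstation_view)
    dev = verify_program(baseline, device_view)
    findings: Dict[str, str] = {}
    for name in set(ws) | set(dev):
        w = ws.get(name, "missing")   # absent from the workstation's block list entirely
        d = dev.get(name, "missing")
        if w == d:
            continue                  # both views agree; nothing is being concealed
        if w == "ok" and d == "modified":
            findings[name] = "hidden_modification"
        elif w == "missing" and d == "added":
            findings[name] = "hidden_addition"
        else:
            findings[name] = f"view_mismatch({w}/{d})"
    return findings


# Constructed sample data: block names are labels only, the bytes are not real PLC code.
COMMISSIONED = [
    PlcBlock("OB1", b"main cycle: read sensors, drive outputs"),
    PlcBlock("OB35", b"cyclic interrupt: drive setpoint A"),
    PlcBlock("FC1", b"function: alarm handling"),
]
BASELINE = baseline_from_blocks(COMMISSIONED)

# What a compromised engineering workstation shows the operator: exactly what was commissioned.
WORKSTATION_VIEW = list(COMMISSIONED)

# What an independent read straight from the controller returns: one block rewritten, one injected.
DEVICE_VIEW = [
    PlcBlock("OB1", b"main cycle: read sensors, drive outputs"),
    PlcBlock("OB35", b"cyclic interrupt: drive setpoint B"),
    PlcBlock("FC1", b"function: alarm handling"),
    PlcBlock("FC900", b"injected: intercept block reads, return commissioned image"),
]


def audit() -> Dict[str, str]:
    """Run the constructed scenario and return the reconciliation findings."""
    return reconcile_views(BASELINE, WORKSTATION_VIEW, DEVICE_VIEW)


if __name__ == "__main__":
    print("workstation view:", verify_program(BASELINE, WORKSTATION_VIEW))
    print("device view:     ", verify_program(BASELINE, DEVICE_VIEW))
    print("findings:        ", audit())
```

Checked only through the workstation, the program reports clean; the same baseline checked against the device read exposes both the rewritten block and the injected one.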

Page 41

Excerpt: W32.Stuxnet Dossier (Symantec Security Response), page 5

Infection Statistics

On July 20, 2010 Symantec set up a system to monitor traffic to the Stuxnet command and control (C&C) servers. This allowed us to observe rates of infection and identify the locations of infected computers, ultimately working with CERT and other organizations to help inform infected parties. The system only identified command and control traffic from computers that were able to connect to the C&C servers. The data sent back to the C&C servers is encrypted and includes data such as the internal and external IP address, computer name, OS version, and if it’s running the Siemens SIMATIC Step 7 industrial control software.

As of September 29, 2010, the data has shown that there are approximately 100,000 infected hosts. The following graph shows the number of unique infected hosts by country:

Figure 1: Infected Hosts

The following graph shows the number of infected organizations by country based on WAN IP addresses:

Figure 2: Infected Organizations (By WAN IP)

Page 42

Excerpt: W32.Stuxnet Dossier (Symantec Security Response), page 7

The concentration of infections in Iran likely indicates that this was the initial target for infections and was where infections were initially seeded. While Stuxnet is a targeted threat, the use of a variety of propagation techniques (which will be discussed later) has meant that Stuxnet has spread beyond the initial target. These additional infections are likely to be “collateral damage”—unintentional side-effects of the promiscuous initial propagation methodology utilized by Stuxnet. While infection rates will likely drop as users patch their computers against the vulnerabilities used for propagation, worms of this nature typically continue to be able to propagate via unsecured and unpatched computers.

By February 2011, we had gathered 3,280 unique samples representing three different variants. As described in the Configuration Data Block section, Stuxnet records a timestamp, along with other system information, within itself each time a new infection occurs. Thus, each sample has a history of every computer that was infected, including the first infection. Using this data, we are able to determine:

- Stuxnet was a targeted attack on five different organizations, based on the recorded computer domain name.
- 12,000 infections can be traced back to these 5 organizations.
- Three organizations were targeted once, one was targeted twice, and another was targeted three times.
- Domain A was targeted twice (Jun 2009 and Apr 2010). The same computer appears to have been infected each time.
- Domain B was targeted three times (Jun 2009, Mar 2010, and May 2010).
- Domain C was targeted once (Jul 2009).
- Domain D was targeted once (Jul 2009).
- Domain E appears to have been targeted once (May 2010), but had three initial infections. (I.e., the same initially infected USB key was inserted into three different computers.)
- 12,000 infections originated from these initial 10 infections.
- 1,800 different domain names were recorded.
- Organizations were targeted in June 2009, July 2009, March 2010, April 2010, and May 2010.
- All targeted organizations have a presence in Iran.
- The shortest span between compile time and initial infection was 12 hours.
- The longest span between compile time and initial infection was 28 days.
- The average span between compile time and initial infection was 19 days.
- The median span between compile time and initial infection was 26 days.

Note any timing information could be incorrect due to time zones or incorrectly set system times.
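As an added example (not part of the dossier or the slides), the Python below reproduces the kind of analysis the excerpt describes from the infection history each sample carries: de-duplicating seed infections across samples that share a lineage, counting separate targeting attempts per domain, tracing every recorded infection back to the organisation where its lineage was seeded, and summarising the compile-time-to-seed spans with the same four statistics. The samples, domain names and the seven-day clustering window for “one attempt” are constructed assumptions.

```python
"""Recover the targeting picture from self-recorded infection histories.

Constructed model of the dossier's description: each sample carries its compile
time and an ordered list of (timestamp, domain, computer) records, the first of
which is the initial (seed) infection. Many samples share a lineage, so the
records must be de-duplicated before anything is counted.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, median
from typing import Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Infection:
    """One self-recorded infection entry (constructed model of the history records)."""
    when: datetime
    domain: str
    computer: str


@dataclass(frozen=True)
class Sample:
    label: str                      # placeholder sample id, not a real hash
    compiled: datetime              # compile timestamp of the binary
    history: Tuple[Infection, ...]  # oldest first: history[0] is the seed infection

    @property
    def seed(self) -> Infection:
        return self.history[0]


def unique_seeds(samples: Iterable[Sample]) -> Dict[str, List[Infection]]:
    """Initial infections per targeted domain, de-duplicated across samples sharing a lineage."""
    seeds: Dict[str, Set[Infection]] = defaultdict(set)
    for s in samples:
        seeds[s.seed.domain].add(s.seed)
    return {d: sorted(v, key=lambda i: i.when) for d, v in seeds.items()}


def targeting_events(seeds: List[Infection], window: timedelta = timedelta(days=7)) -> int:
    """Count separate attempts: seeds closer than `window` are one attempt (assumed heuristic,
    so one removable drive seeding several machines in a day counts once, as for Domain E)."""
    events, last = 0, None
    for seed in seeds:
        if last is None or seed.when - last > window:
            events += 1
        last = seed.when
    return events


def infections_by_seed_domain(samples: Iterable[Sample]) -> Dict[str, int]:
    """Unique infections (seed included) that trace back to each seeding organisation."""
    seen: Dict[str, Set[Infection]] = defaultdict(set)
    for s in samples:
        seen[s.seed.domain].update(s.history)
    return {d: len(v) for d, v in seen.items()}


def compile_to_seed_hours(samples: Iterable[Sample]) -> Dict[str, float]:
    """Span from compile time to each unique seed infection, summarised as the dossier does."""
    spans: Dict[Infection, float] = {}
    for s in samples:
        spans[s.seed] = (s.seed.when - s.compiled).total_seconds() / 3600
    hours = sorted(spans.values())
    return {"shortest": hours[0], "longest": hours[-1], "mean": mean(hours), "median": median(hours)}


def _t(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


# Constructed samples: "domain-a" seeded twice (same computer both times, as the dossier
# reports for Domain A); "domain-e" seeded once but on two computers from the same drive.
SAMPLES = [
    Sample("s1", _t("2009-06-20 00:00"), (
        Infection(_t("2009-06-22 12:00"), "domain-a.example", "ws-01"),
        Infection(_t("2009-06-23 09:00"), "domain-a.example", "ws-07"),
        Infection(_t("2009-07-01 10:00"), "partner.example", "pc-3"))),
    Sample("s2", _t("2009-06-20 00:00"), (
        Infection(_t("2009-06-22 12:00"), "domain-a.example", "ws-01"),
        Infection(_t("2009-06-23 09:00"), "domain-a.example", "ws-07"),
        Infection(_t("2009-06-25 08:00"), "domain-a.example", "ws-09"))),
    Sample("s3", _t("2010-03-01 00:00"), (
        Infection(_t("2010-03-15 00:00"), "domain-a.example", "ws-01"),
        Infection(_t("2010-03-16 11:00"), "domain-a.example", "lab-2"))),
    Sample("s4", _t("2010-05-01 00:00"), (
        Infection(_t("2010-05-01 12:00"), "domain-e.example", "eng-1"),
        Infection(_t("2010-05-02 07:00"), "domain-e.example", "eng-9"))),
    Sample("s5", _t("2010-05-01 00:00"), (
        Infection(_t("2010-05-01 18:00"), "domain-e.example", "eng-2"),)),
]


def report(samples: List[Sample] = SAMPLES) -> Dict[str, object]:
    """The dossier-style summary for a set of samples."""
    seeds = unique_seeds(samples)
    return {
        "targeted_domains": len(seeds),
        "attempts": {d: targeting_events(v) for d, v in seeds.items()},
        "seed_infections": {d: len(v) for d, v in seeds.items()},
        "infections": infections_by_seed_domain(samples),
        "domains_recorded": len({i.domain for s in samples for i in s.history}),
        "compile_to_seed_hours": compile_to_seed_hours(samples),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```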

Figure 5: Rate of Stuxnet infection of new IPs by Country (slide annotation: Iran blocked all C&C traffic on 22 Aug)

Page 43

Page 44

•  Stuxnet is a significant milestone in malicious code history
   - It is the first to exploit multiple 0-day vulnerabilities
   - Used two (compromised) digital certificates
   - Injected code into industrial control systems
   - Hid the code from the operator

•  Stuxnet is of great complexity, requiring significant resources to develop

•  Stuxnet has highlighted that direct attacks on critical infrastructure are possible.

Page 45

•  The Good
   - Total development costs << conventional war
   - Outcomes much more focused – no loss of life

•  The Bad
   - Collateral damage to other nations
   - Introduced new set of hacker tools into the wild (Duqu)
   - Victim will now revisit security requirements

Page 46

•  Nicolas Falliere, Liam O Murchu, and Eric Chien, “W32.Stuxnet Dossier”, February 2011, Symantec.com

•  Ralph Langner, “Cracking Stuxnet, a 21st-century cyber weapon”, http://www.ted.com/, Mar 31, 2011

•  Eric Byres, Andrew Ginter and Joel Langill, “Stuxnet Report: A System Attack”, a five-part series, www.isssource.com/stuxnet-report-a-system-attack/, March 2011

Page 47

Page 48

Thank you.