By Richard Stiennon, Chief Research Analyst, IT-Harvest

Dec 15 2009 - A recent spate of news reports and scholarly publications has discussed the policy aspects of cyber war: offensive versus defensive, military buildup, and appropriate reactions.

There have been no reports dealing with the technology of engaging in cyber war.


This excerpt from my chapter The Four Pillars of Cyber War, which will appear in the soon-to-be-published Surviving Cyber War (Government Institutes, 2010), may serve as a basis for considering the weaponization of digital technologies for engaging in cyber war:

Every new form of war drives changes in technology. Conversely, technology changes the methods and outcomes of war. Effective cyber war is driven by the cyber equivalent of an arms race: the attacker discovers and devises new attack methodologies while the defender shores up his defenses by blocking ports, patching systems and deploying protective technology. There are eleven areas of development in offensive technology to be brought to bear on the problems of cyber war.

1. Vulnerability discovery and exploitation. Every application on every server has what are called attack surfaces. These are program inputs and outputs that may be vulnerable to exploitation.

The exploit could take advantage of a bug in the code that exposes its internal workings and accepts arbitrary commands that are passed through to the operating system, which in turn could give the attacker complete control of the target computer.

The input vectors could come from network ports the application is listening on or user input from a web form or communication with another application.

The attacker studies each application by looking at source code if it is available (as it is in all open source programs such as Firefox, Apache or Joomla) or assembly code which they access through a process called reverse engineering.

An attacker can also pummel the application with randomly "fuzzed" input and watch for responses (crashes, hangs, unexpected error messages) that indicate a previously undiscovered vulnerability has been exposed.
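The fuzzing technique described above, as an added example that is not part of the original chapter: a deliberately buggy type-length-value parser (a constructed toy, not any real product) is mutated with bit flips, inserted bytes, truncation and duplication, and every result other than the parser's own rejection error is treated as a finding. The hardened version with the missing bounds check is fuzzed alongside it to show that the same campaign then turns up nothing.

```python
"""Mutation fuzzer against a deliberately buggy TLV parser (constructed example)."""
import random


class ParseError(Exception):
    """Rejection of malformed input: the parser's intended failure mode."""


def parse_tlv_vulnerable(data: bytes) -> bytes:
    """Unpack type-length-value records into a fixed 8-byte output buffer.

    BUG (intentional): the declared length is checked against the remaining
    input, but the copy into `out` is never checked against its capacity.
    """
    out = bytearray(8)
    pos = written = 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ParseError("truncated header")
        length = data[pos + 1]            # data[pos] is the record type (unused here)
        value = data[pos + 2:pos + 2 + length]
        if len(value) != length:
            raise ParseError("truncated value")
        for byte in value:
            out[written] = byte           # IndexError once written reaches 8
            written += 1
        pos += 2 + length
    return bytes(out[:written])


def parse_tlv_hardened(data: bytes) -> bytes:
    """Same parser with the missing capacity check added."""
    out = bytearray(8)
    pos = written = 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ParseError("truncated header")
        length = data[pos + 1]
        value = data[pos + 2:pos + 2 + length]
        if len(value) != length:
            raise ParseError("truncated value")
        if written + length > len(out):
            raise ParseError("record exceeds output buffer")
        out[written:written + length] = value
        written += length
        pos += 2 + length
    return bytes(out[:written])


def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Apply one random structural or bit-level mutation to the seed."""
    data = bytearray(seed)
    choice = rng.randrange(4)
    if choice == 0:                                   # flip one bit
        i = rng.randrange(len(data))
        data[i] ^= 1 << rng.randrange(8)
    elif choice == 1:                                 # insert a random byte
        data.insert(rng.randrange(len(data) + 1), rng.randrange(256))
    elif choice == 2:                                 # truncate at a random point
        del data[rng.randrange(len(data)):]
    else:                                             # duplicate the whole input
        data += seed
    return bytes(data)


def fuzz(parser, seed: bytes, iterations: int = 2000, rng_seed: int = 1):
    """Return (exception name, crashing input) for the first unexpected
    exception, or None if the parser only ever raised ParseError."""
    rng = random.Random(rng_seed)
    for _ in range(iterations):
        candidate = mutate(seed, rng)
        try:
            parser(candidate)
        except ParseError:
            continue                                  # graceful rejection is fine
        except Exception as exc:                      # anything else is a finding
            return type(exc).__name__, candidate
    return None


# Constructed seed: two well-formed records (type 1, 3 bytes; type 2, 3 bytes).
SEED = b"\x01\x03AAA\x02\x03BBB"

if __name__ == "__main__":
    print("vulnerable:", fuzz(parse_tlv_vulnerable, SEED))
    print("hardened:", fuzz(parse_tlv_hardened, SEED))
```

The point of the harness is the exception filter: a parser is allowed to reject input, so only failures it did not anticipate count. In a native target the same role is played by watching for signals such as SIGSEGV rather than Python exceptions.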

An effective cyber war operation would include a team whose sole purpose would be discovering such vulnerabilities and developing attack methodologies.

Those attack methodologies should be designed to be easy to execute quickly and should be engineered so that the exploitation is hard to detect by the defender.

In addition to new vulnerabilities, most systems are replete with previously discovered vulnerabilities because they have not been patched or protected. A cyber war operation would devise new ways to attack those systems by exploiting known vulnerabilities.

2. Automation is the best way to multiply the effectiveness of cyber attacks. Once a specific IT asset has been identified, an automated attack can open it up, search for and steal information, and then clean up its tracks.

The defender may never know of the event. Completely automated attack solutions could scan for targets, identify them, exploit them, and retrieve data for later analysis.

3. Management of cyber warfare operations is in its infancy. Most attacks are still orchestrated by one individual sitting at a computer.

Managing simultaneous attacks against multiple targets, using diverse tools and many cyber operatives, and then collecting the data or controlling the programs left behind after the attack, is a capability that will yield valuable results once cyber warfare operations address it.

Cyber criminals have already made progress in managing their operations. Phishing attacks involve copying the look of a target system, usually a bank but potentially any application that has user access controls; spamming millions of email accounts; and finally recording user access credentials, breaking into accounts and transferring funds out of them.

Today there are management consoles that can be installed on a compromised machine that provide a web interface to the entire phishing operation, including storing the identities of compromised accounts.

That level of automation and central management will soon be practiced by cyber warriors.

4. Malware. Some discovered exploits lend themselves to the writing of software packages that take advantage of vulnerabilities to install themselves on the target system. This is the realm of viruses, worms, and Trojan horses. A cyber warfare operation would employ teams whose responsibility is to create such malware. The purposes would be multi-fold. Viruses and worms can be used to recruit vulnerable machines into a botnet, which is no more than a collection of compromised computers that listen and respond to commands. Those commands could be instructions to download new components which could in turn launch denial of service attacks, sniff and report network traffic, or eavesdrop on email, IM, and web conversations. The spread of malware can also have the effect of a widely cast net.

The attacker hopes that by sifting through the results of reports from thousands, even millions, of infected machines he may identify a machine belonging to a key member of a target organization. It is hypothesized that this is the manner in which a significant chunk of source code for the Windows OS was stolen. A computer belonging to a Microsoft developer who worked from home was infected. His remote access (VPN) credentials were stolen and Windows source code eventually ended up on the Internet as the object of an auction. Trojan horses are a primary technology of cyber warfare. A Trojan horse is code that is surreptitiously installed on a computer and grants the attacker remote control over his target.


The defense against them that is most widely deployed is signature based anti-virus software.

It is easy for an attacker to write new code, or to recompile or repack existing code, so that AV programs do not detect it: they have no signature for something their researchers have never seen. Refer back to the Haephrati Trojan affair in Israel, in which private investigators used malware customized by Michael Haephrati to steal data from the competitors of their industrial espionage clients. The GhostNet researchers documented similar methods being used against the Dalai Lama's offices, with much of the control infrastructure located in China.

Cyber war operations should be constantly evolving such tools to enhance the ease with which they can be installed on a target machine, the ability to avoid detection, and the ability to create un-noticed connections back to a data collecting server. Cyber defense operations have to concern themselves with detecting and rendering harmless such Trojan horses.

5. Rootkits are a special form of malware. They modify the kernel of an operating system and so operate at a lower level than defensive measures such as AV software, hiding their files, processes and network connections from any examination carried out on the running system; finding them generally requires inspecting the machine from outside, for example by booting from trusted media or analyzing a memory image. Rootkits could be distributed as part of a commercial application. A cyber war effort could even enlist the producers of commercial software that would be sold to targets.

6. Backdoors. The inclusion of spyware or hardware backdoors in products shipped to an enemy is a powerful way to wage cyber war. To date, accusations of such activity have usually amounted to little more than paranoia. It is nevertheless maintained by many that printers shipped to Iraq before the first Gulf War contained back doors that allowed the US to access Iraqi command and control networks in advance of the invasion, though the story has never been substantiated.

Most vendors of IT products address a global market and would not readily jeopardize their sales by acquiescing to the inclusion of backdoors in their products because of the harm to their reputation if they are uncovered.

But the development and deployment of such tools in an enemy's environment is a valuable goal and would be pursued by any cyber war effort.

One proposed scheme is that a nation, particularly the United States, could in times of extreme need induce its software industry to push updates to its installed base that included malware, to be used to disable an enemy's computers.

Imagine the impact Microsoft, Cisco, or Oracle could have if they used their automatic update capability to secretly infect millions of machines with back doors, Trojan horses, or kill switches.

7. Analysis. If ever there was a task for business intelligence (BI) solutions, the evaluation and reduction of the terabytes of data collected from cyber espionage activities is it.

Technologies developed for this analysis will be a critical factor in the escalation of cyber capabilities. Signal analysis, discussed earlier in the chapter, is just one such task. Others include:

Tracking sources and the information derived from them. A database of military personnel including their ranks, specialties, training, commendations, and deployments would be updated continuously. Tracking those changes and their significance would be a difficult task without assistance from data analysis tools.

Correlating information derived from different sources or dates.

A missile design for instance goes through hundreds of revisions for each component as dimensions, materials, and manufacturing processes are optimized throughout the life-cycle of a design.

An attacker may have different copies of CAD models, process sheets, and engineering specifications that vary with time, model, and manufacturer. Determining which was the best design or which reflected the current state of the missile in question would require sophisticated BI tools.

The acquisition of a single email between two parties does not represent their entire conversation on a topic. Any correspondence may contain errors or be updated by a follow-on email. Pulling together the entire thread of a conversation is a challenge even for the participants!

If the goal of cyber war is total information dominance, the generals would want to know the economic, military, supply, staffing and technological standing of their adversaries, and of the parties with whom those adversaries collaborate or hold mutual defense accords.

Only by developing powerful and automated analytical capabilities will modern day generals be able to conduct cyber war.

8. DDoS technology. Denial of Service can take many forms. Developing new methods of attacking routers, servers, and switches via specially crafted packets or floods of packets is a critical area of technology development for cyber warfighting capability. A whole chapter of Surviving Cyber War is dedicated to DDoS defense.

9. Compromising routing infrastructure via BGP route announcements is another weapon of cyber war. Planning how to cut off an adversary while maintaining network functionality for the attacker is an area of technology to be investigated.
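How a BGP route announcement redirects traffic, as an added example that is not part of the original chapter: routers forward on the most specific matching prefix, so an attacker who announces a /25 inside a victim's /24 captures the lower half of that network while the upper half keeps working, which is exactly the selective cut-off the paragraph describes. The scenario below is constructed with RFC 5737 documentation prefixes and RFC 5398 documentation AS numbers; the origin check is a simplified version of the ROA validation used in RPKI, and the table ignores path length and other BGP path-selection attributes.

```python
"""Longest-prefix-match forwarding and a ROA-style origin check (constructed example)."""
import ipaddress


class RoutingTable:
    """Minimal forwarding table: each announced prefix maps to the AS that originated it."""

    def __init__(self):
        self.routes = {}

    def announce(self, prefix: str, origin_as: int) -> None:
        self.routes[ipaddress.ip_network(prefix)] = origin_as

    def withdraw(self, prefix: str) -> None:
        self.routes.pop(ipaddress.ip_network(prefix), None)

    def lookup(self, address: str):
        """Return the origin AS of the most specific matching prefix, or None."""
        ip = ipaddress.ip_address(address)
        matches = [net for net in self.routes if ip in net]
        if not matches:
            return None
        best = max(matches, key=lambda net: net.prefixlen)   # longest prefix wins
        return self.routes[best]


def validate_origin(prefix: str, origin_as: int, roas) -> str:
    """ROA-style check. 'valid' if an authorisation (prefix, AS, maxlen) covers
    the announcement with a matching AS and a permitted length; 'invalid' if
    the space is covered but by another AS or a too-specific prefix; 'unknown'
    if nothing covers it."""
    net = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, roa_as, max_len in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        if net.subnet_of(roa_net):
            covered = True
            if roa_as == origin_as and net.prefixlen <= max_len:
                return "valid"
    return "invalid" if covered else "unknown"


# Constructed scenario: AS64496 legitimately originates 203.0.113.0/24 and has
# authorised only the /24 itself; AS64511 announces a more specific /25 inside it.
VICTIM_AS, ATTACKER_AS = 64496, 64511
ROAS = [("203.0.113.0/24", VICTIM_AS, 24)]


def demo() -> dict:
    table = RoutingTable()
    table.announce("203.0.113.0/24", VICTIM_AS)
    before = table.lookup("203.0.113.10")

    hijack = ("203.0.113.0/25", ATTACKER_AS)
    verdict = validate_origin(*hijack, ROAS)
    table.announce(*hijack)              # a router without origin validation accepts it
    return {
        "before_hijack": before,
        "verdict": verdict,
        "low_half": table.lookup("203.0.113.10"),     # inside the attacker's /25
        "high_half": table.lookup("203.0.113.200"),   # still reaches the victim
        "legit_verdict": validate_origin("203.0.113.0/24", VICTIM_AS, ROAS),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

A router that applies `validate_origin` before installing a route would drop the /25 as "invalid"; one that does not will happily forward half the victim's traffic to the attacker while the rest of the Internet, and the attacker's own connectivity, is unaffected.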

10. DNS attacks. By controlling DNS servers or simply making them inaccessible an attacker can gain the upper hand in a cyber conflict. If Georgia's attackers in 2008 had owned the DNS servers for the .ge top-level domain they could have pointed all traffic to alternative sites carrying their own messages instead of the intended destinations.

11. SCADA attacks. SCADA (supervisory control and data acquisition) systems send commands to, and receive data from, the switches, pumps and valves that control power grids and oil and gas pipelines, using industrial protocols that were designed for isolated networks and largely carry no authentication. Developing the tools to attack these networks that control critical infrastructure would be a primary technology advantage in cyber war.
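What the lack of authentication in a SCADA protocol means in practice, as an added example that is not part of the original chapter: Modbus/TCP (a common industrial protocol, used here as the illustration; the chapter does not name a specific protocol) has no field at all identifying or authenticating the sender, so a "write register" request from a hostile host is byte-for-byte indistinguishable from the operator's. The only defensive handle is who sent it, which the audit function below exercises over a constructed set of flows using RFC 5737 documentation addresses.

```python
"""Decode Modbus/TCP requests and flag writes from unauthorised hosts (constructed example)."""
import struct
from dataclasses import dataclass
from typing import Optional

# Function codes that change controller state. The protocol carries no
# authentication, so the sender's address is the only basis for a decision.
WRITE_FUNCTIONS = {
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function: int
    address: Optional[int]
    value: Optional[int]

    @property
    def is_write(self) -> bool:
        return self.function in WRITE_FUNCTIONS


def build_request(function: int, address: int, value: int,
                  transaction_id: int = 1, unit_id: int = 1) -> bytes:
    """Build a request whose PDU is 'address, value-or-count' (functions 3, 5, 6)."""
    pdu = struct.pack(">BHH", function, address, value)
    # MBAP header: transaction id, protocol id (always 0), byte count of what
    # follows (unit id + PDU), unit id. Nothing here names the sender.
    mbap = struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id)
    return mbap + pdu


def parse_request(frame: bytes) -> ModbusRequest:
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    transaction_id, protocol_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if protocol_id != 0:
        raise ValueError("protocol id is not Modbus")
    if length != len(frame) - 6:
        raise ValueError("MBAP length does not match frame size")
    function = frame[7]
    address = value = None
    if function in (3, 5, 6) and len(frame) >= 12:
        address, value = struct.unpack(">HH", frame[8:12])
    return ModbusRequest(transaction_id, unit_id, function, address, value)


def audit(flows, allowed_writers):
    """Return one alert per write request from a host outside the allow-list
    (assumed: the engineering and HMI hosts permitted to change setpoints)."""
    alerts = []
    for src_ip, frame in flows:
        try:
            req = parse_request(frame)
        except ValueError as exc:
            alerts.append(f"{src_ip}: malformed Modbus frame ({exc})")
            continue
        if req.is_write and src_ip not in allowed_writers:
            shown = f"{req.value:#06x}" if req.value is not None else "?"
            alerts.append(
                f"{src_ip}: {WRITE_FUNCTIONS[req.function]} to unit {req.unit_id} "
                f"address {req.address} value {shown} from unauthorised host")
    return alerts


# Constructed traffic: the HMI polls a register and adjusts a setpoint, then an
# unknown host writes the maximum value to the same register.
ALLOWED_WRITERS = {"192.0.2.10"}
FLOWS = [
    ("192.0.2.10", build_request(3, 0x0010, 1)),          # read holding register
    ("192.0.2.10", build_request(6, 0x0010, 0x00C8)),     # HMI sets a setpoint
    ("198.51.100.7", build_request(6, 0x0010, 0xFFFF)),   # hostile write
]


def run_audit():
    return audit(FLOWS, ALLOWED_WRITERS)


if __name__ == "__main__":
    for alert in run_audit():
        print(alert)
```

Note that the two write frames differ only in the value field; nothing in the protocol lets the controller tell them apart, which is why network segmentation and source-based monitoring carry the defensive load for this class of system.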


Farewell Dossier and US targeted attack against the Soviet Union

Thomas C. Reed, former Secretary of the US Air Force and member of Reagan's National Security Council, relates a magnificent story in "At The Abyss: An Insider's History of the Cold War" (Ballantine Books, 2004).

He draws on unpublished notes of Dr. Gus Weiss, NSC member in Reagan's first term. Reagan had been told, at a summit meeting with French President Mitterrand in Ottawa, of a KGB agent whom France had turned into a double agent.

This agent, code-named, in a prescient coincidence, Farewell, had revealed a massive Soviet espionage apparatus that was actively collecting intelligence from US military and industrial organizations.

Colonel Vladimir I. Vetrov, the Farewell agent, provided details of the Soviets' infiltration of US laboratories, factories, and government agencies.

As Reed points out, the US led the arms race between the two countries, with the Soviet Union close behind thanks to well-coordinated intelligence gathering involving hundreds of case officers, agents in place and informants.

He claims that even one of the Soviet Cosmonauts delegated to the Apollo-Soyuz joint space mission was a KGB agent.

The information gleaned from agent Farewell provided an understanding of the Soviet shopping list for technology that proved key to the US response.

Under the direction of Dr. Weiss the US began to systematically poison the information that the KGB gathered.

"Extra ingredients" in the form of buggy software and Trojan horses were added to the software and components that these agents acquired.

"Pseudosoftware disrupted factory output. Flawed but convincing ideas on stealth, attack aircraft, and space defense made their way into Soviet ministries." (p. 268)

The culminating example that Weiss reveals in his notes shows how a ticking time bomb placed in control software was used to disrupt the lifeblood of the Soviet economy: oil and gas distribution. It is a lesson those responsible for critical infrastructure protection should take to heart.

A KGB agent supposedly penetrated a Canadian control software vendor. Learning of this, the US is alleged to have planted control software at the vendor that contained a Trojan horse, a ticking time bomb.

The buggy software was deployed throughout the Soviet Union's pipeline control system.

The software running the pumps, valves, and turbines was set to alter pump speeds and valve settings at a future time, producing pressure fluctuations that would destroy the pipeline.

The ensuing explosion was recorded by US spy satellites. What appeared from space to be a three-kiloton explosion was in fact the result of a software time bomb.

UPDATE: Thanks to questions posed by Alex Klimberg, security researcher in Austria, I have determined that these alleged notes from Gus Weiss are the single source for the story of the exploding gas line.

No other evidence has been published that the "3 kiloton" explosion ever occurred. Numerous sources discuss these events but always with the same data provided in the link above at the CIA's archives.

Even William Safire, a contemporary of Weiss' in the Reagan White House, writing in the New York Times, does not add anything.

The economic disruption from the loss of a major pipeline was one claimed result of this cyber attack.

Another effect was that, as the Soviets came to understand what had happened, they lost faith in all of their software and controls as well as other intelligence they had been relying on.

When the US and NATO rolled up the Soviet spy ring in 1984-85 the Soviet Union became blind to further US technological advancement.

They were in the dark about the progress of the Strategic Defense Initiative (Star Wars) and had lost faith in their earlier intelligence gathered from a now disrupted source.

The lesson to be learned is that cyber warfare techniques were used successfully in the early 1980's.

The military leaders of the world are now fully aware of the damage that can be done by the surreptitious introduction of bugged code.

Now that the Internet, which was in its infancy in 1982, has connected critical systems to a global network, the possibilities for exploitation are much greater.

Cyber war methodologies focused on similar kinds of disruption (economic, physical, and psychological) must be developed to achieve "information dominance".
