Monday, March 10, 2014

Threat Agent Profile: Government Cyber Warfare

Cyber warfare encompasses nation-state activities taken against enemy computer systems and networks with the intent of controlling, compromising, or disabling function through electronic methods. The potential impact of cyber warfare is perhaps best described by an unnamed Chinese general who stated in 1996, “We can make the enemy's command centers not work by changing their data system. We can cause the enemy's headquarters to make incorrect judgment(s) by sending disinformation. We can dominate the enemy's banking system and even its entire social order.”[1]

In 2007 a Gartner report counted thirty nations developing cyber warfare capabilities and predicted that 30% of all nations would have such capabilities by 2012.[2] The United States leads the world in investment in cyber warfare infrastructure. In 2006 the U.S. announced the creation of the Air Force Cyberspace Command. During the announcement, Secretary of the Air Force Michael Wynne said, “The aim is to develop a major command that stands alongside Air Force Space Command and Air Combat Command as the provider of forces that the President, combatant commander and the American people can rely on for preserving the freedom of access and commerce, in air, space, and now cyberspace.”[3]

Cyber Warheads – Stuxnet
Until early 2010, what a cyber weapon would actually look like, when it would first be used, and against whom and what it would be launched remained in the realm of conjecture. On June 17, 2010, the Belarus-based security firm VirusBlokAda Ltd discovered a new piece of malware on an Iranian client’s system that made cyber warfare manifest. Stuxnet isn’t just a one-off piece of malware. It is a framework for the development of future cyber warheads.

In short, the function of Stuxnet is to damage the Iranian Natanz nuclear fuel enrichment plant and, possibly, the Iranian Bushehr nuclear power plant. Nuclear fuel enrichment plants use cascades of centrifuges to produce low-enriched uranium. Stuxnet reprograms the Siemens programmable logic controllers (PLCs) used at the Natanz enrichment facility so that the IR-1 centrifuges spin at speeds and in patterns harmful to the centrifuges and to the enrichment process. Stuxnet also suppressed the related warning and safety controls that would have alerted plant operators to the odd centrifuge behavior.

While Stuxnet infections did not remain isolated to Iran, data collected by Symantec through its monitoring infrastructure revealed that Iran hosted 58% of the total infected systems. Indonesia and India followed distantly with 18% and 10% of the total infected hosts.[4] And it seems to have achieved at least some of its intended effect. Between late 2009 and early 2010 Iran replaced about 1,000 IR-1 centrifuges at the Natanz facility. On November 23, 2010, the head of Iran’s Atomic Energy Organization, Ali Akbar Salehi, confirmed reports of cyber attacks against Iran’s nuclear facilities: “One year and several months ago, Westerners sent a virus to [our] country’s nuclear sites.” On November 29, 2010, Iranian President Mahmoud Ahmadinejad confirmed the reports in a news conference: “They succeeded in creating problems for a limited number of our centrifuges with the software they had installed in electronic parts.”[5]

Natanz hijacking requirements and how Stuxnet met them

Requirement: The exact machines that program the Natanz control systems were not known in advance, so the malware had to spread autonomously and work out on its own whether it had landed on one of them.
Stuxnet solution: Stuxnet exploits four zero-day vulnerabilities: a Windows shortcut (.LNK) parsing flaw for spreading via USB drives, a Print Spooler flaw for spreading across the network, and two local privilege escalations. It also copies itself to remote computers through network shares. Once on a system, Stuxnet checks whether the host runs the Siemens Step7 engineering software and whether the attached PLC configuration matches the IR-1 centrifuge cascades known to be in use at Natanz; on any other host the PLC payload stays dormant.

Requirement: The industrial control systems (ICS) are not connected to any network that is connected to the Internet, so the malware had to jump the air gap.
Stuxnet solution: Stuxnet exploits a zero-day in how Windows Explorer renders .LNK shortcut files, so simply viewing the contents of an infected removable drive triggered infection, with no AutoRun required.

Requirement: The malware had to operate undetected for a long period of time in order to reach its objectives.
Stuxnet solution: Stuxnet uses kernel-mode rootkit drivers to hide its files, and those drivers were signed with valid code-signing certificates stolen from Realtek Semiconductor and JMicron Technology, so Windows loaded them without complaint and they looked legitimate to security products. It also checks for installed security products and adjusts its injection behavior to avoid them.

Requirement: The malware needed to be able to update without calling back to a command and control server, since the target hosts could not reach the Internet.
Stuxnet solution: Stuxnet-infected systems update each other over a peer-to-peer RPC mechanism. Infected systems search for each other on their LAN. When one Stuxnet instance finds another, they exchange version information, and if the versions differ the older instance is updated from the newer one.

Requirement: The IR-1 centrifuge attack code had to work against the exact configuration of the programmable logic controllers used at Natanz and had to stay hidden from the engineers who maintain them.
Stuxnet solution: Stuxnet contains the first known PLC rootkit. It replaces the Step7 communication library (s7otbxdx.dll) so that when an engineer reads the program back from the PLC, the injected code blocks are hidden and the original code is shown instead. The injected PLC code also suppresses alarms and alters the status reported to plant operators, so the attack stays invisible from the control room.

Compromising the industrial control systems of the Natanz fuel enrichment processing facilities was no trivial task. Once released, the malware had to autonomously achieve some seriously daunting tasks. Ralph Langner, the pre-eminent Stuxnet expert, summed up Stuxnet best. “Stuxnet is like the arrival of an F-35 fighter jet on a World War I battlefield. The technology is that much superior to anything ever seen before, and to what was assumed possible.”[6]

With Stuxnet out of the bag, governments around the world are scrambling to respond, assessing the exposure of their own critical infrastructure to Stuxnet-like malware and, no doubt, developing their own cyber warheads for use against all sorts of industrial control systems.

One of the prime targets of cyber weaponry is critical infrastructure controlled through Supervisory Control and Data Acquisition (SCADA) systems. SCADA systems allow remote monitoring and control of a broad deployment of physical-world infrastructure. In the hands of asset owners and operators, SCADA systems greatly increase operational efficiency and capability. In the wrong hands, they could be used to disrupt or corrupt the delivery of essential services. Consider how SCADA systems are used across a few industries:
Railroad – Automatic Train Control (ATC) systems provide remote computerized monitoring of train position, control of train speed, and rail switching.
Water – Water works organizations use SCADA systems to monitor water quality, flow, pressure, and operational status. They also use SCADA systems to control water production, distribution, and blending. Back in 2008, a California municipality published details of its SCADA water systems on its web site, going as far as showing a screenshot of its SCADA Human-Machine Interface (HMI). Probably not a great idea.

Nuclear Fuel Enrichment Processing – SCADA systems are used to control the complex nuclear fuel enrichment process.
Power Generation – Power generators use SCADA systems to monitor boiler temperatures, turbine performance, and environmental conditions and to control power generation equipment in real-time.
Power Distribution – Power distributors use SCADA systems to manage power supply into their distribution network, manage flow, and monitor supply and demand.

As most SCADA systems are not directly Internet-accessible, the likely compromise path is to first compromise a system that has access to the network on which the SCADA system resides, then use that system as a staging point for the attack against the SCADA system. With advanced malware kits that provide attackers persistent, stealthy remote control, this possibility is very real.
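The staging-point path described above has a network signature that does not depend on knowing the malware: a host that can reach both the outside world and the SCADA segment, especially one sweeping SCADA hosts over SMB or RPC the way Stuxnet spread through network shares. The following is an added example of that detection logic, not code from the original post. The subnets, the flow records and the port list are constructed for illustration; a real deployment would substitute its own segmentation and flow source.

```python
"""Flag likely staging hosts between a corporate network and a SCADA segment.

Added example (not from the original post). The segmentation, the flow log
format and the sample records below are all constructed assumptions.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Hypothetical segmentation: business LAN and an isolated ICS/SCADA segment.
CORP_NET = ip_network("10.1.0.0/16")
SCADA_NET = ip_network("192.168.50.0/24")

# Ports used for share-based lateral movement (SMB, NetBIOS session, MS-RPC).
LATERAL_PORTS = {445: "smb", 139: "netbios-ssn", 135: "msrpc"}

# Constructed flow log, one record per line: timestamp src dst dport proto.
# 10.1.200.15 reaches the Internet, then sweeps three SCADA hosts over SMB/RPC.
# 10.1.44.2 polls one SCADA host over Modbus/TCP (502) and nothing else.
# 192.168.50.10 talks S7comm (102) to another PLC inside the SCADA segment.
SAMPLE_FLOWS = """\
2014-03-10T08:01:12 10.1.200.15 93.184.216.34 443 tcp
2014-03-10T08:03:40 10.1.200.15 192.168.50.10 445 tcp
2014-03-10T08:03:41 10.1.200.15 192.168.50.11 445 tcp
2014-03-10T08:05:02 10.1.23.8 10.1.23.9 445 tcp
2014-03-10T08:06:17 192.168.50.10 192.168.50.20 102 tcp
2014-03-10T08:07:55 10.1.200.15 192.168.50.12 135 tcp
2014-03-10T08:09:03 10.1.44.2 192.168.50.10 502 tcp
"""


def parse_flows(text):
    """Parse whitespace-separated flow records into dicts with IP objects."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, proto = line.split()
        flows.append({"ts": ts, "src": ip_address(src), "dst": ip_address(dst),
                      "dport": int(dport), "proto": proto})
    return flows


def find_staging_hosts(flows, min_share_targets=2):
    """Return {src_ip: [reasons]} for hosts that look like staging points.

    Two independent signals, either of which is enough to report a host:
      * it talks to something outside both CORP_NET and SCADA_NET (i.e. it is
        Internet-reachable) AND it also talks into the SCADA segment;
      * it touches at least `min_share_targets` distinct SCADA hosts on
        SMB/NetBIOS/RPC ports, the share-based spread pattern.
    Traffic that stays inside the SCADA segment is never counted.
    """
    per_src = defaultdict(lambda: {"external": False,
                                   "scada_targets": set(),
                                   "share_targets": set()})
    for f in flows:
        rec = per_src[f["src"]]
        if f["dst"] not in CORP_NET and f["dst"] not in SCADA_NET:
            rec["external"] = True
        if f["dst"] in SCADA_NET and f["src"] not in SCADA_NET:
            rec["scada_targets"].add(f["dst"])
            if f["dport"] in LATERAL_PORTS:
                rec["share_targets"].add(f["dst"])

    findings = {}
    for src, rec in per_src.items():
        reasons = []
        if rec["external"] and rec["scada_targets"]:
            reasons.append("bridges Internet-reachable and SCADA segments")
        if len(rec["share_targets"]) >= min_share_targets:
            reasons.append("SMB/RPC to %d SCADA hosts" % len(rec["share_targets"]))
        if reasons:
            findings[str(src)] = reasons
    return findings


if __name__ == "__main__":
    for host, reasons in sorted(find_staging_hosts(parse_flows(SAMPLE_FLOWS)).items()):
        print(host, "->", "; ".join(reasons))
```

Two caveats for anyone adapting this. First, it only sees what the flow collector sees: a dual-homed engineering workstation whose second NIC sits directly on the control network will show up in corporate flow logs as Internet-reachable but never as a SCADA talker, so the bridge signal needs host inventory (which machines have two interfaces) as a second source. Second, the Modbus poller above is deliberately not reported even though it crosses into the SCADA segment, because crossing alone is normal for HMIs and historians; the point is the combination of reachability and share-based sweeping, not any single flow.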

[1] John A. Serabian, Jr., Information Operations Issue Manager, CIA, “Cyber Threats and the US Economy,” Statement for the Record Before the Joint Economic Committee on Cyber Threats and the US Economy, February 23, 2000.
[2] Herbert Strauss, “Cyberwarrior: Re-examine the Risks as Cyberwarfare Evolves,” Gartner, June 5, 2007.
[5] “Iran says cyber foes caused centrifuge problems,” Reuters, November 29, 2010.