This report is a review of cyberwarfare, specifically geared towards critical infrastructure and power generation. It covers the evolution of cyberwarfare since 1998 and how the attacks have grown and developed into what they are today. The characteristics of APTs (advanced persistent threats) are also detailed, comparing threats before and after the inception of the “internet”. The report then describes where the attacks were likely generated, as well as the most common vulnerabilities and exposures (CVEs). Lastly, a profile of the likely attacker(s) is given, including their potential reach, capabilities and access levels, both internal and external.
A. The Evolution of Cyberwarfare
Cyberwarfare is the newest warfare domain, officially recognized by NATO in 2016 (NATO officially recognizes cyberspace a warfare domain, 2016). Although the first official use of cyberwarfare, or a cyber-attack, was in 1982, when the CIA altered software that caused the Trans-Siberian Pipeline to explode (Rowen, 2015), this evolution cycle focuses on 1998 to the present. In 1998, a couple of teenagers hacked into the Air Force’s network in an incident dubbed “Solar Sunrise”, prompting the government to assess its position and develop a cybersecurity plan. In December of 1998, the DOD established a JTF (Joint Task Force) with the mission of protecting the government’s networks from attacks. Just as conventional warfare evolves and improves with time, so does cyberwarfare, but at a much more rapid pace. What was in its infancy and unsophisticated in the 1990s grew to be robust and versatile in the 2000s.
In 2001, a worm later named “Code Red” was found and is believed to have compromised more than 350,000 computers worldwide. The worm infected computers running the IIS role (Internet Information Services) via port 80. Its total economic damage is estimated to top 2 billion dollars (Bennett, 2001), and it shed light on the importance of patch management, considering that Microsoft had released a security update fixing the vulnerability a month before. To underline the importance of patch management further, in 2003 SQL Slammer hit and slowed the entire internet; the patch for the vulnerability it exploited had been available for 6 months before the worm became widespread.
As cyberwarfare becomes more relevant and its devastating potential is realized, governments start to throw their hats into the ring, and things get worse. Also in 2003 was Titan Rain, an APT (Advanced Persistent Threat), described in more depth later in this report, which is believed to have gained access to hundreds of US and British networks to steal information. The significance is that it is believed to be a state-sponsored attack (China), and not the work of freelance hackers (Trisal, 2016).
Moving into 2005, we have our first major example of a RAT (Remote Access Trojan), called “Poison Ivy”, which is loosely believed to originate from China. A RAT can be a client or server install that is often hidden inside an intentional software install and creates a back door through which the intruder can gain access into the network. The RAT often goes unnoticed, and the intruder can use it to reach privileged information inside the network through key logging, screen capturing, video capturing, file transfers, system administration, password theft, and traffic relaying (FireEye, 2014). RATs have evolved and become more sophisticated, so it is important to keep your local and WAN firewalls current and up to date, as well as your local anti-virus and malware detection.
Seeing what was happening in the cyberwar world, in 2009 the USA created USCYBERCOM to combat cyberwar. Its remit has since been expanded. On August 17th, 2017, at the direction of the President, the Defense Department initiated the process to elevate U.S. Cyber Command to a unified combatant command. President Trump stated, “This new unified combatant command will strengthen our cyberspace operations and create more opportunities to improve our nation’s defense” (Garamone & Ferdinando, 2017). This gives USCYBERCOM even greater capabilities to do its job more effectively and combat cyberwar.
Moving into the 2010s, we start to see cyberwarfare becoming one of the most prominent war domains, and Stuxnet was a gamechanger. Stuxnet, although never formally proven, is believed to be the work of the US and Israeli intelligence agencies. Stuxnet was a worm that was smuggled into an air-gapped Iranian nuclear research facility via a USB drive and, once installed, interfered with the centrifuges’ PLCs (programmable logic controllers). Stuxnet caused the centrifuges to spin faster than normal, which ultimately destroyed them and rendered the enriched uranium useless. Josh Fruhlinger of CSO Online sums up why this was a gamechanger: “We now live in a world where computer malware code is causing destruction at a physical level. It’s inevitable that we’ll see more in the future.” (Fruhlinger, 2017).
Since 2010, there have been many other sophisticated attacks similar in nature to Stuxnet and Code Red, such as the famous Sony hack, the White House hack for social security numbers, and a spear phishing attack on US oil and gas pipelines, to mention a few. Hackers, hacktivists, APTs and nation-states will continue to find and exploit security vulnerabilities in systems and networks, both known and unknown. What is important to understand is that we now live in a world where cybersecurity should be considered the cornerstone of any defensive and offensive stance, and it will continue to grow in importance. A proactive cybersecurity posture is needed to be successful both now and in the future.
B. Characteristics of an APT (Advanced Persistent Threat)
With the evolution of cyberwarfare, hackers today are required to put in much more work as well as be creative. The advancements in spam filtering, whitelisting and blacklisting, IPS/IDS, network security protocols, NTFS security settings in Windows, Next-Generation Firewalls with DPI (deep packet inspection), and so on, make hacking and compromising systems much more difficult. But even with all this security technology at their disposal, networks are invaded daily, and APTs play a big part in it.
Today’s APTs have evolved into something like a faction. They have rules, leaders, strict code enforcement, are driven by motive, are financially backed, and can often work as a group placed strategically all over the world. APTs are nasty and pose a very real threat. APTs can be as clever as developing their own code to manipulate an instrument or appliance, or as simple as using social engineering tricks of the trade to get things done or to get a piece of hardware into your network and plugged in.
One of the most common characteristics of an APT is a zero-day attack or exploit. Here the APT will rigorously examine the code or software used to run the network, hardware and equipment of the power grid, and once they find a hole that is unknown to the developers, they can exploit it to gather intel or possibly deploy malware or ransomware. Many times these zero-day attacks remain unknown until a security expert or software developer catches them. How, you ask, do they get past the air-gapped network, past security, and past the local and WAN firewalls to exploit it? My favorite of the characteristics: more than likely it was through social engineering.
According to Kaspersky Labs, social engineering is defined as “A form of techniques employed by cybercriminals designed to lure unsuspecting users into sending them their confidential data, infecting their computers with malware or opening links to infected sites” (Kaspersky, 2018). Social engineering has several attack methods, and one of the most popular and successful is phishing. Phishing is the practice of sending fraudulent emails purporting to be from a reputable person or company in an effort to get the recipient to reveal pertinent sensitive information, i.e. passwords, logins, access control information, internal email addresses, etc.
Another popular attack method is baiting. Baiting exploits the natural curiosity of humans. It can also involve enticement or the promise of goods in return. There have been many successful acts of baiting; USB drives left in parking lots are a big one. The curious employee picks one up and brings it inside the facility. Once plugged into a computer or network device, the payload on the drive can exploit a zero day, deliver malware or ransomware, create a back door into the network, or lie dormant until a chosen time. Stuxnet was a prime example of this.
The point to take away is that it is tricky when humans are involved. Thankfully, security firms and professionals are aware of this. A good security posture should always involve, at minimum, annual phishing and baiting security awareness training for employees, with minor continued training and awareness throughout the year. This will help mitigate the threats social engineering brings to the table.
C. Explain how the characteristics of a current APT are different than the threats or attacks that would have been attempted before the prevalence of the internet.
Just as cyberwar has evolved into what it is now, so have APTs. In a time before firewalls, IPS/IDS (intrusion prevention/detection systems), NIST and other security framework guidelines, protocols and appliances, there was your basic low-level hacker. These hackers, dubbed “script kiddies”, would often do little research, take an already created script and run with it. Even with their nominal knowledge and tools, they could often wreak havoc on systems and networks. Going back in the saga even further, before the presence of the “internet” as we know it now, there were hackers, but these hackers often had a great deal of knowledge about the operating system(s) and/or the software application and its pinholes. They were successful because at that time few people understood the computer and network model, or even knew of its existence, except for those directly involved in its development, deployment, production and maintenance, which is why a majority of the first hackers were developers, code writers, system administrators and engineers.
Legacy APTs were more opportunistic, whereas today’s APTs are so advanced that they will target and attack you consistently and persistently until they get what they want. Some of the biggest APTs out there are the nations themselves, carving out small task forces or departments, which we call “Nation State Actors”. Kevin Mandia, CEO of US-based cyber security company FireEye, said at the 2017 Singapore Cyber Week, “The majority of intrusions we respond to can be attributed to nation-state actors, by nations that condone cyber-attacks, or folks in uniform paid by sovereign nations to do intrusions” (Tao, 2017).
One characteristic that makes today’s APTs dangerous versus the days of the wild west is that they are multi-phase. This makes them detailed; it also means they can be composed of different teams, some possibly local or onsite and others working from the dark web or AWS, where tracking can be extremely difficult. Before the internet was anywhere near the size it is now, little was known about security and access controls.
Financial backing is also a key player in the APT realm. Gone are the days of loosely organized coalitions with little monetary backing. It has been well documented that the vast majority of advanced persistent threats are being undertaken by criminal and state-sponsored organizations who have the financial backing and wherewithal to successfully attack ANY organization (CTI, 2018). With all of this money at their disposal, they have many different fronts from which they can attack in an effort to gain control of ICS (industrial control systems) and their internal networks. In 2014, the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) received and responded to 245 incidents reported by asset owners and industry partners. Of those 245 industrial incidents, approximately 55% were attributed to APTs (ICS-CERT, 2015). Since 2014, that number has surely increased, but it is hard to quantify, as ICS-CERT has stopped identifying who the incidents came from and instead reports just the number of incidents and the type of attack methodology used. In 2016 the count was 290 (ICS-CERT, 2017).
With attacks increasing and APTs becoming more organized, having a good security posture for protecting the power grid is essential. APTs can access and attack not only from outside, but also internally. This is why having a multi-level security posture and platform is essential.
D. Describe where on the network the attack likely originated.
The attack likely originated locally, onsite through the network, with the help of some social engineering. The attacking APT had done their research. There is a significant vulnerability in some of Cisco’s Grid Management System appliances, and it was added to the NIST NVD (National Vulnerability Database) late last year, so patching may not yet have taken place at all the stations (NIST, 2017). The base score for the known vulnerability is 7.8, meaning it is rated High for potential damage.
Using the common social engineering attack method of baiting, some USB drives branded with the power company’s logo were dispersed across the parking lot, in an envelope with a branded keychain and pen and a nice note thanking the employee for their hard work and dedication to the company. The APT had done some surveillance beforehand and were careful to place these only on the windshields of newer employees, or those with paper parking passes rather than parking stickers, because newer employees are less likely to have had security awareness training. Once the employee plugged the USB drive into their machine, a .bat script silently installed software that would run as a scheduled task in the background, unbeknownst to the user.
Once installed and scheduled, the computer would run packet capturing software and filter the captured traffic based on the first octet of the MAC address. Using askapache, the APT had already prepopulated a database table of all Cisco hardware matching the first MAC octet. Then, using the packet capture, it is able to separate out the Cisco network hardware in the database that is not sending SYNs and ACKs. Once it has populated a new table of Cisco devices that are sending SYNs and ACKs, it can start its attack on both fronts when the schedule hits.
Step 1: When the scheduled task time hits, the software runs a telnet scan for open ports on the Cisco devices that were sending SYNs and ACKs, and each open port it finds it floods with a TCP SYN flood. Once it hits enough open ports with the SYN flood, the vulnerability mentioned above causes the unit to reboot, resulting in 10-15 minutes of downtime, and whatever configs were not saved are lost.
Step 2: Another CVE (common vulnerabilities and exposures) is weak user authentication (Lanner, 2017). The software now telnets and SSHes to every device that matched the Cisco MAC database and, using basic default logins and passwords, hopes to gain access to the device. If access is gained, a script is executed, something to the effect of:
If the commands execute successfully, the running-config and startup-config are overwritten with nothing, causing an outage until backup configs are copied over.
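From the defender’s side, both stages above leave a recognizable footprint in connection logs: a burst of half-open SYNs from one workstation to one switch (Step 1) and one workstation opening telnet/SSH to many distinct devices (Step 2). The following is an added example, not from the original report, that flags both patterns over constructed Zeek-style conn.log records; the field layout, addresses and thresholds are assumptions.

```python
# Added example (not from the original report): defender-side detection of the
# two attack stages described above, run over constructed Zeek-style conn.log
# records. Field layout, thresholds and addresses are illustrative assumptions.
from collections import defaultdict
from dataclasses import dataclass

MGMT_PORTS = {22, 23}  # SSH and telnet, the protocols used in "Step 2"

@dataclass(frozen=True)
class Conn:
    ts: float   # epoch seconds
    src: str    # originating host
    dst: str    # responding host
    dport: int  # destination port
    state: str  # Zeek conn_state: "S0" = SYN sent, no reply; "SF" = normal

def parse_conn_log(text):
    """Parse tab-separated records: ts, src, dst, dport, conn_state."""
    conns = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, dport, state = line.split("\t")
        conns.append(Conn(float(ts), src, dst, int(dport), state))
    return conns

def detect_syn_flood(conns, window=10.0, min_syns=50):
    """Return (src, dst) pairs with >= min_syns half-open SYNs in any window."""
    stamps = defaultdict(list)
    for c in conns:
        if c.state == "S0":
            stamps[(c.src, c.dst)].append(c.ts)
    flagged = set()
    for pair, times in stamps.items():
        times.sort()
        lo = 0
        for hi, t in enumerate(times):  # sliding window over sorted timestamps
            while t - times[lo] > window:
                lo += 1
            if hi - lo + 1 >= min_syns:
                flagged.add(pair)
                break
    return flagged

def detect_mgmt_sweep(conns, min_targets=5):
    """Return sources that opened telnet/SSH to >= min_targets distinct devices."""
    targets = defaultdict(set)
    for c in conns:
        if c.dport in MGMT_PORTS:
            targets[c.src].add(c.dst)
    return {src for src, dsts in targets.items() if len(dsts) >= min_targets}

def build_sample_log():
    """Constructed log: a baited workstation (10.0.5.23) and a benign host."""
    rows = [f"{1000 + i * 0.05}\t10.0.5.23\t10.0.1.2\t{2000 + i}\tS0"
            for i in range(60)]           # 60 half-open SYNs to one switch in 3 s
    rows += [f"{1100 + i}\t10.0.5.23\t10.0.1.{10 + i}\t23\tSF"
             for i in range(6)]           # telnet to six distinct devices
    rows += [f"{1200 + i}\t10.0.5.40\t10.0.1.10\t22\tSF"
             for i in range(3)]           # benign admin: repeat SSH to one device
    return "\n".join(rows)

def run():
    conns = parse_conn_log(build_sample_log())
    return detect_syn_flood(conns), detect_mgmt_sweep(conns)
```

Tune `window`, `min_syns` and `min_targets` to the site’s normal management traffic; a legitimate administrator repeatedly connecting to one device, as in the benign rows, stays below both thresholds.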
E. Create a profile of the attacker who likely executed the attack
We believe this to be the work of a state-sponsored or nation-state actor. The attack’s modus operandi fits this profile type very closely. Take, for example, the time lapse and funding. Gavin Millard, Technical Director of the well-known cybersecurity firm Tenable, mentions this too: “Nation state actors can invest a significant amount of research and development time to target an organization and isn’t driven by recouping costs or generating profit” (Millard, 2016). Another key is monetary compensation: there will be no requests for money in exchange, because the attacker is motivated by nationalism and not financial gain. Another is lack of ownership. It is highly unlikely anyone will claim ownership of this, as nation-state attackers are very unlikely to take ownership and go to extreme lengths to cover their tracks. To finish off this profile, let us mention resources. Nation-state actors have access to more resources than any other threat actor (Cybervista, 2017). The Council on Foreign Relations agrees, stating “State actors are the most likely perpetrators of a power grid attack” (Knake, 2017).
To summarize, the attacker profile will look something like this:
- Nation or state sponsored actor
- Stealth and patience to penetrate the network and systems, utilizing social engineering
- Access to vast resources to achieve their goal
- No claim to ownership, meaning it could be years before it is found
- The actor will have a sense of duty and nationalism, not motivated by anything else
- Will operate with anonymity as they are very unlikely to be charged in their own country because they are seen as soldiers
- Physical access will be very limited, other than social engineering to get the hardware inside and plugged into a network device
- Logical access will be used to try to move laterally and vertically to challenge access limits
- Larger goals in mind
- Bennett, A. (2001, August 10). Study: Code Red costs top $2 billion. Retrieved May 05, 2018, from https://www.itworld.com/article/2795410/security/study–code-red-costs-top–2-billion.html
- Cybervista. (2017, February 28). Threat Actor Profiles: Nation State Actors and American Superconductor. Retrieved May 13, 2018, from https://blog.cybervista.net/threat-actor-profiles-nation-state-actors
- CTI. (2018). Advanced Persistent Threat (APT) Solutions. Retrieved May 08, 2018, from http://cticorp.com/security-solutions/advanced-persistent-threat/
- FireEye. (2014). POISON IVY: Assessing Damage and Extracting Intelligence. Retrieved May 06, 2018, from https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-poison-ivy.pdf
- Fruhlinger, J. (2017, August 22). What is Stuxnet, who created it and how does it work? Retrieved May 06, 2018, from https://www.csoonline.com/article/3218104/malware/what-is-stuxnet-who-created-it-and-how-does-it-work.html
- Garamone, J., & Ferdinando, L. (2017, August 18). DoD Initiates Process to Elevate U.S. Cyber Command to Unified Combatant Command. Retrieved July 06, 2018, from https://www.defense.gov/News/Article/Article/1283326/dod-initiates-process-to-elevate-/igphoto/2001845768/
- ICS-CERT. (2015, February). INCIDENT RESPONSE/VULNERABILITY COORDINATION IN 2014. Retrieved May 08, 2018, from https://ics-cert.us-cert.gov/sites/default/files/Monitors/ICS-CERT_Monitor_Sep2014-Feb2015.pdf
- ICS-CERT. (2017, January). ICS-CERT Year in Review Industrial Control Systems Cyber Emergency Response Team 2016. Retrieved May 08, 2018, from https://ics-cert.us-cert.gov/sites/default/files/Annual_Reports/Year_in_Review_FY2016_Final_S508C.pdf
- Kaspersky. (2018). Retrieved May 07, 2018, from https://usa.kaspersky.com/resource-center/definitions/social-engineering
- Knake, R. (2017, April 3). A Cyberattack on the U.S. Power Grid. Retrieved May 14, 2018, from https://www.cfr.org/report/cyberattack-us-power-grid
- Lanner. (2017, August 31). 5 Common Vulnerabilities in Industrial Control Systems. Retrieved May 09, 2018, from https://www.lanner-america.com/blog/5-common-vulnerabilities-industrial-control-systems/
- Millard, G. (2016, January 18). State sponsored cyber-attacks are anything but fictional. Retrieved May 11, 2018, from https://www.infosecurity-magazine.com/opinions/how-can-you-fend-off-a-nation/
- NATO officially recognizes cyberspace a warfare domain. (2016, June 18). Retrieved May 05, 2018, from https://securityaffairs.co/wordpress/48484/cyber-warfare-2/nato-cyberspace-warfare-domain.html
- NIST. (2017, September 07). NVD - CVE-2017-6780. Retrieved May 09, 2018, from https://nvd.nist.gov/vuln/detail/CVE-2017-6780#vulnCurrentDescriptionTitle
- Rowen, B. (n.d.). Cyberwar Timeline. Retrieved May 05, 2018, from https://www.infoplease.com/world/cyberwar-timeline
- Tao, A. (2017, September 22). Nation-state actors responsible for most cyber attacks. Retrieved May 07, 2018, from https://www.computerweekly.com/news/450426775/Nation-state-actors-responsible-for-most-cyber-attacks
- Trisal, S. (2016, October 27). Remembering Operation Titan Rain – Titan Rain Cyber Attack. Retrieved May 06, 2018, from https://cyware.com/news/remembering-operation-titan-rain-c54ad3e4