Tag Archives: Cyberwarfare

Real Phone Hacking

Interesting glimpse into the real world of phone hacking–not the amateurish stuff we’ve been absored by in the UK–by Sharmine Narwani: In Lebanon, The Plot Thickens « Mideast Shuffle.

First off, there’s the indictment just released by the Special Tribunal for Lebanon which, in the words of Narwani,

appears to be built on a simple premise: the “co-location” of cellular phones — traceable to the accused four — that coincide heavily with Hariri’s whereabouts and crucial parts of the murder plot in the six weeks prior to his death.

Indeed, the case relies heavily on Call Data Record (CDR) analysis. Which sounds kind of sophisticated. Or is it? Narwani contends that this could have been manufactured. Indeed, she says,

there isn’t a literate soul in Lebanon who does not know that the country’s telecommunications networks are highly infiltrated — whether by competing domestic political operatives or by foreign entities.

There is plenty of evidence to support this. The ITU recently issued two resolutions [PDF] basically calling on Israel to stop conducting “piracy, interference and disruption, and sedition”.

And Lebanon has arrested at least two men accused of helping Israel infiltrate the country’s cellular networks. What’s interesting about this from a data war point of view is that one of those arrested has confessed, according to Narwani, to lobbying for the cellular operator he worked for not to install more secure hardware, made by Huawei, which would have presumably made eavesdropping harder. (A Chinese company the good guy? Go figure.)

If this were the case–if Lebanon’s cellular networks were so deeply penetrated–then it’s evidence of the kind of cyberwar we’re not really equipped to understand, let alone deal with: namely data manipulation.

Narwani asks whether it could be possible that the tribunal has actually been hoodwinked by a clever setup: that all the cellular data was faked, when

a conspiring “entity” had to obtain the deepest access into Lebanese telecommunications networks at one or — more likely — several points along the data logging trail of a mobile phone call. They would have to be able to intercept data and alter or forge it, and then, importantly, remove all traces of the intervention.

After all, she says,

the fact is that Hezbollah is an early adherent to the concept of cyberwarfare. The resistance group have built their own nationwide fiber optics network to block enemy eavesdropping, and have demonstrated their own ability to intercept covert Israeli data communications. To imagine that they then used traceable mobile phones to execute the murder of the century is a real stretch.

Who knows? But Darwani asserts that

Nobody doubts Israel’s capacity to carry out this telecom sleight of hand — technology warfare is an entrenched part of the nation’s military strategies. This task would lie somewhere between the relatively facile telephone hacking of the News of the World reporters and the infinitely more complex Stuxnet attack on Iran’s nuclear facilities, in which Israel is a prime suspect.

In other words, there’s something going on here that is probably a lot more sophisticated than a tribunal can get behind. I’m no Mideast expert, but if only half of this is true it’s clear that cellphones are the weakest link in a communications chain. And that if this kind of thing is going on Lebanon, one has to assume that it’s going on in a lot of places.

Libya’s Stuxnet?

A group of security professionals who have good credentials and strong links to the U.S. government have outlined a Stuxnet-type attack on Libyan infrastructure, according to a document released this week. But is the group outlining risks to regional stability, or is it advocating a cyber attack on Muammar Gadhafi?

The document, Project Cyber Dawn (PDF), was released on May 28 2011 by CSFI – the Cyber Security Forum Initiative, which describes itself as

non-profit organization headquartered in Omaha, NE and in Washington DC with a mission “to provide Cyber Warfare awareness, guidance, and security solutions through collaboration, education, volunteer work, and training to assist the US Government, US Military, Commercial Interests, and International Partners.”

CSFI now numbers about 7,500 members and an active LinkedIn forum.

To be clear, the document does not advocate anything. It merely highlights vulnerabilities, and details scenarios. It concludes, for example:

CSFI recommends the United States of America, its allies and international partners take the necessary steps toward helping normalizing Libya‘s cyber domain as a way to minimize possible future social and economic disruptions taking place through the Internet.

But before that it does say:

A cyber-attack would be among the easiest and most direct means to initially inject into the systems if unable to gain physical engineering attacks against the facility. Numerous client-side attack vectors exist that support payloads capable of compromising SCADA application platforms.

Elsewhere it says:

The area most vulnerable to a cyber-attack, which could impact not only the Libyan‘s prime source of income, but also the primary source of energy to the country, would be a focused attack on their petroleum refining facilities. Without refined products, it is difficult to fuel the trucks, tanks and planes needed to wage any effective war campaign.

The document itself is definitely worth a read; it doesn’t just focus on the cyberweapon side of things. And complicating matters is that one of the contributors to the report, a company called Unveillance, was hacked by a group called LulzSec around the time that the report was being finished. It’s not clear whether this affected release of the report.

Emails stolen from Unveillance and posted online by LulzSec indicate that two versions of the report were planned: one public one, linked to above, and one that would “go to staffers in the White House.” In another email a correspondent mentions an imminent briefing for Department of Defense officials on the report.

The only difference between the two reports that I can find are that the names of some SCADA equipment in Libya have been blacked out in the public version. The reports were being finalized when the hack took place–apparently in the second half of May.

Other commentators have suggested that we seem to have a group of security researchers and companies linked to the U.S. government apparently advocating what the U.S. government has, in its own report International Strategy for Cyberspace released May 17, would define as an act of cyberwar.

I guess I’m surprised by something else: That we have come, within a few short months, from thinking as Stuxnet as an outlier, as a sobering and somewhat shocking wake-up call to the power of the Internet as a vector for taking out supposedly resilient and well-defended machinery to having a public document airily discussing the exact same thing, only this time against non-nuclear infrastructure.

(The irony probably won’t escape some people that, according to a report in the New York Times in January, it was surrendered Libyan equipment that was used to test the effectiveness of Stuxnet before it was launched. I’m yet to be convinced that that was true, but it seems to be conventional wisdom these days.)

Frankly, I think we have to be really careful how we go about discussing these kinds of things. Yes, everything is at arm’s length in the sense that just because bodies such as CSFI may have photos of generals on their web-page, and their members talk about their reports going to the White House, doesn’t mean that their advice is snapped up.

But we’re at an odd point in the evolution of cyberwar presently, and I don’t think we have really come to terms with what we can do, what others can do, and the ramifications of that. Advocating taking out Libyan infrastructure with Stuxnet 2.0 may sound good, but it’s a road we need to think carefully about.

“One Technician Unplugged The Estonian Internet”

In all the hoo-ha about the Arab Revolutions some interesting WikiLeaks cables seem to be slipping through the net. Like this one from 2008 about Estonia’s view of the cyberattack on Georgia. Estonia had learned some tough lessons from Russia’s cyberattack on its defenses the previous year, so was quick to send cyber-defense experts to “help stave off cyber-attacks emanating in Russia”, according to the Baltic Times at the time.

The cable, dated Sept 22 2008, reports on meetings with Estonian officials on both the lessons from its own experience and some candid commentary on Georgia’s preparedness and response. Here are some of the points:

  • Russia’s attack on Georgia was a combination of physical and Internet attack. “[Hillar] Aarelaid [Director of CERT-Estonia] recapped the profile of the cyber attacks on Georgia: the country’s internet satellite or microwave links which could not be shut down (inside Russia) were simply bombed (in southern Georgia).”
  • Russia seemed to have learned some lessons from the Estonia attack, suggesting that Estonia was a sort of dry-run: “the attacks on Georgia were more sophisticated than those against Estonia, and did not repeat the same mistakes. For example, in 2007, the ‘zombie-bots’ flooded Estonian cyberspace with identical messages that were more easily filtered. The August 2008 attacks on Georgia did not carry such a message.”
  • That said, Georgia itself learned some lessons, Aarelaid was quoted as saying. While it failed to keep “archives of collected network flow data, which would have provided material for forensic analysis of the attacks,” the country “wisely did not waste time defending GOG (Government of Georgia) websites, he said, but simply hosted them on Estonian, U.S. and public-domain websites until the attack was over.” This “could not have been taken without the lessons learned from the 2007 attacks against Estonia.”
  • Estonia felt it got off lightly, in that it would have made more sense to have tried to trigger a bank-run. (This is not as clear as it could be). “Aarelaid felt that another cyber attack on Estonia ‘…won’t happen again the same way…’ but could be triggered by nothing more than rumors. For example, what could have turned into a run on the banks in Estonia during the brief November 2007 panic over a rumored currency devaluation was averted by luck. Money transfers into dollars spiked, he explained, but since most Estonians bank online, these transfers did not deplete banks’ actual cash reserves.” I take this to mean that if people had actually demanded cash, rather than merely transfered their money into another currency online, then it could have had far more damaging effects on the Estonian banking system.
  • Finally, the debate within Estonia focused on clarifying “who has the authority, for example, to unplug Estonia from the internet. In the case of the 2007 attacks, XXXXXXXXXXXX noted, it was simply one technician who decided on his own this was the best response to the growing volume of attacks.”

Singapore Details ‘Waves’ of Cyberattacks

Officials and delegates from APEC economies were targeted ahead of last year’s Singapore meeting with malware-laden emails faked so they appeared to have been sent by Singapore government officials on the Organising Committee.

Singapore officials have said the attacks were not the first on the country. Although Singapore regularly highlights threats to national security—including Islamic terrorism—the admission that it has been the victim of cyber attacks is, according to the Straits Times, its most detailed account.

Although it’s hard to read too much into the statements made to judge who may have been behind the attacks, it’s interesting that Singapore is drawing attention to this—not least because there’s bound to be speculation about just this point. The current flood of WikiLeaks cables about this very issue is a coincidence. But the description of the attacks fits a pattern familiar to security experts:

Between September and November 2009 APEC officials, and delegates of several APEC economies were targeted with Trojan-laden emails “with the aim of infiltrating their computers and extracting privileged information.” There were at least seven waves of such attacks, focusing on members of the APEC organising committe and APEC delegates whose email addresses were published on websites or in APEC mailing lists. (APEC, Asia-Pacific Economic Cooperation, is a forum for 21 regional economies set up in 1989. Singapore hosted meetings throughout 2009 culminating in a leaders’ meeting in Singapore from November 14-15.) 

The attacks were first mentioned in a speech by Ho Peng Kee, Senior Minister Of State For Law & Home Affairs, who told a seminar on Sept 28 that “Singapore has its fair share of cyber attacks.” More details were  added in an internal but publicly accessible Ministry of Home Affairs magazine, the Home Team Journal, by Loh Phin Juay, head of the Singapore Infocomm Technology Security Authority and reported in the Straits Times on Saturday, December 4.  (The Straits Times called the perpetrators “cyberterrorists”.)

Loh wrote in the magazine article that “between 2004 and 2005, the Singapore government saw waves of Trojan email attacks which were commonly referred to as the Trojan Riler attacks.” The attacks came in four waves over a span of two years, he said, in the form of more than 900 emails targeting officials in several ministries.  

Loh Phin Juay said that the first two waves in the 2009 attacks used PowerPoint and PDF attachments to emails puportedly warning about possible terrorist attacks on the meeting. A subsequent wave included “legitimate information relevant to the APEC 2009 meetings”—in this case an invitation to an actual APEC symposium.

Some of the malicious emails “contained details of actual APEC events (date, time, venue) not known to the general public.” This suggests to me that either the first wave was successful in gaining access to some sensitive information, or, less likely, that those perpetrating the attack were already privy to it (raising the question why they didn’t use that information in the first wave.) Both officials said no significant disruption was caused by the APEC attack.

Singapore last year set up a special body, the Singapore Infocomm Technology Security Authority (SITSA), “to safeguard Singapore against infocomm technology (IT) security threats. SITSA will be the national specialist authority overseeing operational IT security. SITSA’s mission is to secure Singapore’s IT environment, especially vis-à-vis external threats to national security such as cyber-terrorism and cyber-espionage.”

Neither official speculates about the origin of the attacks. In his speech Ho Peng Kee referred separately to Operation Aurora, a cyber attack from mid 2009 to December 2009 on dozens of Western companies including Google, which alleged the attacks began in China. Loh Phin Juay referred in his article to GhostNet, a cyber espionage network which had its command and control network based in China and which penetrated government and embassy computers in a number of countries, including some in Southeast Asia. (Singapore was not mentioned in reports of the compromised computers.)

But he writes that “to date, the perpetrators of GhostNet remain unknown,” and neither man links the Singapore attacks to either event. The Trojan Riler was, according to Symantec, first discovered on September 8, 2004; It has been associated with corporate espionage but also the GhostNet attacks.

Virus Hits British Defences

image

I wrote a couple of weeks ago about how KL’s airport information system had been infected by a virus. I shouldn’t have gotten so het up. Turns out that the UK’s air force and navy have bigger problems.

ITV News reported on Friday that the Ministry of Defence’s computer network has been shut down “because of a mysterious virus that is causing wholesale disruption of MoD sites.” Among those affected were Royal Navy ships including the Ark Royal and RAF [Royal Air Force] bases including Brize Norton.

The Register quotes a statement from the “MoD that [s]ince 6 Jan 09 the performance of the MOD IT systems in a number of areas was affected by a virus.” The Register says “no command or operational systems had been affected, though many of these are based on similar hardware. Spokespersons also stated that “no classified or personal data has been or will be at risk of compromise” due to “pre-existing security measures”.”

This is less than a month after the Royal Navy announced it had switched its nuclear submarines to a “customized Microsoft Windows system” dubbed, snappily, Submarine Command System Next Generation (SMCS NG).

In 1998 the USS Yorktown was “dead in the water” for about two and a half hours after a glitch in its new Smart Ship system, which used off-the-shelf PCs to automate tasks sailors traditionally did manually. The mishap sunk the Smart Ship initiative, which was quietly dropped a couple of years later.

A report in Portsmouth Today said the virus had affected 75% of the navy’s ships, preventing sailors from sending email and performing tasks (like finding out how many sailors are joining the ship at its next port of call). A blog on the Ministry of Defence’s website denied a report in The Sunday Times that ‘all email traffic from a number of RAF stations has been sent to a Russian internet server’ as a result of a ‘worm virus that entered MOD systems 12 days ago’. (The report makes it appear like it was a Russian attack, which is unlikely. But I’m not sure how the MoD can be so sure that emails were not diverted in that way.)

Neither do I know how they can be sure that it wasn’t a targeted attack. As Graham Cluley of Sophos points out, it’s more likely it was human error. But aside from the issues that raises—just how many MoD computers are hooked up to the Internet, and how smart is this? What kind of antivirus software do they have installed on the computers that are?—I would prefer the MoD not to jump to the conclusion that it’s not a targeted attack.

The reason? We need to stop thinking about cyberwar and malware as two different things. Governments rarely launch cyberattacks. But individuals and gangs do—and they usually do it for a mix of nationalistic and commercial motives. This case probably is just a screw-up. But it’s foolish to discount the notion that the information that may have been gleaned—accidentally, perhaps—would prove of value to a government or an agency.

(Image above is the result of my trying to search the Royal Navy website for the word “virus”. )

Articles | MoD computers attacked by virus – ITV News

Some Early Lessons from The Georgian Cyberwar

image

illustration fron Arbor Networks

There’s some interesting writing going about the Georgian Cyberwar. This from VNUnet, which seems to confirms my earlier suspicion that this was the first time we’re seeing two parallel wars: 

“We are witnessing in this crisis the birth of true, operational cyber warfare,” said Eli Jellenc, manager of All-Source Intelligence at iDefense.

“The use of cyber attack assets in conjunction with kinetic military operations in the current crisis now stands among the most significant developments ever seen in the field of information security or cyber conflict studies.”

Others suggest that in fact there are examples of earlier parallel conflicts: Kosovo, among them, says Arbor Networks’ Jose Nazario.

ZDNet’s Dancho Danchev takes the idea that this is all about denying participants a chance to get their message out a stage further: those put out of action are being forced to get their message out through other channels. Georgia’s foreign ministry, for example, has set up a blog at Blogger and the website of the Polish president.

The mainstream press is having a go at the story, too, including the Journal and the NYT. The main culprit, the articles suggest (following Georgia’s own claims), is the Russian Business Network, a St. Petersburg-based gang.

But as this article points out, finding out who is responsible is a slow business. Indeed, this is a strange feature of cyberwar that makes it more akin to terrorism than to warfare. This kind of makes the notion of establishing responsibility a little beside the point. Cyberattacks are a chance for ordinary (well, sort of ordinary) citizens to do their bit for the war effort. In this sense the government is a customer for the services of botnet and hacker groups or individuals with skills the government is happy to see deployed on its behalf, while able to plausibly deny it has anything to do with.

Indeed, we may be missing the more interesting aspect of this, one that predates South Ossetia. Now we’re just seeing cyber attacks work alongside the physical, or kinetic, attacks. A sort of psywar, since it’s mainly about getting the word out and winning hearts and minds.

But what about a cyberwar conducted on its own, but one that leads to a physical war—at least, a cold one? Joel Hruska at arstechnica points out in a piece written a week ago, that an uncovered little cyberwar—or rather cyber-hacktivism—in Lithuania, led to a serious cooling of relations between its government and that of Russia. As with Estonia last year, the attack “marked the first time I was aware of in which a single individual with a computer was able to notably impact relations between two neighboring nations.”

Georgia, however, represents the first time we’ve seen a government almost wiped off the Internet. Whether this is a prelude to it being wiped off the map is something we’ll have to wait and see. But already some conclusions are becoming obvious:

  • Cyberwar is too powerful a tool for any government to ignore, both offensively and defensively;
  • Cyberwar is not just about putting citizens of a target country in the dark; it’s about making it impossible for the target government, and its citizens, to get their side of the story out.
  • As these tools get more powerful, when will we see cyberwar as a specific phase in a physical war designed to achieve what used to be done by the physical bombardment of communication centers?
  • Botnets, and their owners, are powerful players beyond the underworld of spam and phishing. A government that has them operating within their borders must surely know of their existence; if it hasn’t shut them down already, is it too great a leap of logic to suggest there must, at some level, be a relationship between them?

Georgia gets allies in Russian cyberwar – vnunet.com

Cyberwar, Or Just a Taste?

Some interesting detail on the Estonian Cyberwar. This ain’t just any old attack. According to Jose Nazario, who works at ARBOR SERT, the attacks peaked a week ago, but aren’t over:

As for how long the attacks have lasted, quite a number of them last under an hour. However, when you think about how many attacks have occurred for some of the targets, this translates into a very long-lived attack. The longest attacks themselves were over 10 and a half hours long sustained, dealing a truly crushing blow to the endpoints.

There’s some older stuff here, from F-Secure, which shows that it’s not (just) a government initiative. And Dr Mils Hills, who works at the Civil Contingencies Secretariat of the UK’s Cabinet Office (a department of government responsible for supporting the prime minister and cabinet), feels that cyberwar may be too strong a term for something that he prefers to label ‘cyber anti-social behaviour’.

Indeed, what surprises him is that such a technologically advanced state — which uses electronic voting, ID cards and laptop-centric cabinet meetings — could so easily be hobbled by such a primitive form of attack, and what implications that holds:

What IS amazing is that a country so advanced in e-government and on-line commercial services has been so easily disrupted. What more sophisticated and painful things might also have already been done? What else does this indicate about e-security across (i) the accession countries to the EU; (ii) NATO and, of course, the EU itself?

Definitely true that this is probably just a little blip on the screen of what is possible, and what governments are capable of doing.

(Definition of Cyberwar from Wikipedia here.)

 

Cyberwar On The World SMS Capital?

I don’t know how often this happens, but if true, it must be a worry. It’s either a hoax, a script kiddie adventure, or the first bit of post-US election cyberwar.

According to Filipino news website INQ7.net (no live URL available), a group of hackers today “breached the short messaging service (SMS) servers of both Smart Communications and Globe Telecom”. It quoted a posting on the blog of a concerned hacker, Hacker PI_Flashbulb, who appears to be a regular commentator on security issues and claims to have alerted the government to several holes in their security.

What’s intriguing is that the story has since been removed: A message on the link says “temporarily unavailable or has been taken down from our server”. The same hacker, PI_Flashbulb, was quoted earlier this month by the same publication as warning of “a group of hackers who said that they will soon launch coordinated attacks against Philippine websites. Their main reason: “their government is supporting Bush.” Akala nila Singaporean ako (they thought I was a Singaporean)”.

Today’s article, since removed, says that to see “the hacker group’s message, one has to create a new SMS message, key in “FLT RB9” on the message body, and send it to 2333 for Globe and 211 for Smart subscribers. After sending the cryptic text message to 211 or 2333, the subscriber will receive this message: “Greetz to PATz, Luvchris, Verum, Fed-X, hEps, ch1m3ra, TriSha22, powerb0xx, clown AFeD-XA, Bryle, royX, Crayden at sa mga wanabee hacker groups ng masang Pilipino!”” The article says that as of Wednesday evening, “the Smart service was still sending this same message to subscribers, while the Globe number gave an error message.”

Intriguingly, the earlier article, published Nov 6, said anonymous readers had posted messages on PI_Flashbulb’s blog saying that “that the digital subscriber line (DSL) service of both Digital Telecommunications Philippines Inc.(Digitel) and Globe Telecom were open to possible attacks”. One comment appeared to suggest the hackers PI_Flashbulb were referring to are Indonesian. Many Indonesians — the world’s largest Muslim population — are opposed to George W Bush’s administration for his war on terror.

I’m trying to reach PI_Flashbulb to learn more about this. His website is usually given as phackers.org but that has not been reachable, although there’s a separate blog to which he contributes here. I could find no mention of the attack there.