In recent years network attacks have grown dramatically, not only by sheer number but in their sophistication and precision. Converging computers and mobile phones, the global network absorb us through billions of computer-embedded devices that monitor, control and operate our infrastructure, health, commerce and trade.
They manage our privacy and interaction with the world, protect us from crime and maintain our national security.
However, that same infrastructure is also providing subversive elements with the means and access to compromise our security. These are ranging from rogue nations, hostile takeovers by corporations, to illusive, non-state organizations and anarchists.
Even individuals, with powerful tools, previously accessible only at the national security level have become security perils.
These tools are not limited to irritating E-mail spams, or obnoxious group messages, but also to endanger powerful encryption, adequately protecting information-exchange for tactical applications, and ‘logic weapons’. They are empowering individuals and groups to conduct stealthy, precision attacks against high-profile cyber-entities, causing effects which have potential lethality and damage, equal or exceeding notorious the 9-11 attacks.
Attacking strategic infrastructure networks such as electricity, gas and water is relatively easy once field attack vectors are taken into account” admits Eyal Udassin, IT manager at C4 Security, a ‘Red Team’ that hacks into such networks in an attempt to uncover security gaps. “Such networks can be easily discovered and compromised, utilizing reverse-engineering of SCADA and control protocols, to gain control of specific nodes, or even the entire network. “We can hack military networks in the same way” Udassin adds. “While companies are investing ever growing funds in securing their networks, many solutions are protecting the front gate, but leave many back-door accesses uncovered. The process cannot be considered complete, before verifying that the system can now successfully resist an attack launched by a serious adversary.”
Udassin and his team are certainly not the “bad guys”, as they purposely challenge the networks, at the request of their customers who want to know just how secure they are. On the contrary, they alert all the relevant governmental agencies of the found technical vulnerabilities and assist the vendors in remedying them. Yet, equally capable terror hackers are also lurking online, using the same methodologies to seek out the weak spots, which they can exploit, to gain information and access to meaningful targets, to create ‘high profile attacks’.
Media coverage of one such attempt that successfully compromised several nuclear power stations in the U.S., was suppressed by the authorities, to deny potential terrorists access to media leaks, they were hoping for.
“Without carrying out the type of attack in a controlled manner or its own network, the utility or critical infrastructure cannot know for sure that it can withstand such an attack” says Udassin. Utilities fear that conducting such controlled attack simulations will harm their operations, but this is where the role of experienced SCADA auditors come into play.
World CyberWarriors – Unite!
“Repairing the damages caused by potential cyber terror attacks could be extremely expensive” warnes Brig. General (Res) Nitzan Nuriel, head of the counter terror bureau at the Israel National Security Council, “Cyber Security authorities around the world should join together, establishing a network that can fight back against this network of cyber-terror.” Nuriel suggests that such a network could be deployed similar to the U.S. Defense Support Program, a network of satellites providing early warning on missile launches throughout the world. “Such a network should also develop the capability to counterattack these threats as they develop, through almost instantaneous action, thus taking toll of every attempt” he added.
Cross-national cooperation among piers in the different member countries should also contribute to better preparedness, as all member nations will have better knowledge and warning on imminent threats, sometime enabling them to take preventive action or preempting an attack.
“This is not a battle a nation or a single organization can fight alone” Gemeral Nuriel said. He agrees that cyber warfare is a powerful tool for the national authorities in fighting terror and crime, but such capabilities remain within the national realm. “nations should negate the access of non-state actors to these tools and capabilities.” He added.
Exploiting the persistence, anonymity and widescale reach of the modern computerized world, Cyber terror and cyber crime are today becoming the fastest growing threat, “almost every type of criminal behavior has a parallel in the cyberworld” said Israel Police Chief Superintendent Izhak Shopen, head of the
cyber crime unit.
Cyber crime and espionage are already wide-spread in the global network, and the next wave, targeting the ‘web apps’, becoming so popular in social networks and mobile phones, has already arrived.
According to Joseph Tal, a member of IBM Security Services (ISS), almost half of the known vulnerabilities that exist today are somehow related to these apps that have minimal (if any) security measures. One of the most widely used and fastest growing threats existing today is the ‘botnet’, a stealthy, compact code, planted in a targeted device through a deceptive approach (fake email from a friend, for example). Once contaminated with the botnet, the computer is at the mercy of a remote user, taking control of that device, without the user’s awareness. By taking over the victim, a hacker can use that computer to carry on further attacks, directed at other computers, penetrate into protected networks, (for example, when the unsuspecting victim, has access to his organization’s protected intranet compromised by alien elements) Hackers can actually ‘mine’ for information from the victim, or launch attacks against critical nodes connected to the system. Frequently, these planted botnets are also offered to other hackers for rent, at rates ranging from few hundred to several thousand dollars for operation.
The Cyber Attacker’s Dillema
Shai Blitzbau, technical director at Magelan information defense and intelligence services describes typical attacks simulated by his company, providing threat assessment audit for government, security and commercial organizations.
In recent exercises Magelan performed a threat simulation, that targeted an essential national infrastructure network responsible for the production and distribution of a vital product, considered as basic necessity for the entire population. The simulation demonstrated how, after 96 hour preparation, the team could bring a network,
producing and distributing critical goods to a standstill, and keep it idle for at least two weeks. The aggressor team that started with zero access to, or knowledge of the target, managed to study the target, write malicious code, penetrate the network and execute his attack in less than four days.
There are other means the intelligence can use to gather high quality information. A cyber attack should be executed only when the gain expected significantly exceeds the potential cost one could pay for such act. Blitzbau explains that a cyber espionage act
point-out the person and the information it targets, thus identifying the attackers and their interest.
Professional attacks are stealthy and deceptive, thus masking the true identity, intensions or cause of their perpetrators. For example, a wide-scale campaign launched in 2009 known as ‘Operation Aurora’ was attributed to Chinese hackers (or Chinese authorities?) although the code was allegedly ‘signed’ in Taiwan… The targets were unknowingly exposed to this ‘Advanced persistent Threat’ (APT) seemingly directed at specific source- codes of critical applications, developed and operated by mega companies in the U.S., like Google and Yahoo. What the hackers were after is still unknown. Maybe this phase was only the beginning, and the next phase will exploit the codes already having being compromised?
The fact remains that the attackers penetrated the most inner circles of these companies, and obtained highly sensitive data deliberately. This brute aggression caused Google to decide on leaving China, and brought a serious political rift between the USA and Beijing.
In another attack, directed at the Ford Company, the alien operators recruited in the U.S. company were found and indicted, but the actual targets were intercepted inside the organization and the final destination of the information stolen through the cyber scheme remains a mystery.
Network Intelligence is a powerful tool that is widely used as part of every modern intelligence campaign, yet, the cyber intelligence, in its common form poses major challenges for intelligence organizations, since it has the potential to point directly at the perpetrators, their senders and their targets. Once compromised, such means are instantly shut down, wiping out years of developments and untapped exploitations that could take advantage of such dormant assets. “Compromising such dormant ‘logic weapon’ represents the biggest risk for the hackers, whether they represent themselves, criminals or terrorists, or an intelligence agency.” Blitzblau said. He describes such a weapon recently uncovered by the Maglan team as an ‘innocent looking’ piece of code, only 8Kb in size, that has the potential to do much damage on the computer it was planted on and even beyond it. “Inserted into the targeted computer, this malicious code was acting on commands received from the remote computer through a maze of pathways hiding the source. Although it wasn’t highly sophisticated it was quite difficult to spot” he said.
According to Blitzbau, the most common type of attack known as ‘Defacement’ is still taken too lightly by security personnel and executives, measuring their effect only by the superficial damage they cause, by replacing the home page with humorous messages or political propaganda. ‘Almost 30% of defacement hits, commonly considered as the work of amateur hackers, are actually an act of deception, where the attackers hide a malicious code somewhere in the computer being compromised, hitting the home page to hide their tracks. Most webmasters being attacked simply reload the original data and consider the case closed, although their website now becomes a ‘zombie’, contaminating the site, while users remain unaware about the risk being hit with the stealthy, malicious codes.
Cyber Warfare was the theme discussed at the Tel Aviv Workshop for Science, Technology and Security, April 13, 2010.