Cyberwarfare Task 1

Cyberwarfare Task 1

This report provides a brief analysis of the recent incident of intrusion detected in the Western Interconnection power grid network. The report briefly discusses how the cyberwarfare has evolved since 1998 in both its capabilities and technologies. The report also sheds light on the characteristics of advanced persistent threats (APT) and the tradecrafts they use to reach their mission’s goals. The report discusses how, in the given power grid scenario, the attacks by the APTs would be different if the Internet was absent in the power grid. The report then points out the possible areas of vulnerabilities in the power grid that can be exploited in the Internet. It speculates where the power grid intrusion attacks might have originated from. The report finally speculates the attacker’s profile, the resources that might be involved and their capabilities. It also explains briefly the probably type of access involved in the power grid intrusions.
Evolution of Cyberwarfare
Cyberwar tactics, capabilities and technologies have evolved over the past three decades (Chappel and Seidl, 2014; SANS Institute, 2005). The earliest signs of an approaching cyberwar surfaced in the late 1990s when a locally initiated attack, Solar Sunrise, relayed from local university servers, took down US Air force workstations nationwide. Although the attacks were traceable and were found to be conducted by local recreational hackers, the worrisome aspect was that the attack was successful despite military’s security assessment exercise, Eligible Receiver.

The military’s vulnerable security conditions became even more alarming when another intrusion attack, Moonlight Maze, was detected and traced back to Russian servers. But since the attack could be relayed using the traced Russian servers, the attacker’s political involvement could not be proven. In the same year, NASA computer containing sensitive confidential data about air traffic system, GPS navigation satellite configurations and Stealth aircraft information was hacked. The origin of hackers/terrorists were traced to Persian Gulf area. Although the attack could have been relayed but the threat of such possibilities of untraceable organized International cybercrime became imminent.
Over the next decade, as the Internet technology became introduced into daily lives of people on a massive scale, cyber weapons were designed to target Internet users worldwide. The attackers developed self-spreading worms (e.g. Y2K and SQL Slammer) and Trojans (Poison-Ivy) that could exploit software vulnerabilities and affect millions of people in a matter of hours. Attacks were designed that could target different organization networks of specific countries (e.g. Titan Rain and Stokkato). On the basis of the frequency of International cyberattacks the US faced annually, cyberspace become the fifth domain of warfare alongside sea, land, space and air. And thereafter, the cyberwar operations became government funded military and political initiatives that aimed to access and keep watch on the enemy’s military equipment (e.g. Senior Suter) (Paganini, 2012).
By 21st century, the US state sponsored attacks had become sophisticated enough that they could remotely target an offline critical infrastructure of a foreign country through worms that could access and destroy specific programmable chip (e.g. Stuxnet worm). Attackers evolved into advanced persistent threats (APT), that use social engineering to lure targeted factions from anywhere in the world, gain access to their confidential information, remove traces of the intrusion and conduct zero-day attacks (e.g. Operations Aurora, Duqu, Flame and Foxacid).
Characteristics of an APT
As identified by Chapple and Seidl (2014), an APT has five characteristics;
Has access to uncommon advanced attack technology and tools that may include vulnerabilities of targets, gathered by the APT or sponsor, impossible to defend against.
Can use APT tradecraft to gain access within the target organization. The APT tradecraft includes zero-day attacks, malware, phishing and social engineering, and strategic web compromises.
All actions are directed towards the mission.
Has access to skilled human resources, abundant finances and intelligence products from the sponsor.
Is highly disciplined individual that behaves in a command-and-control style.
An APT group spends an abundant amount of resources (time, money, human resources, tools) to develop attacking tools that help them complete their mission without the enemy noticing it. For instance, in zero-day attacks, an APT group find a vulnerability in a software or operating system and keeps it a secret from the manufacturer. The attack goes undiscovered till the manufactures themselves detect the attack. Meanwhile, an APT may execute a remote access Trojan (RAT) to have permanent access to the target system even after the manufacturer runs the patch for the vulnerability. When using social engineering, an APT chooses a target with privileges in an organization, then through research gain enough insight to craft an effective phishing email the user would believe and click the enclosed Trojan or link. Lastly, APT may infect the target’s frequently visited website with a malware which is triggered when the target visits the site, infecting his/her computer.
Effect of the Internet on the Attacks
When critical infrastructures are connected to the Internet, they become vulnerable to terrorist attacks from all over the world (SANS Institute, 2005). In the power grid intrusion scenario, Internet facilitates all of the mentioned APT tradecrafts. However, if there was no Internet, the APT tradecrafts would not work. This is because, without the public network i.e. the Internet, logical (remote) access of the grid system would have been impossible. The attacker would have to either physically access the grid’s computer and infect it directly with a malware, or exploit one of the grid employees to use an infected device on a grid computer.
For instance, in the zero-day attack, even if an APT found a vulnerability in the grid’s software or operating system, without the remote connection, the APT would need to physically access the grid’s computer to exploit the vulnerability. And even if the APT managed to install a RAT, in the absence of Internet, the RAT would not be able to send information to the attacker. The attacker would have to revisit the computer physically to collect the data. The social engineering skills of APT would only help them gathering information about the grid’s employees. Without the Internet, there would be no clickable links to Trojans through compromised websites or phishing emails. The APT would have to physically give the infected disc to the target employees without raising suspicion. Also APT would have to convince the employee to use the disc on the grid system.
Attack Origination and Perpetrator
There are numerous endpoints through which the attacker could have infiltrated the power grid. For instance, through the local wireless network, employees, dial-up modems, digital programmable devices, the Internet, the very small aperture terminal (VSATs) or a web server without a firewall (Chappel and Seidl, 2014; SANS, 2005; Shea, 2003; Storm, 2014). The number of International cyberattacks on the US critical infrastructures per year have increased over the years (SANS, 2005). Based on this fact, the attack may have been originated from and sponsored by a foreign attacker.
In a recent attack on Ukrainian power grid, the attackers used stolen credentials (acquired through phishing emails with malware infected word and excel sheet attachment) of employees to access and manipulate the grid control systems remotely, causing massive power outage (Higgins, 2016). In view of this strategy, the APT group may have used social engineering skills and data sniffing tools to acquire grid communication formats and employees’ expectations, to craft a convincing phishing email. The target of the mail could be all employees or a particular employee, who has access to internal grid control systems.
To get hold of the employee’s credentials, the APT group could also have compromised the target employee’s frequently visited a website and used it to infect the employee’s computer (home or grid’s) with a Trojan or key logging malware. If employee opened the attachment at home, the malware could eventually affect the employee’s USB disc with the worm. Similar to the Stuxnet worm attack, the virus or Trojan could have eventually entered the network through the target employee’s USB disc or a phishing email. If the phishing email had targeted all employees, the malware could have stolen credentials of users with different administrative powers in the grid system. Once the credentials were acquired, the APT would have used them to map the grid network and clear their tracks to remain hidden for a zero-day attack.
Profile of Attacker
Based on the general characteristics of attackers highlighted by National Security Agency (2010) and Storm (2014), in the current power grid scenario, the attackers (APTs) could be well funded nation states or terrorists with the motivation of causing denial of service (DoS), stealing intellectual property on new technology, gathering intelligence data or merely to feel proud of having compromised a critical US infrastructure.
Based on the findings from a recent critical infrastructure hack on a Ukrainian power grid, the attackers in the current power grid scenario too seem to be APTs, sponsored by a resourceful foreign third party that can fund and provide resources to conduct a long term attack (Higgins, 2016; Kovacs, 2016). The attackers may have the skills to use and develop sophisticated tools to monitor grid communications passively, probe active networks, exploit employees and find loops through grid’s IT resources’ vendors (National Security Agency, 2010). Similar to the Ukraine power grid attack, the attackers might have the necessary skills and knowledge to develop a malware that can capture user credentials, hide the malware within a seemingly legitimate file, activate the malware on file opening and to make the malware work without raising any suspicion (E-ISAC, 2016).
Similar to the Ukrainian power grid hack, the attackers’ tradecraft may include zero-day attacks, malware insertion, social engineering and phishing in the Western Interconnection power grid situation as well (Higgins, 2016; E-ISAC, 2016; Murdock, 2016, Zetter, 2016; Kovacs, 2016). Since the attack has remained unnoticed for several months, the attackers could be accessing the grid systems remotely rather than physically, as was the case with the Ukrainian power grid hack (E-ISAC, 2016; Kovacs, 2016).
References
Chapple, M. & Seidl, D. (2014). Cyberwarfare. Jones & Bartlett Publishers
E-ISAC. (2016). Analysis of the Cyber Attack on the Ukrainian Power Grid, Defense Use Case. SANS Industrial Control Systems. Retrieved from https://ics.sans.org/media/E-ISAC_SANS_Ukraine_DUC_5.pdf
Higgins, K.J. (2016). Lessons from The Ukraine Electric Grid Hack. Darkreading. Retrieved from http://www.darkreading.com/vulnerabilities—threats/lessons-from-the-ukraine-electric-grid-hack/d/d-id/1324743
Kovacs, E. (2016). Ukraine Power Grid Attacks Part of a 2-Year Campaign. Security Week. Retrieved from http://www.securityweek.com/ukraine-power-grid-attacks-part-2-year-campaign
Murdock, J. (2016). Ukraine power grid attacks continue but BlackEnergy malware ruled out. V3. Retrieved from http://www.v3.co.uk/v3-uk/news/2440469/ukraine-investigating-suspected-russian-cyber-attack-on-power-grid
National Security Agency. (2010). Defense in Depth. Retrieved from https://citadel-information.com/wp-content/uploads/2010/12/nsa-defense-in-depth.pdf
Paganini, P. (2012). The Rise of Cyber Weapons and Relative Impact on Cyberspace. Infosec Institute. Retrieved from http://resources.infosecinstitute.com/the-rise-of-cyber-weapons-and-relative-impact-on-cyberspace/SANS Institute. (2005). Can Hackers Turn Your Lights Off? The Vulnerability of the US Power Grid to Electronic Attack. Retrieved from https://www.sans.org/reading-room/whitepapers/hackers/hackers-turn-lights-off-vulnerability-power-grid-electronic-attack-606
Shea, D.A. (2003). Critical Infrastructure: Control Systems and the Terrorist Threat. CRS Report for Congress. Retrieved from https://fas.org/irp/crs/RL31534.pdf
Storm, D. (2014). Hackers exploit SCADA holes to take full control of critical infrastructure. Retrieved from http://www.computerworld.com/article/2475789/cybercrime-hacking/hackers-exploit-scada-holes-to-take-full-control-of-critical-infrastructure.html
Zetter, k. (2016). Inside the cunning, unprecedented hack of Ukraine’s power grid. Wired. Retrieved from https://www.wired.com/2016/03/inside-cunning-unprecedented-hack-ukraines-power-grid/