Cyber Warfare & Unspoken Ethics Decisions
Illustration: Pexel, Tima Miroshnichenko
Written in 2017. Updated & Published on September 23rd, 2022.
Abstract
Concern for Internet security predates the arrival of private institutions and the general public online. Over the past 27 years our daily activities and private lives have been digitized in every respect, with little thought given to privacy and metadata leakage. Now more than ever, innocent systems and people are affected by transnational objectives, because devices communicate with their peers with little or no security in place. There has been a rapid technological advance in both defensive and offensive cyber capabilities, reaching well beyond the scope of ordinary malicious activity addressed by the Computer Fraud and Abuse Act (CFAA). Computer hacking has transformed from an attempt to deeply understand how systems work and how to fix their problems into building on that knowledge to find the best way to make a system or application behave in a manner it was not designed for. The value of breaking old technology is that it allows newer and improved systems to be invented, though these are not always bug free, which keeps the cycle going. This essay explores issues from the past decade. Recent trends in cyber crime in 2022 can be found here.
Cyber Warfare & Unspoken Ethics Decisions
“We’ve never seen this before! The entire power grid of the country has been taken out along with all internet connectivity!” is a reality that has already happened, and it is not far from being taken to an extreme in the near future as geopolitical conflicts grow more aggressive. Transnational military units have transformed battle from fighting on land, at sea, in the air and with nuclear weapons to using cyber technology to carry out such attacks remotely, without having to set foot on the enemy’s homeland. The most powerful nation or nations will use Offensive Cyber Capabilities to be the dominant force in future wars. A country that cannot defend its infrastructure, and in turn compromise its opposition to gain high-fidelity information on their techniques, will have no advantage and will suffer the consequences of any political agenda against it.
Any system can be compromised; the recipe rests in the methodology used and in whether the timeline is in the attacker’s favor, which it normally is. As the need for cyber security talent has increased to defend the networks that make up the world wide web, and the systems specific to nations such as the United States that have influence over political matters, there has also been an increase in the need for resources who can carry out Computer Network Attack (CNA) operations. Defenders must think the way an attacker does: understanding how an attacker exploits systems, behaves, and blends into regular online traffic to inflict grave damage on, or gain advantage over, the target. A famous quote from the Art of War shows how we must approach battle within the binary war zone: “Hence, when we are able to attack, we must seem unable; when using our forces, we must appear inactive; when we are near, we must make the enemy believe we are far away” Tzu, S (512 B.C).
There are not many laws or definitions distinguishing the different levels of severity within cyber-attacks. Through many publications and breaches, new terminology has been used to provide context for certain attacks. To provide common ground, the top three types of computer hacking that can take place are petty Cyber Crime, Cyber Terrorism, and Cyber Warfare according to Brenner, (2007). Cyber Crime covers any type of misuse of computer systems, devices or assets in which unauthorized access, or access exceeding what is authorized, is used to view information, as stated by US Code 18, (1984). Cyber Terrorism is an act directed through the internet which seeks to harm others physically or meddle in political affairs, as published by Tafoya, (2011). Cyber Warfare by definition is the creation and launching of Cyber Weapons against other nations in order to debilitate or degrade their infrastructure, as published by RAND, (2017).
Offensive Cyber
Through the use of human intelligence and covert operations that leverage technology, there is nothing that can’t be accomplished. The key is to understand how specific systems, models, and equipment work in order to reverse engineer them or dive into deep code analysis to find bugs which introduce vulnerabilities. A vulnerability is any physical or digital weakness in the design of an object or technology such as a computer, a smart phone, a centrifuge, or even the systems that make up a country’s power grid. The scope of a vulnerability also extends into the real world, as we humans are the most vulnerable asset and can be deceived through psychological and emotional means. A criminal or an ethical individual such as an army soldier can exploit one or more of these vulnerabilities to carry out their objective. An exploit is a technique used to compromise the target Cengage, (2017). These exploits can be tools, frameworks, or tactics that are publicly disclosed, or they may be unknown to the rest of the world including the manufacturer who created the system, in which case they are referred to as Zero Day Exploits. Zero Day exploits are in large demand from national governments and private institutions, who are willing to pay up to $1 million per vulnerability or exploit, because there have been zero days of acknowledgement or time to patch against these attacks. Expert hackers who are very sensitive to revealing any information about themselves and who watch their operational security may end up selling those Zero Day exploits or vulnerabilities on the black market.
Exploits leveraged for Cyber Warfare can have two different types of code execution, local and remote. A remote exploit can be launched from anywhere as long as certain criteria are provided, such as an IP address, port, code modification, and any other arguments needed to attack the system. Remote is the preferable option as the operator doesn’t have to be physically present. A local exploit is one that is executed on a system after initial compromise, which may lead to higher privileges for performing tasks on the computer that were not permitted to a lower-level account. Once a system is infected, the next steps involve post-exploitation, pivoting, maintaining persistence, and covering any tracks of digital evidence from the attack. Post-exploitation activities are essential to understanding what truly is in the system: the first thing an operator would do is inspect what’s on the box, look at all the services installed, understand all of the components that make up the box, and check whether it has connections to other internal machines to which control can spread. All the work of scanning that machine, enumerating services to find an attack vector, exploiting a vulnerability, and doing post-exploitation can be time-consuming when it’s meant to stay under the radar. By nature, a connection that has been established will end once the session is over or the system is turned off for patching.
To maintain a connection for days, weeks, months or years at a time, the attacker must establish persistence. With complete persistence over a system, an operator sponsored by a government entity can monitor, analyze, mimic and intercept all digital traffic as if a wiretap had been implanted in a home. This can be made possible through rootkits installed on infected systems, which can evade the antivirus, Intrusion Detection Systems, and firewalls configured to protect the system. Malware writers understand that many systems use signature-based detection, meaning each malicious binary is identified by hashes computed with numerous hashing algorithms. To evade these checks, malicious files undergo rigorous testing and obfuscation of their code to avoid being picked up by popular vendors, according to Zetter (2017). As most of the world uses similar security controls to protect their assets, the perpetrators are able to use those same tools to ensure that they won’t get picked up by online databases such as VirusTotal.
Critical Infrastructure Must Be Protected
A nation state interested in taking out another country’s infrastructure must first understand that country’s most mission-critical systems. These systems are called High Value Targets as they are essential to the objectives and daily operations of the country that will be under attack. Once key people, processes, or technologies are identified, Open Source Intelligence (OSINT) can begin. This process consists of passive information gathering, such as seeing what type of information is publicly available on possible targets, in order to carry out a stealthy operation without attribution. Many companies and personnel divulge troves of information in the hope of making people aware of their company, as it is a marketing technique. That information can include, but is not limited to, the identities of high-ranking individuals, mission statements, projects underway, locations, email addresses, and some insight into what the culture may be. A next logical step would be to gather publicly available information through social media on the high-ranking officials or individuals who may be related to systems of interest.
Many companies have strict rules about what content is acceptable to publish online once one becomes an employee, as it can introduce many risks. An online social media account can provide details such as personality, habits, circle of trust, and how the person is related to the target entity. Gathering information on numerous individuals at the same time can add supporting evidence about the type of people who work there and give an attacker enough pretext to carry out a social engineering attack or a specially crafted spear phishing email. Staggering new research shows that a large portion of malware is delivered through email, which is a fast and easy way to gain a foothold in a network, as stated by Verizon (2017). It’s important for individuals who are part of large institutions or government entities to be trained on the risks of cyber security and the common techniques used by an attacker, as these techniques may even extend to the real world in some cases.
One example comes from a Red Team consulting group within the United States that used similar techniques to hack the US power grid during an assessment. When conducting the reconnaissance explained above, you must be aware of the security controls that are implemented in order to succeed at getting through. An understanding of the surrounding area, cameras, guards, and access controls, according to Tech Insider, (2016), will give someone enough information to be comfortable enough to fake their way into a facility. Once physical access to a building is obtained, local exploits can be leveraged, and abusing systems becomes extraordinarily easier for an expert hacker as they don’t have to go through the trouble of remotely accessing assets. Small devices such as the Pwnie Express can be leveraged as an implant: once placed on the network, it can call back and give the attacker command line access or a view of the network communications, according to Gallagher, (2013).
Current Capabilities
The creation of cyber tooling which can grant access to any particular system is typically classified as a threat to national security when it relates to critical systems. By leveraging open source tools, companies and individuals can protect their data. The United States is quickly gaining talent and will be led by US Cyber Command, which was initiated as a joint program out of the National Security Agency. The sole mission of this US-led team, also known as CYBERCOM, is to disrupt the online communications and exploit the systems of any party deemed an adversary based on the intelligence gathered. Exploitation attacks can only be approved by the president. Countries around the world have understood that in order to protect their nuclear weapons they must enhance their online capabilities to disrupt other countries.
China is the most populous country in the entire world, as stated by the US Census Bureau. This gives it the advantage of building its existing army of expert hackers to an exponential size compared to other countries. Research shows that China’s army of hackers is well over 50,000 at the modest lower end, according to an article by Bocetta (2017). North Korea has recently been provided unlimited internet access by a Russian Internet Service Provider, which has raised the concerns of the Intelligence Community; this would give the hackers of North Korea a platform to launch any cyber-attacks they desire. Israel’s well-known cyber capability, which has been used to launch attacks against Iran, goes by the name of Unit 8200 and serves as the military force in charge of elite operations. Many of the popular companies within the United States have invested in Israeli companies, which also raises concerns when there are geopolitical conflicts.
Geopolitical Conflicts & Cyber Attacks
Stuxnet was the first cyber warfare weapon, in the form of a virus, created by a nation state to attack another nation, and it spread across the world beyond its target. The builders of Stuxnet took the Hollywood scenario of bringing physical harm from a movie into real code. The name was given by the antivirus companies who deeply analyzed the code of the virus in 2010, according to Zetter, (2017). It was later clarified through leaked documents and a documentary that the real name of the operation was “Olympic Games”, as reported by Szoldra, (2016). The virus was created with such pristine care that when it was reverse engineered, claims surfaced of shocked Symantec analysts stating that the malware was free of bugs. Stuxnet’s sole purpose was to attack a specific model of Siemens Programmable Logic Controllers, which were used at one of the Iranian nuclear facilities focused on enrichment of uranium to jumpstart their nuclear program. PLCs are small devices attached to large equipment used in water systems, power grids and factory systems, and they are everywhere within any country’s infrastructure, according to the ZERO DAYS film by director Gibney, (2014).
The malware’s payload was designed to probe through a network for those very specific systems and, once it discovered them, infect them; the malware would then monitor the activities of those systems for 13 days prior to attempting anything. The reason Stuxnet lay dormant was to record all of the data throughout a 13-day cycle, which was the equivalent time it took to fill a centrifuge with uranium. The rotors within those centrifuges had a coordinated spin rate at which they must rotate in order to stay balanced. The purpose of the malware’s code was to make these rotors spin out of control until the centrifuges exploded, putting the lives of scientists at the facility in danger. No errors were reported back to the systems that monitored the PLCs, as the virus took the recorded data and replayed it. Additionally, the controls for the centrifuges were hijacked and could not be stopped. Due to the geopolitical events going on at the time, the analysts investigating the incident were able to make educated guesses about which countries may have been behind launching this cyber weapon. Israel and the United States were the top candidates, as they were the two countries which were having issues with Iran’s nuclear program at the time, according to Tarnopolsky, (2017).
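As an added illustration, not part of the original essay, here is a simple defensive check aimed at the replay trick described above. It fingerprints sliding windows of PLC telemetry and flags any window that exactly repeats an earlier one, since genuine physical readings carry measurement noise and never repeat byte for byte. The telemetry, the 1000 Hz nominal rotor speed, and the window and history sizes are all constructed for the example.

```python
import hashlib
import random
from collections import deque

# Stuxnet recorded a full cycle of PLC telemetry and replayed it to the
# monitoring systems while the centrifuges were being driven off-balance.
# A real physical process carries measurement noise, so two long windows of
# genuine readings are never identical; an exact repeat of an earlier window
# is therefore a cheap, high-confidence signal that telemetry is being replayed.
WINDOW = 8     # consecutive readings fingerprinted together
HISTORY = 64   # how many past window fingerprints are remembered

def window_fingerprint(readings):
    """Hash a window of readings so that equal windows give equal digests."""
    raw = ",".join(f"{r:.3f}" for r in readings).encode()
    return hashlib.sha256(raw).hexdigest()

def find_replayed_windows(stream, window=WINDOW, history=HISTORY):
    """Scan overlapping windows of a telemetry stream.

    Returns a list of (tick, earlier_tick) pairs: the window ending at `tick`
    is byte-for-byte identical to the one that ended at `earlier_tick`.
    An empty list means no replay was detected.
    """
    seen = {}                    # fingerprint -> tick where first seen
    order = deque()              # fingerprints in arrival order, for eviction
    buf = deque(maxlen=window)   # the most recent `window` readings
    hits = []
    for tick, value in enumerate(stream):
        buf.append(value)
        if len(buf) < window:
            continue
        fp = window_fingerprint(buf)
        if fp in seen:
            hits.append((tick, seen[fp]))
            continue
        seen[fp] = tick
        order.append(fp)
        if len(order) > history:
            del seen[order.popleft()]    # forget the oldest window
    return hits

def constructed_rotor_speed(n, seed=1234):
    """Constructed sample telemetry: a rotor nominally at 1000 Hz plus noise."""
    rng = random.Random(seed)
    return [1000.0 + rng.gauss(0.0, 0.5) for _ in range(n)]

# 32 genuine readings, then a controller replaying the first 16 of them.
HONEST = constructed_rotor_speed(32)
REPLAYED = HONEST + HONEST[:16]

if __name__ == "__main__":
    print("honest stream:", find_replayed_windows(HONEST))      # []
    print("replayed stream:", find_replayed_windows(REPLAYED))  # first hit (39, 7)
```

The check is deliberately narrow: it catches exact replays only, so in practice it would sit beside an independent sensor comparison rather than replace one.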
It is believed that this attack used OSINT to be precise during infection: photographs existed on the internet of the President walking through the facility, which gave the United States and Israeli forces an interesting deception technique to trick the scientists on shift at the Iranian nuclear plant. In response, Iran launched an attack against the financial sector of the United States which caused a large loss of business, as a number of banks had to be shut down due to the large volume of computer requests they received, known as a Distributed Denial of Service (DDoS) attack. This type of attack takes advantage of the normal operation of TCP/IP, in which clients request information from machines known as servers. When a large amount of traffic is sent to these servers, they are by default overwhelmed, as they cannot respond to every system, causing a crash. 46 large banks across the United States were affected, and the Iranian hackers were indicted, according to Volz, (2016).
Honey Systems
System administrators who manage Industrial Control Systems that contain highly classified information could benefit from using honeypots to distract attackers and gain intelligence on their Tactics, Techniques, and Procedures (TTPs). A mature cyber warfare capability would make use of Honey Systems, the infrastructure that supports any decoy networks and artifacts that will lure an attacker away from critical assets. A honeynet is a set of sandboxed computers meant to mimic an actual network, which will make an attacker think they’re exploiting systems of value, according to the white paper released by the Israeli company Cymmetria, (2017). A honeypot is a system which may be used for lower or higher levels of interaction, such as a Windows Active Directory server with false information on it. A honey artifact can be a document or a set of access keys that appears legitimate based on its contents but triggers an alert when opened or used on any system of the monitoring entity. At times, even riskier methods are used, where these honey artifacts are placed on real systems to redirect adversaries back to honeypots or honey clients.
An old tactic which has been modernized for online needs is Cyber Deception. It borrows military tactics and increases the security of online systems, people, company reputation, and possibly even the dark web if done carefully. Any deployment of this type of technology must be carefully planned, as an adversary can catch obvious clues that don’t add up and quickly discover that they’re being deceived. It used to be that the shortcomings of these systems lay in the manner in which they were designed, which made them easier to identify because of their lack of interaction back. Normal systems interact and are quite verbose in their operations, whereas early honeypot projects presented vulnerable banner names indicating systems of high interest but, once probed, did not respond or act like a real system, so attackers would lose interest and move on. With newer advances in nested virtualization, private companies have been able to take these capabilities to the next level by providing the attacker an entire network with running services that interact back and have normal applications installed.
Virtualization has allowed an increase in productivity due to the minimal hardware required on the customer’s part. Products like Cymmetria create administrative credentials which can be integrated into services like a MySQL database. These services then contain more information which leads an attacker back to a bait system to compromise, all within a virtual environment. A nation state attacker may assume they’re succeeding in their espionage mission, although all their techniques are being forensically logged and monitored by the company which has these systems deployed. Such intelligence is regarded as high fidelity, as it can be trusted: the specific path an adversary had to take is only followed by a persistent source. Although these are not platforms which can legally stand in court, they do provide information which aids in understanding how the attacker may return and take advantage of real systems, according to Rowe and Auguston, (2002).
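An added example, not from the essay and not Cymmetria’s own product code, of the alerting side of a honey credential as described in the two paragraphs above: a small detector that parses auth log lines and raises an alert whenever a planted decoy account is used, whether the attempt succeeded or failed. The account names, hosts, source addresses, log lines and bait locations are all constructed for the example.

```python
import re
from dataclasses import dataclass

# Decoy accounts planted by the defender (constructed for this example). No
# legitimate process ever uses them, so any authentication attempt with one
# of these names is a high-fidelity alert, whether it succeeded or failed.
HONEY_ACCOUNTS = {
    "svc_backup_ro": "planted in /etc/mysql/backup.cnf on db-01",
    "ansible_deploy": "planted in ~/.bash_history on build-07",
}

# Constructed log lines in the shape of Linux auth.log and the MySQL error log.
SAMPLE_LOGS = """\
Mar 03 02:14:07 db-01 sshd[2231]: Accepted publickey for alice from 10.0.4.12 port 50210 ssh2
Mar 03 02:31:55 db-01 sshd[2310]: Failed password for svc_backup_ro from 10.0.9.77 port 41022 ssh2
Mar 03 02:32:01 db-01 sshd[2310]: Failed password for svc_backup_ro from 10.0.9.77 port 41022 ssh2
Mar 03 02:40:13 db-02 mysqld: Access denied for user 'svc_backup_ro'@'10.0.9.77' (using password: YES)
Mar 03 03:01:44 build-07 sshd[901]: Accepted password for ansible_deploy from 10.0.9.77 port 41100 ssh2
Mar 03 03:02:10 build-07 sshd[905]: Accepted publickey for bob from 10.0.4.30 port 50333 ssh2
"""

TS = r"(?P<ts>\w{3} \d\d \d\d:\d\d:\d\d) (?P<host>\S+) "
SSHD_RE = re.compile(TS + r"sshd\[\d+\]: (?P<result>Accepted|Failed) \w+ for "
                     r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
MYSQL_RE = re.compile(TS + r"mysqld: Access denied for user "
                      r"'(?P<user>[^']+)'@'(?P<src>[^']+)'")

@dataclass(frozen=True)
class HoneyAlert:
    ts: str
    host: str      # where the attempt was seen
    user: str      # the decoy account that was used
    src: str       # source address of the attempt
    result: str    # "Accepted" or "Failed": both are alerts
    planted: str   # where the defender left the bait, for triage

def parse_line(line):
    """Return a dict of fields for a recognised auth event, else None."""
    m = SSHD_RE.match(line)
    if m:
        return m.groupdict()
    m = MYSQL_RE.match(line)
    if m:
        return {**m.groupdict(), "result": "Failed"}   # MySQL denied access
    return None

def detect_honey_use(log_text, honey_accounts=HONEY_ACCOUNTS):
    """Alert on every auth event whose user is a planted decoy account."""
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and ev["user"] in honey_accounts:
            alerts.append(HoneyAlert(ev["ts"], ev["host"], ev["user"], ev["src"],
                                     ev["result"], honey_accounts[ev["user"]]))
    return alerts

def sources_touching_honey(alerts):
    """Distinct source addresses that used a decoy: the pivot for triage."""
    return sorted({a.src for a in alerts})

if __name__ == "__main__":
    for a in detect_honey_use(SAMPLE_LOGS):
        print(f"{a.ts} {a.host}: {a.result} login as decoy {a.user!r} "
              f"from {a.src} ({a.planted})")
```

Because the decoy names are never used legitimately, the alert needs no threshold or baseline, and the `planted` field tells the responder which bait the adversary found and therefore which system they had already reached.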
References
- Zetter, K. (2017, June 03). A Google Site Meant to Protect You Is Helping Hackers Attack You. Retrieved December 01, 2017, from https://www.wired.com/2014/09/how-hackers-use-virustotal/
- Verizon. (2017, May 02). 2017 DBIR: Understand Your Cybersecurity Threats. Retrieved December 01, 2017, from http://www.verizonenterprise.com/verizon-insights-lab/dbir/2017/
- U.S. Census Bureau. (n.d.). Current Population. Retrieved December 01, 2017, from https://www.census.gov/popclock/print.php?component=counter
- Bocetta, S. (n.d.). Chinese State Sponsored Hacking. Retrieved December 01, 2017, from https://www.realcleardefense.com/articles/2017/11/23/chinese_state_sponsored_hacking_112675.html
- Zetter, K. (2017, June 03). An Unprecedented Look at Stuxnet, the World’s First Digital Weapon. Retrieved December 01, 2017, from https://www.wired.com/2014/11/countdown-to-zero-day-stuxnet/
- Szoldra, P. (2016, July 07). A new film gives a frightening look at how the US used cyberwarfare to destroy nukes. Retrieved December 01, 2017, from http://www.businessinsider.com/zero-days-stuxnet-cyber-weapon-2016-7
- Cymmetria. (n.d.). MazeRunner Product Whitepaper. Retrieved December 01, 2017, from http://l.cymmetria.com/mazerunner-product-whitepaper
- Michael, J. B., Auguston, M., Rowe, N. C., & Riehle, R. D. (2002, June). Software decoys: Intrusion detection and countermeasures. In Proc. Workshop on Inf. Assurance, IEEE (West Point, N.Y.), 130–138.
- Tarnopolsky, N. (2017, October 09). Israel opposed the U.S.-Iran nuclear deal. But how happy will Israel be if Trump really scraps it? Retrieved December 01, 2017, from http://www.latimes.com/world/middleeast/la-fg-israel-iran-deal-20171009-story.html
- Chakravartula, R. (2016, July 27). What is Enumeration? Retrieved December 01, 2017, from http://resources.infosecinstitute.com/what-is-enumeration/#gref
- Brenner, S. W. (2007, September 17). Cybercrime, cyberterrorism and cyberwarfare. Retrieved December 02, 2017, from https://www.cairn.info/revue-internationale-de-droit-penal-2006-3-page-453.htm
- 18 U.S. Code § 1030 – Fraud and related activity in connection with computers. (n.d.). Retrieved December 01, 2017, from https://www.law.cornell.edu/uscode/text/18/1030
- Tafoya, W. (2011, November 01). Cyber Terror. Retrieved December 01, 2017, from https://leb.fbi.gov/articles/featured-articles/cyber-terror
- RAND. (n.d.). Retrieved December 02, 2017, from https://www.rand.org/topics/cyber-warfare.html
- Gallagher, S. (2013, July 30). Pwned again: An exclusive look at Pwnie Express’ newest hack-in-a-box. Retrieved December 02, 2017, from https://arstechnica.com/information-technology/2013/07/pwned-again-an-exclusive-look-at-pwnie-express-newest-hack-in-a-box/
- Volz, D., & Finkle, J. (2016, March 25). U.S. indicts Iranians for hacking dozens of banks, New York dam. Retrieved December 02, 2017, from https://www.reuters.com/article/us-usa-iran-cyber/u-s-indicts-iranians-for-hacking-dozens-of-banks-new-york-dam-idUSKCN0WQ1JF