Putin loves his hackers, comparing them to artists who feel great in the morning and immediately start work on some new masterpiece. He told them, feel free to hack away, just anywhere except the homeland, and if your hacks coincide with Russian goals, well so much the better.
They went at it with a vengeance in 2014, and Ukraine became a testing ground for election interference, disinformation campaigns, interference with and destruction of infrastructure, and casting doubt on the election process. There was little Ukraine could do to retaliate, given its history and geographic dependence on Russia. The hackers were wildly successful, and our 2016 campaign reflected many of their techniques. The Mueller report has laid out exactly how they went about it.
One interesting chapter examines the market for zero-day exploits, how it works and how it has changed from companies suing hackers who find bugs to actively soliciting and paying for bugs, and especially for the zero-day exploits. (A zero-day exploit is a vulnerability that has yet to be discovered and patched, making it extremely valuable for anyone with malicious intent. The Stuxnet worm created by the U.S. and Israel to destroy the Iranian centrifuges used several.) Paying for the bugs meant a rise in prices, from mere hundreds of dollars to many thousands, and countries found themselves competing against bad actors, other countries, and companies for the zero-day exploits.
The Stuxnet exploit is discussed in more detail than I had read before. Of particular interest were the policy determinations and the effect of the Iraq war on those decisions. Deaths of American soldiers in Iraq were at their highest level when the Israelis, wanting to repeat their successful strike on the Syrian nuclear reactor (see ShadowStrike), insisted they wanted the U.S. to bomb the Iranian facility. Bush couldn't afford such a provocative action, one the military's war games revealed would result in WW III. So he authorized the unique and first-ever cyber strike to result in physical destruction of an opponent's infrastructure. It used an unheard-of seven zero-day exploits, and the preparation was boosted by an Iranian intelligence error of Trumpian proportions when the Iranian leader bragged to the press about the facility and gave them a tour of their centrifuges, allowing pictures. This gave the Stuxnet planners all the information they needed about the brand and type of centrifuges being used, allowing them to target those directly with the Stuxnet malware. The Israelis were kept informed and must have assisted, because Bush could not have them operating unilaterally.
Stuxnet showed the world the power and destructiveness of the cyber-world, and soon the value of zero-day exploits exploded as smaller countries and those without a large military realized that with little expense they could equal the United States and China in offensive capability. The attack on Saudi Arabia's oil network** that destroyed thousands of their computers and disrupted oil networks, used some of the same code the U.S. had utilized in an attack a few months prior and was clearly retaliation for that attack. The hackers got in through an email someone in ARAMCO had opened.
One of the mantras I try to inculcate in my students is to NEVER click on a link in an email. If you have reason to believe it might be valid, go to the web site and investigate there, never via a link in an email. The Russian hack of the DNC email was the result of a typo. Podesta got an email purportedly from Gmail claiming he needed to reset his password. He ran it by their IT guy, who meant to write back that the link was ILlegitimate but left off the initial IL. What the IT guy should have insisted on, besides noting it was illegitimate, was to hammer away at the danger of clicking on email links. So Podesta, thinking it was legit, clicked on it and gave the Russian hackers instant access to the DNC's emails.
The chapter on how the WannaCry ransomware was unleashed on the world and its origin is alone worth the price of the book. The role of the NSA in hiding its zero-day exploits rather than alerting Microsoft so they could be patched was highlighted by Brad Smith, Microsoft's CEO, in an essay. "We have seen vulnerabilities stored by the CIA show up on Wikileaks, and now this vulnerability stolen from the NSA has affected customers around the world. Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage." Ironically, the ransomware garnered little in the way of financial rewards for the North Korean malefactors, but it caused billions in damage to computers around the world, especially because the originators had not built in a workable way to pay the ransom. In another travesty, the teenager who discovered a built-in kill switch to the malware was arrested by the FBI for hacking! (See the Wikipedia article for more information.)
An important book. I recommend reading it along with Cyberspies by Gordon Corera.
Greenberg writes for WIRED magazine and is a specialist in cyber security and privacy issues. This book is an extremely readable account of a Russian hacker group nicknamed Sandworm that succeeded in shutting down a substantial amount of infrastructure throughout the world but was aimed primarily at Ukraine. The attacks targeted every aspect of Ukrainian society: government servers, media organizations, transportation hubs. Ukrainian cyber experts could only watch as systems began to crash all around them. Public web sites, trains, banking systems and ATMs were disrupted. Finally, the electricity grid collapsed, plunging hundreds of thousands of Ukrainians into darkness.
Having read several articles and books on Stuxnet, the successful destruction of Iranian nuclear centrifuges by the U.S. and Israel, I was anxious to read Greenberg's book. "Zero Day" security flaws are software holes that have never been used before, so their vulnerability has yet to be discovered or fixed. Knowledge of these is precious to those wishing to penetrate systems. The Sandworm group (the name came from a Frank Herbert novel, Dune) has access to several and used them to great effect. The group went to great lengths to disguise themselves and hide. To Greenberg's credit, he is able to explain how experts deciphered what group was responsible, and he does it in language free of technical jargon.
Just a few months ago, a Netherlands researcher wanted to come to the U.S. to present a paper on the vulnerability of the industrial control system. There are almost 30,000 of these devices (programmable logic controllers) that control everything from wastewater plants to the electrical grid. The researcher, thanks to America's arcane and silly visa system, was not admitted and so unable to present these important findings. Fortunately he was able to post them to his blog. Whether that resulted in a wider dissemination of the information than had he delivered his talk is academic, perhaps. **
Researcher Wojciech used standard OSINT techniques (the CIA has identified five main OSINT fields: Internet, media, geolocation, conferences, and online pictures) to analyze the exposed ICS devices. Many of these are used in critical infrastructure that would include dams, the electrical grid, reactors, health treatment facilities, etc. Critical infrastructure developed by OSINT can be used not just by espionage agencies, but also by criminal elements who may seek to gain monetary advantage by holding these devices hostage. OSINT techniques are passive, in that the target remains completely unaware it is being surveilled. Access may be gained by open ports, IP addresses, knowledge of details of the specific devices and how they work -- all freely available online and elsewhere -- and even responses from the device itself.
Here's an example of device information that's available that even includes the phone number: There are several programs that permit searching the internet for active ICS devices (https://www.shodan.io, for example). The author lays out precisely how to go about searching. Many of these devices have open management ports that are convenient for technicians to access the devices remotely for maintenance. That, however, makes them extremely vulnerable to malicious actors. General contractors with government contracts are particularly vulnerable, as they have a history of being more open and thus more vulnerable.
That hackers can cause innumerable problems has already been shown in Ukraine, Estonia, and Georgia where the Russians devastated each country's infrastructure. Andy Greenberg in Sandworm documents what happened in several cases. In Ukraine access to the banking system was eliminated.
It took forty-five seconds to bring down the network of a large Ukrainian bank. A portion of one major Ukrainian transit hub…was fully infected in sixteen seconds. Ukrenergo, the energy company…had also been struck yet again…the effect was like a vandal who first puts a library’s card catalog through a shredder, then moves on to methodically pulp its books, stack by stack.
Ukraine became a testing ground for Russian hacking. Disinformation to spread distrust in the election and tampering with the infrastructure were simply test runs for their successful attacks on United States electoral trust in 2016 and 2020. Ukraine had taken the brunt of Russian abuse for centuries and Greenberg's short history of those onslaughts was suitably horrifying. (See also Anne Applebaum's Red Famine: Stalin's War on Ukraine to understand why Ukraine at first welcomed the Nazis.)
US officials, typically heads in the sand, refused to admit something similar could happen in the U.S. yet we now know that Russian hackers infiltrated the U.S. election system and may well have manipulated the outcome in a variety of unorthodox ways. In 2016, Iranian hackers attacked several US banks causing millions in damages and shut down a dam presumably in retaliation for the Stuxnet attack. The attacks themselves were quite unsophisticated, mostly DDoS attacks that even the most unsophisticated hacker can pull off.
There is software (malware, really) that has been designed for specific purposes; Stuxnet is but one example. Another, discovered by the security firm Dragos, was CrashOverride***, only the fourth example of malware designed to attack and manipulate the controllers in electrical grids. "The functionality in the CRASHOVERRIDE framework serves no espionage purpose and the only real feature of the malware is for attacks which would lead to electric outages."
Greenberg shows that a variety of software is available, even for sale, that permits relatively easy access for anyone, but can also be used to hide the origin of the attacker. To make matters worse, Greenberg wrote in Wired (https://www.wired.com/story/plundervo...) of researchers who had managed to access and control Intel processors (a vulnerability that has since been fixed) by manipulating the internal voltage of the processor. You can induce faults by lowering or changing the voltage and once you can do that you can change the output by manipulating the faults. The technique, called Plundervolt, was discovered concurrently by a researcher in Beijing. (Take from that what you will.)
In his book, Greenberg focuses on Sandworm, a group of hackers and software named after the malicious creature in Dune (cyberanalysts had discovered that preference while doing research on the code - don't ask me how.) They determined there was evidence that Sandworm had been infiltrating critical infrastructure—some of it in the United States—since 2011 and had already developed a weapon that could knock it out. When it was used against Ukraine, it had evolved even further.
The hackers had, in other words, created an automated cyberweapon that performed the same task they’d carried out the year before, but now with inhuman speed. Instead of manually clicking through circuit breakers with phantom hands, they’d created a piece of malware that carried out that attack with cruel, machine-quick efficiency.
PowerPoint users need to take note that the program has become so large, and now includes so many useless features, that it has almost become its own programming language. The Sandworm group utilized the ability to place objects and run programs within slides to place malware within the user's computer that would download or run other programs unbeknownst to the user.
They managed to fix the system in about an hour, but the point was made. Another group, calling themselves ShadowBrokers, made off with a whole set of penetration tools developed by the NSA and turned them loose in the wild, where virtually anyone with a modicum of knowledge can make use of them. Shadow Brokers caused immense harm when they released EternalBlue, malware that spread faster than anything anyone had seen before. Within minutes it had disabled pharmaceutical companies, and Maersk, the huge shipping company, was brought to its knees.
"'For days to come, one of the world's most complex and interconnected distributed machines, underpinning the circulatory system of the global economy itself, would remain broken,' Greenberg writes of the attack on Maersk, calling it 'a clusterfuck of clusterfucks.' The company was only able to get its ships and ports back in operation after nearly two weeks and hundreds of millions of dollars in losses, when an office in Ghana was found to have the single computer that hadn't been connected to the Internet at the time of the attack." ****
I've been reading a lot of books and articles on the potential for cyberwarfare. The potential is there for even non-state actors to operate in the shadows and do tremendous harm. Then again, shutting down most of our industry might solve the global warming worst-case scenarios. One apocalypse preventing another.