Tag Archives: cyberwarfare

Algorithms as Weapons –Tracking,Targeting Nuclear Weapons

 
New and unproved technologies—this time computer systems capable of performing superhuman tasks using machine learning and other forms of artificial intelligence (AI)—threaten to destabilise the global “strategic balance”, by seeming to offer ways to launch a knockout blow against a nuclear-armed adversary, without triggering an all-out war.

A report issued in November by America’s National Security Commission on Artificial Intelligence, a body created by Congress and chaired by Eric Schmidt, a former boss of Google, and Robert Work, who was deputy defence secretary from 2014-17, ponders how AI systems may reshape global balances of power, as dramatically as electricity changed warfare and society in the 19th century. Notably, it focuses on the ability of AI to “find the needle in the haystack”, by spotting patterns and anomalies in vast pools of data…In a military context, it may one day find the stealthiest nuclear-armed submarines, wherever they lurk. The commission is blunt. Nuclear deterrence could be undermined if AI-equipped systems succeed in tracking and targeting previously invulnerable military assets. That in turn could increase incentives for states, in a crisis, to launch a devastating pre-emptive strike. China’s rise as an AI power represents the most complex strategic challenge that America faces, the commission adds, because the two rivals’ tech sectors are so entangled by commercial, academic and investment ties.

Some Chinese officials sound gung-ho about AI as a path to prosperity and development, with few qualms about privacy or lost jobs. Still, other Chinese fret about AI that might put winning a war ahead of global stability, like some game-playing doomsday machine. Chinese officials have studied initiatives such as the “Digital Geneva Convention” drafted by Microsoft, a technology giant. This would require states to forswear cyber-attacks on such critical infrastructure as power grids, hospitals and international financial systems.  AI would make it easier to locate and exploit vulnerabilities in these…

One obstacle is physical. Warheads or missile defences can be counted by weapons inspectors. In contrast, rival powers cannot safely show off their most potent algorithms, or even describe AI capabilities in a verifiable way….Westerners worry especially about so-called “black box” algorithms, powerful systems that generate seemingly accurate results but whose reasoning is a mystery even to their designers.

Excerpts from Chaguan: The Digital Divide, Economist, Jan 18, 2019

The Repressive Digital Technologies of the West

A growing, multi-billion-dollar industry exports “intrusion software” designed to snoop on smartphones, desktop computers and servers. There is compelling evidence that such software is being used by oppressive regimes to spy on and harass their critics. The same tools could also proliferate and be turned back against the West. Governments need to ensure that this new kind of arms export does not slip through the net.

A recent lawsuit brought by WhatsApp, for instance, alleges that more than 1,400 users of its messaging app were targeted using software made by NSO Group, an Israeli firm. Many of the alleged victims were lawyers, journalists and campaigners. (NSO denies the allegations and says its technology is not designed or licensed for use against human-rights activists and journalists.) Other firms’ hacking tools were used by the blood-soaked regime of Omar al-Bashir in Sudan. These technologies can be used across borders. Some victims of oppressive governments have been dissidents or lawyers living as exiles in rich countries.

Western governments should tighten the rules for moral, economic and strategic reasons. The moral case is obvious. It makes no sense for rich democracies to complain about China’s export of repressive digital technologies if Western tools can be used to the same ends. The economic case is clear, too: unlike conventional arms sales, a reduction in spyware exports would not lead to big manufacturing-job losses at home.

The strategic case revolves around the risk of proliferation. Software can be reverse-engineered, copied indefinitely and—potentially—used to attack anyone in the world…. There is a risk that oppressive regimes acquire capabilities that can then be used against not just their own citizens, but Western citizens, firms and allies, too. It would be in the West’s collective self-interest to limit the spread of such technology.

A starting-point would be to enforce existing export-licensing more tightly… Rich countries should make it harder for ex-spooks to pursue second careers as digital mercenaries in the service of autocrats. The arms trade used to be about rifles, explosives and jets. Now it is about software and information, too. Time for the regime governing the export of weapons to catch up

The spying business: Western firms should not sell spyware to tyrants, Economist, Dec. 14, 2019

Cyber-Attacking Nuclear Plants: the 3 000 cyber bugs

In the first half of 2019 , no country endured more cyber-attacks on its Internet of Things—the web of internet-connected devices and infrastructure—than India did. So asserts Subex, an Indian telecommunications firm, which produces regular reports on cyber-security. Between April and June of 2019, it said, recorded cyber-attacks jumped by 22%, with 2,550 unique samples of malware discovered. Some of that malicious code is turning up in hair-raising places.

On October 28, 2019 reports indicated that malware had been found on the computer systems of Kudankulam Nuclear Power Plant in Tamil Nadu, the newest and largest such power station in India. Pukhraj Singh, a cybersecurity researcher who formerly worked for the National Technical Research Organisation (NTRO), India’s signals-intelligence agency, says he was informed of the malware by an undisclosed third party in September, and notified the government.The attackers, he said, had acquired high-level access and struck “extremely mission-critical targets”…. On October 30, 2019 the body that operates nuclear power plants acknowledged, sheepishly, that a computer had indeed been infected, but it was only an “administrative” one.

Sensitive sites such as power plants typically isolate the industrial-control systems (those that control the workings of a plant) from those connected to the wider internet. They do so using air-gaps (which involve disconnecting the system from the wider world), firewalls (which monitor data-flows for suspicious traffic) or data diodes (which allow information to flow out but not in).

But breaching a computer on the outside of these digital moats is nevertheless troubling. It could have given the attackers access to sensitive emails, personnel records and other details which would, in turn, make it easier to gain access to the more isolated operational part of the plant. America and Israel are thought to have sneaked the devastating Stuxnet virus into Iran’s air-gapped uranium-enrichment plant at Natanz around 2007 by planting a USB stick on a worker, who carried it inside and plugged it in.

The culprit behind the Kudankulam attack is unknown, but left some clues. The malware in question is from a family known as DTrack, which gives attackers an intimate look at what victims are doing—down to their keystrokes. It is typically used to monitor a target, making it easier to deliver further malware. DTrack was originally developed by a group of hackers known as the Lazarus Group, who are widely assumed to be controlled or directed by North Korea.

Excerpts from On the DTrack: A cyber-attack on an Indian nuclear plant raises worrying questions, Economist, Nov. 1, 2019

Firing Back with Vengeance: the NSA Weapons

The strike on IDT, a conglomerate,… was similar to WannaCry in one way: Hackers locked up IDT data and demanded a ransom to unlock it.  But the ransom demand was just a smoke screen for a far more invasive attack that stole employee credentials. With those credentials in hand, hackers could have run free through the company’s computer network, taking confidential information or destroying machines….Were it not for a digital black box that recorded everything on IDT’s network, …the attack might have gone unnoticed.

Scans for the two hacking tools used against IDT indicate that the company is not alone. In fact, tens of thousands of computer systems all over the world have been “backdoored” by the same N.S.A. weapons. Mr. Ben-Oni and other security researchers worry that many of those other infected computers are connected to transportation networks, hospitals, water treatment plants and other utilities…

Both WannaCry and the IDT attack used a hacking tool the agency had code-named EternalBlue. The tool took advantage of unpatched Microsoft servers to automatically spread malware from one server to another, so that within 24 hours… hackers had spread their ransomware to more than 200,000 servers around the globe. The attack on IDT went a step further with another stolen N.S.A. cyberweapon, called DoublePulsar. The N.S.A. used DoublePulsar to penetrate computer systems without tripping security alarms. It allowed N.S.A. spies to inject their tools into the nerve center of a target’s computer system, called the kernel, which manages communications between a computer’s hardware and its software.

In the pecking order of a computer system, the kernel is at the very top, allowing anyone with secret access to it to take full control of a machine. It is also a dangerous blind spot for most security software, allowing attackers to do what they want and go unnoticed. In IDT’s case, attackers used DoublePulsar to steal an IDT contractor’s credentials. Then they deployed ransomware in what appears to be a cover for their real motive: broader access to IDT’s businesses…

But the attack struck Mr. Ben-Oni as unique. For one thing, it was timed perfectly to the Sabbath. Attackers entered IDT’s network at 6 p.m. on Saturday on the dot, two and a half hours before the Sabbath would end and when most of IDT’s employees — 40 percent of whom identify as Orthodox Jews — would be off the clock. For another, the attackers compromised the contractor’s computer through her home modem — strange.

The black box of sorts, a network recording device made by the Israeli security company Secdo, shows that the ransomware was installed after the attackers had made off with the contractor’s credentials. And they managed to bypass every major security detection mechanism along the way. Finally, before they left, they encrypted her computer with ransomware, demanding $130 to unlock it, to cover up the more invasive attack on her computer.

A month earlier, Microsoft had issued a software patch to defend against the N.S.A. hacking tools — suggesting that the agency tipped the company off to what was coming. Microsoft regularly credits those who point out vulnerabilities in its products, but in this case the company made no mention of the tipster. Later, when the WannaCry attack hit hundreds of thousands of Microsoft customers, Microsoft’s president, Brad Smith, slammed the government in a blog post for hoarding and stockpiling security vulnerabilities.  For his part, Mr. Ben-Oni said he had rolled out Microsoft’s patches as soon as they became available, but attackers still managed to get in through the IDT contractor’s home modem.

There are now YouTube videos showing criminals how to attack systems using the very same N.S.A. tools used against IDT, and Metasploit, an automated hacking tool, now allows anyone to carry out these attacks with the click of a button….

“Once DoublePulsar is on the machine, there’s nothing stopping anyone else from coming along and using the back door,” Mr. Dillon said.More distressing, Mr. Dillon tested all the major antivirus products against the DoublePulsar infection and a demoralizing 99 percent failed to detect it.  “We’ve seen the same computers infected with DoublePulsar for two months and there is no telling how much malware is on those systems,” Mr. Dillon said. “Right now we have no idea what’s gotten into these organizations.”..

Could that attack be coming? The Shadow Brokers resurfaced last month, promising a fresh load of N.S.A. attack tools, even offering to supply them for monthly paying subscribers — like a wine-of-the-month club for cyberweapon enthusiasts.

Excerpts from NICOLE PERLROTHJUNE, A Cyberattack ‘the World Isn’t Ready For’,  New York Times, June 20, 2017

Biometrics: Behavioral and Physical

From DARPA pdf document available at  FedBizOpps. Gov Enhanced Attribution
Solicitation Number: DARPA-BAA-16-34

Malicious actors in cyberspace currently operate with little fear of being caught due to the fact that it is extremely difficult, in some cases perhaps even impossible, to reliably and confidently attribute actions in cyberspace to individuals. The reason cyber attribution is difficult stems at least in part from a lack of end-to-end accountability in the current Internet infrastructure…..The identities of malicious cyber operators are largely obstructed by the use of multiple layers of indirection… The lack of detailed information about the actions and identities of the adversary cyber operators inhibits policymaker considerations and decisions for both cyber and non-cyber response options (e.g., economic sanctions under EO-13694).

The DARPA’s Enhanced Attribution program aims to make currently opaque malicious cyber adversary actions and individual cyber operator attribution transparent by providing high-fidelity visibility into all aspects of malicious cyber operator actions and to increase the Government’s ability to publicly reveal the actions of individual malicious cyber operators without damaging sources and methods….

The program seeks to develop:

–technologies to extract behavioral and physical biometrics from a range of devices and
vantage points to consistently identify virtual personas and individual malicious cyber
operators over time and across different endpoint devices and C2 infrastructures;
–techniques to decompose the software tools and actions of malicious cyber operators into semantically rich and compressed knowledge representations;
–scalable techniques to fuse, manage, and project such ground-truth information over time,toward developing a full historical and current picture of malicious activity;

–algorithms for developing predictive behavioral profiles within the context of cyber campaigns; and
–technologies for validating and perhaps enriching this knowledge base with other sources of data, including public and commercial sources of information.

Excerpts from Enhanced Attribution, Solicitation Number: DARPA-BAA-16-34, April 22, 2016

Hacking the Power Grid

In Ukraine on Dec. 23, 2015 the power suddenly went out for thousands of people in the capital, Kiev, and western parts of the country. While technicians struggled for several hours to turn the lights back on, frustrated customers got nothing but busy signals at their utilities’ call centers….Hackers had taken down almost a quarter of the country’s power grid, claimed Ukrainian officials.  Specifically, the officials blamed Russians for tampering with the utilities’ software, then jamming the power companies’ phone lines to keep customers from alerting anyone….Several of the firms researching the attack say signs point to Russians as the culprits. The malware found in the Ukrainian grid’s computers, BlackEnergy3, is a known weapon of only one hacking group—dubbed Sandworm by researcher ISight Partners—whose attacks closely align with the interests of the Russian government. The group carried out attacks against the Ukrainian government and NATO in 2014…

The more automated U.S. and European power grids are much tougher targets. To cloak Manhattan in darkness, hackers would likely need to discover flaws in the systems the utilities themselves don’t know exist before they could exploit them. In the Ukrainian attack, leading security experts believe the hackers simply located the grid controls and delivered a command that shut the power off. Older systems may be more vulnerable to such attacks, as modern industrial control software is better at recognizing and rejecting unauthorized commands, says IOActive’s Larsen.

That said, a successful hack of more advanced U.S. or European systems would be a lot harder to fix. Ukrainian utility workers restored power by rushing to each disabled substation and resetting circuit breakers manually. Hackers capable of scrambling New York’s power plant software would probably have to bypass safety mechanisms to run a generator or transformer hotter than normal, physically damaging the equipment. That could keep a substation offline for days or weeks, says Michael Assante, former chief security officer for the nonprofit North American Electric Reliability.

Hackers may have targeted Ukraine’s grid for the same reason NATO jets bombed Serbian power plants in 1999: to show the citizenry that its government was too weak to keep the lights on. The hackers may even have seen the attack as in-kind retaliation after sabotage left 1.2 million people in Kremlin-controlled Crimea without lights in November 2015. In that case, saboteurs blew up pylons with explosives, then attacked the repair crews that came to fix them, creating a blackout that lasted for days. Researchers will continue to study the cyber attack in Ukraine, but the lesson may be that when it comes to war, a bomb still beats a keyboard.

Excerpts How Hackers Took Down a Power Grid, Bloomberg Business Week, Jan. 14, 2016

Forecast a CyberAtttack: IARPA

From the website of IARPA (Intelligence Advanced Research Projects Activity (IARPA) — a US research agency under the Director of National Intelligence.

“Approaches to cyber defense typically focus on post-mortem analysis of the various attack vectors utilized by adversaries. As attacks have evolved and increased over the years, established approaches (e.g., signature-based detection, anomaly detection) have not adequately enabled cybersecurity practitioners to get ahead of these threats. This has led to an industry that has invested heavily in analyzing the effects of cyber-attacks instead of analyzing and mitigating the “cause” of cyber-attacks,

The CAUSE   (Cyber-attack Automated Unconventional Sensor Environment)Program seeks to develop cyber-attack forecasting methods and detect emerging cyber phenomena to assist cyber defenders with the earliest detection of a cyber-attack (e.g., Distributed Denial of Service (DDoS), successful spearphishing, successful drive-by, remote exploitation, unauthorized access, reconnaissance). T

he CAUSE Program aims to develop and validate unconventional multi-disciplined sensor technology (e.g., actor behavior models, black market sales) that will forecast cyber-attacks and complement existing advanced intrusion detection capabilities. Anticipated innovations include: methods to manage and extract huge amounts of streaming and batch data, the application and introduction of new and existing features from other disciplines to the cyber domain, and the development of models to generate probabilistic warnings for future cyber events. Successful proposers will combine cutting-edge research with the ability to develop robust forecasting capabilities from multiple sensors not typically used in the cyber domain…”

Excerpt from IARPA website