I recently took part in a webinar with IHS Janes, the defence analysts, on cyberwar, cyberterrorism and cybercrime. I presented alongside Dr Dave Sloggett, an expert on terrorism and asymmetric threats, Jerry Dixon from Team Cymru and Alex Von Rosenbach a lead analyst at IHS Janes.
Expect to see a recording of the webinar coming along soon, but in the meantime here is a transcript of my thoughts on the subject:
The intensity of cyber threats is relentless
Only recently the International Monetary Fund (IMF) became the target of a hack attack resulting in the agency temporarily suspending network connections with the World Bank to protect its systems.
Apparently this disconnection of network systems followed the detection of some suspicious file transfers. A subsequent investigation found that an IMF personal computer had been compromised and used to access other IMF systems. Some reports suggest that the IMF was the target of a spear phishing attack designed to plant malware inside its systems.
A spear phishing attack normally takes the form of a well-crafted, convincing-looking email that appears to come from a close colleague. Often contained in the email is a malware payload disguised as a Word document or image. Once the attachment is opened the malware is discreetly installed on the user's computer and will then start to gather data, including keystrokes and user credentials.
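The disguise described above (an executable dressed up as a document or image) leaves traces a mail gateway can check before the attachment ever reaches a user. The following added example, written for this post and not taken from the webinar or any product, parses a message with Python's standard `email` library and flags attachments whose file extension is risky, whose name carries a double extension, or whose leading bytes do not match what the extension claims. The message, the sender addresses and the attachment payloads are all constructed for the demonstration.

```python
import email
from email import policy
from email.message import EmailMessage

# Byte signatures ("magic numbers") that identify common attachment formats.
MAGIC = {
    b"MZ": "executable",                 # Windows PE/DOS executable
    b"%PDF": "pdf",
    b"\xd0\xcf\x11\xe0": "ole-office",   # legacy .doc/.xls container
    b"PK\x03\x04": "zip-or-ooxml",       # .zip, .docx, .xlsx
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG": "png",
}
# What a file extension implies the content should look like.
EXT_TO_KIND = {
    "doc": "ole-office", "xls": "ole-office", "docx": "zip-or-ooxml",
    "xlsx": "zip-or-ooxml", "pdf": "pdf", "jpg": "jpeg", "jpeg": "jpeg", "png": "png",
}
# Extensions Windows will run directly when the file is double-clicked.
RISKY_EXT = {"exe", "scr", "bat", "cmd", "js", "vbs", "hta"}


def sniff(data: bytes) -> str:
    """Identify the real format of an attachment from its leading bytes."""
    for sig, kind in MAGIC.items():
        if data.startswith(sig):
            return kind
    return "unknown"


def check_attachment(filename: str, data: bytes) -> list[str]:
    """Return human-readable findings for one attachment (empty list means nothing odd)."""
    findings = []
    exts = filename.lower().split(".")[1:]
    if exts and exts[-1] in RISKY_EXT:
        findings.append(f"{filename}: executable extension .{exts[-1]}")
    if len(exts) >= 2:
        findings.append(f"{filename}: double extension .{'.'.join(exts)}")
    # The first extension is the one a user glances at; compare it to the real content.
    claimed = EXT_TO_KIND.get(exts[0]) if exts else None
    actual = sniff(data)
    if claimed and actual != "unknown" and actual != claimed:
        findings.append(f"{filename}: content looks like {actual} but name claims {claimed}")
    return findings


def scan_message(raw: bytes) -> list[str]:
    """Parse a raw RFC 5322 message and check every attachment."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        data = part.get_content()
        if isinstance(data, str):          # text attachments come back as str
            data = data.encode()
        findings.extend(check_attachment(part.get_filename() or "(unnamed)", data))
    return findings


def build_sample_message(filename: str, maintype: str, subtype: str, payload: bytes) -> bytes:
    """Constructed sample message (not a real capture) with one attachment."""
    msg = EmailMessage()
    msg["From"] = "colleague@example.org"
    msg["To"] = "analyst@example.org"
    msg["Subject"] = "Photos from the meeting"
    msg.set_content("Hi, see attached.")
    msg.add_attachment(payload, maintype=maintype, subtype=subtype, filename=filename)
    return msg.as_bytes()


# Constructed payloads: a PE-style header posing as an image, and a JPEG-style header.
FAKE_EXE = b"MZ" + b"\x00" * 62 + b"PE\x00\x00"
REAL_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 16

if __name__ == "__main__":
    for finding in scan_message(build_sample_message("photo.jpg.exe", "image", "jpeg", FAKE_EXE)):
        print("SUSPICIOUS:", finding)
    print("benign findings:", scan_message(build_sample_message("photo.jpg", "image", "jpeg", REAL_JPEG)))
```

The magic-number check matters more than the extension check: a sender can name a file anything, but an executable still has to start with the bytes the loader expects, so a mismatch between the declared extension and the sniffed format is a strong signal on its own.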
In another, unrelated incident, Lockheed Martin said that it had come under attack from hackers using information gleaned from an earlier high-profile attack on RSA, a security company, back in March of this year. This demonstrates the relentless attacks on intellectual property that many aerospace and defence companies are under. Many attacks come from state-sponsored entities trying to gain access to confidential data and industrial secrets that could be worth millions of dollars.
We seem to be in the middle of cyber turmoil, as criminals, spies and rogue states try to get to our data, financial details and industrial secrets. These stories make good headlines, but the truth is often more disturbing.
Defining cyberwar is tough
The commonly cited examples of the Estonian and Georgian governments being attacked in 2007/8 could arguably be categorised as aggressive hacktivism rather than cyberwar, depending on which parties you believe were involved. Indeed, some research indicates that the attacks, which affected some government agencies, emanated from hackers based in Russia acting on their own initiative rather than being a state-sponsored punch-up.
In contrast, cyberterrorism has been defined by the US National Infrastructure Protection Center, now part of the Department of Homeland Security, as "a criminal act perpetrated through computers resulting in violence, death and/or destruction, and creating terror for the purpose of coercing a government to change its policies". Herein lies an interesting debate. I would suggest that we see very few criminal acts that truly fit this definition. Hacktivism is another term intermingled with the three cyber terms we are discussing. Hacktivism combines hacking and activism in one term. It means the use of digital tools in the pursuit of political ends and normally results in a plethora of mainly annoying attacks such as the defacement of websites and the stealing of low-level information. Rarely does it result in what could be described as cyberterrorism, but that said, there is no doubt that aggressive hacktivism is on the rise.
The scale of cybercrime is difficult to assess, although recent research indicates the cost to the UK alone from cybercrime to be around $45 billion per year, of which a large proportion relates to stolen intellectual property. What is certain is that for many people it is a real and present problem, but it remains under-reported for reasons of embarrassment, ignorance or a lack of faith in the authorities to investigate any possible offences.
So what are the typical attack tools used in cyberwar, cyberterrorism and cybercrime?
There are a variety of ways in which websites and public-facing computer systems can be attacked by hacktivists, and attacks on websites continue to be a popular form of political demonstration. In December 2010 around 36 Pakistani government websites were hacked by an online hacker group called the Indian Cyber Army. All hosted on the same server, the sites that were hacked included those of the Pakistan Army, the Ministry of Foreign Affairs, the Ministry of Education and the Ministry of Finance. The attacks consisted of messages and graphics inserted into the web pages with political messages, some of which related to the attacks in Mumbai.
Also in December 2010 a number of financial payment websites were subject to denial of service attacks by hacktivists disgruntled at these companies no longer processing payments to the WikiLeaks website. For commercial websites that trade across the internet this can be catastrophic and is the equivalent of having all their real world stores closed down in one go.
Denial of service attacks can range in their level of sophistication from the destruction of physical internet connection points through to the flooding of websites with extraneous data that overwhelms web servers, forcing them to close down. This is similar to blocking the switchboard of a business with lots of phone calls that are terminated as soon as they are picked up, but uses the TCP/IP protocol that runs the internet to flood servers with bogus messages. These attacks can be coordinated using hijacked networks of computers, called botnets, that in turn are forced to send high levels of spurious data to target websites. There are steps that network designers can take to mitigate such attacks but, in reality, a significant attack can be difficult to manage, and often the best course of action is to take down the servers and hope the attackers go away.
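One of the first steps a network team takes when a site slows to a crawl is to look at the access log for sources that are requesting far more than any human could. The following added example, written for this post rather than taken from the webinar or any product, reads Common Log Format lines and applies a per-address sliding-window rate check, reporting each source that exceeds a request threshold inside the window. The log lines, addresses and thresholds are constructed for the demonstration; in practice the window and threshold would be tuned to the site's normal traffic.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
# Common Log Format: ip ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)$'
)


def parse_line(line: str):
    """Return (ip, timestamp, request) for a CLF line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m["ip"], datetime.strptime(m["ts"], TS_FMT), m["req"]


def detect_floods(lines, window_seconds: int = 10, threshold: int = 50) -> dict:
    """Sliding-window rate check per source address.

    Lines are assumed to be in chronological order, as an access log is.
    Returns {ip: timestamp_first_exceeded} for every source that made at least
    `threshold` requests inside any `window_seconds` span.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # ip -> timestamps of its requests still inside the window
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, _ = parsed
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # drop requests that fell out of the window
            q.popleft()
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = ts
    return flagged


def sample_log() -> list[str]:
    """Constructed access log (not a real capture): light legitimate traffic from four
    addresses plus one source hammering the checkout page."""
    base = datetime(2010, 12, 8, 10, 0, 0, tzinfo=timezone.utc)
    events = []
    for i in range(20):                       # about one request per second from legitimate users
        events.append((base + timedelta(seconds=i), f"192.0.2.{i % 4 + 1}", "/index.html"))
    for i in range(120):                      # 120 requests in 6 seconds from one source
        events.append((base + timedelta(seconds=5, milliseconds=50 * i), "198.51.100.7", "/checkout"))
    events.sort()
    return [f'{ip} - - [{ts.strftime(TS_FMT)}] "GET {path} HTTP/1.1" 200 512'
            for ts, ip, path in events]


if __name__ == "__main__":
    for ip, when in detect_floods(sample_log()).items():
        print(f"{ip} exceeded the rate threshold at {when.isoformat()}")
```

A per-address check like this catches a single noisy source and is the logic behind most simple rate limiters; a botnet spreads the same load across thousands of addresses, each staying under the threshold, which is why the post's point stands that a large distributed attack is hard to manage at the server itself and usually needs upstream filtering.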
More sinister is a malware threat that emerged in 2010 called Stuxnet. Researchers had been aware of this malware for many months, but it hit the media headlines when reports emerged of Stuxnet finding its way into Iranian nuclear plants. The malware was apparently written to target industrial control systems such as those used in manufacturing and processing plants. Its ultimate aim is to reprogram control systems by modifying the code on programmable logic controllers (PLCs) in such a way that plant operators would never suspect anything was wrong. In contrast to a denial of service attack, which is extremely noisy, Stuxnet is a very clever and covert attack. Bundled with the Stuxnet malware is a whole arsenal of additional components designed to assist in this control system attack, including zero-day exploits, antivirus evasion and a Windows rootkit, an advanced form of malware. So why bother to mess with PLCs? In fact Stuxnet only affects specific PLCs controlling electric motors that run at particular high speeds and frequencies. These are only available from two specific companies, and the attack will only be initiated if there are at least 33 of these devices present. The majority of Stuxnet infections were found in Iran, and these devices are regulated for export by the United States Nuclear Regulatory Commission as they can be used in centrifuges for uranium enrichment.
Yes, the implication is that Stuxnet is a powerful piece of malware created to disrupt the enrichment of uranium by the Iranian government. Clearly this advanced malware has not been developed by a back-bedroom hacker, as it needed very specific insight into the workings of complex industrial control systems. This is a high-water mark in terms of malware, and evidence is starting to emerge that conventional cybercriminals are adapting Stuxnet for more conventional criminal activities.
As those that propagate cyberthreats become more creative they are targeting devices other than conventional computers. The rise in popularity of smartphones has seen an upsurge in hacker interest, as well as more sinister use of these devices to spread propaganda by jihadist groups.
There are now specialized propaganda units creating materials to be spread via Bluetooth wireless interfaces. A typical data package is designed for a mobile operating system such as Symbian and allows quick installation of the jihadists' materials. It also enables sympathizers to adhere to the jihadists' principles of religious conduct and warfare by assuming an active role in spreading this material. The data contained in these packages covers nearly the whole range of jihadist materials: from Afghanistan to Iraq, Somalia, Yemen, the 9/11 attacks, the Fort Hood shooting and attempted operations in the West.
Whatever the realities of current cyber threats, companies, organisations and individuals can do a lot to protect themselves, their intellectual property and their systems. Putting in place good anti-malware, regular computer patches and good end-user education to help people spot attacks such as phishing emails will go a long way towards preventing you from becoming a victim of cyber threats.
The good news is that preparing defences for a cyber threat, be it cyberwar, cyberterrorism or cybercrime, is basically the same. Most companies are more at risk from cybercrime than from cyberwar or cyberterrorism. We just need to make sure that business decision makers understand the threat in a measured way so they can support us as we protect the systems and networks. Less hyperbole and more grounded assessment with practical advice is what we all need to protect our data, financial systems and intellectual property.