A Deep Dive Into Cyber Warfare
We’ve entered a new era of warfare strategy. In this era, we attack the enemy by exploiting its defensive vulnerabilities- its network of electronics. In this Information Technology (IT) age, the United States and our adversaries depend on communication systems and computers to perform functions vital to national defense.
What happens if the system is penetrated by a “bug”?
That’s a scary scenario. Contemplate the ramifications of being hacked to the extent you are defenseless. If critical system components crash or cease to function normally, it is all over. The bug wins, you lose. Now, think of this happening on a large industrial scale, or even one triggering a national disaster.
“Bug” has become the catchword for a malware exploit by a virus, a worm, a Trojan horse or a blended threat of the three bugs.
I cover this in chapter six of Killing Time, the second novel in the Biff Roberts-CIA intelligent thriller series. Published in 2013, the chapter explains how a malware exploit destroyed a thousand Uranium centrifuges at Iran’s Natanz nuclear facility, ultimately setting back their nuclear ambitions for at least three years. The ingenious Stuxnet virus, described as a “digital missile” was the culprit.
Stuxnet specifically targeted the uranium centrifuges’ command and control systems, sending them spinning out of control. The blended threat additionally knocked off the feedback system, so facility supervisors did not detect the damage until too late. Beleive it or not, this event really happened and I have dramatized it in Killing Time.
Killing Time‘s title is a double entendre referrring to the scenario I just described. Iran is stalling, buying time to develop a nuclear bomb, while it’s adversaries are killing its chances with a cyber attack and targeted assassinations of their nuclear scientists.
The following is an excerpt from the novel. Biff Roberts has invited Ralf Sanger, a German expert on malware cyber security, one of the first to break the Stuxnet code, to brief select CIA/NSA officers on the exploit. The chapter takes you through the cyber attack so you will have a comprehensive understanding of the genius behind this malware and its impact on Iran’s uranium enrichment endeavors. This chapter is a primer in cyber warfare at its best.
CHAPTER SIX – KILLING TIME
THE BRIEFING — LANGLEY, VIRGINIA
“Gentlemen . . . and I use that term loosely,” Biff grinned, “we are fortunate to welcome Ralf Sanger here today for our special briefing, focusing on the Stuxnet virus. Before he begins, I’d like to give you some history on uranium enrichment and the development of a cyber-warfare strategy to contravene the development of nuclear technology by rogue nations and terrorists. Names and places are fictitious to protect the innocent, of course.”
This jocular, satirical disclaimer elicited an uproar of laughter from the audience of NSA cipher specialists and seasoned field officers, all eager to hear what the venerated operative, Biff Roberts, and the German cyber security expert had to say.
“UF6, uranium hexafluorine, is essential in the gaseous centrifuge process of this enrichment. As you well know, enriched U235 is required in commercial light water reactors and to produce a controlled nuclear fission chain reaction. Basically, build a bomb, 101’ technology. Following me? They need about 90% purity for a nuclear bomb. So they still have a way to go.”
The conference audience murmured an affirmative, enjoying Biff Roberts’ lively presentation. A few were impressed with his knowledge, but most were not surprised. He was at the top of his game.
“Okay . . . now consider a series of hypotheticals. What if you could interfere with this enrichment process without military intervention or covert sabotage of the nuclear facility by a team of Navy Seals in the middle of the night? Consider an alternative like cyber warfare? No loss of life, and it forestalls a credible threat. Maybe even averts WW III. Too good to be true, right?
“Well, what about Stuxnet? Effective viral cyber-attack? How’d it come about? Ralf Sangner will elaborate on that subject, but bear with me for a moment. A little more history . . .
“In 2008, the Department of Energy sponsored a conference at the Idaho National Lab to evaluate potential vulnerabilities in Microsoft Windows operating systems and Siemens industrial SCADA networks—supervisory control and data acquisition systems. There were holes found in both. Let me again leave it there for Ralf to go into the particulars. Next, consider another hypothetical situation. What if you developed a program with a worm that could take over the enemy’s computers, and cleverly disguised the virus so that they were completely unaware of the foreign invasion? Great idea, huh? You’d own them by controlling their computers! You’d have the power to surreptitiously sabotage their operations. By the time they figured it out, significant destruction would have occurred. Bring to mind a case in point? How about Stuxnet for starters? Nifty clandestine compromise of Iranian nuclear reactors, yes?
“Go a step further. What if you had a chance to test your hypothesis for effectiveness prior to employing a vicious cyber-attack on a rogue nuclear facility? Make sure the bug does it job. Work out the kinks. Be nice, agree?
“Say you had colleagues with a facility in the middle of the Negev desert—something like the Dimona complex—who were eager to test the bug’s effectiveness, but didn’t have P-1s to test it on? But you just happen to have some P-1s left over from when you confiscated a cache from Libya. Remember when Gaddafi relented on pursuing a nuclear program in 2003? Might work, huh? Then let’s make a deal. After POTUS, Bubba, gave his okay on the transaction, you supplied your buddies with the necessary number of P-1s to conduct these critical tests. This is all supposition, of course.”
The crowd snickered.
“Now let’s pretend our colleagues worked out all the kinks on Microsoft windows and the Siemens industrial equipment with their test trials, simulated the identical setup at Iran’s Natanz nuclear facility. You’re ready to go, locked and loaded. How would you launch a cyber-attack . . . and still maintain plausible deniability?
“I’ll let our guest speaker answer that . . . Ralf?”
Rokman nudged Leroy, “Impressive warm up.”
Leroy agreed. Biff’s presentation was not diffident. He never hesitated to let it all hang out.
“Thank you, Biff. You really set the tone. Let me run through some of your fictional, what-if scenarios and cite some specific characteristics of Stuxnet’s blended exploits, then conclude with recommendations to maintain optimal systems security to avert a copycat or retaliatory cyber-attack.
“First, some definitions so as not to confuse terminology. A computer bug is a catchall term for a malicious invasion. A virus attaches itself to a program or file, enabling it to spread computer to computer only when it involves human action, like running an unknown malicious program—in most cases on an executable file. Typical examples are e-mails with attachments or sharing infected files. A virus can not only damage files, but software and hardware as well. Some use the terms virus and worms interchangeably. But there are definite differences.
“Worms can spread computer to computer without human intervention. A worm taps into the file or information transport features on your computer, allowing it to travel surreptitiously and unaided. It can replicate on your computer, consuming system memory and depleting network bandwidth. A worm can send out thousands of copies of itself with devastating effects. Web servers, network servers, and individual computers overload and simply stop responding. The greatest threat occurs when a worm tunnels into your system, giving malicious users control over your computer—a very scary proposition!
“Next, consider the Trojan Horse virus. As in mythology, it involves trickery and deception. It presents itself as authentic with a bona fide signature, posing as files from a legitimate source. So naturally, you open them and expose your computer to malicious activity. It may delete files or destroy information on your system. In a worst-case scenario, the Trojan creates a back door and gives the uninvited hacker full access to your confidential information. Now you’re in real trouble. That puts you in a seriously compromised situation! Bu Trojans do not self-replicate or reproduce by infecting other files, like worms do.
“There are also blended threats—sophisticated mixes of viruses, worms, and Trojan horses all compiled into a single malicious code. The attack comes from multiple points, using multiple methods to exploit vulnerabilities. It can cause damage to several areas of your network at the same time, like modifying your exec, HTML files, and registry keys simultaneously. Blended threats are considered the worst security risk since they require no human intervention to propagate.
Okay, now let’s address zero-day threats, exploits, and vulnerability windows. For viruses, Trojans, and other zero-day attacks, the four-step sequence is as follows—the developer’s software contains an unknown vulnerability, the attacker discovers the vulnerability before the developer, the attacker writes and distributes an exploit during this period of unawareness, and then, maybe years later, the developer finds the vulnerability and starts to fix it. This requires analysis, testing, reporting, and mitigating. And it consumes valuable time.
“Zero-day attacks are lethal ways to exploit root access of a system. They’re programmed to slip through the security cracks of installed applications and take advantage of vulnerability on the exact day that the vulnerability becomes publicly known. Patching the vulnerability takes ingenuity, expense, and time.
“Now, look at Stuxnet. To maintain plausible deniability, it was launched from remote sites, say maybe Denmark or Malaysia. These countries had no axe to grind. No motive. They were the most unlikely suspects.
“How was the worm introduced? That’s interesting speculation, but quite clever and conceivable. Plausible spy novel stuff, right down your alley, Biff.”
Everyone got a kick out of the friendly jibe. Biff cracked a smile and retorted, “This is all supposition, of course,” implying that it had never really happened.
This friendly exchange broke the audience up. They hooted and hollered, much to Sangner’s surprise. He smiled and waited for the commotion to subside, then continued his dissertation.
“My best guess is the infiltration originated from two sources—the personal computers of Natanz employees, but more cleverly through those belonging to the Russian reactor contractors. The worm traveled undetected on their drives into the Natanz facility.
“JCS Atom Story Export, the Russian contractor building the Iranian Bushehr reactor, had its website hacked. Some of its web pages are still blocked by security vendors fearing host malware. Not an auspicious advertisement for a company contracting to deal with nuclear secrets. I suspect that this was a classic Trojan horse strategy that worked to perfection. Very clever, indeed. JCS’s signature provided and assured the worm a legitimate doorway through which to infect the Natanz SCADA systems.”
This revelation really hooked the CIA group. They exchanged views on the covert tactic, murmuring excitedly among themselves. A select few in the audience were familiar with the Trojan horse, but most were not and were spellbound by the skill and intrigue involved in successfully penetrating Iran’s reactor site in this manner.
Rokman and Leroy smiled. They had collaborated with Mossad on this critical phase of the highly classified scheme. Rokman Behrouz still had assets in the Middle East. His family had fled Tehran in ’79, avoiding the Revolution’s purge. Some sleeper cells, his cousins in fact, had been extremely helpful in facilitating this conspiracy. They’d pulled it off without a hitch using sophisticated spyware and malware that Rokman had provided them. Their talent ranked them as hackers par excellence with the best professionals.
The German consultant was amused at the group’s animated reaction. He could see that ingenuity of this covert action captivated them. Sangner had assumed all this information would be common knowledge in the agency, but evidently even spies kept secrets from each other.
He continued, “It gets better, gentlemen. Observe genius at work. Once introduced, Stuxnet could manipulate Microsoft’s Windows shortcuts, using four different zero-day vulnerabilities to gain access to corporate networks. Once Stuxnet had network access, it would then seek out the specific PLCs—programmable logic controllers—those things responsible for managing the Siemens software that controlled the facility’s SCADA systems. PLCs are essentially tiny computers about the size of a crayon that regulate machinery in factories, power plants, and most importantly in this case, contractor and engineering projects, such as those at the Natanz nuclear plant.
“PLCs perform critical computerized work, such as opening and shutting valves. But in Natanz’s case their functional design designated that they control the speed and spinning rate of the uranium centrifuges during the gaseous enrichment process. Stuxnet is a precision, customized bug. It searches through thousands of computer components and targets only these small gray boxes called PLCs. This clever tactic represents an electronic marksman’s job on Siemen’s software.”
He paused for effect to let this revelation sink in.
“Another interesting feature is that the virus self-erases on a set date to avoid detection. Ingenious! The virus’ name is derived from a fake cover anagram of the letters found in two parts of its code. More about that later. The attack continues.”
“Stuxnet’s attack code targeted three other unpatched Windows vulnerabilities—a print spooler bug and two EoPs, elevation of privilege. The worm didn’t stop there. It exploited a Windows bug patched in 2008 with Microsoft’s MS08-067 update. Recall the notorious Cornficker worm at that time? Stuxnet packs about twenty times that viral impact! Using four zero-days is unprecedented. Now here’s the nitty gritty . . . how Stuxnet commandeers the nuclear plant.”
Everyone shifted in their seats, ready to take notes.
“Now it gets technical. Once Stuxnet invaded the network through an infected USB device, the virus employed EoP vulnerabilities to gain administrative access to other PCs, seeking out specific systems running the WinC and PCS- 7 SCADA management programs. I consider this a smart maneuver—it enabled the virus to hijack these system, exploiting either the print spooler or the MS08-067 bugs. In the next sequence, the virus used default Siemens passwords to take control of the SCADA software. The passwords authorized the software to reprogram the facility’s PLCs to give the machinery a new set of instructions. The attack code appeared legitimate because those behind Stuxnet had stolen at least two signed digital certificates!
“Not your ordinary hackers, people. A brilliant consortium carefully planned this cyber-attack. It had to involve talented computer techs experienced on the rootkit side to the database side and experienced exploit writers. Exceptional conception, accomplished execution. Stuxnet was not an espionage mission. It was a precise search and destroy mission targeting Natanz nuclear reactors.”
These remarks brought down the house with applause and a few whistles. A select few took it as a compliment. Others had an inkling of a CIA-Mossad plot. It had their fingerprints all over it. Sangner’s presentation was blowing them away. He understood Stuxnet inside and out.
“There are several other brainy aspects to this story,” Ralf continued. “Stuxnet was programmed to minimize the risk of discovery. It utilized a counter in the infected USB to prevent the virus from spreading to more than three PCs. The perpetrators obviously wanted to limit the extent of the threat so that the worm or virus would avoid detection and remain isolated within the nuclear facility to accomplish its targeted mission—disrupting and destroying the uranium enrichment centrifuges. Once inside, Stuxnet used MS08-067 exploit only if it recognized that the target represented part of a SCADA network. This step tells me that those executing the operation had intimate knowledge of the plant’s machinery and computers. The execution of this step was flawless. Why do I say that?”
Shaking of heads in the assembled crowd.
“There is no login on most SCADA networks, therefore they have limited security. In other words, the networks are quite vulnerable. SCADAs have very slow patch cycles. The long-patched MS08-067 exploit was perfect for the job. Incidentally, I’m not the only expert who delved into the Stuxnet mystery—security experts in Belarus, Symantec, and Microsoft contributed significantly to our knowledge.
“Now comes what I refer to as the duel warheads of the digital missile, Stuxnet. Enormously inspired talent masterminded this brilliant idea, a stroke of genius. The worm kicks into gear only when it detects a specific configuration of controllers, running a certain set of processes that exist only in a centrifuge plant. Talk about a designated target!
“One section of the code is designed to send commands to 984 machines linked together, sending them spinning out of control, undetected. International inspectors noted that exactly 984 machines had been taken out of service at Natanz in 2009. Satellites had noted that unusually high turnover rate earlier, correlating their observation.
“Now comes an attribute I consider uncanny. One part of the program lies dormant for long periods, then speeds up the P-1 machines at such a high rate that the centrifuge’s spinning rotors wobble and spin out of control, destroying themselves. This clever exploit simultaneously sends out false sensor signals that indicate the system is functioning smoothly. Like a prerecorded message. The facility supervisors don’t have a clue anything is going wrong until they later discover the damage done.
“In computer jargon, this is known as ‘the man in the middle’. This intelligent ploy prevents a safety system from kicking in, which would automatically shut down the plant before it self-destructs. Code analysis indicates this represents sophisticated cyber warfare, destroying targets with military precision. The expert attackers exploited specific quirks of Siemens controllers and understood exactly how the Iranians had designed their uranium enrichment operations. They took advantage of critical holes and gained control of the facility—with devastating results. Stuxnet appears to be the best malware ever developed. And Stuxnet left four seeds in the system for stealthy attacks at a later date!
“Finally, maybe someone left a clue in Stuxnet’s code, a sort of in your face fingerprint, implicating Israel’s involvement. This is an interesting bit for you to mull over. Researchers in Vancouver found a marker with the digits 19790509 buried deep inside the worm’s code. Many think it’s a reference to Iran’s execution of a leading Jewish businessman on charges of spying for Israel. He faced a firing squad on May 9, 1979. A strange coincidence? I’m inclined to think not. Other experts discovered part of the code entitled Myrtus, a possible allusion the Old Testament’s account of the foiling of an ancient anti-Jewish Persian plot. Happenstance?
“Yaniv Leviathan, an expert in cyber warfare at the University of Haifa in Israel asked why a security agency would leave a signature, a calling card. I quote him, ‘If a state wants to plant something by stealth, why put a signature on it? It could be a double bluff. This is a world of lies upon lies upon lies.’ Something to think about, gentlemen.”
The audience rustled in their seats.
“Your security is top-notch here at Langley, but be alert for retaliatory attacks now that the blueprint is out there for copycats. Don’t be complacent. Biff and I have discussed this concern as the threat level increases. It’s a linear relationship. Monitor your data 24/7 with continuous firewall programs like Threatfire, and include the myriad of anti-virus updates in multilevel security IT environments. Segregate your data. Limit file sharing. Change your encrypted passwords periodically. Never use your company computer for personal reasons. Purge legacy and minority technologies. Maintain a core forensics capability. Have an emergency communication intranet plan in case you suddenly have to shut down your network to avoid further damage from a hack or exploit. But of course, I’m preaching to the choir here at Langley.”
Everyone got a chuckle out of that comment.
“The best method to protect critical infrastructure from cyber-attacks is to put its control systems on separate ad secure private networks. Networks that aren’t connected to the Internet. In other words, develop an intranet. Employee carelessness or inattention is then taken out of the equation. Most cyber-attacks originate from a careless person at the CIA opening an infected Internet attachment. If the CI company has its own intranet, the risk is obviated.
“In conclusion, what concerns me is the next generation of malware. Some call it the ‘Son of Stuxnet’. Technology builds on itself. The clock is ticking. Digital dirty bombs
may be the next wave. They may not be as powerful as Stuxnet on a single system, but could have a far broader effect on many systems. Stuxnet is a game changer, a glimpse of what future wars may look like. Cyber warfare has enormous ethical and political ramifications. Stuxnet didn’t kill anyone. That’s a good thing. It accomplished a military mission with precision. But in the long run, it opened Pandora’s box.”
The crowd applauded, and some stood in line to ask technical questions afterwards.
Rokman took Biff aside. “Retaliation has started. We missed your dinner get-together in Georgetown last night deciphering chatter, but we couldn’t specify the soft targets. We just got word of some car bombings of Israeli Embassy personnel in New Delhi, Bangkok, and Georgia.”