
Cyberwarfare Evolution and Western Power Grid APT Profile

Introduction

Since 1998 the technical complexity, effectiveness and frequency of cyber-attacks and cyberwarfare have increased dramatically. Starting with relatively unorganized, simple intrusions such as the Solar Sunrise incident of 1998, cyberwarfare has evolved into something very well planned, strategic and sophisticated (such as the Stuxnet worm that damaged the centrifuges of the Iranian uranium enrichment program), developed by professionals either working for or sponsored by a nation-state. The following discussion outlines significant events in the evolution of cyberwarfare, explains how the Internet facilitates cyberwarfare, and describes how today's Advanced Persistent Threats differ from earlier attack methods. It concludes by identifying the most plausible point of origin for an APT attack on the Western Power Grid, along with the most likely profile of the attackers behind it.

Evolution of Cyberwarfare

The Solar Sunrise attack of 1998 is considered an early form of cyberwarfare because the targets were U.S. government systems, including Department of Defense networks. However, it was obvious that the intrusions were not performed by professionals: the attackers left a massive trail of evidence, and the investigation traced them to two California teenagers and an Israeli hacker rather than to a foreign government.

“Moonlight Maze,” a second intrusion campaign against U.S. government systems that was discovered in 1998, was far stealthier, having remained undetected for over a year (it is now believed to have begun as early as 1996). Investigators established that the attacks originated outside the United States and that large quantities of information were stolen, but because the forensic evidence was limited the perpetrators were never positively identified, although the campaign is widely attributed to Russia.

The “Code Red” worm released in 2001 was a major step forward in the evolution of cyberwarfare tools. Unlike a virus, which needs a host program or document and usually a user action to spread, Code Red was a fully automated attack weapon: it exploited a buffer overflow in Microsoft's IIS web server, copied itself to new hosts without any user involvement, and then launched a denial-of-service attack against a White House web address. Although self-replicating worms had existed since the Morris worm of 1988, Code Red's scale and built-in payload provided nation-states and cyberwarfare activists with a template upon which they could build future automated attacks.

Similarly, the “SQL Slammer” worm released in January 2003 introduced yet another level of cyberwarfare weapon, one that could self-replicate at remarkable speed. Slammer exploited a buffer overflow in Microsoft SQL Server 2000 and MSDE, fit entirely within a single 376-byte UDP packet, and infected most of its roughly 75,000 victims within ten minutes, clogging Internet links with scanning traffic in well under an hour. Its author was never identified; the claim sometimes repeated that the Chinese hacker group “Honker Union” released it has never been substantiated. The replication mechanism used in SQL Slammer was extremely effective and provided cyberwarfare communities with a template they could use for future weaponization.

In 2005, as a result of the investigation code-named “Titan Rain,” it was reported in the press that, beginning at least two years earlier, cyber-attacks originating in China had penetrated U.S. Department of Defense systems as well as those of defense contractors and national laboratories. The investigators attributed the attacks to units of the People's Liberation Army (PLA), the Chinese military, operating under China's doctrine of computer network operations (CNO). It was learned later that the Chinese state was also supporting a large number of activist hacker groups within China, evidence that nation-states were sponsoring cyberwarfare activities.

Further technological evolution of cyberwarfare led to malware that could be remotely reprogrammed, with the built-in sophistication to change behavior as required to accomplish the objective for which it was released. The Stuxnet worm (discovered in 2010) and the related Duqu malware (discovered in 2011, built on the same platform but used for reconnaissance rather than sabotage) possessed these qualities. Stuxnet, the better known of the two, was allegedly developed in a joint U.S./Israeli effort to infiltrate and sabotage the Iranian uranium enrichment program at Natanz. Stuxnet was the first malware known to inject malicious code into an industrial controller rather than only a PC: after spreading through Windows hosts, it modified the control logic on Siemens S7 programmable logic controllers and drove the frequency converters powering the enrichment centrifuges outside their safe operating range, while replaying normal readings to the operators, until the centrifuges physically failed. Iran later acknowledged that its nuclear program had been affected by “an incident”; outside estimates put the resulting setback at between 18 months and two years. What is most disconcerting about Stuxnet is that the same approach can be used to infect and control the embedded devices in the ICS (Industrial Control Systems) and SCADA (Supervisory Control And Data Acquisition) systems used for managing a nation's utility and power grids, such as the Western Power Grid, essentially a cyberwarfare first-strike capability should a nation-state perform effective reconnaissance and weaponize accordingly.

The Operation Aurora, FOXACID and Careto campaigns introduced sophisticated social engineering, automated exploit selection and large command and control networks into cyber-attacks. The Operation Aurora attacks, revealed by Google in January 2010, used “spear phishing,” compelling emails and messages tailored to specific employees that contained links to malicious web pages, to exploit a previously unknown Internet Explorer vulnerability on employee workstations and from there reach Google's internal systems. The attacks appear to have originated within China, either from the Chinese government or from a group within China, because one focus of the attacks was the Gmail accounts of Chinese human rights activists. FOXACID, an exploit server system operated by the National Security Agency (NSA) and revealed in 2013, selected its exploits automatically, including zero-day exploits, based on the profile and vulnerabilities of the targeted browser, a rudimentary form of automated decision-making that is sometimes loosely described as AI. Careto (“The Mask”), discovered in 2014 after operating undetected since about 2007, infected more than 1,000 IP addresses in over 30 nations and was managed through command and control infrastructure distributed across many hosting providers, with stolen information captured and forwarded to the operators. Careto's ability to be controlled from virtually anywhere, its information-gathering capabilities, and its ability to remain undetected make it among the first cyberwarfare efforts that approached the capabilities of present-day APT (Advanced Persistent Threat) attacks.

Characteristics of an APT

The evolution of cyber-attacks and cyberwarfare described above led to what is now called the Advanced Persistent Threat, or APT. APT attacks are very difficult to detect, typically unfold over a long period of time, employ multiple attack techniques, and can be recognized by five characteristics. First, APT attacks usually begin with social engineering, such as phishing and spear phishing, to gain an initial foothold in the target environment. Second, they use sophisticated tools for every stage of the attack, including reconnaissance to identify vulnerabilities, zero-day exploits, and specialized remote access tools that call out to the attackers' command and control infrastructure so the group retains access after the initial penetration. Third, APT attacks are conducted or sponsored by highly structured organizations, and the attack group itself is disciplined and well organized rather than a haphazard group of “script kiddies.” Fourth, APT groups pursue a clear set of objectives, such as stealing information, or gaining control of systems so that they can deny access to them when they choose. Fifth, APT groups operate like software organizations: they use standard development tools and reuse existing malware components rather than building each attack from scratch.
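The second characteristic above, sustained remote access through command and control infrastructure, is also what a defender can hunt for: a remote access tool that calls home on a timer leaves a regular rhythm in outbound traffic that human browsing does not. The following Python script is an added example and is not part of the original essay. It runs a common beaconing check over a constructed web proxy log, grouping requests by client and destination and flagging pairs whose request intervals are nearly constant. The host names, addresses, interval and thresholds are all assumptions.

```python
"""Detect periodic command-and-control beaconing in web proxy logs.

Added example for this essay, not code from the original page. The log
lines below are constructed. The idea: for each (client, destination)
pair, look at the gaps between successive requests. Browsing produces
irregular gaps; an implant calling home on a timer produces many gaps
that are almost identical (low jitter).
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log: "<timestamp> <client_ip> <dest_host> <bytes>"
SAMPLE_LOG = """\
2016-03-01T08:00:00 10.20.5.17 updates.example-cdn.test 412
2016-03-01T08:05:01 10.20.5.17 updates.example-cdn.test 410
2016-03-01T08:10:00 10.20.5.17 updates.example-cdn.test 415
2016-03-01T08:15:02 10.20.5.17 updates.example-cdn.test 409
2016-03-01T08:20:00 10.20.5.17 updates.example-cdn.test 413
2016-03-01T08:25:01 10.20.5.17 updates.example-cdn.test 411
2016-03-01T08:30:00 10.20.5.17 updates.example-cdn.test 414
2016-03-01T08:00:12 10.20.5.17 news.example.test 18233
2016-03-01T08:03:40 10.20.5.17 news.example.test 9021
2016-03-01T08:31:05 10.20.5.17 news.example.test 22310
2016-03-01T08:32:19 10.20.5.17 news.example.test 7744
2016-03-01T09:45:00 10.20.5.17 news.example.test 15002
2016-03-01T08:00:00 10.20.5.23 news.example.test 12000
"""


def parse_log(text):
    """Yield (timestamp, client, host) tuples from the log text."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, host, _bytes = line.split()
        yield datetime.fromisoformat(ts), client, host


def find_beacons(text, min_hits=6, max_jitter=0.05):
    """Return {(client, host): (mean_gap_seconds, jitter)} for pairs whose
    request intervals are regular enough to look like timed callbacks.

    jitter is the coefficient of variation (population stdev / mean) of
    the gaps: browsing gives values near or above 1, a timer gives values
    near 0. min_hits avoids flagging a pair on too few samples.
    """
    times = defaultdict(list)
    for ts, client, host in parse_log(text):
        times[(client, host)].append(ts)

    suspects = {}
    for pair, stamps in times.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        jitter = pstdev(gaps) / avg
        if jitter <= max_jitter:
            suspects[pair] = (avg, jitter)
    return suspects


if __name__ == "__main__":
    for (client, host), (avg, jitter) in find_beacons(SAMPLE_LOG).items():
        print(f"{client} -> {host}: every {avg:.0f}s (jitter {jitter:.3f})")
```

On the constructed log the script reports only the 10.20.5.17 to updates.example-cdn.test pair (a 300-second cycle with jitter below 0.01); the news site, with five irregular visits, is ignored. In a real hunt the thresholds are tuned per environment, and legitimate software that polls on a timer (update checks, monitoring agents) is removed with an allowlist rather than by loosening the jitter bound.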

How APT Differs from Attacks Before 1998

Prior to 1998, cyber-attack objectives were less clear and more exploratory in nature. Attacks of that era were less sophisticated and far less stealthy, leaving a trail of evidence that pointed to the perpetrators while also being much easier to detect during the course of the attack. The tooling was primitive as well: malware existed (the Morris worm of 1988 and the early PC viruses), but the industrialized exploit kits and stockpiles of zero-day exploits used today did not. The attackers themselves were also much less organized, “script kiddies” and lone hackers such as Kevin Poulsen, who operated with very limited resources and ill-defined objectives (as when Poulsen broke into FBI and Army computers), unlike present-day APT groups, which are highly organized, highly skilled, have well-defined objectives and ample resources (from a nation-state or a professional criminal organization), and execute plans with military-like precision (Ries, 2010).

Another aspect of APT is that the Internet itself facilitates the attacks. The Internet provides remote access around the globe and connectivity between nearly every nation on the planet, so that cyberwarfare attacks between countries, such as those cataloged in the “Titan Rain” investigation mentioned above, are possible. Prior to 1998, many attacks took place over dial-up telephone lines (manipulating the telephone network itself was called “phreaking”), such as the attack Kevin Mitnick launched against DEC (Digital Equipment Corporation) systems once he obtained the telephone number needed to dial into them.

Attack Origination on the Western Power Grid Network

Although there are many ways for an APT group to gain access to the Western Power Grid networks, perhaps the most effective and most often overlooked is an attack from inside those networks. Infiltration can take place once the attack group identifies a Western Power Grid employee or contractor who is a sympathizer and willing to join its cause. Once the insider installs a service within the Western Power Grid networks that gives the APT group remote access, the group can begin using the compromised system to perform reconnaissance, identify vulnerable systems, compromise them, and expand its access to and control of the power grid network. Since the Western Power Grid security policies do not require job rotation or separation of duties, and do not allocate permissions to systems on a need-to-know basis, a single insider can install such a service without any second person being involved or noticing, which makes this path not only plausible but likely.
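As an added example, not part of the original essay, the following Python script shows the kind of compensating check that the missing separation of duties calls for: an independent, periodic comparison of a host's installed services against a baseline recorded at commissioning, plus two heuristics aimed at the remote access service the scenario describes (a binary running from a user-writable directory, and a binary named after a Windows system executable). The service names, paths, account name and inventory records are constructed; in practice the current inventory would come from Windows System log Event ID 7045 records or from a service listing collected from each host.

```python
"""Audit a host's Windows services against a commissioning baseline.

Added example for this essay, not code from the original page. All
service records below are constructed. The check is independent of the
administrators who can install services, which is the point when no
separation of duties exists.
"""
from pathlib import PureWindowsPath

# Constructed baseline captured at commissioning: name -> (command line, start type)
BASELINE = {
    "Spooler": (r"C:\Windows\System32\spoolsv.exe", "auto"),
    "ScadaHistorian": (r'"C:\Program Files\Vendor\Historian\hist.exe"', "auto"),
    "W32Time": (r"C:\Windows\System32\svchost.exe -k LocalService", "manual"),
}

# Constructed current inventory from the same host, some weeks later.
# The last entry models an insider-installed listener masquerading as svchost.
CURRENT = {
    "Spooler": (r"C:\Windows\System32\spoolsv.exe", "auto"),
    "ScadaHistorian": (r'"C:\Program Files\Vendor\Historian\hist.exe"', "auto"),
    "W32Time": (r"C:\Windows\System32\svchost.exe -k LocalService", "auto"),
    "WinUpdateHelper": (r"C:\Users\jdoe\AppData\Local\Temp\svchost.exe -L 4444", "auto"),
}

# Directories from which services are normally run; anything else is notable.
TRUSTED_DIRS = (
    PureWindowsPath(r"C:\Windows\System32"),
    PureWindowsPath(r"C:\Program Files"),
    PureWindowsPath(r"C:\Program Files (x86)"),
)

# Names of Windows system binaries that malware commonly copies.
LOOKALIKE_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe"}


def binary_of(command_line):
    """Return the executable path from a service command line.

    Quoted paths are taken up to the closing quote; unquoted ones end at
    the first space (the Windows convention, which is why unquoted paths
    containing spaces are themselves a finding in a real audit).
    """
    cmd = command_line.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split(" ", 1)[0]


def in_trusted_dir(path):
    """True if the path lies under one of TRUSTED_DIRS (case-insensitive)."""
    parents = PureWindowsPath(path).parents
    return any(trusted in parents for trusted in TRUSTED_DIRS)


def audit_services(baseline, current):
    """Return a list of (service_name, finding) pairs describing deviations."""
    findings = []
    for name, (cmd, start) in current.items():
        exe = binary_of(cmd)
        if name not in baseline:
            findings.append((name, "not in baseline"))
        elif baseline[name] != (cmd, start):
            findings.append((name, "changed since baseline"))
        if not in_trusted_dir(exe):
            findings.append((name, f"binary outside trusted directories: {exe}"))
            if PureWindowsPath(exe).name.lower() in LOOKALIKE_NAMES:
                findings.append((name, "masquerading as a Windows system binary"))
    for name in baseline:
        if name not in current:
            findings.append((name, "removed since baseline"))
    return findings


if __name__ == "__main__":
    for service, finding in audit_services(BASELINE, CURRENT):
        print(f"{service}: {finding}")
```

On the constructed data the audit reports the W32Time start-type change and three findings for WinUpdateHelper: it is absent from the baseline, it runs from a user's Temp directory, and its binary name imitates svchost.exe. The baseline itself must be stored and compared somewhere the administrators of the audited host cannot write, otherwise the insider simply updates it along with the service.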

Attacker Profile

Similar to the “Titan Rain” attackers, an APT group attacking the Western Power Grid would most likely target the grid for nationalistic reasons, such as to possess a first-strike capability (for example, the ability to cause a massive power outage) for use when war between the perpetrator's country and the United States is imminent. The stealthy nature of the APT, together with its objective of establishing and maintaining remote access rather than causing an immediate outage or denial of service, is evidence of this motive. The profile is therefore one of malicious intent, most likely sponsored by a foreign government, or possibly militants from a hostile state known for this type of attack, since both would have a clear motive and the resources to conduct such a sophisticated attack.

Conclusion

The Western Power Grid is an attractive target for hostile nation-states that wish to possess a first-strike capability against the United States, or at least to weaken the United States significantly before physically attacking America and/or its allies. An APT attack provides the attackers with stealthy, nearly undetectable remote access, effectively serving the goal of holding control over Western Power Grid systems in reserve for future use. However, with an understanding of how APTs work, Western Power Grid management can take a proactive approach: identify network weaknesses and vulnerabilities within the grid, determine which areas should be monitored for APT-type anomalies (new services and accounts, regular outbound connections to unfamiliar hosts, access to control systems from business networks), and allocate funds toward measures that help ensure the Western Power Grid remains out of foreign hands.

References

U.S. Department of Energy. (2016). Learn more about interconnections. Retrieved from planning/recovery-act-0

Chang, Z. (2014, August 15). 7 places to check for signs of a targeted attack in your network. TrendLabs Security Intelligence Blog. Retrieved from

Chapple, M., & Seidl, D. (2015). Cyberwarfare: Information operations in a connected world. Jones & Bartlett Learning.

Energy Sector Control Systems Working Group. (2011). Roadmap to Achieve Energy Delivery Systems Cybersecurity. Retrieved from

Kushner, D. (2013, February 26). The Real Story of Stuxnet. Retrieved from

Ries, B. (2010). Hackers' 10 most famous attacks, worms, and DDoS takedowns. Retrieved from