Understanding Cyber Conflict
Dr. Panayotis A. Yannakogeorgos, Dean, Air Force Cyber College

The Character of Cyberspace

The cyber domain includes more than just the Internet, but all things relevant within cyberspace require some type of connectivity or networking.

The Internet is the manifestation of networking theory on a global scale.

Cyberspace has national borders, the same as every other domain.

In the cyber domain, at no time is the military likely to be in complete control of the battlespace.

Civilians will be a part of cyberwar, likely as victims whose computers will be placed at risk, but equally likely, they will be cyberwar participants.

Source: JP 3-12(R)

Modern Hacking Tactics and the Cyber Terrain

So who actually owns the Internet? There are two answers to this question:
1. Nobody
2. Lots of people

• APT1 maintained access to victim networks for an average of 356 days. The longest time period APT1 maintained access to a victim’s network was 1,764 days, or four years and ten months.
• In the last two years we have observed APT1 establish a minimum of 937 Command and Control (C2) servers hosted on 849 distinct IP addresses in 13 countries.

Spectrum of Operations in Cyberspace

Access/Exploitation | Deletions/Denial of Service/Disruption/Digital Damage | Physical Effect
Digital intelligence | Interrupt the flow of information or function of information systems without physical damage or injury | Results in physical damage or destruction, injury or death

Spectrum adapted from US Cyber Command, 2013

Cyber Threat Actors

• Hacktivists
• Criminals
• Spies
• Terrorists
• Militaries

Breakdown of Noteworthy Cyber Attacks in 2015 Tracked by Hackmageddon.com

http://www.hackmageddon.com/2016/01/11/2015-cyber-attacks-statistics/

Hacktivists

• Operate anonymously and globally
• Objectives
  – Entertainment – laughs
  – Freedom, transparency, anti-corruption, etc.
• Unorganized, but a blend of anarchy and power circles with factions and splintering
  – Often regional and issue-related factions
• Targets are global and have included
  – Governments/countries
  – Businesses
  – Terrorists, especially ISIS
  – Competing hacktivists
  – Pedophiles

Criminals

• Bangladesh Central Bank Heist, Feb 4-5, 2016
• Criminals tried to withdraw $951 million from the bank’s US account with the Federal Reserve, which is used for international settlements
• Criminals used stolen Bangladesh Bank credentials and operated on the bank’s system to cover up their tracks
• 35 requests were made for money transfers
• 81 million successfully moved to casinos in the Philippines
• Transfers stopped when Deutsche Bank detected a typo in a $20 million transfer to the Sri Lankan organization Shalika Foundation (misspelled as “Fandation”)
• The Philippines froze $68 million of the stolen funds

Terrorists

• Junaid Hussain [TriCk] was involved in recruiting ISIL sympathizers
• Had significant technical skills and expressed a strong desire to kill Americans
• Compiled and published names, email addresses, and phone numbers of US military and government staff, urging lone wolves to “act and kill”
• Sent terror guidebooks including bomb-making instructions and information about domestic terror plots in the UK

Spies & Militaries

FANCY BEAR’s profile closely mirrors the strategic interests of the Russian government, and may indicate affiliation with Главное Разведывательное Управление (Main Intelligence Department) or GRU, Russia’s premier military intelligence service. https://www.crowdstrike.com/blog/who-is-fancy-bear/

2010 Military Doctrine: “integrated use of military force and non-military capabilities, and a greater role for information warfare”

Indicted on cyber espionage charges, Chinese military officers from left to right: Gu Chunhui, Huang Zhenyu, Sun Kailiang, Wang Dong, and Wen Xinyu

2011 Defense White Paper: “combat capability to win local wars in conditions of informationization”

2012 Supreme Council of Cyberspace tasked with the coordination of national cyberwarfare

Actors and Authorities

Onion Routing

Complexity of Response

Hypothetical example for educational use.

What is a Vulnerability? How do they Relate to Threats?

• Vulnerability – Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited by a threat source
• Threat – Any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, or the Nation through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service
• Threat source – The intent and method targeted at the intentional exploitation of a vulnerability, or a situation and method that may accidentally exploit a vulnerability

Source: Glossary definitions (Committee on National Security Systems, 2010)

Most use posted vulnerabilities in pre-programmed exploit packages for their attacks. [HBGary’s Law]

Source: 2015 Verizon Data Breach Report

Anatomy of a Takeover

Target Victims → Install Malware → Target Services (Intranet, etc.) → Collect Data → Initiate Effect

Malware Types

• Trojan horse – Deceptive
• Exploit or exploit code/kit – Exploits security vulnerabilities
• Virus – Attaches to objects; spreads with objects
• Backdoor – Gives attacker access to system
• Worm – Spreads (semi-)autonomously
• Remote access tool (RAT) – Gives attacker remote control
• Logic bomb / time bomb – Triggered by some condition
• Rootkit – Contains backdoors & Trojans
• Spyware – Scoops up data
• Sniffer – Intercepts packets on network
• Keylogger – Records keystrokes
• Downloader/Dropper – Downloads/installs malware
• Scareware – Purports to be a needed security tool
• Wiper – Destroys data on disk
• Ransomware – Encrypts & holds data hostage or locks screen
• RAM scraper – Steals payment data from POS RAM

“Spearphishing”

• With the information that can be found about us and our coworkers on the Internet, hackers can craft a very believable malware-laden email.
• Spoofing email addresses (or using email from a compromised system) is not hard.
  – If you received an email from the director of your department, would you open it?
  – Would you open the PDF document, or follow the URL to get registration information for an upcoming conference you plan to attend?
  – If you weren’t sure the email was legitimate, would you follow up using a separate line of communication to confirm the email’s authenticity?

Watering Holes

https://www.google.com/transparencyreport/safebrowsing

(SEA) Attack on Associated Press

What user saw – not actual link

Ransomware

A type of malware that attempts to extort money by taking control of a victim’s computer or infecting the files and documents stored on it.

CryptoDefense Ransom Demand; Locky Recovery Instructions

Point of Sale

This vector compromises POS terminals where customers swipe a payment card at a checkout counter. RAM (Random Access Memory) scraper malware is installed on a POS device:

• Captures payment card data while it is processed in memory, before it is encrypted for storage or transmission.
• The data is written to a text file which is later sent to an offsite server.
• This credit or debit card data is offered for sale on the black market.

Data used to manufacture counterfeit cards. Often discovery of the breach does not occur until the criminals are noticed to be using the data for illicit purposes by law enforcement or fraud detection entities.

Point of Sale Attack (Target Corporation)
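The RAM scraper described on the Point of Sale slides stages captured card data in a plain text file before exfiltration. An incident responder can triage such a file by looking for Track 2 magnetic-stripe records and keeping only Luhn-valid card numbers. The scanner below is an added example, not material from the deck; the staging file is constructed from standard test card numbers and the record layout assumed is ISO/IEC 7813 Track 2.

```python
import re

# Constructed sample of a staging file: Track 2 records (";PAN=YYMMSSS...?")
# mixed with ordinary POS log noise. 4111111111111111 and 5555555555554444
# are standard test card numbers; the third record is deliberately invalid.
SAMPLE_DUMP = """
2016-02-04 12:01:07 pos01 tx ok
;4111111111111111=2512101123456789?
2016-02-04 12:01:09 pos01 tx ok
;5555555555554444=2607201987654321?
;1234567890123456=2501101000000000?
order 4111 shipped
"""

# Track 2 layout: start sentinel ';', 13-19 digit PAN, '=', YYMM expiry,
# 3-digit service code, optional discretionary data, end sentinel '?'.
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{2})(\d{2})(\d{3})\d*\?")


def luhn_valid(pan: str) -> bool:
    """True if the digit string passes the Luhn check used for card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9          # same as summing the two digits of the product
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first 6 and last 4 digits so findings can be reported safely."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track2(text: str) -> list:
    """Return masked findings for every Luhn-valid Track 2 record in text."""
    findings = []
    for m in TRACK2_RE.finditer(text):
        pan, yy, mm, svc = m.groups()
        if not luhn_valid(pan):
            continue            # looks like a record but is not a real PAN
        findings.append({"pan": mask_pan(pan), "expiry": f"20{yy}-{mm}",
                         "service_code": svc})
    return findings


if __name__ == "__main__":
    for finding in find_track2(SAMPLE_DUMP):
        print(finding)
```

Run against a suspect file, two findings with masked PANs come back and the Luhn-invalid record is dropped; in a real investigation the same scan is what a DLP rule or memory-dump grep would apply.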

The retail giant Target confirmed some 70 million customer credit and debit accounts were compromised in December 2013. Account numbers, expiration dates, cardholder names and credit verification values (CVV) were compromised, plus encrypted debit card PINs were stolen.
• Attackers installed a hybrid of Kaptoxa and Reedum malware on Point of Sale (card reader) machines.
• Both derived from BlackPOS, sold on crime forums for only $2,300 – designed to bypass firewall software.
• The PINs are encrypted with Triple-DES (Data Encryption Standard) – somewhat vulnerable to brute force cracking.

two weeks.

The data breach cost $61M in expenses and resulted in a loss of $700M of revenue from loss of consumer confidence to shop at Target.

Exploitation of Data

• The second-biggest health insurer in the United States detected a breach on 29 Jan 2015 of a database containing personal information for 80 million customers and employees
• The breach exposed names, birthdays, addresses and Social Security Numbers, but not medical information or financial account numbers.
  – Private health data used for extortion, fraud or identity theft.
  – Not clear how hackers obtained systems admin privileges
  – Hacked data tracked to an outside Web-storage service.
  – Changing corporate attitude about rapid disclosures.

Modern Botnets

• Networks of compromised devices (zombies, drones) acting as cyber robots (bots)
  – Devices are put under the command and control (C2) of the botnet herder/owner
  – C2 servers issue commands to bots
• Botnets are used for
  – Spam
  – Distributed denial of service (DDoS) attacks
  – Stealing data – often sold in Bot Chop Shops
  – Fraud – e.g., click fraud and pay-per-install fraud
  – Computational tasks such as bitcoin mining
• Botnets are taken down by taking down their C2
  – Often multinational efforts

Size of DDoS Attacks

2014: 20% reported attacks over 50 Gbps
2015: 25% reported attacks over 100 Gbps

Arbor Networks, Worldwide Infrastructure Security Report 2015

Dyn DDoS Attack

Targeting of a vital Internet infrastructure provider

Dyn offers Domain Name System (DNS) services, essentially acting as an address book for the Internet

Internet of Things devices all over the world were infected with malware

September 2016: the developer of the bot released its source code to the hacking community

DDoS Revenue Loss and Attack Results

Ukraine Power Grid Blackout

SANS analysis of the attack: http://ics.sans.org/media/E-ISAC_SANS_Ukraine_DUC_5.pdf

Cyber-Physical Systems

Cyber-physical systems are IT systems “embedded” in an application in the physical world

Courtesy: Compass Security Germany GmbH

Cyber-Physical Systems

Application areas:
- Energy
- Traffic control
- Parking
- Street lighting
- Public transportation
- Energy, Water and Waste management
- Security
- Street lighting
- City management systems
- M2M
- Sensors (weather, pollution, seismic, olfactory, flood, sound, etc.)

Security issues:
- Almost everything is wireless
- Custom protocol and encryption-related issues (even in RF transceiver chips)
- Huge and unknown attack surface
- Complexity, interdependency, chain reaction
- Simple bugs can cause big problems and have big impact
- Wireless encryption problems

How do you monitor small PLCs? Little systems have a big impact on national security.

Differences in IT & ICS

Attribute | Information Technology | Industrial Control Systems
Confidentiality (Privacy) | High | Low
Message Integrity | Low-Medium | Very High
Availability | Medium | Very High
Authentication | Medium-High | High
Lifetime | 3-5 years | 10-25 years
Operating Systems | COTS (Windows, Linux, …) | COTS at HMI, RTOS at field devices
Patching | Standard and expeditious | Non-standard and potentially long time

Adapted from: National Institute of Standards and Technology, SP 800-82.

NEST Thermostat

Hardware/Protocols
• ZigBee/WiFi Radios [cyber/EW]
• Display board
• Graphics/UI, Networking
• Chips:
  • ARM Cortex A8 app processor
  • USB OTG
  • RAM/Flash (2Gb)
• Proximity Sensors
• Hooks up to AC/Heating system.

Software
• Linux based platform

Implications
• Full control over the house
• Away detection
• Network credentials
• Zip Code
• Remote exfiltration
• Pivoting to other devices

Shodan

Shodan: A special search engine that discovers computers based on software, geography, operating system, IP address and other specified options.

From Vulnerability to Exploit to Physical Effects

https://go.recordedfuture.com/hubfs/reports/ics-scada.pdf

San Bruno, CA Pipeline Explosion

• September 9, 2010
• Explosion excavated a crater 51m long, 7.9m wide and 12m deep.
• 24 hours+ and 25 fire engines, 4 air tankers, 2 air attack planes, and 1 helicopter to contain the fire.
• 32 homes destroyed, 8 lives lost.

Causing a significant misappropriation of funds or economic resources, trade secrets, personal identifiers, or financial information for commercial or competitive advantage or private financial gain

• The range of trade secrets and other sensitive business information stolen in this case is significant

• State actors engaged in cyber espionage for economic advantage: indicted on cyber espionage charges, Chinese military officers from left to right Gu Chunhui, Huang Zhenyu, Sun Kailiang, Wang Dong, and Wen Xinyu
• State-sponsored cyber thieves are as accountable as any other transnational criminal organization that steals and breaks laws

Success in the global market place should be based solely on a company’s ability to innovate and compete, not on a sponsor government’s ability to spy and steal business secrets.

North Korea / Guardians of Peace Cyber Attack Against Sony

• Took place late November 2014
• Used spear phishing, a zero-day exploit, and wiper malware to erase all data on infected computers
• Stole & posted pre-release movies & sensitive data about the company, employees, and film stars
• Sent threatening e-mails to employees
• Demanded money, “equality,” and then later that “The Interview” not be released
• Said they planned to cause Sony to collapse
• Issued threats of violence at theaters if the film was shown
• US attributed the attack to N Korea
• Hacktivists took N Korea off the Internet
• President Obama tightened sanctions against 10 individuals & 3 agencies in N Korea

Cyber Attack - German Steel Mill 2015

• Wholly digital attack caused physical destruction of equipment
• The hack attack led to failures in plant equipment and forced the fast shutdown of a furnace
• Attackers gained access to the steel mill through the plant’s business network, then successively worked their way into production networks to access systems controlling plant equipment

Source: Wired: http://www.wired.com/2015/01/german-steel-mill-hack-destruction/

Questions?
