Security Just Got Real Powerful

The Cybersecurity Challenge

Contents

Foreword
Suspected Iranian Cyber Attacks Show No Sign of Slowing, by Patrick Tucker
New Tech Aims to Tell Pilots When Their Plane Has Been Hacked, by Marcus Weisgerber
The US Must Prepare for a Cyber ‘Day After’, by Samantha Ravich
Russian Hackers Used Stolen Iranian Malware to Attack 35 Countries, NSA Says, by Jack Corrigan
States Must Explain When a Cyber Attack Might Draw a Violent Reprisal, by Jonathan Reiber
Should Cyber Arms Be Treated Like Bioweapons?, by David Fidler

Foreword

It’s enough to make you long for the days when the proliferation of dangerous weapons required more than an email. Late last month, officials with the U.S. National Security Agency and the U.K.’s National Cyber Security Centre announced a joint finding that Russian hackers had used Iranian cyber tools and digital infrastructure to launch attacks on government and industry groups in dozens of countries.

“The disclosure paints a picture of Russian hackers piggy-backing off the work of Iranian rivals to advance their own agenda,” Nextgov’s Jack Corrigan writes in “Russian Hackers Used Stolen Iranian Malware to Attack 35 Countries, NSA Says.” “Authorities said the Nautilus and Neuron tools had ‘very likely’ originated in Iran, but Turla had acquired both tools by early 2018. The group initially used the malware in combination with one of its own toolkits, called Snake, but eventually began targeting victims with the tools directly.”

But wait. Are these kinds of cyber capabilities actually regarded as weapons under international law? It’s not yet clear. In “Should Cyber Arms Be Treated Like Bioweapons?” the Council on Foreign Relations’ David Fidler examines one potential analogue — biological weapons — and comes away unconvinced.

Even more urgently needed than a strict classification of cyber capabilities are some international norms for using them. “Without clear explanations that affirm rules of the road, countries make it easier for conflicts to spiral out of control,” writes Jonathan Reiber in “States Must Explain When a Cyber Attack Might Draw a Violent Reprisal.” Formerly Chief Strategy Officer for Cyber Policy in the Office of the Secretary of Defense, Reiber writes in the wake of Israel’s May attack on a Hamas hacking center, “the first time that a military has conducted a kinetic operation directly in response to a cyberattack in real time.” Read on.

Bradley Peniston
Deputy Editor
Defense One

Suspected Iranian Cyber Attacks Show No Sign of Slowing

By Patrick Tucker

[Photo: In this photo released by official website of the office of the Iranian Presidency, President Hassan Rouhani addresses the nation in a televised speech in Tehran, Iran, Monday Aug. 6, 2018. IRANIAN PRESIDENCY OFFICE VIA AP]

As Iran and the U.S. trade cyber blows, a new warning shows that the online fight is likely to go on.

Tensions between the United States and Iran in the Strait of Hormuz may be cooling but, online, it appears Iranian actors are continuing their activity against targets in the United States and elsewhere.

On Wednesday morning, U.S. Cyber Command tweeted that they discovered “active malicious use” of a known bug in Microsoft Outlook, “CVE-2017-11774.”

In their tweet, Cyber Command doesn’t say who is using the bug to launch attacks. But cybersecurity company FireEye has reported that a variety of Iranian hackers have been busy using that very vulnerability.

“Adversary exploitation of CVE-2017-11774 continues to cause confusion for many security professionals,” the company wrote in a statement sent to reporters on Wednesday. “If Outlook launches something malicious, a common assumption is that the impacted user has been phished — which is not what is occurring here. The organization may waste valuable time without focus on the root cause.”

In a December blog post, FireEye traces the activity to a threat group dubbed APT33, which, they say, is working “at the behest of the Iranian government.” In a June update to that post, the company said that they saw those same APT33 tactics playing a role in a new coordinated campaign against “U.S. federal government agencies and financial, retail, media, and education sectors.”

That update coincides with a June 22 notice from the Cybersecurity and Infrastructure Security Agency, or CISA, warning of a “recent rise in malicious cyber activity directed at United States industries and government agencies by Iranian regime actors and proxies.” The agency notes that the new attacks are highly destructive “wiper” attacks and that the perpetrators are “looking to do much more than just steal data and money. These efforts are often enabled through common tactics like spear phishing, password spraying, and credential stuffing. What might start as an account compromise, where you think you might just lose data, can quickly become a situation where you’ve lost your whole network.”

At last week’s Defense One Tech Summit, Ed Wilson, the deputy assistant secretary of defense for cyber policy, described the recent escalation in Iranian offensive cyber activity as a “horizontal escalation,” meaning an increase in the volume of activity, rather than a sudden change in the types of tactics used. “I think a lot of times we think of escalation is vertical in nature,” he said.

The statement follows a comment from Joint Chiefs Chairman Gen. Joe Dunford in May, describing the increase in Iranian activity in the region, including cyber activity, as “campaign-like.”

The U.S. has been ramping up cyber operations against Iranian intelligence groups involved in the planning of the attack on various foreign oil tankers, according to reports from Yahoo and The New York Times.

Wilson declined to comment on those reports.

New Tech Aims to Tell Pilots When Their Plane Has Been Hacked

By Marcus Weisgerber

[Photo: The Cyber Anomaly Detection System tells pilots when their plane is being hacked. RAYTHEON]

Raytheon is pitching a product to detect cyber intrusions into aircraft, drones, and even missiles.

As the military helicopter lifts off the ground and heads skyward, the numbers on the altimeter suddenly stop ticking upward. The rumble of the helicopter’s engines fades and the chopper starts losing altitude. A second later, a dire warning flashes in red on a cockpit screen: “Cyber Anomaly.”

The helicopter is under attack, but not from missiles or guns. Seconds later, it smashes into the ground.

Luckily for the pilot, he’s not in a real helicopter — just a small simulator set up in a conference room of a high-rise office building in Arlington, Virginia. Greg Fry, the engineer at the controls of the choreographed crash, is part of a Raytheon team that is building a new warning system that tells pilots when their planes are being hacked, something the U.S. military expects to happen in the battles of the future.

“Basically, we’re trying to give the pilot the information about what’s happening internally on his aircraft in real time,” said Amanda Buchanan, the project’s engineering lead. “We’re telling him what’s going on and allowing him to make decisions about what he needs to do to correct the problems.”

Inside most aircraft, important electronics are plugged into a serial data bus. The bus used in many U.S. military planes was developed in the 1970s and “still have not been updated for security,” according to Fry, a cyber-resiliency product manager at Raytheon.

“Your GPS talks on it, your fuel valve switches are on it, your autopilot is on it and other avionics systems all communicate over this bus,” Fry said. “What we found is as technology has increased and more and more [commercial] products are put in aircraft, there’s more of an attack surface for cyber threats to go onto the platform.”

hackers had found cyber vulnerabilities in the F-15E Strike Eagle fighter jet.

Hackers can get into military and commercial aircraft, vehicles, and even missiles and bombs by infecting them with malware — say, by plugging an infected cell phone into one of the aircraft’s USB ports, or even wirelessly, Fry said.

Buchanan hacked Fry’s helicopter by injecting malicious code wirelessly from a tablet. The code caused the helicopter’s engines to shut down. While Fry was able to disable the helicopter’s wireless receiver before hitting the ground, he was not able to stop its fall.

[Photo: Raytheon says the technology could be used to detect cyber intrusions on drones, vehicles or even missiles. SENIOR AIRMAN FRANKLIN R. RAMOS]

Raytheon began developing this Cyber Anomaly
