Cyberattack Becomes More Sophisticated | AVIATION WEEK


By David A. Fulghum
Washington


Talk over the last several years concerning Iran, Israel, the U.S.—and whether Tehran’s nuclear program might be bombed—may have been a canard or a purposeful bit of misdirection.

In fact, the real attack—using cyberweapons instead of bombs—may have been underway during the last year, given the admission of Iranian officials that many of their automated industrial processes—such as those that control nuclear materials and processing—have fallen victim to a cyberworm. But the question of authorship of the attack—despite immediate claims from Iranian officials that it was Israel—is unresolved. It may have been an accident, the action of a surrogate or a cyber-“hired gun,” or a warning of what cyberweaponry can do to the unprepared.

“When people create cybertools, the unintentional distribution of some of those tools can cause the most problems,” says U.S. Army Gen. Keith Alexander, the chief of U.S. Cyber Command. “We have to cover the spectrum [of threats because] most modern nations have [cyberskills] that are near to us and in some areas may exceed our capabilities.

“We’re going to see that one country may be best at developing worms or viruses,” he says. “Another may be the best at building stealthy exploitation tools. A third may be the best at designing tools that can attack specific systems that are in their national interest.” An example of the last might be the U.S. or Israel taking down computers employed in the Iranian nuclear program.

Mahmud Liai, an official of Iran’s industries and mines ministry, says 30,000 computers have been invaded and the attack is considered part of an electronic war against his country. It is widely known that Iran’s nuclear program has been running into technical problems.

For years, an important question has been “whether Israel will one day try to stop the [Iranian nuclear weapon] project by its own means,” Maj. Gen. (ret.) Giora Eiland, former head of Israel’s National Security Council, tells Aviation Week. “Can we do it? That depends. Can you count on tacit cooperation of others in the region [and America]? What is the physical damage you will cause? The most important question is how much delay in the program do you cause—a few months or years? Months are useless, decades may do.”

Perhaps the decision was already made and acted upon by the U.S., Israel or a third party. Regardless of who inserted the worm, advanced cyberattacks should have been expected. Warnings have been voiced during the last several years. Among those who have suffered increasingly sophisticated cyberattacks are Estonia, Georgia and Syria. Now it appears that Iran and other countries in the region have been made members of that increasingly less-exclusive club of the cyberexploited.

The attack was successful enough to shut down some of Iran’s digitally controlled industrial capabilities, including systems in its nuclear power plant, confirms a senior U.S. defense official. Perhaps reflecting security compartmentalization, “the question is still open about who created the worm and who is infected,” he says. The official says about 60% of the infected sites are in Iran.

“The worm is spread via USB, and it targets administrative access vulnerabilities to locate Siemens-built supervisory and control data acquisition [Scada] management programs that remotely observe and manage large systems,” the official says. “It appears to be able to take control of the automated factory control systems it infects and do whatever it was programmed to do.”

Iranian agencies that run defense facilities say they are trying to undo the potential damage of the Stuxnet worm, which is a self-replicating set of algorithms.

The U.S. has been studying and testing associated capabilities. In the “Aurora Test” conducted by Idaho National Laboratory in early 2007, a 21-line package of software code sent from 100 mi. away caused a $1-million commercial electrical generator to generate self-destructive vibrations by rapidly recycling its circuit breakers.

It introduced destructive instructions into a closed computer network that “caused the generator to blow up,” said Rep. Jim Langevin (D-R.I.) during testimony by military officials at a House Armed Services subcommittee hearing Sept. 23. Aurora indicates that this kind of physically destructive cyberweapon “is not just sitting around on a shelf somewhere.”

In another example, Israel shut down Syria’s integrated air defenses in late 2007 with cyberattack and electronic warfare long enough to bomb and destroy a nuclear processing plant.

Moreover, many nations that do not have the international and industrial power of Russia, China, South Korea, Japan, Germany, the U.S., U.K. and Israel have matched and in some cases surpassed the larger nations’ cyberexpertise in key specialty areas.

“In cyberspace it’s not the size of the country as much as it is the [skills of the people] creating the software,” Alexander says. “There are a number of countries that are near-peers to us in cyberspace, and that is a concern. Others have an asymmetric capability and advantage [in specific areas].”

A key goal of professional cyberwarriors is to penetrate networks that are protected or isolated from other networks. Of particular interest are Scada networks that run factories, refineries, pipelines, utilities and nuclear facilities.

It is no secret that the U.S. also wants to put such weapons on aircraft for airborne electronic attack.

One such device seen by Aviation Week is a software framework for locating digital weaknesses. It combines cybersleuthing, technology analysis and tracking of information flow. It then suggests to the operator how best to mount an attack, and it later reports on the success of the effort. The heart of the attack device is its ability to tap into satellite communications, voice-over-Internet protocol and Scada proprietary networks—virtually any wireless network.

“If you think about the explosion of capability in commercial electronics, it’s obvious that for not too much money, anybody can set up a fairly robust WiFi capability and just ride the backbone of the Internet,” says a U.S.-based network-attack researcher. Stuxnet seems to differ from this concept in that it apparently works autonomously, without direction, and relentlessly searches for predetermined targets.

In the unclassified arena, there are algorithms such as Mad WiFi, Air Crack and Beach. Industry teams have their own toolbox of proprietary, cyberexploitation algorithms. But the unclassified tools give a sense of what can be done. In fact, they resemble some of the characteristics attributed to Stuxnet.

Air Crack, for example, is used to decipher the encryption key for a wireless network. Some key-recovery techniques are quick but require injecting a lot of data into the network, which makes the attack noisy and easy to trace. Others are passive and slow. They take days or even months, but no one is aware of the intrusion—as for months was the case with Stuxnet.

Cryptoattack uses sophisticated techniques to attack passwords. It runs fast and gives good results but the operators have to take an active role, capture different types of data and send the right information to get a proper response.

A deauthorization capability can kick all the nodes off a network temporarily so that the attack system can watch them reconnect, which provides information for quickly penetrating the system.
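The deauthentication-then-reconnect pattern described above is also what a defender would watch for. As an added example that is not part of the Aviation Week article, the following flags a burst of deauthentication frames against one access point and counts how many of the kicked clients re-associate inside the same window; the frame records, BSSIDs, MAC addresses and timestamps are constructed, not captured from any real network.

```python
from collections import defaultdict

# Constructed sample of 802.11 management frames as a wireless sensor might
# log them: (time_seconds, subtype, bssid, client_mac). Not from a real
# network. The first BSSID sees four clients deauthenticated within 50 ms and
# three of them reconnecting; the second sees a single, ordinary deauth.
SAMPLE_FRAMES = [
    (0.00, "deauth", "AA:BB:CC:00:00:01", "10:00:00:00:00:01"),
    (0.02, "deauth", "AA:BB:CC:00:00:01", "10:00:00:00:00:02"),
    (0.03, "deauth", "AA:BB:CC:00:00:01", "10:00:00:00:00:03"),
    (0.05, "deauth", "AA:BB:CC:00:00:01", "10:00:00:00:00:04"),
    (0.90, "assoc_req", "AA:BB:CC:00:00:01", "10:00:00:00:00:01"),
    (1.10, "assoc_req", "AA:BB:CC:00:00:01", "10:00:00:00:00:03"),
    (1.40, "assoc_req", "AA:BB:CC:00:00:01", "10:00:00:00:00:02"),
    (5.00, "deauth", "AA:BB:CC:00:00:02", "10:00:00:00:00:09"),
    (7.00, "assoc_req", "AA:BB:CC:00:00:02", "10:00:00:00:00:09"),
]


def detect_deauth_storms(frames, window=2.0, min_clients=3):
    """Flag BSSIDs where at least `min_clients` distinct stations were
    deauthenticated within `window` seconds, and report how many of them
    re-associated inside that window (the reconnect traffic the article
    says an attacker observes). A legitimate deauth normally affects one
    station at a time, so a burst across many stations is the signal.
    Returns one dict per storm."""
    by_bssid = defaultdict(list)
    for t, subtype, bssid, client in sorted(frames):
        by_bssid[bssid].append((t, subtype, client))
    alerts = []
    for bssid, events in by_bssid.items():
        i = 0
        while i < len(events):
            t0, subtype, _ = events[i]
            if subtype != "deauth":
                i += 1
                continue
            in_window = [e for e in events[i:] if e[0] - t0 <= window]
            kicked = {c for _, s, c in in_window if s == "deauth"}
            if len(kicked) >= min_clients:
                rejoined = {c for _, s, c in in_window
                            if s == "assoc_req" and c in kicked}
                alerts.append({"bssid": bssid, "start": t0,
                               "clients_deauthed": len(kicked),
                               "clients_rejoined": len(rejoined)})
                i += len(in_window)  # skip past this storm; alert once
            else:
                i += 1
    return alerts
```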

Photo: USAF
