Internet as weapon

With every passing day the Internet strengthens its roots in every house and every organization across the planet, as if IT were knitting the planet into one seamless piece of cloth. The quality of the yarn, rough or fine, and the density of the knitting vary from place to place. This unification of the world around the Internet and intranets (and its dependence on them) has been made possible by long years of concerted effort by various technical groups in standardizing the protocols through which machines and devices communicate with one another in a transparent and hardware-independent manner. This free and cheap communication has opened up numerous business, social, cultural and economic opportunities. Gaps in communication protocols, bugs in the operating systems that power the devices, or knowledge of special applications critical to an industry are now being exploited by evil-minded persons, or possibly nations, to cripple businesses, an entire industry or a whole economy. We have been witnessing attacks on business facilities since the 1990s, and these took more sophisticated forms in the 2000s. But attacks on an industry or the crippling of a national economy, for example by paralyzing oil pipelines, are a completely new phenomenon and represent the transformation of IT into a weapon used by one or more nations against another. Since 2007 at least four such weapons have been used with telling effect.

How attacks take place on Internet

Let us first understand how the Internet becomes vulnerable. Consider how a connection that transfers a file from one machine to another is first established and the file then transferred. The client machine (the one requesting the file) sends a specific bit pattern (a packet) across the Internet to the file server, signaling its intention to connect. In response, the file server sends back a specific packet acknowledging receipt of the client's request. The client sends back another acknowledgement to the server, and the connection between client and server is now established; file transfer can begin. A file does not travel over the Internet as one huge block of bits but is fragmented into reasonably sized packets, each of which travels independently. Each packet carries a sequence number. Packets from the server may take different routes and arrive at the client at different times, out of sequence. At the receiving end the sequence numbers of all packets are checked; when the last one has arrived, the packets are assembled in the correct order and delivered to the client application. Each packet also carries a checksum, used at the receiving end to check whether the packet was corrupted during its journey. If it was, that packet is discarded and the sender is asked to retransmit the packet with the same sequence number.

This is how the protocol is misused to attack the server. When the server acknowledges the client's request to connect, it simultaneously (in anticipation) commits some resources, such as reserving memory to satisfy the requests the client is expected to make. After receiving the server's acknowledgement, it is the client's duty to send back a return acknowledgement. But a mischievous client holds back the return acknowledgement and keeps the server waiting. Meanwhile, another connection request is sent from another machine; the server responds and commits resources, and that client too holds back its return acknowledgement. When a large number of such fake connection requests are made, the server has committed a significant part of its resources and may no longer be able to respond promptly to a genuine customer. Such an attack is known as a distributed denial of service (DDoS) attack: distributed, because the attacking client machines are spread geographically. No damage is done to the server, but its ability to serve genuine clients is seriously impaired. Such attacks are very common against the web sites of financial houses that carry out financial transactions such as the sale and purchase of stocks; if the server is incapacitated for a few hours, the business may lose a lot of money and customer goodwill. They are also common during festival seasons against prominent web sites selling goods and merchandise.
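The handshake above is TCP's three-way handshake, and the resource the server commits is an entry in its table of half-open connections. The following Python model is an added example, not code from the original post: it keeps that table with a bounded backlog and a reclaim timeout, and shows the stateless alternative (SYN cookies) under which nothing is stored until the client's final acknowledgement arrives. The host addresses, secret and backlog size are constructed values.

```python
import hmac
import hashlib

COOKIE_SECRET = b"demo-secret-not-real"  # constructed; real stacks use a per-boot secret
COOKIE_WINDOW = 60                       # seconds a SYN cookie stays valid

class Listener:
    """Model of the state a TCP server keeps between a client's SYN and its final ACK."""

    def __init__(self, backlog, syn_cookies=False, timeout=30.0):
        self.backlog = backlog          # max half-open (SYN_RECEIVED) entries
        self.syn_cookies = syn_cookies  # stateless alternative to the table
        self.timeout = timeout          # seconds before a half-open entry is reclaimed
        self.half_open = {}             # (client, port) -> (server ISN, expiry)
        self.dropped = 0                # SYNs refused because the table was full

    def _cookie(self, client, port, now):
        # ISN derived from the connection tuple and a time bucket: nothing to store.
        msg = f"{client}:{port}:{int(now // COOKIE_WINDOW)}".encode()
        digest = hmac.new(COOKIE_SECRET, msg, hashlib.sha256).digest()
        return int.from_bytes(digest[:4], "big")

    def on_syn(self, client, port, now):
        """Steps 1-2: client SYN arrives; returns the ISN sent back in the SYN-ACK."""
        if self.syn_cookies:
            return self._cookie(client, port, now)   # no resources committed yet
        # Reclaim entries whose client never finished the handshake.
        self.half_open = {k: v for k, v in self.half_open.items() if v[1] > now}
        if len(self.half_open) >= self.backlog:
            self.dropped += 1                        # table full: SYN silently dropped
            return None
        isn = self._cookie(client, port, now)        # any unpredictable ISN would do
        self.half_open[(client, port)] = (isn, now + self.timeout)
        return isn

    def on_ack(self, client, port, isn_echo, now):
        """Step 3: client's final ACK; True if the connection is established."""
        if self.syn_cookies:
            return isn_echo == self._cookie(client, port, now)
        entry = self.half_open.pop((client, port), None)
        return entry is not None and entry[0] == isn_echo and entry[1] > now

def genuine_client_connects(listener, silent_syns, now=1000.0):
    """Send SYNs from constructed 10.0.0.x hosts that never send their final ACK,
    then attempt a complete handshake from one genuine client (192.0.2.10)."""
    for i in range(silent_syns):
        listener.on_syn(f"10.0.0.{i % 254 + 1}", 40000 + i, now)
    isn = listener.on_syn("192.0.2.10", 51000, now)
    return isn is not None and listener.on_ack("192.0.2.10", 51000, isn, now)
```

With a backlog of 128 and 200 unanswered SYNs the genuine client is refused until the timeout reclaims the stale entries, whereas with SYN cookies it connects immediately.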

There is another form of DDoS known as the ‘Ping of Death’. A host often needs to know whether a particular address is present on the Internet. To find out, it sends a packet to that address; the packet ‘strikes’ the receiver and ‘pings back’ to the sender. On receiving this ping back (the reply), the sender knows that a machine with that address is present. In the ‘Ping of Death’ a large number of ping packets are sent to the other host, choking its bandwidth. A genuine client wishing to connect may not find enough bandwidth left to reach the machine under attack.

2007 cyberattack

The 2007 cyberattack on Estonia was the first example of a state-sponsored cyberattack of a sophistication never seen before. It made countries sit up and take notice, especially from a military point of view. The attack targeted the web sites of major organizations, including the Estonian parliament, news agencies, banks, government offices and broadcasters. It was the first large-scale attack of this type on so many organizations. The distributed denial of service attack used various methods, including ping floods. Experts estimate that hundreds of thousands of computers were used in a coordinated attack against government agencies and banks. It has been reported that critical systems whose network addresses would not generally be known were targeted, including those serving telephony and financial transaction processing. Although not all of the computer crackers behind the attack have been unveiled, some experts believe that the effort exceeded the skills of individual hackers or even groups of them, since such an attack would have required the cooperation of a state and of a large telecommunications firm. At the time Estonia had serious differences with Russia, and a Russian hand was suspected in the attack. Russia has also not cooperated in tracing the source of the attack within its borders. These attacks prompted NATO to enhance its cyber-war capabilities and to establish the alliance's cyber defense research center in Tallinn in 2008. Subsequently, in June 2009, the US government decided to establish United States Cyber Command (USCYBERCOM) as an armed forces sub-unified command subordinate to United States Strategic Command (USSTRATCOM).

2009 cyberattack

In July 2009 South Korea, one of the world's most thickly wired nations, suddenly found itself under waves of attacks. The web sites of its largest banks, major news agencies, government offices including the Korean Ministry of Defence, and portals were made dysfunctional by hijacking thousands of computers. The disruption prevented people from carrying out transactions, purchasing items and conducting normal business. The modus operandi was roughly this: an email was sent with a malicious (Trojan-like) attachment. The malicious payload dropped two components onto the user's machine. The first scanned the user's address book, gathered all the email addresses and sent emails to all of them with ‘itself’ (the malicious payload) as an attachment. The second started mounting denial of service attacks on certain web sites. Very soon thousands of machines that had received the emails joined in the DoS attack, paralyzing financial and government services in South Korea. Symantec's security services group has estimated the number of hijacked computers at 50,000. Such a cluster of machines involuntarily acting in concert is known as a ‘botnet’. The timing and targeting of the attacks have led to suggestions that they originated from the Democratic People's Republic of Korea (North Korea), although these suggestions have not been substantiated. In December 2009 South Korea announced the creation of a Cyber Warfare Command.

Stuxnet—A missile like targeted bomb

All the above attacks pale into insignificance when we consider ‘Stuxnet’. Stuxnet was unleashed in 2009 but discovered only in 2010. It appears to be the endeavor not of one nation but of several nations joining in an attack against Iranian nuclear facilities. The more one analyses Stuxnet, the more bizarre it turns out to be. Unlike DDoS attacks, which do no direct harm to computer facilities, Stuxnet was designed to inflict irrecoverable damage. Here is the story.

Stuxnet is a computer worm. A computer worm replicates itself in order to spread to other computers; unlike a computer virus, it need not attach itself to other programs to multiply. Worms are normally written in one computer language; Stuxnet was written in multiple languages, including C and C++, and was around half a megabyte in size, which is quite large for a worm. Stuxnet was designed to spread rapidly through the Windows OS, copying itself to USB drives or across networks. It remained harmless on most machines: it was written to target only Siemens industrial control systems, which Iran was using in its nuclear facilities and power plants. Its final goal was to reprogram programmable logic controllers (PLCs) so that they worked in the manner the attacker intended, and to hide those changes from the operator of the equipment. PLCs are used as the top-level software layer for monitoring and controlling highly integrated and automated systems, and the reprogramming of this controlling layer soon caused the facility to slow down. Stuxnet bypassed anti-virus systems: it would sense which anti-virus product was installed on the machine and change its behavior so as to evade detection as malware. Stuxnet exploited several vulnerabilities in Windows. Almost all viruses and worms known until then exploited a single bug in Windows; Stuxnet exploited several, four of which were zero-day vulnerabilities. A zero-day vulnerability is one that the developer of the system (Windows) has yet to discover, and since it is not yet known, no patch exists to plug it. That Stuxnet used four zero-day vulnerabilities was unprecedented.

There was more to Stuxnet's design. Stuxnet was designed to update itself regularly from two sites on the Internet: two web sites, in Denmark and Malaysia, were configured as command and control servers for the malware, allowing it to be updated and allowing industrial espionage to be conducted by uploading information. It was in this updating process that one update went slightly wrong, Stuxnet spread beyond its intended boundaries, and it was discovered. The design of Stuxnet was tuned to the characteristics of the Siemens plant operating in Iran. Traffic to the two web sites in Denmark and Malaysia was monitored in the early days of the attack, and it emerged that around 60% of infected machines were in Iran, 18% in Indonesia and 8% in India. It is suspected that the damage in Iran was more severe than the 60% figure suggests, as the Iranian authorities blocked traffic to the two web servers. The intended targets in Iran were the Bushehr Nuclear Power Plant and the Natanz nuclear facility. Stuxnet appears to have been designed to destroy centrifuges at the Natanz facility, but the destruction was by no means total. The damaged centrifuges appear to have been replaced, but so many computers remain affected by Stuxnet that Iran will have to take special precautions to protect its facilities.

The design of Stuxnet was of immense complexity, requiring expertise from different fields, including deep knowledge of industrial control systems. It is estimated that at least ten to thirty experts must have taken a minimum of six months (if not a year) to code the worm. Such collaboration is not possible without the assistance of a nation-state. Fingers are being pointed at the USA and Israel.

Stuxnet was followed in 2010 by another piece of malware, Flame, targeted at Iranian oil installations. Flame was about twenty times more complex than Stuxnet and was intended as an instrument of espionage: it sent its data to various command and control centers on the Internet. Flame operated for around two years until it was discovered in 2012, when it was ‘killed’ by a command from one of its command and control centers.

Aftereffects

Stuxnet is history, but its effects and possible future scenarios reverberate across nations. First, there is no international law to control such attacks or to require cooperation in tracing the attackers; in the 2007 attack against Estonia, Russia refused to cooperate. Secondly, precedents now exist for nations to sabotage the industrial or financial systems of other countries. Thirdly, what has been attempted by a nation can in future be attempted by competing business houses; there is no guarantee that a particular multinational will not try to attack a specific industrial installation of its competitor. Are there defenses? In Part II of this article we will try to cover possible defenses against such attacks.
