
Running head: CYBERWARFARE DEFENSE REPORT 1

Cyberwarfare Defense Report Part 1

name

Western Governors University



Cyberwarfare Defense Report Part 1

The Mission

Recent intelligence shows that an advanced persistent threat is planning to exploit vulnerabilities in computers that manage the Western Interconnection power grid (WIPG). The threat is believed to originate from a Middle Eastern terrorist group. We have determined that the adversary has probed and performed reconnaissance on the network over the past few months. Intelligence indicates that the group is planning to infect computers on the grid's network with malicious software, with the intent to disrupt power to at least eleven states.

When we look at the history of modern warfare, it is evident that it has evolved dramatically over the course of the last century; cyber warfare specifically has evolved very rapidly over the last two decades. By 1997, three out of four organizations had experienced some form of security incident. The 1998 Israeli Solar Sunrise and Russian Moonlight Maze attacks on U.S. military computer systems made it clear to military and government leaders that the threat of cyber-attack was imminent and needed to be addressed immediately (Western Governors University [WGU], n.d.). Although the tactics of cyber warfare at that time were not nearly as sophisticated as they are now, these attacks demonstrated that security threats were evolving quickly and that better security defenses and protocols needed to be implemented as fast as possible to stay ahead of the ever-increasing sophistication of cyber warfare tactics.

In 1999, the release of Microsoft's new operating system, officially known as Windows 98, introduced hundreds of new and widely publicized bugs and vulnerabilities (List of notable security hacking incidents, n.d.). That same year, the first malicious rootkit for the Windows NT operating system appeared (Hoglund & Butler, 2006), and fast-spreading worms spread quickly across the internet. In 2001, a worm known as Code Red exploited a buffer overflow vulnerability in Microsoft's Internet Information Services (Code Red worm, n.d.), and in 2003 the SQL Slammer worm infected thousands of computers running SQL Server (SQL Slammer, n.d.).

In the first few years of the millennium, attackers began to exploit vulnerabilities in applications, which affected many of the companies using those applications. A study performed by AOL and the National Cyber Security Alliance determined that 61 percent of personal computers were infected with some form of spyware in the year 2005 (AOL/NCSA, 2005). Around this same time, some of the first botnets appeared and were used to send massive amounts of spam. This generation of attacks led to the development of signature-based intrusion detection systems, which quickly added remedial capabilities and became signature-based intrusion prevention systems.

The cyber threat landscape is in continual evolution, so it was no surprise that what came next was a rise of targeted attacks for which there were no signatures. The quality of malware code improved significantly at this time, and many of the most successful attacks were polymorphic shapeshifters that changed their characteristics to evade detection. Cyber security experts determined that the best way to defend against these new types of attacks was to implement network-based sandboxes as well as bot defense systems to combat the botnets that were starting to proliferate across the internet.

While these exploits were extremely damaging to data, privacy and the availability of systems, in June of 2010 a whole new type of cyber threat was discovered. The Stuxnet worm, an alleged collaboration between Israel and the United States (Stuxnet, n.d.), was specifically designed to cause physical damage to nuclear equipment in Iran. This type of attack was one of the first of its kind and paved the way for many more extremely sophisticated malware programs designed to cause actual physical destruction. Some of those included GAUSS, FLAME and DUQU, which shared many features and characteristics of Stuxnet, and Irongate, which targeted Siemens industrial control systems.

These destructive targeted attacks, known as cyber-physical attacks (Loukas, 2015), contained very specialized malware created to take control of infrastructure Supervisory Control and Data Acquisition systems for the purpose of crippling infrastructure targets such as power grids and control systems. Oftentimes, this type of malware would take advantage of known and unknown vulnerabilities present in operating systems, web applications and software programs to assist in spreading and achieving its objective.

One such vulnerability, the Heartbleed bug (CVE-2014-0160), was first introduced in 2012. This vulnerability provided an opportunity for a buffer over-read exploit, which resulted in the theft of servers' private keys as well as users' session cookies and passwords. It was considered potentially one of the worst vulnerabilities found in the history of the modern internet (Steinberg, 2014). An updated version of OpenSSL was released on the same day Heartbleed was publicly disclosed, but a little over a month later, 1.5% of TLS-enabled websites had not been patched and were still vulnerable to Heartbleed (Leyden, 2014).
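The length check that Heartbleed lacked, shown as an added example for this report (it is not OpenSSL's code): a small Python parser for the TLS heartbeat record format defined in RFC 6520 (one type byte, a two-byte payload length, the payload, then at least 16 bytes of padding). The sample records are constructed here, and the validation rule mirrors the bounds test that the OpenSSL fix for CVE-2014-0160 added, rejecting any record whose declared payload length does not fit inside the bytes actually received.

```python
"""Validate a TLS heartbeat record (RFC 6520) before echoing its payload.

Added example for this report, not OpenSSL's code. The bounds check mirrors
the test added by the fix for CVE-2014-0160: the declared payload_length must
fit inside the record that actually arrived, padding included.
"""
import struct

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16  # RFC 6520 requires at least 16 bytes of random padding


def parse_heartbeat(record: bytes) -> tuple:
    """Parse a heartbeat record and return (message_type, payload).

    Raises ValueError if the declared payload length does not fit inside the
    bytes received. Omitting this check was the Heartbleed defect: the
    responder copied payload_length bytes from the payload offset regardless
    of how short the record really was, and sent back whatever memory
    followed it.
    """
    if len(record) < 3:
        raise ValueError("record too short for type and length fields")
    msg_type, payload_len = struct.unpack("!BH", record[:3])
    if msg_type not in (HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE):
        raise ValueError("unknown heartbeat message type %d" % msg_type)
    # 1 (type) + 2 (length) + payload + 16 (minimum padding) must not exceed
    # the number of bytes we actually hold.
    if 1 + 2 + payload_len + MIN_PADDING > len(record):
        raise ValueError(
            "declared payload length %d exceeds record length %d"
            % (payload_len, len(record))
        )
    return msg_type, record[3:3 + payload_len]


def build_heartbeat(msg_type: int, payload: bytes,
                    padding: bytes = b"\x00" * MIN_PADDING) -> bytes:
    """Build a well-formed record whose declared length matches its payload."""
    if len(padding) < MIN_PADDING:
        raise ValueError("padding must be at least %d bytes" % MIN_PADDING)
    return struct.pack("!BH", msg_type, len(payload)) + payload + padding


def heartbeat_response(request: bytes) -> bytes:
    """Answer a validated request by echoing its payload in a response record."""
    msg_type, payload = parse_heartbeat(request)
    if msg_type != HEARTBEAT_REQUEST:
        raise ValueError("only heartbeat requests are answered")
    return build_heartbeat(HEARTBEAT_RESPONSE, payload)


def is_well_formed(record: bytes) -> bool:
    """Convenience wrapper: True if parse_heartbeat accepts the record."""
    try:
        parse_heartbeat(record)
    except ValueError:
        return False
    return True


# Constructed sample records (not captured traffic).
GOOD_REQUEST = build_heartbeat(HEARTBEAT_REQUEST, b"ping")
# Declares 16384 payload bytes but carries only 4: a validator must reject it.
SHORT_REQUEST = (struct.pack("!BH", HEARTBEAT_REQUEST, 16384)
                 + b"ping" + b"\x00" * MIN_PADDING)

if __name__ == "__main__":
    print("well-formed request accepted:", is_well_formed(GOOD_REQUEST))
    print("over-declared request accepted:", is_well_formed(SHORT_REQUEST))
    print("echoed payload:", parse_heartbeat(heartbeat_response(GOOD_REQUEST))[1])
```

The design point is that the length field inside a message is attacker-controlled data and must be reconciled with the length the transport actually delivered before any byte is copied; the same rule applies to any length-prefixed protocol, not just TLS heartbeats.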

In October of 2014, unclassified computer systems at the White House were compromised through an elaborate spear phishing attack. Many U.S. government agencies categorized it as one of the most sophisticated attacks against U.S. government computer systems (Perez, 2015). The compromise began with a phishing email that was sent using a State Department email account that had itself been taken over using a spear phishing attack. It is critical that users are trained to spot and report this type of attack, as it is an extremely common and successful attack method that can compromise an entire network. Throughout the last decade, spear phishing attacks were used more and more to gain access to systems simply by impersonating a legitimate user and convincing someone to grant them access.

As a result of the advancement of cyber-attack methodologies, data breaches were also becoming more and more commonplace. In June 2015, the personally identifiable information of 21.5 million people was covertly siphoned from the Office of Personnel Management. The attackers were believed to be affiliated with the government of China (Sanders, 2015). Around this same time, security analysts stumbled upon another startling discovery. While doing a security audit on the servers of a company Amazon was in the process of acquiring, security testers discovered tiny microchips that were not part of the original design. These microchips created a stealth backdoor into any computer network that included the modified servers. This was one of the first discoveries of a successful large-scale compromise of the supply chain (Robertson, 2018).

According to the Verizon Data Breach Investigations Report published in 2017, phishing was behind 90% of successful security incidents and breaches in 2016 (Verizon, 2017). At that time, it was definitely one of the largest contributors to cyber security incidents around the world, but in 2017 a new class of multi-vector, polymorphic cyber threat appeared that combined several different types of attacks and changed form to avoid detection as it infiltrated secure networks. These threats were categorized as 5th generation cyber-attacks. The authors of these malware strains were continuously rewrapping their packed executables to avoid signature-based detection (Turner, 2018). One of the only ways to combat this type of malware is with advanced analysis that evaluates a program's behavior and blocks it if it is suspected to be malicious.

In May of 2017, a crypto-worm known as WannaCry originated in Asia and then infected more than 230,000 computers as it quickly spread throughout 150 countries. North Korea was believed to be behind the attack, which attempted to extort millions of dollars from its victims by encrypting data on infected machines and demanding that a ransom be paid for the data being held hostage (WannaCry ransomware attack, n.d.). Data theft was also a major objective for cyber criminals during this time; in May of 2017, the consumer credit reporting agency Equifax experienced a data breach of unprecedented scale when the personal information of approximately 145.5 million U.S. consumers was stolen by unknown cyber criminals (Equifax, n.d.).


One of the most recently discovered vulnerabilities is the Spectre-Meltdown exploit, which could potentially reveal private data to attackers by using a timing attack. The Meltdown and Spectre vulnerabilities are considered severely catastrophic by security analysts (Spectre, n.d.). Although no malicious exploits of the vulnerabilities have been reported as of yet, chances are it is only a matter of time before they are used to perform an extremely damaging attack.

In 2018, Google announced the launch of an artificial intelligence-based solution for the cyber security industry called Chronicle. Google realized the benefits of creating a partnership between security professionals and artificial intelligence so that they could work together in the fight against cyber threats. Google concluded that the best chance of defending against cyber-attacks would be having intelligence analysts analyze anomalies flagged by artificial intelligence-driven cyber security solutions that use advanced capabilities to help analyze security data (Chronicle, n.d.).

The term advanced persistent threat is commonly used to refer to cyber threats that attempt to avoid detection, such as Internet-enabled espionage that uses covert cyber gathering techniques to steal valuable information, but it also includes other threats such as traditional espionage. Some of the tradecraft used by advanced persistent threats includes highly targeted malicious emails, advanced malware, infected media, remote access Trojans, supply chain compromises, social engineering, spear phishing, zero-day viruses, strategic web compromises and spying on information systems through leaked emanations of radio and electrical signals.

Advanced persistent threats usually share some common characteristics that include sophisticated technical tools, clearly defined objectives, social engineering, organization and discipline, and large amounts of financial and human resources. They typically have very advanced attack technologies that take advantage of vulnerabilities that have not yet been disclosed and may be impossible to defend against. They usually have a sponsor that can provide high levels of funding and support, including access to very talented staff and intelligence. They tend to operate in a command-and-control military manner, have a very clearly defined mission and conduct their cyber-warfare operations in direct support of that mission.

The characteristics of current advanced persistent threats have some similarities to, but overall are quite different from, the threats and attacks that may have been attempted before the existence of the Internet. Before the prevalence of the internet, intelligence gathering agencies had to depend on spies, reconnaissance planes, cypher devices, covert submarines and robotic insects with tiny hidden cameras and listening devices to gather military intelligence. Prior to the WIPG being connected to the world wide web, adversary agents would have had to physically breach the grid's security barriers and mechanisms. The internet now creates direct physical and logical connections to communication networks and systems such as those of the WIPG. These networks and systems are often protected by firewalls and intrusion prevention systems, but these protections are not 100% foolproof and can be circumvented.

Intelligence has determined that the attackers intend to use social engineering to trick a WIPG network user into visiting a web site that has been compromised by a cross-site scripting attack and now contains malicious code. The code installs malware on the compromised computer, causing it to connect to a server operated by the attackers. The attacker uses the malware to gain administrative access to the computer and then to the WIPG network, so it can infect other machines and access the systems necessary to disrupt the power grid.

In the Equifax breach, the attack originated at a web application where a bug was exploited using a vulnerability in Apache Struts (CVE-2017-5638). This flaw would allow an attacker to execute system commands on affected systems by manipulating certain HTTP headers. A patch for the vulnerability was released in March, but Equifax failed to apply it before the attack began two months later. An investigation later determined, however, that this was not the only point of failure; other factors included an insecure network design that lacked adequate segmentation and ineffective intrusion detection mechanisms (Equifax, n.d.).
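The "ineffective intrusion detection" finding above is one that a web-tier log check can address. The following detector is an added example for this report, not Equifax's or Apache's code. CVE-2017-5638 was triggered by an OGNL expression placed in the Content-Type header of a multipart request; a legitimate MIME type never contains the expression delimiters `%{` or `${`, so their presence in that header is a high-confidence indicator. The tab-separated log format and all of the sample lines are constructed for this example, and the expression bodies in them are inert placeholders.

```python
"""Flag HTTP requests whose Content-Type header carries an OGNL expression.

Added detection example for this report, not Equifax's or Apache's code.
CVE-2017-5638 was triggered by an OGNL expression placed in the Content-Type
header of a multipart upload. A legitimate MIME type never contains the
expression delimiters '%{' or '${', so their presence in that header is a
high-confidence indicator worth alerting on at the proxy or web tier.
The tab-separated log format used below is constructed for this example.
"""
import re
from dataclasses import dataclass
from urllib.parse import unquote

# OGNL expression openers as they would appear in a crafted header value.
OGNL_MARKER = re.compile(r"[%$]\{")


def is_suspicious_content_type(value: str) -> bool:
    """True if a Content-Type value contains an OGNL expression opener.

    The raw value and one and two rounds of percent-decoding are all checked,
    so '%25%7B' (an encoded '%{') is caught as well as the literal form.
    """
    candidates = {value, unquote(value), unquote(unquote(value))}
    return any(OGNL_MARKER.search(c) is not None for c in candidates)


@dataclass
class Finding:
    timestamp: str
    src_ip: str
    path: str
    content_type: str


def scan_log(log_text: str) -> list:
    """Scan constructed request log lines and return one Finding per hit.

    Expected columns (tab-separated, a constructed format):
    timestamp, client IP, method, path, status, Content-Type header value.
    """
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 6:
            continue  # malformed line; a production parser would count these
        timestamp, src_ip, _method, path, _status, content_type = fields
        if is_suspicious_content_type(content_type):
            findings.append(Finding(timestamp, src_ip, path, content_type))
    return findings


def hits_by_source(findings) -> dict:
    """Count findings per client IP, handy for a quick block/investigate list."""
    counts = {}
    for f in findings:
        counts[f.src_ip] = counts.get(f.src_ip, 0) + 1
    return counts


# Constructed sample log: two benign requests and two with expression
# delimiters in the Content-Type header (one percent-encoded). The
# expression bodies are inert placeholders, not a working payload.
SAMPLE_LOG = (
    "2017-05-13T10:01:02Z\t203.0.113.7\tPOST\t/upload.action\t200\t"
    "multipart/form-data; boundary=----FormBoundary1234\n"
    "2017-05-13T10:01:09Z\t198.51.100.23\tPOST\t/upload.action\t500\t"
    "%{(#demo)}\n"
    "2017-05-13T10:01:15Z\t198.51.100.23\tGET\t/index.action\t200\t-\n"
    "2017-05-13T10:02:40Z\t192.0.2.44\tPOST\t/upload.action\t200\t"
    "%25%7B(%23demo)%7D\n"
)

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print("ALERT", finding.timestamp, finding.src_ip, finding.path,
              repr(finding.content_type))
    print(hits_by_source(scan_log(SAMPLE_LOG)))
```

A check like this is a compensating control: it buys visibility while the Struts upgrade is rolled out, but the primary fixes remain the ones the paragraph names, applying the vendor patch promptly and segmenting the web tier so that a compromised application server cannot reach the databases directly.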

The WannaCry ransomware attack propagated through EternalBlue (CVE-2017-0144), an exploit for certain Windows systems that was released several months before the attack. EternalBlue exploits a vulnerability in the Server Message Block protocol: the affected implementation may mishandle certain types of packets, which could allow attackers to execute code on the target machine (WannaCry ransomware attack, n.d.).

An attack can also occur internally, from inside the network, especially if the attackers have obtained valid user or admin credentials. In the OPM breach, the attackers posed as an employee of a U.S. Government subcontracting company and obtained valid user credentials to the system they were attacking, possibly through social engineering or a phishing attack. They also installed a malware program within OPM's network which established a backdoor. The attackers then elevated their privileges to obtain access to internal OPM systems (Office of Personnel Management data breach, n.d.).

An advanced persistent threat is typically not executed by an individual, as it would be very unlikely that they would have the resources to be both persistent and advanced, even if they were intent on exploiting a specific target. Advanced persistent threats are usually members of a government or terrorist group, or agents of a nation state. They typically have the intent and capability to effectively and persistently attack a specific target (Advanced persistent threat, n.d.). Attackers from these groups would be much more likely to be able to obtain logical access rather than physical access to a target's network and systems, although they would take full advantage of the opportunity if they could circumvent security and obtain physical access.

Based on the information gathered, intelligence has determined that the attacker is likely the Islamic State of Iraq and Syria (ISIS). The United Cyber Caliphate (UCC) developed as an umbrella organization for seventeen cyber-attack groups that have declared their support for ISIS. An assessment of their cyber-attack capabilities has determined that UCC agents do not possess the capability to develop reliable, sophisticated malware; the attack tools they have created have been buggy and insecure and have failed to take down any significant target. Their inability to develop effective attack tools has forced them to resort to contracting online cyber-attack services and acquiring malicious tools and attack code from the dark web (Wilhoit, 2017). The majority of ISIS operatives are not geographically located where they could attempt to obtain physical access to the grid network, so they will focus their attacks on obtaining logical access, but they may have a sleeper cell that is geographically capable of attempting to gain physical access to the grid network, so access control measures need to be as secure as possible.

References

Western Governors University (WGU). (n.d.). Early Attacks: The 1990s [Online course information for C688: Cyberwarfare]. https://wgu.ucertify.com/?func=ebook&chapter_no=8#02NmG

List of notable security hacking incidents. (n.d.). https://en.wikipedia.org/wiki/List_of_notable_security_hacking_incidents

Hoglund, G., & Butler, J. (2006). Rootkits: Subverting the Windows kernel. Addison-Wesley, Boston, MA.

Code Red worm. (n.d.). https://en.wikipedia.org/wiki/Code_Red_(computer_worm)

SQL Slammer. (n.d.). https://en.wikipedia.org/wiki/SQL_Slammer

AOL/NCSA. (2005). Online Safety Study. Retrieved from http://www.staysafeonline.info/pdf/safety_study_2005.pdf

Stuxnet. (n.d.). https://en.wikipedia.org/wiki/Stuxnet

Loukas, G. (2015). Cyber-Physical Attacks: A Growing Invisible Threat. Butterworth-Heinemann, Newton, MA.

Steinberg, J. (2014, April 10). Massive Internet Security Vulnerability – Here's What You Need To Do. Retrieved from https://www.forbes.com/

Leyden, J. (2014, May 20). AVG on Heartbleed: It's dangerous to go alone. Retrieved from https://www.theregister.co.uk

Perez, E. (2015, April 8). How the U.S. Thinks Russians hacked the White House. Retrieved from https://edition.cnn.com

Sanders, S. (2015, June 4). Massive Data Breach Puts 4 Million Federal Employees' Records At Risk. Retrieved from https://www.npr.org

Robertson, J. (2018, October 4). The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies. Retrieved from https://www.bloomberg.com

Verizon. (2017). 2017 Data Breach Investigations Report, 10th Edition. Retrieved from https://www.ictsecuritymagazine.com

Turner, R. (2018, May 24). Thinking about cyberattacks in generations can help focus enterprise security plans. Retrieved from https://ovum.informa.com

WannaCry ransomware attack. (n.d.). https://en.wikipedia.org/wiki/WannaCry_ransomware_attack

Equifax. (n.d.). https://en.wikipedia.org/wiki/Equifax

Spectre. (n.d.). https://en.wikipedia.org/wiki/Spectre_(security_vulnerability)

Chronicle. (n.d.). https://en.wikipedia.org/wiki/Chronicle_(company)

Office of Personnel Management data breach. (n.d.). https://en.wikipedia.org/wiki/Office_of_Personnel_Management_data_breach

Advanced persistent threat. (n.d.). https://en.wikipedia.org/wiki/Advanced_persistent_threat

Wilhoit, K. (2017, September 25). Poor coding limits IS hackers' cyber-capabilities, says researcher. Retrieved from https://www.bbc.com/
