
Monday, 10 June 2013

Identifying Aggressors in the Global Cyber Threatscape

Independent hacker groups and cyber militias who conduct network attacks complicate international relations between governments. President Obama, at the conclusion of his historic talks with President Xi Jinping last Friday, acknowledged that the "theft of business, financial and military information ... are not issues that are unique to the U.S.-China relationship. Those are issues that are of international concern. Oftentimes it's nonstate actors who are engaging in these issues as well."

No nation state can be held responsible for all of the attacks emanating from their own IP addresses. Attribution remains a hard challenge, and the potential for serious miscalculations and misjudgments is high.

Since the landscape is foggy, the threat actors numerous and hard to identify, and the attacks proliferating on a daily basis, the focus of the next Suits and Spooks conference will be to identify non-state aggressors in cyberspace. About twenty speakers will present briefings over two days on hackers, citizen militias, and other non-state entities operating in the Middle East, China, Russia, Pakistan, India, Iran, Africa, South America, the United States (yes - we have non-gov threat actors domestically), and other parts of the world.

A partial list of our country experts includes:
  • Peter Mattis (Editor, Jamestown Foundation China Brief): China
  • Peiran Wang (Ph.D. candidate, The Center for Economic Law and Governance, Faculty of Law and Criminology, Vrije Universiteit Brussel): China
  • John Scott-Railton (Research Fellow at Citizen Lab, University of Toronto): Syria, Libya
  • A. Aaron Weisburd (Instructor, Combating Terrorism Center at West Point; Founder, Internet Haganah): Middle East
  • Sheena Chestnut Greitens, Ph.D. (Fellow, Harvard's Fairbank Center for Chinese Studies): North Korea
  • Jonathan Hutson (Communications Director - Satellite Sentinel Project and The Enough Project): Africa
The venue will be in New York City at SOHO House on October 5-6, 2013. Admission will be limited to no more than 80 people so register early. Lunch will be provided on both days. If you'd like to submit a proposal for a talk, please do so by July 15, 2013.

Companies interested in sponsorship options for this event can view our prospectus on Google Drive.
The SOHO House NY Library

Registration

Super Early Bird: (June 10 - July 10): $275
Early Bird (July 11 - Aug 31): $395
Standard (Sep 1 until sold out): $625



Thursday, 10 January 2013

No Proof That Iran Is Behind U.S. Bank Attacks

A recent New York Times article reported that the U.S. government was convinced that the government of Iran was responsible for DDoS attacks against U.S. banks. No specific names of U.S. officials were mentioned, which is troubling for several reasons:
  1. Government policy makers and administration officials are generally not very astute about the complexities of cyber attacks, incident response, and attribution.
  2. The article's authors failed to interview any of the multiple cyber security experts who disagree with the sources quoted and/or referred to in the article.
  3. The reasons given by the Times' sources didn't exclude other possibilities besides the government of Iran.
On the other hand, multiple informed, authoritative sources have expressed skepticism about these attacks being state-sponsored, let alone by Tehran. Here are two authorities who were quoted in this Mashable article "Is Iran Behind A Wave Of Cyber Attacks Against U.S. Banks?":
Roel Schouwenberg, senior researcher at Kaspersky Labs (which identified several recent cyberattacks against Iran), didn't confirm or deny the attacks' origins. However, he doesn't believe the attacks are so complicated they must be the work of a government. 
"We can confirm that the attacks being reported are happening; however, the malware being used, known as ItsOKNoProblemBro, is far from sophisticated," wrote Schouwenberg in an e-mail. "It's really rather simple. It's also only one part of the puzzle but it seems to be effective, which is all that matters to the attackers. Going strictly by the publicly known technical details, we don't see enough evidence that would categorize this operation as something only a nation-state sponsored actor could pull off."
Claudio Guarnieri, security researcher at Rapid7, agreed the complexity of the attacks is "disputable" and doesn't necessarily mean a government is behind them. 
"The malicious code involved is effective but very simple," wrote Guarnieri. "The link with state-sponsored entities could be justified by the fact that there is no direct gain for the attackers besides the disruption of the targets' operations. However, considering that there is no obvious evidence and that it could potentially be the work of generic cybercriminals, it's hard to confirm it."
Then there's Dancho Danchev's expertly written article "Dissecting 'Operation Ababil' - an OSINT Analysis" which cast doubt on who was actually behind Operation Ababil, my article "Fact-checking the Iranian DDoS Attacks Against US Banks", and Anthony Freed's article "Bank DDoS Attacks: Is it the Russian Mob, Iran, or a False Flag?"

The public statements made by this group sound more like an Anonymous operation than something run by paramilitary Basij members or the IRGC, which is responsible for Iran's offensive cyber operations. The group's announcement of an equation based on page views of the offending film to determine the duration of attacks against the banks is too clever by half to be an official strategy. And at least one announcement failed to capitalize the words "God" and "Prophet" when referring to Allah and Mohammad (the author used lower case "g" and "p" instead of capital letters):
"The table below shows the result of search for the movie that insulted the god, his prophet and Muslims:"
I can't imagine a devout Muslim forgetting to capitalize God or Prophet but remembering to capitalize Muslim. I can imagine that mistake being made by someone who was using religious outrage as a pretense to support a false flag operation with Iran as the victim.

Relations with Iran are already tense. What we don't need is an internationally respected newspaper like the New York Times adding fuel to the fire by putting their name behind a story that presents no evidence and no objective examination of the facts by actual authorities in threat research, forensics, and incident response. You guys can and should do a lot better.

Wednesday, 02 January 2013

Five Critical Panels on the Use of Offensive Tactics in Cyberspace

On February 8-9, 2013, 24 world-renowned speakers will address and interact with about 80 attendees from the public and private sectors in a beautiful conference center high above the Potomac river on some of the most important issues in cyberspace - the controversial use of offensive tactics in defending networks (i.e., Active Defense). The full agenda can be seen here, but five critical panels are as follows:
  • How are Russia and Georgia engaging in Active Defense?
    • Featuring Ambassador David J. Smith (ret.) and Ms. Khatuna Mshvidobadze (Georgian Security Analysis Center)
  • How can Duqu, Flame, Gauss, and Shamoon be reconfigured and reused against different victims (i.e., Iran against Saudi Arabia)?
    • Featuring Dr. Boldizsár “Boldi” Bencsáth (Associate Professor, Laboratory of Cryptography and Systems Security (CrySyS), Department of Telecommunications, Budapest University of Technology and Economics) and Brig. Gen. Jim Jaeger (USAF, ret), Vice President of Network Defense & Forensic Services, General Dynamics
  • How Much Leeway is there in the Computer Fraud and Abuse Act and International Law for Offensive Actions in Cyberspace?
    • Featuring Dr. Catherine Lotrionte (Director of the Institute for Law, Science + Global Security, Georgetown University), Mr. Stewart A. Baker (Partner, Steptoe & Johnson), Mr. Frank J. Cilluffo (Director, Homeland Security Policy Institute at George Washington University), and Mr. Marco Obiso (Cybersecurity Coordinator, International Telecommunications Union (ITU))
  • What’s the Downside of Private Sector Offensive Engagement?
    • Featuring Dr. Anup Ghosh (Founder and CEO at Invincea), Mr. Jeffrey Carr (Founder and CEO, Taia Global, Inc.), Mr. David Dittrich (Chief Legal Officer, The Honeynet Project), and Mr. Robert Bigman (former CISO, Central Intelligence Agency).
  • If the ITU Assumes Ownership of the Internet, How May That Impact International Offensive Cyber Operations by Nation States?
    • Featuring Mr. Marco Obiso (Cybersecurity Coordinator, International Telecommunications Union (ITU)), Dr. Catherine Lotrionte (Director of the Institute for Law, Science + Global Security, Georgetown University), Mr. Robert Bigman (former CISO, Central Intelligence Agency), and Brig. Gen. Jim Jaeger (USAF, ret.), Vice President of Network Defense & Forensic Services, General Dynamics
There are only 28 seats remaining and the Early Bird discount expires in one week so register today to be a part of the year's most unique and informative security event - Suits and Spooks DC 2013. If your employer is interested in joining RSA and Basis Technology as a sponsor, please contact me via email for details.


Friday, 26 October 2012

10 Years Ago Today - Another Build-up to War on Bad Intelligence?

10 years ago in October 2002, a National Intelligence Estimate (NIE) was produced whose findings concluded that Iraq had Weapons of Mass Destruction. In February, 2003, SECSTATE Colin Powell addressed the U.N. Security Council on that same subject. His remarks were based entirely on source material vetted by intelligence analysts. That speech was the U.S. case - and his case - for going to war against Iraq. On March 19, 2003, the U.S. invaded Iraq for reasons that later proved false.

It didn't take long for the U.S. and the world to see that the rush to war against Iraq was a colossal error in intelligence and good judgment. Colin Powell to this day regrets the speech he made before the U.N. An investigation into the intelligence failures leading up to war with Iraq - "Report of the Select Committee on Intelligence on the U.S. Intelligence Community's Prewar Intelligence Assessments on Iraq" - laid out the many analytic failures that informed Powell's speech and the Bush Administration's position in minute detail.

Now we seem to be laying the political groundwork for yet another war in the Middle East - this time against Iran. While there's no doubt that Iran wants to acquire nuclear weapons, there's a lot of doubt regarding how close that is to happening. Iran has only been successful at enriching low levels of uranium in low amounts. It's certainly a serious problem and one that needs addressing, but it's not in and of itself sufficient cause to go to war over yet. So let's pile on another layer of threat - Iran's capability to cause a "cyber Pearl Harbor" or the cyber equivalent of "9/11". In order to underscore those threats, Secretary Panetta pointed to two recent cyber attacks: the DDoS attacks against major U.S. banks allegedly performed by an Iranian hacktivist group that no one had ever heard of before, and the Shamoon attacks against Saudi Aramco and RasGas, which the Secretary referred to as a "very sophisticated virus". In reality, Shamoon is neither a virus nor sophisticated. It was a quick and dirty piece of malware (a worm), probably reverse-engineered from the original Wiper (not Flame) that struck Iran's oil ministry back in April. Half of its functionality didn't even work properly due to a coding error. And the DDoS attacks were most likely the work of an Eastern European criminal gang who specialize in banking attacks and decided to mask this one with an Iranian hacktivist false flag.

The bottom line on Iran is that both its uranium enrichment and its cyber warfare capabilities are not fully developed. There are lots of other countries, including the U.S., its allies, and some adversary states, who are far more advanced than Iran in both of those categories. While it's certainly possible that at some point in the future the West will have no choice but to go to war with Iran, we aren't there yet and certainly not for the reasons given by Secretary Panetta. I have nothing but respect for the current Administration but I cannot in good conscience watch a repeat - or what even smells like a repeat - of the 2002-2003 build-up to war with Iraq happen a second time. Not while I have a voice and an opportunity to try to stop it by calling out errors in facts when I see them.

Wednesday, 24 October 2012

Ridiculous Administration Premise on U.S., Iran, and Saudi Aramco

Nicole Perlroth's New York Times story - In Cyberattack on Saudi Oil Firm, U.S. Sees Iran Firing Back - is a ridiculous premise based on confusing hypotheses regarding malware that may not even have come from the U.S. But before I cover that, I'd like to know in what universe a country that was on the receiving end of multiple perceived U.S. cyber attacks goes after an entirely different nation in revenge.

The answer to that rhetorical question is none. There's no logical reason for Iran to attack Saudi Aramco in order to send a message to the U.S. I've written many times my belief that the Aramco attack was Iran sending a message to Saudi Arabia to not increase its oil production because of sanctions imposed on Iran. That may or may not be true but at least it follows a logical order. 

1. Iran makes a threat to SA - Don't increase your oil production. 
2. SA ignores the threat and increases production anyway.
3. Iran destroys Aramco's 2000 servers and 30,000 workstations.

To believe the Times story, the logic would have to flow differently:

1. Iran is hit by malware that it believes was created by the U.S. which destroyed some servers in its oil ministry.
2. It retaliates against the U.S. by destroying servers owned by Saudi Aramco.

Really? Does that make sense to anyone? 

Apart from that glaring logical inconsistency, there's a factual flaw in Ms. Perlroth's reporting that needs to be corrected. No one has a copy of the original Wiper malware that hit Iran's oil ministry last April, so it's impossible to know that it was part of Flame. Further, no one knows who was responsible for Flame because the connection between Flame's creators and Stuxnet/Duqu's creators is limited to the assumption that they "knew each other". That hardly qualifies as coming from the same nation-state. All in all, this article was far below the quality that I've come to expect from Nicole Perlroth. I hope it doesn't serve to aggravate an already tense situation between the U.S. and Iran.

UPDATE (24OCT12): I just spoke with Nicole Perlroth and learned that her article was meant to take a skeptical view of the administration's campaign to pin cyber attacks on Iran. I reread the article and I'm still not clear on which points she was being skeptical about; however, based upon my respect for her past research, I've changed the name of this post to "Ridiculous Administration Premise ..." instead of "Ridiculous NY Times Premise" since that was Ms. Perlroth's intent - to express skepticism of the Administration's position on this issue.

Tuesday, 16 October 2012

My Talk on Cyber Warfare and China's Active Defense Strategy

I'm very pleased to be able to announce that I'll be speaking at The New York Military Affairs Symposium in New York City this Friday, October 19th with renowned historian Dr. John Prados. If you're in the city or close by, please attend and introduce yourself. My portion of the evening will include a discussion of China's use of Active Defense as part of its informatized warfare strategy (China doesn't use the term "cyber warfare"). I'll also include comments on SECDEF's recent speech, Iran's cyber operations, and the attack against Saudi Aramco's facility.

Also, if you're in or near the Boston area, it's not too late to register for Suits and Spooks. Dale Peterson of Digital Bond's talk on how to simultaneously compromise multiple power facilities is going to blow everyone away, and rather than hearing whispers about Israel's cyber capabilities, a former IDF hacker will tell you first hand how he and a red team would run a full spectrum (cyber and kinetic) offensive op against a power plant. The full agenda and registration info can be seen at the above link. Don't miss this one.


Friday, 28 September 2012

Fact-checking the Iranian DDoS Attacks Against US Banks

There's a boat-load of misinformation being dispensed by CNN and Bloomberg about the DDoS attacks targeting our largest U.S. banks. Since this involves erroneous quotes from certain cyber security executives along with a U.S. Senator, I think a little fact-checking is in order.

Bloomberg: "Cyber attacks on the biggest U.S. banks, including JPMorgan Chase & Co. (JPM) and Wells Fargo (WFC) & Co., have breached some of the nation’s most advanced computer defenses and exposed the vulnerability of its infrastructure, said cybersecurity specialists tracking the assaults."

FALSE. This was a Distributed Denial of Service (DDoS) attack. Nothing was "breached". The web servers which hosted the banks' online services were flooded with more requests than they could handle, and so became unavailable.

Bloomberg: "Such a sustained network attack ranks among the worst-case scenarios envisioned by the National Security Agency, according to the U.S. official, who asked not to be identified because he isn’t authorized to speak publicly."

FALSE. There's no one that I know at the NSA (past or present) who believes that customer inconvenience resulting from a DDoS attack against their bank's website is a "worst-case scenario". That's utterly ridiculous.

Bloomberg: "The initial planning for the assault pre-dated the video controversy, making it less likely that it inspired the attacks, according to (Dmitri) Alperovitch and (Rodney) Joffe, both of whom have been tracking the incidents. A significant amount of planning and preparation went into the attacks, they said. “The ground work was done to infect systems and produce an infrastructure capable of launching an attack when it was needed,” Joffe said."

CNN: "To get hold of all the servers necessary to launch such huge attacks, the organizers needed to plan for months, Alperovitch said. The servers had to be compromised and linked together into a network called a "botnet.""

FALSE. This attack did not take months to plan for two reasons: 1) This was a crowd-sourced opt-in botnet commonly used in social activism (aka hacktivist) attacks, and 2) No one needs to create a botnet from scratch anymore. You can find them to rent on pretty much any hacker forum world-wide.

CNN: "Sen. Joe Lieberman, an Independent from Connecticut, said in a C-SPAN interview on Wednesday that he believed the attacks were launched by Iran.
"I don't believe these were just hackers who were skilled enough to cause disruption of the websites," he said. "I think this was done by Iran ... and I believe it was a response to the increasingly strong economic sanctions that the United States and our European allies have put on Iranian financial institutions."

BULLSHIT. There are lots of good reasons for tensions to exist between Iran and the U.S. but this isn't one of them. If you read the excellent open source analysis done by Dancho Danchev you'll see that this was nothing more than Islamic activists protesting the "Innocence of Muslims" video.

Pastebin notice by Qassam Cyber Fighters group
If Senator Lieberman thought this would be a good opportunity to do some Iran-bashing in order to drum up support for his cyber security legislation, he miscalculated. This statement by the Senator only serves to reinforce the feeling by many that Congress is out of touch with the problem and is in no position to create new cyber security controls or policies.

Monday, 10 September 2012

Why Wasn't Saudi Aramco's Oil Production Targeted?

The recent cyber attack against Saudi Aramco resulted in the destruction of thousands of servers and hard drives. Replacement costs along with incident response fees had to have exceeded US$15 million. While it's true that oil production and distribution were not affected, it may be because they weren't targeted.

It's not because Saudi Aramco's network security prevents such attacks from happening. I'm sure that the company has done everything that it can to implement best practices but that's not enough to stop a dedicated attacker. And today, with the amount of open source data on SCADA exploits available combined with the alleged existence of hostile insiders working for the company, it could have been easily done. So why didn't it happen this time?

Saudi Aramco is a state-owned company, so an attack against it is equivalent to an attack against the Kingdom of Saudi Arabia. If the outcome of a cyber attack is principally financial with some disruption to business processes, then it will probably be treated as a criminal matter. If the attack resulted in a disruption of oil production and/or delivery, it would almost certainly be treated as an attack against a military objective (see Section 4 "Attacks Against Objects" of the Tallinn Manual on the International Law Applicable to Cyber Warfare for an in-depth discussion of this legal term of art).

Iran is a possible suspect in the Shamoon attack and had it targeted one of Aramco's SCADA systems, then what was probably a warning to Aramco not to increase its oil production would almost certainly have been treated as an act of war instead. The IRGC which is in command of Iran's cyber warfare units would know that. Whether it was the IRGC or a proxy Iranian hacker group working on their behalf, Iran knows better than to do anything that would interrupt the world's oil supply.

UPDATE (14SEP12): I've edited this post to correct some errors in my original post regarding the types of operating systems used at Aramco.

Monday, 27 August 2012

Who's Responsible for the Saudi Aramco Network Attack?

Saudi Aramco R&D headquarters
At least three different hacker groups have claimed responsibility for the August 15th, 2012 attack against Saudi Aramco's network, which damaged 2000 servers and up to 30,000 workstations but failed to impact the segregated production and exploration networks. Only two of the three groups are named, and neither of the two has an Internet history associated with its name.

The first, which calls itself the Arab Youth Group, uses terms like "evil Al-Saud" and "Al-Saud traitors" and specifically refers to Lebanon and the Forqan War (aka Operation Cast Lead 12/2008-1/2009) which at least one Iranian hacker crew - the Ashiyane Security Group - participated in.

The second hacker group calls itself the Cutting Sword of Justice. They posted multiple pastebins containing proof of the scale of the attack in the form of compromised IP addresses of servers. They also posted the start date and time, which corresponds to the code string found in Shamoon. Their posts lacked the religious phrasing of the Arab Youth Group and emphasized "tyranny" and "oppression" instead.

The third hacker group is the one which announced a second attack on 25 Aug 2012 at 2100 GMT in order to prove that they didn't need an insider's help. That attack doesn't appear to have been successful. The Cutting Sword of Justice specifically referred to them as a separate group, and their phrasing and word choice is different from that used by the Arab Youth Group. This third group seems to be a latecomer and can be dismissed as an active participant in the attack. And while the Arab Youth Group and Cutting Sword of Justice have claimed responsibility, the timing and circumstances of the attack elevate it beyond either of those groups' ability to conduct it alone.

Iran and Hezbollah
According to the analysis that's been done on Shamoon by Kaspersky Labs, it appears to be related to the Wiper virus that struck Iran's oil ministry last April. None of the security labs have a copy of Wiper but since Iran was the victim, it would be in the best position to produce a similar or reverse-engineered version that Kaspersky has named Shamoon.

Hezbollah, a Shi'a militant group based in Lebanon, receives financial and political support from Iran. Since Hezbollah members include hackers, and since Iran decided to recruit hackers to join the ranks of its Basij paramilitary corps in late 2010, Hezbollah's possible involvement in this attack against Saudi Aramco must be properly evaluated.

In fact, a Saudi Arabian minister in 2007 was quoted in a U.S. diplomatic cable in which he expressed his fear that Saudi Aramco had some employees who were members of Hezbollah and who were in a position to disrupt oil production.

Lebanese Shi'a Questioned
According to this Arabic website, up to 70 Aramco employees, including Lebanese Shi'a, are being investigated for involvement in the attack. There's not enough information to know if they were investigated because their religious beliefs made them suspect or because there was evidence connecting them to the attack. Knowledgeable sources have told me that this number of suspects has been reduced from 70 to 20.

Tension between Iran and Saudi Aramco Over Oil Embargo
The stated motivation for this attack by the Arab Youth Group and Cutting Sword of Justice is a nebulous religious objection which completely fails to acknowledge recent events related to the oil embargo placed upon Iran by the U.S. and European Union that went into effect on July 1, 2012. Is it just coincidence that these groups attacked now? More likely, in my judgment, is that this attack represents retribution for Saudi Arabia's Foreign Minister Prince Saud al-Faisal saying that talks with Iran are a waste of time and that the oil embargo should proceed as planned.

To add fuel to this fire, on July 20 India's Mangalore Refinery & Petrochemicals Limited "bought Azeri, Saudi and Emirati crude to replace imports from Iran in July 2012 and it may halt purchases from Tehran altogether as sanctions make shipments more difficult." Iran responded with a threat to close the Strait of Hormuz if sanctions weren't revoked; however, that same threat has been made many times before and Iran has never carried it out. A much more likely form of retribution, and one that's considerably safer for Iran, is to sponsor a damaging network attack against Saudi Aramco through a proxy like the Arab Youth Group.

Summary
Iran is at the center of every significant aspect of this attack. It is the only nation with access to the original Wiper virus from which Shamoon was copied. Iran is angry at Saudi Aramco for offsetting Iran's drop in oil production due to the embargo that started 45 days prior to the attack, which gives it motive. It supports a militant organization (Hezbollah) that uses hackers and which allegedly has members employed at Saudi Aramco, which gives it opportunity and access. While the involvement of both the Arab Youth Group and the Cutting Sword of Justice gives it the appearance of a mere hacktivist attack, I think that a careful analysis of the known facts points to a state-sponsored attack by Iran that was crafted to look like the work of hacktivists. Perhaps Iran has learned something from Russia about the strategy of misdirection via the government's recruitment of patriotic hackers.


RELATED:
Lessons for CEOs from the Saudi Aramco Breach
Was Iran Responsible for Saudi Aramco's Network Attack?
Saudi Aramco's Security Nightmare: Poor Design, Corrupt Contractors, and More
Operations Security at Saudi Aramco? Zero.

Wednesday, 22 August 2012

Was Iran Responsible for Saudi Aramco's Network Attack?

I've heard speculation from more than one source in Saudi Arabia that the malware attack against Saudi Aramco's network was an Iranian operation to discourage Saudi Aramco from increasing its oil production to compensate for Iran's decrease in oil deliveries due to sanctions imposed on it by the U.S. and European Union. Iran warned Saudi Arabia against boosting production last January after the Kingdom's oil minister pledged to boost production if there was a demand for more oil.

The attackers who call themselves the "Cutting Sword of Justice" probably used Shamoon (Symantec's W32.Disttrack). It destroyed 2000 servers and affected business operations based upon this list of affected IP blocks. It looks like Iran tried to mimic the Wiper virus that was used against its oil ministry last April. Kaspersky called Shamoon a copycat of Wiper. The differences were:
The original “Wiper” was using certain service names (“RAHD...”) together with specific filenames for its drivers (“%temp%\~dxxx.tmp”) which do not appear to be present in this malware. Additionally, the original Wiper was using a certain pattern to wipe disks which again is not used by this malware.
It's also important to note that Wiper was not Flame; they are two distinct and separate pieces of malware, and the investigation of Wiper led to the discovery of Flame. Since none of the software security companies have a complete copy of Wiper, it makes sense to me that Iran, the victim of the Wiper attack, reverse-engineered or at least mimicked it to create Shamoon. Kaspersky Labs noted that the start date of the Aramco attack was August 15 11:08 AM (Arabia Standard Time - AST) per the attackers' first pastebin posting. This exactly corresponded with a date and time found in the code, "15th August 2012 08:08 UTC". The difference between UTC and AST is +3 hours.

Iran has been known to use its indigenous hacker population to run state-sponsored attacks in the past during Operation Cast Lead (Ashiyane Security Group). Other well-known and highly skilled Iranian hackers include the Iranian Cyber Army and ComodoHacker.

I understand that Aramco has been vigorously investigating the attack to determine how their network was compromised and that some firings of employees and contractors have already occurred. I've asked Saudi Aramco's public affairs office for a comment but so far no one has returned my call.

UPDATE (23AUG12): I've received new information from knowledgeable sources that the attack vector for delivery of the worm was via a USB stick inserted into a workstation at one of Aramco's global offices (not in Saudi Arabia). Further, the timing of the attack was carefully chosen to be one hour before the end of the work day, which was the end of the month of Ramadan and the start of the Eid holiday.

RELATED:
Saudi Aramco's Security Nightmare: Poor Design, Corrupt Contractors, and More
Operations Security at Saudi Aramco? Zero.


Sunday, 19 August 2012

Saudi Aramco's Security Nightmare: Poor Design, Corrupt Contractors and More

After Friday's blog post on Saudi Aramco's lack of Operations Security involving its network infection by Shamoon, I was contacted by a former Aramco IT employee who provided me with a lot more background on just how bad the security situation is at the world's largest oil producer. My contact's career with Saudi Aramco spanned over 30 years dating back to the late 80's when by royal decree the Arabian American Oil Company became the Saudi Arabian Oil Company or Saudi Aramco.

In 2010, the Financial Times estimated Saudi Aramco's value at "$7,000bn, 40 times Shell's market capitalisation and double that of the entire London Stock Exchange." A 7 trillion dollar valuation makes Saudi Aramco the most valuable company in the world. From an intellectual property perspective, the company owns over 100 patents and employs over 500 engineers and scientists in two R&D facilities:
  1. "Exploration and Petroleum Engineering Center Advanced Research Center (EXPEC ARC) which is solely managed by Exploration & Producing and focuses on upstream research"
  2. "The Research and Development Center (R&DC), which focuses on downstream research and includes bio-research. Leading research undertaken at these two major facilities provides Saudi Aramco with competitive technology solutions throughout the vast range of its petroleum-related activities"
I'm including data on Aramco's R&D and patents because, in my professional judgment, that's the best way for CEOs and Boards of Directors to plan for and justify their IT security budget: as a percentage of their annual R&D investment. While it's clear that Aramco has a lot to protect, what's not clear is why Aramco's leadership has made so many bad decisions or received such bad security advice. The following information in italics comes directly from the emails that I received and, in my opinion, helps explain why the company is struggling to defend against what Kaspersky Labs has called the work of some "script kiddies". More importantly, if the information below is accurate, then the company has probably experienced multiple breaches that it never discovered: breaches targeting its R&D, mining data, or other valuable IP over the course of several years, just as many other oil and mining companies in the U.S., Australia, Brazil, Canada, and elsewhere have reported.

Here are the issues:

All Services On One SAP System
"The first mistake was Aramco's continued work on migrating all of its services to SAP regardless of the type of service. An employee can get an employment certificate through SAP and at the same time can get a gate pass from the same system. One is an EIS function while the other is a security function. Not only that but also doctors prescribe medications on the same system and the hospitals and pharmacies are run through this part of SAP."

Security Administered by Part-time Contractors
The second major mistake is when Aramco trusted the security and administration of all of its systems to contractors instead of its own IT staff. To be more clear, those contracted firms use temporary manpower to manage the networks.

The contractors I am talking about are "Local companies" newly established to provide IT services to Aramco. For example, if Aramco wants to install new stations in a department or a unit, then one of those contractors will provide the stations, install the SAP interface and other applications, connect the stations to the network, and add the users to the system. This is how open the system is.

If an employee has a problem on his/her station, then the employee will have to dial "904, The Help Desk" where a contractor employee will issue a trouble ticket, and another contractor employee will remotely use "Remote Desktop" or similar functions to solve the issue.

Insider Threat 
Those contracted companies hire employees from Asian countries for low salaries and have them do this work. If any of those workers gets a better deal somewhere else, he will quit the IT function and go. But those contracted workers can go to Dubai or Qatar if they find better deals. And in this case, they know more than enough about Saudi Aramco's systems. They can go to Iran and work there with this information.

Corruption in Out-sourcing Contracts
The outsourcing business started in the mid-nineties. It was whispered to be a product of the start of corruption in the corporate management. It was rumored that each of those outsourced contractors is being fostered by a big figure in management in a way that is difficult to verify.

Each of these is a major problem on its own, but combined they mean that Saudi Aramco has placed itself in an indefensible position with a massive threat landscape. Sadly, Aramco's leadership seems to be targeting loyal employees for responsibility rather than the local contractors whose poor security practices are to blame. The good news is that all of these problems are reversible if Saudi Aramco's President is willing to pursue more informed options on how the state-owned company should handle its network security.

UPDATE (20AUG12: 0655 PDT): A contact at Aramco has informed me that at one of the oil plants, the gate access system and intruder detection systems are down.


RELATED:
Lessons for CEOs from the Saudi Aramco Breach
Was Iran Responsible for Saudi Aramco's Network Attack?
Operations Security at Saudi Aramco? Zero.

Tuesday, 14 February 2012

Cyber Threats Require An Expansion Of The Sensitive Countries List

The website Public Intelligence has released Sandia National Labs and the Department of Energy's Sensitive Countries List. This is a list of 26 countries where approval is required for a visit or an assignment by a DOE employee because the country is known to engage in activities which may be contrary to the interests of the U.S. Of those 26 countries, I've identified 11 that are also developing CNO (Cyber Network Operation) capabilities, including CNE (Cyber Network Exploitation):
  • Democratic People's Republic of Korea (North Korea)
  • People's Republic of China (including Hong Kong)
  • Georgia
  • India
  • Iran
  • Israel
  • Kyrgyzstan
  • Russian Federation
  • Syria
  • Republic of China (Taiwan)
  • Ukraine
There are actually many more countries with these capabilities that do not appear on the Sensitive Countries List, and I'm hopeful that this will change in the next few years.

Sunday, 18 December 2011

Just How Vulnerable To Attack Are U.S. Drone Operations?

GAO Reports Ongoing U.S. Air Force Vulnerabilities 


The alleged downing of an RQ-170 by Iran has raised a lot of public attention to existing problems in how the Air Force is managing its Unmanned Aerial Systems. As I reported earlier, an unknown person with FOUO access uploaded an Air Force report to the Public Intelligence website that detailed some of those vulnerabilities one day after Iran announced its capture. On Saturday another FOUO document appeared on PublicIntelligence.net regarding Afghan drone operations by the US Marine Corps. The Government Accountability Office (GAO) has produced quite a few reports that delineate numerous problems with Unmanned Aerial Systems over the past few years, some as far back as 2008. Some of the problems identified back then have yet to be fixed, such as the lack of a redundant satellite relay site (GAO report 10-331).

The above graphic illustrates the command and control framework that's in place for Predator, Reaper and Global Hawk UAS missions that support contingency operations in Iraq and Afghanistan. A ground control station in the U.S. takes control of the aircraft. A satellite relay site at a fixed location outside of CONUS relays signals from the ground control station to the UAS. Any disruption at the satellite relay site would impair the operation of the aircraft. While the Air Force has told the GAO that they're working on implementing a redundant system to solve this problem, as of March 2010 they "had not conducted a detailed analysis of these options to determine the extent to which they would provide for the continuity of UAS operations, or established a specific milestone to formalize a plan that could be implemented quickly in the event of a disruption." Furthermore, the Air Force didn't anticipate bringing a redundant satellite system online until fiscal year 2012 at the earliest.

Two other detailed examinations of vulnerabilities present in the Air Force's UAS operations are in the following GAO reports (FOUO):
  • GAO, Defense Critical Infrastructure: DOD’s Evolving Assurance Program Has Made Progress but Leaves Critical Space, Intelligence, and Global Communications Assets at Risk, GAO-08-828NI (Washington, D.C.: Aug. 22, 2008)
  • GAO, Defense Critical Infrastructure: Additional Air Force Actions Needed at Creech Air Force Base to Ensure Protection and Continuity of UAS Operations, GAO-08-469RNI (Washington, D.C.: Apr. 23, 2008)
Cyber Attacks Against Unmanned Aerial System Producers and Developers
The above table of U.S. UAS Producers and Developers comes from the Department of Commerce's Flight Plan 2011 (.pdf). Of the 11 companies listed, the following have acknowledged that they have been the victim of cyber attacks: Boeing, Lockheed Martin, Northrop Grumman, and Raytheon. Most likely all 11 of these companies, as members of the Defense Industrial Base, would fall into that category, but the above four have gone publicly on record that they are constantly defending against malicious network attacks. However, this reflects only a tiny portion of the attack surface for an adversary who's looking to acquire intelligence on operations or R&D. Globalization has extended an adversary's ability to compromise UAS company networks by attacking affiliates or sub-contractors. For example, Japan's UAV association membership includes Mitsubishi Heavy and Kawasaki Heavy, both of whom were hit with simultaneous cyber attacks last summer and both of whom regularly engage with U.S. defense contractors such as Boeing on various projects.

Europe has 153 UAS producers and developers, some of whom are giant companies like EADS and BAE. BAE was implicated in the massive theft of data from the F-35 Joint Strike Fighter program in 2009, when it was believed that access to the data was gained by breaching BAE's network. It's impossible to know how many of those 153 companies have suffered attacks against their networks, but considering the value of this technology and the rapidly growing demand for drone aircraft worldwide, it would be naive to believe that any of their networks could withstand a targeted attack.

The most important outcome from Iran's capture of the RQ-170 should be an in-depth vulnerability assessment of both U.S. intellectual property and operational vulnerabilities of our Unmanned Aerial System aircraft. This must include an international analysis of partnering companies like Boeing-Mitsubishi, Lockheed Martin-BAE, Insitu-ADASI, and many others. The worst outcome is blind denial that Iran or other U.S. adversaries are capable of compromising U.S. drone operations.

Thursday, 15 December 2011

Iran to put 3 U.S. Drones and 4 Israeli Drones on Public Display

Iranian cartoon (FARS)
Here's some disconcerting news from an Israeli news source. FARS has reported that the government of Iran possesses not one but 3 U.S. drones and 4 Israeli drones, all of which will be put on display and open to foreign ambassadors for inspection. The same article reports that an Iranian government official has traveled to Moscow to discuss Russia's request to examine the RQ-170. If Russia gets permission, China's next.

FARS has also been busy running its own Information Operations campaign mocking the U.S. and President Obama for asking Iran to return the drone. I'm not sure who in the White House thought that was a good idea but he needs to be fired.


Friday, 09 December 2011

Open Source Analysis of the RQ-170 Stealth Sentinel Loss to Iran

Courtesy of Recorded Future: https://www.recordedfuture.com/rf/s/2z0Cm4
The loss of the RQ-170 Stealth Sentinel drone to Iran is potentially one of the most critical events that has occurred in 2011 because it implies an offensive electronic warfare or cyber capability that no one expected Iran to have. Now that Iran has released a video of the captured drone and the U.S. government has confirmed that it's authentic, it's clear that the original FARS report claiming that it was captured via electronic means may have been accurate, in spite of unanimous Western media reports to the contrary (i.e., that it was shot down).

EMEA's strategic intelligence report on the RQ-170 says that the Stealth Sentinel is a high altitude and long endurance unmanned aerial vehicle (UAV) designed and manufactured by Skunk Works, a division of Lockheed Martin Corporation, for the United States Air Force (USAF). According to EMEA:
The UAV can capture real time imagery of the battlefield and transfer the data to the ground control station (GCS) through a line of sight (LOS) communication data link. The 27.43m wide and 1.82m high aerial vehicle was designed to execute intelligence, surveillance, reconnaissance and target acquisition (ISTAR) and electronic warfare missions over a target area.
According to Earl Lum, President of EJL Wireless Research LLC, what is supposed to happen when an Unmanned Aerial Vehicle (UAV) like the RQ-170 loses its comms link is that it should autonomously follow a pre-programmed lost-link profile consisting of waypoints at various altitudes, forming a loop, until it re-establishes contact or crashes. Today, the communication link for UAVs is typically LOS (line of sight). If the aircraft falls below the mountains and loses LOS, it is supposed to then go through this process. However, while this applies to UAVs in general, it may not be the case with the RQ-170.

Navigation technology
According to the EMEA report, the RQ-170 can be controlled either manually from the GCS or in autonomous mode. An automatic launch and recovery (ALR) system enables the aircraft to land safely when communication with the control station fails.

Ground control station
The GCS of the RQ-170 displays the real-time imagery or video captured by the vehicle's onboard payload cameras. The data supplied by the vehicle is retrieved, processed, stored and monitored at the control station, which was designed and built by Skunk Works. The GCS tracks, controls and monitors the RQ-170 by transferring commands to the vehicle via LOS SATCOM data link. The Sentinel is operated by the 432nd Wing of Air Combat Command (ACC) at Creech Air Force Base, Nevada, and the 30th Reconnaissance Squadron at Tonopah Test Range, Nevada.

Related cyber incidents that may have compromised the RQ-170:
- A South Korean newspaper, JoongAng Daily, reported in December 2009 that the RQ-170 was flight tested in South Korea to supersede the U-2 aircraft at Osan Air Base for carrying out missions over North Korea. North Korea is an ally of Iran and has conducted offensive CNE (Computer Network Exploitation) and CNA (Computer Network Attack) missions against South Korea repeatedly for several years. It's unknown what information has been stolen; however, this type of intelligence is highly sought after, and it's reasonable to assume that the DPRK would include it on a CNE acquisitions list.
- Lockheed Martin reported a cyber attack in June 2011 that lasted about one week. LM didn't report what was taken; however, as with the DPRK example, UAV research has been targeted at U.S. defense firms as late as this past summer, according to my own confidential sources.
- Creech Air Force Base experienced a malware infection that impacted its UAV Ground Control Stations in October 2011. Its public report on the incident was confusedly written and lacked details regarding the malware involved, its propagation and its remediation.

Summary
The objective of this article is to assess possibilities. Based on EMEA's report on the RQ-170, it appears that the drone had the ability to land itself without operator control. I'd appreciate hearing from any experts who can confirm whether that's the case or not. If it is, then Iran may have lucked out. If it isn't, then Iran's claim that it used its electronic warfare capacity to assume operational control of this substantial U.S. military asset appears to be true. Considering how easy it is for an adversary to conduct CNE against targeted U.S. networks, this is probably a capability that they obtained from one of many mercenary hacker crews who engage in that type of activity. While the scope of this article is hypothetical, the CNE targeting of UAV R&D is a fact borne out by my own company's work in this area. Iran may or may not have that capability now, but eventually it will. The RQ-170 event should be a massive wake-up call for the U.S. Air Force to reinstall a self-destruct capability, harden the RQ-170's operating system, and examine potential vulnerabilities in its UAV fleet supply chain.

UPDATE (1528 PST 09DEC11): From an article in today's SF Gate:

The most frightening prospect raised by what appears to be a largely intact Sentinel is that the Iranians' second claim about how they brought it down -- by hacking into its controls and landing it themselves -- might be true, said a U.S. intelligence official, who spoke only on the basis of anonymity because the RQ-170 is part of a Secret Compartmented Intelligence (SCI) program, a classification higher than Top Secret.
The official said the possibility that the Iranians or someone else hacked into the drone's satellite communications is doubly alarming because it would mean that Iranian or other cyber-warfare officers were able to disable the Sentinel's automatic self-destruct, holding pattern and return-to-base mechanisms. Those are intended to prevent the plane's secret flight control, optical, radar, surveillance and communications technology from falling into the wrong hands if its controllers at Creech Lake Air Force Base or the Tonopah Test Range, both in Nevada, lose contact with it.
UPDATE (1708 PST 22DEC11): Cryptome has an interesting thread on the use of the RSA cipher to protect the GPS Red band used on military systems like the RQ-170. This suggests that data from the RSA breach last March may have been shared with the Iranians.

UPDATE (0715 PST 05JAN12): AviationWeek has an excellent technical article on the F-22 technology used on the RQ-170.

Related:
Was Iran's Downing of RQ-170 Related to the Malware Infection at Creech AFB?
How Iran May Have Captured An RQ-170 Stealth Drone
U.S. Air Force Demonstrates How Not To Report A Malware Attack


Tuesday, 06 December 2011

How Iran May Have Captured An RQ-170 Stealth Drone

On December 4th, the Iranian FARS news agency announced that the electronic warfare group of the Iranian military took over the operations of a very sophisticated, unmanned RQ-170 Stealth Sentinel drone along the border between Afghanistan and Iran. NATO acknowledged that operators lost control of a drone in that area one week ago, but that doesn’t necessarily mean that Iran was responsible. Iran has lied about drone captures before and they may be lying this time, but there are at least four good reasons why they may have succeeded.
  1. Through my company’s work in this area, I know that Unmanned Aerial Vehicle (UAV) technology is actively being targeted and acquired via acts of cyber-espionage. This includes research in the Narrowband spectrum, which is how UAVs receive their commands.

  2. It’s not enough to know that Narrowband technology is used. An adversary would need to know the specific frequency in order to assume control of the vehicle. That obstacle may have been solved in October with the discovery of “credential-stealing” malware infecting the Ground Control Stations at Creech AFB. If the UAV operators (or pilots) entered the narrowband frequencies used to control their drones on a keyboard, and that keyboard was infected with a keylogger, that information would be captured and delivered to a command and control server and then collected by whoever was responsible for the attack.

  3. The RQ-170 Stealth Sentinel, the Reaper and the Predator drones are all operated by pilots manning ground control stations at Creech AFB. The Air Force has not been forthcoming with details of the malware attack nor its remediation, and the information that it has provided has been vague and misleading.

  4. Thanks to Stuxnet, Iran is spending a lot of money to ramp up its cyber warfare capabilities, and it's highly motivated to obtain some "get-back" against the U.S. since it believes that the U.S. and possibly Israel are responsible for the Stuxnet attack.

No one will know for sure if Iran successfully launched a cyber attack against “The Beast of Kandahar” (as the RQ-170 is called) unless Iran presents proof, but its intent to do so is real; the theft of related technology is real; the lapse in cyber-security at Creech AFB was very real, and the Air Force would be well-advised to take this threat seriously and re-evaluate the vulnerabilities that exist today in its UAV fleet.

RELATED:
Danger Room - Wired.Com: Iran Probably Did Capture A Secret U.S. Drone
Was Iran's Downing of an RQ-170 Related to the Malware Infection at Creech AFB?
U.S. Air Force Demonstrates How Not To Report A Malware Attack

Sunday, 04 December 2011

Was Iran's Downing of RQ-170 Related to the Malware Infection at Creech AFB?

The Washington Post has reported that Iran's cyber warfare unit took over the controls of a Lockheed Martin RQ-170 Sentinel stealth drone flying over Eastern Iran and landed it with minimal damage. As of this writing, the U.S. Air Force hasn't yet confirmed or denied the attack. I've left a message with the on-call PA officer at Creech Air Force Base, which is the home of the 432d Wing which flies RQ-170 Sentinels according to this factsheet.

Creech Air Force Base, as you may recall, suffered a malware infection of its Reaper and Predator Ground Control Stations last October. After Noah Shachtman broke the story, the Air Force issued a press release claiming that the malware was a simple "credential stealer" and not a "keylogger", which is a distinction without a difference as I pointed out here. Approximately one and a half months after the Air Force issued that statement, Iran claims to have successfully compromised the flying operations of one of its drones - possibly flown out of the same Air Force base.

Iran's Cyber Warfare Capabilities

Note: The following assessment comes from chapter 16 of the 2nd edition of Inside Cyber Warfare, due out this month:
In 2010 the Iranian Islamic Revolution Guards Corps (IRGC) set up its first official cyber warfare division. Since then, its budget and focus have indicated the intention of growing these cyber warfare capabilities. Education is considered a top priority in the strategy, with increased attention to computer engineering-specific cyber security programs. The IRGC budget on cyber capabilities is estimated to be US$76 million. The IRGC’s cyber warfare capabilities are believed to include the following weapons: compromised counterfeit computer software, wireless data communications jammers, computer viruses and worms, cyber data collection exploitation, computer and network reconnaissance, and embedded Trojan time bombs.
The cyber personnel force is estimated to be 2,400, with an additional 1,200 in reserves or at the militia level. In June 2011 Iran announced that the Khatam al-Anbiya Base, which is tasked with protecting Iranian cyberspace, is now capable of countering any cyber attack from abroad, a claim that will likely be tested soon given the volatile nature of cyberspace. In August 2011 Iran challenged the United States and Israel, stating that they are ready to prove themselves with their cyber warfare capabilities. Should the Iranian cyber army be provoked, Iran would combat these operations with their own “very strong” defensive capabilities.
In my opinion, the U.S. Air Force needs to respond to this claim by the Iranians quickly and authoritatively because its lackluster conduct regarding the initial infection found at Creech makes this claim by Iran more believable, not less.

UPDATE (1121 04DEC11): CNN quotes a U.S. official confirming that an operator lost flight control of an RQ-170 Sentinel over Western Afghanistan (which borders Eastern Iran).

UPDATE (1807 04DEC11): Western sources are reporting that the RQ-170 drone was shot down; however, FARS quoted an Iranian military official saying that it was taken down via electronic means "with electronic war units" and with minimal damage, which makes this a cyber attack. The Al-Jazeera story is here.

Wednesday, 28 September 2011

28 Nation States With Cyber Warfare Capabilities

The 2nd edition of Inside Cyber Warfare: Mapping The Cyber Underworld will contain 4 new chapters plus a new Foreword by former DHS Secretary Michael Chertoff and an Afterword by Professor Catherine Lotrionte of Georgetown University. One of those chapters is entitled "Cyber Warfare Capabilities By Nation State". For those of you who can't wait for the 2nd edition to come out, here are the 28* States (originally listed as 27):

  1. Australia
  2. Brazil
  3. Canada
  4. Czech Republic
  5. Democratic People's Republic of Korea
  6. Estonia
  7. France
  8. Germany
  9. India
  10. Iran
  11. Israel
  12. Italy
  13. Kenya
  14. Myanmar
  15. Netherlands
  16. Nigeria
  17. Pakistan
  18. Peoples Republic of China
  19. Poland
  20. Republic of China (Taiwan)
  21. Republic of Korea
  22. Russian Federation
  23. Singapore
  24. South Africa
  25. Sweden
  26. Turkey
  27. United Kingdom
  28. United States*
This is not a complete list, but it's a start. We may roll it over into an updatable website and add the states that we missed for the book (e.g., all of the members of the Commonwealth of Independent States, additional states from Africa and South America, etc.).

* UPDATE: (29 Sep 2011) I left the U.S. off the original list because it's covered under one of the other new chapters! Sorry, everyone. :-D
