Malware: The new face of Espionage

As media headlines continue to profile suspected cyber-attacks on key assets and the extended military supply chain, David Gray from VEGA’s Cyber Security team investigates the nature of the attacks and what our armed forces can do to reduce the risk of strategic national defence systems being compromised.

Introduction

These days we only have to open a newspaper or read our favourite news blog to read about the latest business that has had its Intellectual Property stolen by hackers, or its website defaced or taken down by a Distributed Denial of Service (DDoS) attack. So you would think that, given the mission criticality of military systems, this sort of thing would not happen to them, right? Wrong.

In October 2011 various news channels reported that US Military Drones had been infected with a mysterious computer virus which logged pilots’ every keystroke as they remotely flew missions over Afghanistan and other warzones. The virus detected by the military’s Host-Based Security System did not prevent pilots at Creech Air Force Base in Nevada from flying their missions overseas, nor were there any confirmed incidents of classified information being lost or sent to an outside source. However, the virus resisted multiple efforts to remove it from Creech’s computers.

So how could this happen?

Since their invention in World War II, computer systems have had close links with defence. From ENIAC (Electronic Numerical Integrator and Computer), designed to calculate artillery firing tables for the US Army Ballistic Research Laboratory, through AMRAD (Automated Messaging Routing and Distribution), the Ministry of Defence’s (MOD) messaging system in the 90s, to the modern bespoke equipment within aircraft, ships and tanks, militaries around the world have always been heavily involved with the development of new computer systems.

However, development has its cost, and with the world’s modern military organisations experiencing severe budget cuts, ‘bespoke’ has, for the most part, become a thing of the past. Most military systems purchased over the past decade have therefore been Commercial Off The Shelf (COTS).

This has gathered momentum with the wider introduction of Microsoft (MS) software. Bespoke software and hardware now tend to be found only within legacy equipment or within the weapon systems themselves.

Why are we using COTS?

COTS systems are cheap, can be implemented across a large organisation with minimal heartache and, in the case of the military, can be secured with hardware encryption devices. Rolling out new software has minimal impact on operations and is easier to accredit for military systems. For the most part COTS systems have been installed using MS software, which also brings the added advantage of staff already being familiar with the same Operating System (OS). Whilst this approach offers military organisations around the world a known, stable operating system, the cyber risk is increased.

Threat Landscape

If an organisation is known to only utilise one particular type of OS, then hackers and other cyber threats only have one type of system to compromise. When an attacker has gained a foothold into an organisation’s network, it is much easier to extend their reach to other parts of the network. The vast majority of attacks on PCs these days are centred on MS machines (that is not to say however that Apple and Linux/Unix do not have their share of problems). In reality therefore, military computer systems are no different from those used within every other organisation around the world. As such, they are also susceptible to the same threats.

Military assets at risk

The infection of the US Predator and Reaper drones is an all too stark example that military computer networks can be compromised by major worm and virus infections just as easily as those in the private sector. The most recent publicly announced major infection was the Conficker worm, which at its height had infected around seven million government, business and home computers in over 200 countries. It was reported by the BBC and other media sources in January 2008 that the UK’s MOD was infected, with its RESTRICTED network being heavily affected. In some cases the clean-up of networks took months.

According to technology website Wired, a worm named Agent.btz gained access to the US military’s Unclassified and SECRET networks (NIPRNet & SIPRNet). Strategic Command mandated that users were not to use removable media, to prevent further spreading of the worm. An Army email alert was sent out relaying the instructions from STRATCOM, banning the use of removable media: thumb drives, external disks, CDs and DVDs. Whilst this enabled computer security experts to clean up the network, it greatly hampered mission readiness for troops, as the ban affected personnel serving in Afghanistan, where the vast majority of the infected machines were discovered.

These infections underscore the on-going security threats faced by our military’s most important weapon systems.

Whilst none of these infections have so far spread to the weapon systems themselves, personnel were unable to interact with those systems without a PC. In each of the cases above the infections could have been averted: publicly available patches for the vulnerabilities exploited had been available for some time. Most military organisations are no different from their civilian counterparts in that they rely upon a hard outer shell to their networks. Security systems such as Intrusion Detection Systems (IDS), firewalls, anti-virus products and Data Loss Prevention are all utilised at the gateways of military networks. However, the computers within the networks are not always given the same level of protection.

Advanced Persistent Threat

So far the examples discussed have highlighted how malware has infected military and civilian systems alike, the only goal being to infect as many systems as possible for later use by the attacker. But this is the thin end of the wedge. The Advanced Persistent Threat (APT) is a term that has been making headlines around the world in the last few years. Typically this will involve an email written in such a way as to appear innocuous (Spear Phishing) yet carrying an attachment (typically a Microsoft Word or Adobe PDF document) that has been crafted to contain a malicious program. This program exploits an unpatched vulnerability in the computer, giving the attacker control of the machine.

Whilst some vendors are using the term to indicate attacks by hackers on corporate systems, the more appropriate definition is of Nation States utilising computer networks to discover the most closely guarded secrets of a nation, their military and defence contractors.

Such an attack grants a hacker access to machines from which they can explore the network, searching for sensitive information to exfiltrate at a later date. Russia and China are consistently being linked with alleged attacks of this sort.

This is the new face of espionage and, as such, demands the same attention, investment and strategic consideration that is afforded the more traditional threats planned for in any national security strategy.

The Future

As it stands, military organisations are reliant upon their gateway infrastructure to provide a level of security for data entering their networks. This is supplemented with Intelligence support (NSA in the US, GCHQ in the UK) enabling known APT attacks to be thwarted. This unfortunately does not resolve the underlying issue of PCs not being sufficiently patched within these networks.

A rigorous patching system, combined with a proactive and comprehensive monitoring and protection system, will remove the vast majority of avenues for attackers to compromise military systems. However, having a fully patched computer system is only the start; it removes the “low hanging fruit” of publicly available exploits from the attackers’ reach. It won’t stop a highly skilled attacker from researching their own exploits for a very specific attack.
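The patching regime described above only works if it is measured, and the article’s point that gateway machines get more attention than the PCs behind them is exactly the kind of gap a fleet audit should expose. The following is an added example, not code from the article or from VEGA: it checks a constructed host inventory against a constructed minimum-version baseline (the package names, hosts and versions are all made up for illustration), reports every host that is below baseline, and treats a package that a host fails to report as a finding rather than assuming it is patched.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Minimum versions the fleet is expected to run.  This baseline is
# constructed for the example and does not correspond to any real advisory.
BASELINE: Dict[str, str] = {
    "os-kernel": "5.4.12",
    "office-suite": "14.0.3",
    "pdf-reader": "9.4.1",
}


@dataclass
class Host:
    name: str
    role: str                 # "gateway" or "internal"
    packages: Dict[str, str]  # package name -> installed version string


# Constructed inventory: the gateway is fully patched, the internal PCs lag
# behind, and one internal PC does not report a package at all.
INVENTORY: List[Host] = [
    Host("gw-01", "gateway",
         {"os-kernel": "5.4.12", "office-suite": "14.0.3", "pdf-reader": "9.4.1"}),
    Host("ops-pc-07", "internal",
         {"os-kernel": "5.4.9", "office-suite": "14.0.3", "pdf-reader": "9.3.0"}),
    Host("ops-pc-12", "internal",
         {"os-kernel": "5.4.12", "office-suite": "14.0.3"}),  # pdf-reader not reported
]


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted version string such as '5.4.12' into a tuple of integers
    so that versions compare numerically rather than lexically ('9' < '12')."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def audit_host(host: Host, baseline: Dict[str, str]) -> List[str]:
    """Return one finding per baseline package that is below the required
    version or not reported by the host.  'Unknown' is deliberately a finding:
    an unreported package must never be read as a patched one."""
    findings: List[str] = []
    for pkg, required in baseline.items():
        installed = host.packages.get(pkg)
        if installed is None:
            findings.append(f"{pkg}: not reported, cannot verify")
        elif parse_version(installed) < parse_version(required):
            findings.append(f"{pkg}: {installed} below required {required}")
    return findings


def audit_fleet(inventory: List[Host], baseline: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each non-compliant host name to its list of findings."""
    report: Dict[str, List[str]] = {}
    for host in inventory:
        findings = audit_host(host, baseline)
        if findings:
            report[host.name] = findings
    return report


def compliance_by_role(inventory: List[Host], baseline: Dict[str, str]) -> Dict[str, float]:
    """Fraction of fully compliant hosts per role, so the gap between the
    hardened gateway and the internal machines is visible at a glance."""
    totals: Dict[str, int] = {}
    compliant: Dict[str, int] = {}
    for host in inventory:
        totals[host.role] = totals.get(host.role, 0) + 1
        if not audit_host(host, baseline):
            compliant[host.role] = compliant.get(host.role, 0) + 1
    return {role: compliant.get(role, 0) / count for role, count in totals.items()}


if __name__ == "__main__":
    for name, findings in audit_fleet(INVENTORY, BASELINE).items():
        print(name)
        for finding in findings:
            print("  -", finding)
    print(compliance_by_role(INVENTORY, BASELINE))
```

On the constructed inventory the gateway comes out fully compliant while both internal PCs are flagged, which is the “hard outer shell” pattern the article describes; in practice the inventory would be fed from whatever asset or endpoint management system the network already runs, and the per-role figures are what a commander would track over time.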

So what more can be done? A first step towards greater resilience is building Security Enforcing Functionality (SEF) within computer systems. Here, defence contractors take a standard COTS product and build in extra security functions creating a much more secure OS. The user has limited scope to abuse the system or their privileges, and outside attackers are faced with a machine that has been considerably changed and hardened from a standard Windows/Linux configuration.

However, more can and should always be done given the clear and present danger to our military’s assets and our nations’ security. Further techniques include developing Secure Operating Systems (Secure OS), which are already being investigated by the US. The premise is a bespoke system developed for the highest level of security and reliability. China has also been researching Secure OS for some years. Kylin is an Operating System developed by the University of Science and Technology for National Defence, and successfully approved by China’s 863 Hi-tech Research and Development Program office in 2006. Kylin was rolled out across the Chinese military in 2007. However, a Secure OS can give a false sense of security. Should a Secure OS become out of date and contain security flaws, users are still likely to trust the system, believing it cannot be compromised, and so leave themselves open to a greater compromise if and when an attacker is able to access it.

In a similar vein, the US Department of Defense (DOD) is currently testing Lightweight Portable Security (LPS), which boots a thin Linux operating system from a CD or USB flash stick without mounting a local hard drive. Administrator privileges are not required; nothing is installed. LPS differs from traditional operating systems in that it is not continually patched. LPS is designed to run from read-only media and without any persistent storage, so any malware that infects the computer can only run within that session. A user can therefore improve security by rebooting between sessions, or when about to undertake a sensitive job or process. LPS can be rebooted immediately after visiting any risky websites, or when the user has reason to suspect malware might have been loaded. In any event, rebooting when idle is an effective strategy to ensure a clean computing session.

Whatever techniques are deployed, it can always be argued that there can never be such a thing as a “Secure OS”. Anything based on software can only be as good as its developers and their testing. The complexity of an OS is such that there are too many lines of code to provide any real assurance. Risk will always exist and new, unknown threats will continue to emerge.

To quote the UK’s Foreign Secretary, William Hague, ahead of the recent London Conference for Cyberspace: “Unlike before the First World War, when new battleships were designed once a decade, now new techniques are adopted every day.”

Conclusion

While the migration to COTS technologies has served to provide faster and cheaper capabilities to the military, our adoption of such an approach can be said to have degraded our security measures and even increased our exposure to cyber risk. Although advances are being made in the protection of specific information systems, no comprehensive security policy has yet been rolled out across an entire defence estate. Under the current financial pressures it is hard to see any military organisation moving away from COTS systems to bespoke systems.

Therefore, in order to protect operations around the world, everything must be done to ensure existing computers are secured as well as they can be from attack. This means, at the very least, implementing:

  • Successful patching of vulnerable systems
  • Security Enforcing Functionality

The ability to gather intelligence and nullify threats is not new to warfare. It is a commonly held belief that cyber-espionage will now form part of any future attack on a nation, in much the same way that strategic bombing and commando raids on military assets and supply chains have in previous conflicts (dare we mention the speculation around Stuxnet?). There has been no public acknowledgement of any weapon system having been compromised as part of a malware attack. However, any COTS systems supporting these weapon systems are at an elevated risk. Whilst the Typhoon and the F35 Joint Strike Fighter are amongst the world’s most advanced aircraft, they will not be flying any missions if the flight planning system in the operations room is offline due to an infection.

With the UK Government acknowledging Cyber Security as a Tier 1 threat to national security, the time is right to change our view of the humble PC.