Lessons learned: Cybersecurity in the defense industry
Add bookmarkWe are a lucky generation witnessing the golden age of technology. The internet, smartphones, modern computers and technologies have made our lives easier and our work more productive.
Militaries have taken advantage of technology as well, becoming more effective and protected in their operations. Unfortunately, adversaries have learned to use technology to further their goals as well. In this article, we will discuss the history of cyberattacks on military and government targets with two of the most notorious cases, understand how they happened and identify the lessons learned from them.
Famous Cyberattacks Against Militaries and Governments
Military and government systems are attacked all the time. Security agencies are usually quite effective at identifying and mitigating these risks. However, we have witnessed cases when an attack was not only successful, but it inflicted major damage to the agency affected. Let us discuss two of the most notorious cases and understand how they operated.
Stuxnet: A Worm Designed to Cripple Iranian Nuclear Centrifuges
Probably the most famous and the most complex of the bunch, Stuxnet is believed to be created sometime around 2005 and first identified in 2010 by VirusBlokAda, a Belarussian security company. Stuxnet was deployed with one very specific goal in mind - damage the Iranian Nuclear Program. Security researchers attribute the creation of Stuxnet to U.S. and Israeli intelligence agencies. As New York Times journalists William J. Broad, John Markoff and David E. Sanger point out in their investigation, “the covert race to create Stuxnet was a joint project between the Americans and the Israelis, with some help, knowing or unknowing, from the Germans and the British”.
The worm targeted programmable logic controllers (PLC) - a combination of hardware and software that automatically controls industrial machines. This claim was confirmed by Dean Turner, director of Security Response at Symantec Corporation during his testimony before the U.S. Senate where he claimed that, “Stuxnet the first to include a programmable logic controller (PLC) rootkit and the first to target critical industrial infrastructure”. Those industrial machines in question were the uranium enrichment centrifuges in the Natanz nuclear facility in Iran.
Stuxnet entered the facility installed in a USB flash drive. When the drive was inserted into one of the facility computers, the worm used several zero-day vulnerabilities in the Windows operating system, such as CPLINK to execute its code and move on to its next target - Siemens CP7 and STEP7. Both of them are software used to control centrifuge machinery. Using vulnerabilities in CP7 and STEP7, Stuxnet jumped into the PLC themselves.
What Stuxnet did to damage the centrifuges was both simple and ingenious. It increased the centrifuge rotational speed to above its limits, then quickly decreased to almost a complete stop, while showing fake monitoring data on the facility computers.
The effectiveness of this attack was significant. As Haaretz, an Israeli newspaper reported, "the centrifuge operational capacity had dropped over the past year by 30 percent.".
Red October: Espionage Network that Stole Secrets from Embassies
In 2012, Kaspersky Laboratories identified and alerted the public about a new threat - a network of infected computers and devices that were actively stealing highly confidential data from diplomatic services around the world.
Red October was not a single malware, but a group of tools that could target everything from workstations to mobile devices, Cisco network equipment and even USB drives. It used vulnerabilities in Microsoft Word and Excel and another vulnerability in Java Applets called Rhino Exploit.
Just like Stuxnet, Red October used a simple method for spreading too - infected emails. Hackers sent Embassy staff emails with Excel file attachments such as “spisok sotrudnikov.xls” (which translates from Russian to “Staff List”). After opening the excel file, a virus would infect the device, fake a legitimate connection with the web, masking itself from network security software, and download its remaining modules responsible for the data-stealing and reporting operations.
This all resulted in Red October infecting over 300 unique networks, including embassies in Russia, Iran, and Ireland.
Key Takeaways for Defence Agencies from These Cyberattacks
Both Red October and Stuxnet unearthed major security flaws in military and diplomatic operations. Many agencies started an evaluation of their capabilities to protect from these types of attacks and started quickly fixing their mistakes. Overall, we can identify three major lessons learned from these cyberattacks.
Takeaway #1: Security Rules Must Be Followed Outside The Work Environment Too
As we saw in both stories, the human factor was the primary reason critical systems were compromised. In the case of Stuxnet, intelligence agencies managed to bring an infected USB drive into a highly secured facility. Red October was a trivial example of phishing that resulted in a major data leak.
Military staff today are usually trained to follow security standards and guidelines strictly in their work environment. However, practice shows that attackers will also target staff members outside the work time and work environment - hacking their personal devices and personal accounts. Thus, it is critical for the staff to follow at least the basic security best practices outside work as well, such as performing reverse IP lookup or phone number search before accepting anything suspicious on their personal devices.
Takeaway #2: Vendor Hardware and Software Will Almost Certainly Have Vulnerabilities
If we speak about uranium gas centrifuges produced by Siemens, the first things that come into our minds are reliability and security. However, the success of Stuxnet was attributed to Siemens violating a critical security best practice. Their S7 software connected to SQL servers using hard-coded passwords, a practice highly criticised by security researchers. Windows operating system, on the other hand, is considered secure. Microsoft does its best to patch any zero-day vulnerability researchers find as quickly as possible. However, the practice shows that many vulnerabilities are left unnoticed both by Microsoft and security experts.
Thus, the military leadership should always keep in mind that any hardware and software provided by 3rd parties, even the most trusted ones, will almost certainly have vulnerabilities.
Takeaway #3: Nearly Everything That Has Software Can be Attacked
Both Stuxnet and Red October proved that government-lead sophisticated attacks will not limit themselves to infecting workstation computers. Smartphones, network routers, even electronics inside industrial machines can be compromised and infected. The world, including militaries, is quickly adopting the Internet of Things (IoT) when a variety of everyday equipment now has network connectivity capabilities. While giving a significant technological advantage over adversaries, the IoT also provides intelligence agencies with more devices to hack. Most IoT devices run on Linux operating system. While Linux itself has a decent level of security, the OS versions on these devices get updated rarely. Thus, zero-day vulnerabilities are left unpatched.
Final Thoughts
Stuxnet and Red October can simultaneously be major successes for some governments and epic fails for others. They served as major sources of “motivation” for militaries and government agencies to rethink their security standards and strategies. But the technological world is moving fast, new technologies bring new vulnerabilities, and it is monumental for the military to adapt quickly to the new environment.