Archive for the ‘CyberWar’ Category
Write a blog post on why attribution in cyber attacks is not really important
This article is part of an ongoing experiment with the use of ChatGPT for developing primers on cyber security topics.
So, this is something I have written about before, but I thought I would ask the AI and see what it had to say. Well, it pretty much made the same arguments that I have in the past about attribution… Gee…
Attribution in cyber attacks refers to the process of identifying the source or perpetrator of a particular attack. This is often seen as an important aspect of cybersecurity, as it allows governments and organizations to take action against those responsible and to prevent future attacks. However, some argue that attribution is not as important as it is often made out to be.
One reason why attribution may not be important is that cyber attacks are often carried out by individuals or groups who operate outside of traditional government structures. This makes it difficult to attribute attacks to specific countries or organizations, and even when attribution is possible, it may not lead to any real consequences. For example, a hacker group operating out of a country that has little interest in prosecuting cyber criminals may be difficult to hold accountable.
Another reason why attribution may not be important is that the tactics and techniques used in cyber attacks are often widely known and can be easily replicated by others. This means that even if a specific group is identified and stopped, others may be able to carry out similar attacks using the same methods. In other words, focusing too much on attribution may be a distraction from the larger issue of improving cybersecurity as a whole.
Finally, some argue that the emphasis on attribution may be driven more by political considerations than by a genuine desire to improve cybersecurity. In some cases, governments may be more interested in using cyber attacks as a way to justify military or diplomatic action against other countries than in actually preventing future attacks.
In conclusion, while attribution is often seen as an important aspect of cybersecurity, it may not be as critical as it is often made out to be. Factors such as the difficulty of identifying the source of attacks, the ease with which attacks can be replicated, and political considerations may all contribute to making attribution less important in practice. Instead, efforts should focus on improving cybersecurity as a whole, through measures such as improving network security, educating users on best practices, and developing better tools for detecting and mitigating attacks.
Krypt3ia generated this text with ChatGPT, OpenAI’s large-scale language-generation model. This author reviewed, edited, and revised the language to my own liking and takes ultimate responsibility for the content of this publication.
Postulate scenarios where non-nation-state threat actors use AI to attack critical infrastructure using hacking techniques and the outcomes from these kinds of attacks.
This post was generated with ChatGPT at my prompt.
Non-nation state threat actors, such as terrorist groups, criminal organizations, or hacktivist groups, could potentially use AI to carry out attacks on critical infrastructure using hacking techniques. Here are some scenarios that could arise from such attacks:
- AI-assisted cyberattacks on power grids: A non-nation state threat actor could use AI to conduct cyberattacks on power grids, causing widespread power outages and disrupting critical infrastructure. By using machine learning algorithms to analyze the infrastructure’s weaknesses, an attacker could identify vulnerabilities and launch targeted attacks that could have cascading effects on the entire system. The outcome of such an attack could be significant economic damage, loss of life, and social unrest.
- AI-assisted attacks on transportation systems: AI could also be used to carry out attacks on transportation systems, such as railways, airlines, or ports, causing significant disruptions and potentially resulting in loss of life. For example, an attacker could use AI to breach the security systems of an airport, causing flight cancellations or delays, or to tamper with traffic control systems, causing accidents or traffic jams.
- AI-powered attacks on financial systems: Non-nation state threat actors could also use AI to conduct attacks on financial systems, such as stock markets or banking systems. By using AI algorithms to analyze market data and identify vulnerabilities, attackers could launch targeted attacks that could disrupt financial systems, potentially causing widespread economic damage.
- AI-assisted attacks on healthcare systems: Non-nation state threat actors could use AI to carry out attacks on healthcare systems, such as hospitals or medical devices, potentially causing harm to patients and disrupting critical healthcare services. For example, an attacker could use AI to breach the security systems of a hospital and access patient data, or to tamper with medical devices, causing harm to patients.
The outcomes of such attacks could be significant, potentially causing widespread economic damage, loss of life, and social unrest. It is therefore important for governments, critical infrastructure providers, and cybersecurity experts to develop effective countermeasures to detect and prevent such attacks, as well as to establish regulatory frameworks to govern the use of AI in warfare.
Make it better and give a timetable on when these types of attacks could occur
To expand on the scenarios where non-nation state threat actors could use AI to attack critical infrastructure, it is important to note that the potential for such attacks exists today, and the risks are likely to increase in the future as AI and machine learning technologies become more accessible and widespread.
In terms of a timeline, it is difficult to predict with certainty when such attacks could occur. However, there have already been incidents of non-nation state threat actors using AI and machine learning to conduct cyberattacks. For example, in 2019, a hacker group known as DeepLocker demonstrated an AI-powered malware that can evade detection by antivirus software and target specific victims. This indicates that the development and deployment of AI-powered malware is already possible.
Similarly, there have been incidents of non-nation state threat actors using hacking techniques to disrupt critical infrastructure. For example, in 2015, the Ukrainian power grid was targeted by a cyberattack that caused a widespread blackout, believed to be the first successful cyberattack on a power grid. This demonstrates that non-nation state threat actors have the ability to target critical infrastructure using hacking techniques.
Given these precedents, it is likely that non-nation state threat actors will continue to develop and use AI and machine learning to carry out attacks on critical infrastructure in the future. The pace and scale of these attacks will depend on a range of factors, including the accessibility and affordability of AI technologies, the effectiveness of cybersecurity measures, and the ability of governments to regulate and control the use of AI in warfare.
To counter these threats, it is important for governments, critical infrastructure providers, and cybersecurity experts to remain vigilant and proactive in identifying and mitigating potential risks. This will require ongoing investment in cybersecurity research and development, as well as international cooperation and coordination to establish effective regulatory frameworks for the use of AI in warfare.
What are the current vulnerabilities within ICS and SCADA systems that nation-state and non-nation-state actors can use to potentially disrupt critical systems, and list them out in order of threat likelihood.
Industrial control systems (ICS) and supervisory control and data acquisition (SCADA) systems are used to monitor and control critical infrastructure, such as power grids, water treatment plants, and transportation systems. These systems are vulnerable to cyberattacks by both nation state and non-nation state actors, who may seek to disrupt critical services or cause physical damage to infrastructure. Here are some of the current vulnerabilities within ICS and SCADA systems that threat actors could exploit, listed in order of threat likelihood:
- Unsecured or weakly secured remote access: Many ICS and SCADA systems allow remote access for maintenance and monitoring purposes, but often these remote access points are not properly secured. This creates a potential entry point for attackers who can exploit unsecured or weakly secured remote access systems to gain unauthorized access to critical infrastructure.
- Outdated software and hardware: Many ICS and SCADA systems rely on outdated software and hardware that may have unpatched vulnerabilities, making them easy targets for attackers. In some cases, these systems are so old that they cannot be easily updated or replaced, making them even more vulnerable.
- Lack of network segmentation: ICS and SCADA systems are often connected to corporate networks, which increases the potential attack surface. If the network is not properly segmented, an attacker who gains access to one system could potentially move laterally and gain access to other systems within the network.
- Poor password and access controls: Many ICS and SCADA systems rely on weak passwords or default passwords that can be easily guessed by attackers. Additionally, access controls may not be properly configured, allowing unauthorized users to gain access to critical systems.
- Social engineering: Attackers may use social engineering techniques, such as phishing emails or phone calls, to trick employees into divulging sensitive information or granting access to critical systems.
- Lack of encryption: Many ICS and SCADA systems do not use encryption to protect data in transit or at rest, making them vulnerable to interception and tampering.
These vulnerabilities are not exhaustive, and there may be other weaknesses within ICS and SCADA systems that could be exploited by threat actors. It is important for organizations responsible for critical infrastructure to take a proactive approach to cybersecurity, including implementing regular vulnerability assessments, ensuring that systems are properly patched and updated, and providing ongoing training to employees on how to recognize and respond to potential threats.
How would AI detect, deter, and counter disinformation campaigns for humanity and how would AI counter the use of another AI in carrying out these campaigns?
This post was generated with ChatGPT at my prompt.
AI can be used to detect, deter, and counter disinformation campaigns in several ways.
First, AI can be used to analyze large amounts of data and identify patterns that indicate the presence of disinformation. Machine learning algorithms can be trained on large datasets of both genuine and false information to recognize characteristics of disinformation campaigns, such as the use of certain keywords, sources, or propagandistic techniques. AI can also analyze social media and other online platforms to identify bots and fake accounts that are used to amplify disinformation.
Second, AI can be used to monitor the spread of disinformation in real-time and alert human moderators to take action when necessary. This can involve the use of natural language processing algorithms to analyze the sentiment and credibility of online content, as well as the tracking of viral trends and patterns of user behavior.
Third, AI can be used to develop counter-narratives and fact-checking resources to provide accurate information to counter the disinformation. This can involve the creation of databases of verified information, as well as the development of chatbots and other interactive tools that can engage users in meaningful and informative conversations.
To counter the use of another AI in carrying out disinformation campaigns, AI can be used to develop more sophisticated and advanced algorithms that can detect and flag suspicious activity. This can involve the development of machine learning models that can identify patterns of behavior that are characteristic of malicious bots and other AI-driven disinformation campaigns. AI can also be used to develop better security protocols and authentication systems to prevent the unauthorized use of AI technology in disinformation campaigns. Additionally, human oversight and regulation of AI systems can help ensure that they are being used ethically and responsibly.
Make it better and expand on the tools, techniques, and procedures in carrying out this kind of warfare
To expand on the tools, techniques, and procedures for detecting, deterring, and countering disinformation campaigns using AI, there are several key areas to consider:
- Data Collection and Analysis: AI can be used to collect and analyze large amounts of data from a variety of sources, such as social media, news articles, and government reports. This data can be used to identify patterns and trends in the dissemination of false information, as well as the sources and actors behind these campaigns. AI-powered tools such as sentiment analysis, network analysis, and text mining can be used to analyze data and identify patterns that indicate the presence of disinformation.
- Natural Language Processing (NLP): NLP is a subfield of AI that focuses on the interaction between computers and human language. AI-powered NLP tools can be used to identify the sentiment, credibility, and relevance of online content, as well as to classify content into categories such as news, opinion, and propaganda. These tools can be used to detect and flag disinformation, as well as to develop counter-narratives and fact-checking resources.
- Machine Learning (ML): ML is a technique used in AI to enable machines to learn from data and improve their performance over time. ML algorithms can be trained on large datasets of both genuine and false information to recognize characteristics of disinformation campaigns, such as the use of certain keywords, sources, or propagandistic techniques. These algorithms can then be used to detect and flag suspicious activity in real-time, as well as to develop predictive models that can anticipate and prevent future disinformation campaigns.
- Chatbots and Interactive Tools: Chatbots and other interactive tools can be developed using AI to engage users in meaningful and informative conversations about disinformation. These tools can be used to provide accurate information and fact-checking resources to counter false narratives, as well as to identify and report suspicious activity to human moderators.
- Human Oversight and Regulation: While AI can be a powerful tool for detecting and countering disinformation, it is important to have human oversight and regulation to ensure that AI systems are being used ethically and responsibly. This can involve the development of ethical guidelines and standards for the use of AI in disinformation campaigns, as well as the establishment of regulatory frameworks to govern the use of AI in warfare.
Overall, AI has the potential to be a powerful tool for detecting, deterring, and countering disinformation campaigns in warfare. By combining advanced analytics, machine learning, and natural language processing with chatbots and other interactive tools, it is possible to develop effective strategies for countering false narratives and promoting accurate information in the face of disinformation.
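As an added illustration of the bot and fake-account amplification detection described above (example code written for this page, not part of the original post or of ChatGPT’s output): near-duplicate clustering over a constructed feed that flags a narrative pushed by several accounts inside a short burst. The account names, timestamps and post texts are invented sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample feed (account, ISO-8601 time, text); not real accounts or posts.
SAMPLE_POSTS = [
    ("acct_a1", "2024-03-01T12:00:00", "BREAKING: the water plant in Riverton was shut down by a cyber attack, officials are hiding it! #Riverton"),
    ("acct_a2", "2024-03-01T12:01:30", "BREAKING the water plant in Riverton was shut down by a cyber attack and officials are hiding it #Riverton https://example.invalid/x"),
    ("acct_a3", "2024-03-01T12:02:10", "Breaking: The water plant in Riverton was shut down by a cyber attack. Officials are hiding it!!"),
    ("acct_a4", "2024-03-01T12:04:00", "the water plant in Riverton was shut down by a cyber attack, officials are hiding it"),
    ("acct_a1", "2024-03-01T17:00:00", "BREAKING: the water plant in Riverton was shut down by a cyber attack, officials are hiding it! #Riverton"),
    ("local_news", "2024-03-01T12:30:00", "Riverton water utility says a pump failed this morning; no sign of a cyber attack, service back by 3pm."),
    ("resident_1", "2024-03-01T13:05:00", "No water pressure on Elm St again, third time this month."),
    ("resident_2", "2024-03-01T16:40:00", "no water pressure on elm st again third time this month"),
]

_URL = re.compile(r"https?://\S+")
_NONWORD = re.compile(r"[^a-z0-9 ]+")


def normalize(text):
    """Lowercase, drop URLs and punctuation, collapse whitespace."""
    text = _URL.sub(" ", text.lower())
    text = _NONWORD.sub(" ", text)
    return " ".join(text.split())


def shingles(text, n=3):
    """Set of word n-grams; tolerates small edits (punctuation, an inserted word, a hashtag)."""
    words = normalize(text).split()
    return {" ".join(words[i:i + n]) for i in range(len(words) - n + 1)}


def jaccard(a, b):
    """Overlap of two shingle sets, 0.0 when both are empty."""
    if not a and not b:
        return 0.0
    return len(a & b) / len(a | b)


def near_duplicate_clusters(posts, threshold=0.6):
    """Group posts whose shingle sets overlap >= threshold (single linkage via union-find)."""
    sh = [shingles(p[2]) for p in posts]
    parent = list(range(len(posts)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]  # path halving
            i = parent[i]
        return i

    for i in range(len(posts)):
        for j in range(i + 1, len(posts)):
            if jaccard(sh[i], sh[j]) >= threshold:
                parent[find(i)] = find(j)
    clusters = defaultdict(list)
    for i, p in enumerate(posts):
        clusters[find(i)].append(p)
    return list(clusters.values())


def peak_distinct_accounts(cluster, window):
    """Largest number of distinct accounts pushing the same text within any `window` of time.

    Using distinct accounts in a sliding window (rather than raw post count) separates a
    burst from many accounts from one account reposting its own text hours later."""
    timed = sorted((datetime.fromisoformat(t), acct) for acct, t, _ in cluster)
    best = 0
    for i, (t0, _) in enumerate(timed):
        accts = {a for t, a in timed[i:] if t - t0 <= window}
        best = max(best, len(accts))
    return best


def flag_amplification(posts, threshold=0.6, window=timedelta(minutes=10), min_accounts=3):
    """Return clusters where >= min_accounts distinct accounts posted near-identical text inside `window`."""
    flagged = []
    for cluster in near_duplicate_clusters(posts, threshold):
        peak = peak_distinct_accounts(cluster, window)
        if peak >= min_accounts:
            flagged.append({
                "accounts": sorted({acct for acct, _, _ in cluster}),
                "posts": len(cluster),
                "peak_accounts_in_window": peak,
                "sample": cluster[0][2],
            })
    return sorted(flagged, key=lambda f: f["peak_accounts_in_window"], reverse=True)


if __name__ == "__main__":
    for f in flag_amplification(SAMPLE_POSTS):
        print(f["peak_accounts_in_window"], f["accounts"], "|", f["sample"])
```

The two residents who post the same complaint hours apart form a cluster but are not flagged, while the four accounts pushing the "cyber attack" story within four minutes are; the thresholds are starting points a moderator would tune against real traffic.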
What potential outcomes on society would play out when AI is used to propagate misinformation and disinformation and what geopolitical scenarios would happen when this happens?
This post was generated by ChatGPT at my prompt.
The potential outcomes of using AI to spread misinformation and disinformation are multifaceted, with implications for society, international relations, and conflict. Misinformation and disinformation refer to the intentional or unintentional spread of false or misleading information, respectively. The use of AI to create, spread, and perpetuate false narratives can have significant consequences for individuals, organizations, and even governments.
One potential outcome of the use of AI to spread misinformation and disinformation is the erosion of trust in public institutions and information sources. If individuals cannot distinguish truth from falsehood, they may become cynical or disengaged from the political process, leading to a potential democratic crisis. Furthermore, the spread of false narratives can also create political polarization, as individuals are exposed to different realities, reinforcing pre-existing beliefs and biases.
At the international level, the use of AI to spread false narratives can have serious consequences. State actors may use AI to create deepfakes, which are sophisticated manipulations of videos or images, showing individuals doing or saying things they never did. These deepfakes can be used to manipulate public opinion or to create confusion in the midst of a crisis or conflict. In the worst-case scenario, deepfakes can trigger conflicts, as false information can create tension and even provoke an armed conflict.
The use of AI to propagate misinformation and disinformation is also a potential tool for cyberattacks, which can have far-reaching consequences. For example, a state actor can use AI to manipulate data or to launch a cyberattack on the infrastructure of another country. This can lead to a loss of critical infrastructure, such as the electricity grid, water supply systems, or transportation networks, leading to social unrest or even violence.
However, AI can also be used to detect and counter misinformation and disinformation. AI-based systems can analyze patterns of online behavior, identify false or misleading content, and monitor social media and other sources for potential threats. Furthermore, AI can be used to develop more sophisticated methods of verifying the accuracy of online information, enhancing the ability of individuals to make informed decisions and reducing the impact of disinformation and misinformation.
To address the threat of AI-propagated misinformation and disinformation, policymakers and civil society must work together to establish norms, regulations, and best practices that prevent the malicious use of AI. At the same time, education and media literacy programs are critical to developing a more informed and resilient public, capable of distinguishing truth from falsehood.
In conclusion, the use of AI to spread misinformation and disinformation poses a significant threat to society and international relations. However, by developing more sophisticated AI-based systems to counter these threats and educating the public on media literacy and critical thinking, we can mitigate the risks and promote a more informed and resilient society.
How specifically, can AI be used by Russia in disinformation campaigns and how could we detect these attacks and counter them?
Russia has been known to use AI in disinformation campaigns to manipulate public opinion and sow discord in foreign countries. By using AI-based systems, they can create sophisticated deepfakes that are difficult to detect and manipulate videos and images to spread false narratives. Additionally, they can use AI to create fake news articles, social media posts, and websites that appear to be legitimate.
The effects of these disinformation campaigns can be far-reaching and can lead to the erosion of trust in institutions, a rise in extremism, and increased polarization. These campaigns can also exacerbate existing social and political tensions and contribute to the destabilization of regions.
To detect and counter these attacks, it is essential to have robust systems that can identify false or misleading content and monitor social media and other sources for potential threats. AI-based systems can analyze patterns of online behavior, identify bot and troll activity, and identify content that contradicts known facts.
Additionally, AI can be used to identify the origin of the disinformation campaign. By analyzing the patterns of content and behavior, it is possible to identify the individuals, groups or organizations responsible for spreading the false narratives. This can help to mitigate the effects of these campaigns and hold those responsible accountable.
Countermeasures can be taken to counter disinformation campaigns by building resilience in the public against false information. For instance, individuals can be trained to critically assess the information that they receive online, and media literacy programs can be developed to teach the public to identify false narratives and propaganda. Government agencies and civil society organizations can work together to develop best practices for identifying and countering disinformation campaigns and to develop regulations and norms to prevent malicious uses of AI.
However, detecting and countering disinformation campaigns can be challenging, as those spreading false narratives constantly adapt and evolve their tactics. It is essential to remain vigilant and to continue to develop new tools and methods to stay ahead of the attackers.
In conclusion, the use of AI in disinformation campaigns by Russia is a serious threat to democracy, and it is essential to take measures to detect and counter these attacks. AI-based systems can be used to detect patterns of behavior and content, which can be used to identify the source of the disinformation campaign. Additionally, media literacy programs and critical thinking can be developed to make individuals more resilient to disinformation and false narratives. Governments and civil society organizations must work together to prevent malicious uses of AI and protect democracy.
The CYBER Wars
We met in an old, drab, and odd Russian eatery cum bar this year. A matronly Russian woman made us order things from the menu as a young girl sang Russian kulturny songs on a cheap sound system in the back corner. I had come to talk to someone in the IC about “Cyber War” and hoped that our mutual experiences could give me an insight or direction for this post. After sitting with this person for about an hour I had to go, but in that time I had several revelations from our discourse. This post is the culmination of that conversation and my further ruminations about the current state of “cyber warfare”.
Firstly, the conversation that we had was very roundabout, going back to the dawn of the ARPANET and other systems but all the while with a bent on economics. This kind of threw me for a bit, but I listened further, and within that long and winding road two things became clear from this IC warrior’s career: first, that all cyber war is really information warfare, and second, that all information warfare has an economic component. These things had not really occurred to me in the past, but the revelation made me think differently about all of it. Thinking about the economics certainly led easily to all the Chinese hacking and theft of IP, but on a macro scale all warfare has its economic drivers, right? Someone wants the things you have or they want to stop you from getting those things to others. So the motivation is always there in some way on a nation-state level, and all of the techniques used in information war or hacking can be used to great effect on these problems.
Once I had some time to think about all that I had heard, I started to contemplate everything that had taken place over the last election and what is still happening today. It became clear to me that my convictions on “cyber” war were the same as they always had been, but with some caveats. Primarily for me is the notion that “cyber” war is really just information warfare. It is still information warfare even when something is physically caused to blow up or eat itself, like the centrifuges in Natanz back in 2011. Information warfare since then, though, has been escalated with the active measures by the GRU and SVR (KGB) that took place in our last election cycle. Clearly it was information being used to manipulate the populace and their opinions. The hacking, or “cyber” as many like to call it, was just a component, an element of this, and it was the information that was the key. The net effect here is that once again I put it to you all: the “cyber” war doesn’t exist, it is all just information war using hacking and code as a force multiplier.
What you all need to worry about now is the use of technology to manipulate, just like the active measures campaign did in 2016. The revelations about Facebook being used by Russia to manipulate public opinion are just one instance, and a more nuanced approach needs to be applied to information warfare henceforth. I see articles every day now asking how we fight this kind of warfare, and honestly I see no easy way to do so. People are easily led, and much more so now that the electronic media is so prevalent and easily manipulated by ad buys, hacks, and open source troll accounts. That people now have their digital bubbles cum echo chambers makes it even worse, with their cognitive dissonance at eleven. Honestly, much of the time lately I feel like Joshua and have decided not to play the game at all and go dark.
Maybe you should too.
K.
Scenarios on Outcomes from Russian Information Operations on the US 2016 Election
Assessment Goals:
With all that has been happening with the disinformation and influence operations during this election cycle, I thought it prudent to thought-experiment out some scenarios if Russia, or any other adversary with the means, decided to attack the election cycle in other ways. One might ask right now what benefit other countries like Russia would gain from such operations, and you would be right to ask. That is a question for another post, but suffice to say that if Russia is indeed tampering with our electoral process like they have in others, then the reasons are geopolitical and very much Putin’s aegis in ordering the SVR and KGB to carry them out.
The goal here is just to lay out the attacks that could happen simply and then give you the likely outcomes. All of these are not as comprehensive as you might find in some think tanks like Wikistrat, but you get the idea. All of these attacks are possible, and they do not all have to work completely to have secondary and tertiary effects on the US population and political system. Please read through them and ponder yourselves: how would you react if these happened? How would the general populace? Would government be able to carry on? If the election cycle is broken and the systems not trusted, how would one re-set the vote and how long would it take?
Interesting times….
SCENARIO 1: VOTE TAMPERING
The voting machines have been tampered with electronically or code has been inserted. The potential for votes being tabulated incorrectly or data tampered with is possible but not probable in the grander scheme in the US, according to sources. However, this does not preclude a way being found to insert such code or physical devices in key states. It is also not impossible to have assets in play, such as sympathizers or outright KGB assets on the ground, helping to tamper with the results. I will not go into the details because this is a scenario to start, but it is also not the point. Let’s just assume ways have been found to tamper enough to call the electoral data into question via tampering directly with the systems.
POTENTIAL OUTCOME:
- Trust in the election system is diminished
- Recalls are called for by both candidates and the public
- The electronic systems will lose public trust and a re-assessment of the process will be mandated
SCENARIO 2: VOTER ROLLS TAMPERING
Scenario 2 is based on recent events. The hacking of the rolls databases in key states could be an attempt to manipulate the data and cause secondary issues with that data on the day of the election. The posit is that the adversary has tampered with people’s voting preferences data. If you are a Republican they can change that roll to the opposite party, and vice versa. Additionally, what if a user’s region or address were changed surreptitiously? To date there are no systems that I am aware of that will email you when a change is made to your voting status, and how many people check before they go to the polls? This is a common tactic that has been used in gerrymandering an election area by disallowing voters from voting on the day of the election. To date, the FBI has not been able to determine what the hacking on the voter databases was about, and this could be one of the goals.
POTENTIAL OUTCOME:
- Voters are unable to vote once they get to the polling place.
- Voters are not allowed to correct these records and are thus negated from the process
- Attack key states once again, going for the electoral college, and you can change the outcome of an election
- All of the above once again have the amplification of causing distrust of the system and damage to the election
- The candidates and the people are left with a recall and with the system being manipulated already how can they trust it?
SCENARIO 3: DISRUPTION OF THE PROCESS ELECTRONICALLY
Russia attacked the Ukraine elections in 2014 by inserting malware/code into the election machines that effectively bricked them. If such attack code were placed and propagated within the American voting systems, the disruption would cause the election to be halted and emergency measures taken. Perhaps the election might try to carry on with paper ballots, but I am unsure the process can be that nimble. If the election systems are down, since they are of varying makes and models of machines, the time to return to service would be long, causing more FUD about the elections process itself.
POTENTIAL OUTCOME:
- Voters are unable to vote or the process takes so long that they walk away with a more analog process
- Trust in the electronic system would be degraded or destroyed
- The election cycle would likely be broken and emergency measures would have to be employed (contingencies)
- Continuity of government is challenged
CONCLUSIONS:
These three scenarios have not, I believe, been covered to date. This post comes to you as the fruit of a discussion I had with @SteveD3, and I believe that in our current atmosphere of information warfare and influence operations carried out by Russia, one has to take these thought experiments out for a drive. All of these scenarios are possible and will have the effects of denial, disruption, and degradation on our election systems and the stability of the nation. It need not render the election conclusively in the favor of one or the other candidate to cause faith in the system and its outcome to be questioned. Imagine if you will, as Trump has already been saying repeatedly, that these tactics are used and the general populace believes that the election has been rigged. With or without the hand of the Russians, others could easily be blamed by a candidate like Trump and his followers. The outcomes from this could lead to civil unrest and other worse things if they came to pass with the help of information operations attacks by another nation state.
I suggest you red team these ideas yourselves and see what else you can come up with…
DDoS: Posters From Walls To Legitimate Weapon Of War and Its Possible Use Scenarios
Historical DDoS
Distributed Denial of Service has been the go to tool for the script kiddie and Anonyous over the years but recent developments have shown that this tool may be evolving and maturing with new use by actors within the nation state arena. In fact DDoS has been used before by Russia on Georgia in 2008 and again recently on the attack of the power grid in Ukraine. The types of attacks varied but the end state of denying service to sections of infrastructure have been the same in each of those occasions.
What was once considered just a tool for skids is now fast becoming a dangerous tool for other attacks that, in tandem with kinetic action, could be the prelude to war or, more to the point, to smaller actions that do not rise to the standard definition of war used by countries like the USA. This blog post contains a set of scenarios that could possibly play out, but they are more thought experiments to show the potential use of a denial of service in hybrid or network-centric war, with information warfare, CNO, and CNE implications.
Recent Events
Directed Attacks on Infrastructure and Defense (Schneier)
In a recent post on his blog, Bruce Schneier alluded to some very directed DoS activity against the infrastructure of the internet. He was not really forthcoming with the data, but I too had heard of some activity and thus began to ponder who might be carrying out tests of new denial of service tools. His go-to on who was carrying out the attacks was China, which was a poor choice in my opinion, and I wrote an off-the-cuff retort here. I believe that another actor is afoot in that one, and as you read below, that actor is DPRK. I think this for many reasons that I will cover later.
In any case, the attacks have been systematic and show planning in a way that points to a desire to take out large areas of the internet and/or command and control systems for the nation(s), which would degrade our abilities to fight a war, carry out daily business, or just surf the web. Of course the former is the most important and likely the aim here rather than the latter for this adversary.
Krebs
Another event that took place in rapid succession to the attacks on infrastructure was the DDoS of Brian Krebs' website after he outed a company in Israel that performs DDoS as a service. This attack for the most part appears to me to be revenge for the takedown he was part of, but he has over the years managed to piss off many of the skidz out there, so the list of names grows exponentially. What struck me in this attack, though, was that the tool used was then burned by its one-time use on Brian. If this actor were someone in the nation state space, they would not want to burn the tool, so to speak.
In fact, after the hubbub over the determination that the tool in question leveraged a botnet of IoT (Internet of Things) devices, the author dumped his code online because within days he was already seeing his output diminish: ISPs were cleaning up their acts and denying access to insecure IoT devices and telnet services that had default creds. With this revelation the tool is left open for use by some and upgrades by others, but overall it is burned as far as tools for surprise attacks go. Of course, the tool's DDoS is carried out with GRE packets, which are a hard one to stop. If others find new sources of bots for the botnets, then the tool can once again be fired and take down targets pretty readily, so there is that.
South Korean Router Hack
The Yonhap News Agency recently put out a report stating that the ROK military had suffered an attack on a 'Vaccine Routing Server' at their cyber command in Seoul. I am still not sure what a vaccine routing server is, other than perhaps a bad translation from Korean to English, but if it is in fact a router, then this attack could further a DDoS quite well. Of course this attack, if carried out the right way, could be just like the OVH attack that leveraged traffic directly through to the back end of the OVH infrastructure. This type of attack would be devastating on any network. If in fact the OVH attack was another "test" of another, as yet un-named tool, then leveraging such a router compromise on the ROK cyber command by DPRK would be the next best thing to just dropping a missile on the building, which would likely happen right after the DDoS begins in a lightning war. But I digress.
Tactical Use
So with all of these things in mind, I would like to next discuss the tactical use of DDoS in a hybrid warfare scenario. In the cases stated earlier with Russia, both types of denial of service were used in differing capacities. In Georgia, they used the DoS to cut off the country's communications both internally and externally, leaving them dark to the rest of the world. In the case of the recent attack in Ukraine they did not use the common tactic of DoS by packet; instead they used a telephone DoS on the help desk at the power company, as well as other tricks like attempting to re-write the firmware in the ICS/PLC environment so that the power would stay down after the attack. Both of these attacks plainly show the value of this type of attack, but below I will go into the thought process behind their use.
Deny, Degrade, Disrupt & Psyops
The main goal of any kind of DoS, in a warfare sense, is to deny access and communications, degrade access and communications, and disrupt access and communications. These primary goals have sub-goals of slowing the adversary, denying the adversary, and disrupting their ability to respond to attacks. If you carry out these denial of service attacks on the communications lines for, say, military command and control (C4ISR), then you are effectively blinding the enemy and/or disrupting their ability to respond and prosecute a war.
Years ago an example of this was carried out in Syria by Israel, when they attacked a radar station electronically and allowed their jets to make it through unseen by the country's air defense. This operation (Orchard) leveraged that electronic attack to destroy a nuclear facility before it went live. In certain situations these attacks can also have the added benefit, or even the main goal, of prosecuting a PSYOP (Psychological Operation) on the affected country by destabilizing their networks (public and mil), sowing distrust of the infrastructure, and causing pandemonium. I will write further on the PSYOPS angle below in one of the scenarios.
Signal To Noise
In some cases a DDoS can be used to distract an adversary while you are attacking a specific asset(s) in a hack. This type of activity has been seen in some of the Chinese activity in the past. The tactic is quite successful because while the IR teams are otherwise engaged in trying to mitigate being offline, it is easy to miss a certain network or device that may still be connected and under attack. With masses of data being aimed at the defenses, it is easy to miss the real attack within the deluge of junk traffic.
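The two points above, the GRE-packet flood the burned IoT botnet tool relies on and the signal-to-noise problem of a targeted intrusion hidden under a flood, can both be checked against flow logs. What follows is an added example written for this post, not code from the post or from any tool it mentions. It triages a small set of constructed NetFlow-style records: it flags per-destination windows where GRE (IP protocol 47) arrives from many distinct, unknown sources at a high rate, then lists any non-flood flow touching a watchlisted host during those windows. The record layout, the thresholds, the KNOWN_GRE_PEERS allowlist and the watchlist are assumptions for illustration; the addresses are documentation ranges.

```python
"""
Flow-log triage for a GRE flood with a targeted intrusion hidden inside it.

Added example.  The records below are constructed to stand in for NetFlow/IPFIX
exports from a border router; the field layout, thresholds, KNOWN_GRE_PEERS and
the watchlist are assumptions for illustration, not from any real deployment.
"""
from collections import defaultdict
from dataclasses import dataclass

GRE = 47  # IP protocol number for GRE (RFC 2784); GRE has no ports
TCP = 6


@dataclass(frozen=True)
class Flow:
    ts: int        # export time, epoch seconds
    src: str
    dst: str
    proto: int
    dport: int     # 0 for port-less protocols such as GRE
    packets: int


# Assumed: the site's legitimate GRE tunnel endpoints (e.g. a site-to-site VPN peer).
KNOWN_GRE_PEERS = {"198.51.100.1"}


def detect_gre_flood(flows, window=10, min_sources=50, min_pps=10_000):
    """Bucket GRE flows per (destination, time window) and flag floods.

    A botnet GRE flood looks like many distinct, otherwise-unknown sources
    sending protocol-47 packets at one victim at a high rate; legitimate GRE
    comes from a handful of fixed peers, which are allowlisted here.
    Returns a sorted list of (dst, window_start, n_sources, pps).
    """
    buckets = defaultdict(lambda: [set(), 0])  # (dst, win) -> [sources, packets]
    for f in flows:
        if f.proto != GRE or f.src in KNOWN_GRE_PEERS:
            continue
        key = (f.dst, f.ts - f.ts % window)
        buckets[key][0].add(f.src)
        buckets[key][1] += f.packets
    alerts = []
    for (dst, win), (sources, pkts) in sorted(buckets.items()):
        pps = pkts / window
        if len(sources) >= min_sources and pps >= min_pps:
            alerts.append((dst, win, len(sources), pps))
    return alerts


def find_hidden_activity(flows, alerts, watchlist, window=10):
    """Signal-to-noise check.

    While a flood is active, return every non-GRE flow that touches a
    watchlisted (sensitive) host.  These are the low-volume connections an IR
    team busy with mitigation is most likely to miss under the deluge.
    """
    active_windows = {win for (_, win, _, _) in alerts}
    return [
        f for f in flows
        if f.ts - f.ts % window in active_windows
        and f.proto != GRE
        and (f.dst in watchlist or f.src in watchlist)
    ]


def sample_flows():
    """Constructed data: 200 bots flood 203.0.113.10 with GRE for two 10-second
    windows; one allowlisted tunnel peer also sends GRE; one quiet SSH session
    from an outside host reaches the jump box 10.0.0.5 during the flood."""
    flows = []
    for win_start in (1000, 1010):
        for i in range(200):
            flows.append(Flow(win_start + i % 10, f"192.0.2.{i + 1}",
                              "203.0.113.10", GRE, 0, 1000))
    flows.append(Flow(1000, "198.51.100.1", "203.0.113.10", GRE, 0, 50_000))  # legit tunnel
    flows.append(Flow(995, "192.0.2.250", "203.0.113.10", GRE, 0, 50))         # stray GRE, no flood
    flows.append(Flow(900, "203.0.113.77", "10.0.0.5", TCP, 22, 12))           # SSH before flood
    flows.append(Flow(1004, "203.0.113.77", "10.0.0.5", TCP, 22, 12))          # SSH under the flood
    flows.append(Flow(1005, "203.0.113.78", "10.0.0.80", TCP, 443, 30))        # web, not watchlisted
    return flows


if __name__ == "__main__":
    flows = sample_flows()
    alerts = detect_gre_flood(flows)
    for dst, win, n_src, pps in alerts:
        print(f"GRE flood on {dst} at t={win}: {n_src} sources, {pps:.0f} pps")
    for f in find_hidden_activity(flows, alerts, watchlist={"10.0.0.5"}):
        print(f"hidden under flood: {f.src} -> {f.dst}:{f.dport} proto {f.proto}")
```

The allowlist is the check that keeps a real site-to-site tunnel, which also moves a lot of GRE, from tripping the flood rule; the source-count threshold is what separates a botnet (many unrelated residential addresses) from a single misbehaving peer. The second function is the operational point of the section: during mitigation, the short list it produces, not the flood itself, is what the IR team should be reading first.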
Scenarios
Scenario One: Core Infrastructure Attacks on ROK and USA
With the attacks on infrastructure mentioned above, and the ROK Cyber Command attack on a “router” this scenario concerns a “short war” which is the favored type of warfare by the DPRK. In this attack the following happens:
- DPRK launches a DDoS of some kind(s) on ROK and US assets to disrupt C4ISR
- DPRK engages their rocket batteries just outside of the DMZ with a three minute flight time to Seoul
- DPRK launches other forces and attempts to overtake ROK
It is within the nature of DPRK to attempt this kind of attack because it is doctrine for them, they have nothing to lose, and they would aim to deny, degrade, and disrupt ROK's ally, the US, with the types of attacks we have seen recently with the GRE packet attacks. Of course there would have to be other maneuvers going on and other attacks within the spectrum, but this attack vector would be easy enough for DPRK to leverage in a kinetic hybrid war scenario.
Additionally, the use of DDoS by DPRK is a natural fit because of the lack of infrastructure within the hermit kingdom. If DPRK were to leverage DDoS like the GRE attack elsewhere, it could easily do so because of the aforementioned lack of connectivity (there is little for a retaliatory DDoS to hit), and because the norms of warfare today do not really cover DDoS (yet) as a type of attack that would require a kinetic response. DoS and DDoS are the perfect asymmetric cyber warfare tool for DPRK, and I for one would not be surprised to see its use by them in scenarios like these in the near future.
Directed Attacks In Concert on US Elections
The following scenario concerns the upcoming US election and the possible use of DoS/DDoS as a tool to sow mayhem during the process. Russia seems to be actively tampering with the US electoral process in 2016 through direct means by way of hacking and cyber warfare tactics. However, this attack could be just as easily leveraged by DPRK or anyone else. I am using Russia in this instance because it is October and, well, you all have seen the news lately right?
- Russia attacks the internet infrastructure within the United States to deny and degrade access on a large scale
- Russia attacks polling places connectivity either by the larger DoS or direct action against polling places and the electronic voting machines connection to upload results
The net effects of these types of attacks on the voting systems on the day of the election would have these potential effects on the process:
- Insecurity and fear that the US is under attack
- Insecurity and mistrust of the electoral process through electronic means
- Not all voting systems have a paper backup, so recounting ballots would be impossible in some areas
- Re-counts would occur
- The parties (Dem and Rep) specifically in this heated election race would demand redress on the systems being corrupted by possible hacking attacks
- Election results could be null and void
This scenario is quite possible and it does not have to be fully successful technically to actually be successful as an attack. The net effect of PSYOPS on the American process and people would already be carried out and in effect. Given this election cycle’s level of crazy, this one would be very hard to control and not have it spin into disarray. It does not take a lot to throw a monkey wrench into an already contentious election where persistent October surprises from hacked data are being splayed across the scrolling bars of CNN.
Actors
With all the scenarios laid out, it is important to now cover the two actors and circle back to the recent events concerning DDoS. In Bruce's piece he immediately went to the old standby: "China did it." I however do not agree with this assessment, and the reasons are due to the nature of the actors and their motivations. Rational actors versus irrational actors are key points to consider when you are trying to attribute attacks like these recent ones. All of this is speculative to start with, so please bear that in mind with the attribution I make (see dice above). For all I know these attacks could all just be cyber criminals seeking to hawk their "booter" service.
Who’s to say really?
DPRK
Per the assessments of CSIS and other experts on DPRK there is not much to go on in the way of hard data on cyber capabilities and actions from North Korea. However, they do have patterns of behavior and doctrine that has been smuggled out of the country in the past. The use of asymmetric attacks that take very little resources would fit perfectly with the DPRK’s desires and modalities. As mentioned above also, this type of attack would fit well with their “short war” stratagem.
North Korea under Kim Jong-un has shown a willingness to use cyber warfare tactics in attacks like Sony and understands they have nothing to lose by leveraging them. Sanctions are not going to work on them, even with the pain they may cause. The same can be said for attacks like DDoS: there is a low threshold to entry and use, and they are a large asymmetric win in the eyes of DPRK. I would recommend that you click the link at the top of this post for the CSIS paper on DPRK's cyber capabilities and structure.
Russia
Russia is another animal altogether. Russia plays the game brashly but most of the time very smartly. In the case of DDoS use we have already seen them leverage it in tandem with kinetic warfare and do so with success. Their recent use of it as a digital stick on Ukraine also shows that they are not afraid to use the attack in their back yard. However, use of it against other nations might be a bridge too far in some cases. The scenario I have laid out with regard to the nation's elections in November 2016 is quite plausible, though, and proving that the DoS was carried out by Russia or a proxy would be hard in an international court.
Another aspect of this scenario is just how far a response the US would take if such attacks happened. With attribution being what it is, how would the country respond to an attack of this nature, and what good would it do if the process had already been tampered with? This scenario is mostly a PSYOP, and once again, the damage would have been done. With Putin's recent aggressive moves (re-forming the KGB and now walking away from the nuclear treaty), it is not beyond the scope of possibility that his penchant for disruption would win out.
Russia is a rational actor and this would be a rational attack. Imagine if by an attack of this kind it tips the election in favor of Trump?
Scary.
Conclusion
The DDoS attacks that have been happening recently do show that something is afoot. That something is coordinated and is being used to target key aspects of the net as well as DIB partners. What the end goal is and who is doing it all is still a mystery, but, these scenarios above are just as valid as once again pointing at China and yelling “THEY DID IT!”
Maybe something will happen in the near future…
Maybe not…
Either way, one should consider the adversaries who might be at play.
K.
UPDATE: Evidently I am not the only one who is thinking along these lines… The Daily NK had an article come out the same day, thanks to @JanetInfosec for the tip! According to this article they are assessing that on or near 10/10/2016 DPRK may attack ROK with electronic/hacking attacks as well as perhaps more launches of provocation.
EquationGroup, ShadowBrokers, and Loving The Cyber Pathogen Bomb
We all knew that this shit was going on but now it’s reaching epic cyber douchery levels kids…
Monday:
Hey someone posted some shit on the Github and the everywhere! LOOK!
DOWNLOAD
DOWNLOAD
DOWNLOAD
Tuesday:
Shiiiit this stuff looks kinda real!
FUCK THEY TOOK DOWN ALL THE LINKS!
…EXCEPT MEGA OF COURSE…
LOOK! RC5 and RC6 Implementations match EQUATION GROUP!
ERMEGERD!
LOOK ODAYS!
SNOWMAN SAYS LAY OFF RUSSIA BECAUSE YOU WAKE DA BEAR! (Uhh hey, can I have my dacha now? I have been a good comrade)
ASS-ANGE FROM HIS EVITA BALCONY: WE HAVE ALL THE SHIT AND WE WILL BE POSTING IT BECAUSE FUCK YOU ALL!
Wednesday:
SECRET SQUIRRELS FORMERLY AT NSA SAY HOLY SHIT!
SECRET SQUIRRELS AT TAO SAY OOPS!
SECRET SQUIRRELS AT TAO SAY THIS IS RUSSIA BY GOD!
Fuckery. It’s all fuckery kids. The world is at war already and the populace never got a vote on this one. These scripts and exploits are just the tip of the 2013 iceberg and the reality is that knowing what the likes of J-39 and their ilk were hoping for back in the day we are well and truly fucked if they decide to go all out cyberdouche. Now we have this almost parity with this leak by who? The 2016 cyber equivalent of the Rosenbergs? I haven’t a fucking clue and no one else does as to who did this and why. No really, fuck you if you say you do. And if you attempt to “threat intelligence cyber attribute” this shit you are only trying to get clicks for ads.
But seriously, the biggest issue I have with all of this is that while we are all slobbering over the dump and the potential one to come no one seems to be talking about how fucked up this is. While these guys are making and buying 0days and pwning foreign nations our own infrastructure lies like a burned out whore in the missionary position. We are prosecuting the war but we are not securing the “homeland” for shit and we see it every day. See, the rub of it all is that corporations are the ones that hold the infrastructure and fuck all trying to make them become secure through legislation or any kinds of rules. So here we are with all our shit in the wind to start with, no mass movements to secure the nation’s everything, and now a dump of just some of our cyber weapons has been spilled online as a big fat fuck you.
Yeah, I feel good about where we are.
Still, the shit is three years old.. Who’s to say that those sploits still work on systems in China let’s say. Anyone checked by the way? Anyone?… Well in any case either someone fucked up and left this shit on a server in 2013 to now OR as some have intoned, this was an insider. Either case still leads to the inevitable fuckery the nations have all been up to and we are not alone, not by a long shot. Some have said that the NSA should be securing things and I just laugh and laugh at that. What the fuck do you think their operational aegis is anyway? It’s to break all the things and own them! So all you who look to Ft. Meade for any solutions are just deluded. Nope, the war is on, it is hot, and it is all under cover. When someone finally decides to go batshit they will unleash all the sploits in tandem with kinetic operations and that will be it. A real hot war will erupt.
It’s still true.. We are the reason we can’t have anything nice.
Oh well, at the end of the day there’s fuck all we can do. The shit is in the wind and now everyone has it. It will be used as a platform of attack until all the things are patched but in between they will be used for whatever ends lone actors or nation states feel like using them for.
Yay.
Move on.
K.
DNC Hack: The Flying Fickle Finger of Fate and Intelligence Analysis
I had some Tweet conversations this morning that led me to a need to make yet another post on the DNC hack debacle. @Viss and @mr0x20wednesday both struck up a conversation after I posted a link to the NYT article on the consensus that is growing within the government that Russia carried out the hack. The consensus building is coming from assessment by the CIA while the FBI has initiated an investigation into the hack and the subsequent dump of data to Wikileaks and to the web via the wordpress account for Guccifer2.0. It is important to take note of the previous statement I make here about who is “assessing” and who is “investigating” and that is something people in the general population do not quite grok much of the time. The FBI attempts to prove things in court and the CIA generates analysis and assessment to help leaders make decisions. These are two different things and I want you all in INFOSEC to understand this when you start to have conversations about spooky things like the hack on the DNC and the subsequent possible propaganda, psyops, and disinformation campaigns that may ensue.
I recently wrote a more irreverent post while I was in a more Hunter S. Thompson state of mind concerning American politiks and the mess we are in, but the core idea that Russia carried off this hack and the actions after it still hold true for me. Many of you out there are reacting more like how I reacted when the Sony attack happened and once again I also find myself asking the same questions and having the same concerns over attribution versus solid evidence. There are many issues at play here though that you have to take into account when dealing with an action like the Sony or DNC hacks where information warfare or “cyber war” are concerned. Most of the considerations you have to make surround the classification of much of what you might get in the way of evidence to start with never mind about the circumspect nature of attribution that is being released to the media. At the end of the day my question to the FBI was “Show me proof” which is their job right? FBI is part of the DOJ and should be leading to charges right? Well, none were proffered by the Obama administration, some sanctions were laid on DPRK but no charges, unlike the wanted posters for the Chinese agents that the FBI laid out for hacks and thefts of data. There is a distinct difference here and that is evidence that can be presented in a court versus attribution and analysis by companies like FireEye and Crowdstrike. True, both those firms can prove certain things but primarily, as you all know out there, attribution is hard to prove so it really stops at analysis, more like the intelligence agencies content and mission.
So where does that leave us with regard to the DNC hack? Well, the attribution data presented first off may only be a portion of what Crowdstrike may have. Other portions may in fact have been classified or asked to be held back by the government (I’d say pretty likely here) and may some day be revealed. If the Sony hack is any indication though of this process, not so much. I am still unaware of any real conclusive evidence of Sony’s hack being DPRK but like I said, the US government sanctioned DPRK over it. It is not likely the government and the president would do so without some more solid evidence but one must consider “sources and methods” when dealing with international intrigue like this right? Don’t like that? Well, get used to it because you are going to see more and more of this as we move into the golden age of nation state hacking and covert action. There will be things you John Q. Public, will never know and will be classified for a good long time. Just take a stroll through the Spy Museum in the cyber war section and look at some of those code names. I bet you haven’t heard of some of them and at least one of them, some of us, were VERY surprised to see on that wall already.
But I digress…
At the end of the day though I have to go with previous experience, Occam’s Razor, and a sense of Cui Bono concerning the DNC hack/dump/manipulation. Some may argue that the GRU and KGB (yes, once again old agencies don’t die, they just change names 😉 ) would not be as sloppy as to leave the breadcrumbs that are being found by Crowdstrike and others. I would remind you to look at the last big operation that we busted in the US by the KGB as well as the recent posting of selfies by a KGB graduating class as examples of “everyone fucks up”. For that matter, shall we mention our own CIA’s debacle with the Pizza Hut? Every agency screws up and every hacker does too. Humans and human nature ensure that things will get messed up; there are no perfect operations. In this case the assets involved likely had access to the DNC as well as the RNC but decided to use this data to influence the elections in a manner that they could get away with easily. This is the nature of spying, politics, and geopolitics. Take a look at the history of the CIA and dirty tricks in the politics of South America and then picture it if they were doing the same (hint, they are) today in the cyber age.
That’s right kids, there have been other dumps and hacks. Perhaps some of those too were the US? Think about it.
Russia and Putin have been gerrymandering elsewhere, money and influence operations have always been around. Now consider yourself to be Putin and you have an operation that gave you easily funnelled information to the likes of Julian Assange and Wikileaks! Even more enticing, the fact that you all know that attribution is hard to prove in hacking! What do you have to lose if you are Putin or anyone else? So, if you look at how this plays out, and what more may play out come October, who, what nation, would have the most to benefit if we actually had trump in office?
Think… The answer is ANYONE who would like to take America down a peg and have more possible influence on world politics.
If you look though at the rhetoric by Trump you can in fact see that the big dog in the room would be Putin though. Just think about it! How much more power and sway would Putin have if Trump were in office and dismembers NATO? Come on now kids, think about it. Ask yourselves “Cui Bono?” here. So stop the quibbling about the attribution and the finger pointing. Take the analysis by the CIA and others as well as the eventual data the FBI comes up with and start looking at how we can fix the problems here. There are so many problems though that I too get disheartened. The political system is broken, the information systems are not properly protected, and we run headlong into creating more weaponized code? It is enough to make a man drink.
Ooh good idea…
Dr. K.
Wait Till October…
There is so much talk about the leak by Wikileaks of the DNC emails (20k) which is only a partial dump I think in the end. Much of the Tweet stream is going on about how this is likely the KGB (No, I will not call them FSB) and how this is bad in so many ways. The DNC dump Friday has been fun to go through from the perspective of laughing at their hubris and gawking at the people involved, the money, and the fuckery. However, once you get past all the schadenfreude you start to realize just how fucked we all are.
First you begin to realize just how dirty and full of fuckery politics is to start, that is if you aren’t already jaded about this shit. Then you realize the proportions of the fuckery when you see proof of some of the things that go on via the leaks from the DNC’s and Hill’s toilet server and you think
“What the SHIT?”
You take a shot of whiskey and crawl back into your lizard brain for a while to get away from it all.
Once you have ruminated on all of this then you start to ponder on the motives and the actions taken by the actors here. They hack Hill’s server in the disused crapper and then DNC’s systems? Or was it the opposite? What is the motive here? Is this a hack by some kids to upset the political apple cart? Or is this something more? Is this a nation state? The attribution firms are in high gear promoting their theories but this time I will go with what Crowdstrike is selling.
Pooty and his funtime band are doing a number on us is my vote too and fuck are they pulling a whammy using our own political fuckery to destabilize all the things. This has been the hack that I would consider to be an outright CIA styled destabilization operation, the kind that you would find material online on (think South American fruit and sugar) with a cyber cyber twist. Even Nixon, who pulled this kind of shit with the plumbers and Watergate would be envious right? The only difference here is that Nixon got caught. Pooty is not gonna get caught because of the nature of hacking, attribution, and cyber cyber cyber.
Once you start to look at it as a destabilization operation against the US then you have to look at the possible goals here. The US is on a five front war? How many fuck fronts is it now anyway? We are precariously teetering on the edge of failing empire, and we have these nitwits (both party candidates) running for office, both of them now tainted beyond redemption. Hillary with bathroom servers, no malware protections, and not even the forethought or ability to hire people to help them secure her shit properly? Then she goes on to consider their machinations safe for fucking un-encrypted classified email?
JESUS FUCK!
*deep breath*
Then we have Trump, with his.. Well.. His everything. He is the worst candidate I could ever think of and yet here we are, he is the RNC candidate. We are well and truly fucked. I can only imagine the security posture of his systems but gee, no one has hacked him.. Have they? If they have no one has leaked anything… Yet. I am sure his servers are full of dirty shit too.
Ok, so yeah, here we are in July and November rapidly approaches. We have Trump as the official RNC candidate for ORANGE CAESAR which scares the living fuck out of me, and we have Hillary, the lady who flouts all security measures for ease of use…Wait… Shit, that really is everyone ain’t it? HELL that is most of corporate MURICA! God dammit we are so fucked!
Anyway, Hill goes on to mishandle CLASSIFIED information and skates on it while frankly others have been pilloried for less. Truly people, with the leaks so far and just the epic fuckery of the race, I am just crawling into that lizard brain more and more with the help of a good grain alcohol. The problem is I keep coming back to lucidity and then hear/see/read the news and end up chugging the shit again to make it go away!
The sad thing is that what we have seen is just the tip of the shitberg. Trust me, wait till October when the real revelatory emails show up. It’s called an “October Surprise” and fuck it’s gonna make Hunter’s worst drug and loathing fueled nightmares seem tame in comparison. Think about it people, Pooty and the KGB are easily, handily, fucking us all over with the cudgel of our own hubris and lack of due care.
All the while these fuckheads are crafting all our dooms with malware and cyber cyber cyber WAR that would make Dr. Strangelove weep in ecstasy. While they argue over surveillance as good and crypto as bad they really don’t comprehend any of it. If it weren’t true it would make one hell of a farcical film. Unfortunately for us it is true, and it is happening today. We the people are the ones being fucked over by their collective business as usual in so many ways.
This isn’t over kids…
Put your helmets on and wait for October for the last of the dumps. I am fairly certain some shit will come out and in the end MURICA will begin its 2nd empire with an orange, small handed, orangutan at the helm of this country. Hunter was smart to have left because if he were alive now he would be reaching for the shotgun all over again in much more despair.
Dr. K.
PS.. I have written about possible motives recently… You might wanna take a look.