What Public Disclosures are Revealing about Cyber War Threats

If you follow cybersecurity news on a regular basis, the realization of what is coming for a true cyber war is downright frightening. For many who may be reluctant to view the looming threat head on, the quote from Jack Nicholson in the movie, A Few Good Men, may apply -- “you can’t handle the truth!”

Some may argue that we are on the brink of a cyber war, while others assert that what we see in the public sphere is only a mere fraction of the cyber-offensive capabilities of many nation states. The opportunistic ransomware incidents of this month, like in the city of Baltimore, reveal how paralyzing cyber threats can be—even if they are not nation-state backed attacks. And, Israel has even bombed a suspected cyber warfare center, bridging the gap of suspected cyber terrorist sources with physical military action. The signs are all around us of what the devastating end results could be.

What Kind of Damage Could a Cyber War Wreak?

A true cyber war could be nearly as devastating as conventional bombs and weapons in terms of human life and destruction to infrastructure and the economy. If you think that this is farfetched, consider these real world examples of the escalation of sophisticated cyberattacks targeting critical infrastructure:

• Triton: In December 2017, an unidentified power generation facility, believed to be in Saudi Arabia, was compromised when the Triconex industrial safety control system made by Schneider Electric SE was exploited in what was reported to have been a state-sponsored attack. The malware, known as "Triton", exploited a vulnerability in computers running the Microsoft Windows operating system, and potentially allowed the threat actors nearly full control of the safety systems for the power plant.
• GPS Manipulation: According to a study conducted by The Center for Advanced Defense Studies, the Russian Government is actively hacking the global navigation satellite system to confuse thousands of ships and airplanes regarding their current location. As an example of this potential threat reported by the UK Space Agency, Britain’s entire critical infrastructure relies on the GNSS and GPS for operations.
• GHIDRA: Ghidra is a software reverse engineering framework developed by National Security Agencies Research Directorate to support ongoing United States government cybersecurity missions. The tool helps analyze malicious code and malware, and can give cybersecurity professionals a better understanding of potential vulnerabilities in their networks and other advanced file-based threats. The tool was released to the public on April 4^th, 2019.
• Medical Devices: The earliest attacks on medical devices can be linked back to the late researcher, Barnaby Jack (a former colleague of mine at eEye Digital Security, now BeyondTrust). As early as 2011, demonstrations on the vulnerabilities in medical devices were published and raised awareness of the potential risks when IT meets implanted medical equipment. This threat has become vastly more prevalent as mhealth and IoT have exploded in popularity. Some IT-enabled medical devices still have default, embedded passwords, which is a particularly risky practice.
• HOPLIGHT: According to the US-CERT, this malware was created by the North Korean government and is designed to inventory a host, collect targeted information, and relay that data to a list of addresses on the Internet. This default payload contains a reconnaissance tool, but future versions are speculated to use this information for deeper, targeted attacks based on attributes discovered on a host system.

Reflecting on the Real Threats to Critical Infrastructure Security

It is clear that we are dealing with much more than ransomware given the sophistication and sources of these attacks. In summary, these cyberattacks and malware have the capability to:

• To penetrate infrastructure (Triton) and inflict wide-ranging damage—from service disruption to catastrophic systems failure, and even extreme damage to critical infrastructure
• Misdirect commercial navigation (GPS) that could cause collisions in dependent services, like shipping, aviation, and civil rescue
• Reverse engineer attacks for countermeasures and new attack vectors (GHIDRA)
• Target individuals with medical history (medical devices) for assassination
• Provide reconnaissance and surveillance of foreign activities (HOPLIGHT) to reveal sensitive information and plan for future attacks, both physical and cyber
• Impact devices from computers to IoT, IIoT, SCADA, and ICS that could devastate a company or public, critical infrastructure.

If we consider that these are only a fraction of what nation states wield in their cyber war arsenal, we should all take note. We “need to handle the truth” and not ignore the potential threats against our critical infrastructure, homes, businesses, personal well-being, and government systems.

Resources on Securing Critical Infrastructure from Cyber Threats

IIoT Security: Managing Identities and Privileges (guide)

Mapping BeyondTrust Solutions to NERC Critical Infrastructure Protection (CIP) (white paper)

Secure IoT/IIoT Devices with BeyondTrust solutions (datasheet)

Four Pillars to Securing UK National Infrastructure (blog)

Securing IoT with Privileged Access Management (blog)