We read all the time that computers, from central government/corporate servers or servers we call “clouds” to laptops in our home, get hacked. Personal information is sucked out and often malware is pushed in. We may think we are safe when our computers are turned off… but if they are connected to anything via cable or WiFi, they are vulnerable. Governments that run their systems off the Web – creating what they call an “air gap” – get hacked anyway.
Some of this hacking comes from amateur “hobbyists” to see how far they can go. Others – folks like Anonymous and WikiLeaks – have a political agenda. Still others are thieves of bank accounts, purveyors of fraudulent transactions or down and dirty ransomware extortionists. Like this May 12th event: “A global cyberattack leveraging hacking tools believed to have been developed by the U.S. National Security Agency has infected tens of thousands of computers in nearly 100 countries, disrupting Britain's health system and global shipper FedEx.
“Cyber extortionists tricked victims into opening malicious malware attachments to spam emails that appeared to contain invoices, job offers, security warnings and other legitimate files… The ransomware encrypted data on the computers, demanding payments of $300 to $600 to restore access. Security researchers said they observed some victims paying via the digital currency bitcoin, though they did not know what percent had given in to the extortionists.
“Researchers with security software maker Avast said they had observed 57,000 infections in 99 countries, with Russia, Ukraine and Taiwan the top targets.” Reuters, May 13th. But this “almost debacle” had a happy ending. A modest cyber-good Samaritan, a cyber-security researcher in the U.K. who preferred to work under a pseudonym (“Malware Tech”) found the “kill-switch” (the computer code that terminated the program) for this ransomware. “The researcher first noticed that the malware was trying to contact a specific web address every time it infected a new computer.
“But the web address it was trying to contact - a long jumble of letters - had not been registered… MalwareTech decided to register it, and bought it for $10.69 (£8). Owning it would let him see where computers were accessing it from, and give him an idea of how widespread the ransomware was… By doing so, he unexpectedly triggered part of the ransomware's code that told it to stop spreading… While the registration of the web address appears to have stopped one strain of the ransomware spreading from device-to-device, it does not repair computers that are already infected… Security experts have also warned that new variants of the malware that ignore the ‘kill switch’ will appear.” BBC.com, May 13th.
But for those whose computers were infected, the choices weren’t so pretty: records that were not backed up, and for which the ransom demanded for the decryption password is not paid, are unlikely ever to be unlocked again. And even with backups, the task of rebooting and repair can take a lot of time and effort. When it comes to a healthcare system, people can simply die from lack of the necessary information or analysis. But believe it or not, that’s not the worst that could happen or has happened.
But the biggest players with the baddest intentions are nations, from the purported North Korean hack of Sony Pictures Entertainment and the Great Russian Hack of the Democratic Party and of political organizations around the world, to the more targeted cyberattacks whose focus is the destruction or disabling of military and strategic operations, facilities and equipment.
We are hardly blameless. Back in 2010, the United States and Israel jointly created a plan to attack and disable Iran’s centrifuges, which were dedicated to enriching nuclear-weapons-grade plutonium. To this day, both countries deny their involvement in this effort. Iran’s systems were not linked to the outside world; there was a seemingly impenetrable “air gap.” Yet somehow a malware worm, created in this joint collaboration and targeted specifically at the models of equipment Iran used for its centrifuge control systems, found its way into the network; the world knows it as the Stuxnet virus, malware that, once unleashed, runs on its own and cannot be stopped. Some say it was a USB stick carrying the virus that some spy inserted into the system.
The control systems caused the centrifuges either to spin out of control or to spin so slowly as to create unstable operations… all the while reporting that the centrifuges were operating “normally.” They just blew apart. Against U.S. desires to keep the attacks subtle, Israel upped its attacks to the point where the virus became obvious and easily discoverable.
As a Stanford student writing a paper released on July 16, 2015, Michael Holloway noted: “The cause of these failures was unknown at the time. Later in 2010, Iranian technicians contracted computer security specialists in Belarus to examine their computer systems. This security firm eventually discovered multiple malicious files on the Iranian computer systems. It was subsequently revealed that these malicious files were the Stuxnet worm. Although Iran has not released specific details regarding the effects of the attack, it is currently estimated that the Stuxnet worm destroyed 984 uranium enriching centrifuges. By current estimations this constituted a 30% decrease in enrichment efficiency.” Woo hoo!
Except that once Iran learned what had happened, it used these events as a recruitment tool, invoking a patriotic call to engineering students throughout the country to join a soon-to-be-huge elite force of Iran’s best and brightest to defend the Motherland and attack those who had dared to try to take down Iran’s systems. They decided to send a message to the United States and her allies, loud and clear… one that they too deny to the present day. And somehow, Stuxnet found its way back into the United States itself. Further, Iran didn’t exactly lie back either. Even though they denied (and continue to deny) these efforts, they really wanted the U.S. to know who had pulled this trigger.
In the summer of 2012, Iran unleashed a massive cyberattack on the world’s most valuable oil company, Saudi Aramco, which decimated the entire software system of this primary extractor of Saudi oil. 35,000 computers went down… permanently. “The virus erased data on three-quarters of Aramco’s corporate PCs — documents, spreadsheets, e-mails, files — replacing all of it with an image of a burning American flag.” New York Times (10/23/12). Saudi Arabia is Iran’s most virulent foe in the Middle East and is a cornerstone of a U.S. policy to contain Iran.
Then, in the late fall of 2016, Iran purportedly struck again. Iran’s “cyberweapon has attacked at least one Saudi government agency, as well as organizations in the energy, manufacturing and transportation sectors, according to two researchers with direct knowledge of the investigations into the attack… Security researchers are now headed to Saudi Arabia to investigate how hackers wiped clean computers en masse, according to several experts involved.” CNN.com (12/2/16).
But lest the United States have any doubt on who perpetrated this attack… and why… very shortly after that first attack on Saudi Aramco, this happened directly in the United States: “The financial and banking industries are on high alert tonight [September 27, 2012] as a massive cyberattack continues, with potentially millions of customers of Bank of America, PNC and Wells Fargo finding themselves blocked from banking online… ‘There is an elevated level of threat,’ said Doug Johnson, a vice president and senior adviser of the American Bankers Association. ‘The threat level is now high.’
“‘This is twice as large as any flood we have ever seen,’ said Dick Clarke, an ABC News consultant and former cybersecurity czar… Sources told ABC News that the so-called denial of service attacks had been caused by hackers from the Middle East who had secretly transmitted signals commandeering thousands of computers worldwide.
“Those computers -- or ‘zombies’ -- were then used to overwhelm bank websites with a barrage of electronic traffic… Different banks have been targeted on different days… Today was PNC Bank's turn: For three hours, ABC News tried to get on the PNC website to no avail… On Facebook, a frustrated customer, Cynthia Schirm, wrote, ‘Trying to pay bills. This is ridiculous.’… ‘Hopefully it can be up soon,’ wrote Stacy Briggs-Gerlach. ‘Never realized how dependent I am on it!!!’
“A group of hackers calling themselves Izz ad-Din al-Qassam warned the financial industry that it was going to attack in retaliation for the controversial film ‘The Innocence of Muslims,’ which provoked outrage across the Muslim world earlier this month [September/12].” ABC News, September 27, 2012. It was a bad week for those banks. But despite denials, it was the government of Iran that fomented that little message, not some esoteric terrorist hacking group, and it was aimed directly at U.S. policy-makers. Oh, the U.S. never directly conceded that Iran could do this, but insiders were absolutely certain who had perpetrated this assault. It seems that our original Stuxnet attack, while seemingly wildly successful, generated Iranian blowback that both accelerated their nuclear enrichment program (since stemmed by the recent accords to which the U.S. is a party) and drove the development of one of the world’s most sophisticated cyber commands.
Could such attacks disable our entire Internet, crippling communications and most if not all of our financial transactions? Could power grids across the United States be shut down, perhaps for sustained periods of time? Could the powered drinking-water filtration and sewage systems then spread havoc and disease to every sector of our nation? The easy answer: YES! We are seriously vulnerable, our cyber-infrastructure abominably weak and our planning to recover from such an attack woefully inadequate.
The hard-dollar cost of fighting such attacks is steep enough for our military and defense systems, but for most private enterprises the costs are beyond prohibitive… until they have to recover following a well-targeted attack. And it’s not as if, following a power outage of this kind, electrical companies can just flip the “on” switch. What toxic worms remain on the system? How must rebooting be carefully structured to avoid creating more damage?
While we have taken decades to generate biological, chemical and nuclear warfare containment treaties, and while these WMDs continue to be genuine threats, World War III is well underway in the cyberworld. What makes the situation worse is the exceptional difficulty in detecting and tracing these attacks – not exactly as unsubtle as a nuclear blast – but perhaps mostly, the proclivity of nations to deny their actions and pretend to keep these weapons secret. If an entertainment lawyer from Beverly Hills can write about this world, really, exactly how secret is it? Why is this “cone of silence” so pervasive in this segment of military warfare?
Unlike traditional weapons developed by hardware manufacturers with long-standing military-industrial suppliers, these weapons have been and will continue to be developed by the espionage agencies of governments themselves, agencies which have traditionally classified everything they do as Top Secret. Agency heads, top military officers and elected officials (including the President of the United States) never talk about these capabilities, either refusing to answer questions or withholding necessary evidence. In the vernacular of government, this sector is heavily “over-classified.” However, if we don’t talk about it, how would we ever propose to negotiate international treaties to contain a threat that mirrors the capacity of huge explosive weapons… a threat that works without any need to deploy missiles, aircraft or even trucks?
I’m Peter Dekom, and given the magnitude of this threat – particularly to a technologically-dependent country like the United States – we need a ground up reconfiguration of our cyber-policy towards developing an international treaty to contain this terrifying new category of weapons.
Hollywood Reporter 5/12/17: "The frequency of the [ransomware] attacks has overwhelmed the FBI's Los Angeles field office, which has been unable to properly investigate all of them. The FBI's surprising advice, according to industry sources: Pay the ransom. After all, the hackers aren't asking much more than a Cannes hotel tab. In all of the Hollywood extortion cases, the hackers demanded less than $80,000. A law enforcement source says that in California, losses would need to exceed $50,000 for the U.S. Attorney's office to prosecute, thus keeping the FBI from pursuing most of these cases.
But an FBI spokesperson in the L.A. office denied that the agency is telling companies to cough up the bitcoins in cases of ransomware. "The FBI does not encourage payment of ransom as it keeps the criminals in business," says Laura Eimiller. "Of course, the individual victim must weigh their options."
"If your system is wiped and you didn't pay, then there's no way to recover it and you basically shut down your entire business, so the FBI will say it's easier to pay it than it is to try to fight to get it back," says Hemanshu Nigam, a former federal prosecutor of online crime in L.A. and onetime chief security officer for News Corp. "And if one company pays the ransom, the entire hacking community knows about it."