Guest post: Speedbox – Could a cyber-attack trigger war

There are concerns that the world has only experienced a very small level of the true threat posed by cyber-attacks. With both state and non-state actors becoming more adept at carrying out attacks in the cyber realm, the threat to global security and economy will continue to grow. This raises the possibility that cyber-attacks could spark an actual conflict outside of the cyber sphere.

In just the first six months of this year, the severity of the attacks reached a new high.

Florida Water – In February, an operator at the water-treatment plant in Oldsmar, Florida, watched the mouse cursor on his workstation move by itself and open the software that controls the treatment process. The intruder, connected through the plant’s remote-access software, raised the setpoint for sodium hydroxide (lye) from about 100 parts per million to about 11,100, roughly 100 times the normal level, before the operator reverted the change.

Colonial Pipeline – In May, a ransomware attack on the company’s business network led it to shut the pipeline down as a precaution, directly interrupting fuel supply to the US East Coast. The chaos, shortages and price spikes traced back to a single point of entry: the password of a dormant account, found in a batch of leaked credentials, that still had access to the corporate VPN, and the VPN did not require multi-factor authentication. Colonial paid a ransom in Bitcoin, although much of that was reportedly recovered.
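The Colonial entry point is an auditable condition, not bad luck: an account nobody has used in months, VPN access, no MFA, and a password that already sits in a public breach corpus. The script below is an added example of that audit, not Colonial’s, Mandiant’s or any vendor’s code. The account records, the stand-in breach corpus (a local set of SHA-1 hashes, in the style of Have I Been Pwned’s Pwned Passwords data) and the 90-day dormancy threshold are constructed for illustration.

```python
"""Audit a directory export for the account profile that let the
Colonial Pipeline attackers in: dormant, VPN-enabled, no MFA, and a
password already present in a public breach corpus.

Added example, not Colonial's or any vendor's code. The account
records, the breach-corpus hashes and the 90-day threshold are
constructed for illustration.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from datetime import date, timedelta

DORMANT_AFTER = timedelta(days=90)   # assumed policy threshold
AS_OF = date(2021, 5, 7)             # constructed "today" for the sample run


@dataclass
class Account:
    username: str
    vpn_enabled: bool
    mfa_enrolled: bool
    last_login: date
    password_sha1: str   # only what a breach-corpus check needs; in practice
                         # you compute this at password-set time, directories
                         # do not export it


def _sha1(pw: bytes) -> str:
    return hashlib.sha1(pw).hexdigest()


# Constructed sample: the dormant legacy VPN account is the interesting one.
ACCOUNTS = [
    Account("jdoe", True, True, date(2021, 5, 1), _sha1(b"correct horse battery staple")),
    Account("svc_legacy_vpn", True, False, date(2020, 11, 3), _sha1(b"Summer2020!")),
    Account("mkhan", False, False, date(2021, 4, 28), _sha1(b"not-in-corpus-xyz")),
]

# Constructed stand-in for a leaked-password corpus. Real corpora hold
# hundreds of millions of SHA-1 hashes and are queried by hash prefix.
LEAKED_SHA1 = {_sha1(p) for p in (b"Summer2020!", b"Password123", b"Welcome1")}


def findings_for(acct: Account, today: date) -> list[str]:
    """Return the policy violations for one account (empty list = clean)."""
    issues = []
    if acct.vpn_enabled and not acct.mfa_enrolled:
        issues.append("vpn-without-mfa")
    if today - acct.last_login > DORMANT_AFTER:
        issues.append("dormant")
    if acct.password_sha1 in LEAKED_SHA1:
        issues.append("password-in-breach-corpus")
    return issues


def audit(accounts: list[Account], today: date) -> dict[str, list[str]]:
    """Return only accounts needing action, most findings first."""
    flagged = {a.username: findings_for(a, today) for a in accounts}
    flagged = {u: f for u, f in flagged.items() if f}
    return dict(sorted(flagged.items(), key=lambda kv: -len(kv[1])))


if __name__ == "__main__":
    for user, issues in audit(ACCOUNTS, AS_OF).items():
        print(f"{user}: {', '.join(issues)}")
```

Any one of the three findings is worth a ticket; an account carrying all three is the Colonial profile and should be disabled before the investigation, not after.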

Microsoft Exchange – In March, a Chinese cyber-espionage group exploited four previously unknown vulnerabilities in on-premises Exchange Server (Exchange Online was not affected) to plant web shells on tens of thousands of mail servers, putting organisations and government agencies across the globe at risk. Microsoft released out-of-band patches and mitigation guidance, but patching alone did not evict an attacker who had already planted a web shell, so affected organisations also had to find and remove those before their servers could be trusted again.

The foregoing is just the tip of the iceberg. Hundreds of lesser-known (or now forgotten) attacks have occurred, such as the Marriott International breach disclosed in 2020, which exposed the personal information of some 5.2 million hotel guests, including name, mailing address, email address, phone number, employer, gender and date of birth.

The cost of cybercrime goes far beyond the money spent on detecting, responding to and recovering from an attack, and the situation has been getting worse. In 2015 the global cost of cybercrime was put at $3 trillion, a figure cited by the World Economic Forum; it is forecast to reach $10.5 trillion by 2025.

The use of cyberweapons against industrial control systems was demonstrated with destructive effect in 2010 by the most (in)famous piece of malware of them all: Stuxnet.

Stuxnet was a complex, multifaceted worm that disabled uranium-enrichment centrifuges in Iran, slowing the country’s nuclear program. At the time nothing could match it for complexity or sheer cunning: it spread unnoticed on USB flash drives, using a then-unknown flaw in how Windows rendered shortcut files, and so reached computers that were not connected to the Internet or to any network.

Hundreds of thousands of computers were infected, yet the worm’s payload activated only on machines running Siemens’ Step 7 engineering software and connected to particular Siemens programmable logic controllers driving the centrifuges. On landing on such a machine it rewrote the controllers’ code. It then drove the centrifuges alternately far above and far below their normal rotational speed, while feeding recorded “normal” readings back to the operators’ monitoring software, and physically destroyed them.

Whilst many in the West cheered Stuxnet, it sharpens the question of whether, by accident or design, a cyber-attack may produce a devastating physical outcome. The Florida Water attack is a case in point. Fortunately the operator noticed the moving cursor and responded quickly. The plant advised that it has overlapping safeguards which would have stopped contaminated water reaching the public, but the incident is a classic example of a cyber-attack with potentially serious consequences.
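The two failure modes described above, a setpoint pushed far outside its engineering limits (Florida Water) and operators shown normal readings while the equipment is being driven to destruction (Stuxnet), are both catchable by a guard that sits outside the HMI’s trust boundary. The following is an added example of such a guard, not code from the Oldsmar plant, Siemens or any vendor; the tag names, the limits and the event log are constructed assumptions, with the lye and centrifuge numbers chosen to resemble the two incidents.

```python
"""Independent setpoint guard for an industrial control process.

Added example, not code from the Oldsmar plant, Siemens or any vendor.
Two checks the incidents above call for:
  * a setpoint write that jumps outside engineering limits or changes
    too much in one step (the lye dose going from ~100 to ~11,100 ppm), and
  * a process reading the HMI reports as normal while an independent
    sensor disagrees (the Stuxnet pattern of replaying recorded-normal
    values to operators while the drives run wild).
Tag names, limits and the sample events are constructed assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class TagLimits:
    lo: float          # engineering minimum for a valid setpoint
    hi: float          # engineering maximum for a valid setpoint
    max_step: float    # largest change one write may make
    tolerance: float   # allowed HMI-vs-independent-sensor disagreement


# Assumed limits; a real plant takes these from its design/HAZOP documents,
# never from anything an operator console can edit.
LIMITS = {
    "naoh_dose_ppm": TagLimits(lo=50.0, hi=150.0, max_step=20.0, tolerance=5.0),
    "centrifuge_rpm": TagLimits(lo=60_000.0, hi=64_000.0, max_step=500.0, tolerance=200.0),
}


def check_write(tag: str, current: float, requested: float) -> list[str]:
    """Reasons to block a setpoint write; an empty list means allow it."""
    lim = LIMITS[tag]
    reasons = []
    if not lim.lo <= requested <= lim.hi:
        reasons.append(f"{tag}: {requested} outside [{lim.lo}, {lim.hi}]")
    if abs(requested - current) > lim.max_step:
        reasons.append(f"{tag}: step {abs(requested - current):.0f} exceeds {lim.max_step:.0f}")
    return reasons


def check_reading(tag: str, hmi_value: float, independent_value: float) -> list[str]:
    """Flag an HMI value that an out-of-band sensor contradicts."""
    lim = LIMITS[tag]
    if abs(hmi_value - independent_value) > lim.tolerance:
        return [f"{tag}: HMI reports {hmi_value}, independent sensor reads {independent_value}"]
    return []


# Constructed event log: (kind, tag, current_or_hmi, requested_or_sensor)
EVENTS = [
    ("write", "naoh_dose_ppm", 100.0, 110.0),          # routine operator trim
    ("write", "naoh_dose_ppm", 100.0, 11_100.0),       # Oldsmar-style jump
    ("write", "centrifuge_rpm", 63_000.0, 63_200.0),   # within limits
    ("reading", "centrifuge_rpm", 63_000.0, 84_000.0), # HMI replays normal, sensor does not
]


def run(events=EVENTS) -> list[str]:
    """Evaluate every event and return the alerts it raises."""
    alerts: list[str] = []
    for kind, tag, a, b in events:
        alerts += check_write(tag, a, b) if kind == "write" else check_reading(tag, a, b)
    return alerts


if __name__ == "__main__":
    for line in run():
        print("BLOCK/ALERT", line)
```

The design decision that matters is where the guard runs. If it lives on the same engineering workstation as the HMI, Stuxnet-class malware simply feeds it the same replayed values. It has to take its reading from a separate sensor path, approve writes on the controller side rather than the console side, and load its limits from the plant’s engineering documents.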

Recently, US President Joe Biden said that a future war could be sparked by actions in cyberspace. This is a somewhat ironic observation coming from him: Stuxnet is widely reported to have been a joint US and Israeli operation, and he was Vice President during part of its development and at its release. But I digress.

For the last several years many have speculated that numerous ‘Trojan horse’ programs lie dormant in the systems of government departments and utilities around the world, waiting to be activated. One investigation of the Florida Water incident reportedly found that the malicious code had been in place for at least two months before it was used. Could a single cyber-attack set off a tit-for-tat response that ends in military confrontation?

Stuxnet, for all its brilliance more than a decade ago, ushered in a new era of cyber-attack, and a malicious action by any one of a number of governments could set off a dangerous escalation.

This entry was posted in Politics.

8 Responses to Guest post: Speedbox – Could a cyber-attack trigger war

  1. mundi says:

    All of those attacks are nothing compared to the SolarWinds attack. Hackers somehow got into SolarWinds’ development environment and put their own source code secretly into the build process. SolarWinds then shipped versions of their programs with special back doors, allowing every user of the software to be infected, as the infection was in legitimately signed binaries. The high level of this attack could only be done with colossal government funding.

    Now consider how much code you run that you don’t control: everything from Windows to hardware drivers to all the vendors in between, every time you download or install something. How many are already compromised? No one knows.

    Another example we have already seen: retail teller software used all over the world shipped with malware that sent credit card info back to Russian hackers. They stole on the order of tens of billions, and it took years to figure out how they were seemingly able to get almost any person on the planet’s credit card at will. All you had to do was buy something at a shop.

    We also have numerous examples of exploits in the Linux kernel whereby the source code is slowly refactored, often over years, by pseudo-actors from big companies and governments to create subtle logical exploits that are very difficult for the maintainers and linters to pick up. Many are likely still in the code and being used. Some are designed to allow a break from a virtual machine to the host, allowing attackers to take full control and supervision of cloud services.

    Google Chrome has had about 20 “zero-day” exploits this year. And when you look into them, many of them were injected into the source deliberately, or are extremely suspicious in hindsight.

    Basically, you can’t trust any code you didn’t write yourself. Even open-source software has so many layers that even the best security teams can’t pick up logical bugs/exploits; there is just way too much code.

     


  2. FlyingPigs says:

    @Speedbox

    Good post. Thank you.


  3. FlyingPigs says:

    People that don’t know the history and origins of computing, let alone the history of the west, are easy marks.


  4. FlyingPigs says:

    LOL

    I used to check program output once… back yay whenever…


  5. Rohan says:

    A bloke in my Chem Eng class, whom I went through Uni with, told me at a get-together in 2019 that he had installed a new control system for a client. He got a callback about a week after installation, and the client told him that set points were altering by themselves while they were watching. When they corrected them, they would be altered.

    Anyone who has done any control engineering will tell you that this is potentially. As in the very real chance it will make the plant unstable and explode.

    So he headed back to troubleshoot and witnessed this first-hand. Someone was altering set points in the control room without anyone touching a thing.

    He isolated the control room from the wider network but asked to see the router installed on the site and, lo and behold, it’s a Huawei. This guy is a bit on the spectrum and obsessive about IT, so he hacked the router firmware (as in manually cracked the encrypted files; he just sees the patterns) and sure enough, there’s a back door in the firmware, and the back door only accepts logins of Chinese origin.

    Don’t use Huawei anything. Or any other cheap Chinese IT-based routers or switches. You’re asking for trouble if you do. And the ChiComs will know everything.


  6. Shy Ted says:

    Need to arm the citizens just in case.


  7. Kneel says:

    Pegasus: a “no-click” phone (iOS and Android) “hack”. They send you a message. You do not do anything with that message (don’t even look at it, let alone click any links or buttons; just delete it). Your phone is infected. Complete control: camera, microphone, encrypted comms apps, everything is vulnerable and wide open to the nefarious actor. Over 50,000 phone numbers from a “related” group were released, with many prime ministers, presidents, diplomats etc. on this list.

    Intel & AMD: every single x86_64 CPU from both these manufacturers (a large percentage of all desktops, and even PLCs etc.) has a “security” CPU built in. This can completely stop your main CPU(s), examine/change memory, access disks and network etc. etc., with absolutely NO WAY to stop it or even detect it from the device itself, regardless of OS, anti-virus or anti-malware programs.

    If you have critical infrastructure and want to be secure, disconnect from the internet.
    If that is not possible, then:
    1) do NOT run any “standard” OS unless you built it from sources yourself
    2) do NOT use “standard” hardware: ARM-based CPUs in custom hardware, a “developer kit” or some Android device that has been repurposed is safer than x86 hardware
    3) ONLY use encrypted comms with good security and authentication (X.509 certificates of at least 2048 bits, at least AES-256 encryption with a maximum of 4 hours between re-keying, multi-factor authentication)
    4) screw the lid down tight, and only open services that you MUST have, and ONLY to clients that you specify
    5) if you are using passwords to help authenticate users, run a password “cracker” on your users regularly, insist on a new password that is secure, and insist that it be changed every 30 days at most, with no repeats of at least the last 12 passwords
    6) “single sign-on” from the corporate side is unacceptable for critical infrastructure systems; these MUST require additional authentication, preferably even to “see” critical infrastructure, and then additional authentication to log in to it, each device requiring a different username and a different, secure password

    This WILL be painful to implement.
    You WILL get complaints from users.
    This WILL NOT protect you totally.
    If ANY breach is unacceptable, ONLY use dedicated comms lines or direct physical access.


