What Is Cyberwar Anyway? - Andy Pannell

BSides Newcastle, 26:45, 194 views, published 2025-03

Transcript (en):

So I'm going to talk about cyber war, because I've seen this mentioned a lot over the last maybe two and a half, three years, especially starting with Russia-Ukraine and then moving to what is happening in the Middle East. So a quick disclaimer. I guess the most important part is that I am going to talk about real war and physical war, so if you feel uncomfortable with the idea of warfare, then feel free to leave at any time.

A little bit about me. I've worked in cyber security professionally for about 14 years, a mixture of pentester, offensive security, red teaming, and then more recently worked in application security. I run the Newcastle chapter along with three chapter leaders who are here today; if you live in the North East and aren't aware of it, then feel free to come talk to me afterwards. I used to be a SCADA engineer, which will become apparent in a few minutes' time, and apparently watching cars go around in a circle for 24 hours is not everyone's idea of fun, but it's certainly how I like to spend my time. I have no military background, so all of this is based on research that I've done or information that I've gathered as part of speaking to people.

So I'm going to talk about what I see as traditional warfare, then talk about some background into how I think cyber war started or has progressed. I'll then talk about particularly October 7th 2023 and the current war that's going on in the Middle East. So this talk is focusing on the war between Israel and Hamas, which wasn't apparent in the synopsis. I'll talk about some threat actors, I'll talk about some malware, I'll talk about some API and reverse engineering, and then I'll conclude with what I think, where we're going in the future, and of course I'm going to mention AI.

Right, so very briefly: I'm not going to condense, like, 4,000 years of Middle East history into half an hour, and I'm not going to try and provide information about what side is good, what side is bad; rather I'm just going to try and present the facts on the ground as I see them.

So a real simplistic view of what warfare is to me: one country attacks another country, a nation, a sovereign state. There are usually some physical borders, so we understand where nations begin and end, and there's normally some kind of ground operation, at least in the past, where we understand some physical interaction will take place. So that's the perspective of what I guess I class as traditional warfare, and now I want to talk about why I think cyber warfare is different from traditional warfare, but how it's also not a new thing.

When I started writing this talk I started to think about films I'd watched growing up. I'm a child of the '80s, growing up in the early '90s, and I thought about Terminator, WarGames and a few other films that I've watched that kind of spoke to and resonated with cyber warfare for me. But for me Sneakers was the biggest one, where they talk about information warfare, and it's not necessarily about bullets but who has control of the information.

From that I started thinking about the White House. I was going to ask who this is, but it says on the slide: this is Howard Schmidt, and in the early 2000s he was hired by President Obama to become the cyber strategy guy at the White House. His whole shtick was that there is no such thing as cyber war, it's just information warfare; this idea, this metaphor that cyber security evolves from warfare and all of our tactics and strategy, is just nonsense, and this isn't a battlefield, and we shouldn't use the term cyber war. That was in March 2010, and then in June 2016 NATO actually recognized cyber war as a tactic that would follow up from traditional warfare. It became an officially recognized, used term and meant that there was this kind of cyber battleground for nation states, and that one attack on one nation's sovereign cyber part or body would then result in a collective military response from the entire organization, and therefore may also trigger a full military response if this idea of cyber warfare was to happen. So that meant that, as NATO recognized it, the official domains of war were land, sea, air, and now cyber was recognized.

So I mentioned that I used to be an industrial control systems engineer. I'm not going to ask anyone to play GeoGuessr as to where this is, but I started thinking about the first time that I could think cyber warfare was happening. So this is Natanz in Iran, and for anyone that's not aware, this is where Stuxnet kind of began its life. For me this is the first kind of example where we had a mixture of traditional physical warfare, where something physical happened on site, but yet we also had the cyber element of espionage and computers being involved in a physical act. This happened, from memory, around 2009, 2010, and at the time this was the most advanced, or described as certainly the most advanced, malware ever written. It targeted very specific Siemens processors; it targeted very particular Iranian nuclear centrifuges, and the idea was that it would compromise Iran's ability to make nuclear power. It did this by using four Windows zero-days and stole two digital certificates, and it's been attributed to two Western nation states, and the estimate is that it took hundreds of developers around about five years to come up with this complexity and this power, to be able to compromise a physical nuclear power station.

So I mentioned that the body of this talk is now going to talk about the Middle East and what happened from the 7th of October 2023, which was 364 days ago. For anyone that's not been following the news, almost 52 weeks ago today there was an invasion of Israel by 4,000 Hamas fighters, 1,200 Israelis killed and 251 hostages taken. The reason why I'm explaining this is because I need to explain to you how small Israel is in terms of cyber war. So in the context of a physical war, Israel; on there I've also included Judea and Samaria and Gaza, which is what I took from the official government statistics. You can see it's a pretty small country, right? Like, from somewhere in the North East that probably takes us down to about London. So not a huge country, not very wide: it's about 21 miles across and about 150 km in length. The reason why I'm doing this is to provide context around this.

On the left hand side you can see Israel blowing up rockets and on the right hand side you can see enemy fire. The way that this works in Israel is that when their Iron Dome defensive system is activated, citizens get an alert, so they download an app called Red Alert. This is the app, and it tells them, hey, you need to, I don't know, go into a shelter, hide or be at a certain location, or you're not allowed to meet in large groups. So this is an open-source application; it's distributed on the Android store and the iOS store, but because it's open source, this allows malicious actors to take advantage of this and distribute fake malicious versions.

So the first threat actor I want to talk about is AnonGhost. I couldn't find a sexy logo for AnonGhost, so for anyone that's seen Four Lions, this is a reference to the film Four Lions. AnonGhost have conducted attacks on behalf of ISIS and now spearhead the OpIsrael attacks that happen on Holocaust Remembrance Day every year, and they primarily work on defacing websites with anti-Western, anti-Israeli messages. They found a vulnerability in this Red Alert mobile application: when they reversed it, they found that the API allowed them to send messages at will and en masse. So on October 7th, when the images of the rockets that I was showing you, and the Israelis downloading the app to say, hey, where do we need to go, they got these two push notifications. You can see that, yeah, the references, the images of the swastika. And this is an app that's got 1 million downloads on the Play Store, so pretty severe, like, what the hell is going on when the country is under attack, and this is the app that's supposed to be used to defend itself.

The second thing that happened we saw after October 7th was that someone made a fake version of the application. So I mentioned it's open sourced; they took the Android version and they added a load of malicious permissions, and anyone that's seen me talk before knows that I like to look at mobile application permissions. So they took these permissions: you can see on the left hand side the genuine permissions of the genuine Red Alert application, and on the right hand side you can see the malicious permissions that they added. Quite a sizeable difference in permissions and the type of permissions that it's giving access to. They distributed this app through a website; you click on it, it would let you download the APK, and then you would install that on your device, i.e. to trick Israelis into downloading this malicious application.

So I went and I took the application and I started reverse engineering it, to try and understand what they added these extra permissions for and what the application is doing. The first thing it did is it would go through and gather all the information, like where the victim was, information about what network they were connecting to, what accounts were installed on the device; they would look at what packages and applications were installed on the device, and then also try and pull off the victim's contacts and call log. Then the code would go ahead and wrap itself around text messages, try and extract all the text messages on the device, sent and received, and then it would bundle up all that information it had gathered and it would upload it to a random, it says onion but it's not, it's just an HTTP service on the web, in order to extract all the information that it gathered from these victims' devices. Again, to put it into context: at a time when you're being encouraged to download these kinds of apps because the country is under attack, it becomes a massive opportunity for threat actors to gain information on citizens.

One of the things that I was impressed with is that this application has a lot of anti-debugging, anti-emulation and anti-testing built into it. So the idea is that me, as a security researcher, when I download the application and run it and try and attach a debugger, the application crashes immediately. The code is obfuscated. Like, this is a lot better than some of the mobile applications I test professionally, where actually they've got some kind of code in there to protect against people like me from messing with the application. I thought that was an interesting point, that they'd gone out of their way to put these kinds of preventative strategies in against someone like me reverse engineering the application.

The next iteration: so the first iteration was that the group found an API vulnerability; the second was that they released this permission-improved version of the application; and then the third version of the application that they released was they allowed it to have a C2 communication, the idea being that they can remotely control the device. So maybe when you install this they can listen in on the microphone, the attacker can take pictures with the camera, they can pull your GPS location, so they can know on command at any time where the victim is and what they're doing with their mobile device.

Following on from those types of attacks, we saw DDoS attacks following October the 7th, and these are kind of commoditized now, right? You can go to the dark web, you can buy a stress tester, you can spend a couple hundred dollars and you can attempt to bring down websites. So the first kind of threat group I saw attacking following October 7th was a Russian organization called Killnet. Again, they didn't have a cool logo that I could find, so I just pulled this one, but they described themselves as, like, a patriotic DDoS group. They claim responsibility for bringing down Israeli government websites. So if you think, at a time when maybe Israelis are going to the government's website to try and find out what's going on while there are rockets in the sky, or going to news media websites, these websites were being DDoSed intentionally to starve the public of information.

The next group that I found were Anonymous Sudan, that are neither affiliated with Anonymous nor exist in Sudan, but it's a really easy way to build reputation, by just putting the word Anonymous in front of your group: instantly people are aware of who Anonymous are. Again, these have been attributed to be a Russian group. They started initially targeting Sweden and NATO, and they took responsibility for taking down the Jerusalem Post website on October 7th in order to starve the public of information. Cloudflare happily shares some statistics around the DDoS attacks that they saw, so you can see, maybe a little bit blurry, but on the left you can see DDoS attacks against Israeli infrastructure and on the right DDoS attacks against Palestinian infrastructure, and you can see, again, there in a little bit more detail the kind of volumetric attacks that happened following October 7th in order to starve the public of information. For me, DDoS is, like, okay, it's mildly interesting; it's not a particularly advanced kind of attack, and this is what I see when I think of DDoS, right: it's not the most advanced attack, it's just stuffing people into a door in order to prevent access to information.

So I then started looking at more sophisticated threats that we saw following October 7th by similar threat actors. The first type of malware that was discovered following October 7th was this BiBi Linux wiper, and for context, Bibi Netanyahu is the prime minister of Israel, so the threat actor renamed their malware after Bibi. What it does: it was compiled on October 7th, sorry, October the 2nd, which I don't know if it's a coincidence, but that's Bibi Netanyahu's birthday, and it got distributed around Linux servers. But unusually there was no ransomware here, there was no kind of C2 connection; when it affected a victim it would rename all their files on the Linux server to end in BiBi, it would encrypt those files and then it would wipe the server. So they're not trying to gain access to information or extract information or even money; they're just trying to wipe servers en masse. But because a lot of the world doesn't run on Linux, and enterprise environments run on Windows, they then evolved to a Windows version of the malware. That was two weeks later, on the 21st of October following October 7th, and this runs multi-threaded: it runs eight threads, it runs on 12 cores, and again you can see the date of October 21st on there. It disables Windows recovery features, it wipes the SAM, and again there's no ransomware here, there's no C2; they're just trying to prevent access to services and deny the ability to do work.

Another threat group, I'll skip over these briefly, but this is Storm-1133, and they were setting up fake accounts on LinkedIn. So they were actively trying to target Israeli citizens, developers, and say, hey, we've got jobs for you, fill in this form, download this code, run it, try and get information from speaking to developers about what systems they're working on, how they work.

But it wouldn't be fair for me to just do pro-Palestine stuff and anti-Israel; there were a lot of pro-Israeli groups that set up as well. So a lot of Indian malware and hacking teams decided they were going to take down the Palestinian health authority's website, again just through DDoS attack. And this group that I'm not going to attempt to pronounce, they targeted Iran. So Iran has been part of sanctions since the 1980s; they've got very old, like, systems for processing and computing, and they infected 100% of Iran's petrol stations and restricted access to Iran's gas and petrol supply.

So you probably recognize these three names, or at least the initials, of the NSO Group. They're well known, of questionable, I guess, authority and ethics around what they do, but they essentially sell spyware. I found it interesting that following the October 7th attack, where victims were taken hostage, the NSO Group was called to plant malware onto Israeli hostages' phones, in order then for the Israeli government to run that malware and use GPS to locate some of the hostages, which they did at zero cost. Just found that an interesting use of the NSO Group's capabilities, I guess, for want of a better term.

So I've talked about DDoS; I want to talk a little bit about what we saw on the ground in DDoS. You can see there's, like, a bit of a gap in the timeline, and that is because we saw a significant peak of DDoS attacks trying to bring down that infrastructure following October 7th. Cloudflare allows you to do some cool stuff where it'll figure out whether the traffic that you're seeing during a DDoS attack is robots or human, using some of its heuristic features, so actually we saw that a lot of the attacks were coming from automation, which makes sense, but it's interesting that Cloudflare has the ability to detect robotic, automated, volumetric DDoS attacks and provide the information to us as a customer.

I can't remember who said this, and I wish I did because I think it's a really great quote, but it gives the idea that warfare is no longer just warfare and is kind of merging between, like, cyber war and physical, on-the-ground operations. I quite like that quote, the idea that you're not just going to do one or the other, you kind of do them both going forward.

So I mentioned about what I think the future of cyber warfare looks like. First of all, you can see every country that's coloured in has an officially recognized offensive security capability. I don't think it'll be too long before we see every country here have the ability to conduct offensive security operations. Secondly, I think we'll see a synchronized on-the-ground operation mixed with some kind of cyber security operation, complementing each other as part of a physical attack and a cyber attack. And I think where you see AI, because, like, it's 2024 and everyone's using AI: following October 7th you can see images generated like this, which is really weird. Like, I still don't understand why AI can't figure out that humans have got five fingers, but, okay, sure. And, like, I look for AI and warfare everywhere, and you can see, like, every quote I found has some mention of AI, some mention of cyber warfare.

So I want to talk about what we learned as an organization during and following October 7th. So that war is no longer just nation versus nation, right; we've got activists, the threat groups we talked about; it's not just physical boundaries and physical threat, it's these other factors adding in to complexity. Yeah, skids are still being skids and running DDoS at scale no matter what, and the fact that it can be defended, but they're still happening in order to starve the public of information. And we see more advanced attacks, like the malware that I mentioned and the capabilities that brings.

But I don't think we should be so negative, and I want to provide some feedback about what I think we can do as part of defending ourselves as we go back to our organizations, as cyber security practitioners. So the first thing is running tabletops. We found this really beneficial: let's go through an attack, let's go through a cyber warfare scenario, let's pretend that this person wasn't available, what would be the consequences; run those types of tabletop exercises. NCC's got a really good tabletop-in-the-box exercise you can just go through, get the right people involved and actually understand, if something was to happen, how would you play this out. The second one is disaster recovery tests. You might have backups, but actually have you tested those backups? Do they restore? Do they work? Have the right people got access to them? Are they in a separate region, a separate AWS account? And so just going through the process of restoring them, making sure they're available and work, was a huge piece of work for us, and worthwhile. Threat intel: we used a lot of threat intel following October 7th; I found that super useful. The CERTs were really great, both in Israel and the UK, providing information to us. Yeah, AV, the basics. And DDoS test: actually the Netherlands government have a really good stress testing ability, so you can deploy a lab, you can point it at your production infrastructure, and you have full control of, like, hey, this is now affecting something, stop. It allows you to test your mitigations around DDoS without actually hugely affecting production, and being able to call it off when you need to. You can spin up a number of servers, you can control date and time, the volume of that infrastructure. That was a huge piece, an advantage, of doing this kind of work. And it would be remiss of me if I didn't talk about supply chain management. For anyone that wasn't aware, last month there was a large attack in Lebanon which resulted as a compromise of supply chain.

So I want to thank those people. Chris Pritchard did a great talk at SteelCon in 2021, I believe 2022, about IDF and Mossad, and talked about some of the capabilities that Israel have; it's worth a watch. BlackBerry, Cloudflare, Joe's did a lot of the research that I screenshotted, around some of the DDoS stuff and some of the mobile app stuff. That leaves five minutes for any questions.
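The side-by-side permission comparison the speaker describes for the genuine versus repackaged Red Alert app, as an added example that is not part of the talk: a script that diffs the uses-permission declarations of two AndroidManifest.xml files and flags added permissions covering the data the fake app collected (contacts, call log, SMS, accounts, location). Both manifests are constructed samples, not the real app's, and the HIGH_RISK list is a hand-picked assumption.

```python
"""Compare the permissions declared by a trusted build of an Android app with
those of a suspicious APK's AndroidManifest.xml, flagging additions that grant
the kind of data access described in the talk.  Manifest contents below are
constructed samples, not the real Red Alert app's manifest."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Android runtime permissions matching the exfiltration behaviour described in
# the talk.  Assumption: this list is hand-picked here, not exhaustive.
HIGH_RISK = {
    "android.permission.READ_CONTACTS",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.GET_ACCOUNTS",
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
}

# Constructed sample: what a legitimate alerting app plausibly needs.
GENUINE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="example.alerts">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.POST_NOTIFICATIONS"/>
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
</manifest>"""

# Constructed sample: the same app repackaged with extra permissions.
SUSPECT_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="example.alerts">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.POST_NOTIFICATIONS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
</manifest>"""


def declared_permissions(manifest_xml: str) -> set:
    """Return every <uses-permission android:name=...> declared in a manifest."""
    root = ET.fromstring(manifest_xml)
    name_attr = "{%s}name" % ANDROID_NS  # namespaced attribute key
    return {
        el.get(name_attr)
        for el in root.iter("uses-permission")
        if el.get(name_attr)
    }


def permission_drift(genuine_xml: str, suspect_xml: str) -> dict:
    """Diff the two permission sets and single out high-risk additions."""
    genuine = declared_permissions(genuine_xml)
    suspect = declared_permissions(suspect_xml)
    added = suspect - genuine
    return {
        "added": sorted(added),
        "removed": sorted(genuine - suspect),
        "high_risk_added": sorted(added & HIGH_RISK),
    }


if __name__ == "__main__":
    report = permission_drift(GENUINE_MANIFEST, SUSPECT_MANIFEST)
    for key, perms in report.items():
        print("%s: %s" % (key, ", ".join(perms) or "(none)"))
```

On a real APK, extract the manifest first (for example with apktool) and feed both files in; a non-empty high_risk_added list is the signal worth escalating.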

Yeah, sure. So you can, if you try to run it, it would crash. If you put it in an emulator you can play with the emulator, you can give it different strings so it doesn't detect it's in an emulator; you can then attach a debugger because it doesn't think it's an emulator. So just, like, a slow process of putting in controls, yeah, because that gives you the actual running application at that point. At the back?

Yeah, I don't have contact with GCHQ. I know that we have an offensive capability that we have the ability to use, and I guess from my perspective as an ICS engineer I don't think we're particularly ready. I think a lot of critical national infrastructure is running a lot of probably old and vulnerable systems, but I think, like, as a community, as practitioners, we're getting better. Yeah, I don't think we will see the kind of barrage, like, fingers crossed, that other places around the world are seeing, and I think we're getting better every day. That's a hopeful answer anyway. Anyone else?

Yeah, yeah, and the AI images, the one I posted was a generated image on X. Yeah, and I guess it is harder to control a narrative, and it's easier to spread, like, misinformation once you've got, like, this volumetric, you know, people are retweeting or liking and sharing. Yeah, I think it is harder; hopefully, like, when you shine sunshine on shadows they disappear and the truth comes out. So thank you very much.