
Destructive Malware and Interstate Rivalries: The Evolution of Digital Weapons and Geopolitical Conflict

BSides Las Vegas · 2017 · 26:35 · 41 views · Published 2017-08
About this talk
Mark Dufresne and Andrea Little Limbago examine destructive cyber attacks deployed by nation-states over the past decade, tracing the evolution from data-wiping malware to attacks on industrial control systems. They analyze patterns across major geopolitical rivalries—Russia-Ukraine, Iran-Saudi Arabia, and North-South Korea—showing how cyber weapons have become integrated into hybrid warfare and strategic competition, with predictions on emerging targets and escalation vectors.
Original YouTube description
CG - Destructive Malware and Interstate Rivalries: The Evolution of Digital Weapons and Geopolitical Conflict - Mark Dufresne & Andrea Little Limbago Common Ground BSidesLV 2017 - Tuscany Hotel - July 25, 2017
Transcript [en]

All right. As she said, that's our lengthy title, so we'll pass through that quickly. As anyone who's read anything in the news knows, there's a lot going on in the destructive malware realm, and there's a lot going on as far as geopolitical conflict. What rarely happens is actually seeing these two together and seeing the interplay between them, and so that's a lot of what we'll be talking about today, also looking over the course of really the last decade or so. It's not necessarily a new phenomenon; there's been a ton even over the last month, with this new wiper malware that there's supposedly never been anything like before, but we're going to show that's not necessarily as new as everyone's saying. These pieces of the puzzle have not necessarily been put together in such a strategic way, and so that's what we'll be doing, basically showing how we've gotten to 2017, where there's a lot of interesting things going on, to say the least.

I'll cruise through this really quickly, just who we are. We both work at Endgame and both have experience in the government, but from the IC and the DoD perspectives, and we take different perspectives: I have an international relations background, modeling and conflict, and Mark has an InfoSec background, so we're bringing those two perspectives together in a way that Allison actually talked about a little bit during her talk, as far as blending the social sciences with information security. I'll pass it on to Mark.

All right, cool. So I'm going to talk a little bit about just a background on what destructive attacks we've seen over the last seven or eight years, and what are the differences between these things, what are some of the commonalities, what are some of the emerging themes. So I've binned these things into two main categories. Like, what's a destructive attack? The first type of attack really involves just destruction of data: destruction of hard drives, logical destruction. These are the sorts of things like overwriting files, destruction of a Master Boot Record. A lot of you in this room probably would say... sorry, I'm not doing it right, apparently, sorry about that. So destruction of data is kind of the first step, and you might think that's not that big a deal: what would be the impact of an attack like that, if it were successful? Well, it's easy to restore the data on one computer if you have a backup; repartition a hard drive and you're back in business. But when you're talking about coordinated attacks across sometimes tens of thousands of machines, that can actually lead to some very, very severe real-world impacts as secondary effects, so we're going to talk about some attacks of that nature.

The other type of destructive attack is really more about using cyber access and cyber means to directly manipulate things in the physical world, usually by taking advantage of industrial control system components and modifying the way certain systems are operating: the electric grid, other components. And that kind of starts us off with Stuxnet, which I bet everyone in this room has heard about. It remains one of the, if not the, most advanced and complex attacks that created a physical real-world effect. Just quick background if you haven't heard of this: the Iranian nuclear program has been something of great concern for a very long time. There's a lot of thinking, hey, they're pursuing a bomb. To build a bomb you need lots of fissile material, enriched uranium or something else, and so they have a lot of centrifuges which are spinning around trying to separate atoms and create fissile material. Those actual centrifuges were the subject of a cyberattack called Stuxnet, a very advanced campaign: access through USB drives supposedly got it onto systems, up to four zero-days built into this software in order to do propagation and look for programmable logic controllers, PLCs, which were what the attackers were intending to get onto and then create some real-world manipulative effects, with great knowledge of the actual system, employing lots of reconnaissance before the attack, which is a theme you'll see throughout some of these. The things were manipulated, and allegedly up to 20% of the centrifuges in the program were destroyed, basically modified through cyber means to make themselves effectively explode, self-destruct, causing a real-world impact. So that was sort of the first time we saw that sort of effect, somebody reaching through the internet and causing this to happen.

So jump forward two years: Iran was the target again, of some malware called Flame. This particular malware was one of the biggest packages we've ever seen, about 20 MB in size, and had a lot of really advanced espionage components in the malware to do things like screen grabs, audio capture, recording conversations, things like that. It also had a wiper component in the malware, so again a lot of propagation techniques in there as well to burrow through networks in an automated way. Broadly, this wiper component took out Iranian oil targets. The Iranians allegedly had to take a bunch of actual production facilities offline; unclear if that was caused by the attacker or if it was a precautionary measure, I'm not aware of exactly how that went down, but things came offline. So again this was an attack where manipulation of hard drives, data destruction and MBR overwrites led to some kind of real-world effect on oil production.

A similar attack happened later, something called Shamoon. This targeted a Saudi oil production facility. Just a quick question: who here has been part of a cyber incident that happened on a weekend or on a Friday night and kind of wrecked your day? Yeah, I have; that sucks, happens all the time. You see that also with these destructive attacks, and this was a time when this was a real theme. They launched this attack, supposedly the Iranians against the Saudis, on the eve of a major religious holiday in Saudi Arabia, so that wrecked a lot of people's holiday long weekend. In this case all the data was overwritten with a nice little picture of a burning American flag, Master Boot Record destroyed. This malware was hard-coded with admin credentials, which it used to create remote admin shares; the malware copied across, and then a scheduled task destroyed data at 11:08 a.m. on the eve of this religious holiday. So, a coordinated, wide-scale effect: 30,000 computers supposedly taken offline. I don't know of any evidence that actual oil production was affected, but it sure as heck impacted their business operations for quite some time; it was a major restoration activity.

So going forward we see a very similar attack, now out of the Middle East and in the Korean Peninsula: this Dark Seoul attack, which is very likely the North Koreans going after the South Koreans, and Andrea will talk a little bit more about that continuing back and forth here in a minute. But again, they timed this attack to create maximum chaos, maximum simultaneous events, targeting finance and media. Again, destroy files with overwrites, and then actually go ahead and destroy the master boot records, reboot computers, things are inoperable, huge pain in the butt to restore from that. This knocked ATMs offline in South Korea and knocked some media outlets off the air for a short period of time. So again, secondary real-world effects based on this destructive malware that looks a lot like other wiping types of attacks.

So jumping forward to 2014, what did we see? Kind of some hilarity with back-and-forth, like a cyber destructive attack as a response to something somebody doesn't like. The first example targeted the Sands Casino, and this is very likely another Iranian attack with malware. In this case Sheldon Adelson, a billionaire, head of the Sands Casino conglomerate, is a bit of an Iran hawk; he thinks we should push back a little harder on the nuclear program. He made some statements to the effect of, you know, we've got to puff our chest out, show them who's boss, maybe we should go take a nuke to the desert in Nevada and blow it up to show the Iranians what will happen if they don't stop. So you can imagine that maybe the Iranians didn't really appreciate that, and in response to that they went right back at him and disrupted operations of the Sands Casino in very substantial ways, taking out 75% of their systems with, again, wiper-style malware, but also stealing data, releasing some employee data online, defacing websites, in this case with some nice messages like "don't let your tongue cut your own throat" and "the use of weapons of mass destruction for any reason is a crime," things of that nature. So kind of getting some messaging in with that.

And then another great one, which I bet a lot of people have heard of, is the Guardians of Peace, later very tightly connected to the Lazarus Group, or North Korean hackers, responding to Sony because they didn't like a movie created by the guys behind South Park that was all about assassinating Kim Jong-un, a ridiculous comedy. I guess Kim Jong-un didn't appreciate that either and decided that the right proportional response was going at Sony hard with a cyberattack: stealing a lot of data, releasing unreleased films, all of their email servers, which you can imagine the chaos that creates if all your email goes online, you're doxxed broadly. And again a destructive attack, wiper and destruction of MBRs, in that case using some of the same components that the Shamoon attacks had involved, same raw disk access driver, et cetera. So you're starting to see cyber destruction as a response to something else, even "I didn't like something, so I'm going to go pop you in the face with a cyberattack."

So kind of getting away from that, but something I think a little more serious in terms of real-world impact: an attack on a German steel mill in 2014. This one hasn't gotten a tremendous amount of press, but in this case there have been some connections to Russian hacking groups doing this, state-sponsored hacking: getting access via spear-phishing to a German steel mill, moving laterally, finding industrial control system components, kind of harkening back to the Stuxnet model where, hey, I can reach into a cyber system and do something to cause a real-world effect. In this case they modified multiple components regulating this giant blast furnace used by the steel production process; they knocked some of these things off, it created some cascading failures and the thing basically blew up. I don't think anybody died, but if anybody had been standing next to this thing, that would have been a real bad day. Some pretty serious real-world consequences; in this case hackers reaching in, manipulating control components and causing this real-world impact.

We saw more of that in 2015: APT28, again a Russian hacking group, attacks the Ukrainian power grid. You're starting to see this Russia-Ukraine thing really heating up, and cyber activities going along with that. This was actually a pretty amazingly well-coordinated attack against their grid; almost a quarter million people had no power for about 1 to 6 hours, depending on things, before they could manually restore. But these guys clearly did reconnaissance for a while. They spear-phished their way in, they got creds to a VPN, logged in to the VPN, which gave them access to the SCADA components, and did a lot of things. They first actually did a denial of service on the call center for these different electrical companies so nobody could call and figure out what was going on or report anything, so kind of creating some chaos at the outset. They went in, they basically broke some communications components, UPSes connected to this stuff, they opened a bunch of breakers and did some other things that caused the electrical grid to fail, and as they got out they actually overwrote firmware in some of the control components that were supposed to talk to these systems, so basically they couldn't do restoration via cyber means at all, because you could no longer communicate with any of the devices. It's pretty well coordinated: ninety minutes after the attacks started, they actually did a wiper attack, destroying systems throughout the network to make it even more difficult to do any kind of restoration, because all of a sudden the business side of the network starts going offline. So a denial of service, multiple real-world effects through ICS components and a wiper component, all coordinated at the same time. Pretty impressive attack, and maybe a harbinger of things to come in terms of level of sophistication.

We also saw another interesting trend here: something called the Cyber Caliphate hit a French TV network called TV5Monde, taking 12 TV stations off air for almost a day. Oh good, well, yeah, the ICS components attached to the fire alarm system have been modified. All right.

These rivalries are basically between country pairs; that's what dyad, or dyadic, means, so between two groups of countries. These dyads that exist out there are disproportionately responsible for the number and amount of conflict in the world system, and so you can see in the other theories up there that these disputes are not insular events, they're actually interconnected. Research is starting to stray a little bit from just the dyadic to the network aspect and system level, and I'll talk about that a little bit, as far as you see these dyads starting to have more regional consequences. And so these findings, going back several hundred years, coding all the different data in the world based on whether there's conflict between these two groups of countries, do show that they are disproportionately responsible for conflict. And as it turns out, these same dyads, the ones that are some of the most conflict-prone, also are the ones using wiper malware right now. So I'll walk through some of the more common rivalries as they pertain to wiper malware.

So, Russia-Ukraine is no surprise. The interesting thing about this one, and I'll go through some different power asymmetries between each of the three use cases we'll do (Russia-Ukraine, Iran-Saudi Arabia and the Koreas): with this one you've got a major power and a minor power. We start seeing it in 2014; basically, for Russia, it's an extension. It goes back to 2007 with Estonia, if not even sooner, for all the other activities. But within Ukraine you see it switch from a pro-Russian leader over to more of a pro-EU-integration leader, and following that you start seeing that that leader was ousted by Parliament, you have elections occurring in 2014, and this is really a case where Russia almost did stop the elections. During this time they actually did get into the ballot system; they had to delete everything and reboot just in time for the elections to actually occur. So Russian interference in elections is not anything new by any stretch. At the same time, there were also information campaigns going on, basically after the elections, saying the pro-Russian candidate won, and the annexation of Crimea during this time, that was also coupled with major DDoS attacks and other kinds of attacks at the same time. And so that's where you start seeing this evolution into hybrid warfare, where there's a digital domain integrated with more physical, kinetic kinds of conflict at that time.

Russia, of course, wasn't done then. In 2015, more local elections; right around that time, again, major attacks going on, this time targeting more of the news and media industries, along with government entities, and then you've got the attack on the energy grid during that time, right as the holidays were picking up. And that's, again, as Mark talked about: some of these, as we go along, are aimed to augment the amount of impact based on holidays and those kinds of events or downtime. You go to 2016, and the Ukrainian president has basically said, you know, we're under a digital blitzkrieg. During 2016 they've been attacked a ton throughout the entire year, not just these major ones that you're hearing about; he said something like tens of thousands of attacks on about 36 different organizations over a two-month period alone, just during last year. And so it's really picking up, and the targets are expanding: you've got the shipping industry, financial industries, you have media, and obviously the public sector as well. And then 2017, you've got NotPetya coming on, targeting Ukraine and then spreading globally, with additional sanctions being thought about on Russia for some of this activity. So it's just been one major escalation between those two countries.

For Iran and Saudi Arabia it's a little bit of a different story. This is where you've got peer-to-peer countries and more of a tit-for-tat behavior, and Mark talked about a lot of the stuff leading up to it, so what I'll point out is that in 2012 Iran's CERT issued a warning over the wiper malware, and you start seeing the tension starting to rise following those attacks, and then you get Shamoon. After that, though, there's a relative lull, at least in the digital domain, during that time; there are still plenty of proxy wars, if you think about Syria and Yemen both. 2015, the nuclear deal; you can think about that, and the rest of the region felt a little uncomfortable, to say the least, with some aspects of it. And so following that, 2016, again you see the headlines calling it, you know, digital warfare going on between Saudi Arabia and Iran. Those are the kind of headlines that are getting pushed out there for 2016. On top of that you see the Iranian pipeline explosions, and the thing to point out here is that, at least from anything I've seen, there have been discussions on whether it's a cyberattack or not; it's not been confirmed. But when it comes to rivalries, it doesn't always matter whether that happened or not; the perception is there, and that is what will guide behavior within the conflict. So then they see Shamoon, and finally 2017, we're still under Shamoon, and at the same time we see everything going on right now with some of the proxies of Saudi Arabia and Iran, with the UAE and Qatar tensions that are going on and the planting of the fake news after the intrusion. And so that's what's going on with this one, and again a lot of it is timed around some of these major events, but it is much more targeted, and that's part of the difference here, at least over the years.

With the being targeted, you compare that to North Korea, which really has not had any kind of constraint with the kind of attacks that they've had. And so while many point to Stuxnet as one of the first major destructive malware, North Korea had some back in 2009, which doesn't really get talked about a ton, and it was part of a botnet, a botnet worm that propagated first to the US on July 4th, again the theme of the events, and then spread to South Korea. What happened during that same year was the end of the six-nation peace talks, so it's something to keep in mind, and nuclear testing began again in 2009 in North Korea. So you see the tensions going on there and you see the response, linked to the North Korean side, being linked to those kinds of changes in the international system that are going on. Increased tension going on in 2010, 2011; 2011 otherwise linked to North Korea, this time really having an impact on the South Korean financial system. During that time there were the torpedo and rocket launches and some failed ones, and again more of this tit-for-tat going on between those two countries. Another nuclear test in 2013, and there's another one in 2016. Keep in mind the sanctions and the joint exercises that occurred during 2013 are around the same time as some of the attacks that happened, and so you've got again all these things going on as far as the different events; you can start linking those to when some of the wiper malware or destructive malware was deployed. Skipping ahead, we know about Sony; 2015, war of words, basically blasting propaganda across the DMZ at each other; there were some minor casualties between the two countries as far as some exchange of fire. And again with SWIFT, basically the $81 million bank heist going on. So we started seeing, really following that malware in 2013, much more of an easing of tensions on the digital domain as far as South and North Korea, still heating up a bit on the political front, and North Korea starts looking actually even broader. What the reasons could be: within South Korea there's a whole corruption crisis that they could very well, from the North Korean perspective, be taking care of themselves, as far as leading to instability and so forth. And then 2017, DHS US-CERT just recently issued a warning for Hidden Cobra; in there, it includes everything from DDoS to wiper malware in the warning. So they're still very, very active, enough so that there was a warning issued. So now, Mark.

Yeah, cool. So what's next? We don't have a lot of super bold predictions here, because largely this isn't broke, it's working. These techniques we talked about, both targeting the grid and targeting endpoint computers, are all working, so I think we should expect to see the attacks kind of following very similar paths. However, some of these countries involved in these attacks are probably emboldened by the lack of any real consequences for their actions, both destroying computers and also probing at things like television stations, power grids, steel mills, things like that. Some of these attacks, you can't even really figure out why they'd be specifically targeted, and so the thought that pops into my mind is that there may be just sort of tests: testing out tools, making sure they actually work in the wild, and then putting them in the toolbox for a rainy day when conflicts might escalate further and they may have to deploy them more broadly. And as these geopolitical strains increase, it kind of feels like the consequences, or the concern about getting caught, maybe that starts to go away. Maybe we start to see more of these real-world physical attacks where tools were just kind of used on a proof-of-concept basis.

I think we're going to see a lot of deception, and perhaps ransomware being included, ransomware as a cover for action. I mean, irreversible encryption; yeah, it can be reversible, but if you don't have the encryption key it's effectively data destruction, so we may see more ransomware without reversible encryption or provided keys start to become the norm when we're going after computers themselves, as opposed to overwriting files. We'll probably see more collateral damage and things like that. Which organizations? We're going to see a lot of the same we've seen; we talked about the energy sector, finance, the public sector, all these institutions where, if computers go down, business operations cease, there's going to be confidence undermined, the ability to have sort of strategic messaging about why things are happening, defacements to go along with these attacks. All of that's going to continue. Strategic targets, and even, you might call some of these things tactical, but we saw a lot of what were, in the minds of probably North Korea and Iran, very successful operations in response to statements and things they don't like that are totally outside the cyber domain, with the response coming through the cyber domain. We'll probably see more of that, as in, hey, this is in my toolbox, as a government, of ways I can respond even to things totally outside the cyber realm, creating some destructive effects. All right.

Okay, so which kinds of groups of countries might be next? India and Pakistan also comes to mind, which is increasingly worrisome given the nuclear weapon issue on both sides, but what's going on is that we're already seeing that they're following a path that's very similar to what we've seen from the other countries. This would be more of a peer-to-peer, like we see with Saudi Arabia and Iran. We've already been seeing an uptick of DDoS attacks, and then just in this year there's been some sightings of ransomware used between the two countries, and so given the historical animosity going on, while the other geopolitics is going on, they seem like a prime candidate if we were to be forecasting which rivals might be next. Israel-Iran seems like the natural progression of what's already going on within the Middle East. And then one more interesting question is, why not the US and China? And I don't think they would be right now, for a large reason that thinking about all this goes back to strategic objectives, right? And so for China right now to attack the US in this area, given the economic interdependencies, given also some of the instability already going on right now within our own system, China can basically step back for a little while and see what's going on while continuing other kinds of attacks. This isn't saying that there won't be any kind of cyber espionage and those kinds of things; it's basically saying that the implementation of destructive malware is not necessarily in China's interest or in the US's interest right now, and so when that changes, when that calculus changes, that's when there's a reason for concern. At the same time, if you look at all three different case studies we did, the US is getting drawn into each of those as well, so we start seeing some of those system effects for more of the US.

And finally, when, and this is hopefully a theme that we touched upon a little bit, breezed through a little bit: holidays are a big time, elections are a big time, think about agreements and summits. We start seeing a range of just more cyberattacks in general during some of these, thinking like joint exercises, those kinds of things, and then the sanctions. We'll end with that, because today the House is voting on a potential increase in sanctions on Russia, Iran and North Korea, across each of those dyads we've talked about, and so it'll be interesting to see, one, if that passes, and then, if so, if there is any kind of response in this area. So that's something to keep an eye on. So now, we're a little bit over our time, but if there are questions, we'd be happy to take them.

You mentioned that there's a lack of consequences for probing networks, especially probing civilian networks. What effect, like how much of this do you think is caused by the NSA's refusal to allow espionage and non-fully-destructive activities into the Tallinn definition of the use of force in the digital realm, since that was a NATO combined exercise?

I can talk a little bit about that, for the Tallinn. And so there is still discussion, so if you get into the formal aspects of whether countries have to adhere to that, right? So there's all that. Yeah, that's exactly part of the issue, right, whether you're adhering to that. So it is in there, and there is discussion, and the UN GGE, the norms, just fell apart, that discussion as far as whether or not destruction actually does get categorized as, you know, with a physical effect, I think it's categorized as an act of war. I also don't think there's follow-through yet from the governments to be able to want to respond given those kinds of things. So the interesting thing that's just been coming out lately is that some of this has impacted Ukrainian hospitals. Ukraine and Russia are technically at war, by most accounts, and so that makes it a war crime, right? There have been a couple of articles over the last week talking about that, and so, well, that's why, I mean, it's fuzzy right now, and the policy in all these areas is really lagging behind that. I'm a hundred percent, though, that's a whole other talk on that. I mean, some of the policy is going out, whether or not the countries actually have to adhere to it; it's very informal, they're trying to build norms to try and categorize what is and is not acceptable, but I think it is lagging behind. Even if you put the document out there, like NATO's got Article 5, right? If it's a cyberattack on one, it's a cyberattack on all. Hey, the definitions, that, yeah, right, and that's what's not... Yeah, I won't speak to anything that the NSA does; we're not associated with them. But there are competing interests within the US and within all these other countries as well that further complicate the entire way to follow through with all these things. So I think it's a fair point. I absolutely think that there's a lot to be done in the international arena to actually hold accountability in this area, and until we actually do move forward in that area, it's not going to happen. And there are different groups, both within Western democracies and within the authoritarian regimes, that also are holding up part of these processes.

Any other questions? All right, well, thanks everyone.