
Module 5: Cyber Warfare: The New Battlefront for Defence Forces (55 min) - Peter Holliday


So this is a very exciting topic for me, looking at how we use cyberspace as a
new dimension for warfare in the modern battlefield. So today I'll cover what
cyber warfare actually is. I'll go through a lot of case studies today because,
unless you're ex-military, a lot of these things are probably very boring. I just
want to show you some of the things that are happening around us that
hopefully scare you into thinking, or scare you into knowing, that this sort of
thing is already happening around us today, and what the response is and how
people are reacting to it. And then further in the presentation, I want to take
us through Stuxnet.

Stuxnet, even though, strictly speaking, it didn't start a war, so it didn't
start a cyber war at all, is in itself a great case study about what you would
probably do, what sort of advanced techniques you would use in attacking the
strategic assets of another country to limit its ability to conduct, in this
case, nuclear proliferation. So it's a very good case study to go through just
to show you some of the smart techniques and technologies that countries are
using.
What is Cyber Warfare? (01:30)
So we went through this last week, just a recap of what cybersecurity is, and
it's really the protection of cyberspace, and as I touched on in the opening
address, it not only includes your conventional defense mechanisms, but you can
use cyberspace for offensive operations as well. So if you were a military
force or a nation-state, then you can use cyberspace not just in a defensive
capacity, but you can also use it to attack adversaries, so this is really what
we're going to talk about today, the multidimensional uses of cyberspace and
cybersecurity.

Here's a great quote from one of the U.S. Air Force security officers where, I
think, he's just highlighting the fact that cybersecurity is a new dimension.
It is new insomuch as it's a term, but, really, cyber warfare, or the mechanism
of conducting information warfare, is about as old as conflict itself. There
are a lot of definitions of cyber warfare. I like this one the best because it
puts it into context. It really is a subset of what we call in the military
"information warfare," and information warfare covers a very broad spectrum of
attacks on information, and it's all about disrupting, corrupting, and
exploiting information, either information that your enemy or adversary has or
information you want to feed the adversary, and other examples of IW may be
something like attacks on command and control.

So when the U.S. decided to go in and take out the head of a particular
organization, an assassination, that's actually information warfare. It's part
of an information warfare attack, because the idea is that we're trying to chop
off the head of an organization and stop them controlling the rest of the
organization. So we're disrupting their ability to conduct those sorts of
operations. The sorts of things that cyber war could be conducted against are,
of course, not just military forces, not just the people on the ground, but,
like all warfare, other critical infrastructure. So things like power stations,
water supplies, and the military-industrial complex are fair game in warfare.

2014 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Page 1 of 15

So if you can remember back to World War II, the main bombing raids on Germany
were against targets that were the military-industrial complex, those that were
making the weapons of war. And they are seen to be an open target as much as
the people who are actually fighting the war. Cyber warfare is great in that it
can be symmetric and asymmetric. And by this, what I mean is that in simple
symmetric warfare, we have two forces of probably equal size lining up against
each other and fighting it out. And we haven't seen anything like it really
since the Vietnam War.

Certainly, the latest war in Iraq and the Afghanistan war that we're seeing
being fought now are definitely what we call asymmetric warfare, where we have
a huge combatant on one side, being the U.S. and its allies with lots of
technology, lots of military hardware, against very small enemies, and still
finding it very difficult to win that war, because the tactics are completely
different.

Now, cyber warfare fits really nicely into the asymmetric side as well as the
symmetric side, in that it only takes a few people to inflict quite a bit of
damage using cyberspace. We're also seeing the use of more civilian people
integrated into military units. So for those of you who had anything to do with
the U.S. forces going over to Afghanistan, you probably know that a lot of
things have been outsourced: a lot of the I.T. support has been outsourced, but
also a lot of the intelligence and cyber sort of information warfare type of
things are being outsourced as well to specialist companies. These are
companies generally of ex-intel community, ex-CIA agents and operatives who
work as civilians to augment the forces that are in there as well.

But more recently, we're seeing direct recruitment of specialist cyber units,
and certainly, the Chinese PLA, the People's Liberation Army, have developed
many cyber warfare units, and it's there on the public record, and recently the
U.S. Army has instigated what they call the cyber brigade, and this is part of
their military intelligence organization, and this is in the public domain, so
you can go quite happily and google that and find out a lot of information
about what their cyber brigade looks like. But what I wanted to show you
quickly was just perhaps an indication of what a cyber brigade would probably
look like.


Cyber Battalion (07:00)
This is a battalion. Now, a battalion is part of a brigade. There are three or
four battalions in a brigade, depending on your force. And remember back when
we talked about what a hacker would do to get into an organization. The number
one thing they conduct is reconnaissance. So they've got to get intelligence on
the targets that they're after, so you can see a large element of
reconnaissance and planning cells that go into planning a cyber attack.

Once they've gained access, or have done their penetration testing and
identified the target weaknesses, they'll hand it over to the operations
people, who will conduct offensive operations. And these will be different
groups of people who would do different things. And, of course, they need an
R&D element, and this R&D element is always looking for vulnerabilities and
developing their own scripts and things like that to include in the weapons of
war, which is, in this case, cyber war. And there's a very large legal dilemma
when it comes to cyber warfare. And as I said, it really represents a conundrum
for legal scholars.
The Legal Dilemma: What constitutes Cyberwar? (08:15)
There's a great book, if any of you are interested, called Inside Cyber
Warfare. There on the bottom, I've got the reference. It's a very good read if
you were inclined, but once a war has started, everything to do with cyber
warfare is pretty well legal. So once we're in full-blown warfare, you can use
all the elements of cyber war. But what's happening, as we're seeing in
peacetime, is that non-attributable attacks are happening across borders
between nation-states. And when I say "non-attributable," it's very easy to
obfuscate a cyber attack.

So something coming in, like, for example, Stuxnet, which we're covering later:
the Iranians certainly believe that was an attack by Israel, but they can't
prove it. There's no way of actually saying that one nation-state attacked
another. So it's very difficult to pursue a warfare line with cyber attacks in
peacetime. And that's why we see that most of the cyber attacks in peacetime
are considered a criminal act and not an act of war. It's a very, very gray
area. When we're in peacetime, nation-states are not allowed to threaten or use
any force against another state unless an exception is carved out in the U.N.
Charter.

So the U.N. Charter, these articles there, 2(4), 39, and 51, really cover how a
nation is supposed to go to war. And there are two exceptions to that: one is
using the U.N. Security Council and the other is an act of self-defense. It's
very unlikely the U.N. Security Council will agree to war based on a simple
cyber attack. But a country or a nation-state can use self-defense, but this is
in response, the wording of the U.N. Charter is in response, to what they call
an "armed attack."


Unfortunately, the term "armed attack" is very ambiguous, because the Charter
actually doesn't define what an armed attack is, and self-defense also must be
what they call "necessary and proportional." "Necessary" means that the act of
self-defense is required under the circumstances because, you know, a
reasonable settlement couldn't be attained through peaceful means. And
"proportional" means that the self-defense actions are limited just to the
amount of force necessary to defeat the attack and deter future aggression.
It's very hard to quantify that in terms of a cyber response to a cyber attack.

I should also say that initially the U.N. Charter only included state actors.
So when one country attacked another country, that's what the Charter was set
up for. But since 9/11, the U.N. Security Council has passed a number of
resolutions, really, to allow for the introduction of these non-state actors
and for nations to take a definite response against non-state actors such as
Al-Qaeda. The real problem is that attribution of an attack can be very, very
difficult, and here's a great example.
MyDoom Attribution Case Study: Attack in South Korea (11:35)
In 2009, there was a cyber attack on the South Koreans. As you'll see through
these slides, the South Koreans probably bear the brunt of a lot of the cyber
attacks on their country, and most security experts believe that they come from
North Korea. Most logical people believe that they come from North Korea. But
in this case, in 2009, we had about 167,000 zombie machines spread over 74
countries, all attacking target machines in South Korea.

There were eight command and control servers and one master server controlling
those eight C&C servers. The master server actually had a U.K. IP address. So
if the South Korean government had wished to retaliate against the authors,
using the legal framework of the U.N., they would have found themselves in a
very awkward position, because the master C&C was actually in the U.K., so it
would've found itself coming up against the U.K., which it obviously didn't
want to do. Now, to make things worse in cyberspace, the master server was
actually owned by a legitimate British company called Global Digital Broadcast.
And when the U.K. Serious Organised Crime Agency and MI5 got in touch with them
and said, "Did you realize that you're conducting this attack on South Korea?"
they said, "Well, that machine is actually sitting in Miami, because it's a VPN
into the U.K. out through our firewall."

So even though it had a U.K. address, the physical machine was sitting in Miami
in the U.S., and had obviously been compromised. It was a compromised machine,
and it was running the entire attack. So how can you attribute the attack on
the South Koreans to anybody? It's so difficult to do that. And just out of
interest, of the top ten countries involved in this attack on South Korea, the
number one country was South Korea itself. So we had a lot of zombie machines
sitting in South Korea, attacking other machines in South Korea. The other
countries, sort of in order, were the U.S., China, Japan, Canada, Australia,
Philippines, New Zealand, U.K., and Vietnam. So they're spread out across many,
many countries. It says 74 different countries.
Anatomy of Armed Conflict (Kinetic) (14:00)
So in comparison, say, to what we'll call a standard kinetic armed conflict.
When I say "kinetic," we're really talking about where you're using explosive
forces, devices, bombs, those types of things. Now, the tactics of an armed
conflict differ according to what we call the levels of warfare. So there's
strategic, operational, and tactical, and those levels of war demand different
tactics when you're actually operating standard defensive operations. But
typically they follow these sorts of tasks, where you're destroying the
national assets of the country that you're after.

So let's take World War II, the great example: the main targets in Germany
behind the lines were all the military-industrial complex, the water supplies,
the power supplies, lines of communication, those sorts of things, right? So
they are the typical warfare type targets, and we saw that absolutely in Iraq
and Afghanistan. You see, the first days of those conflicts really are the U.S.
sitting back and using smart weapons to go in there and destroy targets of
interest such as communications, water supplies, power supplies, that sort of
thing. And then they conduct things like psychological operations, PSYOPS,
diversionary operations, and then launch their ground assault operations. And
they repeat that process until they've destroyed the enemy and taken the
ground.
Anatomy of Cyber Attack (15:45)
The cyber attack, on the other hand, is a little bit different. And we covered
some of this in our presentation last week. The first thing which you do in a
cyber attack is, really, you conduct your reconnaissance. So you're looking to
discover weak points in your adversary's network, and weak points not only in
the military forces fighting, but also getting into their power stations,
attacking the military-industrial complex to shut that down and stop those
sorts of things. So that's the main aim of conducting your cyber attack. What
we see is that it is part of an information warfare campaign or an information
operations campaign, insofar as cyber warfare is just part of the PSYOPS,
disinformation, and other diversionary things that you're conducting along the
intelligence line.

Now, cyber attacks can be combined with other electronic attack vectors, and
what we mean by this is that we can use jamming and other things, signals
intelligence, those sorts of things, to remove the adversary and/or slow them
down while I can slip in with a cyber attack. We still need kinetic weapons in
a cyber attack to destroy, say, command and control and lines of support. We
haven't seen, apart from very few examples now, cyber leading the virtual
domain into the physical domain. Anywhere there's a cyber attack, it still
won't be as effective, say, as a smart bomb against a cell phone tower, those
sorts of things.

So a cyber attack is quite a frightening dimension of warfare there, where we
can conduct a lot of these things very quickly and easily, with limited loss of
life from the aggressor's point of view. So we're attacking, and we can get
more gain in what we're doing in the battlefield when compared to the older,
traditional kinetic ways of attack. I'll take you through a couple of examples.
So if we're looking at running this sort of operation, we'd need to pick the
targets, just like we did in the old ways.
Operations (18:00)
In the old days, we would have a targeting conference for where aircraft would
be dropping their munitions. You do the same thing with a cyber attack. You
would choose targets of opportunity that were easy to break into: financial,
other headquarters, so there will be fixed or deployed headquarters, energy,
water, those sorts of things, and work out some sort of simultaneous takedown
of all those assets.
Scope of Cyber Attack (18:45)
Now, I've said here that the scope of the attack actually requires a lot of
planning and a lot of people. So even though asymmetric warfare is good for,
say, a group, a terrorist organization, where they can use a small number of
people to attack a larger country, the amount of damage that they can do is
actually quite limited. They can do a fair bit, but if you're doing a massive
attack against a particular country, the cyber attack needs to be very well
planned and organized and would use on the order of hundreds of units to
actually conduct the attack.

For example, if we had, say, on the order of 100 operational targets, we'd need
so much intelligence information for that. And they might be physical, so we'd
need plans, maps, photographs. We'd need the people on the ground doing the
human intelligence work and those sorts of surveillance work that you just
can't get from cyberspace. So you've got to put all these things together and
develop these sorts of capabilities to do that sort of attack.

Information (20:00)
Then we'd need specialists on the inside, and insiders are probably the best
way we're going to get malware, for cyber anyway, into an organization of high
security. This is believed to be the way that they got the Stuxnet virus into
the Iranian nuclear reactor: they had an insider bring it in, because the
nuclear reactor itself is not attached to any outside network.

Reconnaissance (20:33)
It's either that or they were able to get it onto a PC that they knew a
scientist was bringing in and out of the facility. The other way is using cyber
surveillance and those sorts of things, capturing keystrokes, those sorts of
things. We're very passive, but we still retain a lot of great information
about what's going on. So that's the surveillance.

One good point at the bottom here is that you're trying to obfuscate the attack
as much as possible, so where the Chinese fall down a bit is that their malware
generally has Chinese characters in the source code or things like that that
are traced back to China as being the source of a lot of these kinds of cyber
attacks. So when you're writing these sorts of things for real, you've got to
make sure that there's no attribution, or make the attribution of the attack
very, very difficult indeed.

This slide just really goes through to tell you to use those major teams that
were in that cyber battalion. You'd have the backdoor team trying to find
compromises, getting into the system; the defense suppression team doing
denial-of-service attacks, getting at the firewall, IDS, those sorts of things;
crippling the infrastructure assets and deleting data; planting logic bombs,
those sorts of attacks; very, very difficult to stop.

During Attack (22:18)

This is the idea of the sort of attackers you would need to conduct that sort
of operation. So you're looking at hundreds if not thousands of highly
organized, highly skilled users to actually conduct these sorts of things.
Balance of Forces (22:33)
This is why we're saying that to conduct full-blown cyber warfare is more than
just a group of hackers. You need to have a very good organization of people
and expertise to actually conduct this operation. It's very hard to respond
against this kind of attack if you've got a very highly organized attack.
Defense Response (today) (23:00)
Right now, the only defense is to reboot the company or reboot the
organization. They just have to take it offline, scrub everything, and start
again. And, essentially, that's what they had to do with Stuxnet, which we'll
talk about later.
Attacker Requirements (23:15)
They had to really shut off everything. It's very hard. Some of these Trojans
are what they call boot sector or hidden viruses, which you think you've
cleaned, but you haven't, and they are very hard to remove. And so that's the
idea of the attack, of course, to make sure these things are extremely virulent
and stay around for a very long time.

So as I was saying before, for the attacker requirements, you need a lot of
very highly trained people, and it's very hard to get a lot of people trained
in this sort of environment in cyber attacks. It's a very specific skill, and a
lot of them are probably civilians that you're using. So it's a very difficult
thing to get organized and coordinated, but militaries have been doing this
sort of thing for hundreds of years, so it's not something new. And if you go
to the future, this is probably more and more the style of attack we'll see
from countries conducting operations.

Now, I've got a couple of myths for cyber warfare. One of the things is that
small teams can do enormous damage. They can do quite a bit of damage, say on
the order of tens of billions of dollars. But if you seriously want to disrupt
the economy of the state that you are attacking, or you want to get inside the
strategic assets in a big way or conduct 100 simultaneous attacks, only
nation-states can play at that level, where you've got that sort of funding,
those sorts of resources to do that sort of thing.
Cyberwar Myths (25:05)
It's not something that even a group like Anonymous could do. They can do quite
a bit of damage themselves in taking down a website or something like that, but
they really can't bring a country down. To do that, you really do need another
nation. Another myth is that these attacks are anonymous. Now, that's true if
you've got the odd hacker attacking. They can obfuscate pretty well. But if
you've got hundreds of simultaneous attacks happening, you're going to notice
where they're coming from.

So if you have 50,000 Chinese doing something in the U.S., it will get noticed.
And when you're in a full-blown cyber war, the attacker probably doesn't care
about obfuscating as much as he does in peacetime. So the attacker probably
will want to be known anyway. And cyberspace erases distances. If we look at
some of the very highly sophisticated attacks like the Stuxnet virus, which is
malware which we'll go into, the attacker needed some very, very intimate
knowledge of how the turbines and how the actual logic controllers went
together. What was the system like? How was it laid out? They needed to have a
replica of it working so they could develop the software with it.

So we're talking big budgets, lots of resources. It's something that you need
people on the ground to get reconnaissance for, as well as conducting that
operation either in theater or out of theater. So it doesn't completely erase
this: you're going to need a lot of people, a lot of players, all throughout
the spectrum of this attack. How do you defend against something like this?
Well, it's very, very difficult. You need to be pretty much online as much as
the attacker is.

So if you were waiting for a cyber attack in your country, say from one of the
big countries that are already well advanced in doing this, and you haven't
formed these sorts of rules and regulations and you haven't started preparing a
cyber battalion year-round, or at least a cyber operations center, then you're
way behind the mark, and your country really will be affected by any of these
attacks. One of the use cases I'll show you against South Korea, again, coming
up, is a great example of lack of defense and what that means to your country.


So these are the advantages of cyber war over your traditional kinetic warfare,
and really it comes down to the cost. To run a cyber campaign is so much
cheaper than even firing one smart bomb. And I've got a great slide here of
just a comparison of the cost. So if you had a stealth bomber flying missions,
firing JDAMs onto a target, the cost of that, the training, the weaponry, the
military technology that goes into that, is billions and billions of dollars.
And how does that compare to a cyber attack? It's orders and orders of
magnitude less to conduct that. So in terms of conducting this sort of
operation, it really makes a lot of sense for countries to now start looking at
cyber as a new dimension for their offensive operations.

So the other thought is that it's very difficult to find where a cyber weapons
facility may be. It's very easy, using satellites and aerial photography, to
work out where the missile sites are. But cyber can be anywhere, and that's the
beauty of it. And it's very hard to attack a user who's in the suburbs with a
smart bomb, because you don't know where they are. Just one point on
propaganda: it's still probably one of the most powerful cyber attacks.

For example, the Abu Ghraib photos that were disseminated by the internet and
other things that WikiLeaks has actually disseminated: these sorts of things
have done more damage to the political interests of the U.S. than any other
sort of cyber attack.
Case Studies (29:40)
Use of cyber as the medium for conducting these, and this is just an
old-fashioned information warfare type operation, is very simple, very cheap,
and very, very effective. One of the things you get taught as a military
student is a lot of Sun Tzu quotes, and this one is a great one, I think, that
applies to cyber warfare. If you can subdue the enemy without fighting, and
that's exactly where we're coming to now with cyber war, then that is the
best-case scenario. You're not killing any of your own troops. You're not
killing any of the enemy, but you're subduing them by using cyber means rather
than kinetic means.

So I just want to throw out a few case studies before getting on to Stuxnet.
This one here is called "10 Days of Rain," and this happened last year. This is
sort of like generation 2 of that MyDoom attack that I talked about earlier on
the South Koreans. And it was a very advanced piece of malware that, for ten
days straight, attacked South Korean computers. This one, they are pretty
certain, was launched from North Korea. They could trace it back to North
Korea. But it was very, very sophisticated. It had 40 command and control
servers. It had code updates, multiple encryption schemes. It destroyed the
zombie machine when it was finished and wiped itself off.

So for ten days, the idea was to shut down as many South Korean computers as
possible, targeting government machines and things like that. And what they
believe is behind this attack is that it was just a straight reconnaissance
mission. It was just a probing attack on South Korean cyber defenses, to see
how they would respond to such an attack if it was used as a precursor to a
full-on invasion. And the bad news was that they couldn't cope with it at all.
Poor old South Koreans had no idea what was happening. They could not counter
this virus. It was so advanced and so sophisticated; they had nothing to
counter this virus.

So for ten days, they were essentially taken offline. And imagine if you were
in South Korea and this happened to you in a government department, say, the
defense department of the ROK. You've lost your command and control ability for
ten days, and during the ten days, North Korea launched an invasion. This sort
of attack is just so effective in doing that sort of thing, causing those sorts
of information warfare outcomes.

This ought to make you a little bit frightened: this is the attack on the Oak
Ridge nuclear weapons lab in 2007. They tracked down over 1,000 attempts to
steal data from the Oak Ridge center. It was all done through staff phishing,
phishing attacks through email. And unfortunately, some of those emails were
opened, and there was quite a bit of information lost back to the Chinese
source of that particular attack. And as I said in my opening address last
week, China is very active in these sorts of attacks, or should we say
computers sourced from China. The attribution is still very difficult, because
we don't know whether the machine is, in fact, a nation-state sponsored
machine, or it's just an infected machine in China that's been used by another
country to infiltrate other areas.

There are some signs, and there are some ways of tracking down in more forensic
sorts of investigations exactly where they come from, but a lot of attacks are
attributed to China, and then there are a lot that come from China that can't
be attributed to China. Here's just a quick list of some of the more, I guess,
famous attacks from China over the last five years. And these are all against
governments and industry that supply defense. So if you think about attacks on
the defense industry, the penetration of, say, Rolls Royce's systems and
stealing their secrets and using their information, or compromising their
network in such a way that they could destroy information or do things like
that, is a major concern to, say, defense contractors.

Angela Merkel had three computers in her own office penetrated by the Chinese.
The PLA: this is one that worries the U.S. They've documented in that article
that I've got there sourced that their NIPRNet, and they also believe the
classified network, the SIPRNet, is also compromised by a number of Chinese
malwares, all designed to disable that network in times of conflict or
confrontation. They estimate that they've already downloaded about 10 to 20
terabytes worth of information from the NIPRNet, and what they think they're
after are user accounts, so that they can then access NIPRNet and SIPRNet using
legitimate accounts so they don't raise any red flags. See, the malware is
always being looked for, but no one's looking for a legitimate user who's
logging into the account. And that's pretty much what they're looking for
there.

One at Lockheed-Martin, which is a very big U.S. DoD contractor: it was the subject
of some great attacks last year where the hackers actually broke into RSA and
stole the algorithms that were used for the RSA tokens. Now, they did that by
using-- by stealing or accessing two-factor authentication tokens, and then they
put a key logger on the Lockheed-Martin network, on one of the machines, and
they were able to grab a few passwords and break what everybody thought at
that particular time was an unbreakable security logging mechanism, and that's
this two-factor authentication. You might have heard that a lot of banks around
the world that use this sort of thing as well also went and cancelled a lot of their
tokens and reissued tokens. So once the system was compromised, it was open
to attack. Fortunately, they believe these attackers were really after military
secrets. So they were after these sorts of things as well.

The U.S. military contractors go to extraordinary lengths to protect their networks
these days, and one in particular-- I'll just relay a story, won't mention their name.
For example, when they receive an email with an attachment on it, the
attachment is stripped off and actually loaded in its own virtual machine. The
virtual machine has actually been written by that organization. So it's not a
VMware or an open source sort of virtual machine, because the malware is smart
enough to detect if it's being opened in a virtual machine, a commercial virtual
machine. So they've written their own. They open the attachment up like a PDF.

PDFs are well and truly known to be compromised and a very great source for
hackers to use as back channels back to their own networks. And they open the--
open the attachment, and then they sit there and monitor it for a few hours to see
if there's any-- any attempt by that attachment to try and signal anything off the
LAN. If it is, it's destroyed. If it's not, it's put back in the email, and they let it pass
through. So they--they do this with every single attachment that's put onto an
email that's received in the organization. So they go--go to some extraordinary
lengths to--to do that.
Who Really Did It? (38:45)
So here's just a slide on attribution. As I said earlier, it's very, very difficult for a
nation-state to identify where they've been attacked from under a cyber attack
these days. And it's even harder to use that as justification for entering into
a cyber war or open warfare against another country or another non-state actor.
But so, essentially, it's treated as a criminal offense. Both sides do it, so the
goodies and the baddies all have cyber warriors who are there, trying to control--
infiltrate the other side for intelligent-- nothing more than government intelligence
purposes.
Stuxnet (39:30)
So I'm painting China as the bad guy here, but I tell you, the other nations around
the world are doing exactly the same thing, and whether or not they're using
cyber or other information warfare techniques such as old-fashioned information
gathering, surveillance, and those sorts of things. In fact, to date, by the strictest
definition, the only country that has been conducting a real cyber war-- has
conducted a real cyber war by definition was Russia against Georgia during the
South Ossetia conflict. And if you're interested in reading that, just google
"Russia-Georgia conflict," and you'll get some great articles on the cyber war that
Russia actually conducted against South Ossetia.

Quite simple, what they did, but it's interesting to see. So now, to finish up, we'll
look at Stuxnet. So Stuxnet was around in 2010, and if we sort of consider the
landscape of 2010, and what sort of led to the birth of this incredible piece of
malware. The Western countries are really concerned about these unsupervised
nuclear programs and particularly what's happening with Iran, and diplomatic
attempts back in 2010, as they are now, to get inspections are failing. The U.S. was
fighting two conventional wars at the time and had no budget or no intention of
going after Iran. Conventional conflict with Iran is not an option. It's still not an
option at the moment, but we'll see. Hopefully, it'll stay not an option. And really,
the only way to get in there and do what they wanted to do, which was forever
damage the nuclear program that Iran was running, was to use some sort of
cyber warfare, some sort of insider tech.

So the target was well and truly Iran's Bushehr nuclear plant. There's no other
commercial gain. It was a malware written purely and specifically to attack that
nuclear power plant. In fact, the centrifuges that are in that nuclear power plant.
What they were worried about was that the centrifuges were being used to enrich
uranium illegally.

Now, when you look at this-- the problem that they were looking at here to
actually get the system infected, to an outsider or to some person looking at the
program, they would think this would be totally and utterly impossible to do. The
target systems were the centrifuges and devices which they call programmable
logic controllers. These PLCs were programmed by a thing called a field
programmable device, none of which are connected through any network. These
are standalone devices, which are sitting inside the nuclear reactor. They had
networked workstations that weren't attached to the internet that they used for
internal development of these PLC programs, and they were--so they weren't
attached to the internet, so even to get inside the building, they had to get the
virus or the malware onto those machines first before they could get it across this
air gap to the PLC controls.

And when you look at that, you think, there's no way they could do that. It's a
crazy idea. Here's just some of the acronyms just to help you along. These are
the sort of things they look like. So this is the Siemens PLCs that they were after.
These are very much what they call SCADA systems, the supervisory control
systems that they use to control systems like centrifuges, machines, motors,
those sorts of things. So they aren't--they aren't a PC as we know it. So the
attack scenario went something like this. And this is why, in the security
community anyway, we firmly believe that it's the work of a nation-state, because
there is no way a simple hacker organization could get these sort of resources or
this sort of information for them to launch this sort of attack, because you really
needed insider information on how the PLC and ICS schematics worked. You
needed to have a complete copy of the system.

One of the things when Symantec-- this is pulled from the Symantec Stuxnet
dossier. It's a great read if you've got a spare couple of hours to go through it.
They've gone through it in a lot of detail. But one of the things they were
surprised at, the lack of bugs in the malware. Normally malware has got a lot of
bugs in it, because the people writing it don't have a lot of time, and they want a
quick return. There were very few bugs found in Stuxnet, which--which leads us to
conclude that the people developing it had a complete copy of the system that
they were going to infect available to do testing. So they actually did a full dev
test cycle in the malware development. So once it was introduced to the
organization, they believed this was either through an inside job or an insider
station in the facility or a flash drive that they gave to a scientist or some scientist
picked up.

Stuxnet then used a number of Windows zero day attacks and other exploits to
look for Step 7 project files that were on that computer network. Once they were
there, that's when it went to work and infected the-- infected the machine. They
were able to upload some system DLLs that had been signed by certificates that
were stolen from Realtek and JMicron. So it's--now companies like Realtek and
JMicron don't just have their device driver certificates available freely. These
things are the crown jewels of companies like these. So the ability for the
operator to-- or the--the attacker to go in and steal these two-- and they believe
they used good old-fashioned social engineering to steal those two certificates
from those two companies, two companies that are located very close together in
the U.S. So they used that.

Then they believe the-- they used another attack vector through the flash--
removable hard drive or a flash drive to get from the infected system across to
the field programmer. And once that was infected, the Stuxnet program-- the
logic and the DLL that were required on the actual PLCs themselves were
replaced by these infected ones. So the beauty of it was that an operator had
no idea there was anything going on. So when they would look at the PLC
console of the diagram of the centrifuges, everything would look great. They'd
have green lights everywhere. Everything was working.

What was happening in the background, the malware would be over-rotating the
centrifuges dramatically and causing the centrifuges to blow up. So initially, they
couldn't work out why they were having a lot of failures in the centrifuges,
because everything looked okay on the actual panel, but in actual fact, that's the
idea of the malware. It hid itself very, very well as well, so any detection software
trying to look for it, it covered itself really well. I won't go through all these
features. Suffice to say that if you look at the dossier that Symantec actually went
through and produced, if you google that, they covered these in a lot of detail.
You could have a look at just the amazing amount of technology and the things
that were built into this malware to actually--to actually get it through from outside
in the wild right into a PLC that was operating the centrifuges.
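As an added illustration (not from the talk or the Symantec dossier) of the "green lights everywhere" problem described above and the defender's answer to it: a toy model in which a compromised PLC replays the nominal rotor speed to the HMI while the rotor actually overspeeds, and a cross-check against an independent meter the PLC cannot alter. All names, the 1064 Hz nominal figure and the noise values are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed parameters for the illustration (not figures from the talk):
# a nominal rotor frequency for the centrifuge and the band the HMI treats as "green".
NOMINAL_HZ = 1064.0
TOLERANCE_HZ = 10.0


@dataclass
class Sample:
    t: int           # seconds since start of the run
    hmi_hz: float    # rotor speed the PLC reports up to the operator's HMI
    meter_hz: float  # rotor speed from an independent meter the PLC cannot alter


def plc_report(true_hz: float, compromised: bool) -> float:
    """Value the PLC hands to the HMI. A compromised PLC keeps replaying the
    nominal value no matter what the rotor is actually doing (the Stuxnet
    'green lights everywhere' effect, modelled here as a constant replay)."""
    return NOMINAL_HZ if compromised else true_hz


def hmi_status(sample: Sample) -> str:
    """What the operator console shows, based only on the PLC's own report."""
    return "OK" if abs(sample.hmi_hz - NOMINAL_HZ) <= TOLERANCE_HZ else "ALARM"


def cross_check(samples: list, window: int = 3) -> list:
    """Defender-side check: times at which the HMI value and the independent
    meter disagree for `window` consecutive samples. A single noisy reading
    is ignored; sustained divergence means the PLC's report can't be trusted."""
    alerts = []
    for i in range(window - 1, len(samples)):
        recent = samples[i - window + 1 : i + 1]
        if all(abs(s.hmi_hz - s.meter_hz) > TOLERANCE_HZ for s in recent):
            alerts.append(samples[i].t)
    return alerts


def simulate(seconds: int, compromised_from: int) -> list:
    """Constructed run: from `compromised_from` onward the PLC is compromised and
    drives the rotor 25 Hz faster every second while still reporting nominal."""
    samples, true_hz = [], NOMINAL_HZ
    for t in range(seconds):
        compromised = t >= compromised_from
        if compromised:
            true_hz += 25.0
        noise = 1.5 if t % 2 else -1.5  # small, constructed meter noise
        samples.append(Sample(t, plc_report(true_hz, compromised), true_hz + noise))
    return samples


if __name__ == "__main__":
    run = simulate(10, compromised_from=4)
    print("HMI shows:", {s.t: hmi_status(s) for s in run})   # all "OK"
    print("cross-check alerts at t =", cross_check(run))     # [6, 7, 8, 9]
```

The HMI alone never leaves "OK" because it only sees what the PLC chooses to report; the alert comes solely from the out-of-band measurement.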

An interesting, funny one that I don't know if I ever mentioned was that one of the first
checks it did, it actually looked on the system to see what virus scanners were
running, and a number of the virus scanners, it actually attached itself to those
virus scanners, and that's how it infected the system. So I think one of them was
the Kaspersky internet scanner or the virus scanner. It itself became infected,
and it didn't pick up that it was infected. So that was one of the-- I thought it was
quite amusing that it attached itself to a virus scanner to get past being scanned.

So the infection statistics, interestingly, the top three countries were Iran, India,
and Indonesia-- were all infected by this virus pretty well. And these are all being
sent back to Command and Control servers. So information was being gathered
from what was being infected and it had a-- had a home server that it-- once it
was able to talk to a system off onto the internet, it was able to send back
information about what was infected.

So these--these are sort of the stats that they gathered from that. That's quite a
lot, so over 60,000 hosts in Iran. So it was very, very successful. These sorts of
other--other hosts from India and Indonesia were what may be termed
"collateral damage." But I would suggest that the people who were looking for
this information would probably be interested in what India and Indonesia were
up to anyway. So it's one of those things. You can see here, this is the rate of
infection by country. On the 22nd of August, 2010, Iran just blocked the
Command and Control traffic completely at its country. So that's where we see
the-- we lost track or the people who were monitoring that lost track of what was
going on in Iran. They don't believe Iran is fully clean yet and fully back into
operational-- back into full operation yet. But it's been over a year. You would--
you would think that they would've started again with new equipment and fixed
that-- fixed that hole in their security system.

This is just proof that it actually exists. The Stuxnet was very successful. It
created a lot of problems for their centrifuges, blew up a number of them. And
they--they-- so they called for outside help, because they didn't realize what was
going on. Just a summary there. It was a magnificent piece of malware. If you're
a security person, you're looking at this, it's just absolutely magnificent in what
they've done to do this. And if you're conducting a cyber war or cyber operations
against another country, you would be doing something very similar to this: a
very sophisticated attack, very hard to pick up, but very, very successful in its
attack.

A couple of issues with Stuxnet, though. The good side was that it was
specifically focused at a particular problem. So they wanted to destroy the-- the
means of Iran to enrich uranium. So they were very good at that. The total
development costs were very, very small. They didn't have to-- didn't have to
launch a conventional operation or warfare against Iran to actually stop it. It's
very good at-- in that sense.

The--the bad was that we had a couple of-- a couple of what they call collateral
damage to other nations. India and Indonesia were actually a little bit upset that
they were being captured or targeted as well. But they were cleaned off. The
other--the other downside is that, once this was released into the wild, the
techniques that were used by this--by Stuxnet are being adopted by other hackers,
and it may become part of the hacker tool set now. So people who before had no
idea how to do this sort of attack are now able to do attacks of similar
sophistication because they just follow the-- follow the recipe that was followed in
Stuxnet.

And already we're seeing a new virus called Duqu, the Duqu virus, which is
based a lot on what Stuxnet was-- was doing in its-- in its attack as well. So
they're seeing new-- new malware variants that are very similar that are being
produced today. The other bad thing is that, now that Iran is aware of that attack,
it's able to change its security policy to-- to combat that. It's bad or good,
depending on which country. If you're in Iran, it's a good thing. And if you're
outside and worried about nuclear non-proliferation, it's a bad thing.

So... A couple of references. It's on the slides. So when you download the slides
later, you can just go straight to that and look at it. And that finishes my
presentation. And just a last plug at the last slide is, remember your security
career starts somewhere, and please visit the Cisco learning network and look at
the CCNA security or CC entry security as your starting pathway to your long and
illustrious career as a security professional in the future.
