Lessons Learned – Critical Infrastructure Disruption

Moonlight Maze

In 1996, in the infancy of the Internet, someone was rummaging through military, research, and university networks, primarily in the United States, stealing sensitive information on a massive scale. Victims included the Pentagon, NASA, and the Department of Energy, to name only a few. The scale of the theft was literally monumental: investigators claimed that a printout of the stolen materials would stand three times taller than the Washington Monument.

The Russian government was blamed for the attacks, although there was initially little hard evidence to back up the US accusations besides a Russian IP address that was traced to the breach. Moonlight Maze represents one of the first widely known cyber espionage campaigns in world history. It was even classified as an Advanced Persistent Threat (a very serious designation for stealthy computer network threat actors, typically a nation state or state-sponsored group) after two years of constant assault. Although Moonlight Maze was regarded as an isolated attack for many years, unrelated investigations revealed that the threat actor involved in the attack continued to be active and employ similar methods until as recently as 2016.

The attack began with the threat actors building “back doors” through which they could re-enter the infiltrated systems at will and steal further data; they also left behind tools that rerouted specific network traffic through Russia. The breach was not discovered until June 1998. An investigation task force was only formed in 1999.

Solar Sunrise

SOLAR SUNRISE was a series of DoD computer network attacks which occurred from 1-26 February 1998. The attack pattern was indicative of preparation for a follow-on attack on the Defense Information Infrastructure (DII). DoD unclassified networked computers were attacked using a well-known operating system vulnerability.

At least eleven attacks followed the same profile on Air Force, Navy, and Marine Corps computers worldwide. Attacks were widespread and appeared to come from sites such as Israel, the United Arab Emirates (UAE), France, Taiwan, and Germany. The attacks targeted key parts of the defense networks and obtained hundreds of network passwords.

So, who was behind these attacks – Iraq, terrorists, foreign intelligence services, nation states, or bad actors for hire? As it would turn out, the attackers were two teenagers from California and one teenager from Israel.

Even though the Solar Sunrise breach started later than Moonlight Maze and ended before it, it was discovered first. Moreover, both attacks targeted Solaris and other Unix operating systems. So, from February to June of 1998, thousands of critical servers sat unpatched even though a few teenagers had shown the world how easy it was to break into US military networks.

Eligible Receiver 97

Eligible Receiver 97 was a U.S. Defense Department exercise conducted under what is known as the No-Notice Interoperability Exercise Program. The exercise was held June 9–13, 1997. Eligible Receiver 97 featured mock cyberattacks, hostage seizures, and special operations raids that sought to demonstrate potential national security threats that could be posed through the cyber domain. The joint exercise involved a National Security Agency Red Team which played the role of North Korea, Iran, and Cuba attempting to cause damage to critical civilian infrastructure, as well as gain control over the military's command-and-control capabilities.

The NSA Red Team used threat actor techniques and software that were freely available on the Internet at that time. The Red Team was able to crack networks and do things such as deny services; change and manipulate emails to make them appear to come from a legitimate source; and disrupt communications between the National Command Authority, intelligence agencies, and military commands. By exploiting common vulnerabilities, the Red Team gained root access to over 36 government networks, which allowed them to change or add user accounts and reformat server hard drives.

So, now we go from June of 1997, when Eligible Receiver showed us how vulnerable we are, to February of 1998, when teenagers exploited those vulnerabilities, to June of 1998 and the discovery of Moonlight Maze. And all this while, critical servers sat unpatched and defenseless. Was this a skill issue or a will issue?

Aurora Generator

Fast forward to 2007, when 30 lines of code blew up a 27-ton generator which could produce enough electricity to power, say, a hospital or a navy ship. Fortunately, this was a controlled exercise and not an actual attack. The exercise was to kill that very expensive and resilient piece of machinery not with any physical tool or weapon but with about 140 kilobytes of data, a file smaller than the average cat GIF shared today on Twitter. Like any real digital sabotage, it was performed from miles away, over the internet.

The Aurora Generator exercise proved without a doubt that bad actors who attacked an electric utility could go beyond a temporary disruption of the victim’s operations: they could damage its most critical equipment beyond repair.

Here we are again, from 1997 to 2007, a decade later, and we are still vulnerable to bad actors.


Shamoon

Shamoon, also known as W32.DistTrack, is a modular computer virus that was discovered in 2012. The virus was used for cyberwarfare against national oil companies including Saudi Arabia’s Saudi Aramco and Qatar’s RasGas. A group named “Cutting Sword of Justice” claimed responsibility for this attack on 35,000 Saudi Aramco workstations, causing the company to spend more than a week restoring its services.

Shamoon was launched in retaliation for Operation Olympic Games. Operation Olympic Games was a covert and still unacknowledged campaign of sabotage by means of cyber disruption, directed at Iranian nuclear facilities by the United States and likely Israel.

Started under the administration of George W. Bush in 2006, Olympic Games was accelerated under President Obama, who heeded Bush’s advice to continue cyberattacks on the Iranian nuclear facility at Natanz. Bush believed that the strategy was the only way to prevent an Israeli conventional strike on Iranian nuclear facilities.

There are many more incidents like these that have been perpetrated by nation states. Instead of weapons of mass destruction, we are now dealing with weapons of mass disruption. The recent SolarWinds breach highlights how vulnerable we remain to such attacks simply because “cyber” war does not fit the glorified definition of a war that is made tangible by the visible pile of bodies.

How will this play out in the future, especially in volatile political environments like the Middle East? What will be the consequences of such disruptions? What does all this mean for the common citizen? Does my healthcare depend on how secure our computer networks are? Short answer, yes. Do my social security and pension depend on the same? What about daily amenities like fresh, running water or electricity? The short answer to all those is a resounding yes – after all, everything is a computer now, and all of it runs on code. Where there’s code, there are vulnerabilities to be exploited.