Evolution Of Cyber Weapons


02 Nov 2017

Disclaimer:
This essay has been written and submitted by students and is not an example of our work. Any opinions, findings, conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of EssayCompany.

This self-replicating program was identified as W32.Stuxnet, which was first categorized in July 2010. Symantec originally named the detection W32.Temphid, based on the information first received, but later renamed it Stuxnet. Since it was first reported in July 2010, the Stuxnet worm, which some call the world's first "cyber weapon", has spread to more than 155 countries, though most infections are in Iran. Stuxnet searches for industrial control systems, often known as SCADA systems, and if it finds these systems on the compromised computer, it attempts to steal code and design projects. It may also take advantage of the programming software interface to upload its own code to the Programmable Logic Controllers (PLCs) in an industrial control system that is typically monitored by SCADA systems. Stuxnet then hides this code, so when a programmer using a compromised computer tries to view all of the code on a PLC, they will not see the code injected by Stuxnet.

Stuxnet searches for industrial control software made by Siemens, called Simatic. If Simatic software is not on the machine, the worm looks for vulnerable computers on the network to which it could spread. But if the software is present and configured a certain way, the worm begins its dirty task, intercepting legitimate commands that control devices such as valves and pressure gauges and substituting potentially destructive ones in their place. The ultimate goal of Stuxnet is to sabotage these facilities by reprogramming programmable logic controllers (PLCs) to operate as the attackers intend them to, most likely out of their specified boundaries.

Stuxnet isn't just a rootkit that hides itself on Windows; it is the first publicly known rootkit that is able to hide injected code located on a PLC. Stuxnet is a large, complex piece of malware with many different components and functionalities. It was cleverly developed with antivirus evasion techniques, a complex process of injection and hooking, network infection routines, peer-to-peer updates, and a command and control interface.

The use of various propagation techniques caused Stuxnet to spread beyond the initial target. Analytical data on the Stuxnet worm attack (Figure 1: Geographic Distribution of Stuxnet) showed that Iran, Indonesia and India are the most infected countries. As Figure 1 shows, Iran wasn't the only country hit by the malware. The worm's programmers were not able to control its spread. It is not possible to be certain that this kind of malware will infect only its targets.

One of the most dangerous effects of using a cyber weapon is the difficulty of predicting its diffusion. Since cyberspace has no boundaries, we will never have assurance that a cyber weapon will work as planned. This means that the cyber weapon could also hit, in unpredictable ways, other systems or networks that are not considered targets. In extreme cases it is also possible that it attacks the nation of the cyber weapon's developer itself.

The presence of a cyber weapon in cyberspace also opens up the possibility of reverse engineering its code. Foreign governments, cyber terrorists, hacktivists, and cybercriminals could detect, isolate and analyze this code. They may further modify it with additional tricks and spread it, which will be difficult to mitigate.

These worms or agents are difficult to discover and could operate silently for years, as in the case of the Gauss malware, causing serious damage to the victims and also to other entities in cyberspace.

Evolution of Cyber Weapons

Before 2012, only two instances of cyber weapons, Stuxnet and Duqu, were known. However, further investigation and analysis of these two forced the cyber community to thoroughly expand the whole concept of what cyber warfare entails.

According to the Kaspersky Security Bulletin, 2012 brought key revelations in the field of cyber weapons in terms of how they are being developed. Some of the deadliest worms that act as cyber weapons are:

• Duqu: This spyware program was identified in September 2011. Experts say that Duqu was a development of the Tilded platform, on which another malicious program, Stuxnet, had also been developed. Analysts have also established that at least three more malware programs existed that used the same Duqu/Stuxnet framework; these have yet to be detected.

• Wiper: This Trojan greatly disturbed Iran in late April 2012: it destroyed a large number of databases in dozens of organizations. The country's largest oil depot was hit hard, and its operation was halted for several days. Wiper's creators did their best to destroy all the data that could be used to analyze the incidents and their activity, and they succeeded. For this reason, no trace of the malicious program has been found.

• Flame: Flame is a very sophisticated toolkit for conducting attacks. It is far more complex than Duqu. It is a backdoor Trojan which also possesses some of the characteristics of a worm. It propagates via local networks or USB drives, following instructions from its master. After infecting the host system, Flame starts to execute a complex set of operations. These include analyzing network traffic, taking screenshots, recording voice communications, keystroke logging, etc. Flame incorporated a unique functionality to propagate itself across a LAN: it intercepted Windows update requests and substituted them with its own module, signed with a Microsoft certificate. Analysis of this certificate revealed a unique cryptographic attack which enabled cybercriminals to generate their own bogus certificate that was indistinguishable from a legitimate one.

• Gauss: Gauss is another sophisticated toolkit for conducting cyber espionage. The toolkit has a modular structure. It supports remote deployment of new payloads that are implemented in the form of extra modules. The modules which have been found and analyzed so far perform the following functions:

o Intercept cookie files and passwords in the web browser;

o Collect system configuration data and send it to the root system;

o Infect USB storage drives with a module designed to steal data;

o Create lists of the contents of a system's storage drives and folders;

o Steal data required to access user accounts of various banking systems;

o Intercept accounts for social networks, mail and instant messaging services.

• miniFlame: This malicious program is full-fledged spyware, designed to steal information and gain access to an infected system. miniFlame is a tool for targeted attacks with pinpoint accuracy. Although miniFlame is based on the Flame platform, it is implemented as a stand-alone module that can operate both autonomously, without Flame's main modules being present in the system, and as a component controlled by Flame. Remarkably, miniFlame can also be used in conjunction with Gauss, another spyware program. miniFlame's primary purpose is to function as a backdoor on infected systems, enabling attackers to directly manage them.

Countries Racing for Cyber Arsenal

The majority of countries are investing heavily to improve their cyber capabilities. Many countries have not yet revealed their strategy and ongoing projects, whereas some have provided details publicly to demonstrate their commitment to cyber warfare.

Figure 2 shows some figures for the total expenditure of the countries most active in cyber warfare. China and the U.S. have allocated considerable investment for the development of new cyber technologies.

Analyzing global spending on cyber warfare makes it possible to understand its economic impact on each nation, and demonstrates the strategic importance of adopting a proper cyber strategy and, of course, of developing a cyber weapon arsenal.

Cost Estimation of Cyber Weapons

It's quite difficult to estimate an exact cost for the development of a cyber weapon, since it depends on many parameters, but a valid and realistic estimate has been provided by the famous hacker Charlie Miller of Independent Security Evaluators in his presentation "How to build a cyber army to attack the U.S." Miller hypothesized a project with a total duration of two years, involving around 592 professionals covering various job roles from vulnerability analysts to managers. The hypothetical estimate (Figure 3) revealed an expense of $45.9 million in annual salary (average annual salary $77,534) and $3 million in equipment.

Job Roles | Units | Cost
Vulnerability Analysis | 10 Senior, 10 Junior | $2,900,000
Exploit Developers | 10 Senior, 40 Experienced, 20 Junior | $7,300,000
Bot Collectors | 50 Senior, 10 Junior | $4,150,000
Bot Maintainers | 200 Senior, 20 Junior | $12,900,000
Operators | 50 Senior, 10 Junior | $5,400,000
Remote Personnel | 10 Senior, 10 Junior | $400,000
Developers | 50 Senior, 20 Junior | $2,850,000
Testers | 10 Senior, 5 Junior | $800,000
Technical Consultants | | $2,000,000
Sysadmins | | $500,000
Managers | 52 | $6,200,000

Although the amount appears expensive, it is really cheap when compared with the cost of a conventional weapon. For this reason many governments are establishing cyber units dedicated to the development of new offensive technologies.

Is India Ready for Cyber War?

India has experienced, and continues to undergo, cyber attacks in various forms. On June 7, 1998, for example, an anti-nuclear group, "Milw0rm", reportedly hacked into the Bhabha Atomic Research Centre (BARC) network to protest India's nuclear tests. During the same time period, Pakistani hacker groups, such as Death to India, Kill India, Dr. Nuker, and G-force Pakistan, openly circulated instructions for attacking Indian computers.

When the Stuxnet cyber attack temporarily took down the Iranian nuclear facility, it made few waves in India. However, shocking details have now emerged that barely a few months after the computer worm created problems in Iran, critical infrastructure in India too was infected by the tactical cyber weapon developed in Israeli laboratories.

The article by Sai Manish, "India is a sitting duck in the cyber battlefield", published on tehelka.com, revealed that a few weeks after that shocking discovery, Indian investigators also stumbled upon massive infections in a mega power project in Gujarat using SCADA systems controlling the generation and transmission network in western India. Investigators pieced together the evidence and launched a probe into other vulnerable systems that revealed facts that were too sensitive and complex to be made public. They discovered that the same attack was perfectly capable of knocking out signal and control systems on the Delhi Metro's crucial links, throwing the capital's most used public transport system into chaos.

Many online news reports have also covered the analysis of investigative researcher Jeffrey Carr, who had shocked ISRO when he proved that India's INSAT 4B satellite was taken down by Stuxnet to serve Chinese business interests. On 7 July 2010, INSAT 4B's power glitch forced India's leading DTH providers to shift to ASIASAT-5, a satellite owned by the Chinese government. INSAT 4B was using the same software that was responsible for activating Stuxnet to make the Iranian nuclear facility go haywire. Though ISRO had then dismissed the possibility of Stuxnet having hit INSAT 4B, there is no doubt that ISRO and other sensitive security establishments in India have to be on their guard against cyber attacks.

Despite the fact that cyber security is being breached every day, there seems to be little urgency in devising a National Cyber Security Policy that could provide not just a security blanket against future attacks but also a framework for offensive capabilities that enables India to retaliate and launch attacks against enemy nations.

Conclusion

The coming generation will witness country-sponsored cyber operations and cyber warfare. Cyberspace will change deeply. Governments and private businesses must be prepared for the challenge and must not underestimate the risks. A country like India has enough potential to get ready for cyber war and develop its own cyber weapons. As the US Army is publicly advertising and openly asking for contributions to the development of cyber weapons, India too can follow the same approach or establish a cyber army, which can empower the country with cyber weapons to retaliate, defend and attack in the event of cyber war.


