State Actors Develop Cyberweapons to Cripple Infrastructure

Friday, March 25, 2011

Dan Dieterle


“… we believe that state actors have developed cyberweapons to cripple infrastructure targets in ways tantamount to kinetic assaults. Some of these weapons could potentially destroy hardware as well as data and software.”

This is what General Keith Alexander, head of the U.S. Cyber Command, told Congress recently, according to the Washington Times.

Stuxnet has really shaken the cyber war experts with its innate ability to modify and actually destroy physical hardware. Unfortunately this seems to have not gone unnoticed by all the nations that are involved and creating offensive cyber weapons.

Countries are actively searching out and recruiting the necessary talent to create such weapons.

Iran is willing to pay up to $10,000 per month for computer hackers. And the thing is, the individual recruits may not even know what they are working on:

“Computer experts working on piecemeal projects wouldn’t even necessarily know they were working on a government cyberattack plan, according to Mohsen Sazegara, another former member of the Iranian Revolutionary Guard, who now lives in the Washington, D.C., area.”

“It’s a process. They write complicated programs and divide and subdivide the work in such a way that even a highly qualified person might not know the end results. So they (the regime) can recruit many people who would not know that the end result of their work might be a computer worm.”

This process sounds very much like the plot of the 2007 “Live Free or Die Hard” movie with Bruce Willis and “I’m a Mac” actor Justin Long, where individual hackers’ programs are created separately, then brought together to create an attack that shuts down American infrastructure.

And if General Alexander believes that state actors have already created “kinetic” cyber weapons, then we will be facing much more sophisticated attacks than the Iranian Cyber Army’s defacement of the “Voice of America news service” website.

Cross-posted from Cyber Arms

J. Oquendo: Dan, I have to respectfully dissect what you are posting here since it is very misleading. I mean what I am writing with respect and sincerity but I will be "matter-of-fact."

You state that: “Stuxnet has really shaken the cyber war experts with its innate ability to modify and actually destroy physical hardware. Unfortunately this seems to have not gone unnoticed by all the nations that are involved and creating offensive cyber weapons.” ... You are 100% wrong. Stuxnet hasn't shaken anyone; the world is not necessarily doing anything different. In fact, all that is being done differently is: people are speaking about electronic attacks more so now than before. Secondly, the physical aspects of Stuxnet (the outcome of what would happen if Stuxnet succeeded) have not been unnoticed. Perhaps by you it has, but just because no one is pounding on the podium does not mean the outcome is not known or spoken about.

We have far too many of these misleading and inaccurate statements being shown on our emails and screens that media - who is often looking at the “experts” - runs with whatever statement seems sexy and appealing. Capable of capturing a reader's mind. No matter how absurd the statements are.

The fact of the matter is, many are aware of the dangers of Stuxnet and others like it, and it is highly spoken of in security circles as well as cross collaboration (government/private/research) sectors. There is an entire group of SCADA engineers and security professionals constantly talking about this on the SCADASEC mailing list (http://news.infracritical.com/pipermail/scadasec/) so you are completely wrong with your statement.

You also state: “Countries are actively searching out and recruiting the necessary talent to create such weapons.” This is not new news either. Prior to “electronic espionage, warfare and/or crime” (what you call “cyberwarfare”), countries recruited individuals capable of performing specific roles. For example, many are confused to know that the NSA actively recruits musicians. Historically, countries have and will continue to recruit talent on all levels. ACTIVELY. It is how countries evolve militarily. There is no rocket or new science to this so it is kind of a moot point. Imagine that, countries looking for talent.

Further you state: “Iran is willing to pay up to $10,000 per month for computer hackers. And the thing is, the individual recruits may not even know what they are working on:”

So what? This equates to $120,000.00 (USD) per year. I have seen “security professionals” so "far underclued" earn more than this. The reality is, this is not a lot of money for the tasks one would have to “accomplish” as an attacker. You miscalculate the reality that a “criminal” with the same “talent” you mention can earn millions on the black market. This is not including the fact that security researchers (hackers making exploits) can earn more from companies like ZDI, iDefense and so on. So I fail to understand the financials in your posting: “Hackers are making money!!!” … Really?

The rest of what you wrote is not new, not really even newsworthy. Sorry, it seems like a re-hash of “The Boogeyman is Coming” which is evident with your comment: “This process sounds very much like the plot of the 2007 “Live free or Die Hard” movie with Bruce Willis ...”

With the underclued ending: “we will be facing much more sophisticated attacks than the Iranian Cyber Army’s defacement of the “Voice of America news service” website.”

So think about this for a moment: at any point in time I can group together a bunch of amateurs, deface a website and call my group “US Cyber Army Squadron”. Does this make me or my group members of the military? Think about that realistically. Do you think an army would lay out their strategy as such using a defacement: “Here I am, CountryX's Army painting a target on my chest letting you know I am coming.” Use your brain for a moment. That would give away any element of surprise and allow for a counter.

Thanks for inspiring an upcoming “The Sky Is Falling” article which media can reference and continue to get the whole situation wrong though.

Dan Dieterle: J. Oquendo - Wow, someone woke up on the wrong side of self importance this morning.

Not that your comment even deserves a response, but I'll bite.

Stuxnet is the most advanced threat discovered yet. And maybe it did not take the highest levels of American and Israeli security experts off guard (They probably wrote it) it sure did everyone else.

If you would have bothered to check facts, you would know that the average income in Iran is about $5,000 a year. So $10,000 a year would be quite a jump in pay. Not so much for American security experts who I assume you were referencing.

The reference to Live Free or Die Hard, which somehow you mistook, was how the programming is being dealt out piecemeal to separate programmers so no one actually knows what the final project is. Just like in the movie.

And if they could pull off a "Fire Sale" which is mentioned in the movie you better believe that they would try to do it.

And finally, the quote about future attacks being more advanced than defacing websites was a joke.

If you weren't on a soapbox and trying to impress everyone with your "knowledge" you probably would have caught it.

Dan Dieterle: *$10,000 per Month
J. Oquendo: You stated "American and Israeli security experts off guard (They probably wrote it)" ... And you are basing your comment on the same premise that I was speaking of: "Underclued speculation." Have you ever seen Stuxnet, have you ever analyzed it? I have; in fact, I cross collaborated with government, private industry and researchers to do so. [1]

You then state: "If you would have bothered to check facts" and to this I say: if you would have taken the time to think logically, you would understand that "hackers" in the terms that Iran is seeking, are a specialized bunch. They would have to have unique and advanced technological knowledge and capabilities to be effective. They are also most likely to be silent or vocal members in the security community (Bugtraq, Full Disclosure, etc.). They would have the same exposure that others in the security industry would have.

With that said, they would also likely know they could make more than $10,000.00 per month off of their research irrespective of their patriotism, irrespective of where they currently live. Many companies purchase exploits and many foreigners have been making A LOT of money selling exploits to companies like ZDI, iDefense and others. So your point is moot about how much the average Iranian makes. You don't need to be American to sell exploits to ZDI or other companies. In fact, exploits can fetch you anywhere from $500.00 to $250,000.00 (USD) REGARDLESS OF WHAT COUNTRY YOU ARE IN. I suggest you read "The legitimate vulnerability market: the secretive world of 0-day exploit sales"[2]

You then state: "was how the programming is being dealt out piecemeal to separate programmers" Prove this. This isn't KFC where multiple vendors have ingredients to a secret recipe making good chicken at the end of it all. While it may sound sexy to media and those who don't understand "effectively exploiting an enemy," the reality is that in order for effective exploits to work as an actionable plan, there has to be a lot of cross collaboration. You can't give someone ONE piece of code, cross your fingers and hope it doesn't take out the next person's code. ... "Just like in the movie." This isn't the movies; things work differently in the real world.

Now doesn't most of your writing defeat your initial "interpretation" of your article? You convey "Iranian Patriotism" followed with: "they could pull off a "Fire Sale" which is mentioned in the movie you better believe that they would try to do it." Who will pull off a fire sale? The Iranians? What will they sell? Code?

Finally you state: "about future attacks being more advanced than defacing websites was a joke." You and others need to realize that media often looks to security individuals as experts and will often quote us. Why feed them with nonsense when they often do a good job on their own making crazy nonsense up.

A vast majority of the public relies on "those in the know" for information. This type of information concerning "cyberwarfare" is misleading and can cause mass political chaos not to mention cause physical injury if we get it wrong.

You now state: "If you weren't on a soapbox and trying to impress everyone with your "knowledge" you probably would have caught it." ... Caught what? Is the notion of any kind of "war" something to snicker at? While *you* may have understood it as a joke, perhaps even wrote it out to be funny, the fact is, many take things seriously. Not to mention that as stated before, media is looking to professionals for information. Stop polluting and let relevant information trickle through. Not nonsense about: "OMG... Die Harder... They're hitting websites... Voice of America... They're making money..."

Finally, imagine the following: "As a patient you rely on your doctor's advice to keep you treated when you're ill. Your doctor as a professional in order to treat you, has to constantly stay up to date with the medical information. To do so he reads journals, takes courses from time to time, but most often he relies on the expertise of his peers." How would you feel if your doctor often followed the advice of individuals spewing nonsense? ... As a security professional, same should apply. Don't follow the herd. Understand what you are saying, convey facts. Humor is always a welcome presence; however, who is to know what another is thinking. "Die hard..., websites" To you it may be funny but many take this subject seriously.

Now you can take this comment however you'd like. The reality is that it has nothing to do with any wrong side of the bed. In fact it's meant more of a "you're embarrassing not only yourself, but also me as a professional security peer on the same forum as you. Please stop; I wouldn't do it to you." Nevertheless take it however you'd like.

[1] http://www.csfi.us/?page=volunteer
[2] http://securityevaluators.com/files/papers/0daymarket.pdf
Dan Dieterle: Looks like we will just have to agree to disagree.

You are obviously pretty impressed with yourself, hence the length of your comments, that are longer than the actual posts.

But hang in there, you do have a lot of talent, I am sure maturity will come with time.

Derrick Buxton: Personally, I have to agree with Mr. Oquendo, if only because, like him, I am tired of the BS. I've seen so many people saying the same thing week after week, month after month. Nuclear weapons changed the face of history, but most wars are still fought with guns and traditional bombs.
Dan Dieterle: Derrick, I hear you. And it may not just be the media. The quote in my post is from General Keith Alexander.

Actually a lot of the dire sounding cyberwar quotes picked up by the media are from top government officials.

One would have to ask, if so many top government officials are raising such an alarm, are they doing it because the threat is that bad, or do they just want more funding for their pet projects?
Don Eijndhoven: Bit of a sensationalist piece here, Dan. And factually incorrect. The General has been saying the same exact thing for the last 5 years, as have many of the other top brass.

They're doing it because the threat is real. Does anyone really STILL need more proof of that? Even after Stuxnet, which you mention yourself? The whole 'the military is spreading FUD for funding' party line as being spewed by the likes of Schneier is getting old and is demonstrably false.

As I have myself argued time and again, the situation is complex enough as it is without the InfoSec community infighting to further obscure what's what. We need to align internally and start acting like the value-adding bunch that we can be.
Dan Dieterle: Don, thank you for your comment.

I am impressed with the range of responses (and controversy) to this issue.

As with the government, it seems we also have IT professionals with strong feelings on both sides of the fence with this.

I think the NSA's modified stance on security speaks volumes in and of itself.
http://www.dailytech.com/NSA+Switches+to+Assuming+Security+Has+Always+Been+Compromised/article20424.htm

I do agree with you wholeheartedly that we need to come together on a common ground and face these issues with a united front.
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.