Ten Takeaways from the Tilded Platform

Monday, April 02, 2012

Robert M. Lee


In February I wrote a paper titled “Tilded and Future Nation-State Cyber Weapons” to be published with Australian Security Magazine in May. 

The purpose of this blog post is to highlight some of the key takeaways from my paper for the InfoSec Island community.  It is not my hope that all of my statements are 100% accurate, although I feel confident in stating them, but instead that they add a different perspective to discussions being had on the topic and help in inspiring good debates.

1.     Nation-states may be reluctant to admit compromises.

The Stuxnet worm was discovered June 2010 yet Iran did not confirm that its nuclear program had been affected until September.  The initial reports that Iran released though stated that the malware caused no significant harm to the nuclear program. 

In November, Iranian president Mahmoud Ahmadinejad did confirm that Stuxnet had caused irreparable damage to a number of centrifuges at the Natanz nuclear facility.  The reluctance to admit being hacked could be credited to a number of reasons ranging from embarrassment, to helplessness, to the desire to not appear weak out of fear of future attacks. 

No matter the reasons though, the Stuxnet malware did show that not every nation-state may respond openly to cyber attacks or admit to an attack.  Largely, it is my opinion that the issue is focused on the lack of ability to apply attribution of the attack to a particular nation-state. 

The fact remains though that there is an inherent added bonus to cyber weapons if their impacts are reluctantly, if at all, reported by the target.

2.     Platform based weapons are efficient.

Nation-states have been moving to the development of weapon system platforms for many years.  Nothing exhibits this better than aerial platforms.  Aerial platforms, both manned and unmanned, are designed to conduct multiple types of operation and mission sets depending on the type of payload that they carry. 

Whether the payload is an information gathering sensor, air-to-air missile, or air-to-ground missile the aerial platform remains the same.  The benefits in applying this type of platform based approach to weapon system development are numerous. 

Money is saved by using common platforms, time is saved through developing only one platform that has to go through acquisition and approval processes, and secrecy is maintained to avoid espionage attempts by having the weapon system classified under one overarching project with limited personnel access. 

It should be no surprise then that experts looking at Duqu and Stuxnet were able to determine a link between the two pieces of malware.  Kaspersky reported that this definite link is based on a common platform, which they named Tilded, and is an advanced coding framework. 

This framework enables one weapon system platform to utilize different modules and payloads to create highly customizable and unique cyber weapons.

3.     Platform based cyber weapons are versatile.

The Tilded platform exhibits this versatility in the differences between Stuxnet and Duqu.  Stuxnet was able to inject malicious code onto systems that caused the physical degradation of nuclear centrifuges.  Duqu is a remote access trojan which allows the exfiltration of data from targeted networks and systems. 

Although these two pieces of malware seem very different in style they are based off of the same framework, or weapon system.  The ability to highly customize cyber weapons enables nation-state cyber teams to update their malware to fulfill different mission requirements while changing stealth methods, such as encryption algorithms, to avoid detection.

4.     Cyber weapon development teams learn from open source analysis.

Open source analysis done on Stuxnet and Duqu was extensive and beneficial to the team that made them.  Security experts around the world provided an in depth look into Stuxnet and Duqu in ways that was probably unexpected to the development team.  The analysis revealed how security experts look at advanced malware and what was important to them when they looked at it. 

This tells a team developing cyber weapons not only what they can do to hide their malware better but what to insert or remove from the malware to cause certain ideas to be generated.  The pieces of evidence such as “myrtus” found in Stuxnet, the galaxy image in Duqu, and the Dexter/Showtime reference in Duqu all created a wide variety of theories. 

By provoking ideas and theories in these security communities the development teams can guide opinions and revelations about the malware.  In a sense, false attribution and theories can lead to real political strife between nation-states that may or may not have been involved in the cyber weapon’s creation.  

5.     ICS/SCADA systems are and will continue to be a target.

Stuxnet had a large impact on the Industrial Control System/Supervisory Control and Data Acquisition (ICS/SCADA) community.  It revealed vulnerabilities and reasons for concern that many cyber security experts in that community had been warning about for years.  Moreover though, it showed that nation-states are willing to target these kinds of systems if it helps the success of a mission. 

These systems impact almost every aspect of daily life in industries all around the globe and in many ways represents a prime target for cyber warfare.  Duqu’s ability to steal information from companies, universities, and sensitive networks opens up the capability to create another Stuxnet type weapon that would target ICS/SCADA systems either in a similar style or side attack. 

ICS/SCADA systems are currently a viable target in various industries that impact national level defenses and key sectors that could cripple a nation.  If a nation-state is planning for war one of the targets considered will be ICS/SCADA systems.

6.     Whatever works will be used.

In developing nation-state weapon systems, such as a naval aircraft carrier or airplane, wars fought years from now have to be planned for and taken into consideration.  Due to acquisition and approval processes as well as the advancement of technology it can take decades to field a new weapon system. 

Therefore, it is important to make the most advanced weapon system possible so that it can be useful until the next system can be developed and implemented.  In cyberspace this is not true.  Cyber weapons can be created much more quickly than the decade long process behind a traditional weapon system and thus only have to meet the requirements of the current mission. 

With the addition of more advanced payloads a cyber weapon system platform may also be used for multiple missions.  Stuxnet, although incredibly advanced in many aspects, was only as advanced as it needed to be to delay the Iranian nuclear program. 

The MS08-067 exploit used by Stuxnet, used previously in Conficker, was still viable against the Iranian systems and thus a new exploit was not needed.  Nation-states are not concerned with employing the most technologically advanced cyber weapon imaginable; the focus is on meeting mission requirements.

7.     Cyber weapons will be shaped to meet the threat landscape.

Similar to the idea that cyber weapons will meet mission requirements, cyber weapons will be developed based off of the current threat landscape in the world.  If a nation-state has an issue with a country developing a nuclear program then it will focus on exploiting the systems that operate the program. 

This seems very basic and obvious but it allows some insight into planning ahead for cyber weapons.  If there is increased tension between nation-states that rely heavily on aircraft or naval warships then there are most likely cyber weapons being developed against those systems. 

By looking at a nation-state’s strengths it is possible to determine what kind of cyber weapons would be created and employed to reduce that wartime advantage.  This creates a proactive process to developing defenses against these types of cyber weapons.

8.     Nation-states are becoming more open with the development of cyber weapons.

Various news stories have been published lately where national level leaders are discussing cyber weapons and capabilities that are being developed.  As nation-states discuss these types of cyber weapons more openly there will be a push for cyber deterrence that will result in more capabilities being displayed for the world to see. 

These variety of capabilities may have their desired result but depending on the way they are displayed may have unforeseen consequences, which is not inherently good or bad.  Stuxnet provided a framework for hackers and nation-states to develop their own malware based off of similar concepts. 

As other cyber weapons are showcased they may provide frameworks or innovation to push the technology forward.

9.     Cyber war is not as likely as war with cyber.

FUD gets used a lot to describe the approach that many individuals and companies take when it comes to the topic of cyber war.  There is the possibility for people to capitalize on the uncertainty that surrounds the topic of a cyber war and thus there is a cynical nature that surrounds some of the discussion. 

Cyber war is not a likely approach to warfare for any nation-state.  When airpower was being developed many early theorists believed that aircraft could and would be used to decisively win future wars without the aid of any other traditional forms of warfare.  However, no matter how powerful airpower became it was still only one tool of political and military power for nation-states. 

Cyber weapons and capabilities will follow this same pattern.  The capabilities in the cyberspace domain may provide options never before given to nation-state leaders and military commanders but no matter how powerful these capabilities become they will only represent one of many political and military tools. 

Future wars will be fought with cyber weapons and nation-states that do not use them effectively will be at a large disadvantage.  However, cyber weapons used in wartime will be accompanied, and empowered by, the use of traditional warfare capabilities.

10.  Attribution is the key to success.

Although some individuals feel confidently in applying attribution in regards to Stuxnet and Duqu, the fact remains that no nation-state has been 100% positively identified as having taken part in the development or employment of the Tilded platform. 

One of the most appealing reasons to use a cyber weapon is that lack of attribution.  If a nation-state was going to be positively identified in its use of a weapon system then it would not matter what weapon system was used as long as it achieved mission success. 

Currently, the lack of attribution allows nation-states additional options in how and when they will use cyber weapons and capabilities as well as against what targets.  The most effective way of combating the employment of cyber weapons outside of a wartime scenario is attribution. 

The development of reliable and real time attribution will be the ultimate key to limiting cyber warfare.


Robert M. Lee is a Cyberspace Operations Officer in the United States Air Force; however this article and his views do not constitute an endorsement by or opinion of the US Government, Department of Defense, or Air Force.  These opinions and statements are entirely his own.

Possibly Related Articles:
Viruses & Malware
Information Security
SCADA malware Cyberwar Stuxnet cyber weapon Industrial Control Systems DUQU Modular Tilded
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.