The day after its discovery, there is little doubt that the infamous malware dubbed Flame (or sKyWIper) was developed by a government with a significant budget and effort. The complexity of the malware suggests that it has been used for a huge cyber-espionage campaign and, predictably, Israel is listed as the main culprit, albeit in good company if it is true, as some bloggers argue, that the malware was created through close cooperation between the CIA and Mossad.
Israeli Vice Premier Moshe Ya’alon has helped fuel the Flame: speaking in an interview with Army Radio, Ya’alon hinted that Jerusalem could be behind the cyber attack, saying “Israel is blessed to be a nation possessing superior technology. These achievements of ours open up all kinds of possibilities for us.” In light of this statement, it does not appear to be a simple coincidence that the main victims of the cyber weapon, as reported by Kaspersky Lab, are nations that cannot exactly be considered to be on good neighborly terms with Israel.
Consequently, it is not that surprising that the same interview was readily reported by the Iranian news agency Fars (which interpreted it as a sign of liability and hence blamed Israel for waging cyber war in Iran), nor is the tone of several comments on an article posted on the Haaretz newspaper’s Web site (“Nice One Israel, Proud of You!!!!”).
Of course it is too soon to jump to conclusions; in any case, whether Israel (and the U.S.) is behind Flame or not, I cannot help but wonder how it is possible that a piece of malware has been able to go undetected for at least 5 years. Are endpoint protection technologies really dead, leaving us at the mercy of a (cyber)world ruled by APTs?
If you want to have an idea of how fragile our data is inside the cyberspace, have a look at the timelines of the main Cyber Attacks in 2011 and 2012 (regularly updated) at hackmageddon.com. And follow the author of this article @paulsparrows on Twitter for the latest updates.
2011 was an annus horribilis for information security, and aviation was no exception to this rule: not only were the corporate networks of several aviation and aerospace industries targeted by digital storms in 2011 (not a surprise in the so-called hackmageddon) but, above all, last year will probably be remembered for the unwelcome record of two alleged hacking events targeting drones (“alleged” because, in the episode of the RQ-170 Sentinel downed in Iran, several doubts surround the theory according to which GPS hacking could have been the real cause of the crash landing).
But, if Information Security professionals are quite familiar with the idea that military contractors are primary and preferred targets of the current Cyberwar as the following infographic shows, realizing that malware can be used to target a drone is still considered an isolated episode, and even worse, the idea of a malware targeting the multirole Joint Strike Fighter is still something hard to accept.
However, things are about to change dramatically. And quickly.
The reason is simple: the latest military and civil airplanes are literally full of electronics, which play a primary role in managing avionics, onboard systems, flight surfaces, communication equipment and armament.
For instance, an F-22 Raptor has about 1.7 million lines of code, an F-35 Joint Strike Fighter about 5.7 million and a Boeing 787 Dreamliner about 6.5 million. Everything with some built-in code may be exploited; therefore, with plenty of code and many current and future vulnerabilities, one may not rule out a priori that these systems will be targeted with specifically tailored or generic malware for Cyberwar, Cybercrime, or even hacktivism purposes.
Unfortunately it looks like the latter hypothesis is closer to reality, since too often these systems are managed by standard Windows operating systems, and as a matter of fact generic malware has proven capable of infecting the most important U.S. robots flying in Afghanistan, Pakistan, Libya, and the Indian Ocean: Predator and Reaper Drones.
As a consequence, it should not be surprising, nor is it a coincidence, that McAfee, Sophos and Trend Micro, three leading players in Endpoint Security, consider embedded systems one of the main security concerns for 2012.
Making networks more secure (and personnel more educated) to prevent the leak of mission critical documents and costly project plans (as happened in at least a couple of circumstances) will not be aviation and aerospace industry’s information security challenge; the real challenge will be to embrace the security-by-design paradigm and make secure and malware-proof products ab initio.
While you wait to see if an endpoint security solution becomes available for an F-35, scroll down the image below and enjoy the list of aviation and aerospace related cyber attacks that have occurred since the very first hack targeting the F-35 Lightning II in 2009.
Of course aviation and aerospace industries are not the only targets for hackers and cybercriminals. So, if you want to have an idea of how fragile our data are inside the cyberspace, have a look at the timelines of the main Cyber Attacks in 2011 and 2012 (regularly updated) at hackmageddon.com. And follow @paulsparrows on Twitter for the latest updates.
According to the Iranian Fars news agency, on Dec. 4, Iran’s army downed a U.S. remotely controlled spyplane along the country’s eastern border. Although no image of the wreckage has been released so far, the American drone was described as an intruding RQ-170 Sentinel, first spotted in Afghanistan in 2007 and since then dubbed the “Beast of Kandahar”.
This is the fourth time this year Iran claims to have shot down a U.S. drone. No images have ever been released of the previously downed drones; hence, unless photographic evidence is disclosed, we can’t be sure a downing did happen.
The spy drone is currently seized “with very little damage”, meaning that, provided a drone was really lost in Iran, it was not hit by any anti-aircraft system. Indeed, unless it was an extremely lucky shot, I think Iran does not have the equipment and capability to intercept and destroy a radar-evading Sentinel. Most probably, the robot suffered some kind of failure or lost satellite guidance during a covert surveillance mission: an almost conventional mission of the long-lasting unconventional stealth war against the Iranian nuclear program.
Notably, according to an unnamed military official quoted by state TV, Iran’s cyber warfare unit managed to take over the controls of the Sentinel and bring it down. Is it possible? Maybe, otherwise I could not explain why the RQ-170 was not remotely destroyed with a kill-switch reportedly used on such systems to prevent them from falling into the wrong hands. Such self-destruction systems are designed to bring down the drone should its pilot lose the satellite link from the mobile ground control station.
The RQ-170 is flown by Air Combat Command’s 432nd Wing at Creech Air Force Base, Nev., and the 30th Reconnaissance Squadron at Tonopah Test Range, Nev. Creech AFB is the same base from which the MQ-1 Predators are flown, those whose mobile ground control stations were infected with a computer virus.
If the most important U.S. drones suffered a malware attack, are we sure Sentinels can’t be hacked by the Iranian military?
First, we have to be sure an RQ-170 was really downed….
Update: someone asked me to explain what I meant by “hacking” a Sentinel.
I’m not suggesting someone was able to hack the drone and land it. Maybe disrupting/jamming the satellite link with the mobile ground control station and inhibiting its self-destruction system would be enough. Then, the uncontrolled drone could crash land with minor damage.
Even though the news that a computer virus has infected US Predator and Reaper drones, logging pilots’ keystrokes during their missions over Afghanistan, Libya and other warzones (Yemen?), spread like fire thanks to the exclusive article published by Wired’s Danger Room on Oct. 7, the fact that today and tomorrow’s war robots have been targeted by a computer virus is far from being surprising.
Drones or, to use the standard designation, Unmanned Aircraft Systems (UAS) play a vital role in modern wars. They are able to silently fly for 20 or more hours deep inside the enemy territory; they carry a wide array of sensors, radars and (in some cases) weapons to identify or attack time-sensitive targets; and they are “expendable” because they are controlled from a remote Ground Control Station by pilots who fly them in the same way you might fly a plane in your favourite flight simulator game.
UAS have been flying in support of ground troops, helping them to identify suspect activity and to prevent IED (Improvised Explosive Device) attacks in Iraq and Afghanistan for years. In the last few months they were dispatched to monitor and attack Gaddafi forces in Libya, and also took part in Operation Neptune’s Spear, when they flew over Abbottabad, in Pakistan, to keep watch over Osama Bin Laden’s compound prior to the Navy Seals raid that unveiled the Stealth Black Hawk helicopter.
Drones have been supporting ground troops, helping them to identify suspect activity and to prevent IED (Improvised Explosive Device) attacks in Iraq and Afghanistan for years. They were dispatched to attack Gaddafi forces in Libya, played a vital role in Operation Neptune’s Spear in Pakistan (where they helped monitor Osama bin Laden’s compound prior to the Navy Seals raid that resulted in the al-Qaida leader’s death) and, more recently “an American drone killed top terrorist Anwar al-Awlaki — part of an escalating unmanned air assault in the Horn of Africa and southern Arabian peninsula”.
A UAS consists of four main components: the remotely piloted vehicle (RPV), its sensors, its Mobile Ground Control Station (MGCS), and its data link and communication suite. That’s why the term UAS, which describes the whole system, is preferred to UAV (Unmanned Aerial Vehicle).
Although they have their own peculiarities and equipment, the control stations of the Predator A and B and other drones are very similar in terms of layout. Both have five workstations, each one equipped with two or more screens providing all the information required by the specific operator’s tasks: from the pilot’s view with the proper flight symbology, to the moving map showing the aircraft position and the regions “covered” by the UAS sensors, to the live video feed. There are also some telephones: in fact, even if the Predator A+ and B are equipped with secure radios, a fixed telephone line can be used to contact air traffic control units in case of radio failure: a clear advantage over conventional planes.
Each crew can be made up of five members: a Mission Monitor, who is responsible for the entire mission; a Pilot, who flies the drone using a joystick to send inputs to the aircraft flight control surfaces; a Sensor Operator, who takes care of the cameras, radar and targeting systems; an Intelligence Operator, who performs a first analysis of the imagery; and a Flight Engineer, who supervises the entire system.
The malware, a keylogger, was detected nearly two weeks ago at the MGCS at Creech AFB, in Nevada. According to the reports it didn’t prevent the drones from flying their missions, but it has shown unexpected resilience, so that all the efforts to remove it have failed to wipe it out.
Since MGCS are not connected to public networks, they should be immune to the viruses and malware that travel over the Internet. However, since crews use removable hard drives to load maps and planned routes into the system and to download mission video, the keylogger might have entered the secret control rooms by accident, by means of an infected USB token.
So, what kind of information could be grabbed by a keylogger inside a Predator or Reaper ground control station?
Anything you might need to input with your keyboard when flying your favourite plane on a Flight Simulator game: most probably, altitude, speed, heading, and other autopilot inputs, radio frequencies, coordinates for the navigation systems, and so on. Unless they are correlated by a specific engine, capable of using those data to determine the current position and track of a drone, these inputs are hardly interesting or useful. Much more dangerous for drones is the lack of encryption used to transmit live high-resolution video to the ROVER (Remote Operations Video Enhanced Receiver) tactical hand-held receivers on the ground. The video should give the troops on the ground a clear view from the overhead Predator, improving the overall situational awareness and reducing the risk of collateral damage or friendly fire. However, in 2009, US forces discovered hours of footage recorded by American drones on the laptops of Iraqi insurgents.
Curiously the [Predator] virus proved to be very resistant to digital vaccines, and after several attempts to remove it with standard procedures (following removal instructions posted on the website of the Kaspersky security firm), the only safe method to clean it was to wipe the infected hard drives and rebuild them from scratch: a time-consuming operation. That is to say: sophisticated military weapons and technologies suffer from the same issues as civil users (how many Windows installations from scratch after a malware infection?); on the other hand, the drone virus was detected by the military’s Host-Based Security System, a flexible, commercial-off-the-shelf (COTS)-based application. If you look carefully at the HBSS web site you will also be able to identify the commercial security technology which lies behind the HBSS.
Concluding, I don’t think the information leaked because of the malware is worth the reputational damage suffered by the entire US drone fleet and by the USAF INFOSEC (Information Security) capability.
I must confess that I hadn’t heard about Stuxnet until my close friend, colleague, ICT security expert and blogger Paolo Passeri, while discussing my recent visit to Decimomannu airbase for Vega 2010, an exercise attended by Israeli Air Force aircraft (for the report, wait until Nov. 26), explained to me the complexity of this virus and its potentially catastrophic effects. Stuxnet is malware that targets industrial control systems, with a sabotage strategy that involves speeding up and slowing down physical machinery at a plant. It was first discovered in June in Iran and, since then, it has already infected more than 100,000 computers all around the world. Initially believed to be a “normal virus”, Stuxnet contains code designed to attack SCADA (Supervisory Control and Data Acquisition) control systems that manage pipelines, nuclear plants and various utility and manufacturing equipment. According to researchers at Symantec, Stuxnet was most probably aimed at sabotaging Iran’s nuclear power plant in Bushehr or Natanz. Below you can read an excerpt from a detailed article published by Wired.com (full article available at http://www.wired.com/threatlevel/2010/11/stuxnet-clues/). For Italian readers, I suggest a look at the post on Paolo Passeri’s blog titled “Come ti impoverisco l’uranio con un virus”.
….. According to Symantec, Stuxnet targets specific frequency-converter drives — power supplies used to control the speed of a device, such as a motor. The malware intercepts commands sent to the drives from the Siemens SCADA software, and replaces them with malicious commands to control the speed of a device, varying it wildly, but intermittently.
The malware, however, doesn’t sabotage just any frequency converter. It inventories a plant’s network and only springs to life if the plant has at least 33 frequency converter drives made by Fararo Paya in Teheran, Iran, or by the Finland-based Vacon.
Even more specifically, Stuxnet targets only frequency drives from these two companies that are running at high speeds — between 807 Hz and 1210 Hz. Such high speeds are used only for select applications. Symantec is careful not to say definitively that Stuxnet was targeting a nuclear facility, but notes that “frequency converter drives that output over 600 Hz are regulated for export in the United States by the Nuclear Regulatory Commission as they can be used for uranium enrichment.”
“There’s only a limited number of circumstances where you would want something to spin that quickly – such as in uranium enrichment,” said O Murchu. “I imagine there are not too many countries outside of Iran that are using an Iranian device. I can’t imagine any facility in the U.S. using an Iranian device,” he added.
The malware appears to have begun infecting systems in January 2009. In July of that year, the secret-spilling site WikiLeaks posted an announcement saying that an anonymous source had disclosed that a “serious” nuclear incident had recently occurred at Natanz. Information published by the Federation of American Scientists in the United States indicates that something may indeed have occurred to Iran’s nuclear program. Statistics from 2009 show that the number of enriched centrifuges operational in Iran mysteriously declined from about 4,700 to about 3,900 around the time the nuclear incident WikiLeaks mentioned would have occurred.
Researchers who have spent months reverse-engineering the Stuxnet code say its level of sophistication suggests that a well-resourced nation-state is behind the attack. It was initially speculated that Stuxnet could cause a real-world explosion at a plant, but Symantec’s latest report makes it appear that the code was designed for subtle sabotage. Additionally, the worm’s pinpoint targeting indicates the malware writers had a specific facility or facilities in mind for their attack, and have extensive knowledge of the system they were targeting.
The worm was publicly exposed after VirusBlokAda, an obscure Belarusian security company, found it on computers belonging to a customer in Iran — the country where the majority of the infections occurred.
German researcher Ralph Langner was the first to suggest that the Bushehr nuclear power plant in Iran was the Stuxnet target. Frank Rieger, chief technology officer at Berlin security firm GSMK, believes it’s more likely that the target in Iran was a nuclear facility in Natanz. The Bushehr reactor is designed to develop non-weapons-grade atomic energy, while the Natanz facility, a centrifuge plant, is designed to enrich uranium and presents a greater risk for producing nuclear weapons.
The new information released by Symantec last week supports this speculation.
As Symantec points out in its paper, frequency-converter drives are used to control the speed of another device – for example, a motor at a manufacturing facility or power plant. Increase the frequency, and the motor increases in speed. In the case of Stuxnet, the malware is searching for a process module made by Profibus and Profinet International that is communicating with at least 33 frequency-converter drives made by either the Iranian firm or the Finnish firm.
Stuxnet is very specific about what it does once it finds its target facility. If the number of drives from the Iranian firm exceeds the number from the Finnish firm, Stuxnet unleashes one sequence of events. If the Finnish drives outnumber the Iranian ones, a different sequence is initiated.
Once Stuxnet determines it has infected the targeted system or systems, it begins intercepting commands to the frequency drives, altering their operation.
“Stuxnet changes the output frequency for short periods of time to 1410Hz and then to 2Hz and then to 1064Hz,” writes Symantec’s Eric Chien on the company’s blog. “Modification of the output frequency essentially sabotages the automation system from operating properly. Other parameter changes may also cause unexpected effects.”
“That’s another indicator that the amount of applications where this would be applicable are very limited,” O Murchu says. “You would need a process running continuously for more than a month for this code to be able to get the desired effect. Using nuclear enrichment as an example, the centrifuges need to spin at a precise speed for long periods of time in order to extract the pure uranium. If those centrifuges stop to spin at that high speed, then it can disrupt the process of isolating the heavier isotopes in those centrifuges … and the final grade of uranium you would get out would be a lower quality.”
O Murchu said that there is a long wait time between different stages of malicious processes initiated by the code — in some cases more than three weeks — indicating that the attackers were interested in sticking around undetected on the target system, rather than blowing something up in a manner that would attract notice.
“It wanted to lie there and wait and continuously change how a process worked over a long period of time to change the end results,” O Murchu said.
Stuxnet was designed to hide itself from detection so that even if administrators at a targeted facility noticed that something in the facility’s process had changed, they wouldn’t be able to see Stuxnet on their system intercepting and altering commands. Or at least they wouldn’t have seen this, if information about Stuxnet hadn’t been released last July.
The conclusion is that the sophistication of Stuxnet is such that only a few hackers could be capable of producing this kind of weapon, suggesting that the resources required to develop such malware could only have been provided by highly specialized cyber warfare-capable organizations, such as the US Cyber Command or the Mossad (that’s why Paolo Passeri began talking about Stuxnet when I recalled the Israeli Air Force F-15Ds and F-16Ds deployed to Decimomannu…….).
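The excerpt above describes malware that replaces the commands sent to the drives while hiding the change from operators, so a defender cannot rely on what the SCADA software reports. The following sketch is an added example, not code from the original post, Wired or Symantec: it compares the setpoint shown by the control software with a frequency reading taken from an independent sensor. The independent sensor, the 1000 Hz nominal setpoint, the tolerance and the sample readings are assumptions constructed for illustration; only the 807–1210 Hz band and the 1410/2/1064 Hz excursions come from the excerpt.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Operating band quoted in the excerpt for the targeted drives.
BAND_LOW_HZ, BAND_HIGH_HZ = 807.0, 1210.0


@dataclass
class Reading:
    minute: int
    setpoint_hz: float            # what the SCADA/HMI says was commanded
    measured_hz: Optional[float]  # independent sensor reading (assumption)


def band_only(readings: List[Reading]) -> List[int]:
    """Naive check: flag only readings outside the operating band."""
    return [r.minute for r in readings
            if r.measured_hz is not None
            and not BAND_LOW_HZ <= r.measured_hz <= BAND_HIGH_HZ]


def find_anomalies(readings: List[Reading],
                   tolerance_hz: float = 5.0) -> List[Tuple[int, str]]:
    """Flag readings where the drive is not doing what the HMI claims."""
    alerts = []
    for r in readings:
        if r.measured_hz is None:
            # Without an independent value, the HMI cannot be cross-checked.
            alerts.append((r.minute, "no_independent_reading"))
        elif not BAND_LOW_HZ <= r.measured_hz <= BAND_HIGH_HZ:
            alerts.append((r.minute, "out_of_band"))
        elif abs(r.measured_hz - r.setpoint_hz) > tolerance_hz:
            # In band, but not what the operator commanded.
            alerts.append((r.minute, "setpoint_mismatch"))
    return alerts


# Constructed sample: the HMI shows a steady 1000 Hz throughout, while the
# independent sensor sees the three excursions quoted from Symantec.
SAMPLE = [
    Reading(0, 1000.0, 1000.2),
    Reading(1, 1000.0, 1410.0),
    Reading(2, 1000.0, 999.8),
    Reading(3, 1000.0, 2.0),
    Reading(4, 1000.0, 1064.0),
    Reading(5, 1000.0, 1000.1),
]

if __name__ == "__main__":
    print("band-only check flags minutes:", band_only(SAMPLE))
    for minute, reason in find_anomalies(SAMPLE):
        print(f"minute {minute}: {reason}")
```

The 1064 Hz excursion sits inside the 807–1210 Hz band, so the band-only check misses it; only the comparison against the commanded setpoint catches it.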