Tag Archives: Cyberwarfare

See How USAF Aggressors Jam Civilian GPS Signals in Training at Nellis Air Force Base

GPS Jamming is a New Story from Red Flag 18-1, But We Videotaped It at Nellis Last Year.

Despite the Jan. 27, 2018 accident with a Royal Australian Air Force EA-18G Growler, the massive tactical air training exercise Red Flag 18-1 continues from Nellis AFB outside Las Vegas, Nevada. The training exercise extends throughout the sprawling 7,700 square mile Nellis Military Operating Area (MOA) ranges.

Aviation authority and journalist Tyler Rogoway broke the story of the U.S. Air Force jamming GPS signals on a large scale for training purposes during Red Flag 18-1 in an article for The War Zone last week. But back in 2017 we went inside Nellis AFB for a firsthand demonstration of how easily and how quickly the U.S. Air Force can jam GPS signals for training purposes.

In our demonstration, members of the 527th Space Aggressor Squadron (527th SAS) at Nellis AFB showed us how they use off-the-shelf equipment to conduct tactical short-range jamming of the GPS signal at a local level. The 527th SAS was at Nellis AFB for the 2017 Aviation Nation Air and Space Expo, and our reporters got a firsthand look at GPS jamming on media day. In only a few seconds, members of the 527th SAS used publicly available off-the-shelf equipment to jam local GPS reception. As you can see in the video, the signal bars on our test receiver, a typical consumer GPS, disappeared entirely, as though GPS simply didn’t exist anymore.

The 527th Space Aggressor Squadron’s mission is not active combat jamming of GPS, but to provide these and other electronic warfare capabilities for training purposes in exercises like Red Flag 18-1. The unit is based at Schriever AFB in Colorado but is attached to the 57th Wing at Nellis. According to the U.S. Air Force, the 57th Wing, “is the most diverse wing in the Air Force and provides advanced, realistic and multi-domain training focused on ensuring dominance through air, space and cyberspace.”

The 527th Space Aggressor Squadron personnel showed enthusiasm for their mission and reminded us that cyber and electronic warfare are the most dynamic and fastest growing battlespace in modern combat.

The unique insignia worn by members of the elite 527th Space Aggressor Squadron. Notice one version worn by the unit is in Russian. (Photo: TheAviationist.com)

In an operational environment, jamming GPS signals represents both a threat and an important capability. In addition to serving navigation on land, at sea and in the air, GPS also provides targeting capability for precision weapons, along with many other tactical and strategic purposes.

For instance, among the various theories surrounding the capture of the U.S. RQ-170 Sentinel drone by Iran in 2011, one mentioned a GPS hack. This is what The Aviationist’s David Cenciotti wrote back then:

Eventually there is an explanation for the mysterious capture of the U.S. stealth drone by Iran. In an exclusive interview to the Christian Science Monitor, an Iranian engineer (on condition of anonymity) working to reverse engineer the RQ-170 Sentinel, hacked while it was flying over the northeastern Iranian city of Kashmar, some 225 kilometers (140 miles) away from the Afghan border, says they were able to exploit a known vulnerability of the GPS.

In simple words, in a scenario that I had more or less described in my last post, which also described the known threats to the drone’s Position, Navigation and Guidance system, the Iranian electronic warfare specialists disrupted the satellite link of the American robot and then reconfigured the drone’s GPS, setting the coordinates to make it land in Iran at what the Sentinel thought was its home base in Afghanistan.

They jammed the SATCOM link and then forced the drone into autopilot reconfiguring the waypoint of the lost-link procedure to make it land where they wanted.

Such techniques were tuned by studying previously downed smaller drones, like the 4 U.S. and 3 Israeli ones that could be exhibited in Iran in the near future.

Although we don’t know what really happened to the Sentinel drone during its clandestine mission (in the above article our own Cenciotti was skeptical about the version given by the anonymous Iranian engineer), it is pretty obvious that dominating the GPS “domain” is crucial to winning. That is why the widespread jamming of GPS for training purposes during Red Flag 18-1 lets warfighters operate in an environment where electronic and cyber attacks may disable GPS. It compels the players to develop new tactics for fighting “GPS blind” and to revisit existing capabilities perfected in the era before GPS was widely used in a warfighting role.
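The two failure modes described above, GPS going dark under jamming and a receiver being fed a false position so that the platform steers somewhere else, are usually caught on board by cross-checking each GPS fix against dead reckoning from heading and speed. The script below is an added example written for this page, not code from The Aviationist, the 527th SAS or any avionics vendor: it assumes the platform knows its heading and ground speed independently of GPS (from inertial or air-data sensors), and the 200 m error budget, the four-satellite minimum and the sample track are constructed values, not figures from any real system.

```python
"""Added example (not from the original article): plausibility checks on a
stream of GPS fixes. A fix with too few satellites is treated as jamming; a
fix that disagrees with dead reckoning is treated as spoofed; in both cases
the position is carried forward by dead reckoning instead of the GPS value.

All thresholds and the sample track are constructed for illustration.
"""
import math

EARTH_RADIUS_M = 6_371_000.0


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two lat/lon points (degrees)."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def dead_reckon(lat, lon, heading_deg, speed_mps, dt_s):
    """Advance a position by speed*dt along a true heading (flat-earth step)."""
    d = speed_mps * dt_s
    dlat = d * math.cos(math.radians(heading_deg)) / EARTH_RADIUS_M
    dlon = d * math.sin(math.radians(heading_deg)) / (EARTH_RADIUS_M * math.cos(math.radians(lat)))
    return lat + math.degrees(dlat), lon + math.degrees(dlon)


def check_fixes(fixes, heading_deg, speed_mps, dt_s, max_error_m=200.0, min_sats=4):
    """Return one verdict per fix: 'ok', 'jammed' (no usable fix) or 'spoofed'
    (fix disagrees with dead reckoning by more than max_error_m).

    fixes are dicts with 'lat', 'lon' and 'sats' (satellites used; 0 when the
    receiver has lost lock), assumed to arrive every dt_s seconds. The first
    fix is trusted as the starting point (assumption: taken before the sortie).
    """
    verdicts = ["ok"]
    est_lat, est_lon = fixes[0]["lat"], fixes[0]["lon"]
    for fix in fixes[1:]:
        # Where we expect to be, based only on heading and speed.
        est_lat, est_lon = dead_reckon(est_lat, est_lon, heading_deg, speed_mps, dt_s)
        if fix["sats"] < min_sats:
            verdicts.append("jammed")          # keep navigating on dead reckoning
            continue
        if haversine_m(est_lat, est_lon, fix["lat"], fix["lon"]) > max_error_m:
            verdicts.append("spoofed")         # do not let the fix move us
            continue
        est_lat, est_lon = fix["lat"], fix["lon"]   # trusted: re-anchor on the fix
        verdicts.append("ok")
    return verdicts


def build_sample_track():
    """Constructed track: 3 honest fixes heading east at 100 m/s, two
    jammed epochs, one fix pulled 5 km north of the true track, then honest."""
    lat, lon = 36.2, -115.0
    fixes = [{"lat": lat, "lon": lon, "sats": 9}]
    for _ in range(2):
        lat, lon = dead_reckon(lat, lon, 90.0, 100.0, 10.0)
        fixes.append({"lat": lat, "lon": lon, "sats": 9})
    fixes.append({"lat": 0.0, "lon": 0.0, "sats": 0})   # lock lost
    fixes.append({"lat": 0.0, "lon": 0.0, "sats": 0})   # still jammed
    lat, lon = dead_reckon(lat, lon, 90.0, 100.0, 30.0)  # true position after 30 s
    fixes.append({"lat": lat + 0.045, "lon": lon, "sats": 9})   # ~5 km off: spoofed
    lat, lon = dead_reckon(lat, lon, 90.0, 100.0, 10.0)
    fixes.append({"lat": lat, "lon": lon, "sats": 9})   # honest again
    return fixes


if __name__ == "__main__":
    for i, v in enumerate(check_fixes(build_sample_track(), 90.0, 100.0, 10.0)):
        print(f"fix {i}: {v}")
```

The check deliberately does not re-anchor on a rejected fix, so a spoofer has to stay within the error budget at every epoch to drag the estimate anywhere; in practice the budget grows with time since the last trusted fix because dead reckoning drifts, which is the trade-off the "GPS blind" training above is about.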

The 527th SAS displayed press clippings about GPS jamming incidents around the world at Nellis AFB. (Photo: TheAviationist.com)

Israel Blamed for Fueling Flame Cyber Weapon in Middle East

The day after its discovery, there are few doubts that the infamous malware dubbed Flame (or sKyWIper) was developed by a government with significant budget and effort. The complexity of the malware suggests it has been used for a huge cyber-espionage campaign and, predictably, Israel is listed as the main suspect, although in good company if it is true, as some bloggers argue, that the malware was a joint production of the CIA and Mossad.

Israeli vice Premier Moshe Ya’alon has helped fuel the Flame: speaking in an interview with Army Radio, Ya’alon hinted that Jerusalem could be behind the cyber attack, saying “Israel is blessed to be a nation possessing superior technology. These achievements of ours open up all kinds of possibilities for us.” In light of this statement, it does not look like a coincidence that the main victims of the cyber weapon, as reported by Kaspersky Lab, are nations that cannot exactly be said to enjoy good neighborly relations with Israel.

Consequently it is not surprising that the same interview was promptly picked up by the Iranian news agency Fars (which read it as an admission of responsibility and blamed Israel for waging cyber war on Iran), nor is the tone of several comments on an article posted on the Haaretz newspaper’s website (“Nice One Israel, Proud of You!!!!”).

Of course it is too soon to jump to conclusions. In any case, whether Israel (and the U.S.) is behind Flame or not, I cannot help wondering how a piece of malware could go undetected for at least five years. Are endpoint protection technologies really dead, leaving us at the mercy of a (cyber)world ruled by APTs?

If you want to have an idea of how fragile our data is inside the cyberspace, have a look at the timelines of the main Cyber Attacks in 2011 and 2012 (regularly updated) at hackmageddon.com. And follow the author of this article @paulsparrows on Twitter for the latest updates.


Flame malware infiltrating Middle East computers: the most complex Cyber Weapon, ever!

Irony of fate: not even a day after the publication of a provocative article on the role of Cyber Warfare for maintaining peace, a new cyber threat appears, which is destined to leave an indelible mark on the cyber weapons’ landscape.

Today is one of those days that the Infosec Community will remember for a long time. It looks like the mystery of the malware that targeted the Iranian oil business a month ago has been solved, and not with the kind of conclusion we would have hoped for.

Almost simultaneously, Kaspersky Lab, CrySyS Lab and the Iranian Computer Emergency Response Team Coordination Center have released details of what has been described (arguably) as the most complex malware ever found.

The malware, which has been dubbed Flame (Kaspersky), sKyWIper (CrySyS Lab) or Flamer (CERTCC), has some unprecedented features that make it one of the most complex threats ever discovered:

  • The malware is a sophisticated attack toolkit: a backdoor, a Trojan, and it has worm-like features (three in one). According to Kaspersky its development took a couple of years, and it will probably take years to fully understand Flame’s 20 MB of code.
  • According to CrySyS Lab Flame has been in the wild since 2007, having been seen in the following geographical regions: Europe on Dec 5 2007, The United Arab Emirates on Apr 28 2008 and the Islamic Republic of Iran on Mar 1 2010;
  • Flame is controlled via an SSL channel by a C&C infrastructure spread all around the world, ranging from 50 (Kaspersky) to 80 (CrySyS) different domains;
  • Flame has many capabilities, including sniffing network traffic, taking screenshots, recording audio conversations and logging keystrokes. C&C operators may choose to upload up to about 20 modules, which expand Flame’s functionality;
  • The complete set of 20 modules is 20 MB in size when fully deployed (about 20 times larger than Stuxnet, and maybe that is why it went undiscovered for so long);
  • Flame includes a piece of code (about 3,000 lines) written in Lua, a not so common occurrence for malware;
  • Top 7 affected countries include Islamic Republic of Iran (189 Samples), Israel/Palestine (98 samples), Sudan (32), Syria (30), Lebanon (18), Saudi Arabia (10), Egypt (5).
  • Flame appears to have two modules designed for infecting USB sticks: “Autorun Infector” (similar to Stuxnet) and “Euphoria” (which spreads on media using a “junction point” directory that contains malware modules and an LNK file that triggers the infection when the directory is opened);
  • Flame may also replicate via local networks using the following:
    1. The printer vulnerability MS10-061 exploited by Stuxnet – using a special MOF file, executed on the attacked system using WMI;
    2. Remote job tasks.
    3. When Flame is executed by a user who has administrative rights to the domain controller, it is also able to attack other machines in the network: it creates backdoor user accounts with a pre-defined password that is then used to copy itself to these machines.

  • So far no 0-day vulnerabilities have been found, although the fact that some fully-patched Windows 7 installations have been compromised might indicate the presence of high-risk 0-days.
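The domain-controller replication step in the list above (a freshly created backdoor account, a pre-defined password, then copying the malware onto other machines) leaves a trail in Windows Security logs that is easy to correlate. The script below is an added example written for this page, not code from the original post, Kaspersky or CrySyS: it flags any account that is created and then, within minutes, used for a network logon or an administrative share access on some other host. Event IDs 4720 (account created), 4624 with logon type 3 (network logon) and 5145 (network share object accessed) are real Windows Security event IDs, but the pipe-delimited log format, the 30-minute window and every log line are constructed for this example.

```python
"""Added example (not from the original post): correlate Windows Security
events for the Flame-style pattern "new account, immediately used over the
network against other hosts". Log format and sample lines are constructed;
the event IDs are the real Windows Security ones.
"""
from datetime import datetime, timedelta

# Constructed format: ts|event_id|computer|user|logon_type|src_ip|share
# For 4720 'user' is the account that was created; '-' means field absent.
SAMPLE_LOG = """\
2012-05-28T09:58:11Z|4624|DC01|admin|3|10.0.0.15|-
2012-05-28T10:01:05Z|4720|DC01|svc_backup2|-|-|-
2012-05-28T10:03:40Z|4624|WS-17|svc_backup2|3|10.0.0.5|-
2012-05-28T10:03:42Z|5145|WS-17|svc_backup2|-|10.0.0.5|ADMIN$
2012-05-28T10:04:10Z|5145|WS-22|svc_backup2|-|10.0.0.5|C$
2012-05-28T13:30:00Z|4720|DC01|jsmith|-|-|-
2012-05-29T08:15:00Z|4624|WS-03|jsmith|2|-|-
"""

FIELDS = ("ts", "event_id", "computer", "user", "logon_type", "src_ip", "share")
NETWORK_LOGON = "3"


def parse_log(text):
    """Parse the constructed pipe-delimited format into dicts, oldest first."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("|")
        if len(parts) != len(FIELDS):
            raise ValueError(f"malformed line: {line!r}")
        rec = dict(zip(FIELDS, parts))
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        rec["event_id"] = int(rec["event_id"])
        records.append(rec)
    return sorted(records, key=lambda r: r["ts"])


def find_new_account_lateral_movement(text, window=timedelta(minutes=30)):
    """Return {account: details} for accounts created (4720) and then used,
    within `window`, for a network logon (4624 type 3) or share access (5145).
    Normal provisioning tends to show an interactive logon hours later, not an
    immediate fan-out over ADMIN$/C$ from a single source address."""
    created = {}    # account -> (creation time, computer it was created on)
    alerts = {}
    for rec in parse_log(text):
        if rec["event_id"] == 4720:
            created[rec["user"]] = (rec["ts"], rec["computer"])
            continue
        if rec["user"] not in created:
            continue
        is_net_logon = rec["event_id"] == 4624 and rec["logon_type"] == NETWORK_LOGON
        is_share = rec["event_id"] == 5145
        if not (is_net_logon or is_share):
            continue
        t0, origin = created[rec["user"]]
        if not (timedelta(0) <= rec["ts"] - t0 <= window):
            continue
        a = alerts.setdefault(
            rec["user"], {"created_on": origin, "hosts": [], "shares": [], "sources": set()}
        )
        if rec["computer"] not in a["hosts"]:
            a["hosts"].append(rec["computer"])
        if is_share and rec["share"] not in a["shares"]:
            a["shares"].append(rec["share"])
        if rec["src_ip"] != "-":
            a["sources"].add(rec["src_ip"])
    return alerts


if __name__ == "__main__":
    for user, info in find_new_account_lateral_movement(SAMPLE_LOG).items():
        print(f"{user}: created on {info['created_on']}, touched {info['hosts']} "
              f"shares {info['shares']} from {sorted(info['sources'])}")
```

On the constructed log only svc_backup2 fires: admin was never created in the window, and jsmith's first use is an interactive logon the next day. Two caveats for a real deployment: 5145 is only written when "Audit Detailed File Share" is enabled, and the account-creation event carries the new name in TargetUserName, so a real parser has to map that field rather than the subject user.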

Without doubt a beautiful piece of malware, written with the precise intent of cyber-espionage. Besides its headline features, I find it particularly interesting that it shares an infection mechanism with Stuxnet, which makes me think of (another) possible double agent planting the initial infection.

This (legitimate) suspicion is also reinforced by the disarming conclusions issued by CrySyS Lab:

The results of our technical analysis support the hypotheses that sKyWIper was developed by a government agency of a nation state with significant budget and effort, and it may be related to cyber warfare activities.

[Originally posted on Hackmageddon.com: http://hackmageddon.com/2012/05/28/a-flame-on-the-cyberwarfare-horizon/]


Middle East Cyber War: Revenge Of The Drones

In the same hours in which I was publishing my post on Cyber Weapons, news agencies around the world began to release (scant) details about a new alleged cyber attack targeting the Iranian Oil Ministry, the National Iranian Oil Company and several other state-owned businesses.

The attack was confirmed by a spokesman for the Iranian Oil Ministry, who also stressed that no critical data were damaged or lost. Still, as a precautionary consequence of the attack, Internet access to several oil refineries has been cut off.

Of course Iran is not new to cyber attacks targeting critical infrastructure (do you remember Stuxnet and the possible hoax of Duqu Stars?). In any case it is too soon to draw any connection with Stuxnet or any other kind of state-sponsored attack, also because, according to the scant information available, only a server providing public information has been harmed.

Probably this malware has nothing to do with cyber weapons but, just for fun, I cannot help noticing that this alleged cyber attack came on the same day on which, amid many doubts, Iran announced that it had reverse-engineered the U.S. stealthy RQ-170 Sentinel drone captured in December 2011.

The revenge of the reverse-engineered drone?

Obviously it’s ironic, but what if the drone was actually a Trojan horse?

[Read also: Captured U.S. stealthy drone in Iran: the simplest solution solves the mystery]

The mysterious hatch possibly housing a recovery chute. Image courtesy: Dave Krakow

What is a Cyber Weapon?

We’ve been talking about the militarisation of cyberspace for some time now. This interesting article by Hackmageddon.com provides a model to classify cyber weapons according to four parameters: Precision, Intrusion, Visibility, and Easiness to Implement. Based on these parameters, cyber threats can be compared to smart bombs, handguns, traditional bombs and paintball pistols. Read below to discover why.

What is a Cyber Weapon? At first glance this seems an easy question to answer, but anyone who tries to analyze the meaning of the term more deeply would probably be surprised, and disappointed, to discover that the answer is not so immediate, since no exact definition has been given (at least so far).

A real paradox, in the same days in which the Pentagon, following the Japanese example, has unveiled a new strategy aimed at dramatically accelerating the development of new cyber weapons. And do not think these are isolated, fashion-driven examples (other nations are adopting the same strategy); rather consider them real needs in the post-Stuxnet age, an age in which more and more governments are moving their armies into the fifth domain of war [you will probably remember the (in)famous episode in which F-Secure discovered the Chinese government launching online attacks against unidentified U.S. targets].

Recently Stefano Mele, a friend and a colleague in the Italian Security Professional Group, tried to answer this question in his paper (so far only in Italian, but it will soon be translated into English), in which he analyzes cyber weapons from a legal and strategic perspective.

As he points out, “Correctly defining the concept of Cyber Weapon, thus giving a definition also in law, is an urgent and unavoidable task, for being able to assess both the level of threat deriving from a cyber attack, and the consequent political and legal responsibilities attributable to those who performed it”. Maybe this sentence contains the reason why a coherent definition has not been given so far: a cyber weapon is not only a technological concept, but also carries complex juridical implications.

According to Stefano’s definition, a cyber weapon is:

A device or any set of computer instructions intended to unlawfully damage a system acting as a critical infrastructure, its information, the data or programs therein contained or thereto relevant, or even intended to facilitate the interruption, total or partial, or alteration of its operation.

One could argue whether a cyber weapon must necessarily cause physical damage, in which case Stuxnet would probably be the only one, so far, to meet all the requirements. In any case, from my point of view, the effects of a cyber weapon should be evaluated in its own domain of relevance, cyberspace, with the possibility of crossing the virtual boundaries and extending into the real world (Stuxnet is a clear example of this, since it inflicted physical damage on the centrifuges of Iran’s uranium enrichment program).

With this idea in mind, I tried to build a model to classify cyber weapons according to four parameters: Precision (the capability to hit only the specific objective and limit collateral damage), Intrusion (the level of penetration inside the target), Visibility (the capability to remain undetected), and Easiness to Implement (a measure of the resources needed to develop the specific cyber weapon). The results, ranging from paintball pistols to smart bombs, are summarized in the chart below.

Read more…

 
