For those who have read this series up to this point, pointing a finger at the US as one of the threats you need to be aware of in the current nation-state threat actor landscape may come as a surprise. This is primarily because the government agencies tasked with carrying out cyber warfare or cyber espionage operations have mostly evaded public exposure. Only when Edward Snowden released 9,000 classified documents in 2013 did the world get an inkling of what agencies like the National Security Agency (NSA) were up to. Following Snowden’s revelations, pressure was placed on the government of the time to release classified documents informing the public of the government’s history with offensive cyber capabilities. Some 52,000 classified documents were released to the public towards the end of 2015. These proved to be a veritable treasure trove of information.
Cyber Roots Trace back to World War Two
Encrypted communications in times of war have been a useful tool for keeping vital information away from the enemy, even if the message is intercepted. In World War Two, this was taken to an entirely new level when the Germans developed the Enigma machine to encrypt communications that could not be broken using traditional code-breaking techniques. The Allies saw this and started purchasing encryption machines from the Swiss company Crypto AG. After the war, stronger connections developed between the US and Crypto AG, to the massive benefit of both the US and the Swiss company. The whole saga came to light as a result of the above-mentioned declassification of documents by the US government.
Writing on the incident, the Washington Post reported:
“The deal called for Hagelin…to restrict sales of his most sophisticated models to countries approved by the United States. Nations not on that list would get older, weaker systems. Hagelin would be compensated for his lost sales, as much as $700,000 upfront.
It took years for the United States to live up to its end of the deal, as top officials at the CIA and the predecessor to the NSA bickered over the terms and wisdom of the scheme. But Hagelin abided by the agreement from the outset, and over the next two decades, his secret relationship with U.S. intelligence agencies deepened.
In 1960, the CIA and Hagelin entered into a “licensing agreement” that paid him $855,000 to renew his commitment to the handshake deal. The agency paid him $70,000 a year in retainer and started giving his company cash infusions of $10,000 for “marketing” expenses to ensure that Crypto — and not other upstarts in the encryption business — locked down contracts with most of the world’s governments.”
This deal effectively gave US agencies the ability to harvest encrypted data from Crypto AG customers, bar those of China and Soviet Russia, who had long been suspicious of the relationship between the US and Crypto AG. It could be argued that this was the first instance of a supply chain attack, but some will point to the lack of digital assets compromised, at least at the beginning, as the reason why this shouldn’t be considered cyber espionage. The counter-argument is that we are still reliant on encrypted communications, even in an individual’s daily life; the technology remains vital despite the supplementary technologies that arose in the decades following the Second World War.
The Stuxnet Saga
Those who have read our previous articles in this series may have a sudden bout of deja vu. We covered this incident in the “Know Your Enemy: Israel” article, so rather than rehashing what has already been covered, the focus here will be on the US’s hand in events.
As a reminder of events: in June 2010, reports began to emerge that a new computer worm had been discovered. Shortly after the worm’s discovery, it mutated to attack programmable logic controllers (PLCs) used to automate machine processes, and it was spread through compromised USB sticks loaded with the malware. It would then go on to destroy centrifuges used by Iran’s nuclear program to enrich uranium to weapons-grade fissile material for use in nuclear weapons. One of the reasons the incident received so much attention was that it was one of the first known instances of malware actively destroying hardware, and it set a precedent for years to come that has haunted those tasked with defending networks associated with manufacturing.
Suspicion was soon placed at the United States’ door, as Iran had turned its back on a deal signed with the US, Israel, and several other countries under which it would not enrich uranium for use in nuclear weapons. In 2006, Iranian President Mahmoud Ahmadinejad announced that Iran had achieved the uranium enrichment goal needed to support its nuclear program. Then-President of the United States George W. Bush warned that there would be consequences. Initially, sanctions were placed on Iran by the international community, but in 2010 the attack on the enrichment facility showed that the time for sanctions had ended.
After several years of extensive research conducted by Symantec, the security firm concluded that Stuxnet had existed well before 2010, when it first appeared in the wild. Further evidence shows that Stuxnet development began many years earlier, in May 2005. However, it likely did not make its way onto the Natanz FEP, the Iranian enrichment facility, until 2009, just one year before Stuxnet’s discovery. To execute the attack, the adversary needed to get the malware onto the network-controlling systems at the Natanz FEP.
According to media reports, the attacker placed Stuxnet injector code onto USB devices. Symantec’s technical findings identified a USB module designed into the Stuxnet malware, corroborating the claims. The media claimed Stuxnet’s orchestrators strategically placed the USB sticks at the five companies with trusted relationships to the FEP. The attacker likely knew the Natanz FEP’s internal networks and systems would have strong security defenses. It would take an attacker with vast intelligence-gathering capabilities to identify a nuclear facility that is primarily underground and gain insider knowledge of its technical environment. Given these requirements, carrying out a successful attack would involve the US, Israel, or both.
Since the Stuxnet attack, there have been several other instances of possible US cyber warfare operations intended to prevent attacks on oil tankers traveling through the Strait of Hormuz. According to the Washington Post, and corroborated by United States Cyber Command, the United States’ cyber operations destroyed both data and communication sources Iran used to identify and track oil tankers and other ships passing through nearby waterways.
The seriousness of the Stuxnet attack cannot be overstated. Firstly, the worm developed to carry out the attack exploited multiple Windows zero-days and set a new precedent for stealthy deployment. This made it extremely difficult to detect the attack before it was too late.
From a geopolitical view, the incident brought into sharp relief the capability of cyber warfare operations not only to disrupt but also to destroy specific targets that rely on some form of hardware and software to operate. This meant that other state actors would adopt similar tactics to bolster their own cyber warfare operations, increasing the global threat posed by such attacks. This was a wake-up call for the cyber security industry, and Stuxnet is now considered by many security researchers as the opening of Pandora’s box for hardware attacks that could ultimately result in the destruction of not just hardware but manufacturing facilities as a whole.
Equation Group
In February 2015, researchers from Kaspersky dropped a bombshell report detailing the discovery of a world leader in cyberespionage operations, dubbed Equation Group by Kaspersky due to its extensive use of encryption routines. Kaspersky described it as follows:
“The Equation group is a highly sophisticated threat actor that has been engaged in multiple CNE (computer network exploitation) operations dating back to 2001, and perhaps as early as 1996. The Equation group uses multiple malware platforms, some of which surpass the well-known “Regin” threat in complexity and sophistication. The Equation group is probably one of the most sophisticated cyber attack groups in the world, and they are the most advanced threat actor we have seen.”
All in all, researchers discovered that the Equation group had compromised more than 500 systems across 42 countries. Countries with high infection rates included Russia, Iran, China, and several more. Once they had analyzed this data, they categorized the victims by country and industry. These victims included organizations working in government, military, aerospace, nuclear research, telecoms, and cryptographic technology, among others, a pattern that aligns with nation-state targeting.
Researchers did not suggest who they believed was behind the Equation Group’s formation and operations. However, think tanks like the Council on Foreign Relations put forward several good arguments that a U.S. intelligence agency conducted the attacks. The attribution arose from the Equation group’s access to zero-day exploits and malware strings written in English, as well as two elements identified by Kaspersky’s research. First, the research suggested that the custom malware used by the Equation Group was found on several Stuxnet “patient zero” victim systems before the Stuxnet attacks. Secondly, several of the zero-days originally identified in the Stuxnet malware had been leveraged by the Equation group over a year before their use in Stuxnet operations. This suggests that a well-organized central organization oversaw both operations.
Operation PRISM and Mass Surveillance
Operation Prism was initially revealed to the public at large when Edward Snowden published a series of leaks from his time working for the NSA. The leaks revealed that the NSA was capable of directly accessing the systems of the US’s biggest tech and internet giants, including Google, Facebook, and Apple. The public only became aware of the program in 2013, but it appears Operation Prism first kicked off in 2007.
It is widely believed that Operation Prism was used to conduct mass surveillance on those living in the US, be they citizens or foreign nationals. The revelation of mass surveillance programs like Prism raised significant concerns about the violation of privacy rights. Critics argue that such surveillance activities infringe upon the privacy and civil liberties of individuals both within and outside the United States. The secretive nature of many cyber operations conducted by intelligence agencies like the NSA has been a source of controversy. Critics argue that a lack of transparency and accountability can lead to abuses of power and the misuse of cyber capabilities.
Conclusion
While the US has escaped the demonizing media attention other countries have received, it is clear that US activities within the realms of cyber warfare and cyber espionage have paved the way for others to follow and set a very dangerous precedent. In the next part, we will look at how this dangerous precedent has enabled further operations by US agencies and also made the US a major target and victim of several attacks.