This document analyzes the use of the cyber environment in the Syrian civil war by both the population and the government in order to characterize online tactics and strategies developed and used by each belligerent.
This is an article I wrote a while ago and never got published. It’s a bit outdated now, but I still think it can be useful for historical purposes, so I’ll post a link to it below.
This document analyzes the use of the cyber environment in the Syrian civil war by both the population and the government in order to characterize online tactics and strategies developed and used by each belligerent. This overview allows for generalization of online behavior by hacktivists and nation-state sponsored actors on communication networks in the region, which will continue to see online attacks from various parties in the foreseeable future during similar conflict. In Syria, because of poor infrastructure, low rate of Internet penetration and early adoption of control mechanisms by the current government, the authorities had dominance over their information environment early in the conflict, enabling rapid gathering of intelligence on dissidents. While social medias were leveraged by the population as in many other uprisings for coordination, it was also the theater of multiple offensive cyber operations by internal and external groups, mostly for information operations purposes. Despite the high level of activity, none appeared to have a definitive impact on the ground. While events recorded in this space have not reached the level of intensity of other conflicts, it proves a useful model for similar conflicts in the Middle East region.
China, as one of many alleged actors on the frontier of cyber espionage, is best understood by briefly examining the past century, how it influences contemporary cyber operations attributed to Chinese-based actors, and how they could be used against the Canadian Armed Forces in a potential Southeast Asian conflict.
Out of nowhere, here’s an article I wrote for the Canadian Military Journal. China, as one of many alleged actors on the frontier of cyber espionage, is best understood by briefly examining the past century, how it influences contemporary cyber operations attributed to Chinese-based actors, and how they could be used against the Canadian Armed Forces in a potential Southeast Asian conflict.
This accident comes amid a raise in violence targeted towards Indian native in Australia and apparently Dwivedi protested this situation by leaving a message on the website:
“This site has been hacked by Atul Dwivedi. This is a warning message to the Australian government. Immediately take all measures to stop racist attacks against Indian students in Australia or else I will pawn all your cyber properties like this one.”
This site is now up and running as per normal. Of course the webserver wasn’t connected to any internal network and didn’t contain any classified information according to a spokewoman:
“No sensitive information was compromised as the air force internet website is hosted on an external server and, as such, does not hold any sensitive information,1“
Microsoft products are used in pretty much every Western armed forces. So it’s save to assume the webserver used by the RAAF is probably running IIS. Of course, IIS implies as Windows machine and a Windows Server machine means that everything is almost certainly all Microsoft based. Of course we can now verify those claims and according to David M Williams from ITWire2 the website is hosted through Net Logistics, an Australian hosting company. The aforementioned article tries to explain the hack with the use of exploits. Which might have been the way Dwivedi did it, but the analysis is quite simple and lacks depth. The site still has an excellent link to a blog detailing the WebDAV exploit, see below for the link.
It’s not impossible to think that Dwivedi might have tricked someone into giving out too much information also. Social engineering can do lots and is usually easier than technical exploits. The Art of Deception by Kevin Mitnick should convince most people of that. Someone could look up on Facebook or another social networking site for some people in the RAAF and then try to pose as them and pose as them.
Then also, why not look for the FTP server? And God knows what else the server is running; maybe a SMTP server also (and probably it does). Now I wouldn’t suggest doing this, but running a port scan would probably reveal a lot of information. Moreover, using web vulnerability tools like Nikto could help find misconfigured settings in ASP or forgotten test/setup pages/files. Up to there, only two things are important: information gathering and imagination.
The new command system is based on COTS hardware and software products. It uses mainstream PCs and Windows as supporting components. All computers are connected with on a LAN by an Ethernet network using fiber-optic cable. According to The Register, the system will mostly be based on Windows XP although in was initially decided it would be based on Windows 2000.
The role of this system is to store and compile data from various sensors in order to present tactical information for the leadership. It also controls the weaponry:
SMCS NG is designed to handle the growing volume of information available in modern nuclear submarines and to control the sophisticated underwater weapons carried now and in the future. Its core capability is the assimilation of sensor data and the compilation and display of a real time tactical picture to the Submarine Command Team.
The SMCS NG system is the descendant of the previous SMCS system that was proposed back in 1983, when the U.K decided to build a new command system for the then-new Trident class. Before, all electronics were custom built by Ferranti. The SMCS would use COTS material to minimize the costs and become fewer dependants on one company. The architecture of the command system was modular and was written in Ada 83. The core of the system contains an Input/Output computer node, a computer that process data from the sensors and weapons systems. There is also the central node, which is used for processing all the data. Each of the central nodes are duplicated to provide of fault-tolerance, with each being dual modular tolerant, which means that hardware components are working in parallel in case one becomes defective. The dual central nodes are connected to each other and they are also connected to Multi Function Consoles, a Main Tactical Display and two Remote Terminals, which provide the Human Computer Interface. The first phase of the project was to install the SMCS on the Vanguard class submarines.
In 1990, it was decided to extend the SMCS to other submarine classes and that the new command system would use UNIX as its base operating system. Because of the Ada architecture, problems arose when the technicians tried to map the SMCS to run-time processes of UNIX. Solaris and SPARC machines were finally selected for Multi Function Consoles. The central nodes kept their original architecture in Ada.
In 2000, the project was completely own by BAE Systems and the move from SPARC computers to PCs. The switch for the operating system was more difficult, as management preferred Windows while the engineers promoted the use of variants of UNIX such as BSD, Linux or Solaris. The main argument for the engineers was that with UNIX, it would be possible to remove all the extra code unneeded for the submarines operations, thus making it more secure. However, the management point of view prevailed and thus was created the “Windows for Warships” label.
Windows was chosen even after the USS Yorktown accident in 1997, in the US. The ship was crippled after the sysadmin entered invalid data into the database thought the Remote Database Manager.
Insert any jokes about Windows controlling nuclear subs into the comments. Thank you.
The Los Angeles Times reports that the reports about the Agent.BTZ worm spreading to the U.S Army networks might be a coordinated attacks originating from Russia.
The U.S Central Command is now infected with the worm and a high-classified network has been hit also.
It is unclear if the author of the article thinks that an infection is the same things as an ‘attack’ though. From the article:
“Military electronics experts have not pinpointed the source or motive of the attack and could not say whether the destructive program was created by an individual hacker or whether the Russian government may have had some involvement.”
This infection has been report at the beginning of the month. This might just be sensationalism ofrcomplete ignorance from the author who might think than an infection by a worm made in Russia is a deliberate attack.
Officials would not describe the exact threat from agent.btz, or say whether it could shut down computers or steal information. Some computer experts have reported that agent.btz can allow an attacker to take control of a computer remotely and to take files and other information from it.
Then maybe they should just call Symantec or F-Secure or even better, Google it…or this if they are having a hard time..
Wired reports that the U.S Army network is under assault by a variant of the SillyFDC worm called Agent-BTZ . In order to restrain the infection, the U.S. Strategic Command has ban the use of every portable media on its network, this include USB keys, CDs, flash cards, floppies etc… Both the SIPRNet and NIPRNet are affected by this directive.
The SillyFDC worm infects systems through replication, i.e. by copying itself to various locations such as these folders:
It will also try to copy itself to any drive connected to the machine by scanning drives A:\ to Z:\, which is why the U.S Army is banning the use of portable media for the time being. According to F-Secure who first discovered the worm, the variant in question will also create these files:
It will then install itself into the registry to make sure the worm starts every time the computer is booted. It will also attempt to download a JPG file from http://worldnews.ath.cx/update/img0008/[REMOVED].jpg and create an AUTORUN.INF file on each drive on the computer, which contains the following:
[RANDOM] is a randomly generated filename for the malicious DLL. Each time a new partition or a new drive is plugged in, Agent.BTZ will infect it immediately.
The SillyFDC worm doesn’t have any payload, as it only replicates itself through systems it finds using physical medias only. But its variant, the Agent.BTZ is a known Trojan dropper. A dropper is the kind of Trojan that will look to download and execute other malware. It’s surprising that it found its way into the U.S Army network. So that might be a tip for any worm/Trojan writer: add physical media replication to your malware like in the good ol’ days before e-mail, as it seems sending it by e-mail or click jacking is pretty well filtered in military networks, but peripherals such as USB keys are still often used by personnel. And this will surely open the eyes of the network admins of the U.S Army: scan anything plugged into the network.
Also, Graham Cluley, senior technology consultant at Sophos advises:
“… that users disable the autorun facility of Windows so removable devices such as USB keys and CD ROMs do not automatically launch when they are attached to a PC”
With whom I agree.
Since so many people asked me about this worm, I looked deeply into Internet and found this code, which seems to be part of the script of the Silly FDC worm (that’s the best I could do for now). This script basically copy files from one directory to another, renames the core of the worm and put it into another directory and add registry keys. I cannot confirm this as I found this on an Indonesian blog, so if anyone can look into this, please let me know. Thank you. Blog : http://morphians.wordpress.com/category/uncategorized/
Since the 70s, when Deng Xiaoping was the head of China, the People’s Liberation Army tried to modernize itself and cut its size in order to become more efficient. Still, China is still behind when it comes to military even if its defense budget is the second largest after the United States on the planet, with US$57 billion in 2008. According to an article published in Culture Mandala, China could boost its cyber warfare capabilities in order to compensate for their technological backwardness.
It started as soon as in 2003, when it deployed its first cyber warfare units, the “zixunhua budui“. Since, many attacks have been attributed to China, such as Operation Titan Rain in 2003. China hopes that by using asymmetrical warfare, such as information warfare and cyber warfare, it might level other modern armies.
Michael Vickers, Senior Vice President for Strategic Studies at the Center for Strategic and Budgetary Assessments declared that “a Chinese attack on Taiwan could entail special operations and cyber attacks on U.S. regional bases in Japan and South Korea, and might even include cyber attacks on the U.S. homeland that target the U.S. financial, economic, energy, and communications infrastructure“. In the same document, we can read:
“One way to assess this risk is to ask whether a cyber attack by China launched a few days in advance of a clash could prevent U.S. carrier battle groups from deploying to the Taiwan Straits. Launching the attacks too early would create the risk of discovery and countermeasures.“
It is clear to me that a nation with a technologically late compared to modern armies have all the advantage to develop asymmetrical warfare. We can assess its effectiveness in Afghanistan and Iraq. And cyber warfare is a perfect way to destabilize modern armies used to technology in their daily operations. But this is far from being easy for both sides, as talented individuals and highly skills hackers are needed to develop this kind of warfare. Terrorists and groups are unlikely to develop a high quality cyber warfare force, although they still can be efficient. China, on the other hand, can and is smart to do it. After all, if a force can disable communications the enemy’s communications networks, such as GPS, emails and phone networks, it can makes a strong army useless. Like a strong man or woman, if the brain can contact the muscle through the nervous system, the body is powerless…
As more and more of the infrastructure of modern societies gets inter networked, the more the authorities are taking notice of the possible disasters that ought to happen if those networks would be attacked and controlled by malicious individuals. Based on that, the U.S Secretary of the Air Force announced the creation of the AFCYBER, the Air Force Cyber Command, whose mission “will be to provide combat ready forces trained and equipped to conduct sustained global operations in and through cyberspace, fully integrated with air and space operations“. Let’s go deeper into that interesting new agency and try to see if it can actually matches the challenges of this century.
The United States government released in February 2003 a 76 pages document titled “The National Strategy to Secure Cyberspace”. This document recommended numerous solutions and actions to better protect the American cyberspace. Among these actions, one of them recommends to “Improve coordination for responding to cyber attacks within the U.S. national security community”. Based on that recommendation, the former U.S Secretary of the Air Force, Michael W. Wynne decided to establish a cyberspace command. He also stated:
“The aim is to develop a major command that stands alongside Air Force Space Command and Air Combat Command as the provider of forces that the President, combatant commanders and the American people can rely on for preserving the freedom of access and commerce, in air, space and now cyberspace“
It then has been decided that the 67th Network Warfare Wing and some elements of the 8th Air Force would serves as the core of the new command. It’s interesting to note that the goal of the 67th is “organizes, trains, and equips cyberspace forces to conduct network defense, attack, and exploitation.” Therefore, the Air Force already had an unit trained to conduct cyberspace operations, and more interestingly, this unit was also train to conduct attacks, not only defensive operations. Thus, in 2006 the Air Force Cyberspace Command (Provisional) unit was put into place. but faced many difficulties. The first came as to define the term “cyberspace”, define the command’s operations, find a location to base the unit, then find the personnel and define all their functions, train them and organize the unit. Those challenges were perfectly summarized when Maj. Gen. William T. Lord answered a Slashdot user about the location of the new command:
“I would hope that no matter where it was located, we would still be able to attract the talent needed to work in this exciting command and that all communities see the need to protect this domain.”
Attracting specialists and talented individuals is getting harder and harder. The private sector in technology is still offering, for now at least, good opportunities for graduated students. Maybe that’s why the AFCYBER touted is creation and development with TV ads and advertisement all over the web. A great mistake, as it opened it to greater scrutiny from the public and observers, which would now be able to witness the success or the failure of the new command…
And not only did it have difficulties organizing itself, it was in competition with other similar services of the military, with the Navy (Naval Network Warfare) and Army already having such organizations, without forgetting about organizations such as the National Security Agency (NSA).
Even with the fore mentioned difficulties, “We’ve figured all that out” said General Lord in October this year, “We’ve outlined how to organize cyber forces, i.e., what capabilities fall into, or not into, a cyber organization“.
The optimism expressed in Lord’s comment was hard to share. One month earlier, the establishment of the Cyber Command was suspended and the transfers of units were halted. In June, different actors were still discussing if the command should concentrate on defense and protection or if it should also conduct offensive operations. The ever growing size of the command and the confusion about which operations of the unit was to conduct were slowing any progress and all this amid numerous other Air Force scandals about nuclear management, which later caused Wynne to resign from his post.
As by October 8, 2008, the Air Force decided that the Cyber Command will finally be a numbered unit under the Air Force Space Command as told by Staff Gen. Norton A. Schwartz (see previous post “U.S Air Force Cyber Command is Working on a new Roadmap“, October 24, 2008). After 2 years, it seems that very little has been accomplish. We still have no idea of the structure, the size and not even the mission of the unit. Although Colorado Springs is apparently the preferred location, still no official location have been designated.
Will it work?
To be successful any cyber unit must first emphasize on constant research of new vulnerabilities in order to take the lead. It’s not just about looking at logs and waiting for an attack to occur. Any
serious cyber warfare unit must cooperate with every actor of the computer security field, not only corporations or universities, but also with hobbyist groups, hackers and phreakers in order to always have the initiative. As information is always distributed at blazing speed through out the net, and that nothing stays secret for long, constant research is needed to discover new vulnerabilities and detailed analysis. Yet, all those actors have been, as far as I know, ignored or forgotten.
Also, offensive is the best defense. Why should a military organization concentrate only on defensive operations? It even goes against American principles of war, as it ignores the “Offensive” principle, letting the initiative to the enemy. This is clearly not a sound decision. It ignores the basic concepts or warfare. I believe this is mostly due to a certain mentality in the military leadership, which still regards technology as support for troops instead of a fully fledge battlefield. This reasoning needs to change if we are to develop real cyber warfare operations. This is certainly something the Chinese understood.
I believe it will, if this unit becomes reality, become an administration bloated unit that will miss the point. Quantity is never a remedy to the lack of quality. A small but highly trained and skilled unit of hackers can do a lot more than a legion of technicians. The important part of cyber warfare is always to stay ahead, since that as soon as a hole or exploit is found, the enemy will patch it thus making it obsolete. and therefore, the need to find the next security vulnerability. Therefore, we don’t need a bigger bureaucracy, but more research, more cooperation with existing similar units and agencies and to develop a strong offensive capacity as the Chinese government seemed to have developed. The 67th Network Warfare unit and the Naval Network Warfare Command would be able to implement those capacities with the appropriate funding and support.
This command, which seemed like an important toward cyber warfare, now seems to have become a botched concept that will unlikely be of any use, except for other to look upon and learn from their mistakes. As the U.S Navy also has plans for a Naval Cyber Command, they have been a lot quieter about their project, maybe so they won’t suffer the same humiliation as their colleagues.
As governments are realizing the potential threats from a cyber war, agencies are organizing themselves to protect and defend their cyberspace. The U.S Air Force was based on this premise and would have been a good idea…if anyone had any idea of what they were talking about. Instead, it became or will become an administrative burden that failed and that will give no ror little results. In the end, the “Cyber Command” or what’s left of it, will be another organization which goals will be the same as the other agencies already in place, with no new value or innovative ideas…While western nations are struggling to grasp the concept of cyber warfare, others are developing a very well organized and effective effort to disrupt our systems. Cyber war is won by being a step ahead…and we’re not…
A new roadmap will be written for the reorganization of what was once the U.S Cyber Command. The project was downgraded from a major command to a numbered unit on October 8 by Staff Gen. Norton A. Schwartz. The cyberspace mission of the Air Force will be part of the Air Force Space Command. Both organizations are now working at ways of working together to fulfill the Air Force commitment to protect the cyberspace.
“This is not an additional duty for us,” General Kehler said. “We are in this 100 percent, and we will dedicate the manpower and resources needed to make this transition work. This is not just building a cyber numbered Air Force. This is establishing a robust cyberspace capability for our Air Force, and there won’t be a huge difference in what was being presented originally — cyber being its own command — with what will be done under Air Force Space Command’s umbrella.
There more I read about the Air Force Cyber Command, the more I believe it’s going to end up as it started. In the end, this is about the 67th Network Warfare unit transferring under the Air Force Space Command from the 8th Air Force. This is a wasted opportunity from the Air Force.