POTENTIAL FOR THE ESCALATION OF CYBER CALIPHATE CAPABILITIES
In April 2016, U.S. Defense Secretary Ashton Carter gave Cyber Command its first wartime assignment. The United States publicly declared its first ever cyber warfare campaign, against Cyber Caliphate / ISIS. The U.S. intends to use its arsenal of digital tools to disrupt and sever Cyber Caliphate / ISIS’s communication infrastructure and its access to money and trade. Carter hopes that cyber warfare disrupts “their ability to command their forces, interrupting their ability to plot”, and hampers “their finances, their ability to pay people.” In fact, many Syrian recruits, who joined Cyber Caliphate / ISIS to escape Syria’s 57.7% unemployment rate, have recently defected due to the loss of the $400-1200 monthly wage (determined by number of dependents). These members initially joined because the Syrian army salary starts at $63 per month and its opposition, the FSA, pays fighters $36 per month. Directing Cyber Command against Cyber Caliphate / ISIS will expand the military’s reach without sending more troops into the region. Carter agrees, stating, “We are thinking more strategically about shifting our response-planning from fighting a war to also providing decision makers with options to deter and forestall a conflict before it begins.” The media refers to these cyber attacks as “cyber bombs”; however, that term is fraught with ambiguity and elevated expectations.
The cyber attacks that the United States conducts against adversarial systems are not point-and-fire missiles or cataclysmic devices. In many cases, the “cyber bombs” that the American government is using against Cyber Caliphate / ISIS and other targets consist of a layered combination of basic off-the-shelf commercial products and advanced proprietary (and often classified) systems made for the exclusive use of our defense, intelligence, and law enforcement communities. More frequently, “cyber bomb” or “cyber weapon” refers to a collection of hardware and software and the knowledge of their potential uses against a given target. In most instances, unlike with a literal bomb, our cyber warfare forces do not want the enemy to be aware that their system is compromised. That means no catastrophic fallout and no flashy delivery. The efforts against ISIS likely begin with distributed denial of service (DDoS) attacks that overload the adversary’s servers with a large amount of traffic to prevent legitimate use. When ISIS cannot access its servers or systems, it has a more difficult time communicating, deploying resources, and recruiting. The United States has also begun a counter-propaganda campaign focused on promoting voices in the region that dispute ISIS lies and deceptive claims on social media. There are now five times as many anti-ISIS channels on social media as pro-ISIS ones. By undermining the fundamentalist message, recruitment into the group plummets and additional resources must be applied to draw in a steady influx of fresh recruits. The campaign causes locals and potential recruits to see alternatives to terrorism, such as faith in the democratic process, as rewarding. Further, defeating ISIS’s messaging machine on the cyber warfare battlefield discourages other groups like Al Qaeda, Al Shabaab, and Boko Haram from further developing their cyber warfare capabilities.
As a result of the campaign, ISIS recruitment accounts have demonstrably fewer followers and tweet less frequently than in the past. The jihadists have also had to migrate to different, less trafficked platforms such as Telegram and secure messengers to convey their propaganda undisturbed. Some followers have even left ISIS due to an awakened disillusionment with its ideology and the discriminatory practices in the organization. ISIS pays Syrian members far less than it pays European or Gulf militants. Some campaigns remind recruits that the organization’s beliefs are un-Islamic, inhuman, and hypocritical. Further, some members are abandoning the cause because they are convinced that it is losing.
Military strategic cyber warfare and cyber attacks are not simple endeavors. Technological experts, military strategists, researchers, political analysts, lawyers, and military experts are required for such a campaign to develop tools and tactics and to ensure that the strategy aligns with national interests, follows national and international laws and treaties, and addresses the threat. Intelligence and counterterrorism efforts, led by the NSA or GCHQ for example, might routinely collect real names, user IDs, network addresses, IP addresses, online chat logs, and other data from across the internet using classified and unclassified methods, in order to establish interconnections and inferences about potentially alarming online activity. Afterward, specific threat actors can be monitored in greater detail. The agency can use the information to arrest suspects, issue fake instructions to militants, or otherwise disrupt malicious activities. Cyber warfare against critical infrastructure must be planned and coordinated, so the aforementioned intelligence efforts can identify and monitor such campaigns before any harm is realized. However, the increasing ubiquity of anonymization and secure communication mechanisms among malcontents may severely hamper law enforcement’s attempts to preclude incidents. Consequently, it is imperative that intelligence efforts keep current with the latest tools, tactics, procedures, applications, and channels. A strategy of creating backdoors in secure applications for the purpose of monitoring potential activity will not work: adversaries would simply avoid those channels, and the intentionally introduced vulnerability would have catastrophic impacts on national security once adversaries figured out how to exploit it. The only solution is to remain technologically more advanced than the adversary.
In some instances, advanced cyber warfare may include customized software created to limit adversarial activity. Consider the Stuxnet malware that the United States and Israel allegedly used against Iranian nuclear facilities in April 2010. Stuxnet targeted Siemens industrial control systems (ICS) in developing nations such as Iran (~59%), Indonesia (~18%), and India (~8%). It contained a programmable logic controller (PLC) rootkit designed to spy upon, subvert, and in some cases sabotage Siemens supervisory control and data acquisition (SCADA) systems that regulated specific industrial processes. Stuxnet caused the centrifuges used in the Iranian uranium enrichment facilities, equipment in oil production facilities, and other critical infrastructure systems to operate differently than intended without revealing the errors to the operator. John Miller (Cylance) noted, “While the capabilities to attack and affect critical infrastructure first came to public light during the Stuxnet attack on Iran in 2010, we have yet to encounter a serious attack on US infrastructure. The reason we have yet to encounter a serious CI attack has to do with offensive cyber warfare capabilities being primarily possessed by nation state actors, allowing federal authorities the ability to attribute a hack back to an attacking country and provide a proportional response, essentially ensuring mutual destruction.” Cyber terrorists are less concerned with retaliatory cyber attacks than nation states because terrorists have less critical infrastructure under their control. Their main limitation at the moment is a lack of technical personnel and a lack of sophisticated malware.
It is possible that the United States or one of its allies is employing similar, though likely much more sophisticated, malware against the refinery systems under ISIS control. It is equally likely that Russia, whose nation state APT groups focus on espionage and which has launched cyber-physical attacks in the past, has deployed malware against ISIS. Both nations must remain cautious and weigh their actions with extreme care to prevent ISIS from developing new, dangerous capabilities. At the very least, increased cyber pressure could cause the group to move deeper into secure messaging channels, or it could cause them to invest significant funds into developing offensive cyber warfare capabilities for retaliation. Worse, ISIS could discover the malware and dedicate resources to reverse engineering the code so that it could use the malware on other targets. How much harm could ISIS cause if it acquired a copy of the newest variant of the BlackEnergy malware?
On December 23, 2015, a Sandworm campaign against the Prykarpattya Oblenergo power plant in Ukraine caused a severe outage. More significant than the immediate loss of power, the threat actor demonstrated that the malware, which can be purchased on the dark web, can severely cripple a nation’s critical infrastructure as part of a cyber-physical campaign.
The BlackEnergy malware is available for purchase in cyber underground communities. The BlackEnergy toolkit features a builder application that generates the clients used to infect victim systems, server-side scripts to create C&C servers, and an interface for the attacker to communicate with their botnet. F-Secure comments that the toolkit is simple enough and convenient enough that anyone can build a botnet without possessing extensive technical skills. If ISIS has hackers of even remotely the same skill level as “TriCk”, then they likely could operate a copy of BlackEnergy.
The BlackEnergy malware originally appeared around 2007 as a tool to create botnets for distributed denial of service (DDoS) attacks. Plugins enabled the malware to be used to send spam emails or steal bank credentials. The most notorious application of the malware was its use in cyberattacks against Georgia during the Russo-Georgian conflict in 2008. Since then, criminals and advanced persistent threat actors have upgraded the malware at least twice. No matter the version, BlackEnergy has considerable capability to disrupt the availability of victim systems. Stuxnet, the malware to which BlackEnergy is most often compared, required unique knowledge of the specific target domain and environment. BlackEnergy requires no such knowledge to operate. The malware is simple and becomes easier to use as new variants are developed and disseminated.
The BlackEnergy toolkit contains a builder application that can be used to generate the clients that attackers use to infect victim systems. Server-side scripts in the toolkit can be used to set up command and control servers and to provide an interface for control of the bots. The simplicity and convenience of the toolkit allow anyone possessing the kit to build a botnet without any technical skills.
Around 2010, malicious threat actors rewrote the code for BlackEnergy according to a more professional development cycle. This second iteration was designed for simple use and scalability. It included a rudimentary installer and a modular structure. In 2011, the framework was updated with User Account Control (UAC) bypass installers to enable the malware to acquire elevated code execution privileges through the framework that Microsoft developed to enable legacy applications to work with newer versions of Windows. Essentially, the malware will only infect a system if the active user is a member of the local administrator group; otherwise, the malware attempts to bypass UAC either by relaunching itself as Administrator on Vista or by exploiting a backwards compatibility feature in later versions of Windows. In 2013, the second version of the malware was updated with 64-bit driver support.
In mid-2014, the third variant of BlackEnergy was discovered. As with the second version, malicious actors rewrote the BlackEnergy code to include more advanced features and a simpler and more efficient development structure. Due to its diverse and powerful set of plugins, BlackEnergy 3 is a powerful tool for cybercriminals and state-sponsored threat actors. Some researchers believe that this more advanced version was developed by a sophisticated state-sponsored group in an attempt to obscure their activity amongst the activity of numerous cybercriminals.
BlackEnergy 3 does not contain a driver, it uses a timestamp for its build ID, and it includes many sophisticated plugins. Its plugins are designed to hinder analysis of the malware in virtual environments, to incorporate anti-debugging techniques, and to kill the program if specific security features or countermeasures are detected. The plugins include a parasitic infector, a system information collector, a remote desktop client with the ability to view the screen of the infected host, a scanner for the networks connected to the victim, an update mechanism for the malware, and a module to “destroy” the victim system. The malware also includes the ability to enumerate file systems, to log keystrokes, to capture stored passwords, to take screenshots, to discover networks and execute code remotely, to list Windows accounts, and to query system hardware, BIOS, and Windows information. The malware also contains a wiper component, KillDisk, that removes the malware, and potentially all stored data, from the system. Some distributions of BlackEnergy 3 contain fake Microsoft digital certificates. Digital certificates are used to sign software code so that its origin can be authenticated and any alteration or corruption detected. The fake certificates reduce trust in the system and suggest development by a sophisticated threat group.
In March 2015, multiple Ukrainian state institutions received a spear-phishing email allegedly from the Supreme Council of Ukraine. The email contained a malicious XLS attachment with a macro in it. If the document was opened, the macro executed and created a dropper for either BlackEnergy 2 or BlackEnergy 3. Once the attackers infected a network, they compromised a web server and established a beachhead for a persistent presence. The establishment and maintenance of the beachhead relied on freely available tools for creating web shells, for tunneling, and for SSH servers. The spear-phishing emails contained an SMTP header that pointed to the IP address and the name of the mail server used to launch the campaign. The attacks in December 2015 followed the same attack chain, except that the malicious attachment in the spear-phishing email was an Excel spreadsheet. The SMTP header matched that of the previous attacks, and the energy sector was a target in both campaigns.
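A defender-side triage of the two pivots this paragraph describes, the originating mail server recorded in the SMTP headers and the macro-capable spreadsheet lure, as an added Python example that is not part of the original report. The relay hostname, IP address and message contents are constructed placeholders, since the page does not give the real header values.

```python
import re
from email import message_from_string
from email.policy import default

# Hypothetical indicator from an earlier campaign; the page gives no real header values.
KNOWN_RELAY = {"host": "mail.example-relay.test", "ip": "203.0.113.10"}
# Office extensions whose formats can carry VBA macros (.xls is the lure named in the text).
MACRO_CAPABLE = {"xls", "xlsm", "xlam", "doc", "docm"}

# Constructed sample lure (not a real message): placeholder hosts/IPs; base64 is an OLE header stub.
SAMPLE_MAIL = """\
Received: from mail.example-relay.test (mail.example-relay.test [203.0.113.10])
 by mx.victim.test with ESMTP id 1; Tue, 10 Mar 2015 09:12:33 +0200
From: "Supreme Council" <info@rada.example.test>
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/vnd.ms-excel; name="schedule.xls"
Content-Disposition: attachment; filename="schedule.xls"
Content-Transfer-Encoding: base64

0M8R4KGxGuEAAAAAAAAAAAAAAAAAAAA=
--b1--
"""

# Matches "from <helo-name> (<rdns> [<ip>])" as most MTAs write the Received: line.
RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\((?:\S+\s+)?\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def originating_relay(raw):
    """(host, ip) of the first hop: the last Received: header is the oldest one."""
    msg = message_from_string(raw, policy=default)
    for hop in reversed(msg.get_all("Received") or []):
        m = RECEIVED_RE.search(str(hop))
        if m:
            return m.group(1), m.group(2)
    return None

def macro_capable_attachments(raw):
    """Filenames of attachments whose format can carry a macro."""
    msg = message_from_string(raw, policy=default)
    names = [p.get_filename() or "" for p in msg.iter_attachments()]
    return [n for n in names if n.lower().rsplit(".", 1)[-1] in MACRO_CAPABLE]

def triage(raw, known_relay=KNOWN_RELAY):
    # Flag the two pivots the text describes: a reused relay and a macro-capable lure.
    findings = []
    relay = originating_relay(raw)
    if relay and (relay[0] == known_relay["host"] or relay[1] == known_relay["ip"]):
        findings.append(f"relay reused from earlier campaign: {relay[0]} [{relay[1]}]")
    findings += [f"macro-capable attachment: {n}" for n in macro_capable_attachments(raw)]
    return findings
```

Matching on the first-hop relay rather than the forged From: address is what lets the March and December 2015 lures be tied together even though the sender names differ.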
In December 2015, BlackEnergy 3 was deployed against the Prykarpattya Oblenergo and Kyivoblenergo energy facilities in Ukraine. Trend Micro also reports that the malware was deployed against mining and rail facilities as part of the same campaign. All of the samples exhibited the same functionality and communicated with the same command and control (C2) server. The attacks coincided with Russian military activity in the region. While security firms such as F-Secure have attributed the activity to the Quedagh (aka Sandworm) group, the attribution is not definitive. This group, which may be sponsored by the Russian government, conducts politically oriented attacks. Though the malware might have been developed by Quedagh, it is currently being used and distributed by multiple criminal and espionage groups. It is possible that Quedagh sells its services to the state sponsor and is otherwise free to sell its malware or conduct other operations. It is also possible that the malware was obtained from an infection or a compromised server and then distributed. In either case, the developer may have allowed the spread of the malware to complicate attribution attempts.
One theory of the December 2015 campaign is that the malware was intended to destabilize Ukraine by massive and persistent disruption of its power, mining, and transport infrastructure. Another possibility is that the adversaries deployed the malware against numerous critical infrastructure systems in order to identify which ones were the most susceptible to infection. It is also possible that the actors were just testing the capabilities of the malware before selling it or deploying it elsewhere.
The BlackEnergy malware does not solely target SCADA systems. It threatens systems and organizations in all sectors – public and private. The first two versions of BlackEnergy were used to steal confidential information. In the 2015 attacks, BlackEnergy 3 also disrupted the operation of the Ukrainian power grid. Unlike Stuxnet, the malware is simple to use and easy to acquire and modify.
ISIS could use the BlackEnergy malware to conduct disruptive attacks on ICS or SCADA systems, and thereby disrupt critical services in target regions. Moreover, the malware has a significant impact on affected systems, is easy to operate, and is available for purchase on certain dark web forums. If pressure from its opponents or other factors motivated ISIS to acquire the malware, it could readily launch a devastating attack while also conducting physical attacks or while layering other cyber warfare components into the campaign.