Cyber Warfare - in the context of MMI
Asymmetric Warfare - the evolution of conflict
Alternative title 1: Spy vs Spy
Alternative title 2: What is old – is new again
Mattias Almeflo, Principal Security Consultant
31/08/2019
Slide 5: Mattias Almeflo, the professional
Years on the timeline: 2010, 2016, 2017, 2018
• Systems Integrator | Information Security Architect | Team Leader: IT security, systems engineering, team leadership
• 2018: Principal Security Consultant, Senior Information Security Architect, specializing in military security frameworks
• Team Leader | Information Security Architect: part of the founding team of Saab Cyber Security Division
• Thesis Worker | Software Developer: databases, .NET software development
NIXU PUBLIC | NOT EXPORT CONTROLLED | CUSTOMER UNCLASSIFIED. References per slide, at the end.
Slide 6: Mattias Almeflo and the domains of warfare
• 2010 – 2013: Created the Secure Operating Environment (SOE) for the Swedish armed forces
• 2013 – 2015: Windows Security in L16 Backbone
• 2015 – 2016: Docker Security in naval systems
• 2016 – 2017: R&D Defensive Cyber Warfare
• 2017 – : Development Environments
Slide 7: The complexity of the domain is staggering
And my areas of focus (picture)
Slide 8: Nixu, trusted go-to partner for cybersecurity services (Finland, Sweden)
Vision: Keeping the digital society running
Mission: Be the best workplace for cyber security specialists
• Founded in 1988, publicly listed 2014
• Approx. 400 cyber security specialists
• 11 locations: Finland, Sweden, Netherlands, US, Denmark, Romania, Australia and more
• 98% of our clients recommend Nixu
• Cyber security services from board decisions to deep forensic investigations
Slide 9: ”There is no security without a threat model, only paranoia.”
Slide 10 (picture)
Slide 11 (picture)
Slide 12: Two types of threats
Non actor driven (not antagonistic) threat
• Possible, unwanted event with a negative outcome for operations, which isn’t caused by a human actor’s deliberate actions.
• Generally speaking, non-antagonistic threats can be divided into three (3) categories:
  • Natural phenomena (natural disasters, disease)
  • Site security related threats (fire, locks, alarms, accidents etc.)
  • Errors in technical systems (bugs, malfunction)
  • Non-intentional actions by human actors (accidents, negligence)
  • Loss of device, incorrect or careless handling of info
Slide 13: Two types of threats
Actor driven (antagonistic) threat
• Threat driven by an actor in the form of an individual, group, network, organisation, state etc.
• Actor driven threats are normally intentional.
Slide 14: Military doctrine
It is a guide to action, rather than hard and fast rules
"Fundamental principles by which the military forces guide their actions in support of objectives. It is authoritative but requires judgement in application"
- NATO's definition of doctrine, used unaltered by many member nations.
Slide 15: The five (5) domains of war
Doctrines are old and tend to change slowly
Timeline (2000 BC to 2000 AD) of the domains and the technologies that opened them:
1. LAND: Human energy (infantry: 2500-1500 BC); Animal energy (cavalry: 865-860 BC); Mechanical kinetic energy (catapults: 300 BC, crossbows: 1337-1521, handguns: 1500, revolvers: 1836, Gatling gun: 1860); Mechanical energy with fuel (trains: 1861, cars: 1899, tanks: 1916 ”WW1”)
2. NAVAL: Ships (300 BC); American Turtle (1775); Steam/motor boats (1810-1910); Submarines (1941 ”WW1”)
3. AIR: Balloons & airplanes (1911)
4. SPACE: Space (1962)
5. CYBER: Cyber (1996)
Slide 16: The Concept of Fifth Dimension Operations
22 years in the making
“We are approaching the end of the first decade of weaponized malware”
- Francis deSouza, 2013
“The physics of cyberspace are wholly different from every other war domain.”
- Joshua Corman, a cybersecurity fellow at the Atlantic Council, 2018
Slide 17: The Intelligence Community – Espionage et al.
Military Intelligence
• India (Chanakya, 321–297 BC)
• China (Sun Tzu, 512 BC)
Modern espionage techniques
• England (Walsingham, 1532)
• Russia (the Bureau of Information, 1682)
From a state perspective (anno 1900)
• Military Intelligence
• Naval Intelligence
• Civil intelligence agencies
Intelligence gathering disciplines: HUMINT, GEOINT, MASINT, OSINT, SIGINT (COMINT, ELINT, FISINT (TELINT)), TECHINT, CYBINT/DNINT, FININT
Espionage / HUMINT sources: friendly accredited diplomats; military attachés; Non-Governmental Organizations; patrolling; prisoners of war or detainees; refugees; strategic reconnaissance; traveler debriefing
Slide 18: Cyber: SIGINT at rest vs. HUMINT in motion
The Rise of Computer Network Operations as a Major Military Innovation…
Who “owns” cyber in the IC
Slide 19: Espionage’s most valuable resource is data
Slide 20: Grey is the new black
covert action and implausible deniability
Covert action, old school
• plausibly deniable intervention in the affairs of others
• the sponsor's hand is neither apparent nor acknowledged.
Covert action fit for the twenty-first century
• embracing implausible deniability (an open secret) and the ambiguity it creates
• unacknowledged interference in the affairs of others.
Slide 21: The evolution of state sponsored conflict (war)
Asymmetric warfare “below this line…” (picture)
Slide 22: The evolution of state sponsored conflict (war)
Asymmetric warfare below this line… (picture)
Slide 23: Cyber Trumps Terrorism as Priority Threat #1
In January 2016, James Clapper (Director of National Intelligence, USA) said that "in 2013, 'cyber' bumped 'terrorism' out of the top spot on our list of national threats".
Slide 24: Geopolitics - An overlooked influencer in Cyber Ops
Rising tensions between NATO, EU and RU
• Baltic Sea, Crimea and Arctic of great geo-economical and security strategic interest
• Hybrid warfare strategy; blends conventional warfare, irregular warfare and cyber warfare; “Green Little Men” and “Internet Trolls” etc.
Information Operations against the Nordics and Nordic companies - a part of the strategy
Slide 25: Geopolitics - An overlooked influencer in Cyber Ops
China: The Belt and Road Initiative
• Strengthen the political and cultural influence of the Chinese state
• Ultimately, the ambition is to help make China an alternative global “civilizational” reference point to the United States.
Slide 26: No friendly services
“there are friendly nations, but no friendly intelligence services”
- Raymond Rocca (deputy chief of CIA counterintelligence, 1972)
Slide 27: Advanced persistent threat (APT)
All developed countries have operational APT capability today
• operate covertly and are very skillful in covering their digital footprints
• not concerned with abiding by computer crime laws for whichever country they are launching operations against
• only concerned with collecting strategically valuable information by whatever electronic means are possible
Slide 28: APT groups aka advanced threat actors
Advanced Persistent Threat groups came to light in 2013
Currently the ATT&CK framework has 86 different threat actors in its catalogue.
• Roughly 50% of the threat actors are attributed to countries
• 23 are presumed to be Chinese-based
• 10 are presumed to be Iranian-based
• 7 are presumed to be Russia-based
• 3 are presumed to be North Korea-based
Slide 29: The Definition / Scope
Attacks related to the fifth domain of war (aka cyber conflict)
• Geopolitical or financial relevance
• Nation state actors (Intelligence Community)
Slide 30: The Definition / Scope (picture)
Attacks related to the fifth domain of war (aka cyber conflict)
Slide 31: Four defining attacks in the realm of cyber
A lot of attacks don’t meet the selection criteria…
NotPetya, Stuxnet, Cloud Hopper, QinetiQ (picture, labelled “old school” and “twenty-first century”)
Slide 32: 01. Stuxnet
“patient zero”
• Stuxnet is not a traditional malware
• It was the first “special forces” of cyber warfare
• It is a hybrid of Worm, Trojan horse, Rootkit and Virus
Slide 33: 01. Stuxnet
“patient zero”
It was built to do 4 steps:
• Spread/Infiltrate: like a worm and/or a virus using a Trojan
• Discover target machine/system
• Destroy/Disrupt the target (Iran's centrifuges)
• Evade detection
Slide 34: 01. Stuxnet
“patient zero”
• Built specifically to disrupt/destroy or at least slow down Iran's nuclear program
• The most complicated, advanced and efficient malware written at that time
• It was almost 20 times more complex than any other previous malware
Slide 35: 01. Stuxnet
“patient zero”
Stuxnet in the wild
• Stuxnet 0.5 was found in the wild in 2007; its Command & Control servers had been active since 2005
• Stuxnet 1.0 was found in 2010 when it went active in Iran, targeting a specific plant.
• It was presumed dormant as of 2012 but resurfaced to spy on USA-Iran talks in 2014-2015
Slide 36: Lessons Stuxnet
• ”Offline” is definitely not secure by itself
• Software can cause real world, physical damage
• You need to share intel and pool resources internationally
• Monitoring has to be protected / integrity matters
• USB memory sticks are merely very unprotected high latency networks (sneaker/walk net)
Slide 37: USB Peripherals
The weapon of choice
For more than a decade (10 years!) USB peripherals have been used as innocuous cyber weapons.
Today weaponized USB is so common that you can either buy it “over-the-counter” or build your own with source code from GitHub and YouTube videos.
Slide 38: 02. QinetiQ North America Attack
Military R&D on steroids
QinetiQ is “a privatised version of DARPA”; in the UK it actually IS the privatised version of DERA (the UK’s DARPA)
The 2011 Anonymous hack of HBGary showed
• that defence contractor QinetiQ suffered a massive breach of classified data over four years (2006-2010) which may have leaked advanced military secrets to China's military
• QinetiQ lost terabytes of classified data
• Threat actors targeted advanced drone and robotics technology and compromised hundreds of machines in QinetiQ’s facilities all over the US, including St. Louis, Mississippi, Alabama and New Mexico
Slide 39: 02. QinetiQ North America Attack
Military R&D on steroids
They were notified by third parties several times
• 2007: Naval Criminal Investigative Service notifies
• 2007: NASA tells QinetiQ that NASA is being attacked by one of QinetiQ’s computers
Slide 40: 02. QinetiQ North America Attack
Military R&D on steroids
A 2008 IR report states that
• QinetiQ’s corporate network could be accessed using unsecured Wi-Fi from a car park outside a facility in Waltham, Massachusetts
• The software installed by HBGary to monitor for malicious activity wouldn’t function properly and was deleted by many employees because it apparently used too much processing power.
• The investigators even found evidence that Russian hackers had been stealing QinetiQ secrets for over two years through a compromised PC belonging to a secretary
Slide 41: Lessons QinetiQ
• Exfiltration was made in small packets to evade detection by traditional filters.
• QinetiQ never saw the whole picture because the firm continued to treat incidents in isolation despite it happening “all the time” for several years.
• No 2FA (only username/password or soft tokens)
• No adequate detection/monitoring
• No separation between Wi-Fi / LAN
• No separation inside the LAN
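The two QinetiQ lessons above (small transfers that slip past per-flow filters, and incidents looked at in isolation) can be shown on data. The script below is an added example, not from the slides or from any QinetiQ investigation: it runs a per-flow size filter and a per-(src, dst) time-window aggregation over constructed flow records (hosts, addresses and byte counts are made up) and shows which view surfaces the low-and-slow transfer.

```python
"""Low-and-slow exfiltration: per-flow size filter vs. per-pair aggregation.

Added example, not from the slides. The flow records are constructed
(hosts, addresses and byte counts are made up) in the shape
'timestamp,src,dst,bytes' that a simplified NetFlow or proxy export might give.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def build_sample_flows():
    """Constructed one-day sample: a low-and-slow exfiltration, ordinary
    browsing-sized traffic, and one large but expected backup upload."""
    base = datetime(2019, 8, 30, 0, 0, 0)
    lines = []
    # 10.0.5.17 sends ~50 KB to one external host every 30 minutes: each
    # transfer is far below any per-flow alarm, but there are 48 of them.
    for i in range(48):
        ts = base + timedelta(minutes=30 * i)
        lines.append(f"{ts.isoformat()},10.0.5.17,203.0.113.9,{50000 + (i % 7) * 250}")
    # Background noise: five office hosts, three web sites, 3-23 KB per flow.
    for i in range(60):
        ts = base + timedelta(minutes=20 * i + 7)
        src = f"10.0.5.{10 + i % 5}"
        dst = f"198.51.100.{20 + i % 3}"
        lines.append(f"{ts.isoformat()},{src},{dst},{3000 + (i * 97) % 20000}")
    # One 8 MB nightly backup upload from a single host.
    ts = base + timedelta(hours=2)
    lines.append(f"{ts.isoformat()},10.0.5.20,198.51.100.5,8000000")
    return lines


def parse_flows(lines):
    """Parse 'timestamp,src,dst,bytes' lines into dicts; skip malformed ones."""
    flows = []
    for line in lines:
        parts = line.strip().split(",")
        if len(parts) != 4:
            continue
        ts, src, dst, nbytes = parts
        flows.append({"ts": datetime.fromisoformat(ts), "src": src,
                      "dst": dst, "bytes": int(nbytes)})
    return flows


def per_flow_alerts(flows, max_bytes=1_000_000):
    """The 'traditional filter': alert on any single flow above max_bytes.
    Small transfers never trip it, which is what the attackers relied on."""
    return [f for f in flows if f["bytes"] >= max_bytes]


def aggregate_alerts(flows, window_hours=24, max_bytes=2_000_000):
    """The 'whole picture' view: sum bytes and count flows per (src, dst) pair
    inside tumbling windows of window_hours (measured from the earliest
    record) and alert when a pair's total crosses max_bytes."""
    if not flows:
        return []
    origin = min(f["ts"] for f in flows)
    span = timedelta(hours=window_hours)
    totals = defaultdict(lambda: {"bytes": 0, "flows": 0})
    for f in flows:
        bucket = (f["ts"] - origin) // span      # timedelta // timedelta -> int
        key = (f["src"], f["dst"], bucket)
        totals[key]["bytes"] += f["bytes"]
        totals[key]["flows"] += 1
    alerts = []
    for (src, dst, bucket), agg in sorted(totals.items()):
        if agg["bytes"] >= max_bytes:
            alerts.append({"src": src, "dst": dst, "window": bucket, **agg})
    return alerts


if __name__ == "__main__":
    flows = parse_flows(build_sample_flows())
    show = lambda alerts: [(a["src"], a["dst"], a["bytes"]) for a in alerts]
    print("per-flow filter:", show(per_flow_alerts(flows)))
    print("hourly windows: ", show(aggregate_alerts(flows, window_hours=1)))
    print("daily windows:  ", show(aggregate_alerts(flows)))
```

With hourly windows the analyst sees only the backup upload, exactly the "incident in isolation" view; the 24-hour window is the first one in which the 48 small transfers add up to an alert.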
Slide 42: Lessons QinetiQ
“There was virtually no place we looked where we didn’t find them.”
Threat Intelligence might help…
• 30 defence contractors targeted in 2007
Slide 43: 03. Cloud Hopper
"thought to be one of the largest ever sustained global cyber espionage campaigns in an operation."
The mother of all Upstream Attacks, 2014-2016
• The Target breach in 2013 affected 41 million customer payment card accounts along with contact information for more than 60 million Target customers
Slide 44: 03. Cloud Hopper
"thought to be one of the largest ever sustained global cyber espionage campaigns in an operation."
In 2017, PwC UK stated that Cloud Hopper impacted multiple organizations in North America, Europe, South America, and Asia
Cloud Hopper targets Service Providers (cloud infrastructure)
• Managed Service Providers (MSP)
• United Kingdom (U.K.), United States (U.S.), Japan, Canada, Brazil, France, Switzerland, Norway, Finland, Sweden, South Africa, India, Thailand, South Korea, and Australia
Slide 45: 03. Cloud Hopper
"thought to be one of the largest ever sustained global cyber espionage campaigns in an operation."
The targets were not the MSPs but their clients
• Industries affected include those in engineering, industrial manufacturing, retail, energy, pharmaceuticals, telecommunications, and government agencies.
• Massive exfiltration of data
Over 70 variants of backdoor families and Trojans were involved in the Cloud Hopper campaign.
• Spear phishing…
Slide 46: 03. Cloud Hopper
"thought to be one of the largest ever sustained global cyber espionage campaigns in an operation."
Anti-virus is not enough and network detection is lacking
• Out of 300 defined IOCs there are still 69 that no anti-virus software currently detects
Data was moved upstream with valid (stolen) credentials.
Slide 47: Lessons Cloud Hopper
"thought to be one of the largest ever sustained global cyber espionage campaigns in an operation."
• Attacked ”everyone”, not just defence contractors…
• Used for further infiltration
• Outsourcing is very risky
• Efficiency is NOT balanced with security when facing nation state actors
• No 2FA
• The target’s monitoring doesn’t catch the up-stream attack (out of scope)
The lessons are ongoing, but if you are Swedish a good start is to read the unprecedented FRA report: ”Åtgärdsförslag - Angrepp via tjänsteleverantörer”
Slide 48: 04. WannaCry, Petya, NotPetya
“To date, it was simply the fastest-propagating piece of malware we’ve ever seen”
A month after the debut of WannaCry, NotPetya hit the world
• using the same EternalBlue weakness (+ Mimikatz/pass-the-hash) to spread within corporate networks, but without being able to jump from one network to another.
• NotPetya was seeded to victims through a hacked version of a major accounting program widely used in Ukraine.
Slide 49: 04. NotPetya - Wiperware
"In June 2017, the Russian military launched the most destructive and costly cyberattack in history"
More than $10 billion in total damages
• Maersk (shipping industry)
  • Every 15 minutes a Maersk ship docks somewhere in the world
  • 250-300 million USD in losses
  • 10 days blitz: 4000 servers, 45000 PCs & 2500 apps all rebuilt
  • 20% drop in productivity
  • 2 months 24/7 to rebuild Maersk’s software setup
Slide 50: Lessons NotPetya
Further losses:
• Merck (pharmaceutical company)
  • 870 million USD in losses
  • Staff not allowed to work
• FedEx/TNT Express (postal/shipping industry)
  • 400 million USD in losses
Lessons:
• Be wary of doing business in war zones, even if they’re not ”hot”
• Do you know where all parts of your network are geographically located?
• Patch your systems
• Use 2FA (at least for critical systems)
• Separate email from critical systems
• Network segmentation is a good thing
• Have manual routines that work
• Offline, off-site backup is a good thing
Slide 51: The Force Multipliers
or “how to fight the war from the trenches”
Technical Controls
• Strong authentication (two factor: smart cards, YubiKey, SMS etc.)
• Separation (physical and logical)
• Security logging
• White/black listing
• SANS Critical Security Controls / CIS 20
Slide 52: Help Wanted!
Engineering
• Know your network
• Documentation vs Implementation
• Threat modeling
• Crown Jewels
• Think in graphs
• Not everything is equal
People
• Relationships matter
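The engineering list above (know your network, documentation vs implementation, crown jewels, think in graphs) together with the separation lessons from the QinetiQ and NotPetya slides can be turned into a reachability check over a graph of the network. The script below is an added example, not from the deck; the zone names, edges, entry points and cut lists are a constructed model, and an edge means that traffic may be initiated from the source zone to the destination zone under the firewall/VLAN policy.

```python
"""Crown-jewel exposure as a reachability question over the network graph.

Added example, not from the slides. Zone names, edges and cut lists are a
constructed model; an edge src -> dst means 'src may initiate traffic to dst'.
"""
from collections import deque

# Documented policy of a flat network with the weaknesses the QinetiQ and
# NotPetya slides list: guest Wi-Fi bridged to the LAN, no separation inside
# the LAN, mail workstations on the same segment as the OT engineering host.
FLAT_NETWORK = {
    "guest_wifi": ["office_lan"],
    "office_lan": ["mail_ws", "file_srv", "scada_eng"],
    "mail_ws": ["office_lan", "file_srv", "scada_eng"],
    "file_srv": ["office_lan", "backup_srv"],
    "scada_eng": ["plc_net"],
    "plc_net": [],
    "backup_srv": [],
}
CROWN_JEWELS = {"plc_net", "backup_srv"}
# Where an intrusion plausibly starts: car-park Wi-Fi, or a phished mailbox.
ENTRY_POINTS = {"guest_wifi", "mail_ws"}

# Two rounds of the controls from the lessons slides (constructed).
PARTIAL_CUTS = [("guest_wifi", "office_lan"),   # separate Wi-Fi from LAN
                ("mail_ws", "scada_eng"),       # separate email from critical systems
                ("mail_ws", "file_srv")]
FULL_CUTS = PARTIAL_CUTS + [("office_lan", "scada_eng"),  # segment inside the LAN
                            ("file_srv", "backup_srv")]   # backups are pulled; nothing pushes to them


def reachable(graph, start):
    """Breadth-first search: every node that 'start' can initiate a path to."""
    seen, queue = set(), deque([start])
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(start)
    return seen


def exposure(graph, entry_points=ENTRY_POINTS, crown_jewels=CROWN_JEWELS):
    """For each crown jewel (sorted by name), the sorted entry points that can
    reach it. An empty list means no modelled entry point has a path to it."""
    return {jewel: sorted(e for e in entry_points if jewel in reachable(graph, e))
            for jewel in sorted(crown_jewels)}


def segment(graph, cuts):
    """Return a copy of graph with the given (src, dst) edges removed."""
    cut_set = set(cuts)
    return {node: [d for d in dsts if (node, d) not in cut_set]
            for node, dsts in graph.items()}


def undocumented_edges(documented, observed):
    """Documentation vs implementation: edges seen in practice that the
    documented policy does not allow, sorted for stable reporting."""
    doc = {(s, d) for s, dsts in documented.items() for d in dsts}
    obs = {(s, d) for s, dsts in observed.items() for d in dsts}
    return sorted(obs - doc)


# Constructed 'observed' graph: what a scan or flow data actually shows.
OBSERVED_NETWORK = {k: list(v) for k, v in FLAT_NETWORK.items()}
OBSERVED_NETWORK["file_srv"].append("scada_eng")   # a forgotten ACL exception


if __name__ == "__main__":
    print("flat network exposure:      ", exposure(FLAT_NETWORK))
    print("after partial cuts:         ", exposure(segment(FLAT_NETWORK, PARTIAL_CUTS)))
    print("after full cuts:            ", exposure(segment(FLAT_NETWORK, FULL_CUTS)))
    print("undocumented edges:         ", undocumented_edges(FLAT_NETWORK, OBSERVED_NETWORK))
    print("full cuts on observed graph:", exposure(segment(OBSERVED_NETWORK, FULL_CUTS)))
```

The partial round shows why cutting the direct email-to-OT edge is not enough: the mail workstation still reaches the PLC network transitively through the office LAN, and the single undocumented edge reopens a path that the full cut list was meant to close.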
Slide 53: "Ask not what your government can do for you, but what you can do for your government"
- John F. Kennedy
Give me your feedback! via the event mobile app
Slide 54: Credits and prior art 1/11
"discovering truth by building on previous discoveries"
Me, Myself & I
S05-08: Saab, the corporation video (6 min) - https://www.youtube.com/watch?v=2KsdPHsgR9Q
S05-08: The domains of war - https://saab.com/land/, https://saab.com/air/, https://saab.com/naval/, https://en.wikipedia.org/wiki/Cyberwarfare
S05-08: LinkedIn Cyber Security Domain Map - https://www.linkedin.com/pulse/map-cybersecurity-domains-version-20-henry-jiang-ciso-cissp
S05-08: Nixu Oy at 600Minutes Information and Cyber Security 2017 (Spotlight) - This is Nixu - https://www.youtube.com/watch?v=pwIIJnZ8pHo
Threat models
S09-10: Cybergibbons on threat models - https://twitter.com/cybergibbons/status/1010981698593591296
S11: TheGrugq on threat models - https://twitter.com/thegrugq/status/864023197145944064
Two types of threats
S12-13: H SÄK Grunder, 2013 - https://www.forsvarsmakten.se/siteassets/4-om-myndigheten/dokumentfiler/handbocker/h-sak-grunder.pdf
S12-13: IT-Säkerhetsarkitektur, 2015 - https://www.svk.se/siteassets/aktorsportalen/sakerhetsskydd/dokument/vagledning-it-sakerhetsarkitektur-final.pdf
S12-13: Picture - https://krypt3ia.files.wordpress.com/2018/06/espionge-in-the-modern-age-of-information-warfare.pdf
Military doctrine
S14: Wikipedia - Military Doctrine - https://en.wikipedia.org/wiki/Military_doctrine
S14: Doctrine – Military usage - https://en.wikipedia.org/wiki/Doctrine#Military_usage
The five (5) domains of war
S15: Cyber – the fifth domain of war - https://www.economist.com/news/briefing/16478792-are-mouse-and-keyboard-new-weapons-conflict-war-fifth-domain
S15: Is War in the Sixth Domain the End of Clausewitz? - http://blogsofwar.com/is-war-in-the-sixth-domain-the-end-of-clausewitz/
S15: History of infantry warfare - https://en.wikipedia.org/wiki/Infantry
S15: History of cavalry warfare - https://en.wikipedia.org/wiki/Cavalry
S15: History of Catapults - https://en.wikipedia.org/wiki/Catapult
S15: History of Crossbows - https://en.wikipedia.org/wiki/Crossbow#History
S15: History of Handguns & Revolvers - https://en.wikipedia.org/wiki/Handgun#History, https://en.wikipedia.org/wiki/Revolver#History
S15: History of the Gatling gun - https://en.wikipedia.org/wiki/Gatling_gun#History
Slide 55: Credits and prior art 2/11
"discovering truth by building on previous discoveries"
The five (5) domains of war
S15: History of vehicle warfare - https://en.wikipedia.org/wiki/Armoured_train
S15: History of vehicle warfare - https://en.wikipedia.org/wiki/Armored_car_(military)
S15: History of tank warfare - https://en.wikipedia.org/wiki/Tank
S15: History of naval warfare - https://en.wikipedia.org/wiki/Navy
S15: History of submarine warfare - https://en.wikipedia.org/wiki/Submarine
S15: History of air warfare - https://en.wikipedia.org/wiki/Air_force
S15: Space warfare - https://en.wikipedia.org/wiki/Space_warfare
The Concept of Fifth Dimension Operations
S16: Fifth Dimension Operations - https://en.wikipedia.org/wiki/Fifth_Dimension_Operations
S16: Quote, Francis deSouza, RSA Conference US 2013 - http://privacy-pc.com/articles/symantecs-francis-desouza-on-building-a-higher-order-of-security-intelligence.html
S16: Quote, Joshua Corman - https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/
S16: Picture, Cyber war tag cloud - http://www.europarl.europa.eu/EPRS/EPRS-Briefing-542143-Cyber-defence-in-the-EU-FINAL.pdf
The Intelligence Community – Espionage et al.
S17: Author of The Arthashastra - https://en.wikipedia.org/wiki/Chanakya
S17: Author of the Art of War - https://en.wikipedia.org/wiki/Sun_Tzu
S17: Father of Modern espionage - https://en.wikipedia.org/wiki/Francis_Walsingham
S17: Defining European espionage scene - https://dailyhistory.org/How_Did_Spy_Services_Develop_in_Russia%3F
S17: History of espionage - https://en.wikipedia.org/wiki/History_of_espionage
S17: List of intelligence gathering disciplines - https://en.wikipedia.org/wiki/List_of_intelligence_gathering_disciplines
S17: Signals intelligence - https://en.wikipedia.org/wiki/Signals_intelligence
Cyber: SIGINT at rest vs. HUMINT in motion
S18: Perspectives on Intelligence Collection - https://www.afio.com/publications/CLARK%20Pages%20from%20AFIO_INTEL_FALLWINTER2013_Vol20_No2.pdf
S18: Twitter, The Grugq - https://twitter.com/thegrugq/status/974333937509007361
Slide 56: Credits and prior art 3/11
"discovering truth by building on previous discoveries"
Espionage’s most valuable resource is data
S19: PhD thesis (486 pages, worth it!), The IC’s role in the creation of a major military innovation - http://ebot.gmu.edu/bitstream/handle/1920/10613/Wiener_gmu_0883E_11318.pdf
S19: Data is the world’s most valuable resource - https://www.economist.com/leaders/2017/05/06/the-worlds-most-valuable-resource-is-no-longer-oil-but-data
Grey is the new black
S20: Grey is the new black: covert action and implausible deniability (18 pages) - https://academic.oup.com/ia/article/94/3/477/4992414
The evolution of state sponsored conflict (war)
S21-22: Picture - https://krypt3ia.files.wordpress.com/2018/06/espionge-in-the-modern-age-of-information-warfare.pdf
Cyber Trumps Terrorism as Priority Threat #1
S23: Quote, James Clapper - https://electrospaces.blogspot.com/2014/09/nsas-strategic-mission-list.html
Geopolitics - An overlooked influencer in Cyber Ops
S24-25: Picture - https://www.washingtonpost.com/world/russia-unnerves-its-neighbors/2014/11/23/ef79e1d0-738a-11e4-9c9f-a37e29e80cd5_graphic.html?utm_term=.4470722bc5ab
S24-25: Geopolitics: An Overlooked Influencer in Cyber Operations - https://www.recordedfuture.com/geopolitical-cyber-operations/
S24-25: Cyber war in perspective: Russian aggression against Ukraine (175 pages) - https://ccdcoe.org/uploads/2018/10/CyberWarinPerspective_full_book.pdf
S24-25: Made in China 2025, Explained - https://thediplomat.com/2019/02/made-in-china-2025-explained/
S24-25: Chinese geopolitics: continuities, inflections, uncertainties - http://www.cadtm.org/Chinese-geopolitics-continuities-inflections-uncertainties
S24-25: When the China dream and the European dream collide - https://warontherocks.com/2019/01/when-the-china-dream-and-the-european-dream-collide/
S24-25: New Silk Road calls for Rotterdam to take on a directing role - http://smart-port.nl/new-silk-road-calls-for-rotterdam-to-take-on-a-directing-role/
S24-25: How China is redrawing the map of world science - https://www.nature.com/immersive/d41586-019-01124-7/index.html
No friendly services
S26: The Ten Commandments of Counterintelligence - https://www.cia.gov/library/center-for-the-study-of-intelligence/kent-csi/vol45no5/html/v45i5a08p.htm
S26: Quote, Raymond Rocca - https://twitter.com/WylieNewmark/status/1165993444185116673
Slide 57: Credits and prior art 4/11
"discovering truth by building on previous discoveries"
Advanced persistent threat (APT)
S27: How nation-states and criminal syndicates use exploits to bypass security - https://www.slideshare.net/cisoplatform7/how-nationstates-and-criminal-syndicates-use-exploits-to-bypass-security
S27: Cyber war in perspective: Russian aggression against Ukraine - https://ccdcoe.org/uploads/2018/10/CyberWarinPerspective_full_book.pdf
S27: Congressional Research Service, North Korean Cyber Capabilities: In Brief - https://nsarchive2.gwu.edu/dc.html?doc=3986441-Congressional-Research-Service-North-Korean
S27: Kaspersky Lab, Lazarus Under the Hood - https://nsarchive2.gwu.edu/dc.html?doc=3673007-Document-07-Kaspersky-Lab-Lazarus-Under-the-Hood
S27: Huawei, 5G and China as a Security Threat - https://ccdcoe.org/uploads/2019/03/CCDCOE-Huawei-2019-03-28-FINAL.pdf
APT groups aka advanced threat actors
S28: MITRE ATT&CK Group pages - https://attack.mitre.org/groups/
S28: Mandiant/FireEye report about APT1 to US Congress which outed China (2013, Nov) - https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf
S28: 2013 Report to Congress of the U.S.-China Economic and Security Review Commission - https://www.uscc.gov/sites/default/files/annual_reports/Complete%202013%20Annual%20Report.PDF
The Definition / Scope
S29-30: Picture - https://www.nixu.com/sites/default/files/Nixu_CMD_deck_FINAL.pdf
01. Stuxnet & Lessons
S32-36: What type of malware is Stuxnet? - https://www.quora.com/What-type-of-malware-is-Stuxnet
S32-36: Spy Virus Linked to Israel Targeted Hotels Used for Iran Nuclear Talks - https://www.wsj.com/articles/spy-virus-linked-to-israel-targeted-hotels-used-for-iran-nuclear-talks-1433937601
S32-36: Stuxnet – an American and Israeli effort to undermine the Iranian nuclear program - https://www.nytimes.com/2012/06/01/world/middleeast/obama-ordered-wave-of-cyberattacks-against-iran.html
S32-36: Stuxnet Dossier - http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf
S32-36: Duqu - http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_duqu_the_precursor_to_the_next_stuxnet.pdf
S32-36: RSA 2013: Symantec shows proof that Stuxnet has been striking since at least 2007 - http://www.scmagazine.com/rsa-2013-symantec-shows-proof-that-stuxnet-has-been-striking-since-at-least-2007/article/281979/
S32-36: Duqu 2.0 - https://securelist.com/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/70504/
31/08/2019
Credits and prior art 5/11
"discovering truth by building on previous discoveries“
58 NIXU PUBLIC | NOT EXPORT CONTROLLED | CUSTOMER UNCLASSIFIEDRefences
1
2017-03-06: Trump, Putin, and the New Cold War
https://www.newyorker.com/magazine/2017/03/06/trump-putin-and-the-new-cold-war
“In 2008 (---) Russian hackers accomplished a feat that Pentagon officials considered almost impossible: breaching a classified network that wasn’t even connected to the public Internet.
Apparently, Russian spies had supplied cheap thumb drives, stocked with viruses, to retail kiosks near NATO headquarters in Kabul, betting, correctly, that a U.S. serviceman or woman would buy
one and insert it into a secure computer.”
2
2016-06-22: Say hello to BadUSB 2.0: A USB man-in-the-middle attack proof of concept
https://www.csoonline.com/article/3087484/security/say-hello-to-badusb-20-usb-man-in-the-middle-attack-proof-of-concept.html
“BadUSB 2.0 is an inline hardware implant capable of compromising USB fixed-line communications. It 'can eavesdrop, replay, modify, fabricate, exfiltrate data and BadUSB in one device.'”
3
2017-04-10: HIDden gem: Low-cost Digispark USB now quacks DuckyScript
https://www.nixu.com/blog/hidden-gem-low-cost-digispark-usb-now-quacks-duckyscript
“This allows you to use existing or custom DuckyScript payloads and convert those to Arduino sketches to run on Digispark compatible hardware. Download from GitHub: https://github.com/nixu-
corp/Dckuino.js or use the online version: https://nixu-corp.github.io”
“Cheaper alternatives (in the $15-$20 price range) exist, such as PJRC’s Teensy, which can count on support from several pen testing tools such as the Social Engineering Toolkit, Nikhil Mittal’s
Kautilya and Powershell Empire. Another viable alternative is the Arduino Micro, which just like the Teensy, comes as a circuit board with a female mini-B USB port. Its form factor is not exactly suitable
for fitting in a thumb drive enclosure, but hey, who needs one if you can hide your HID inside an ultra-cool USB-gadget of your choice? Another option is to put your 3D-printer at work.”
4
2014-07-31: Why the security of USB is fundamentally broken
https://www.wired.com/2014/07/usb-security/
“In this new way of thinking, you have to consider a USB infected and throw it away as soon as it touches a non-trusted computer.”
“"You can give it to your IT security people, they scan it, delete some files, and give it back to you telling you it’s 'clean,'" says Nohl. But unless the IT guy has the reverse engineering skills to find and analyze that firmware, "the cleaning process doesn’t even touch the files we’re talking about."”
5
2014-10-02: The Unpatchable Malware That Infects USBs Is Now on the Loose
https://www.wired.com/2014/10/code-published-for-unfixable-usb-attack/
"This was largely inspired by the fact that [SR Labs] didn't release their material. If you're going to prove that there's a flaw, you need to release the material so people can defend against it."
Credits and prior art 6/11
"discovering truth by building on previous discoveries"
S37: USB Peripherals - The weapon of choice
6
2013-10-29: Russia 'spied on G20 leaders with USB sticks'
http://www.telegraph.co.uk/news/worldnews/europe/russia/10411473/Russia-spied-on-G20-leaders-with-USB-sticks.html
“The USB pen drives and the recharging cables were able to covertly capture computer and mobile phone data,”
7
2013-12-29: Inside Tailored Access Operations (TAO) - Documents Reveal Top NSA Hacking Unit
http://www.spiegel.de/international/world/the-nsa-uses-powerful-toolbox-in-effort-to-spy-on-global-networks-a-940969.html
“TAO specialists have directly accessed the protected networks of democratically elected leaders of countries. They infiltrated networks of European telecommunications companies and gained access to and read mails sent over Blackberry's BES email servers, which until then were believed to be securely encrypted. Achieving this last goal required a "sustained TAO operation," one document states.”
“The technical term for this type of activity is "Computer Network Exploitation" (CNE). The goal here is to "subvert endpoint devices," according to an internal NSA presentation that SPIEGEL has viewed. The presentation goes on to list nearly all the types of devices that run our digital lives -- "servers, workstations, firewalls, routers, handsets, phone switches, SCADA systems, etc."”
8
2013-12-29: Shopping for Spy Gear - Catalog Advertises NSA Toolbox
http://www.spiegel.de/international/world/catalog-reveals-nsa-has-back-doors-for-numerous-devices-a-940994.html
Advanced or Access Network Technology (ANT)
“Another program attacks the firmware in hard drives manufactured by Western Digital, Seagate, Maxtor and Samsung, all of which, with the exception of the latter, are American companies. Here, too, it appears the US intelligence agency is compromising the technology and products of American companies.”
“Computer bugging devices disguised as normal USB plugs, capable of sending and receiving data via radio undetected, are available in packs of 50 for over $1 million.”
9
2015-01-17: The Digital Arms Race - NSA Preps America for Future Battle
http://www.spiegel.de/international/world/new-snowden-docs-indicate-scope-of-nsa-preparations-for-cyber-battle-a-1013409.html
“Even before NSA management massively expanded the ROC group during the summer of 2005, the department's motto was, "Your data is our data, your equipment is our equipment."”
“Among the data on "sensitive military technologies" hit in the attack were air refueling schedules, the military logistics planning system, missile navigation systems belonging to the Navy, information about nuclear submarines, missile defense and other top secret defense projects.
The desire to know everything isn't, of course, an affliction only suffered by the Chinese, Americans, Russians and British. Years ago, US agents discovered a hacking operation originating in Iran in a monitoring operation that was codenamed Voyeur. A different wave of attacks, known as Snowglobe, appears to have originated in France.”
Credits and prior art 7/11
S37: USB Peripherals - The weapon of choice
10
2014-11-03: An Unprecedented Look at Stuxnet, the World's First Digital Weapon
https://www.wired.com/2014/11/countdown-to-zero-day-stuxnet/
“Because the computers are air-gapped from the internet, however, they cannot be reached directly by the remote attackers. So the attackers have designed their weapon to spread via infected USB flash drives.”
11
2017-01-10: Inside a low budget consumer hardware espionage implant
https://ha.cking.ch/s8_data_line_locator/
“It can, e.g., be called to listen to a live audio feed from a small microphone within the device, as well as programmed to call back if the sound level surpasses a 45 dB threshold. The fact that the device can be repackaged in its sliding case, after configuring it, i.e. inserting a SIM, without any noticeable marks to the packaging suggests its use-case: covert espionage.”
12
2017-08-12: USB Devices Vulnerable to Crosstalk Data Leaks
https://www.bleepingcomputer.com/news/security/usb-devices-vulnerable-to-crosstalk-data-leaks/
"For the practical side of their research, scientists used a modified off-the-shelf plug-in lamp with a USB connector to log every key stroke from an adjacent USB keyboard. They then sent the data to another PC via Bluetooth."
13
2017-03-11: USG works like a firewall for USB connections
https://www.bleepingcomputer.com/news/hardware/this-device-works-as-a-firewall-for-your-usb-ports/
"[...] the recently released USG v1.0 only supports a data transfer speed of up to 1 MB/s, much inferior to commercial USB devices that work in the range of tens of MB/s. In addition, USG only supports USB mass storage (flash drives), keyboards, and mice"
14
2017-11-07: Linux Has a USB Driver Security Problem
https://www.bleepingcomputer.com/news/security/linux-has-a-usb-driver-security-problem/
"The 14 flaws are actually part of a larger list of 79 flaws Konovalov found in Linux kernel USB drivers during the past months. Not all of these 79 vulnerabilities have been reported, let alone patched. Most are simple DoS (Denial of Service) bugs that freeze or restart the OS, but some allow attackers to elevate privileges and execute malicious code."
Credits and prior art 8/11
S37: USB Peripherals - The weapon of choice
15
2016-11-16: PoisonTap Can Hijack Web Traffic and Install Backdoors on Password-Protected PCs
https://www.bleepingcomputer.com/news/security/poisontap-can-hijack-web-traffic-and-install-backdoors-on-password-protected-pcs/
"PoisonTap works by spoofing an over-USB Ethernet adapter, which sets up as the primary source of Internet traffic for all IPv4 addresses. Windows and OS X will automatically recognize and install the fake Ethernet adapter, even when the machine is locked. This tricks the computer into sending all web traffic to PoisonTap."
16
2017-10-17: Here's a Video of the Latest ATM Malware Sold on the Dark Web
https://www.bleepingcomputer.com/news/security/heres-a-video-of-the-latest-atm-malware-sold-on-the-dark-web/
"A hacker or hacker group is selling a strain of ATM malware that can make ATMs spit out cash just by connecting to its USB port and running the malware."
17
2018-03-13: Here's a List of 29 Different Types of USB Attacks
https://www.bleepingcomputer.com/news/security/heres-a-list-of-29-different-types-of-usb-attacks/
"Researchers from the Ben-Gurion University of the Negev in Israel have identified 29 ways in which attackers could use USB devices to compromise users' computers. The research team has classified these 29 exploitation methods in four different categories, depending on the way the attack is being carried out."
18
2018-06-22: Tick Group Weaponized Secure USB Drives to Target Air-Gapped Critical Systems
https://researchcenter.paloaltonetworks.com/2018/06/unit42-tick-group-weaponized-secure-usb-drives-target-air-gapped-critical-systems/
“The weaponization of a secure USB drive is an uncommon attack technique and likely done in an effort to spread to air-gapped systems, which are systems that do not connect to the public internet. In addition, our research shows that the malware used in these attacks will only try to infect systems running Microsoft Windows XP or Windows Server 2003.”
02. QinetiQ North America Attack & Lessons
S38-42: 'Chinese' attack sucks secrets from US defence contractor - http://www.theregister.co.uk/2013/05/02/china_us_hacking_qinetiq_apt/
S38-42: Hackers in china compromise us defense secrets - https://www.bloomberg.com/graphics/infographics/hackers-in-china-compromise-us-defense-secrets.html
S38-42: Cyber Espionage and the Theft of U.S. Intellectual Property and Technology - https://www.uscc.gov/sites/default/files/Wortzel-OI-Cyber-Espionage-Intellectual-Property-Theft-2013-7-9.pdf
03. Cloud Hopper & Lessons
S43-47: Operation Cloud Hopper - https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html/
S43-47: The Weakest Link - https://newsfromthelab.files.wordpress.com/2017/04/the-weakest-link-f-secure-state-of-cyber-security-2017.pdf
S43-47: FRA:s åtgärdsförslag med anledning av angrepp mot tjänsteleverantörer [FRA's proposed countermeasures following the attacks on service providers] - http://www.fra.se/snabblankar/nyheterochpress/nyhetsarkiv/nyheter/frasatgardsforslagmedanledningavangreppmottjansteleverantorer.411.html
S43-47: Så identifieras Cloud Hopper APT10 [How Cloud Hopper / APT10 is identified] - https://kryptera.se/sa-identifierars-cloud-hopper-apt10/
S43-47: APT10 - Operation Cloud Hopper - https://baesystemsai.blogspot.com/2017/04/apt10-operation-cloud-hopper_3.html
S43-47: Global targeting of enterprises via managed service providers - https://www.ncsc.gov.uk/information/global-targeting-enterprises-managed-service-providers
S43-47: Inside the West’s failed fight against China’s ‘Cloud Hopper’ hackers - https://www.reuters.com/investigates/special-report/china-cyber-cloudhopper/
04. WannaCry, Petya, NotPetya & Lessons
S48-50: The White House Blames Russia for NotPetya, the 'Most Costly Cyberattack In History' - https://www.wired.com/story/white-house-russia-notpetya-attribution/
S48-50: WannaCry, Petya, NotPetya: how ransomware hit the big time in 2017 - https://www.theguardian.com/technology/2017/dec/30/wannacry-petya-notpetya-ransomware
S48-50: The Untold Story of NotPetya, the Most Devastating Cyberattack in History - https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/
S48-50: NotPetya Ushered In a New Era of Malware - https://www.vice.com/en_us/article/7x5vnz/notpetya-ushered-in-a-new-era-of-malware
Credits and prior art 9/11
The force multipliers - or “how to fight the war from the trenches”
S51: Strong authentication: https://en.wikipedia.org/wiki/Strong_authentication
S51: YubiKey: https://en.wikipedia.org/wiki/YubiKey
S51: Smart Cards: https://en.wikipedia.org/wiki/Smart_card
S51: Google Authenticator: https://en.wikipedia.org/wiki/Google_Authenticator
S51: Google: Security Keys Neutralized Employee Phishing - https://krebsonsecurity.com/2018/07/google-security-keys-neutralized-employee-phishing/
S51: Microsoft: Using multi-factor authentication blocks 99.9% of account hacks - https://www.zdnet.com/article/microsoft-using-multi-factor-authentication-blocks-99-9-of-account-hacks/
S51: Separation (physical and logical). Unfortunately I have not found any good public resources describing this.
- The basis of the separation concept is the idea of a security domain - https://en.wikipedia.org/wiki/Security_domain
- which is based on the concept of domain based security - https://en.wikipedia.org/wiki/Domain_Based_Security
Examples of Network separation
- Logical separation, VLAN som separationsmetod för industriella styrsystemsnät [VLAN as a separation method for industrial control system networks] - https://www.foi.se/rapportsammanfattning?reportNo=FOI-R--4070--SE
- Unidirectional network (a common separation mechanism within military networks) - https://en.wikipedia.org/wiki/Unidirectional_network
S51: Security logging - https://en.wikipedia.org/wiki/Security_information_and_event_management
S51: White/black listing - https://en.wikipedia.org/wiki/Whitelisting#Program_whitelists & https://en.wikipedia.org/wiki/Blacklist_(computing)#Information_systems
S51: SANS Critical Security Controls - https://www.cisecurity.org/controls/ & https://www.sans.org/critical-security-controls
S51: (Know your network) NSA TAO Chief on Disrupting Nation State Hackers video (38 min) - https://www.youtube.com/watch?v=bDJb8WOJYdA
S51: (Know your network) Improving the Security of Your Site by Breaking Into it (20 pages) - http://www.dcs.ed.ac.uk/home/rah/Resources/Security/admin_guide_to_cracking.pdf
S51: (Threat modelling) “Think Like an Attacker” is an opt-in mistake - http://emergentchaos.com/archives/2016/04/think-like-an-attacker-is-an-opt-in-mistake.html
S51: Defenders think in lists. Attackers think in graphs. As long as this is true, attackers win - https://blogs.technet.microsoft.com/johnla/2015/04/26/defenders-think-in-lists-attackers-think-in-graphs-as-long-as-this-is-true-attackers-win/
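The USB references (S37: BadUSB firmware, HID keystroke injection, PoisonTap's fake Ethernet adapter) and the force multipliers above (white/black listing, security logging) meet in one practical control: decide, per attach event, whether a peripheral is one you have registered, and log why it was refused. The following is an added example written for this reference page; it is not code from the talk, from Nixu or from any of the cited projects. It assumes udev-style KEY=VALUE attach records (ID_VENDOR_ID, ID_MODEL_ID and ID_USB_INTERFACES are real udev properties; the one-line layout, the allow-list contents and the sample events are constructed). The allow-list stores the interface set each registered VID:PID presented, because the IDs themselves are attacker-controlled: a keyboard VID:PID that suddenly also exposes mass storage is the BadUSB pattern, and any CDC Ethernet or RNDIS function is the PoisonTap pattern.

```python
"""Allow-listing and triage of USB attach events (added example, not from the talk).

Input: constructed udev-style text, one device per line, space-separated
KEY=VALUE pairs. ID_VENDOR_ID / ID_MODEL_ID / ID_USB_INTERFACES are real udev
property names; this exact line layout is an assumption made for the example.
"""
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Tuple

Interface = Tuple[int, int, int]  # (class, subclass, protocol) from the USB-IF class codes

HID, CDC, MASS_STORAGE, WIRELESS = 0x03, 0x02, 0x08, 0xE0
HID_BOOT_KEYBOARD: Interface = (HID, 0x01, 0x01)

# Assumed organisational allow-list: VID:PID -> interface set seen at registration.
# Illustrative IDs only. A known VID:PID with a different interface set is flagged.
ALLOW_LIST: Dict[Tuple[int, int], FrozenSet[Interface]] = {
    (0x1050, 0x0407): frozenset({(HID, 1, 1), (HID, 0, 0), (0x0B, 0, 0)}),  # security key: kbd + HID + CCID
    (0x046D, 0xC31C): frozenset({(HID, 1, 1), (HID, 0, 0)}),               # plain keyboard
}


@dataclass(frozen=True)
class UsbEvent:
    action: str
    vid: int
    pid: int
    interfaces: Tuple[Interface, ...]


def parse_udev_line(line: str) -> UsbEvent:
    """Parse one KEY=VALUE line; ID_USB_INTERFACES looks like ':030101:080650:'."""
    props = dict(re.findall(r"(\w+)=(\S*)", line))
    ifaces = tuple(
        (int(t[0:2], 16), int(t[2:4], 16), int(t[4:6], 16))
        for t in props.get("ID_USB_INTERFACES", "").split(":")
        if len(t) == 6
    )
    return UsbEvent(
        action=props.get("ACTION", "add"),
        vid=int(props["ID_VENDOR_ID"], 16),
        pid=int(props["ID_MODEL_ID"], 16),
        interfaces=ifaces,
    )


def is_network_adapter(ifaces: Iterable[Interface]) -> bool:
    """CDC ECM/EEM/NCM or RNDIS function: the device can hand out DHCP leases and routes."""
    for cls, sub, proto in ifaces:
        if cls == CDC and sub in (0x06, 0x0C, 0x0D):
            return True
        if (cls, sub, proto) == (WIRELESS, 0x01, 0x03):
            return True
    return False


def evaluate(ev: UsbEvent) -> Tuple[str, List[str]]:
    """Return ('allow' | 'block', reasons). Any structural finding blocks, allow-listed or not."""
    reasons: List[str] = []
    classes = {cls for cls, _, _ in ev.interfaces}
    registered = ALLOW_LIST.get((ev.vid, ev.pid))
    if registered is None:
        reasons.append("not on allow-list")
    elif frozenset(ev.interfaces) != registered:
        reasons.append("interface set differs from registered device (spoofed IDs or reflashed firmware)")
    if MASS_STORAGE in classes and HID in classes:
        reasons.append("storage+HID composite (BadUSB pattern)")
    if HID_BOOT_KEYBOARD in ev.interfaces and registered is None:
        reasons.append("unlisted keyboard (keystroke injection risk)")
    if is_network_adapter(ev.interfaces):
        reasons.append("USB network adapter (PoisonTap pattern: can take over routing)")
    return ("block" if reasons else "allow"), reasons


def triage(lines: Iterable[str]) -> List[Tuple[str, str, List[str]]]:
    """Apply the policy to every 'add' event; returns (vid:pid, verdict, reasons) per device."""
    results = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_udev_line(line)
        if ev.action != "add":  # detach events carry no decision
            continue
        verdict, reasons = evaluate(ev)
        results.append((f"{ev.vid:04x}:{ev.pid:04x}", verdict, reasons))
    return results


# Constructed sample events (not real captures): security key, unlisted flash drive,
# keyboard VID:PID that also exposes storage, USB Ethernet gadget, and a detach.
SAMPLE_EVENTS = [
    "ACTION=add ID_VENDOR_ID=1050 ID_MODEL_ID=0407 ID_USB_INTERFACES=:030101:030000:0b0000:",
    "ACTION=add ID_VENDOR_ID=0781 ID_MODEL_ID=5581 ID_USB_INTERFACES=:080650:",
    "ACTION=add ID_VENDOR_ID=046d ID_MODEL_ID=c31c ID_USB_INTERFACES=:030101:080650:",
    "ACTION=add ID_VENDOR_ID=0525 ID_MODEL_ID=a4a2 ID_USB_INTERFACES=:020600:0a0000:",
    "ACTION=remove ID_VENDOR_ID=0781 ID_MODEL_ID=5581 ID_USB_INTERFACES=:080650:",
]

if __name__ == "__main__":
    for device, verdict, reasons in triage(SAMPLE_EVENTS):
        print(device, verdict, "; ".join(reasons))
```

Caveat, in line with Nohl's point quoted under S37: descriptors are whatever the device firmware says they are, so this catches sloppy or opportunistic devices and the class combinations the slide names, not a device that perfectly impersonates a registered one down to its serial and interface set. The block verdicts are the part worth forwarding to the SIEM; an allow-listed device that starts presenting a changed interface set is exactly the event you want in the logs.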
Credits and prior art 10/11
Help Wanted
S52: Help Wanted! - https://twitter.com/steffanwatkins/status/976107933305098240
General inspiration for this talk:
Black Hat Asia 2018 Day 2 Keynote: A Short Course in Cyber Warfare presented by The Grugq - https://youtu.be/gvS4efEakpY
Elizabeth (1998) - https://www.imdb.com/title/tt0127536/
Books you should read that might have been mentioned but aren’t represented by a slide:
- Site Reliability Engineering, How Google Runs Production Systems (552 pages) - http://shop.oreilly.com/product/0636920041528.do
- Vem kan man lita på?: den globala övervakningens framväxt [Who can you trust?: the rise of global surveillance] (304 pages) - http://www.adlibris.com/se/bok/vem-kan-man-lita-pa-den-globala-overvakningens-framvaxt-9789175453958
- Konsten att gissa rätt - Underrättelsevetenskapens grunder [The art of guessing right - the foundations of intelligence science] (218 pages) - https://www.adlibris.com/se/bok/konsten-att-gissa-ratt---underrattelsevetenskapens-grunder-9789144004389
- The Perfect Weapon: War, Sabotage, and Fear in the Cyber Age (384 pages) - https://www.amazon.com/Perfect-Weapon-Sabotage-Fear-Cyber/dp/0451497899
If you lack references to something I mentioned, please contact me.
Credits and prior art 11/11
Cyber warfare in the context of major military innovations by mattias almeflo 2019
Nixu Corporation
 
"Hakkerihyökkäys terveydenhoitoalan organisaatioon – näin se tapahtuisi”
"Hakkerihyökkäys terveydenhoitoalan organisaatioon – näin se tapahtuisi”"Hakkerihyökkäys terveydenhoitoalan organisaatioon – näin se tapahtuisi”
"Hakkerihyökkäys terveydenhoitoalan organisaatioon – näin se tapahtuisi”
Nixu Corporation
 
Miten tietomurron voi havaita lokeista?
Miten tietomurron voi havaita lokeista?Miten tietomurron voi havaita lokeista?
Miten tietomurron voi havaita lokeista?
Nixu Corporation
 
Verkkopalveluiden tietoturva markkinointi- ja viestintäasiantuntijoille, kevä...
Verkkopalveluiden tietoturva markkinointi- ja viestintäasiantuntijoille, kevä...Verkkopalveluiden tietoturva markkinointi- ja viestintäasiantuntijoille, kevä...
Verkkopalveluiden tietoturva markkinointi- ja viestintäasiantuntijoille, kevä...
Nixu Corporation
 
Kysely NSA-vakoilusta yrityspäättäjille
Kysely NSA-vakoilusta yrityspäättäjilleKysely NSA-vakoilusta yrityspäättäjille
Kysely NSA-vakoilusta yrityspäättäjille
Nixu Corporation
 

More from Nixu Corporation (19)

oAuth presentation
oAuth presentationoAuth presentation
oAuth presentation
 
Infosec2018 NL IAM archeaology Presentation
Infosec2018 NL IAM archeaology PresentationInfosec2018 NL IAM archeaology Presentation
Infosec2018 NL IAM archeaology Presentation
 
Cyber Defense in 2016
Cyber Defense in 2016Cyber Defense in 2016
Cyber Defense in 2016
 
Nixu Cyber Defense Center - You have one fear less.
Nixu Cyber Defense Center - You have one fear less.Nixu Cyber Defense Center - You have one fear less.
Nixu Cyber Defense Center - You have one fear less.
 
Koko rahalla palomuureja?
Koko rahalla palomuureja? Koko rahalla palomuureja?
Koko rahalla palomuureja?
 
Digitaalinen identiteetti turvallisen verkkoliiketoiminnan mahdollistajana
Digitaalinen identiteetti turvallisen verkkoliiketoiminnan mahdollistajanaDigitaalinen identiteetti turvallisen verkkoliiketoiminnan mahdollistajana
Digitaalinen identiteetti turvallisen verkkoliiketoiminnan mahdollistajana
 
Kuinka toimitaan oikeammin kun havaitaan tietoturvapoikkeama
Kuinka toimitaan oikeammin kun havaitaan tietoturvapoikkeamaKuinka toimitaan oikeammin kun havaitaan tietoturvapoikkeama
Kuinka toimitaan oikeammin kun havaitaan tietoturvapoikkeama
 
Office 365 integration using organizational identities
Office 365 integration using organizational identitiesOffice 365 integration using organizational identities
Office 365 integration using organizational identities
 
Tekninen näkökulma: Lokienhallinta vai SIEM?
Tekninen näkökulma: Lokienhallinta vai SIEM?Tekninen näkökulma: Lokienhallinta vai SIEM?
Tekninen näkökulma: Lokienhallinta vai SIEM?
 
Tietoturva teollisen internetin vauhdittajana
Tietoturva teollisen internetin vauhdittajanaTietoturva teollisen internetin vauhdittajana
Tietoturva teollisen internetin vauhdittajana
 
What has changed in Corporate Cybersecurity?
What has changed in Corporate Cybersecurity?What has changed in Corporate Cybersecurity?
What has changed in Corporate Cybersecurity?
 
Mittaristot kyberturvan tilannejohtamiseen
Mittaristot kyberturvan tilannejohtamiseenMittaristot kyberturvan tilannejohtamiseen
Mittaristot kyberturvan tilannejohtamiseen
 
TIEKE IoT Business-treffit: Virusten Internet, Kairinen, Nixu 2014
TIEKE IoT Business-treffit: Virusten Internet, Kairinen, Nixu 2014TIEKE IoT Business-treffit: Virusten Internet, Kairinen, Nixu 2014
TIEKE IoT Business-treffit: Virusten Internet, Kairinen, Nixu 2014
 
PCI DSS 3.0 - Merkittävimmät muutokset
PCI DSS 3.0 - Merkittävimmät muutoksetPCI DSS 3.0 - Merkittävimmät muutokset
PCI DSS 3.0 - Merkittävimmät muutokset
 
PCI DSS 3.0 muutokset – “editor’s pick”
PCI DSS 3.0 muutokset – “editor’s pick”PCI DSS 3.0 muutokset – “editor’s pick”
PCI DSS 3.0 muutokset – “editor’s pick”
 
"Hakkerihyökkäys terveydenhoitoalan organisaatioon – näin se tapahtuisi”
"Hakkerihyökkäys terveydenhoitoalan organisaatioon – näin se tapahtuisi”"Hakkerihyökkäys terveydenhoitoalan organisaatioon – näin se tapahtuisi”
"Hakkerihyökkäys terveydenhoitoalan organisaatioon – näin se tapahtuisi”
 
Miten tietomurron voi havaita lokeista?
Miten tietomurron voi havaita lokeista?Miten tietomurron voi havaita lokeista?
Miten tietomurron voi havaita lokeista?
 
Verkkopalveluiden tietoturva markkinointi- ja viestintäasiantuntijoille, kevä...
Verkkopalveluiden tietoturva markkinointi- ja viestintäasiantuntijoille, kevä...Verkkopalveluiden tietoturva markkinointi- ja viestintäasiantuntijoille, kevä...
Verkkopalveluiden tietoturva markkinointi- ja viestintäasiantuntijoille, kevä...
 
Kysely NSA-vakoilusta yrityspäättäjille
Kysely NSA-vakoilusta yrityspäättäjilleKysely NSA-vakoilusta yrityspäättäjille
Kysely NSA-vakoilusta yrityspäättäjille
 

Recently uploaded

Generating a custom Ruby SDK for your web service or Rails API using Smithy
Generating a custom Ruby SDK for your web service or Rails API using SmithyGenerating a custom Ruby SDK for your web service or Rails API using Smithy
Generating a custom Ruby SDK for your web service or Rails API using Smithy
g2nightmarescribd
 
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Tobias Schneck
 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
Product School
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
DanBrown980551
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance
 
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Product School
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
Thijs Feryn
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
BookNet Canada
 
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Ramesh Iyer
 
Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........
Alison B. Lowndes
 
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
Product School
 
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Product School
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
Guy Korland
 
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Jeffrey Haguewood
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
Alan Dix
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
Jemma Hussein Allen
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
Kari Kakkonen
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
Safe Software
 
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
Product School
 
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Product School
 

Recently uploaded (20)

Generating a custom Ruby SDK for your web service or Rails API using Smithy
Generating a custom Ruby SDK for your web service or Rails API using SmithyGenerating a custom Ruby SDK for your web service or Rails API using Smithy
Generating a custom Ruby SDK for your web service or Rails API using Smithy
 
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
 
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
 
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
 
Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........
 
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
 
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
 
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
 
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
 
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...
 

Cyber warfare in the context of major military innovations by mattias almeflo 2019

  • 1. (title slide, no text)
  • 2. PRINCIPAL SECURITY CONSULTANT Mattias Almeflo. CYBER WARFARE - IN THE CONTEXT OF MMI
  • 3. Alternative title 1: ASYMMETRIC WARFARE - THE EVOLUTION OF CONFLICT
  • 4. Alternative title 2: SPY VS SPY. WHAT IS OLD – IS NEW AGAIN
  • 5. 31/08/2019. Mattias Almeflo, the professional. Career milestones (2010, 2016, 2017, 2018): Thesis Worker | Software Developer (databases, .NET software development); Systems Integrator | Information Security Architect | Team Leader (IT security, systems engineering, team leadership); Team Leader | Information Security Architect (part of the founding team of Saab Cyber Security Division); Principal Security Consultant, Senior Information Security Architect (specializing in military security frameworks). Slide footer, repeated on every slide: NIXU PUBLIC | NOT EXPORT CONTROLLED | CUSTOMER UNCLASSIFIED. References per slide, at the end.
  • 6. Mattias Almeflo and the domains of warfare. 2010–2013: created the Secure Operating Environment (SOE) for the Swedish armed forces. 2013–2015: Windows security in L16 Backbone. 2015–2016: Docker security in naval systems. 2016–2017: R&D defensive cyber warfare. 2017–: development environments.
  • 7. The complexity of the domain is staggering. And my areas of focus.
  • 8. Nixu: trusted go-to partner for cybersecurity services (Finland, Sweden). Vision: keeping the digital society running. Mission: be the best workplace for cyber security specialists. Founded in 1988, publicly listed 2014. Locations (11 approx.): Finland, Sweden, Netherlands, US, Denmark, Romania, Australia and more. 400 cyber security specialists. 98% of our clients recommend Nixu. Cyber security services from board decisions to deep forensic investigations.
  • 9. ”There is no security without a threat model, only paranoia.”
  • 10. (image only)
  • 11. (image only)
  • 12. Two types of threats: non-actor-driven (non-antagonistic) threat. A possible, unwanted event with a negative outcome for operations that is not caused by a human actor's deliberate actions. Generally speaking, non-antagonistic threats can be divided into three (3) categories: natural phenomena (natural disasters, disease); site-security-related threats (fire, locks, alarms, accidents etc.); errors in technical systems (bugs, malfunction); non-intentional actions by human actors (accidents, negligence), such as loss of a device or incorrect or careless handling of information.
  • 13. Two types of threats: actor-driven (antagonistic) threat. A threat driven by an actor in the form of an individual, group, network, organisation, state etc. Actor-driven threats are normally intentional.
  • 14. Military doctrine: it is a guide to action, rather than hard and fast rules. "Fundamental principles by which the military forces guide their actions in support of objectives. It is authoritative but requires judgement in application" - NATO's definition of doctrine, used unaltered by many member nations.
  • 15. The five (5) domains of war. Doctrines are old and tend to change slowly. Timeline (2000 BC to 2000 AD): 1. LAND: human energy (infantry: 2500–1500 BC); animal energy (cavalry: 865–860 BC); mechanical kinetic energy (catapults: 300 BC, crossbows: 1337–1521, handguns: 1500, revolvers: 1836, Gatling gun: 1860); mechanical energy with fuel (trains: 1861, cars: 1899, tanks: 1916 ”WW1”). 2. NAVAL: ships (300 BC); American Turtle (1775); steam/motor boats (1810–1910); submarines (1941 ”WW1”). 3. AIR: balloons & airplanes (1911). 4. SPACE: space (1962). 5. CYBER: cyber (1996).
  • 16. The Concept of Fifth Dimension Operations: 22 years in the making. “We are approaching the end of the first decade of weaponized malware” - Francis deSouza, 2013. “The physics of cyberspace are wholly different from every other war domain.” - Joshua Corman, a cybersecurity fellow at the Atlantic Council, 2018.
  • 17. The Intelligence Community – Espionage et al. Military intelligence: India (Chanakya, 321–297 BC); China (Sun Tzu, 512 BC). Modern espionage techniques: England (Walsingham, 1532); Russia (the Bureau of Information, 1682). From a state perspective (anno 1900): military intelligence; naval intelligence; civil intelligence agencies. Intelligence disciplines: HUMINT, GEOINT, MASINT, OSINT, SIGINT (COMINT, ELINT, FISINT (TELINT)), TECHINT, CYBINT/DNINT, FININT. HUMINT sources: espionage; friendly accredited diplomats; military attachés; non-governmental organizations; patrolling; prisoners of war or detainees; refugees; strategic reconnaissance; traveler debriefing.
  • 18. Cyber: SIGINT at rest vs. HUMINT in motion. The rise of Computer Network Operations as a Major Military Innovation… Who “owns” cyber in the IC?
  • 19. Espionage’s most valuable resource is data.
  • 20. Grey is the new black: covert action and implausible deniability. Covert action, old school: plausibly deniable intervention in the affairs of others; the sponsor's hand is neither apparent nor acknowledged. Covert action fit for the twenty-first century: embracing implausible deniability (an open secret) and the ambiguity it creates; unacknowledged interference in the affairs of others.
  • 21–22. The evolution of state sponsored conflict (war). Asymmetric warfare below this line…
  • 23. Cyber Trumps Terrorism as Priority Threat #1. In January 2016, James Clapper (Director of National Intelligence, USA) said that "in 2013, 'cyber' bumped 'terrorism' out of the top spot on our list of national threats".
  • 24. Geopolitics - an overlooked influencer in Cyber Ops. Rising tensions between NATO, EU and RU: the Baltic Sea, Crimea and the Arctic are of great geo-economic and security-strategic interest. Hybrid warfare strategy blends conventional warfare, irregular warfare and cyber warfare: “Green Little Men” and “Internet Trolls” etc. Information operations against the Nordics and Nordic companies are a part of the strategy.
  • 25. Geopolitics - an overlooked influencer in Cyber Ops. China: the Belt and Road Initiative. Strengthen the political and cultural influence of the Chinese state. Ultimately, the ambition is to help make China an alternative global “civilizational” reference point to the United States.
  • 26. “there are friendly nations, but no friendly intelligence services” - Raymond Rocca (deputy chief of CIA counterintelligence, 1972)
  • 27. Advanced persistent threat (APT). All developed countries have operational APT capability today. They operate covertly and are very skillful in covering their digital footprints; they are not concerned with abiding by the computer crime laws of whichever country they are launching operations against; they are only concerned with collecting strategically valuable information by whatever electronic means are possible.
  • 28. APT groups aka advanced threat actors. Advanced Persistent Threat groups came to light in 2013. Currently the ATT&CK framework has 86 different threat actors in its catalogue. Roughly 50% of the threat actors are attributed to countries: 23 are presumed to be Chinese-based, 10 are presumed to be Iranian-based, 7 are presumed to be Russia-based, 3 are presumed to be North Korea-based.
  • 29–30. The Definition / Scope: attacks related to the fifth domain of war (aka cyber conflict). Geopolitical or financial relevance. Nation state actors (Intelligence Community). A lot of attacks don’t meet the selection criteria…
  • 31. Four defining attacks in the realm of cyber: Stuxnet, QinetiQ, Cloud Hopper, NotPetya. “old school” to “twenty-first century”.
  • 32. 01. Stuxnet “patient zero”. Stuxnet is not a traditional malware. It was the first “special forces” of cyber warfare. It is a hybrid of worm, Trojan horse, rootkit and virus.
  • 33. 01. Stuxnet “patient zero”. It was built to do 4 steps: spread/infiltrate, like a worm and/or a virus using a Trojan; discover the target machine/system; destroy/disrupt the target (Iran's centrifuges); evade detection.
  • 34. 01. Stuxnet “patient zero”. Built specifically to disrupt/destroy or at least slow down Iran's nuclear program. The most complicated, advanced and efficient malware written at that time. It was almost 20 times more complex than any other previous malware.
  • 35. 01. Stuxnet “patient zero”. Stuxnet in the wild: Stuxnet 0.5 was found in the wild in 2007; its Command & Control servers had been active since 2005. Stuxnet 1.0 was found in 2010 when it went active in Iran, targeting a specific plant. It was presumed dormant as of 2012 but resurfaced to spy on USA-Iran talks in 2014–2015.
  • 36. Lessons Stuxnet. ”Offline” is definitely not secure by itself. Software can cause real-world, physical damage. You need to share intel and pool resources internationally. Monitoring has to be protected: integrity matters. USB memory sticks are merely very unprotected, high-latency networks (sneakernet/walk net).
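The lesson "monitoring has to be protected: integrity matters" is easy to state and easy to skip in practice. The following is an added example, not code from the deck or from Nixu, showing one minimal way to make host monitoring tamper-evident: each log entry carries an HMAC over its sequence number, the previous entry's MAC and the message, so the collector can tell if an entry on the monitored host was edited, reordered or removed. The key, host name, event messages and the `placeholder-0001` hash are all constructed for the demo; the assumption is that the MAC key is held by a separate collector and never by the monitored host.

```python
import hashlib
import hmac
import json
from typing import Dict, List, Optional, Tuple

# Constructed demo key. In a real deployment the key lives only on the log
# collector, not on the monitored host, so local tampering cannot re-sign entries.
COLLECTOR_KEY = b"constructed-demo-key-do-not-reuse"

# Constructed sample monitoring events, modelled on the kind of host telemetry
# an operator would want to trust after the fact.
CONSTRUCTED_EVENTS = [
    "plc-gw-01: removable media mounted by user plant-eng",
    "plc-gw-01: unsigned driver load blocked, hash placeholder-0001",
    "plc-gw-01: outbound connection attempt to unknown host denied",
]

GENESIS = "0" * 64  # previous-MAC value used for the first entry


def _entry_mac(key: bytes, seq: int, prev_mac: str, message: str) -> str:
    """MAC over sequence number, previous MAC and message, so that editing,
    reordering or deleting any entry breaks every later link in the chain."""
    data = json.dumps([seq, prev_mac, message], separators=(",", ":")).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def append_entry(log: List[Dict], key: bytes, message: str) -> Dict:
    """Append a message to the log, chaining it to the previous entry's MAC."""
    seq = len(log)
    prev_mac = log[-1]["mac"] if log else GENESIS
    entry = {"seq": seq, "prev": prev_mac, "msg": message,
             "mac": _entry_mac(key, seq, prev_mac, message)}
    log.append(entry)
    return entry


def verify_log(log: List[Dict], key: bytes,
               expected_len: Optional[int] = None) -> Tuple[bool, Optional[int]]:
    """Return (True, None) if the chain is intact, else (False, first bad index).

    Truncating the tail of a chained log is invisible to the chain itself, so
    the collector should also record how many entries it expects (expected_len).
    """
    prev_mac = GENESIS
    for i, entry in enumerate(log):
        expected = _entry_mac(key, i, prev_mac, entry["msg"])
        if (entry["seq"] != i or entry["prev"] != prev_mac
                or not hmac.compare_digest(expected, entry["mac"])):
            return False, i
        prev_mac = entry["mac"]
    if expected_len is not None and len(log) != expected_len:
        return False, len(log)
    return True, None


def build_log() -> List[Dict]:
    """Build the constructed sample log."""
    log: List[Dict] = []
    for msg in CONSTRUCTED_EVENTS:
        append_entry(log, COLLECTOR_KEY, msg)
    return log


def demo_tamper() -> Tuple[bool, bool, Optional[int]]:
    """Build the log, then rewrite the alarming entry to look benign."""
    log = build_log()
    intact, _ = verify_log(log, COLLECTOR_KEY)
    log[1]["msg"] = "plc-gw-01: driver load ok"
    still_ok, bad = verify_log(log, COLLECTOR_KEY)
    return intact, still_ok, bad


def demo_truncate() -> Tuple[bool, Optional[int]]:
    """Drop the last entry; only the expected length exposes it."""
    log = build_log()
    log.pop()
    return verify_log(log, COLLECTOR_KEY, expected_len=len(CONSTRUCTED_EVENTS))


if __name__ == "__main__":
    print("tamper detected:", demo_tamper())
    print("truncation detected:", demo_truncate())
```

The chain only proves that what the collector holds is what the host wrote, in order; it does not protect a host whose monitoring agent is disabled before the event is written, which is why the deck's point about sharing intel and pooling resources still stands.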
  • 37. USB peripherals: the weapon of choice. For more than a decade (10 years!) USB peripherals have been used as innocuous-looking cyber weapons. Today weaponized USB is so common that you can either buy it “over the counter” or build your own with source code from GitHub and a YouTube video.
  • 38. 02. QinetiQ North America attack: military R&D on steroids. QinetiQ is “a privatised version of DARPA”; in the UK it actually IS the privatised version of DERA (the UK’s DARPA). The 2011 Anonymous hack of HBGary showed that defence contractor QinetiQ suffered a massive breach of classified data over four years (2006–2010), which may have leaked advanced military secrets to China's military. QinetiQ lost terabytes of classified data. Threat actors targeted advanced drone and robotics technology and compromised hundreds of machines in QinetiQ’s facilities all over the US, including St. Louis, Mississippi, Alabama and New Mexico.
  • 39. 02. QinetiQ North America attack: military R&D on steroids. They were notified by third parties several times: in 2007 the Naval Criminal Investigative Service notified them; in 2007 NASA told QinetiQ that NASA was being attacked from one of QinetiQ’s computers.
  • 40. 02. QinetiQ North America attack: military R&D on steroids. A 2008 IR report states that QinetiQ’s corporate network could be accessed using unsecured Wi-Fi from a car park outside a facility in Waltham, Massachusetts. The software installed by HBGary to monitor for malicious activity wouldn’t function properly and was deleted by many employees because it apparently used too much processing power. The investigators even found evidence that Russian hackers had been stealing QinetiQ secrets for over two years through a compromised PC belonging to a secretary.
• 41. Lessons QinetiQ
  • Exfiltration was done in small packets to evade detection by traditional filters
  • QinetiQ never saw the whole picture because the firm continued to treat incidents in isolation, despite them happening “all the time” for several years
  • No 2FA (only username/password or soft tokens)
  • No adequate detection/monitoring
  • No separation between Wi-Fi and LAN
  • No separation inside the LAN
  “There was virtually no place we looked where we didn’t find them.”
• 42. Lessons QinetiQ
  • Threat intelligence might help…
  • 30 defence contractors were targeted in 2007
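An added example of the detection logic the two lessons slides point at (written for this page, not part of the talk or of any QinetiQ investigation): exfiltration in transfers small enough to pass a per-flow size filter is only caught when flows are correlated per source and destination across days, instead of each incident being judged on its own. The flow-log lines, host names, addresses and thresholds below are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Flow:
    ts: datetime
    src: str        # internal host name
    dst: str        # external destination address
    bytes_out: int


def build_sample_flows():
    """Constructed flow-log text (invented hosts and addresses, not real data).

    ws-secretary-07 pushes 40-50 KB to one external host every five minutes
    between 02:00 and 02:30, five nights in a row: 30 small flows.
    fileserver-01 sends one 900 MB job to an off-site backup address.
    ws-dev-12 sends a single 300 KB upload.
    """
    base = datetime(2008, 3, 1, 2, 0, 0)
    lines = []
    for night in range(5):
        for k in range(6):
            ts = base + timedelta(days=night, minutes=5 * k)
            lines.append(f"{ts.isoformat()} ws-secretary-07 203.0.113.10 {40000 + 2000 * k}")
    lines.append("2008-03-02T23:00:00 fileserver-01 198.51.100.20 900000000")
    lines.append("2008-03-03T10:12:00 ws-dev-12 198.51.100.77 300000")
    return "\n".join(lines)


def parse_flows(text):
    """Parse 'timestamp src dst bytes' lines into Flow records."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        flows.append(Flow(datetime.fromisoformat(ts), src, dst, int(nbytes)))
    return flows


def per_flow_alerts(flows, per_flow_limit=1_000_000):
    """The traditional filter: judge every flow on its own size."""
    return [f for f in flows if f.bytes_out > per_flow_limit]


def low_and_slow(flows, per_flow_limit=1_000_000, min_flows=10, min_days=3):
    """Correlate flows per (src, dst) pair across days.

    A pair is reported when no single flow exceeds per_flow_limit (so the
    per-flow filter stays silent) but the flow count and the number of
    distinct days show a sustained channel to the same destination.
    """
    by_pair = defaultdict(list)
    for f in flows:
        by_pair[(f.src, f.dst)].append(f)
    findings = []
    for (src, dst), group in sorted(by_pair.items()):
        days = {f.ts.date() for f in group}
        biggest = max(f.bytes_out for f in group)
        if biggest <= per_flow_limit and len(group) >= min_flows and len(days) >= min_days:
            findings.append({
                "src": src, "dst": dst,
                "flows": len(group), "days": len(days),
                "total_bytes": sum(f.bytes_out for f in group),
            })
    return findings


if __name__ == "__main__":
    flows = parse_flows(build_sample_flows())
    print("per-flow filter:", [(f.src, f.bytes_out) for f in per_flow_alerts(flows)])
    print("correlated     :", low_and_slow(flows))
```

Run stand-alone, the per-flow filter fires only on the legitimate 900 MB backup job, while the correlated view reports the workstation that moved 1.35 MB in 30 pieces over five nights. The thresholds (flows per pair, distinct days) are the knobs to tune against a real baseline; the point is that the aggregation key spans days rather than a single session or ticket.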
• 43. 03. Cloud Hopper - “thought to be one of the largest ever sustained global cyber espionage campaigns in an operation.”
  The mother of all upstream attacks, 2014-2016
  • The Target breach in 2013 affected 41 million customer payment card accounts along with contact information for more than 60 million Target customers
• 44. 03. Cloud Hopper - “thought to be one of the largest ever sustained global cyber espionage campaigns in an operation.”
  In 2017, PwC UK stated that Cloud Hopper impacted multiple organizations in North America, Europe, South America, and Asia.
  Cloud Hopper targets service providers (cloud infrastructure):
  • Managed Service Providers (MSP)
  • United Kingdom (U.K.), United States (U.S.), Japan, Canada, Brazil, France, Switzerland, Norway, Finland, Sweden, South Africa, India, Thailand, South Korea, and Australia
• 45. 03. Cloud Hopper - “thought to be one of the largest ever sustained global cyber espionage campaigns in an operation.”
  • The targets were not the MSPs but their clients
  • Industries affected include engineering, industrial manufacturing, retail, energy, pharmaceuticals, telecommunications, and government agencies
  • Massive exfiltration of data
  • Over 70 variants of backdoor families and Trojans were involved in the Cloud Hopper campaign
  • Spear-phishing…
• 46. 03. Cloud Hopper - “thought to be one of the largest ever sustained global cyber espionage campaigns in an operation.”
  Anti-virus is not enough, and network detection is lacking:
  • Out of 300 defined IOCs, there are still 69 that no anti-virus software currently detects
  • Data was moved upstream with valid (stolen) credentials
• 47. Lessons Cloud Hopper - “thought to be one of the largest ever sustained global cyber espionage campaigns in an operation.”
  • Attacked ”everyone”, not just defence contractors…
  • Used for further infiltration
  • Outsourcing is very risky
  • Efficiency is NOT balanced with security when facing nation-state actors
  • No 2FA
  • The targets’ monitoring doesn’t catch the upstream attack (out of scope)
  The lessons are ongoing, but if you are Swedish a good start is to read the unprecedented FRA report: ”Åtgärdsförslag - Angrepp via tjänsteleverantörer”
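An added example for the Cloud Hopper lessons (mine, not from the talk, PwC or FRA): data moved upstream with valid MSP credentials looks like ordinary administration unless the target keeps the provider’s access inside the scope of its own monitoring. The script audits constructed authentication log lines against a policy of where, when and with what second factor each MSP account may log in; account names, addresses, service windows and the log format are all invented for the example.

```python
import re
from datetime import datetime, time

# Constructed policy: which MSP accounts exist, from which of the MSP's jump
# hosts they may log in, and during which service window. All names and
# addresses are invented for this example.
MSP_POLICY = {
    "msp-svc-backup": {"sources": {"10.200.0.5"}, "window": (time(22, 0), time(4, 0))},
    "msp-admin-ops": {"sources": {"10.200.0.5", "10.200.0.6"}, "window": (time(8, 0), time(18, 0))},
}

# Constructed authentication log lines (invented, not from any real incident).
SAMPLE_AUTH_LOG = """\
2017-04-03T23:10:02 login user=msp-svc-backup src=10.200.0.5 mfa=yes result=ok
2017-04-03T23:11:40 login user=msp-svc-backup src=10.200.0.5 mfa=yes result=ok
2017-04-04T03:15:09 login user=msp-admin-ops src=10.200.0.5 mfa=no result=ok
2017-04-04T11:02:33 login user=msp-admin-ops src=203.0.113.77 mfa=no result=ok
2017-04-04T11:03:10 login user=msp-admin-ops src=203.0.113.77 mfa=no result=fail
2017-04-04T12:20:00 login user=alice src=10.10.3.4 mfa=yes result=ok
"""

LINE_RE = re.compile(r"^(\S+) login user=(\S+) src=(\S+) mfa=(yes|no) result=(\S+)$")


def in_window(t, window):
    """True if clock time t falls inside window; the window may wrap midnight."""
    start, end = window
    if start <= end:
        return start <= t < end
    return t >= start or t < end


def audit_msp_logins(log_text, policy=MSP_POLICY):
    """Return (timestamp, user, reasons) for successful MSP logins that break policy."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, user, src, mfa, result = m.groups()
        if user not in policy or result != "ok":
            continue  # only successful logins with MSP accounts are in scope here
        rules = policy[user]
        reasons = []
        if src not in rules["sources"]:
            reasons.append("unexpected source")
        if not in_window(datetime.fromisoformat(ts).time(), rules["window"]):
            reasons.append("outside window")
        if mfa != "yes":
            reasons.append("no MFA")
        if reasons:
            findings.append((ts, user, reasons))
    return findings


if __name__ == "__main__":
    for ts, user, reasons in audit_msp_logins(SAMPLE_AUTH_LOG):
        print(ts, user, ", ".join(reasons))
```

The two backup logins pass (right jump host, inside the night window, second factor present); the two successful ops logins are reported, one for being outside the agreed window without MFA and one for coming from an address that is not the MSP’s jump host. The policy table is the part the outsourcing contract has to supply; without it the target has nothing to compare the provider’s logins against.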
• 48. 04. WannaCry, Petya, NotPetya - “To date, it was simply the fastest-propagating piece of malware we’ve ever seen”
  A month after the debut of WannaCry, NotPetya hit the world
  • using the same EternalBlue weakness (plus Mimikatz/pass-the-hash) to spread within corporate networks, but without being able to jump from one network to another
  • NotPetya was seeded to victims through a hacked version of a major accounting program widely used in Ukraine
• 49. 04. NotPetya - Wiperware - “In June 2017, the Russian military launched the most destructive and costly cyberattack in history”
  More than $10 billion in total damages
  • Maersk (shipping industry)
    • Every 15 minutes a Maersk ship docks somewhere in the world
    • 250-300 million USD in losses
    • 10-day blitz: 4000 servers, 45000 PCs and 2500 apps all rebuilt
    • 20% drop in productivity
    • 2 months of 24/7 work to rebuild Maersk’s software setup
  • Merck (pharmaceutical company)
    • 870 million USD in losses
    • Staff not allowed to work
  • FedEx/TNT Express (postal/shipping industry)
    • 400 million USD in losses
• 50. Lessons NotPetya
  • Be wary of doing business in war zones, even if they’re not ”hot”
  • Do you know where all parts of your network are geographically located?
  • Patch your systems
  • Use 2FA (at least for critical systems)
  • Separate email from critical systems
  • Network segmentation is a good thing
  • Have manual routines that work
  • Offline, off-site backup is a good thing
• 51. The Force Multipliers - or “how to fight the war from the trenches”
  Technical Controls
  • Strong authentication (two-factor: smart cards, YubiKey, SMS etc.)
  • Separation (physical and logical)
  • Security logging
  • Whitelisting/blacklisting
  • SANS Critical Security Controls / CIS 20
  Engineering
  • Know your network
  • Documentation vs. implementation
  • Threat modeling
  • Crown jewels
  • Think in graphs
  • Not everything is equal
  People
  • Relationships matter
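An added example for “think in graphs”, “crown jewels” and “not everything is equal” (written for this page, not from the talk): a list of controls does not show which ones matter until the environment is modelled as a graph of hops an intruder could take. The script enumerates paths from a user workstation to a crown-jewel server in a small constructed environment (invented host names and hops) and ranks hops by how many paths they carry, which is where segmentation or credential hygiene pays off first.

```python
from collections import defaultdict

# Constructed environment (hypothetical hosts; not from the slides).
# Each edge is a hop an intruder already on `src` could take to `dst`, and why.
EDGES = [
    ("ws-01", "ws-02", "flat user VLAN, SMB reachable"),
    ("ws-01", "ws-03", "flat user VLAN, SMB reachable"),
    ("ws-01", "mail-01", "SMTP reachable"),
    ("ws-01", "jump-01", "RDP open from the user VLAN"),
    ("ws-02", "dc-01", "helpdesk admin session cached on ws-02"),
    ("ws-03", "dc-01", "helpdesk admin session cached on ws-03"),
    ("dc-01", "fs-crown", "domain admin controls the file server"),
    ("jump-01", "fs-crown", "jump host allowed through the server firewall"),
]


def build_graph(edges):
    """Adjacency list from (src, dst, reason) triples."""
    graph = defaultdict(list)
    for src, dst, _reason in edges:
        graph[src].append(dst)
    return graph


def all_paths(graph, start, target):
    """Every simple path from start to target (DFS; fine for a small model)."""
    paths = []

    def walk(node, trail):
        if node == target:
            paths.append(list(trail))
            return
        for nxt in graph.get(node, []):
            if nxt not in trail:
                trail.append(nxt)
                walk(nxt, trail)
                trail.pop()

    walk(start, [start])
    return paths


def edge_load(paths):
    """Number of attack paths each hop lies on; hops on zero paths are absent."""
    load = defaultdict(int)
    for path in paths:
        for a, b in zip(path, path[1:]):
            load[(a, b)] += 1
    return dict(load)


def greedy_cut_set(edges, start, target):
    """Remove the hop carrying the most remaining paths until none are left.

    Returns the hops to cut, in order: the controls to prioritise.
    """
    remaining = [(a, b) for a, b, _ in edges]
    cuts = []
    while True:
        graph = build_graph([(a, b, "") for a, b in remaining])
        paths = all_paths(graph, start, target)
        if not paths:
            return cuts
        load = edge_load(paths)
        best = max(sorted(load), key=lambda hop: load[hop])
        cuts.append(best)
        remaining.remove(best)


if __name__ == "__main__":
    paths = all_paths(build_graph(EDGES), "ws-01", "fs-crown")
    for p in paths:
        print(" -> ".join(p))
    print("hops ranked:", sorted(edge_load(paths).items(), key=lambda kv: -kv[1]))
    print("cut first:", greedy_cut_set(EDGES, "ws-01", "fs-crown"))
```

In this model the mail server sits on no path at all, so hardening it first would be effort spent on the wrong list item, while the domain-admin hop into the file server sits on two of the three paths and the jump host’s firewall exception on the third. Those two hops are the crown-jewel controls; with them cut, the flat user VLAN is still unpleasant but no longer leads to the jewels.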
• 52. Help Wanted!
  "Ask not what your government can do for you, but what you can do for your government“ - John F. Kennedy
• 53. Give me your feedback! via the event mobile app
• 54. Credits and prior art 1/11 - "discovering truth by building on previous discoveries"
  Me, Myself & I
  • S05-08: Saab, the corporation video (6 min) - https://www.youtube.com/watch?v=2KsdPHsgR9Q
  • S05-08: The domains of war - https://saab.com/land/, https://saab.com/air/, https://saab.com/naval/, https://en.wikipedia.org/wiki/Cyberwarfare
  • S05-08: LinkedIn Cyber Security Domain Map - https://www.linkedin.com/pulse/map-cybersecurity-domains-version-20-henry-jiang-ciso-cissp
  • S05-08: Nixu Oy at 600Minutes Information and Cyber Security 2017 (Spotlight) - This is Nixu - https://www.youtube.com/watch?v=pwIIJnZ8pHo
  Threat models
  • S09-10: Cybergibbons on threat models - https://twitter.com/cybergibbons/status/1010981698593591296
  • S11: TheGrugq on threat models - https://twitter.com/thegrugq/status/864023197145944064
  Two types of threats
  • S12-13: H SÄK Grunder, 2013 - https://www.forsvarsmakten.se/siteassets/4-om-myndigheten/dokumentfiler/handbocker/h-sak-grunder.pdf
  • S12-13: IT-Säkerhetsarkitektur, 2015 - https://www.svk.se/siteassets/aktorsportalen/sakerhetsskydd/dokument/vagledning-it-sakerhetsarkitektur-final.pdf
  • S12-13: Picture - https://krypt3ia.files.wordpress.com/2018/06/espionge-in-the-modern-age-of-information-warfare.pdf
  Military doctrine
  • S14: Wikipedia - Military Doctrine - https://en.wikipedia.org/wiki/Military_doctrine
  • S14: Doctrine - Military usage - https://en.wikipedia.org/wiki/Doctrine#Military_usage
  The five (5) domains of war
  • S15: Cyber - the fifth domain of war - https://www.economist.com/news/briefing/16478792-are-mouse-and-keyboard-new-weapons-conflict-war-fifth-domain
  • S15: Is War in the Sixth Domain the End of Clausewitz? - http://blogsofwar.com/is-war-in-the-sixth-domain-the-end-of-clausewitz/
  • S15: History of infantry warfare - https://en.wikipedia.org/wiki/Infantry
  • S15: History of cavalry warfare - https://en.wikipedia.org/wiki/Cavalry
  • S15: History of Catapults - https://en.wikipedia.org/wiki/Catapult
  • S15: History of Crossbows - https://en.wikipedia.org/wiki/Crossbow#History
  • S15: History of Handguns & Revolvers - https://en.wikipedia.org/wiki/Handgun#History, https://en.wikipedia.org/wiki/Revolver#History
  • S15: History of the Gatling gun - https://en.wikipedia.org/wiki/Gatling_gun#History
• 55. Credits and prior art 2/11 - "discovering truth by building on previous discoveries"
  The five (5) domains of war
  • S15: History of vehicle warfare - https://en.wikipedia.org/wiki/Armoured_train
  • S15: History of vehicle warfare - https://en.wikipedia.org/wiki/Armored_car_(military)
  • S15: History of tank warfare - https://en.wikipedia.org/wiki/Tank
  • S15: History of naval warfare - https://en.wikipedia.org/wiki/Navy
  • S15: History of submarine warfare - https://en.wikipedia.org/wiki/Submarine
  • S15: History of air warfare - https://en.wikipedia.org/wiki/Air_force
  • S15: Space warfare - https://en.wikipedia.org/wiki/Space_warfare
  The Concept of Fifth Dimension Operations
  • S16: Fifth Dimension Operations - https://en.wikipedia.org/wiki/Fifth_Dimension_Operations
  • S16: Quote, Francis deSouza, RSA Conference US 2013 - http://privacy-pc.com/articles/symantecs-francis-desouza-on-building-a-higher-order-of-security-intelligence.html
  • S16: Quote, Joshua Corman - https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/
  • S16: Picture, Cyber war tag cloud - http://www.europarl.europa.eu/EPRS/EPRS-Briefing-542143-Cyber-defence-in-the-EU-FINAL.pdf
  The Intelligence Community - Espionage et al.
  • S17: Author of The Arthashastra - https://en.wikipedia.org/wiki/Chanakya
  • S17: Author of the Art of War - https://en.wikipedia.org/wiki/Sun_Tzu
  • S17: Father of Modern espionage - https://en.wikipedia.org/wiki/Francis_Walsingham
  • S17: Defining European espionage scene - https://dailyhistory.org/How_Did_Spy_Services_Develop_in_Russia%3F
  • S17: History of espionage - https://en.wikipedia.org/wiki/History_of_espionage
  • S17: List of intelligence gathering disciplines - https://en.wikipedia.org/wiki/List_of_intelligence_gathering_disciplines
  • S17: Signals intelligence - https://en.wikipedia.org/wiki/Signals_intelligence
  Cyber: SIGINT at rest vs. HUMINT in motion
  • S18: Perspectives on Intelligence Collection - https://www.afio.com/publications/CLARK%20Pages%20from%20AFIO_INTEL_FALLWINTER2013_Vol20_No2.pdf
  • S18: Twitter, The Grugq - https://twitter.com/thegrugq/status/974333937509007361
• 56. Credits and prior art 3/11 - "discovering truth by building on previous discoveries"
  Espionage’s most valuable resource is data
  • S19: PhD Thesis (486 pages, worth it!), The IC’s role in the creation of a major military innovation - http://ebot.gmu.edu/bitstream/handle/1920/10613/Wiener_gmu_0883E_11318.pdf
  • S19: Data is the world’s most valuable resource - https://www.economist.com/leaders/2017/05/06/the-worlds-most-valuable-resource-is-no-longer-oil-but-data
  Grey is the new black
  • S20: Grey is the new black: covert action and implausible deniability (18 pages) - https://academic.oup.com/ia/article/94/3/477/4992414
  The evolution of state sponsored conflict (war)
  • S21-22: Picture - https://krypt3ia.files.wordpress.com/2018/06/espionge-in-the-modern-age-of-information-warfare.pdf
  Cyber Trumps Terrorism as Priority Threat #1
  • S23: Quote, James Clapper - https://electrospaces.blogspot.com/2014/09/nsas-strategic-mission-list.html
  Geopolitics - An overlooked influencer in Cyber Ops
  • S24-25: Picture - https://www.washingtonpost.com/world/russia-unnerves-its-neighbors/2014/11/23/ef79e1d0-738a-11e4-9c9f-a37e29e80cd5_graphic.html?utm_term=.4470722bc5ab
  • S24-25: Geopolitics: An Overlooked Influencer in Cyber Operations - https://www.recordedfuture.com/geopolitical-cyber-operations/
  • S24-25: Cyber war in perspective: Russian aggression against Ukraine (175 pages) - https://ccdcoe.org/uploads/2018/10/CyberWarinPerspective_full_book.pdf
  • S24-25: Made in China 2025, Explained - https://thediplomat.com/2019/02/made-in-china-2025-explained/
  • S24-25: Chinese geopolitics: continuities, inflections, uncertainties - http://www.cadtm.org/Chinese-geopolitics-continuities-inflections-uncertainties
  • S24-25: When the China dream and the European dream collide - https://warontherocks.com/2019/01/when-the-china-dream-and-the-european-dream-collide/
  • S24-25: New Silk Road calls for Rotterdam to take on a directing role - http://smart-port.nl/new-silk-road-calls-for-rotterdam-to-take-on-a-directing-role/
  • S24-25: How China is redrawing the map of world science - https://www.nature.com/immersive/d41586-019-01124-7/index.html
  No friendly services
  • S26: The Ten Commandments of Counterintelligence - https://www.cia.gov/library/center-for-the-study-of-intelligence/kent-csi/vol45no5/html/v45i5a08p.htm
  • S26: Quote, Raymond Rocca - https://twitter.com/WylieNewmark/status/1165993444185116673
• 57. Credits and prior art 4/11 - "discovering truth by building on previous discoveries"
  Advanced persistent threat (APT)
  • S27: How nation-states and criminal syndicates use exploits to bypass security - https://www.slideshare.net/cisoplatform7/how-nationstates-and-criminal-syndicates-use-exploits-to-bypass-security
  • S27: Cyber war in perspective: Russian aggression against Ukraine - https://ccdcoe.org/uploads/2018/10/CyberWarinPerspective_full_book.pdf
  • S27: Congressional Research Service, North Korean Cyber Capabilities: In Brief - https://nsarchive2.gwu.edu/dc.html?doc=3986441-Congressional-Research-Service-North-Korean
  • S27: Kaspersky Lab, Lazarus Under the Hood - https://nsarchive2.gwu.edu/dc.html?doc=3673007-Document-07-Kaspersky-Lab-Lazarus-Under-the-Hood
  • S27: Huawei, 5G and China as a Security Threat - https://ccdcoe.org/uploads/2019/03/CCDCOE-Huawei-2019-03-28-FINAL.pdf
  APT groups aka advanced threat actors
  • S28: MITRE ATT&CK Group pages - https://attack.mitre.org/groups/
  • S28: Mandiant/FireEye report about APT1 to US Congress which outed China (2013, Nov) - https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf
  • S28: 2013 REPORT TO CONGRESS of the U.S.-CHINA ECONOMIC AND SECURITY REVIEW COMMISSION - https://www.uscc.gov/sites/default/files/annual_reports/Complete%202013%20Annual%20Report.PDF
  The Definition / Scope
  • S29-30: Picture - https://www.nixu.com/sites/default/files/Nixu_CMD_deck_FINAL.pdf
  01. Stuxnet & Lessons
  • S32-36: What type of malware is Stuxnet? - https://www.quora.com/What-type-of-malware-is-Stuxnet
  • S32-36: Spy Virus Linked to Israel Targeted Hotels Used for Iran Nuclear Talks - https://www.wsj.com/articles/spy-virus-linked-to-israel-targeted-hotels-used-for-iran-nuclear-talks-1433937601
  • S32-36: Stuxnet - an American and Israeli effort to undermine the Iranian nuclear program - https://www.nytimes.com/2012/06/01/world/middleeast/obama-ordered-wave-of-cyberattacks-against-iran.html
  • S32-36: Stuxnet Dossier - http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf
  • S32-36: Duqu - http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_duqu_the_precursor_to_the_next_stuxnet.pdf
  • S32-36: RSA 2013: Symantec shows proof that Stuxnet has been striking since at least 2007 - http://www.scmagazine.com/rsa-2013-symantec-shows-proof-that-stuxnet-has-been-striking-since-at-least-2007/article/281979/
  • S32-36: Duqu 2.0 - https://securelist.com/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/70504/
• 58. Credits and prior art 5/11 - "discovering truth by building on previous discoveries"
  S37: USB Peripherals - The weapon of choice
  1. 2017-03-06: Trump, Putin, and the New Cold War - https://www.newyorker.com/magazine/2017/03/06/trump-putin-and-the-new-cold-war
     “In 2008 (---) Russian hackers accomplished a feat that Pentagon officials considered almost impossible: breaching a classified network that wasn’t even connected to the public Internet. Apparently, Russian spies had supplied cheap thumb drives, stocked with viruses, to retail kiosks near NATO headquarters in Kabul, betting, correctly, that a U.S. serviceman or woman would buy one and insert it into a secure computer.”
  2. 2016-06-22: Say hello to BadUSB 2.0: A USB man-in-the-middle attack proof of concept - https://www.csoonline.com/article/3087484/security/say-hello-to-badusb-20-usb-man-in-the-middle-attack-proof-of-concept.html
     “BadUSB 2.0 is an inline hardware implant capable of compromising USB fixed-line communications. It 'can eavesdrop, replay, modify, fabricate, exfiltrate data and BadUSB in one device.'”
  3. 2017-04-10: HIDden gem: Low-cost Digispark USB now quacks DuckyScript - https://www.nixu.com/blog/hidden-gem-low-cost-digispark-usb-now-quacks-duckyscript
     “This allows you to use existing or custom DuckyScript payloads and convert those to Arduino sketches to run on Digispark compatible hardware. Download from GitHub: https://github.com/nixu-corp/Dckuino.js or use the online version: https://nixu-corp.github.io”
     “Cheaper alternatives (in the $15-$20 price range) exist, such as PJRC’s Teensy, which can count on support from several pen testing tools such as the Social Engineering Toolkit, Nikhil Mittal’s Kautilya and Powershell Empire. Another viable alternative is the Arduino Micro, which just like the Teensy, comes as a circuit board with a female mini-B USB port. Its form factor is not exactly suitable for fitting in a thumb drive enclosure, but hey, who needs one if you can hide your HID inside an ultra-cool USB-gadget of your choice? Another option is to put your 3D-printer at work.”
  4. 2014-07-31: Why the security of USB is fundamentally broken - https://www.wired.com/2014/07/usb-security/
     “In this new way of thinking, you have to consider a USB infected and throw it away as soon as it touches a non-trusted computer.”
     ““You can give it to your IT security people, they scan it, delete some files, and give it back to you telling you it’s 'clean,'" says Nohl. But unless the IT guy has the reverse engineering skills to find and analyze that firmware, “the cleaning process doesn’t even touch the files we’re talking about.””
  5. 2014-10-02: The Unpatchable Malware That Infects USBs Is Now on the Loose - https://www.wired.com/2014/10/code-published-for-unfixable-usb-attack/
     "This was largely inspired by the fact that [SR Labs] didn't release their material. If you're going to prove that there's a flaw, you need to release the material so people can defend against it."
• 59. Credits and prior art 6/11 - "discovering truth by building on previous discoveries"
  S37: USB Peripherals - The weapon of choice
  6. 2013-10-29: Russia 'spied on G20 leaders with USB sticks' - http://www.telegraph.co.uk/news/worldnews/europe/russia/10411473/Russia-spied-on-G20-leaders-with-USB-sticks.html
     “The USB pen drives and the recharging cables were able to covertly capture computer and mobile phone data,”
  7. 2013-12-29: Inside Tailored Access Operations (TAO) - Documents Reveal Top NSA Hacking Unit - http://www.spiegel.de/international/world/the-nsa-uses-powerful-toolbox-in-effort-to-spy-on-global-networks-a-940969.html
     “TAO specialists have directly accessed the protected networks of democratically elected leaders of countries. They infiltrated networks of European telecommunications companies and gained access to and read mails sent over Blackberry's BES email servers, which until then were believed to be securely encrypted. Achieving this last goal required a "sustained TAO operation," one document states.”
     “The technical term for this type of activity is "Computer Network Exploitation" (CNE). The goal here is to "subvert endpoint devices," according to an internal NSA presentation that SPIEGEL has viewed. The presentation goes on to list nearly all the types of devices that run our digital lives -- "servers, workstations, firewalls, routers, handsets, phone switches, SCADA systems, etc."”
  8. 2013-12-29: Shopping for Spy Gear - Catalog Advertises NSA Toolbox - http://www.spiegel.de/international/world/catalog-reveals-nsa-has-back-doors-for-numerous-devices-a-940994.html
     Advanced or Access Network Technology (ANT)
     “Another program attacks the firmware in hard drives manufactured by Western Digital, Seagate, Maxtor and Samsung, all of which, with the exception of the latter, are American companies. Here, too, it appears the US intelligence agency is compromising the technology and products of American companies.”
     “Computer bugging devices disguised as normal USB plugs, capable of sending and receiving data via radio undetected, are available in packs of 50 for over $1 million.”
  9. 2015-01-17: The Digital Arms Race - NSA Preps America for Future Battle - http://www.spiegel.de/international/world/new-snowden-docs-indicate-scope-of-nsa-preparations-for-cyber-battle-a-1013409.html
     “Even before NSA management massively expanded the ROC group during the summer of 2005, the department's motto was, "Your data is our data, your equipment is our equipment."”
     “Among the data on "sensitive military technologies" hit in the attack were air refueling schedules, the military logistics planning system, missile navigation systems belonging to the Navy, information about nuclear submarines, missile defense and other top secret defense projects. The desire to know everything isn't, of course, an affliction only suffered by the Chinese, Americans, Russians and British. Years ago, US agents discovered a hacking operation originating in Iran in a monitoring operation that was codenamed Voyeur. A different wave of attacks, known as Snowglobe, appears to have originated in France.”
• 60. Credits and prior art 7/11 - "discovering truth by building on previous discoveries"
  S37: USB Peripherals - The weapon of choice
  10. 2014-11-03: An Unprecedented Look at Stuxnet, the World's First Digital Weapon - https://www.wired.com/2014/11/countdown-to-zero-day-stuxnet/
      “Because the computers are air-gapped from the internet, however, they cannot be reached directly by the remote attackers. So the attackers have designed their weapon to spread via infected USB flash drives.”
  11. 2017-01-10: Inside a low budget consumer hardware espionage implant - https://ha.cking.ch/s8_data_line_locator/
      “It can, e.g., be called to listen to a live audio feed from a small microphone within the device, as well as programmed to call back if the sound level surpasses a 45 dB threshold. The fact that the device can be repackaged in its sliding case, after configuring it, i.e. inserting a SIM, without any noticeable marks to the packaging suggests its use-case: covert espionage.”
  12. 2017-08-12: USB Devices Vulnerable to Crosstalk Data Leaks - https://www.bleepingcomputer.com/news/security/usb-devices-vulnerable-to-crosstalk-data-leaks/
      "For the practical side of their research, scientists used a modified off-the-shelve plug-in lamp with a USB connector to log every key stroke from an adjacent USB keyboard. They then sent the data to another PC via Bluetooth."
  13. 2017-03-11: USG works like a firewall for USB connections - https://www.bleepingcomputer.com/news/hardware/this-device-works-as-a-firewall-for-your-usb-ports/
      "...the recently released USG v1.0 only supports a data transfer speed of up to 1 MB/s, much inferior to commercial USB devices that work in the range of tens of MB/s. In addition, USG only supports USB mass storage (flash drives), keyboards, and mice"
  14. 2017-11-07: Linux Has a USB Driver Security Problem - https://www.bleepingcomputer.com/news/security/linux-has-a-usb-driver-security-problem/
      "The 14 flaws are actually part of a larger list of 79 flaws Konovalov found in Linux kernel USB drivers during the past months. Not all of these 79 vulnerabilities have been reported, let alone patched. Most are simple DoS (Denial of Service) bugs that freeze or restart the OS, but some allow attackers to elevate privileges and execute malicious code."
• 61. Credits and prior art 8/11 - "discovering truth by building on previous discoveries"
  S37: USB Peripherals - The weapon of choice
  15. 2016-11-16: PoisonTap Can Hijack Web Traffic and Install Backdoors on Password-Protected PCs - https://www.bleepingcomputer.com/news/security/poisontap-can-hijack-web-traffic-and-install-backdoors-on-password-protected-pcs/
      "PoisonTap works by spoofing an over-USB Ethernet adapter, which sets up as the primary source of Internet traffic for all IPv4 addresses. Windows and OS X will automatically recognize and install the fake Ethernet adapter, even when the machine is locked. This tricks the computer in sending all web traffic to PoisonTap."
  16. 2017-10-17: Here's a Video of the Latest ATM Malware Sold on the Dark Web - https://www.bleepingcomputer.com/news/security/heres-a-video-of-the-latest-atm-malware-sold-on-the-dark-web/
      "A hacker or hacker group is selling a strain of ATM malware that can make ATMs spit out cash just by connecting to its USB port and running the malware."
  17. 2018-03-13: Here's a List of 29 Different Types of USB Attacks - https://www.bleepingcomputer.com/news/security/heres-a-list-of-29-different-types-of-usb-attacks/
      "Researchers from the Ben-Gurion University of the Negev in Israel have identified 29 ways in which attackers could use USB devices to compromise users' computers. The research team has classified these 29 exploitation methods in four different categories, depending on the way the attack is being carried out."
  18. 2018-06-22: Tick Group Weaponized Secure USB Drives to Target Air-Gapped Critical Systems - https://researchcenter.paloaltonetworks.com/2018/06/unit42-tick-group-weaponized-secure-usb-drives-target-air-gapped-critical-systems/
      “The weaponization of a secure USB drive is an uncommon attack technique and likely done in an effort to spread to air-gapped systems, which are systems that do not connect to the public internet. In addition, our research shows that the malware used in these attacks will only try to infect systems running Microsoft Windows XP or Windows Server 2003.”
• 62. Credits and prior art 9/11 - "discovering truth by building on previous discoveries"
  02. QinetiQ North America Attack & Lessons
  • S38-42: 'Chinese' attack sucks secrets from US defence contractor - http://www.theregister.co.uk/2013/05/02/china_us_hacking_qinetiq_apt/
  • S38-42: Hackers in China compromise US defense secrets - https://www.bloomberg.com/graphics/infographics/hackers-in-china-compromise-us-defense-secrets.html
  • S38-42: Cyber Espionage and the Theft of U.S. Intellectual Property and Technology - https://www.uscc.gov/sites/default/files/Wortzel-OI-Cyber-Espionage-Intellectual-Property-Theft-2013-7-9.pdf
  03. Cloud Hopper & Lessons
  • S43-47: Operation Cloud Hopper - https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html/
  • S43-47: The Weakest Link - https://newsfromthelab.files.wordpress.com/2017/04/the-weakest-link-f-secure-state-of-cyber-security-2017.pdf
  • S43-47: FRA:s åtgärdsförslag med anledning av angrepp mot tjänsteleverantörer - http://www.fra.se/snabblankar/nyheterochpress/nyhetsarkiv/nyheter/frasatgardsforslagmedanledningavangreppmottjansteleverantorer.411.html
  • S43-47: Så identifieras Cloud Hopper APT10 - https://kryptera.se/sa-identifierars-cloud-hopper-apt10/
  • S43-47: APT10 - Operation Cloud Hopper - https://baesystemsai.blogspot.com/2017/04/apt10-operation-cloud-hopper_3.html
  • S43-47: Global targeting of enterprises via managed service providers - https://www.ncsc.gov.uk/information/global-targeting-enterprises-managed-service-providers
  • S43-47: Inside the West’s failed fight against China’s ‘Cloud Hopper’ hackers - https://www.reuters.com/investigates/special-report/china-cyber-cloudhopper/
  04. WannaCry, Petya, NotPetya & Lessons
  • S48-50: The White House Blames Russia for NotPetya, the 'Most Costly Cyberattack In History' - https://www.wired.com/story/white-house-russia-notpetya-attribution/
  • S48-50: WannaCry, Petya, NotPetya: how ransomware hit the big time in 2017 - https://www.theguardian.com/technology/2017/dec/30/wannacry-petya-notpetya-ransomware
  • S48-50: The Untold Story of NotPetya, the Most Devastating Cyberattack in History - https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/
  • S48-50: NotPetya Ushered In a New Era of Malware - https://www.vice.com/en_us/article/7x5vnz/notpetya-ushered-in-a-new-era-of-malware
• 63. Credits and prior art 10/11 - "discovering truth by building on previous discoveries"
  The force multipliers - or “how to fight the war from the trenches”
  • S51: Strong authentication - https://en.wikipedia.org/wiki/Strong_authentication
  • S51: YubiKey - https://en.wikipedia.org/wiki/YubiKey
  • S51: Smart Cards - https://en.wikipedia.org/wiki/Smart_card
  • S51: Google Authenticator - https://en.wikipedia.org/wiki/Google_Authenticator
  • S51: Google: Security Keys Neutralized Employee Phishing - https://krebsonsecurity.com/2018/07/google-security-keys-neutralized-employee-phishing/
  • S51: Microsoft: Using multi-factor authentication blocks 99.9% of account hacks - https://www.zdnet.com/article/microsoft-using-multi-factor-authentication-blocks-99-9-of-account-hacks/
  • S51: Separation (physical and logical). Unfortunately I have not found any good public resources describing this.
    - The basis of the separation concept is the idea of a security domain - https://en.wikipedia.org/wiki/Security_domain - which is based on the concept of domain based security - https://en.wikipedia.org/wiki/Domain_Based_Security
    - Examples of network separation:
      - Logical separation, VLAN som separationsmetod för industriella styrsystemsnät - https://www.foi.se/rapportsammanfattning?reportNo=FOI-R--4070--SE
      - Unidirectional network (a common separation mechanism within military networks) - https://en.wikipedia.org/wiki/Unidirectional_network
  • S51: Security logging - https://en.wikipedia.org/wiki/Security_information_and_event_management
  • S51: Whitelisting/blacklisting - https://en.wikipedia.org/wiki/Whitelisting#Program_whitelists & https://en.wikipedia.org/wiki/Blacklist_(computing)#Information_systems
  • S51: SANS Critical Security Controls - https://www.cisecurity.org/controls/ & https://www.sans.org/critical-security-controls
  • S51: (Know your network) NSA TAO Chief on Disrupting Nation State Hackers video (38 min) - https://www.youtube.com/watch?v=bDJb8WOJYdA
  • S51: (Know your network) Improving the Security of Your Site by Breaking Into it (20 pages) - http://www.dcs.ed.ac.uk/home/rah/Resources/Security/admin_guide_to_cracking.pdf
  • S51: (Threat modelling) “Think Like an Attacker” is an opt-in mistake - http://emergentchaos.com/archives/2016/04/think-like-an-attacker-is-an-opt-in-mistake.html
  • S51: Defenders think in lists. Attackers think in graphs. As long as this is true, attackers win - https://blogs.technet.microsoft.com/johnla/2015/04/26/defenders-think-in-lists-attackers-think-in-graphs-as-long-as-this-is-true-attackers-win/
• 64. Credits and prior art 11/11 - "discovering truth by building on previous discoveries"
  Help Wanted
  • S52: Help Wanted! - https://twitter.com/steffanwatkins/status/976107933305098240
  General inspiration for this talk:
  • Black Hat Asia 2018 Day 2 Keynote: A Short Course in Cyber Warfare presented by The Grugq - https://youtu.be/gvS4efEakpY
  • Elizabeth (1998) - https://www.imdb.com/title/tt0127536/
  Books you should read that might have been mentioned but aren’t represented by a slide:
  • Site Reliability Engineering, How Google Runs Production Systems (552 pages) - http://shop.oreilly.com/product/0636920041528.do
  • Vem kan man lita på?: den globala övervakningens framväxt (304 pages) - http://www.adlibris.com/se/bok/vem-kan-man-lita-pa-den-globala-overvakningens-framvaxt-9789175453958
  • Konsten att gissa rätt - Underrättelsevetenskapens grunder (218 pages) - https://www.adlibris.com/se/bok/konsten-att-gissa-ratt---underrattelsevetenskapens-grunder-9789144004389
  • The Perfect Weapon: War, Sabotage, and Fear in the Cyber Age (384 pages) - https://www.amazon.com/Perfect-Weapon-Sabotage-Fear-Cyber/dp/0451497899
  If you lack references to something I mentioned, please contact me.