Stuxnet and the era of cyber sabotage
In 2010, F-Secure’s teams learned a hard lesson about the risks facing industrial control systems and factory automation. That was the year of the Stuxnet computer worm, an event so significant that sector specialists now talk about the time before Stuxnet and the time after Stuxnet.
The worm was looking for one very specific installation: a plant with high-frequency power converters arranged in a particular configuration that existed in only one place in the world. F-Secure’s experts were already suspicious, because during the summer of 2010 nuclear tensions concerning Iran were at their peak, which led them to suspect that Stuxnet was targeting the Iranian nuclear sector.
So they set out to find out whether one of Iran’s nuclear facilities had the configuration the worm was looking for. They found the answer easily, in photographs posted on the Iranian president’s website showing his visit to the Natanz nuclear facility two years earlier.
This evidence proved that the worm was a case of government use of cyber power. Governments are interested in cyber weapons because they are effective, accessible, and provide deniability; a unique and most interesting combination for any type of weapon.
However, the Stuxnet attack was not part of a cyberwar. In fact, the attackers (the United States and Israel) were not even at war with the target (Iran). It was actually more a case of cyber sabotage. Contrary to apocalyptic media headlines, most of the states analysed by information security experts are not at war. Instead, they are either the targets or the perpetrators of espionage or sabotage.
What is cyberwar?
The now infamous NotPetya attack (initially reported as a variant of the Petya ransomware) took place in the summer of 2017. The malware targeted Windows computers running an accounting package developed in Kiev, Ukraine. That package was used almost exclusively by companies operating in Ukraine, which made the situation unique in the history of information security.
Unidentified Russian attackers compromised the software vendor’s update server. Then, on 27 June 2017, they used the vendor’s official update channel to push a malicious update containing the malware to every user of the software. Any company whose workstation fetched the update that day was infected, and the malware immediately began spreading through the company’s network, overwriting the master boot records of laptops, desktops and servers.
Ukraine was the first country affected, and this was not the first time it had been targeted by Russia. In this case the attack does constitute cyberwarfare, because the two nations are at war. This is even clearer when we consider the attack of December 2015, when Russia struck Ukraine’s electricity distributors and cut power to some 250 000 civilians in the middle of winter.
Cyberwar is the newest domain of war and conflict, after land warfare (swords, bows and arrows), sea warfare (navigation technology), air warfare (aeronautics) and, more recently, satellite and space warfare. Today, cyberspace is the new battleground.
However, companies outside Ukraine were also hit by the NotPetya episode: international brands such as Oreo, Durex, Saint-Gobain and Nivea, which do business worldwide (including in Ukraine), were harmed as well.
Because these companies had to file taxes with the Ukrainian government, they ran the same accounting software, and a single workstation running the infected update was enough to carry the malware past their perimeter defences. From there it spread inexorably through networks that were poorly segmented and insufficiently secured.
It is unclear whether the spread of NotPetya to western companies was collateral damage or a message addressed directly to them to stop doing business with Ukraine. Either way, it was the costliest information security incident in history to date.
How to deal with cyberattacks?
For years, information security experts advised companies to deploy powerful firewalls, intrusion prevention systems, filters, proxies and antivirus software in order to build a kind of inviolable safe around the network. However, once an attacker gets inside that safe by an unexpected route, detecting the intrusion quickly is extremely difficult: on average it takes a company around 200 days to realise that it has been breached.
Today, F-Secure’s information security experts can place sensors inside networks to collect telemetry and establish what normal activity looks like. Once that baseline exists, anomalies can be singled out with advanced techniques such as machine learning before a human analyst needs to get involved.
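As an added illustration of the baseline-then-anomaly approach described above (example code written for this page, not F-Secure’s sensor or product code), the script below builds a per-host baseline from internal flow records and then flags hosts that deviate from it. The flow records, host names, port numbers and thresholds are all constructed for the example. The anomaly it models, one workstation suddenly fanning out to dozens of internal hosts on a file-sharing port and touching a port never seen in the baseline, is the kind of lateral spread an internal sensor would have seen during the NotPetya outbreak.

```python
"""Baseline-and-anomaly detection over internal network flow records.

Added illustration, not F-Secure's code. All flow records below are
constructed; the z-score threshold and the standard-deviation floor are
assumptions chosen for the example.
"""
from collections import defaultdict
from dataclasses import dataclass
import statistics

# A flow record is (src_host, dst_host, dst_port): what an internal sensor
# could derive from connection logs or NetFlow-style telemetry.
Flow = tuple[str, str, int]


def _flows(src: str, targets: list[tuple[str, int]]) -> list[Flow]:
    """Expand one source host's (destination, port) pairs into flow records."""
    return [(src, dst, port) for dst, port in targets]


# Constructed "normal week": workstations talk to DNS, the web proxy and
# one file server; one of them also uses a network printer.
_NORMAL = [("dns01", 53), ("proxy01", 3128), ("fs01", 445)]
BASELINE_FLOWS: list[Flow] = (
    _flows("ws01", _NORMAL)
    + _flows("ws02", _NORMAL[:2])
    + _flows("ws03", _NORMAL)
    + _flows("ws04", _NORMAL + [("print01", 9100)])
    + _flows("ws05", _NORMAL)
    + _flows("ws06", _NORMAL[:2])
)

# Constructed "today": ws01 behaves as usual, but ws03 contacts thirty other
# workstations on the file-sharing port and probes one on a port never seen
# in the baseline (135), the pattern a worm spreading laterally produces.
LIVE_FLOWS: list[Flow] = _flows("ws01", _NORMAL) + _flows(
    "ws03", [(f"ws{n:02d}", 445) for n in range(10, 40)] + [("ws10", 135)]
)


@dataclass(frozen=True)
class HostProfile:
    fanout: int            # number of distinct internal destinations contacted
    ports: frozenset[int]  # destination ports used


@dataclass(frozen=True)
class Baseline:
    mean_fanout: float
    stdev_fanout: float
    ports: frozenset[int]  # every destination port seen during the baseline


def profile_hosts(flows: list[Flow]) -> dict[str, HostProfile]:
    """Summarise each source host's behaviour from a list of flow records."""
    dests: dict[str, set[str]] = defaultdict(set)
    ports: dict[str, set[int]] = defaultdict(set)
    for src, dst, port in flows:
        dests[src].add(dst)
        ports[src].add(port)
    return {h: HostProfile(len(dests[h]), frozenset(ports[h])) for h in dests}


def build_baseline(flows: list[Flow], min_stdev: float = 1.0) -> Baseline:
    """Learn what 'normal' looks like: fan-out statistics and the port set.

    min_stdev (an assumed floor) stops a very uniform baseline from turning
    trivial variation into alerts when the standard deviation is near zero.
    """
    profiles = profile_hosts(flows)
    fanouts = [p.fanout for p in profiles.values()]
    all_ports = frozenset().union(*(p.ports for p in profiles.values()))
    return Baseline(
        mean_fanout=statistics.fmean(fanouts),
        stdev_fanout=max(statistics.pstdev(fanouts), min_stdev),
        ports=all_ports,
    )


def detect_anomalies(baseline: Baseline, flows: list[Flow],
                     z_threshold: float = 3.0) -> list[tuple]:
    """Return (host, reason, detail) findings for hosts deviating from baseline."""
    findings: list[tuple] = []
    for host, prof in sorted(profile_hosts(flows).items()):
        # Fan-out far above the baseline mean: scanning or worm-like spread.
        z = (prof.fanout - baseline.mean_fanout) / baseline.stdev_fanout
        if z > z_threshold:
            findings.append((host, "fan-out", round(z, 1)))
        # Any destination port the baseline never saw is worth a look.
        new_ports = sorted(prof.ports - baseline.ports)
        if new_ports:
            findings.append((host, "new-port", new_ports))
    return findings


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_FLOWS)
    for finding in detect_anomalies(baseline, LIVE_FLOWS):
        print(finding)
```

The baseline here is deliberately simple (fan-out and port set per host); a real sensor would also learn time-of-day patterns, byte volumes and peer groups, and a machine-learning model would replace the hand-picked z-score threshold. The structure is the same: learn normal first, then rank deviations for the analyst.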
Information security professionals face increasingly complex challenges. Today everything is a computer, everything is connected, and everything is becoming "smart". It is no longer only computers that need protecting, but every new kind of device: smartphones, smartwatches and, very soon, smart cars and smart cities.
For example, a large number of credit card numbers were stolen through a major retailer’s own point-of-sale terminals four years ago. The attackers got in through the network access used for the store’s ventilation system, moved from there to its corporate network, then to its payment network, and finally to the card terminals themselves.
So, although keeping attackers out of the network remains important, it is just as essential to be able to detect a breach quickly and respond to it. The more important the network, the greater the risk that it will eventually be compromised.
Speaker: Mikko Hypponen, F-SECURE