At 11:42 pm, Britt’s eyes snapped open. She shot up in bed, wide awake, heart pounding. Sirens screamed. Her neighbors hollered and scrambled around the courtyard of her modern Dallas apartment complex. The Midwest native is accustomed to hearing storm sirens. The Dallas sirens were different. And louder. The blaring monotone warning radiated from every direction.
“In a tornado, the siren will shut off when the storm passes. These were much louder and blasted for a long time. We had no idea what was going on, but we knew it wasn’t a tornado. There was a guy standing close to my window screaming, ‘We’re at war! The shit’s going down!'” For a fleeting moment, she said, “I thought he might be right.”
On April 7, 2017, a radio frequency trigger hack caused 156 emergency sirens in Dallas, a city of 1.2 million people, to wail concurrently for 81 minutes. The incident serves as a clarion call to organizations everywhere that cyberweapons could be used against your infrastructure in order to make a statement.
“Technically, each siren went off for 90 seconds, 15 times. There was a lot of confusion,” said Dallas public information officer Richard Hill, because there were no storms in the region. “We had close to 4,000 calls to 911. The system was nearly overwhelmed.”
The Dallas siren episode will be increasingly common, and enterprise companies and public organizations are targets. CIOs will have to adapt to an increasingly volatile security landscape driven by new Internet of Things threats, malware, and artificial intelligence. Consider: A ransomware attack that hit the U.K.’s National Health Service (NHS) brought down hospital systems initially, then went global.
As a show-of-force in December 2015, cyberattacks by Russian-linked hackers took down a large portion of the Ukraine power grid. “The initial breach of the Ukraine power grid was–as so often in cyberattacks–down to the human factor,” wrote ZDNet’s Charles McLellan. “Spearphishing and social engineering were used to gain entry to the network. Once inside, the attackers exploited the fact that operational systems–the ones that controlled the power grid–were connected to regular IT systems.”
It remains to be seen whether CIOs and enterprise companies realize they are already in the middle of a cyberwar. But it is clear that attackers may compromise your company to make a statement, your network could be used as a staging area for a larger attack, and malware is likely to use artificial intelligence in the near future. Enterprises will have to be as vigilant as nation states when it comes to attacks. This story lends perspective on the evolving cyberweapons landscape, how AI will shape the future of security, and best practices for defense.
Dallas’ outdoor warning system, like most municipalities in the United States, is radio controlled and triggered when a storm is imminent by a signal sent from the National Weather Service. For security reasons, the city of Dallas would not discuss the details of how the system was compromised. But the city’s senior public information officer, Monica Cordova, said, “we believe [the attack] came from the Dallas area.”
Dallas police are working with the FBI and “special agencies,” Cordova said, to examine “how [emergency systems] interface with other systems in the city and validate what we think happened. The investigation will also examine the water system, radio network, 911 and 311, police-fire dispatch, flood warning system, [and] financial systems.”
It could take the city’s leaders months to reveal what many security experts already know: Cyberattacks against outdated critical infrastructure are as easy to execute as the stakes are high. And the arsenal of cyberweapons–malware that is designed to inflict disruption, damage, and destruction–is growing rapidly.
“As technology is increasingly integrated into the manner in which our society operates,” said Chris Pogue, CISO of cybersecurity firm Nuix, “the potential of cyberattacks that have a kinetic impact also increases.”
Pogue can rattle off a long list of attacks against critical infrastructure that portend a future where companies, government agencies, and consumers are all victims of cyberweapons. During the Romantik Seehotel Jaegerwirt attack, the hotel lost the ability to generate new key cards; the remote access and control of a Jeep Cherokee endangered drivers; CCTV cameras were disabled prior to the inauguration of President Trump. And, “the latest iteration of these types of attacks occurred [in April],” Pogue said, “when attackers turned on emergency sirens in Dallas.”
No one died in the Dallas cyberattack, but the city was hit by something even more destructive than a storm. “Tornados are damaging. They take lives and destroy everything in their path,” said a former hacker and current senior analyst at a small but respected East Coast cybersecurity firm. “But they’re localized. The damage is tremendous, but located in one geographical region.”
The Dallas sirens were a warning, he said, and a perfect metaphor for the coming cyberstorm. “With a cyberattack the threat is existential and the path of destruction is unlimited.”
When everything becomes a cyberweapon
One week after the Dallas incident–at 11:21 am UTC, 10,895 kilometers away–a North Korean ballistic missile fired and exploded moments after launch. The April 2017 test was the latest in a series of recent North Korean missile misfires.
Reporting by CBS News and The New York Times indicates that American-made cyberweapons may have been responsible for the floundering rockets. “Presuming the missile batteries run on a computer-based launch control system, which they do,” Pogue speculated, “an attacker could do anything the system allows: change fuel mixtures, time on launchpad after engine fire but before launch, destination of target, trajectory, and payload arming and disarming.”
A former government digital weapons specialist said, “The systemic failure of North Korea to develop a working ballistic missile program is likely due to US espionage efforts, including offensive cyberweapons. Cyberweapons exist, and they are in fact weapons. They contain custom payloads designed for a custom target. The customization is almost always part of a process that includes human assets, traditional espionage, and technical development.”
These weapons require considerable capital investment, the specialist said, and take a long time to develop. The development teams might be quite small, but the need for specialization is high. “Custom code is used by most governments and is generally designed to protect the national interest. They could be concerning in the abstract, but practically speaking I’d be a lot more concerned about malware and spying tools than a so-called cyberweapon.”
The Dallas attack was as crude as the North Korean attack was sophisticated. Both likely involved cyberweapons, and the sophistication gulf between the two attacks mirrors the evolution of hacking and of digital weapons. What makes these attacks unique is that, unlike conventional hacks, they targeted critical infrastructure and caused physical damage.
The most infamous example of a cyberweapon is Stuxnet, a worm reportedly developed as a joint operation between the US and Israel and intended to deter Iran’s nuclear program. Discovered by security researcher Sergey Ulasen in 2010, the malware targeted Siemens industrial control systems using a programmable logic controller rootkit. The worm targeted, spied on, and ultimately damaged nuclear centrifuges at Iran’s Natanz facility. In the process, it proliferated widely, infecting thousands of machines. The custom code, which may have cost millions to develop, is now open source.
“I’d like to clarify the term ‘cyberweapon,'” said the French hacker x0rz. “Anything can be a cyberweapon nowadays. With very basic programming skills you can weaponize a Word Office document.” Chatting on an encrypted messaging application from a bare Paris flat the 20-something self-described penetration tester articulated the hacker’s definition of digital munitions and malicious code.
“For example, you have the computer network operations tools such as [malware] implants,” x0rz said. “These could also be described as backdoors. Often these are scripts that help exfiltrate data. And then you have the exploits themselves that [take advantage of] some vulnerability such as a malformed PDF document that will trigger unnoticed code on your computer.
“The first category is just code. It will basically require manpower and some advanced OS knowledge [to build]. If you are a government you could hire developers to build such tools. It’s fairly easy and there are a lot of known techniques to bypass antivirus software.”
Finding and exploiting bugs in existing software, he explained, is a lot harder. Mitigation systems exist on every software level, from ASLR and DEP to stack cookies. “It becomes harder to exploit a simple buffer overflow. That’s why the cost of 0days [sic] increased a lot in the last decade. As exploit mitigation goes up, exploitable 0days should be harder to find and hence more expensive.”
“Offensive technology and diplomacy are complicated and so interconnected I worry that someone will do something accidentally and a disaster will happen that unintentionally kicks off a kinetic cyberwar,” said Sergio Caltagirone, director of threat intelligence and analytics at Dragos, a cybersecurity firm that specializes in enterprise security. “That’s what keeps me up at night.”
Defining a cyberweapon, he said, requires examining the intent of the actor and the effect of the attack. “The technical definition is less important than how malicious code is used, and by whom.” Caltagirone frets about potential accidents, or that malicious code will leak to a rogue actor. Unlike nuclear weapons, however, “code proliferates very quickly and is easy to build or steal,” he explained. “Anyone with a laptop, some coding skills, and a few free hours can create a ‘cyberweapon.'”
On May 12, 2017, a ransomware attack targeting machines running older versions of the Windows operating system crippled Britain’s National Health Service (NHS). The worm evolved rapidly and, according to CBS News, infected more than 100,000 organizations in 150 countries with variants of the WannaCry virus. Casualties of the “largest extortion attack ever recorded” also include enterprise companies running older versions of Windows, Chinese universities, and transportation networks. The ransomware seizes machines and encrypts all local data. If the extortion fee of $300 in Bitcoin is not paid in 24 hours, the data is permanently erased.
In an interview with CBS News Symantec CEO Gregory Clark explained, “In this case, there is a fragment of the technology that was associated with Lazarus,” a hacking team often linked to North Korea. Security firms like Symantec, Rapid7, and FireEye have uncovered similar links and suggest that exploits used in WannaCry were first developed by the NSA.
Policymakers who have tightly controlled access to nuclear weapons over the past century, Caltagirone said, are beginning to realize digital weapons pose the same–or greater–threat. “I’m not worried about well-intentioned people designing weapons. I’m worried about Kazakhstan, North Korea, and maybe Iran handing over powerful hacking tools to a rogue agent.”
According to the United Nations, any software deployed for diplomatic, military, or intelligence purposes can be a cyberweapon. Actors wielding cyberweapons can be state, non-state, and rogue actors. Security experts at the UN say that cyberweapons can take the shape of custom code, common viruses, and even propaganda. “[Digital weapons] are reliant on geopolitical posturing as much as technology. Any offensive technology with a custom built payload designed for a custom target can be a cyberweapon,” one UN law enforcement expert said.
The distinction between cyberweapons, malware, and hacking tools is blurry, and likely won’t exist in the future, said Brett Thorson of Dtex Systems. Hacking tools like Nmap and Metasploit “are the tools that someone would use in order to gain access to a system. Malware, on the other hand, will remove the human equation from [the attack]. Often times [automation] can come pre-packaged.”
The cyberweapon environment isn’t shaped like a standard munitions warehouse with bombs and guns in it, Thorson said. “It’s easy to put those two words together–‘cyber’ and ‘weapon’–and make it sound cool, but there isn’t [an easy definition].” Using a cyberweapon in an offensive situation, Thorson explained, “requires finesse, work, and long-term effort.”
Former CIA case officer Jack Rice agrees. “Of course, countries are developing ‘weapons’ with custom payloads designed for a custom target. These sound scary until you consider the production overhead needed to create customized weapons. The public, companies, or governments should be less concerned about these weapons and more concerned with everything else that’s out there, including malware, hackers, and the government.”
The true cost of developing a weapon like Stuxnet is hidden in human assets. “People are needed to steal the encryption keys that protect hardware systems like the JMicron and Realtek controllers used in the Natanz nuclear facility,” Rice said, “or the controllers used in North Korean missiles.”
What does scale, Rice said, are modern tools developed by hackers and government agencies that target mobile devices, the Internet of Things, and outdated industrial control systems found in municipalities across the country. The Mirai botnet and the CIA’s Vault 7 cache are more worrying to Rice than the weapons targeting Iran and North Korea. “When powerful tools can be modified and distributed by criminal agents and non-state actors at scale,” he said, “it becomes a lot harder to determine what a cyberweapon is and how it might be deployed.”
Use geopolitical posture as a signal to help understand who’s hacking who and for what purpose, Rice said. He points to spambots, Russia’s alleged meddling in the 2016 US election, and the data dump on the eve of the French presidential election. None of these “hacks” were technically sophisticated, he said, yet resulted in democratic destabilization that changed the geopolitical landscape.
“Within intelligence communities, the US and Israel are respected for their technical proficiency,” Rice explained, “so it was no real surprise when spy tools [like Vault 7] were leaked. Russia, on the other hand, has been a spam and piracy haven for decades. That the Russian government might support bot-makers and hackers and use those ‘assets’ to achieve political goals is believable.”
Advances in IoT malware in particular make cybersecurity experts like Joe Saunders, CEO of RunSafe Security, especially nervous. “Whether it is stealing passwords, exfiltrating sensitive data, disrupting traffic signals, taking control of a vehicle’s operations, or locking devices for ransom, IoT devices are extremely vulnerable to cyberattacks,” Saunders said. “The underlying issue is that the operating system running on these devices often has security vulnerabilities. Additionally, poorly written software code allows hackers to take control of a device and use its own code to do malicious actions.”
In 2016, hackers commandeered IoT devices and brought down a significant portion of the internet on the East Coast. “Mirai exploited outdated versions of the Linux operating system, a common issue with many devices,” Saunders explained. “And it turned IoT devices into a network of botnets flooding websites with requests. In the 2016 attack, a common provider across hundreds of websites was attacked with a distributed denial-of-service attack.”
All networked devices are vulnerable, he said, but SCADA (supervisory control and data acquisition) systems used to manage power plants, cooling systems in large data centers, and legacy industrial control systems running inside enterprise companies and in government agencies are particularly vulnerable. “Imagine sensors on instrumentation systems or oil rigs being manipulated, or consider the hack of a New York state water dam a couple years ago, or the shutdown of the power grid in Ukraine. We used cranks or levers to manually adjust control systems in the past. These systems are now centrally managed via software systems talking to remote devices.”
Here comes the AI
Custom malware augmented with automation and artificial intelligence spooks most cyberdefense experts. “In all likelihood, the next Stuxnet has already been built. Lots and lots of them,” Pogue said. “They (plural) are just waiting to be deployed. Where? What is controlled by computers? Nuclear power facilities, dams, missile batteries, air traffic control, and sewage systems will be [targeted].”
At scale, said chief scientist of financial prediction firm Aidyia Holdings Ben Goertzel, AI will be used to locate zero day exploits in IoT and industrial control systems that currently take teams of hackers months or years to develop. “It seems obvious, but intelligent algorithms work much faster than humans and finding exploits will be a trivial task,” Goertzel said.
As investments in AI increase, he said, so does the AI control problem. “My colleagues and many [AI] researchers want to use machine learning to improve the human condition. But if hackers can steal or have access to the same [AI and machine learning] technology they will use that tech for the same motivations they do today. A Windows hack will seem antiquated when the stock market or the power grid or nuclear power is the target.”
AI will also make unsophisticated cyberattacks like spearfishing more effective. “Take phishing,” wrote ZDNet’s Danny Palmer. “It’s the simplest method of cyberattack available–and there are schemes on the dark web which put all the tools required to go phishing into anyone’s hands. It’s simply a case of taking an email address, scraping some publicly available personal data to make the phishing email seem convincing, then sending it to the victim and waiting for them to bite. That could become even more effective if AI is added.”
So now what?
AI is also part of the solution, and security firms use machine learning to help enterprise companies uncover hidden threats and deter attacks. “AI will be the ‘enterprise immune system’ against cyberattacks,” said Justin Fier, director for cyber intelligence and analysis at security firm Darktrace. “It can take weeks or months for a company to learn about and then patch security holes. But discreet AI modules can be installed on an enterprise network, learn about the specific network, and get a ‘sense of self’ that helps it identify unique threat vectors quickly.”
Because there is no single defense tactic to serve all organizations, Cisco’s senior director and trust strategy officer Anthony Greico encourages a “holistic approach” to cyberdefense. “You can think about all the different actors and bad people that are out to get you and never find a solution. But by thinking about it from a systemic perspective … you can really think about how to make your company resilient.”
Greico identified four steps organizations and companies, regardless of size, should take to build a proper cyberdefense posture. First, he said, identify what you’re worried about and enumerate your critical assets. “People–humans–are your best line of defense. Talk with your team. Identify your critical assets and ask simple questions about your company,” he said.
Next, “Ask yourself and your team: What are the most important data processing functions that are critical to my business? Then you can begin to build a system of processes, technologies, and education to ensure you are protecting those [critical assets].”
The biggest challenge for many companies is operationalizing defense detection. “You can’t just proactively put [policies] in place and then forget about them. You must continue to look for active adversarial activity … so you are able to detect and respond to an attack.”
Finally, Greico said, when an attack is successful and you have detected it, “you need to focus on recovery. In the end ‘resilience’ is about getting back to your business … up and operational in the face of a cyberattack. When you walk your business through those steps you really begin to put a boundary on real risk and real [threats].”
In the Dallas sirens incident someone discovered the radio frequency signal used to trigger the activation of the sirens, Dtex’s Thorson said. “Ten years ago it would have been a significant amount of work to discover the correct frequency of transmission as well as any signal encoded within that transmission. However, with software defined radios and computers able to monitor large portions of the radio frequency spectrum, it becomes much easier [to hack].”
Danger lurks, he warned, “in a legacy system that no one cares about, easily hacked via hardware and software easily obtained.”
The city of Dallas responded to the attack by shutting down attack vectors and retesting internal systems. Pogue said it was lucky no one was hurt–this time. The next attack could have serious consequences. As more and more systems are digitized, threat vectors increase exponentially.
“I hate to be a doomsayer,” he said, “but there is a massive kinetic attack on the horizon. It’s coming.”
Credit for image at top: Getty/Ed Jones