Operation: Olympic Games

DQI Bureau

Émile Borel may or may not have been the father of Game Theory. But it was John von Neumann, referred to by many as a practical joker, who gave this subject and its varied fields of application their zing! That the applications ranged from poker to economics to the military may be incidental. What is of relevance is von Neumann's stint with the RAND Corporation, where he explored possible strategies for nuclear conflict.

If that were not enough, the person to whom the proof of the Min-Max Theorem in Game Theory is attributed also examined Kyoto, Yokohama, and Kokura in Japan as potential targets for the nuclear bomb!

A not so innocuous inference is that mathematicians, who pursue the purest of sciences, too end up as jokers playing games that lead to bombs!

A Glance at State-sponsored Cyber Attacks

At an abstract level, how differently should Game Theory's insidious application during the WWII period, to deduce the probability of choosing a target for a nuclear bomb, be viewed from planning a malware implant in the nuclear installation of another country in the first decade of this millennium?

The purpose of this article is to look at state-sponsored cyber attacks in general, and Operation Olympic Games in particular, through an IT security prism.

'Olympic Games' under different circumstances may have gone unnoticed. But if it stood for a code word to mask a highly secretive cyber operation undertaken by the US government to damage a major nuclear installation, through the surreptitious implant of a malware called 'The Bug', then cyber warriors of all hues need to pay heed.

What may seem encouraging is that the team that went about taking this new worm apart, which they referred to as Stuxnet, emanated from the same country that triggered it, viz the US, along with a set of freelancers participating from far away Germany. Though they did not neutralize it, they did dissect this uniquely designed weapon.

Substantial documentation was generated after the forensics carried out on this major IT sector incident affecting 'critical infrastructure'. That the investigation resulted in nearly pin-pointing the root cause of such a complex operation and reconstructing the whole story with reasonable accuracy was indeed a tribute to the minds that pursued the investigation to its very end.

But confirmation that this was indeed a state-sponsored action, practically from the horse's mouth, has changed the dimension of cyber warfare.

The Attacker's Approach

In 2006, under the Bush administration, an initiative was undertaken to contain Iran's nuclear capability and expansion program. The trigger-happy Israel needed an assurance that any alternative other than directly bombing the targets would actually work. Hence the US was forced to co-opt Israel into the development of a unique cyber-weapon. A secret military unit of Israel had expertise very similar to the NSA's. Coupled with the deep operational knowledge that the Israelis possessed of the working of Natanz (the nuclear site in Iran which the US had decided to target), the US team got into action. The initial vibrations of these thoughts emanated from the 'bowels of the US strategic command'.

The two countries developed the complex worm. What is of interest to any IT/IT security professional is how they planned the test bed for it. There was very little margin for error. So the US began building a nearly identical replica of the aging centrifuges that Iran possessed, which Iran had apparently purchased from a nuclear scientist who was selling fuel-making technology on the black market. With this knowledge, and with relics of similar centrifuges in its own backyard, at a weapons laboratory in Tennessee (courtesy of the Libyan intervention), the US team created a formidable test bed. As Marc Ambinder reports in the June 2012 edition of the Atlantic, this operation 'is the most significant covert manipulation of the electromagnetic spectrum since World War II, when cryptanalysts broke the Enigma cipher that allowed access to Nazi codes.'

Vulnerability Exploited

David Sanger's 'Confront and Conceal', in Chapter 8, reveals details of this major covert operation. The idea of the architects of this weapon was to make the initial breakdown look like a random accident: make a few of the centrifuges race out of control, 'beyond the speed of sound', and, if the attacker was lucky, force the plant to be completely shut down, a la a comprehensive DoS attack. From an attacker's perspective this made sense, as the 'raw material' was at hand: the knowledge that the P1 centrifuge in use at the target site was susceptible to random malfunction. A minor glitch, anything from a bad ball bearing to an electrical malfunction, could create substantial damage.

Iran's nuclear engineers had another challenge, as they had to manage their program surreptitiously. Therefore, assembly of the machines had to be distributed across multiple shops. This too would have been an added input: this weakness of the adversary, and consequently the challenges it faced in manufacturing the rotor at the center of the machines, would have given better teeth to the overall strategy of the attacker.

Attack Construct

Even with the above facts, how exactly the computers at Natanz controlled the operations of the centrifuges eluded the attack team. There was also a need to know how the centrifuges were connected to the PLCs that run the fast-spinning machines and control the whole operation.

Again, the advantage to the attacker was that these devices were virtually unprotected at the technology layer, with the best protection available only at the physical access control level, some of it electronic and some manual. Because of the weak defense, a bank-fraud approach of breaking into the vault was all that was needed. Computer code to attain this objective was written.

The attack team had another edge: the Israelis' proven and demonstrated social engineering capability. This was evident from the various 'assassinations, defections and flow of documents; the Israelis had informants deep inside some of Iran's most critical nuclear and missile projects.' This had to be leveraged to plant the code within the boundary of the plant.

Pandemonium at Target Site

The Iranians knew all along that they were potential targets. There were instances in the past, in 2003-04, when they experienced sabotage of the centrifuges (The Inheritance, David Sanger). There was also a case of a manipulated UPS that disrupted precisely controlled electric feeds, which led to the explosion of about 50 centrifuges. This did not deter Iran from proceeding further with its program. But it clearly did not force them to look at their vulnerability state more scientifically either.

Corporate Investigation Team

Around mid-June of 2010, Stuxnet became visible to the corporate world. Sergey Ulasen, a techie who was then working for a smaller computer security company, and who later joined VirusBlokAda in Minsk, Belarus, was the first to observe it, while servicing a customer from Iran.

There was also another angle to this major incident. It got formally reported nearly first hand from the US, and the major corporate investigation was led by the US: was this any different from a report made public by WikiLeaks? From a US standpoint there was a compromise of 'national security equity'. As Marc Ambinder puts it in the Atlantic, 'What complicates the issue is that almost every major IT company in the world is owned by US citizens or is based in the US. And these companies have a complex relationship with the US government. There is no coordinated way for the government and the private sector to share information about cyber threats. There are almost no standards, even for critical infrastructure, with which companies must comply.'

Lessons For India

There was evidence to show that Stuxnet had hit machines in India too. So, with the recent major shutdowns in South Korea due to the 'wiper' malware, which has been attributed to North Korea's military intelligence, the General Reconnaissance Bureau, and is suspected to have come from IPs originating there or through proxies in China, there are enough reasons for us not just to be concerned but to get into a 'battle ready' mode swiftly. That Y2K had very little impact on us in 2000, more because by default we had very few related IT systems, may not save us this time around. Iran's passivity during 'peace', its reaction and in many cases 'over-reaction' when the incident occurred, and the consequently increased downtimes that further helped its adversary, provide us with valuable lessons.

A report from FireEye, quoted in Tech Week Europe (April 23 2013, Tom Brewster), states that 9 in 10 Advanced Persistent Threat (APT) tools are made in China, apparently funded by nation states. As per Verizon (quoted in the same magazine), 96% of cyber espionage over the last year had Chinese origins, and of all the breaches, 19% had links to the Chinese government. If China has transgressed land, water and air boundaries, what stops them from hitting deep into information territory?

Against the above backdrop, it is time that critical infrastructure in India is listed and an overall risk assessment, both from an infrastructure and a technology perspective, is carried out at the earliest. Even if the fixes for the open vulnerabilities are handled over a period of time, the faster we know what needs to be done, the better.