Prepared by the CyberWire (Friday, June 2, 2017)—May saw continued tension between the US and North Korea over Pyongyang's missile research, development, test, and evaluation. It also saw publication of the long-awaited Executive Order on cybersecurity, developments in US military space organization and budgeting, and advances in spacecraft security, particularly with respect to GPS hardening. And a late-month outbreak of a ransomworm has some relatively little-noticed implications for industrial control system security.
North Korea's Missile Program
On May 14, 2017, the Democratic People's Republic of Korea successfully tested a Hwasong-12 intermediate range ballistic missile. The test is noteworthy for several reasons. First, it represents a milestone on the path toward a reliable long-range nuclear delivery system—the Hwasong-12 is said to have traveled 787 kilometers, and its trajectory's maximum ordinate was 2111.5 kilometers. The performance was such that observers concluded the missile could reach targets as far away as Guam (with Japan, relatively speaking, a hop, skip, and a jump away). Second, the system reportedly used cold launch technology, another step toward reliability, launch system hardening, and reusability. Finally, the successful flight came after numerous failures in previous months.
What has this to do with cybersecurity? At least two things: The successful test underlined the likelihood that earlier flight failures were simple failures, and not induced (as many reports out of the United Kingdom had hopefully suggested) by US cyberattack on launch or flight systems. And perseverance in the program underlined the commitment in scarce resources North Korea is prepared to make on behalf of its missile and weapons-of-mass-destruction programs. The nuclear program in particular has induced formerly tolerant countries like China to sanction trade with North Korea, and there are strong indications that the Kim regime is turning to large-scale cybercrime to make up its revenue shortfalls.
The US has responded to North Korean missile tests by increasing the intelligence resources devoted to collecting against the DPRK. Coincidentally, a new Joint Staff publication outlines doctrine for air and missile defense: Joint Publication 3-01 prominently links cyber operations to air defense.
Ransomware, Revenue, and the Industrial IoT
At mid-month, on May 12th, a large-scale ransomware attack began with the workday in China and moved west across Russia into Europe. It was much attenuated by the time it reached North America, but its effects were felt globally. The ransomware, a hitherto obscure strain called "WannaCry," affected older and unpatched systems based on beyond-end-of-life versions of Windows. Windows 7 and Windows XP machines were particularly susceptible to infection.
The exploits used to deliver the ransomware payload were reported to be "EternalBlue," whose code was dumped in March by the ShadowBrokers hacking unit. The ShadowBrokers claim EternalBlue is a set of Equation Group tools obtained illicitly from the US National Security Agency. This has prompted a debate over the US Intelligence Community's Vulnerability Equities Process.
Symantec has attributed WannaCry with high confidence to North Korea. It resembles criminal campaigns undertaken over the past two years by the Lazarus Group, which is generally believed to be run by the North Korean government. The attribution has been controversial, as such inevitably circumstantial conclusions are, but whoever was behind WannaCry set their payment system up in a fumbling, ineffectual way. The criminals are thought to have received just a bit more than $70,000 in ransom, which is very small change in comparison to the scope of the infection. As a revenue center for Pyongyang, the ransomware must be judged an annoying fizzle.
WannaCry also infected industrial control systems (ICS) based on embedded Windows versions modified by major industrial control system vendors like Siemens, Emerson, and Honeywell. It is known to have disrupted production at some European automobile plants, and it clearly has the potential to do so in other sectors as well. ICS and other IoT vendors are looking to their patching, an inherently more difficult task than simply patching Windows in an ordinary IT environment. All OT operators should pay close attention to their patching.
Executive Order on Cybersecurity
On May 11, 2017, President Trump issued his long-awaited Executive Order on cybersecurity. Its sections address "Cybersecurity of Federal Networks," "Cybersecurity of Critical Infrastructure," and "Cybersecurity for the Nation." The Federal-Government-centric order was generally well-received, and many observers remarked on how it represented continuity with existing national policy as opposed to the break many had foretold. Its recurring themes are IT modernization and rationalization (including more shared services and use of the cloud), an emphasis on resilience, and an assertion that henceforth agency heads will be held accountable for the security of the organizations they lead. It places a strong emphasis on implementing sound risk management practices. It also calls for increased cyber deterrent capability, and it mandates use of the NIST Framework across the Federal Government.
Military Space and Cyber Developments
US Cyber Command seems to be on a clear path (which is to say, an appropriations path) toward independent status as a combatant command. The US Air Force declines to establish a separate space corps, but both space and cybersecurity receive increased resources in the Service's Presidential Budget.
The US Army is interested in GPS security and is soliciting research into the problem.
Raytheon saw its GEO 6 satellite reach orbit—the system promises improved GPS performance. Raytheon also received a contract for research and development toward DoD operational cyber capabilities. Design Knowledge received a $7.5 million contract to develop a user-defined operational picture of the Joint Space Operations Center. Harris won a US Air Force crypto contract whose total value could reach $875 million. Vencore earned a prime spot in a National Geospatial Agency IDIQ worth up to $980 million, and General Dynamics will provide cyber support to the US Navy's Meteorological and Oceanographic Command.
And a former Boeing engineer has pled guilty to spying for China.
Today's edition of the CyberWire reports events affecting China, Japan, the Democratic People's Republic of Korea, and the United States.
Are Cyber Crooks Funding North Korea's Nukes? (The Daily Beast) How does Kim Jong Un come up with the billions to pay for his nuclear tests? Increasingly successful online bank heists provide at least some of the cash, experts say.
China tried to hack THAAD system: CNN (Korea Times) "China uses cyber espionage pretty regularly when Chinese interests are at stake to better understand facts on the ground," John Hultquist, the director of cyber espionage analysis at FireEye, told CNN. "We have evidence that they targeted at least one party that has been associated with the missile placements."
The WannaCry Ransomware Pandemic: Week One and the Weeks to Come. (The CyberWire) WannaCry is closing out its first week in the wild. To summarize, China and Russia have been hardest hit, with the largest number of infections striking unpatched Windows 7 machines. Those behind the attack may have failed to make big money, certainly not nearly as big as the scope of the pandemic might suggest, but they have succeeded in large-scale business disruption, and in drawing odium toward the US National Security Agency. We wrap up this round of our coverage with a look at what WannaCry accomplished and failed to accomplish, what you can do to protect yourself, and what we might look for in the future.
The WannaCry Ransomware Pandemic: Implications for the Vulnerability Equities Process. (The CyberWire) NSA is now believed to have warned Microsoft of the possibility that EternalBlue vulnerabilities were likely to be exploited in the wild. Indeed, NSA was right, as the arrival of WannaCry and now BlueDoom have shown. The agency has come in for considerable criticism internationally, more for what people are calling the "stockpiling" of vulnerabilities than for failure to secure those vulnerabilities. Disclosure of bugs NSA discovers is governed by the Vulnerability Equities Process. A bill introduced this week in the US Senate would take that process out of the Intelligence Community's hands, interposing an oversight body. What are the likely implications of the WannaCry pandemic for vulnerability disclosure?
The WannaCry Ransomware Pandemic: Sloppy but Dangerous. What about ICS? And Sequelae Include the Usual Fraud. (The CyberWire) Inevitably, successful attacks have aftershocks in the form of fraudulent remediation. In this case, the WannaCry quake's reverberations include a wave of fraudulent mobile apps promising protection from the ransomware. Easy Solutions warns against the dangers of the adware being served up. Versions lacking the fortunate kill switch have appeared as circumstantial and provisional attribution continues to point toward Pyongyang. Analysts look at the ransomware and see sloppy work (which in some ways increases the danger, or at least the nuisance). And why, if you run industrial control systems, you should cut your sysadmins some slack: their patching challenge is inherently tougher than that of someone running IT in a regular business or agency.
The WannaCry Ransomware Pandemic: Attribution, Kill Switches, Crimes, and Torts (The CyberWire) Organizations continue their recovery from the WannaCry ransomware pandemic amid warnings that the first wave is unlikely to be the last. Enterprises that failed to protect themselves against the known vulnerabilities that enabled the worm to spread the crypto ransomware are thought by legal observers to bear considerable risk of civil litigation. There are also some preliminary gestures toward attribution, with some seeing the hand of the Lazarus Group (associated with North Korea's government) behind the campaign.
The WannaCry Ransomware Pandemic: Perspective, Reactions, and Prospects (The CyberWire) WannaCry ransomware hit hard late last week, and enterprises worldwide are bracing for further waves of infestation. The hitherto obscure strain of ransomware propagated in wormlike fashion against systems running older Microsoft software. It exploited the vulnerability the Shadow Brokers leaked last month as the weaponized EternalBlue tool. The rate of infection has been very high, temporarily slowed by discovery and activation of a "kill switch," but most observers expect renewed attack as the unknown controllers upgrade the malware.
RCO: Electronic warfare capability hits European soil (C4ISRNET) The Army's Rapid Capabilities Office has sent its near-term electronic warfare capability solution to Europe, and soldiers there will get a chance to put it to the test this summer, said RCO Director Doug Wiltsie.
What is the Army doing to assure GPS and navigation? (C4ISRNET) All domains of war will be contested. This is the notion of multi-domain battle. And it includes the GPS signals that the military and the commercial world — think everyday navigation for ride-hailing app Uber — are so reliant upon for location and timing of operations.
US Executive Order on Cybersecurity (with industry reactions). (The CyberWire) US President Trump yesterday signed his long-anticipated Executive Order on cyber security. Its sections address "Cybersecurity of Federal Networks," "Cybersecurity of Critical Infrastructure," and "Cybersecurity for the Nation." It's a Federal-Government-centric order whose recurring themes are IT modernization and rationalization (including more shared services and use of the cloud), an emphasis on resilience, and an assertion that henceforth agency heads will be held accountable for the security of the organizations they lead. It mandates use of the NIST Framework across the Federal Government and places a strong emphasis on implementing sound risk management practices. It also calls for increased cyber deterrent capability. We cover a selection of industry reaction to the Executive Order.
AF rolls out fiscal 2018 space budget (U.S. Air Force) Air Force leaders met with media to discuss specifics of the service's fiscal 2018 space investment budget at the Pentagon May 24, 2017. The request totals $7.75 billion, an approximately 20 percent
Defense intelligence has opportunity to be 'reimagined' (C4ISRNET) With the goal of providing military commanders and policy-makers with the best possible analysis, defense intelligence has reached a point where innovations in information technology and cyber present an opportunity to drastically reimagine the entire enterprise, according to a Defense Intelligence Agency expert.