Worms are an effective weapon in cyber warfare
CIO.com has an article about a ‘rapidly spreading virus’ that is giving the UK Ministry of Defense a run for its money.
First, viruses don’t spread on the network — worms spread on the network and a virus can be their payload.
Semantic arguments aside, the story demonstrates just how effective a worm can still be, especially in cyber warfare. Not only do you have the direct impact of the worm, delivery of the payload, but you also have secondary effects: network and host congestion, and the potential over-reaction by IT groups simply shutting off machines to avoid compromise. According to a Ministry of Defence spokeswoman:
“The reason why so many people are without their computers is because we’ve turned them off rather than they’ve been wiped or destroyed by this virus”
Without knowing what this particular bug is and what it does, shutting down systems may very well be a solid defense, but that does not change the fact that the network wasn’t well prepared for a worm outbreak. The best defense against a network worm is defense in depth, but it doesn’t have to be complicated. In fact I would argue that it shouldn’t be much more complicated than:
- Patch management
- Network segmentation
- IPS and AV protection at segment links
- HIPS protection on critical hosts and AV protection on *all* hosts
- Established incident response
But I digress.
As I stated previously, targeting military networks can have far-reaching, even strategic gains:
Crippling the network of a carrier group would be a punch to the solar plexus, which would allow for a follow-up attack, such as a swarm attack or suicide attack by aircraft and small watercraft. The combination of the two less-conventional and relatively inexpensive attack methods stands a good chance of forcing the carrier group to disengage until they can repair damage, replace assets, and restore their data network. This kind of ‘more bang for your buck’ is one of the key advantages of cyber warfare.
Note that neutralizing a carrier group borders on strategic, as these are key assets in any expeditionary force of modern warfare.
Wouldn’t you know it, the rumor mill suggests the BBC has confirmed that HMS Ark Royal, an Invincible-class light aircraft carrier, was or still is affected. I guess their network isn’t Invincible-class.
The fact that the worm spread through multiple networks and ultimately ended up on the carrier’s network demonstrates the potential a worm has for damage simply through the Achilles’ heel of interconnected systems: their very connectedness.
If this is in fact the Conficker worm and not some one-off, custom job cooked up by someone intentionally targeting the MoD, I’d expect some heads to roll. It would be extremely disappointing to learn that a garden-variety* worm targeting a three-month-old vulnerability whipped some MoD ass.
*Conficker is neither exceptional nor cutting edge as worms go. In fact, the core vulnerability that Conficker targets resides in the Windows Server service, which has been known to be vulnerable since at least 2006, and RPC attacks enjoy an even longer history. Given the core role the Windows Server service and RPC play in networking Windows machines, any shop deploying them as infrastructure should protect both at all costs.
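Two items from the defense-in-depth list above, IPS at segment links and an established incident response, and the footnote’s point about protecting the Windows Server service and RPC come together in the kind of check a defender can run over flow logs. The following is an added example, not code from the original post: it flags a host fanning out to many internal peers on the Server service and RPC ports (445/139/135) within a short window, the signature of host-to-host propagation, and separately flags any such connection crossing a segment boundary that the segmentation policy does not permit. The segment ranges, the allowed-path table and the flow lines are all constructed assumptions.

```python
"""Worm fan-out and segmentation-policy checks over flow records.

Added example, not from the original post. Segments, the allowed SMB/RPC
paths and the flow lines below are all constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Ports the Windows Server service (SMB over 445/139) and the RPC endpoint
# mapper (135) listen on; a worm spreading host-to-host hammers these.
WORM_PORTS = {445, 139, 135}
FANOUT_THRESHOLD = 5            # distinct internal targets within WINDOW
WINDOW = timedelta(seconds=60)

# Hypothetical network segments (assumption, not from the article).
SEGMENTS = {
    "admin": ip_network("10.1.0.0/16"),
    "ops": ip_network("10.2.0.0/16"),
    "servers": ip_network("10.3.0.0/16"),
}
# Segment pairs (src, dst) permitted to carry SMB/RPC traffic (assumption).
ALLOWED_SMB_PATHS = {("admin", "servers"), ("ops", "servers")}


def segment_of(ip):
    """Name of the segment an address belongs to, or 'unknown'."""
    addr = ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "unknown"


def parse_flow(line):
    """Parse '<ISO time> <src> <dst> <dport> <proto>' into a dict."""
    ts, src, dst, dport, proto = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "dport": int(dport), "proto": proto}


def detect_fanout(flows, threshold=FANOUT_THRESHOLD, window=WINDOW):
    """Sources reaching >= threshold distinct hosts on worm ports within
    any sliding window; returns {src: max distinct targets seen}."""
    by_src = defaultdict(list)
    for f in flows:
        if f["proto"] == "tcp" and f["dport"] in WORM_PORTS:
            by_src[f["src"]].append(f)
    alerts = {}
    for src, fl in by_src.items():
        fl.sort(key=lambda f: f["ts"])
        start = 0
        for end in range(len(fl)):
            # advance the window start until it spans at most `window`
            while fl[end]["ts"] - fl[start]["ts"] > window:
                start += 1
            distinct = {f["dst"] for f in fl[start:end + 1]}
            if len(distinct) >= threshold:
                alerts[src] = max(alerts.get(src, 0), len(distinct))
    return alerts


def segment_violations(flows):
    """SMB/RPC flows crossing a segment boundary the policy does not allow."""
    hits = []
    for f in flows:
        if f["dport"] not in WORM_PORTS:
            continue
        s, d = segment_of(f["src"]), segment_of(f["dst"])
        if s != d and (s, d) not in ALLOWED_SMB_PATHS:
            hits.append((f["src"], f["dst"], f["dport"], s, d))
    return hits


# Constructed flow records: 10.1.0.7 behaves like an infected host.
SAMPLE_FLOWS = [
    "2009-01-20T09:00:00 10.1.0.7 10.1.0.10 445 tcp",
    "2009-01-20T09:00:04 10.1.0.7 10.1.0.11 445 tcp",
    "2009-01-20T09:00:08 10.1.0.7 10.1.0.12 445 tcp",
    "2009-01-20T09:00:12 10.1.0.7 10.1.0.13 445 tcp",
    "2009-01-20T09:00:16 10.1.0.7 10.1.0.14 445 tcp",
    "2009-01-20T09:00:20 10.1.0.7 10.1.0.15 445 tcp",
    "2009-01-20T09:00:24 10.1.0.7 10.2.0.5 445 tcp",    # admin -> ops: not allowed
    "2009-01-20T09:00:30 10.1.0.7 10.3.0.9 80 tcp",     # web traffic, ignored
    "2009-01-20T09:01:00 10.1.0.20 10.3.0.1 445 tcp",   # admin -> servers: allowed
    "2009-01-20T09:01:10 10.2.0.9 10.3.0.2 135 tcp",    # ops -> servers: allowed
    "2009-01-20T09:01:20 10.2.0.9 10.1.0.30 139 tcp",   # ops -> admin: not allowed
    "2009-01-20T09:10:00 10.1.0.21 10.1.0.40 445 tcp",  # three shares: below threshold
    "2009-01-20T09:10:05 10.1.0.21 10.1.0.41 445 tcp",
    "2009-01-20T09:10:09 10.1.0.21 10.1.0.42 445 tcp",
]


def analyse(lines):
    """Run both checks over raw flow lines; returns (fanout, violations)."""
    flows = [parse_flow(line) for line in lines]
    return detect_fanout(flows), segment_violations(flows)


if __name__ == "__main__":
    fanout, violations = analyse(SAMPLE_FLOWS)
    for src, n in fanout.items():
        print(f"fan-out: {src} reached {n} hosts on SMB/RPC ports within {WINDOW}")
    for src, dst, port, s, d in violations:
        print(f"segment policy: {src} ({s}) -> {dst}:{port} ({d}) not allowed")
```

On the constructed input the fan-out check singles out 10.1.0.7 alone (seven distinct targets in 24 seconds), while 10.1.0.21 touching three shares stays under the threshold; the policy check reports the two SMB/RPC flows that leave their segment along a path the table does not list. The same two checks are what an IPS at a segment link would enforce inline, and the list of offending sources is the starting point for the incident-response step of isolating hosts rather than powering them all off.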
Update:
According to the BBC, as of 1/20/09, this is still affecting the MoD and has affected 70 sites. What’s interesting is the statement that it successfully redirected email traffic to email servers in Russia:
Conservative MP Mark Pritchard said he had been told by one defence official that e-mail traffic from some RAF stations had been re-directed to a Russian internet server as a result of the virus.
Officials note they don’t think the MoD was targeted, which leads me to believe it was indeed a garden-variety worm that hit them. The statement that email was redirected could be caused by the ‘fog’ of incident handling on such a large scale. However, if it’s true, I assume it happened because the email server or servers were compromised by the worm, which deployed a bot that phoned home, and the compromise was escalated through remote control of the bot.

More than likely, someone just doesn’t know what they’re saying and is mixing rumors or separate incidents in regards to the sending of email to Russia.
Either way, obviously there is a level of incompetence somewhere in there.
By LonerVamp on 01.20.09 3:50 pm
In the network security podcast linked twice above, they talk about this incident at 17:49 into the podcast.
They don’t really go into the worm as a weapon in cyber warfare but instead focus on the intermingling of networks. One of the points they don’t mention is that even if the networks don’t mingle and operational/navigational networks aren’t directly at risk, this threat still saps resources from those networks as IT staff scramble to regain control of the administration networks.
There is also the sneakernet to be considered. USB drives (which conficker leverages) can travel from one network to the other and deliver worms through that vector. Usually in classified networks USB drives are forbidden but if you miss restricting them on even one machine, the users will find it and exploit it, not necessarily intending to be malicious but for convenience.
Granted, this worm attack wouldn’t be a tactical win if it were a part of cyber warfare but it would certainly serve a purpose in propaganda, by demonstrating that even an aircraft carrier’s network and more importantly the Ministry of Defense network has weaknesses to be easily exploited.
By Michael on 01.21.09 9:33 am
[...] Worms run rampant through UK Ministry of Defense systems. [...]
[...] Confiker Worm Takes Down UK Hospitals and the MOD – Link Here / Link Here [...]
[...] up – Same worm variant is also attacking the UK MOD – Michael at [...]
[...] the recent compromise of the British MoD, the compromise of the French MoD appears to have been isolated to the [...]