Recent reports reveal Iran is planning a cyber attack on the United States and the United Kingdom in retaliation for the US’s departure from the Joint Comprehensive Plan of Action (aka The Iran Nuclear Deal).

This type of threat — cyber — is fast becoming part of the geopolitical norm as nation-states try to influence the behaviour of their adversaries, not through all-out war and military confrontation, but by exploiting their dependency on technology.

To understand just how severe a cyber threat from Iran is, it’s important to know what can happen when such an attack is carried out successfully. Two of history’s most successful cyber attacks can help shed some light on what actions public and private firms should take in order to prevent others.

When it comes to cyber, everyone’s at risk and the consequences can be truly chaotic.

Powerless: The 2015 Ukraine Power Grid Attack

When the lights go out, how do you gain your vision?

On December 23, 2015, Ukraine experienced one of the most aggressive cyber attacks in history, demonstrating the manifestly tangible consequences a carefully planned cyber offensive can cause when aimed at a nation’s infrastructure.

Approximately 230,000 Ukrainians were left without power in the middle of winter, for up to six hours, as a result of the 2015 power grid attack. While it is commendable that the Ukrainians were able to restore power within a six-hour time frame, one only needs to conduct a quick thought experiment to imagine how bad things could have gotten had a few variables been slightly different: a few hours more without power or a few degrees lower below zero and parts of western Ukraine could have been dealing with burst water pipes and severe cases of hypothermia; perhaps even death.

There are many reasons why the attack on Ukraine is used as a cautionary tale among cybersecurity experts, not least of which is the fact that is it the first of its kind to successfully and publicly disrupt a major energy grid operation. The attack is often referred to as a watershed moment in cyber warfare, and its sophistication, both in planning and execution, makes it worth revisiting as it highlights some of the key vulnerabilities public and private firms need to defend against if they are to succeed in mitigating the effects of — let alone prevent — such an attack.

Attack overview

In the Spring of 2015, roughly six months prior to the attack, the perpetrators started an aggressive and wide-scale spear-phishing campaign aimed at IT staff and system administrators working across the multiple companies charged with distributing electricity throughout Ukraine.

The objective of this initial stage was to get workers to click and download a Microsoft Word document that had had its macros exploited with a malware programme known as Black Energy: a Trojan that can be used to conduct a variety of different cyber attacks, such as DDoS, network reconnaissance or data destruction. Once installed, the perpetrators conducted several months’ worth of reconnaissance, gaining insights into the companies’ networks, their Windows Domain Controllers, and harvesting workers’ credentials. Key to the perpetrators’ success was their ability to log in remotely to the companies’ Supervisory Control and Data Acquisition (SCADA) networks, as well as reconfiguring the Uninterruptible Power Supply (UPS), which provides backup power in the event of a power outage.

To overcome the fact that each company used a different distribution management system, the perpetrators used the information they had uncovered during their reconnaissance mission to write malicious firmware that could replace the original firmware on serial-to-Ethernet converters. Once the converters were disabled, the perpetrators would be able to block operators from sending remote commands to breakers once the attack was underway.

To cause even further disruption and also to delay workers from noticing that a full-scale attack was taking place, the perpetrators organised a telephone denial-of-service attack (TDoS) on the electrical grid’s customer service call centres. A TDoS attack used in this way is highly effective in bringing about panic in the public as it leaves them ‘in the dark’ as to what is happening and allows for worse case scenarios speculation. By removing access to credible information, people are unable to orient themselves and governments/firms are unable to restore trust in the system.

Once all the groundwork was laid, the perpetrators were well placed to carry out a flawless attack. In the afternoon, on the 23 December, using hijacked VPNs that had already been reconfigured earlier during the reconnaissance stage of the attack, the perpetrators gained access to the SCADA networks and disabled the UPS systems. They then tripped the breakers remotely using valid staff (single-factor authentication) credentials and disrupted power to large parts of Western Ukraine.

Workers were only able to restore power as quickly as they did (within one to six hours depending on location) because they were able to control the breakers manually. Had they not had a manual backup system in place, power restoration would have been a significantly more complex issue to resolve and could have dragged on for hours or worse, days.

Somebody call a doctor: The 2017 NHS WannaCry attack

Healthcare carries more than just the sick

In May of last year, a ransomware attack referred to as WannaCry was deployed by North Korea. The effects of the attack were felt all over the world, with close to 150 countries affected to varying degrees. Of those affected, Britain’s National Health Services (NHS) is considered to have been hit the hardest, with 81 of its 236 trusts across the country either being infected directly by the ransomware or taken offline as a precautionary measure. In addition to this, 603 primary care and related NHS organisations were also infected, including 595 general practices.

For an entire week — from Friday 12 May to Friday 19 May — the NHS was left scrambling, trying to mitigate the effects of the attack and installing the various patches and anti-virus software needed to restore its systems back to normal. While this was happening, particularly during the first weekend of the attack, thousands of patient appointments and operations were cancelled; and while the NHS continued to provide emergency care, as per its major incident management procedures, there were five acute trusts — in London, Essex, Hertfordshire, Hampshire and Cumbria — responsible for treating urgent and emergency patients that had to redirect patients to other Accident and Emergency Departments (A&E).

As with the power grid attack in Ukraine, one only needs to conduct a simple thought experiment to imagine how bad things could have gotten had a few variables been slightly different: a few more A&E departments taken offline or a major physical disaster taking place alongside the cyber attack (such as a coordinated terrorist attack or significant accident) and the NHS could have been faced with a situation where it was unable to effectively treat ‘critical-to-life’ emergencies.

Apart from the global scale of the attack, and its ability to drain billions of dollars’ worth of damage, the 2017 WannaCry attack has become famous for its almost comic level of preventability. The ransomware used to carry out WannaCry was weaponised via a vulnerability found in Microsoft’s Windows Operations Systems. When Microsoft was made aware of the vulnerability, it issued a patch in March of that year. What left most cybersecurity experts shocked, however, was the fact that the United States’ National Security Agency (NSA) had — prior to the attack — discovered the vulnerability, yet decided to keep it secret as a way to leverage the vulnerability for its own cybersecurity offensives. The reason the perpetrators became aware of the vulnerability was because a hacking group by the name of Shadow Brokers, who stole WannaCry from the NSA in April, published the details online. By May 12, the attack was wreaking havoc the world over.

Attack Overview

The 2017 WannaCry attack relied on a vulnerability found in older versions of Microsoft’s Windows Operating System (WOS). WannaCry exploits this vulnerability, nicknamed EternalBlue, by mapping a ransomware payload onto it. What makes EternalBlue so dangerous is its ability to be turned into a worm, and therefore able to infect any WOS that doesn’t have the necessary patches in place. Unless an organisation has installed the requisite patches or is acutely aware of the vulnerability and has developed a bespoke workaround, there is nothing an organisation can do to stop this type of ransomware from compromising their network.

[FYI: A worm is a ransomware that has a transport mechanism built into it so it can automatically spread itself. It does this by scanning vulnerable code in a system and makes use of the EternalBlue vulnerability to gain access. It then uses a vulnerability known as DoublePulsar to install itself and make copies.]

Every NHS trust affected by WannaCry was either running unsupported/old WOS or had not implemented the patch Microsoft had announced and released nearly two months prior to the attack.

Running up-to-date operating systems, however, was not the only thing the NHS could have done to prevent the attack. According to a report that reviewed the attack, had the NHS adhered to basic cybersecurity principles and put in place an Internet firewall on its N3 Network (the broadband network that connects all NHS organisations in England), the WannaCry ransomware would have been unable to spread, as the Internet was the only mode of transportation the malware utilised — i.e. the virus did not spread via email.

The global WannaCry attack came to a halt on the evening of the 12 May when a cybersecurity researcher by the name of Marcus Hutchins, aka Malwaretech, discovered the kill switch domain that was hardcoded in WannaCry’s malware. Working with GCHQ, Hutchins set up a domain name for a DNS sinkhole and stopped any further proliferation of the malware from taking place.

[FYI: Prior to encrypting a computer and exploiting the server message block (SMB), the WannaCry malware first checked the kill switch domain name. If it could not find it, then it carried on infecting the computer and proliferating. Setting up a DNS sinkhole with the kill switch guaranteed that any further attempts to spread would be stopped, as the malware would keep encountering the kill switch and thus not carry out its orders.]

While Hutchins’ discovery prevented any further attacks, it did nothing to resolve those that had already taken place. As a result, the NHS spent the following week trying to restore operations back to normal and putting in place the requisite security measures needed to prevent such an attack from happening again.

It should be noted that even today, the NHS still has much work to do. A parliamentary inquiry into the attack found that all 200 trusts continued to not meet standard cybersecurity requirements. The fact that cybersecurity continues to be overlooked, even after an attack like WannaCry, should be a red flag to any public or private organisation. When it comes to cyber warfare, private firms are just as responsible for their citizens’ security as intelligence firms and governments.

The politics behind the attacks

The 2015 Ukraine power grid attack and the 2017 WannaCry attack were not isolated random incidents; they were strategically carried out cyber warfare initiatives. Just as Iran is currently planning to attack the UK and US via cyber, so too have other nation-states planned to attack their adversaries.

Since May 2014, Ukraine has been the victim of various cyber attacks aimed at disrupting the nation’s electricity, government, railway, media and mining sectors. The reasons behind these attacks are not entirely clear; there is simply not enough conclusive evidence to point to one specific state or non-state actor. However, a probable theory put forward by the international security community is that these attacks are part of a political destabilisation campaign carried out by Russia to reduce confidence and credibility in the Ukrainian government. The objective, therefore, is not to target any one specific sector or industry, but rather cause sufficient disruption across all critical infrastructure in order to cause discontent within the country and thus help bring about political and economic collapse.

Russia has a long history of undermining Ukrainian independence and sovereignty. Since the February 2014 annexing of Crimea by the Russian Federation, cyber has played an increasingly important role in destabilising the former Soviet state.

In the case of WannaCry, two months after the attack took place, Britain’s Government Communications Headquarters (GCHQ) and National Cyber Security Centre (NCSC) concluded that North Korea was responsible for the global attack. In December of 2017, The United States confirmed the United Kingdom’s attribution. Since then, the governments of Australia, Canada, New Zealand and Japan have all come out in support of the United Kingdom, each concluding that all intelligence evidence points to North Korea.

Due to the global and random nature of the attack, security experts believe it was not aimed at any one specific target. Rather, the objective of the operation — which intelligence agencies around the world believe was carried out by a group of North Korean hackers known as the Lazarus Group — was to extract sufficient amounts of money through crypto-ransom in order for Pyongyang to circumvent the heavy sanctions levelled against it due to its growing nuclear programme. The funds, it is speculated, were to further expand North Korea’s development of nuclear weapons.

Lessons Learned

Both of these attacks show that public and private firms, especially those associated with critical infrastructure — need to take seriously the fact that politically motivated cyber attacks are now part and parcel of a nation’s military and defence strategy, especially those under heavy sanctions. Businesses with operations and dealings with Iran beware!

Governments and their intelligence agencies need to be as transparent as they can (within reason) with firms, so they can plan their own corporate cybersecurity strategies with the knowledge of the geopolitical threats facing their country. Businesses also need training, in order to understand how their business or sector could be exploited to cause the maximum amount of public damage.

An unprecedented global attack, like WannaCry, could have easily been prevented had the NSA shared its discovery of Microsoft’s vulnerability with their counterparts in allied countries and then publicised the vulnerability to ensure all businesses and public organisations had the proper patches and software in place to stop such an attack from being carried out in the first place.

Iran may not have the military might to cripple the United States or the United Kingdom, but it certainly has the cyber warfare capabilities in place to cause serious damage and chaos. It’s important to understand that when nations threaten cyber, they mean business.