How a cyber weapon is made
Stuxnet was, according to many security researchers, one of the first and most recognizable cyber weapons. The resources needed to develop Stuxnet and its different parts are most likely something only one nation had: several programming languages, a large number of modules, several zero-days, knowledge of the centrifuges in the uranium enrichment facility at Natanz, and stolen certificates are just a few of the reasons that make it probable that only one nation was behind it.
The delivery mechanism
This part of the cyber weapon ensures it hits its target - or reaches the right client, hardware, or network. The delivery can be done using an e-mail, a USB memory stick, a CD-ROM, or by physically connecting to the server, client, TV or similar device. As the Vault7 leaks from the CIA showed, it is not entirely unusual for HUMINT and SIGINT resources to be used. The delivery might also happen in the form of an implant that is installed while the equipment is on its way to the customer. To reach its final target, which might be further into the network, the zero-days, or code, can be used to detect and bypass so-called air gaps, for example sensitive networks that are not connected to the internet.
The warhead makes sure that the goal of the cyber weapon is completed. This can mean influencing a process in a SCADA system, destroying vital parts of systems that are crucial to society, or exfiltrating sensitive information from the target system.
The communication mechanism
This part is not always necessary, but it makes it possible to "call home" (using a unique ID) and notify that the cyber weapon has reached its target or completed a sub-goal. The communication part is important if the cyber weapon stays hidden for an extended period of time and is used to activate the warhead on command.
To make discovery by network forensics and intrusion detection systems more difficult, popular sites such as Dropbox, Twitter, or Instagram can be used over TLS-encrypted communication.
Steganography, where messages are exfiltrated with the help of pictures, has even been observed, as has communication with IP addresses where a satellite link is used and the antagonist has had the opportunity to read the traffic with the help of SIGINT or other equipment.
If the communication mechanism reuses existing infrastructure for updating software or checking whether new versions are available, detection becomes considerably more difficult. The communication mechanism can also be used to download and activate new modules, droppers etc.
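Even when call-home traffic rides TLS to a popular service, its timing is something network forensics can still see. As an added defender-side example (not code from the original article), this script takes a constructed proxy log in a hypothetical format and flags client/host pairs whose connection intervals are unusually regular, the signature of a scheduled beacon; the log format, the field order and the thresholds are assumptions.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample proxy log (hypothetical format):
# ISO timestamp, client IP, destination host, bytes sent.
PROXY_LOG = """\
2024-03-01T09:00:03 10.0.0.21 api.dropboxapi.com 412
2024-03-01T09:00:10 10.0.0.21 www.example.org 9931
2024-03-01T09:10:04 10.0.0.21 api.dropboxapi.com 415
2024-03-01T09:15:42 10.0.0.21 www.example.org 120
2024-03-01T09:20:02 10.0.0.21 api.dropboxapi.com 410
2024-03-01T09:30:05 10.0.0.21 api.dropboxapi.com 413
2024-03-01T09:40:03 10.0.0.21 api.dropboxapi.com 411
2024-03-01T09:41:30 10.0.0.22 api.dropboxapi.com 2048
2024-03-01T10:57:01 10.0.0.22 api.dropboxapi.com 77000
2024-03-01T14:03:11 10.0.0.22 api.dropboxapi.com 310
"""


def parse_log(text):
    """Yield (timestamp, client, host, bytes) tuples from the constructed log."""
    for line in text.splitlines():
        ts, client, host, size = line.split()
        yield datetime.fromisoformat(ts), client, host, int(size)


def find_beacons(text, min_events=5, max_cv=0.1):
    """Return {(client, host): (mean_interval_s, cv)} for pairs with enough
    events whose inter-connection gaps have a low coefficient of variation.
    A human browsing a site produces irregular gaps; a timer-driven beacon
    produces near-constant ones, so a small cv is the signal."""
    times = defaultdict(list)
    for ts, client, host, _ in parse_log(text):
        times[(client, host)].append(ts)
    flagged = {}
    for key, stamps in times.items():
        if len(stamps) < min_events:  # too few events to judge regularity
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else float("inf")
        if cv <= max_cv:
            flagged[key] = (round(mean, 1), round(cv, 3))
    return flagged


if __name__ == "__main__":
    for (client, host), (mean, cv) in find_beacons(PROXY_LOG).items():
        print(f"possible beacon: {client} -> {host} every ~{mean}s (cv={cv})")
```

Real beacons usually add jitter, so in practice `max_cv` is tuned against a baseline of known-good traffic rather than set to a fixed value.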
One of the oldest and most common methods of hiding is obfuscation or encryption. Even relatively simple things such as modularity can make it difficult to see the cyber weapon as a whole: sniffing functions can sit in one module, keylogging in another, and so on.
There are even environmentally keyed payloads, where a module is encrypted with a key that exists only in the target network or system.
Another important aspect for those developing cyber weapons is OPSEC. Everything leaves a trace, and false flagging is increasingly common: traces can point towards one country when the weapon was in fact 'developed' in a completely different one. Language, time zones etc. can be changed.
Sometimes the warhead is located only in the unit's RAM and disappears if the unit crashes or restarts. Creators of cyber weapons obviously want it to stay put for a longer period of time, and there are an enormous number of ways to hide.
A difference between, for example, WannaCry and a cyber weapon is that the objective of the cyber weapon is to propagate only within a smaller area, such as a single organization or network. A smaller spread can make eventual detection more difficult. Propagation can be a necessity for delivery, for instance when there is a gap between the process network or secret network and the internet.
Cyber weapon developers put resources into developing weapons that are not meant to be discovered. The weapon deletes itself when the mission is complete, and there might be a built-in counter that automatically makes sure erasure is completed after, for example, 12 months.