Cyber Context

Jonathan talks about the Pipedream attack and the implications of hacking industrial control networks. Can VPNs increase vulnerabilities, and how vulnerable are industrial control networks generally? Christian and Jonathan discuss.

Show Notes


Christian Whiton (00:09):
Welcome to Cyber Context, the podcast featuring Jonathan Moore, the Chief Technology Officer of SpiderOak. Jonathan, the Ukraine war is going on and revealing more and more about our cyber capabilities and cyber defenses, and about Russian and other bad actors and their cyber capabilities against us. It seems in the past week the US government has become concerned. It appears to have gotten the upper hand on this one incident, but something called Pipedream, which I gather was a compromise that was directed at LNG, so natural gas facilities here in the United States.

Christian Whiton (00:48):
So, not 100% sure it came from Russia, whether it was the Russian government or other actors, but probably, knowing what's going on in the world and with the target being gas, that's kind of interesting. Of course, that's the one thing Europe seems still to have to buy from Russia if they want to keep the lights on; the price has gone up. Maybe Russia wants it to go higher. Still, maybe Russia doesn't like the idea of Europeans buying our natural gas instead of getting it from there or getting it from Qatar. What does this tell us? This is sort of an interesting and different attack targeting critical energy infrastructure?

Jonathan Moore (01:26):
Yeah. Well, I think, if I recall correctly, this has been attributed to Sandworm, which is the same threat actor that attacked the Ukraine power system in the past, shutting power off to Kyiv in two different events. And I mean, Pipedream is a toolkit piece of malware. So it's a piece of software, or a collection of software and tools, used to cause temporary or permanent loss of capability in these industrial control systems. So, I think it's interesting, and there's several interesting things about it. So one, I want to think that it's... I think we have a good belief that this is a real incident and not just sort of propaganda, trying to show yet again we've got the better of Russia either through intelligence or having better capabilities. It's actually been commented on.

Jonathan Moore (02:28):
And apparently the original research and reverse engineering was done by Dragos, who's really the premier security company in these industrial control systems in the US. So, it is really interesting. And it does show, if this was something that Russia meant to use, that they were trying to escalate and bring some of the conflict directly back to us domestically, which I think would be an interesting shift if we saw it. We've heard the government warning us for months now that, "Hey, Russia's coming," and we haven't seen them yet. So if it is an attack that we thwarted, that they meant to follow through on, that is really interesting. And I wonder what else we are defending against successfully. I think I'm super interested, too, whether this was a detection that we caught early and stopped by hard work and luck, or whether this was tipped off by espionage, since apparently we've got some great espionage capabilities in Russia, as we've repeatedly called out what their plans for the next week were, to their frustration. So, it is a very interesting event.

Christian Whiton (03:47):
Yeah. I'd like to talk more about the vulnerability of these industrial control networks, but maybe before we get there, another recent attack on US energy-related infrastructure, of course, was Colonial Pipeline. It sounds like this potentially was much more sophisticated, because with Colonial Pipeline, I mean, didn't that come down to a password that one of their senior officers said was really complicated, but nonetheless was discovered, and it was an attack on a billing system? Am I right? Is what we're talking about here more sophisticated than that one?

Jonathan Moore (04:19):
Well, I think I'm not sure... Sophisticated may or may not be the right language to use, but I think that the right way to think about it is what the goal of the adversary was. So yes, Colonial Pipeline shut down because they couldn't do billing and they didn't want to give away energy for free. But the goal of those adversaries was to shake down Colonial Pipeline, to get money in return, whereas the apparent goal of these adversaries was to shut down capability as a form of attack, as a tool of politics and military, not as a way to make more money. So it was not a financially motivated attack; it was a politically motivated attack. So that, I think, is really the big difference to see in terms of framework. I mean, without having these various things in hand, and we do not, I do not have this in hand, and if there is a report that's available, I haven't read it myself.

Jonathan Moore (05:19):
I can't really speak to the actual level of complexity, but if it targeted industrial control systems, generally the goal in those systems is to overcome the safety controls that keep the plant both available and safe for people in the vicinity. So, all of these kinds of systems work in control loops, where you have some kind of actuator and you need to keep some process within some safety balance. And you have a series of controls that allow you to keep that, and you probably have redundant controls. Like, you might have a pipe that's rated up to some pressure, and you have some sensor checking what the pressure is. And if it's a process with a heater, you have some heater control modulating the temperature to keep the pressure safe.

Jonathan Moore (06:08):
And maybe you have another pressure release valve. So you have this whole set of systems, and you need to keep everything within the safety envelope. And what we've seen historically is that these attempts have been to subvert the safety systems, to allow things to go out of the safe range, to cause temporary or permanent damage to the facility and loss of capability. So it's meant to deny capability in a political or military context rather than, again, to temporarily deny capability as a way to ransom money out of somebody. So I think more important than sophistication is the goal of the attack.

Christian Whiton (06:47):
Interesting. With... I mean, how interconnected are these systems? I guess you'd think the sum of all fears would be a cyber attack on a nuclear plant where you yank all the control rods out, the reactor goes prompt critical, maybe the fuel all melts, maybe the reactor itself explodes. I mean, is that sort of the apex threat, and is that unlikely, or is that actually within the realm of the theoretically possible?

Jonathan Moore (07:13):
Well, I mean, I think it really depends. Well, I mean, theoretically possible. I mean, I believe it was in Bhopal, India, where there was a large chemical accident that killed thousands of people. And so I think if you want to look at the extreme of what's theoretically possible, those kinds of things are possible. Now, in a well designed system, that should not be possible. That incident was due to multiple failures, largely at the administrative level as well as the personnel level. There were redundant safety systems that had failed and hadn't been maintained. There was insufficient staffing and all that kind of stuff. So, should a cyber-only attack be able to cause that kind of large damage? I hope not in these systems, but I've got to be clear: I am not an expert in industrial control systems.

Jonathan Moore (08:07):
I mean, I've got a little bit of knowledge, maybe just enough to be dangerous, but I don't want anybody to take anything I say as correct. It's merely something to inform more research. But so I think the most likely thing we would look at is less human safety concerns and more loss of capability. If a natural gas plant can be damaged to the point where it takes weeks or months to repair, that would be a useful outcome for Russia, which, as you pointed out, makes a lot of its economy selling natural gas, which now has a limited market.

Jonathan Moore (08:52):
And so that's sort of in their interests, or maybe it's just spiteful and they feel this is a way to rub it in our face. In the same way that when they attacked Ukraine with the NotPetya attack, it used a leaked NSA exploit as part of that attack. Not even probably necessary, but it was a way to kind of thumb their nose at us. So, maybe this particular thing, the use of natural gas, is more about making a point than it is the particular outcome. So, I think the loss of capability is probably the primary thing that you're looking at. Could it extend into harm or loss of life? It's possible. Hopefully the systems are engineered such that there are controls outside the cyber realm that would keep things in a safe envelope.

Christian Whiton (09:44):
So, still sticking with industrial control, is the sort of quintessential, I guess, attack, is it still the attack? I think, was it on Natanz, the Iranian nuclear site where you have a concentration of centrifuges that enrich uranium or could enrich uranium, where in an Israeli-US operation, reportedly in the mid-2010s, an exploit was introduced by putting it on just a number of memory sticks? And eventually, if you give enough of those things to enough people who work at the same facility, sooner or later someone's going to plug one into a computer, and someone did. And it tampered with, I guess, just the speeds of the centrifuges, which are very sensitive. And I don't know if they exploded or just malfunctioned or were damaged or destroyed. Is that still kind of the best known success story of one of these attacks?

Jonathan Moore (10:43):
Well, let's hold our judgment for a second on success. I mean, it is certainly one of the most well documented, highly technical attacks. So the attack, as we understand it, or as I understand it, was: they attacked the IT networks of a contractor who worked at that facility, infected their computers, that computer infected the thumb drive, which was then used to bridge the air gap and go to the air-gapped systems, because the configuration files were moved from the engineering firm to the production plant. That was really interesting in that it was an attack that explicitly jumped an air gap, and it shows that air gaps have a lot more connectivity, pretty much always. That's the thing that we've looked at as you look into this more: air-gapped systems aren't really ever air gaps, they're just harder to step through.

Jonathan Moore (11:41):
And then it was a very well engineered thing in that they were careful: it looked for a very particular configuration of controllers and systems, so this couldn't accidentally be deployed at another plant; it's very targeted. And then it did some very devious things in that it sampled the measurements of some of the sensors about how fast things were running. And then when it ran its attack program, to run at sort of duty cycles that were thought to damage the equipment, it would lie about what it was actually doing on the controls so that it was covert. And it potentially had the result of damaging several of these centrifuges. And now the question is, what impact did that really have? I mean, did they significantly increase the rate of failure of centrifuges above what was already happening?

Jonathan Moore (12:37):
Did that attack significantly push out the time period in which Iran would have acquired a critical amount of enriched uranium? These are all questions that I think are not clear. I mean, certainly the press, which we must imagine at some level is at least partially propaganda, the press about this that's published in the US, almost certainly had the influence of the state who performed the attacks in it. So whether intentionally or unwittingly, we have to look at it partially as propaganda. How effective were those attacks? And it's not clear they were significantly impactful. Months of impact at best, and that maybe was politically useful at the time, given that we were in the middle of negotiations about Iranian capabilities at the time, but maybe it also wasn't. So, I think it's a little unclear, the effectiveness of that attack. So, I'm not sure whether it's the most effective attack yet. I mean, a lot of these SCADA attacks are not well documented. But it certainly is one of the most technical attacks that's been documented.

Christian Whiton (13:57):
Now shifting from technology to some of the policy, if you want to call it that, implications of this. As we discussed in the last episode, earlier in the Ukraine war you had wiping technology deployed by Russia, targeting Ukraine, and care taken not to disable networks that the Russians themselves were using, perhaps in addition to the Ukrainians, for their own command and control. This, if in fact it does turn out to be Russia and if what early reports indicate is true, targeted LNG facilities in the US. I mean, that's a big category; we don't know exactly what that means based on the limited information we have. But does that tell you anything about a shift, or about the modus operandi of Moscow in the fight?

Jonathan Moore (14:55):
Well, if this was Russia trying to strike at domestic US facilities, it certainly seems like an escalation. And I think it's an interesting escalation because one of the things we've seen historically is that, in the lack of sort of global agreement about cyber, the de facto behavior seems to be that we do not consider cyber attacks to rise to the level of armed conflict. So it's interesting that it shows Russia going as far as they can to take actions against us, engaging in armed conflict against Western nations. And I think that in itself is sort of interesting signaling. They have been threatening about nukes, they've been threatening about attacking Scandinavia if they join NATO, there's been all this sort of saber rattling around the kinds of military outcomes that might occur if we make the wrong decisions. And none of those have come to fruition, but this seems to be one of the largest escalations they could make without it crossing the line of what has, at least historically, been the line of armed conflict.

Christian Whiton (16:17):
Yeah, that's interesting. In the Cold War, in the fight between the KGB on one side and the CIA and MI6 on our side, it seemed there was an unwritten code of conduct that eventually worked its way out. Same too with, for example, the way that fighters flying from Alaska or Maine would engage Russian bombers that were coming over just on patrols or on probing missions or whatever you want to call it. There were certain... you arrive, after a certain amount of time in a conflict, even a cold conflict, at a code of conduct. And it seems we haven't really gotten there yet, or that sort of all sides are still feeling out what's permissible. And maybe so far, I don't know, it's safe to say people are pushing on an open door because there often isn't a response, and maybe there can't be a direct response in cyber war.

Jonathan Moore (17:11):
Yeah. Well, I mean, I think there's a lot of sides to why that is. I mean, one is it's very new, and I think our strategists don't understand cyber. You still see a lot, hear a lot of generals in the US talking about more lethal cyber weapons or cyber bullets. We hear people talking about outmaneuvering somebody in cyber, like it's a physical field, but cyber is radically different. There are no borders in cyber, or, in that, you might be able to say, "Well, we're going to draw our borders at all of the undersea cables that enter the US." But each time you make a satellite connection, is that another border? When you have a VPN that connects from a European office into the US, that, I think, arguably is another border as well.

Jonathan Moore (18:02):
So the borders reach to anywhere in the US. If I have a company headquarters in the Midwest and it has a VPN that goes out to India, now I've got a border with India that's in the center of the country. So, borders aren't at the edges; they're dynamic, they're changing. And I think that's another really key thing as well that's so different about cyber that resists creating norms, which is that cyber is constantly in flux. When you think about the norms of engagement at sea, in the end, the mass of water doesn't change, boats still float next week, and boats that didn't float a week ago don't float next week. But in cyberspace, the rules change drastically in periods of months or years. So, it's very hard to have that sort of understanding of what the realm is.

Jonathan Moore (19:03):
And I think another real confounding factor is that it's very hard to tell, before action is taken, the difference between espionage and military action, and that's a very blurred line in cyber. And I think that we all accept that espionage is good for global stability, in that we don't want other people knowing our secrets, because we want those strategic secrets and capabilities. But we also kind of do want Russia to know how many nukes we have pointed at them, and vice versa. So, a lack of knowledge between powers leads to more instability and more fear. So, we kind of accept espionage as part of the game and it's not considered to be an evil against humanity, where we consider unjustified war to be such. We have the idea of war crimes and illegal wars.

Jonathan Moore (20:00):
We don't have the idea of illegal espionage. So, I think that blurring of that line is also another confounding factor. And I would say the last is proliferation, in that it's very hard to control these technologies. So, I think there's so many things that stop norms, and it is so new. And we would also, I think, have maybe been resistant to put down norms, because once there's a norm, then we can't violate it either. Nobody wants to take away capability. So, I would say, yeah, we don't have norms, but I'm not sure we ever will.

Christian Whiton (20:36):
Interesting. If I could do a deep digression just for a minute, since you mentioned VPNs, and in the case you illustrated, actually, it was an instance of a VPN increasing vulnerabilities. I mean, you think of these things as a way for individuals to conceal their internet traffic from their internet service provider or whoever. Do they actually make you more safe and secure? Do they increase the number of attack surfaces that an adversary can exploit?

Jonathan Moore (21:10):
Well, I think that's a sort of complicated question to ask. So they, at one level, increase complexity, and every line of code you add to a system is another line of code that might have a vulnerability. They increase the complexity of reasoning about the total system. They confound the ability to analyze traffic, which, if you're trying to observe an attack, might make it harder. So in those ways, I think they do increase risk. And I think the way they're applied is very often papering over risk. So a lot of times the reason they're used is because the historical approach to network security is to secure the perimeter. And so now, if I'm outside, how do I use the resources on the inside, which are not properly secured? Well, I can use a VPN to extend my perimeter to just one more host that's outside of my physical network.

Jonathan Moore (22:22):
And so in that way, if you have an insecure internal network, that VPN does provide you a control that allows you to "safely" use it from outside your network. But again, it's making your perimeter bigger. There's now yet another node, and one that's very hard for IT to manage, because it's somewhere out in the field, potentially, that now is considered part of your network, which, by the fact that you're using the VPN, kind of indicates that you don't believe it's secure in and of itself. So, as a control, they provide a reasonable control, which is saying that I don't want my traffic to be analyzable by third parties who are helping me transit between my VPN terminator and my endpoint, the two endpoints of my VPN.

Jonathan Moore (23:10):
And that, in some scenarios, can be a useful control that can make you safer. If you're worried about your ISP spying on you and selling your data, and that's a risk you care about, a VPN might improve that. Probably not if you buy one of these commercial ones, because really what they are is aggregation points to go watch people. And very many of these VPN companies are themselves adversarial or have adversaries literally sitting at their door. We've certainly seen that with Tor exit nodes. So, it's a control which, if you use it properly, might get you more security. But I think in practice, what we see is it's probably usually increasing risk.

Christian Whiton (24:00):
That's fascinating. It's very interesting. As usual with a lot of what takes place in cyber, in the end it's sort of "it depends." One last area quickly for discussion. Another development in the Ukraine war was the sinking of Russia's flagship in the Black Sea, the Moskva, if I'm pronouncing that right, the Russian word for Moscow, the capital. It's the flagship in, excuse me, the Black Sea, but it's an old ship. She was, I guess, laid down in the '70s, commissioned either late '70s or early '80s, pulled out of commission in the early 2000s, put back in. Not nearly as sophisticated as, I would say, an early Burke-class destroyer of the US Navy. But anyway, she's now at the bottom of the Black Sea, having been attacked by the Ukrainians.

Christian Whiton (24:49):
And I gather with a domestically built cruise missile, not a hypersonic one, not even a supersonic one, just a plain old cruise missile. But is there anything that we should infer about the scrappiness of the Ukrainians or the state of the Russians, or whether we are mirroring them when we look at this military, thinking that they have the same objectives and tools that we do, and in fact they're very different? Or is it best to keep what happens in the physical realm, like a missile attack on a ship, outside of our cyber assessment realm?

Jonathan Moore (25:26):
Well, I mean, I'm not an expert in that field, but I think it is interesting. I mean, I personally find it interesting. This is the first use we've seen of this anti-ship capability that Ukraine has. I think the questions we might want to ask ourselves are: where did Ukraine get their intelligence? Was it through signals intelligence? Was it through cyber? Was it luck? Was it a human asset? Or was it support by another nation providing [crosstalk 00:26:01].

Christian Whiton (26:01):
Yeah, I was going to say an American P-8 flying over the Black Sea, maybe.

Jonathan Moore (26:05):
Yeah. I mean, the true details are hard to come by, because both Ukraine and Russia have a vested interest in using this, or producing propaganda around this. Russia claiming, like, "Oh, it was just a fire that happened on the ship," and Ukraine claiming they took it down.

Christian Whiton (26:27):
Technically true. It's just a 2,000-degree fire burning aluminum, started by a cruise missile, but a fire.

Jonathan Moore (26:34):
Yeah. So, I think we won't know the details, but it does show the ingenuity of Ukraine. The reports that I've read about how the attack was pulled off, and the subterfuge involved, and the careful planning, and I do think we should... The thing I would really like to know is more about Ukrainian cyber operations. We've been hearing a lot about Russian cyber operations, but it's very clear that Ukraine is working very hard to maintain capabilities and maybe use them in offensive ways that we don't really know all that much about. So, I guess the intelligence aspects might be cyber related. And I think, just as more evidence of the tenacity and resourcefulness of Ukraine, it sort of brings back to: how is that playing out in cyber?

Christian Whiton (27:25):
Right. And well, the history is being written and will reveal itself over time, but that's all the time we have for this episode of Cyber Context. Thank you, Jonathan Moore, Chief Technology Officer of SpiderOak. I'm Christian Whiton. We'll be back again soon with another episode. Thanks for listening.


What is Cyber Context?

Cyber Context exposes the story behind the story with information security that increasingly defines our economy. The podcast features Jonathan Moore, chief technology officer of SpiderOak, a leading voice in cyber, software design, and business. Co-host Christian Whiton is a PR guy and former diplomat and banker.