Botnet
A number of computers controlled externally to launch an attack, a DoS or DDoS, that forces a lot of traffic onto a computer that cannot process it. The main motivation is cybercrime; the rest is cyber espionage and warfare.
Crypto AG
Swiss cryptography firm that sold its equipment to governments and militaries after WWII. Secretly controlled by the CIA and sold after 2018; it was selling backdoored crypto equipment to benefit the US, the UK and defence intelligence. Revealed on Feb 11, 2020, by the media.
Stuxnet
Worm designed for sabotage whose target is a specific industrial process: it actually targets a particular subsystem of a SCADA industrial control system (ICS) of a specific producer, Siemens. Once injected, it spreads silently through a Windows infrastructure looking for a specific PLC (programmable logic controller) to reprogram/alter the functionality of that PLC while at the same time showing normal running conditions to the monitoring system. It was first reported in mid-June 2010.
It is defined as a military-grade cyber weapon with the goal of hitting real-world physical targets: through the virtual cyber-war world you produce physical damage on the physical systems operating the machinery. It implies deep insider knowledge, so this is a mixture of cyber war, cyber weapon technology and intelligence. The goal of Stuxnet was to disrupt the production mechanism of the centrifuges used in a uranium enrichment facility in Iran. Stuxnet placed itself in between the PLC and the industrial control system, intercepting their communications, in order to modify the PLC internal code and to change the operational parameters; it hides the infection (on the Windows side and on the PLC side) through rootkit functionality. Stuxnet lives and operates in two different environments: the Windows environment and the PLC environment, where the payload is parachuted, injected and executed. A worm is a segment of code able to replicate and travel autonomously through the networks without human intervention; the difference with viruses is that a virus needs some kind of human activity to activate and move around the network, while worms are completely autonomous and usually contain a payload to attack the specified target. An example of one of the first worms that appeared on the networks is Code Red (2001), with an incredible capability to travel across networks. Worms go around by themselves and there are many cases in which they ended up in nuclear power plants, for example. In 2003 the Slammer worm was able to enter a nuclear power plant in Ohio and disable the safety monitoring system for a few hours; in 2008 in Georgia there was an automatic shutdown of the nuclear power plant after the application of a software update to a single computer; in 2014 a South Korean nuclear power plant was hacked to access blueprints of reactors, floor maps and other internal information (this is very likely an intelligence operation).
Critical infrastructures such as the production and distribution of electricity, gas pipelines, water, chemicals and food are controlled by software called Industrial Control Systems (ICS). SCADA, which stands for Supervisory Control and Data Acquisition, controls very dispersed assets in order to centralise data acquisition and the control of operations of critical systems. At the lowest level are the PLCs (Programmable Logic Controllers), low-level devices that control real-world processes at the interface between the virtual world and the physical world (for example sensors, actuators, pumps...). The general SCADA architecture consists of control centres with human interfaces for the operators who control the framework, communication links over different technologies (cable, radio links, satellite links...) and remote sites where you can have sensors with local intelligence, remote telemetry units. Stuxnet is specialised for ICSs, which are becoming increasingly vulnerable infrastructures because of their underlying layer of ICT, cyber and digital technologies.
These control systems for large infrastructures historically used to be more isolated than they are now: closed environments, less effective and flexible but probably a bit safer. Now there is a tendency to connect SCADA systems to the general network, a convergence between control networks and corporate networks; SCADA components are being standardised, with extensive use of ICT protocols. Each of them comes with its vulnerabilities (e.g. the monitoring framework communicating with remote devices without any encryption). Once compromised, it is difficult to take control of the device again; in some cases it had to be rebooted or power cycled, but in the case of industrial frameworks and systems you may not be able, or may not want, to power cycle something important. Stuxnet is a cyber weapon. Probably the first Stuxnet infection was caused by a USB key, and it is very likely that the person who plugged the USB key with Stuxnet inside into the first computer of the local area network of the plant was not even aware of injecting the worm (not clear whether that was done on purpose). Immediately Stuxnet installs a rootkit on that machine so that it hides its files and activities; it tries to connect to a Command and Control (C&C) server if it finds a way out to the external network, and if it doesn't, Stuxnet is completely autonomous. From that point on it infects all USB keys inserted into that machine, then it starts spreading to the enterprise network, to all the nodes through print servers and file services. It doesn't do this very quickly: the worm is stealthier that way, and it is even more difficult to figure out what's going on. Then it establishes a peer-to-peer (P2P) network for self-update and again tries to access an external Command-and-Control server if it finds one. It is what in military terms is called "fire and forget" launching: it does everything by itself, completely autonomously; you don't even have to tell it where the target is, the weapon goes and looks for the target. It infects any new USB flash drive inserted into any computer at that level, then it goes down in depth through databases, network and printer and file shares. It spreads through Windows vulnerabilities but also through vulnerabilities of the Siemens software and goes down one step at a time: it starts infecting all the machines at that level and proceeds to infect 7 project files (project files of the industrial control system) until it gets to the very bottom, the PLCs, and starts fingerprinting them, infecting only the necessary one by applying the payload (15,000 lines of code). So what it does is replace the communication library used by the control system with the Stuxnet library. The new library is able to control the communication between the PLC's input values from sensors and the monitoring system, and it gives fake pre-recorded data to the legitimate monitoring programme. The functionality of the inserted code was varying the rotational speed of the centrifuges slowly over a month. It uses 7 different propagation mechanisms, in addition to establishing a peer-to-peer connection to C&C servers to download and execute code updates, a rootkit on the Windows infrastructure and a rootkit at the PLC level, so it not only hides itself and its activity in the files on the Windows infrastructure, but it does the same at the lower level. The NSA jumps the air gap by having a transceiver planted inside the USB key, connecting over a short distance to a different station.
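As an added defensive illustration (not part of the original notes), the following Python check looks for the two symptoms of the man-in-the-middle described above: a monitoring feed that is an exact loop of pre-recorded readings, and a monitoring feed that drifts away from an independent reference measurement of the same process. The reference channel, the sample values and the tolerance are all constructed assumptions.

```python
"""Replay and divergence check on sensor telemetry (constructed example).

Assumes an operator has an out-of-band reference measurement (e.g. an
independent tachometer) alongside the feed shown by the monitoring system.
"""


def find_replay_period(readings, min_period=4):
    """Shortest period p at which `readings` repeats exactly, else None.

    A real, noisy physical signal almost never repeats bit-for-bit, so an
    exact loop is a strong indicator of replayed pre-recorded data."""
    n = len(readings)
    for p in range(min_period, n // 2 + 1):
        if all(readings[i] == readings[i - p] for i in range(p, n)):
            return p
    return None


def channel_divergence(reported, reference, tolerance):
    """Index of the first sample where the reported (monitoring) channel and
    the independent reference channel differ by more than `tolerance`,
    or None if the two channels agree throughout."""
    for i, (rep, ref) in enumerate(zip(reported, reference)):
        if abs(rep - ref) > tolerance:
            return i
    return None


def assess(reported, reference, tolerance=50.0):
    """Return a list of human-readable findings (empty means no anomaly)."""
    findings = []
    period = find_replay_period(reported)
    if period is not None:
        findings.append(f"reported channel repeats exactly every {period} samples")
    idx = channel_divergence(reported, reference, tolerance)
    if idx is not None:
        findings.append(f"reported and reference channels diverge at sample {idx}")
    return findings


# Constructed sample: a 6-sample capture of centrifuge speed (RPM) looped four
# times is what the monitoring programme sees, while the real process is
# being ramped upward.
LOOP = [1064.0, 1065.2, 1063.9, 1064.4, 1064.8, 1063.7]
REPORTED = LOOP * 4
REFERENCE = [1064.1, 1065.0, 1064.2, 1064.6, 1064.9, 1063.8] + \
    [1080.0 + 20.0 * k for k in range(18)]

if __name__ == "__main__":
    for finding in assess(REPORTED, REFERENCE):
        print(finding)
```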
- Duqu (2011): a remote access Trojan, not self-replicating, similar to Stuxnet but targeting computers rather than ICSs; more an information-gathering worm, so it had a back door recording keystrokes and system information (cyber reconnaissance), unless it was a precursor of something. The targets were limited, and it was designed to destroy itself after 36 days.
- Flame (2012): optimised for espionage and mainly found in Iran and the Middle East, apparently. Large and complex espionage capabilities: recording voice Skype conversations, screenshots, keyboard activity, network traffic. No automatic replication or propagation. It had a self-destruct module to eliminate traces.
- Gauss (2012): a nation-state-sponsored banking Trojan used to gather information and monitor bank accounts and money flow. The main distribution is in the Middle East.
- Shamoon (2012): sabotage on the Saudi oil company Aramco.
- Red October (2013): an advanced cyber espionage network targeting diplomatic and governmental agencies and scientific research organisations. It contained more than a thousand modules for advanced infections. Most of the tasks were one-time events, so a DLL for the specific task was obtained from an attacker server, executed in memory, and then immediately discarded. It used targeted email to specific persons, and through the attachment, relying on a Java exploit for infection, Red October was able to be injected undetected for more than five years. It operates slowly in the beginning: it gathers information for a few days, then comes module deployment and compromise, and there is a resurrection module: if you update the system or if the C&C servers are shut down, you can regain control over the previously infected machine with a simple email.
Logic bombs
You can implant things that wait for specific conditions before activating. Possibly a cyber-attack on the electric power grid in Ukraine causing a blackout (2016), the steel mill meltdown in Germany (2014), the pipeline blast in Turkey (2008).
Two other important aspects: the threat to military systems and the digitalisation of the battlefield. Military systems are being more and more digitalised, with an increase in vulnerabilities on weapon platforms because of the increasing dependence on software systems. You have communications and control systems on the battlefield, lots of sensors everywhere, networking and automation of weapon platforms, and of course more and more embedded computing power. In advanced aircraft a large part of the functionality comes from software: the F16 is uncontrollable without its flight control, which is software; the F22, another fighter, is a cyber-controlled aircraft and not a closed system: it gets information during operations and external system updates during operation. Unmanned platforms include aerial, ground and underwater vehicles. Real-time data acquisition systems: to coordinate weapons and people on the ground you need high network bandwidth for everything needed on the battlefield (live video feeds, image transfer, voice and sensor data transfer and processing, surveillance). Example of a drone: the Global Hawk, with long endurance, surveillance and reconnaissance sensors, infrared sensors, electromagnetic sensors; it can also strike. It is an integrated system: the drone is one part of the system, but you have to have Mission Control, which is somewhere else, where you plan command, control and communication, and you have to have a system for launch and recovery of the drone and vehicle.
Since they are remotely controlled, they have to have a permanent communication link open to the pilots, with the second problem being the bandwidth.
Possible hardware attac