Platt Perspective on Business and Technology

Stuxnet and the evolution of threat assessments and responses with system complexity

Posted in business and convergent technologies by Timothy Platt on November 9, 2010

This is my sixth posting in an ongoing series on the changing face of conflict and cyber-conflict, and a direct continuation of the fifth entry which can be found at Stuxnet and the Evolution of Vulnerabilities Emergent to System Complexity. I used that posting to define a couple of terms that are needed in conceptually addressing an emerging form of systems-level cyber-security risk factor:

• Complex systems and systems of components that cannot be fully mapped and understood for potential risks and vulnerabilities at a piece by piece, component by component or simple subsystem level.

The terms I defined in the last posting before this in this series were elemental system and complex system, and I left off at the end of that posting having proposed that attacker and attacked (elemental) systems nontrivially form a single overarching system and that vulnerabilities arise when these separate systems functionally connect and combine.

I want to pick up on this story with a working example, drawn from the April, 2007 cyber-attacks on Estonia. I have already cited at least a few aspects of this series of events in previous installments in this series (see Ubiquitous Computing and Communications – everywhere all the time, postings 58-60, 62 and 63.) I want to follow up on that with some intriguing additional details, and to do that I have to start by writing a bit about Russian sourced spam.

When the Soviet empire fell, a great many people with what may be called specialized access and resources suddenly found themselves entering the free market, or at the very least in a situation where their previous personal and financial status and security were gone. Many simply entered the open marketplace and sought to compete through publically acknowledged business ventures of one sort or other, but some chose a different path. The availability of computer expertise coupled with growing opportunity in the online environment led to proliferation of numerous new businesses of a more shadowy nature, some focusing on phishing and identity theft, some on viruses and related malware, initially to show prowess, but quickly as a means to gain income, and more. One of these approaches that has gained a tremendous amount of traction through successful effort is in suborning networks of computers (here identified as zombies) into botnets.

Actually, very few of these entrepreneurs have specialized in only one tool or approach. And one of the more powerful and prevalent fruits of this labor, dependant on coordinated application of several of these approaches, is spam. Spammers send out seemingly endless millions of unwanted, unsolicited and undesirable email ads, for Viagra, porn and other products and services. Their distribution systems depend on availability of vast networks of surreptitiously controlled computers – botnets. And one of the most effective of these entrepreneurs in Russia was, until quite recently reported to be a gentleman by the name of Igor A. Gusev. He, at any rate, has been credited with this feat.

On September 27, 2010 a normally quite laissez faire Russian government shut him down on charges of operating an unlicensed pharmacy. It is estimated that this caused a sudden worldwide drop by approximately 20% in the total volume of spam messages sent out daily. I said millions above, but the actual number that was suddenly not sent because of this clamp-down is more like 50 billion spam messages a day – just sent out through the botnets that Mr. Gusev was reported to control.

This gets interesting because evidence indicates that much of the April, 2007 denial of service attacks launched against Estonia in what was allegedly a protest over removal of Soviet era statues was launched through Gusev controlled botnets. And when this came out publically, Ivan A. Gusev was in effect singled out for special treatment.

This attack was set up and run out of _ fill in the blank _. As I have stated repeatedly, it is easy to hide the actual source of an attack behind multiple layers of diversion and misdirection. The homeowners who own the computers suborned by infection with root kits and other software into being zombie nodes in botnets did not plan or launch these attacks, even if these attacks were proximally launched through their computers. I would argue that it is equally likely that Mr. Gusev did not plan or launch these attacks either, unless that is he was trying to build a strong insanity defense plea for a future anticipated court case. Why would a businessman who depends on remaining in the shadows for success, position himself intentionally in the crosshairs as an active and dangerous enemy of nation states and national governments? That just does not make any sense.

Did these attacks initiate from planning carried out in Russia? That is possible, and it is certainly true that many of the largest, most extensive and best managed botnets going are run out of the former Soviet Empire, in Russia and in some of its former vassal states (e.g. Romania and managed by some of its forced retirees of the now former Romanian KGB.) But this was done in such a way as to cast suspicion on Russia and on Russian intentions towards the border countries who would be most receptive to believing bad intentions. That includes a lot more than just Estonia and the Baltic States. That would include a wide range of flanking nations that Russia needs to be on good terms with but with whom they have had a troubled past. Was this attack on Estonia actually an attack on Russia and its capacity to develop agreements and alliances with its key neighbors?

Whoever did plan and launch the April, 2007 attacks on Estonian computer networks and networked governmental and private sector facilities had their own elemental systems to launch this from. They (probably) attacked through botnets that they suborned from their usual botnet herders (e.g. the technical support staff who were at the very least paid for services by people like Mr. Gusev.) These botnets and possibly other elemental systems that were worked through in stages to cover tracks led to the intended (visible) target elemental systems in Estonia. And together all of these elemental systems formed a single complex system.

• Elemental systems, and here SCADA systems are excellent examples, are build and run with homeostatic balance and stability as a core requirement and goal.
• Attacking elemental systems are developed and launched with an overarching goal of capitalizing on complex system nonlinearities to break this homeostasis, and create overall systems breakdowns. They need stability in their own systems; they are designed to break stability, or to suborn it in larger complex systems.
• Then the attacking system, hidden behind the anonymity of middleman systems (e.g. Botnets and Mr. Gusev) safely detach and are disassembled until needed again, updated from the learning curve opportunities that this attack created.

My next posting in this series is going to take a look at internet protocols and how they can be suborned in launching and masking the source of cyber-conflict.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: