War Games


The number of large scale cyber attacks on government and corporate institutions are increasing. Knowing that is the first step in staying prepared.

Few films and television shows accurately depict hacking or cyber attacks. Hollywood often employs creative license when it comes to the capability of hackers. They are often depicted as gaining remote access to government satellites, uploading human consciousness into computers, or typing in a few keystrokes and powering down a military facility. We’ve all seen some version of this and it can often be difficult to imagine the reality of it. So what exactly, in the real world, constitutes a large-scale cyber attack?

The very idea of a hacker targeting your district may seem ridiculous. But is it? There is a saying among cyber security experts: If you have something worth stealing, there is someone out there who is willing to steal it. Your district could have credit card information, access to sensitive public utility information, medical records, and personally identifiable information for your employees, customers, or patients. More importantly, your district has money, which many criminals would like to get their hands on.

If you’ve kept abreast of current events in the past two decades you may remember a couple of large-scale cyber attacks that made national headlines. More than a few of these caused dramatic financial losses for companies such as Home Depot and Target. Others, as we have reported in the past, targeted hospitals and other places of public accommodation. Here is a brief rundown of several significant cyber attacks from the last few years.

Titan Rain

In 2003, more than 1,500 American workers employed at the National Nuclear Security Administration had their information stolen. Designated “Titan Rain” by Federal investigators1, the attack was believed to be ongoing for at least three years before discovery.

Unfortunately, the hackers responsible for Titan Rain succeeded in gaining access to the computer networks of several US defense contractors like Lockheed Martin and even those of some internal government agencies like NASA.

Investigators suspect that the attacks came from China, more specifically, the People’s Liberation Army in conjunction with freelance hackers contracted by the Chinese government. Beijing disavowed any connection to the incident, and some analysts suspect that the perpetrators had used computers of Chinese origin to produce friction between the two countries2.

Flash Drive Back Door Attacks on US Military

In 2008, someone picked up an ordinary USB flash drive that was left in the parking lot of a Department of Defense facility located in the Middle East.3 That someone ended up plugging the flash drive into a laptop connected to US Central Command, and unwittingly began what was later described by a senior Pentagon official as “the most significant breach of US military computers ever.”

The flash drive had contained a malicious code known as agent.btz, which effectively creates “back doors” into computer systems. A “back door” is a method of bypassing normal authentication, commonly used for securing unauthorized remote access to a computer. Many of the security updates run on products like Microsoft Office or Microsoft Windows eliminate back door vulnerabilities. It took the Pentagon over a year to clear agent.btz from military networks. Though the hackers were never discovered, many investigators believe that they originated from Russia.4

Botnet Attacks on US and South Korean Governments

Over the Independence Day weekend of 2009, a number of governmental, commercial, and financial websites located in the US and South Korea were effectively shut down by unknown assailants.5 Some of the targeted websites include the White House and the Blue House (the seat of the South Korean presidency), the US Department of Defense, the New York Stock Exchange, and South Korea’s National Intelligence Service.

Through the use of a “botnet,” a group of between 20,000 and 160,000 hijacked computers, the assailants created a server overload by flooding the targeted websites with traffic, effectively disrupting business transactions and website functionality.

This type of attack is called a “DDoS” or Dedicated Denial of Service attack. A DDoS is a cyber-attack that consists of more than one (usually thousands) of unique IPs. This particular attack is a common weapon in the hacker arsenal, typically used to deface or disable websites. Though the code used in the attack had the potential to destroy data as well as keep infected PCs from rebooting, the function was never triggered, leading some analysts to believe that the attack was intended to probe for vulnerabilities.

Operation Newscaster

In 2014, the American research firm iSight discovered a wide-reaching social media scam that had successfully targeted and affected high-ranking US officials, lobbyists, journalists, defense contractors, and foreign policy authorities.6 Dubbed “Operation Newscaster,” the hackers utilized fake profiles on Facebook, Twitter, LinkedIn, and other social media platforms to make contact with their unsuspecting victims.

In some instances, the hackers co-opted the names, biographies, and photographs of others, from reporters of well-established news agencies to systems administrators of the US Navy in order to establish their online credibility. Once the hackers have established an online connection, their targets are led to a fake webpage designed to steal login and password information to their personal and professional email accounts. This particular cyber incident was considered “the most elaborate social engineering scheme […] seen associated with cyber-espionage,” and had been ongoing for several years before discovery. Though it was never confirmed, the perpetrators were believed to be backed by the Iranian government.7

This attack is an example of “spear phishing,” which is the practice of sending emails ostensibly from a known or trusted sender in order to induce targeted individuals to reveal confidential information or compromise their own devices by clicking links which lead to malicious software. This type of attack is similar to something commonly called “social engineering,” which is the use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes.

Operation Cleaver

In 2014, Cylance, a cyber security firm based in the US released a report of a global-scale cyber threat dubbed Operation Cleaver.8 Over fifty entities around the world have been compromised, ranging from hospitals and airports to universities and gas and oil companies. With stolen employee credentials and passport photos, the hackers had access to sensitive data such as operations and procedures involved with aircraft maintenance, and based on the breadth and scope of their target industries, Cylance surmises that the group’s intention is to either exploit or damage a number of critical utility infrastructures on a global level.

The report also claims that the hacking campaign was sponsored by the Iranian government, and provides detailed historical context for the motivations behind these attacks.9

The report linked Operation Cleaver to the Stuxnet incident in 2010, which involved a virus damaging Iranian nuclear facilities. Stuxnet was believed to be of American or Israeli origin and was the first instance of malicious software being used to damage physical equipment. It underscores the very real cyber warfare that has been waged between countries for nearly two decades with no sign of abatement.

Many believe Operation Cleaver is still ongoing, and though the Cylance report has given the global security industry a guideline for detecting known Cleaver codes and exploits, analysts think that the report is only scratching the surface of the hackers’ considerable cyber arsenal.10

Many of the aforementioned large-scale cyber threats demonstrate the deceptively simple techniques hackers often employ to infiltrate our computers and steal our information: requests from a stranger on your social media, the stray USB drive on the floor, and the email you failed to scrutinize before opening.

The CSD Pool takes cyber security threats very seriously. We have published numerous articles over the last several years on the topic, we offer every member free access to the cyber security resource portal eRisk Hub® and last year provided free cyber risk assessments to six districts.

This year we are making that offer again and expanding it to include an option to get NetDiligence’s Network Vulnerability Scan Test. You can find more information here.

If your district is interested in having a free cyber assessment done, fill out the application at this link. We will be doing up to six again this year at no cost. This is a great way to avoid some of the issues described in this article.

1. http://courses.cs.washington.edu/courses/csep590/05au/readings/titan.rain.htm
2. http://content.time.com/time/nation/article/0,8599,1098371,00.html & https://gcn.com/articles/2006/08/17/red-storm-rising.aspx
3. http://www.eweek.com/c/a/Security/Defense-Department-Confirms-Critical-Cyber-Attack-551206/
4. http://www.nytimes.com/2010/08/26/technology/26cyber.html?_r=1&ref=technology
5. http://news.bbc.co.uk/2/hi/technology/8139821.stm & https://www.cnet.com/news/botnet-worm-in-dos-attacks-could-wipe-data-out-on-infected-pcs/
6. https://www.washingtonpost.com/world/national-security/iranian-hackers-are-targeting-us-officials-through-social-networks-report-says/2014/05/28/7cb86672-e6ad-11e3-8f90-73e071f3d637_story.html
7. http://www.reuters.com/article/us-cybersecurity-iran-fbi-idUSKBN0JQ28Z20141213
8. http://cdn2.hubspot.net/hubfs/270968/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf
9. http://www.businessinsider.com/iran-is-officially-a-real-player-in-the-cyber-war-2014-12
10. https://www.bloomberg.com/news/articles/2014-12-02/iran-backed-hackers-target-airports-carriers-report

Both comments and trackbacks are currently closed.