“This is How They Tell Me the World Ends: The Cyber-Weapons Arms Race,” by Nicole Perlroth, Bloomsbury Publishing, NY, 2020. This 491-page hardback tells the story of cyber warfare from the perspective of a professional journalist who has covered the subject for years and interviewed many of the players. She is given to long, wordy chapters with lots of details.
Zero-day software flaws are at the center of much of the story. A zero-day is a vulnerability unknown to the vendor, so no patch exists; an exploit for one lets an attacker into the software without the password or other control that protects the front door. Initially they were found by hacker hobbyists who reported them to software companies and were often threatened with lawsuits under copyright law for their trouble. Over time, government agencies like NSA learned that such flaws were useful for getting into computers for intelligence collection or even for sabotage. After Stuxnet, many governments, friend and foe alike, jumped on the bandwagon.
In 2002, a researcher who found a zero-day in HP software was threatened with a lawsuit under copyright law. A dealer sued and forced the company to retract the threats, apologize, and do vulnerability research. An MP3 song file that gave full access to the machine playing it sold quickly. Software companies decided it was better to patch flaws, and began paying rewards to those who found them; as more buyers emerged, prices rose. In 2002, Microsoft launched its Trustworthy Computing initiative and took bug fixing seriously. One result was "Patch Tuesday," introduced in 2003: fixes are released together on the second Tuesday of each month.
The book makes clear that zero-days exist for most software and hardware. Most get patched after a while, but agencies like NSA must decide which to disclose to the vendor and which to keep for their mission. Brokers make them available, often selling the same flaw to several buyers. It is not uncommon to find multiple active taps on one system, from both friend and foe.
The first rule of cyber is that no one talks about the zero-day market. We get a glimpse of some of the players. On the vendor side, Symantec buys up smaller companies; Avast, a Czech antivirus company, and Trend Micro, a Japanese one, are others. Defenders include FireEye, CrowdStrike and, from Russia, Kaspersky.
In 2006, Charlie Miller, a former NSA employee, discovered a zero-day in Linux. He sold it for $50K and published an account of how he sold it. The buyer was not disclosed, but he proved that government agencies would pay good money for zero-days. Prices rose immediately.
Some history of espionage is described. In 1983, the French embassy found the Soviets had planted bugs in its teleprinters–undetected for six years. In 1945, the US Embassy in Moscow found 120 hidden microphones. The Great Seal of the United States presented to the American ambassador by Soviet school children in 1945 was found bugged seven years later. In 1984, the feds brought equipment back from the US Embassy in Moscow for examination. A tiny magnetometer in a metal bar in IBM Selectric typewriters could transmit every keystroke. The system had been in place for eight years. The Soviets disallowed use of electric typewriters for classified information in their offices.
In the Hiroshima bomb, only 1.38% of the nuclear core fissioned. In 1954, the hydrogen bomb test at Bikini Atoll produced 15 megatons, roughly two and a half times the yield expected. Both are reminders that weapons can behave very differently from what their designers expect. In 1985, Sandia challenged its staff to find malicious implants hidden in computer code; the experts failed, with rare exceptions. Disguised code may be undetectable on review yet still runs once assembled for use, and auditing programs with millions of lines of code can be impossible. In 1988, the Morris Worm was released by a Cornell graduate student, and its spread got out of control by accident. From World War II on, rigged encryption machines made by Crypto AG, a Swiss company, made their customers' traffic easy for American codebreakers to read. With the arrival of the internet, budgets grew, and CIA or NSA would ask manufacturers to embed their microchips in their products.
NSA's capabilities go far beyond what Snowden revealed. With the arrival of the Apple iPhone in 2007, NSA could monitor every keystroke, text, email and search. China's Huawei became a concern: its equipment was riddled with Chinese backdoors. NSA, for its part, had gotten into Huawei's headquarters in Shenzhen, stolen its source code, and planted its own back doors in Huawei routers, switches, and smartphones. Low prices made Huawei the first choice in many deployments around the globe.
The book says seven zero-days went into Stuxnet. American and Israeli spies sabotaged Iran's nuclear program through Microsoft Windows and Siemens industrial control software. The attack required cooperation from NSA, Israel's Unit 8200, CIA, Mossad, and the national energy labs. The code spread as a worm that looked for Siemens controllers. It made the centrifuges destroy themselves while feeding false readings to the operators' monitors. Getting the code inside the air-gapped facility was a challenge; how it was done is unknown. Later the code escaped and was detected as a worm by antivirus companies, who worked out its purpose by investigation.
Snowden gave only a vague description of NSA capabilities. Additional sources soon became available, suggesting moles or spies were also contributing. A 50-page catalog of NSA implants was published: tools to track geolocation, eavesdrop through phone microphones, and collect keystrokes, and a USB stick with a built-in radio transmitter that passed data to a nearby receiver.
Most of the work was done at Ft. Meade, MD or at Sandia in Albuquerque, NM. Over time, NSA-trained experts moved to defense contractors: Booz Allen, Northrop Grumman, Raytheon, Lockheed, and Harris. Others set up their own boutique companies, some selling penetration-testing services; banks and governments were major customers.
In 2012 and 2013, British spyware was sold to many countries including some that used it to monitor journalists, dissidents, and human rights activists. Export of spyware was regulated in Europe but not in the US.
In the Mideast, Qatar became a thorn in the side of its neighbors. It had been a poor backwater best known for pearl divers and fishing; it became a leading seller of LNG and used its wealth to support liberal causes. Al Jazeera, its news network, often blasted its oil-rich neighbors. Qatar supported the Arab Spring in 2011 and backed the Muslim Brotherhood and Hamas.
In Israel, NSO Group, a spyware company, had hacks for phones: BlackBerry, Nokia, Android, and iPhone. Developed in 2008, in the early days of the iPhone, its tool bypassed encryption by capturing content on the handset itself, where messages are in the clear. The author found the spyware turned against proponents of a tax on soft drinks in Mexico. Mexico is Coca-Cola's biggest consumer market.
In December 2009, a cyberattack on Google began in Taiwan, where a misclick set off a zero-day exploit for Microsoft's Internet Explorer that gained access to the Google network. It was the work of a Chinese government contract group known to NSA as Legion Yankee. Chinese attacks conducted by the People's Liberation Army followed two tracks: foreign governments and ministries in selected regions, and intellectual property in targeted industries. Besides Google, victims included Adobe, Intel, Juniper Networks, Northrop Grumman, Dow Chemical, Morgan Stanley, and many more.
They wanted Google's source code and access to dissidents' Gmail accounts. Until 2009, source code in Silicon Valley was largely unprotected. Pressure from China to hand over information on dissidents led Google to pull out of China. It became an international incident, with President Obama demanding answers. In response the Chinese hackers destroyed their tools and went quiet. Later they hacked Lockheed Martin as well as banks, NGOs, automakers, law firms, and chemical companies. Under President Xi Jinping, China pioneered digital surveillance, including facial recognition, hacking tools, and novel spyware.
In 2011, a whistleblower said the Pentagon had paid Computer Sciences Corporation $613MM to secure its systems. CSC subcontracted the coding to a small Massachusetts company, which farmed it out to a programmer in Moscow. The low bid from Russia got them a Trojan horse. The Chinese hacked the US Office of Personnel Management for employee data, including Social Security numbers, medical records, and fingerprints; the breach was discovered in 2015, after the intruders had been inside for more than a year.
Argentina was fertile ground for zero-day hunters. It was necessary to hack systems for access otherwise denied by government regulations. In DC an Argentinian was able to turn traffic lights red or green from his laptop. A contact could hack into chips by sending malware via radio emissions to the copper in a chip. An appliance company asked him to look into their firmware. It had been compromised by a Tier-1 nation.
In 2012 Iranian hackers attacked Saudi Aramco and wiped thirty thousand computers. The wiper mimicked the one Americans and Israelis had used against Iran's oil industry four months earlier. The US knew that much of its own critical infrastructure was privately owned and vulnerable, but Congress failed to pass legislation that would require its protection. Denial-of-service attacks on US banks soon followed. Next Iran tried to attack the Bowman Dam in Oregon but by mistake got the much smaller Bowman Avenue Dam in Westchester County, NY. Then Iran attacked the Sands Casino. In November 2014, North Koreans attacked Sony; in December, North Korea's connection to the outside world went dark for an entire day.
In 2014, Apple announced the iPhone 6. It encrypted everything: messages, call logs, photos, and contacts. FBI went ballistic. The issue came to a head after the San Bernardino shooting, in which one of the attackers, a county health department employee, left behind a locked iPhone. FBI demanded a back door; Apple refused. FBI dropped the case after buying a way in, later admitting it paid $1.3MM. The seller was not identified; it was likely a zero-day, and the reviewer's guess is Cellebrite, an Israeli firm specializing in iPhones and Androids.
In 2015, Xi and Obama agreed not to engage in state-sponsored theft of intellectual property and to set up a hotline to alert each other to malicious software. They also adopted the UN accord to refrain from targeting critical infrastructure, including power plants, cell phone networks, banks, and pipelines, in peacetime.
Efforts to protect the US grid began in 2012, but John McCain opposed the legislation as too complex. Attacks on the grid, probably from Russia, began the same year. CrowdStrike found Russian-language artifacts and named the source Energetic Bear. In 2014, before the Russian invasion of Crimea, CrowdStrike learned that Russia had Trojans in industrial control software. The Kremlin was signaling that retaliation for the invasion of Ukraine, or turning off the lights in Moscow, could be answered with mass destruction of US infrastructure. Sandworm, another Russian group, went looking for industrial controls used in General Electric equipment and at Peabody; its implants could shut down equipment on demand.
For the 2016 election, Russia's Internet Research Agency began its Translator Project to spread distrust of the candidates and the political system. It launched the Heart of Texas Facebook group ("Hillary is coming to take your guns away"), with 5.5MM likes, followed by United Muslims of America. Using stolen identities, it posted in purple states: Colorado, Virginia, and Florida. Black Lives Matter and Woke Blacks pages followed, discouraging the African American vote Hillary needed. The DNC computers were penetrated by two Russian intelligence groups, Cozy Bear and Fancy Bear; the stolen files, taken by Fancy Bear, went to WikiLeaks and were released to embarrass Hillary. After the election, the Obama administration expelled 35 Russian diplomats and closed two Russian diplomatic properties.
NSA developed EternalBlue, an exploit for a flaw in Microsoft's SMB file-sharing protocol, the Windows service that moves files between machines on a network. Misapplied, it crashed the target, giving the famous blue screen. In 2016, a group calling itself the Shadow Brokers offered stolen cyber weapons for sale on Twitter. The first batch came from NSA and was built to break through firewalls sold by Cisco and Fortinet, widely used in China.
Snowden had given only PowerPoints with brief descriptions of NSA software; the Shadow Brokers released the actual programs. Soon a vault of CIA hacking tools was published as well. CIA could hack into cars, smart TVs, web browsers, Apple and Android phones, and Windows, Mac, and Linux computers. A CIA programmer was prosecuted but, as of the book's writing, not convicted. Some of the NSA material came from an employee whose home computer ran Kaspersky antivirus; Israeli spies had found that Kaspersky's software, installed on computers everywhere, could be used to pull top secret documents.
Criminals began using the leaked Shadow Brokers tools in 2017 for ransomware. The first victims were some 50 British hospitals, but the attack was global and hit Russian railroads and banks; in the US, FedEx and small utilities were struck. The ransomware, WannaCry, used NSA's EternalBlue against Microsoft Windows; Symantec traced it to North Korea. Microsoft had issued a patch for the flaw two months before the outbreak, but patches often take months or years to get installed, and then only on supported software. Many companies and hospitals still ran Windows XP long after support ended, and Microsoft only released an emergency XP fix once the worm was loose.
Soon Ukraine was hit by what looked like a new strain of the Petya ransomware, later dubbed NotPetya. It too spread with EternalBlue, but its encryption could not be reversed even by the attackers: it was a wiper dressed up as ransomware. Russian operators had trojanized the update mechanism of the tax-accounting software used by most businesses in Ukraine, and a routine update delivered the malware. It quickly spread beyond Ukraine: Merck, Reckitt Benckiser, FedEx, Maersk, and Cadbury, as well as hospitals in Virginia and Pennsylvania, were infected. Insurers refused to pay NotPetya claims, citing the "war exclusion" in their policies.
The agreement with China to cease industrial espionage effectively lapsed the day Trump took office. North Korea began hacking cryptocurrency exchanges, pocketing hundreds of millions. In 2019, the author found renewed activity from China, with Boeing, GE Aviation, and T-Mobile among the targets. After Trump withdrew from the Iran nuclear deal, attacks from Iran heated up, aimed at European diplomats, government agencies, telecoms, and critical infrastructure; Iran became the most active nation-state attacker against the US. On January 2, 2020, Trump ordered the strike on General Suleimani, head of Iran's Revolutionary Guards Quds Force. Iran responded by defacing websites and with postings on Facebook, Twitter, and Instagram.
In November 2016, NSA published a statement saying it disclosed 91% of the zero-days it found to vendors; only 9% were retained for national security purposes.
Washington Post coverage of the Khashoggi murder led the Saudis to go after the paper's owner, Jeff Bezos. They tapped his phone using a WhatsApp zero-day, and his extramarital affair was published in the National Enquirer.
Trump was reluctant to act against Russia to protect the 2018 election, so the responsibility passed to the Pentagon, which sent warnings directly to the screens of Russian IRA operators that their interference had been noticed. The election was relatively unscathed. The Department of Homeland Security took charge of protecting the 2020 election through the Cybersecurity and Infrastructure Security Agency, which the CISA Act of 2018 had elevated to a standalone cybersecurity agency under DHS.
This book makes clear that nothing digital is truly safe; everything is subject to attack by the experts. This Is How They Tell Me the World Ends is an appropriate title. Many nations participate, but we learn little about the work of our allies. The chapters are long, but readers will learn much about the players and their methods. References. Index.