Chapter 5
Cyberwar is Coming

T. Manikandan1, B. Balamurugan2, C. Senthilkumar1, R. Rajesh Alias Harinarayan3, R. Raja Subramanian3

1 APCSE, CSE Department, Thiagarajar College of Engineering, Madurai, Tamil Nadu, India

2 PCSE, Galgotias University, Uttar Pradesh, India

3 Research Scholar, CSE Department, Thiagarajar College of Engineering, Madurai, Tamil Nadu, India

Email: [email protected]

Abstract

“War” is the most dangerous game played by humans when their resources are threatened, and it has continuously evolved throughout history because of greed. After the huge losses incurred in the world wars, humanity was restored through diplomacy. War is initiated when emotions like fear and greed encroach upon the minds of people in a society. Basically, fear is triggered by the lack of resources necessary for living a peaceful life, and questions begin to arise in people’s minds as to what would happen if these resources were threatened by a faster-growing society with more money and arms, which might be used to enslave their own society. Greed happens after a nation reaches a stable state and wants to become. Armed warfare in today’s world has been reduced by diplomatic efforts, but the fear of reduced resources and greed for money are still visible. Resources are now becoming digital all over the world with the development of technologies like 5G, the Internet of Things, smartphones and smarter cities, but so are cyberattacks, with ransomware such as WannaCry, NotPetya and BadRabbit. With everything connected to the Internet, it has become a battlefield connected to the civilians of all nations, placing them on the battlefield unknowingly. This connectivity is a bigger threat as it can cause massive devastation in rising digital economies and in everyone and everything, even our brains, which, along with the Internet’s ever-encroaching war on people’s emotions, is evidence that a war is coming: a cyber war!

Keywords: Cyberwar, ransomware

5.1 Introduction

Ever since the computer revolution began with cheap and powerful personal computers reaching every household in the world, the risk of the computation tool being misused according to the whims of bad people has also increased. This has led to significant cyberattacks in the period so far, and it continues as new connections extend the cyber battlefield.

The very first generation of threatening viruses was released by Bob Thomas of BBN Technologies in 1971 and was called Creeper [1]. The original program was not self-replicating. It was injected into a system which, once infected, would display the message “I’M CREEPER: CATCH ME IF YOU CAN.” It infected DEC PDP-10 computers, the reputed mainframes of 1968, running the TENEX operating system. Creeper led to the development of its adversary, named Reaper, one of the world’s first anti-virus programs. Early so-called viruses thus began by displaying a sentence on a third party’s personal computer without the attacker’s own presence.

Figure 5.1 shows an infected personal computer displaying the message “I’M CREEPER: CATCH ME IF YOU CAN.” without the attacker’s own presence.

Figure 5.1 Virus alert!

The act of displaying a message turned into displaying a poem with the evolution of Rich Skrenta’s Elk Cloner in 1981. Elk Cloner [1] set Apple II computers as its target. It is actually a boot sector virus, spread via floppy disk as a game. When the game was booted for the 50th time, it closed and displayed the Elk Cloner poem. Elk Cloner actually did no harm to the victim, but it corrupted the disk. Skrenta added a signature byte to the disk’s memory to mark that it was already infected. The computer needed to be rebooted every time to get rid of the cloner.

Furthermore, Skrenta decided to spread the cloner without the use of floppy disks by creating a boot sector virus that would display a message automatically on an Apple II computer. The cloner was spread via a hard drive whose boot sector code it modified. When the computer was booted the next time, Elk Cloner made its presence felt in the system even without any application or game being started explicitly.

After being used to display messages as a prank on other people’s computers, viruses came to play a role in business. In 1986, Basit Farooq Alvi and Amjad Farooq Alvi, two brothers from Pakistan, worked to prevent customers of their computer store from using illegal copies of their medical software. The evolution of the boot sector virus from Skrenta led them to create the Brain boot sector virus [2], Brain being the name of their computer store. It became the first virus threat to MS-DOS. The Brain boot sector virus was injected into the machines which used illegal copies of their software. It placed the 5 KB virus in the boot sector of floppy disks, which slowed down the system. It could not easily be detected, as it did not harm the system. Rather, it displayed a message which warned against using pirated software and provided the brothers’ contact information for getting rid of the infection.

In 1988, an experiment conducted by Robert Tappan Morris of Cornell University to determine the size of the Internet led to the creation of the first worm distributed over the Internet. The worm was released from MIT as an experiment. Once downloaded onto a system, the worm infected the system by slowing it down. The exercise of gauging the size of the Internet turned into a system-affecting infection because of the way the Morris worm [3] spread across systems. The worm was likely to be run on the same system many times, slowing it down every time and finally making it unusable. Hence, self-replicating worms are more harmful even today. The unintended results of the graduate student’s experiment were responsible for about $10 million of damage, as stated by the U.S. Government Accountability Office.

The worm was washed out by Clifford Stoll, whose survey noted that the Morris worm infected about two thousand computers in just fifteen hours. He also stated that the disinfection took about two days. Colleagues of Morris stated that the survey was cooked up. Robert Morris was sentenced to three years’ probation and fined $10,500 plus the cost of his supervision. The Morris worm was actually the impetus for security personnel to concentrate on Internet security.

With the slow relief from Morris’s accidental worm on the Internet, an intentionally injected worm named Michelangelo [4] entered in 1991. The attacker was Roger Riordan, an anti-virus expert from Australia. Although the impact of the Michelangelo virus was expected to be great, in reality only a few thousand computers were found to be infected by it. Yet another boot sector virus, it actually did little harm to the systems.

Michelangelo has been considered one of the threatening viruses of the 1990s mainly because of its media hype. The Michelangelo virus works by overwriting the first 17 sectors of every track of the infected hard disk on March 6th of each year. As seen so far, boot sector viruses seem to be the more threatening kind. A boot sector virus affects the master boot record (MBR), which runs every time the computer starts. The MBR controls the boot sequence and also determines the partition from which the computer boots. Once the virus successfully infects the MBR, the computer boot will fail and the contents of memory will be lost. Boot sector viruses are hard to remove; hence, the better solution is to prevent them by appropriately verifying external drives for viruses before they are connected to the system. Good anti-virus software does the job.
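The MBR check described above can be carried out as an integrity comparison rather than by signature scanning alone: record a hash of the 446 bytes of boot code on a known-clean machine, then verify the boot signature, the partition table and that hash on every later check. The following is an added example written for this chapter, not code from any of the products or sources it cites; the MBR layout (446 bytes of boot code, four 16-byte partition entries, the 55 AA signature) is the standard one, while the disk contents are constructed in memory and the `check_mbr`/`build_sample_mbr` names are this example’s own.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"        # bytes 510-511 of a valid MBR
BOOT_CODE_LEN = 446                 # boot loader code precedes the partition table
# Partition entry: status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
PARTITION_ENTRY = "<B3xB3xII"


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into its boot code, four partition entries and boot signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly %d bytes" % SECTOR_SIZE)
    partitions = []
    for i in range(4):
        offset = BOOT_CODE_LEN + 16 * i
        status, ptype, lba_start, sectors = struct.unpack(PARTITION_ENTRY, sector[offset:offset + 16])
        partitions.append({"bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {"boot_code": sector[:BOOT_CODE_LEN], "partitions": partitions,
            "signature": sector[510:512]}


def boot_code_digest(sector: bytes) -> str:
    """SHA-256 of the boot code region; recorded once on a known-clean machine as the baseline."""
    return hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest()


def check_mbr(sector: bytes, baseline_digest: str) -> list:
    """Return a list of findings; an empty list means the MBR matches the recorded baseline."""
    findings = []
    mbr = parse_mbr(sector)
    if mbr["signature"] != BOOT_SIGNATURE:
        findings.append("boot signature missing or damaged (expected 55 AA)")
    if boot_code_digest(sector) != baseline_digest:
        findings.append("boot code differs from baseline (possible MBR infection)")
    bootable = [p for p in mbr["partitions"] if p["bootable"]]
    if len(bootable) > 1:
        findings.append("more than one partition marked active")
    return findings


def build_sample_mbr(boot_code: bytes, partitions) -> bytes:
    """Constructed test data: assemble a synthetic MBR (not an image of any real disk)."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x90")[:BOOT_CODE_LEN]
    table = b"".join(struct.pack(PARTITION_ENTRY, s, t, lba, n) for s, t, lba, n in partitions)
    return code + table.ljust(64, b"\x00") + BOOT_SIGNATURE


# Constructed sample: a clean MBR with one active partition of type 0x07, then a copy whose
# first boot-code bytes have been overwritten, which is the change a boot sector virus makes.
CLEAN_MBR = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c", [(0x80, 0x07, 2048, 1_000_000)])
BASELINE = boot_code_digest(CLEAN_MBR)
TAMPERED_MBR = b"\xeb\x58\x90" + CLEAN_MBR[3:]

if __name__ == "__main__":
    print("clean:", check_mbr(CLEAN_MBR, BASELINE))        # []
    print("tampered:", check_mbr(TAMPERED_MBR, BASELINE))  # boot code finding
```

On a real machine the 512 bytes would come from reading the start of the raw disk device (which needs administrator rights), and the baseline digest must be stored somewhere the disk itself cannot alter, otherwise an infection can simply rewrite the baseline along with the boot code.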

After a decade of Michelangelo’s hype, in January 2003, a huge computer worm threatening the Internet world by causing a denial-of-service attack was discovered. The attack requires prior knowledge of a vulnerability in an old version of Microsoft SQL Server. IP address spoofing over a particular UDP port can cause a buffer overflow and disrupt the normal service of the SQL server [5]. David Litchfield from Microsoft conducted a proof of concept and fixed the issue behind this SQL Slammer attack. The issue was submitted to the Microsoft Security Response Center and a patch was developed to counter it. At the next Black Hat, Microsoft released the patch and requested every SQL user to apply it for security. The proof of concept, released publicly during Black Hat, was studied by researcher Michael Bacarella. The attacker implemented it and released it over the Internet. About 75,000 servers that were not patched were affected in just 10 minutes. It was thought that the victims did not report the attack because it resulted from their own mistake of not applying the patch.

After the era of using viruses to threaten and demolish computers passed, the era of destroying targeted computer resources using viruses evolved. The product was named Stuxnet [6], which has the capability of attacking the programmable logic controller (PLC) of industrial control systems. The PLC is responsible for making logical decisions by monitoring input and producing appropriate output in an automated machine. Stuxnet was born in 2009 at Kaspersky Lab. Stuxnet attacks systems running Windows, which is not itself a kind of PLC. As the PLC is a proprietary machine-language-based device, the virus initially captures the system that programs the PLC. Then it infects Siemens SIMATIC WinCC, a supervisory control and data acquisition (SCADA) and human-machine interface (HMI) system. As these program the PLC, infecting them destroys the proper programming of the PLC. This results in an improper automation process by the PLC, disrupting the industrial process on a large scale. Stuxnet initially spreads to three systems, each of which has the capability of infecting another three, and so on.

Stuxnet has a record of causing substantial damage to Iran’s nuclear program. The worm can be wiped out by a suitable anti-virus program.

Once Stuxnet reached its supremacy, a so-called extended version of Stuxnet was developed, not with the same notion of destroying industrial control systems, but with the aim of gaining information from those systems and deleting recent information in them [7]. The attack was created by Unit 8200 of the Israeli Intelligence Corps in 2009. The unit captures sensitive information that is encrypted and transferred as signals.

The worm creates files with the prefix ~DQ in the infected system; hence, the malware is named Duqu. Duqu also targeted the Iran nuclear deal, but with the goal of gathering sensitive information instead of demolishing it. Unlike Stuxnet, the worm is very difficult to detect because of its passive nature. This behavior let it prevail in Kaspersky Lab for a long time without being detected. Once the threat was discovered in 2010, the worm’s program code was kept and added to anti-virus software.

More recent attackers started concentrating on espionage rather than sabotage. The result was the development of a modular computer worm named Flame [7] in 2012. The worm, also known as Skywiper, has the ability to wipe away the contents of the infected system. Kaspersky Lab and CrySyS Lab called it the most complex malware they had ever seen. The wiper acquires the system in a similar way to its ancestors, Stuxnet and Duqu, by using rootkit functionality. Flame is capable of spreading over a LAN or via a USB stick. It can capture user activities by recording audio and capturing screenshots, keystrokes and network traffic. Skype conversations also find a place on the list. The collected data and other files can be sent to the control server for analysis by the attackers. The worm targeted sources in Iran, Syria and Israel. Kaspersky entered into a program with its competitors as yet another precaution against the espionage worm.

5.2 Ransomware Attacks

Ransomware continues to be the most threatening form of modern cybercrime [8]. Ransomware takes hold of the data on an entire computer through email attachments, drive-by downloads, malicious PDFs and exploit kits, and then openly blackmails the owners by asking them to pay to restore the computer to its original state. The malware may be a locker, where the entire system is locked and cannot be used, or it may be crypto ransomware, where selected sensitive files are locked and access is denied. The lock or access denial is released only after the demand for a mammoth amount of bitcoins to be transferred to the hackers as a fine is met, trading on the innocence of the owner. Also, ransomware gives no assurance that the key will unlock the files or the system even after the fine is paid. Listed below are the siblings of ransomware, each more threatening and more extortionate than the last.
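Crypto ransomware of the kind just described leaves two measurable traces on disk: files that should be plaintext become uniformly random-looking, and a new extension is often appended to the original name. The following detection heuristic is an added example written for this chapter, not code from any of the sources it cites; the file set is constructed in memory, the plaintext extension list and the 7.5 bits-per-byte threshold are this example’s own choices, and the random bytes merely stand in for ciphertext.

```python
import math
import random
from collections import Counter
from pathlib import PurePath

# Extensions whose legitimate contents are plaintext and therefore low-entropy (example's own list).
PLAINTEXT_EXTENSIONS = {".txt", ".csv", ".log", ".xml", ".json", ".html", ".sql"}
ENTROPY_THRESHOLD = 7.5   # bits per byte; encrypted or random data approaches 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for an empty or single-valued buffer)."""
    if not data:
        return 0.0
    counts = Counter(data)
    total = len(data)
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def classify_file(name: str, data: bytes) -> list:
    """Return the ransomware indicators that apply to one file (empty list = nothing suspicious)."""
    reasons = []
    suffixes = [s.lower() for s in PurePath(name).suffixes]
    last = suffixes[-1] if suffixes else ""
    # Indicator 1: a file that should be plaintext is now uniformly random-looking.
    if last in PLAINTEXT_EXTENSIONS and shannon_entropy(data) > ENTROPY_THRESHOLD:
        reasons.append("high entropy for a plaintext extension")
    # Indicator 2: an unknown extension appended after a known one (report.txt.locked).
    if len(suffixes) >= 2 and last not in PLAINTEXT_EXTENSIONS and suffixes[-2] in PLAINTEXT_EXTENSIONS:
        reasons.append("extra extension appended to a known document extension")
    return reasons


def scan_files(files: dict) -> dict:
    """Map file name -> indicators for every file that triggers at least one indicator."""
    hits = {}
    for name, data in files.items():
        reasons = classify_file(name, data)
        if reasons:
            hits[name] = reasons
    return hits


def _random_bytes(n: int, seed: int = 7) -> bytes:
    """Deterministic random-looking bytes standing in for ciphertext (constructed, not real output)."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


# Constructed sample directory: one untouched text file, one encrypted copy with an appended
# extension, one file encrypted in place, and one archive that is legitimately high-entropy.
SAMPLE_FILES = {
    "quarterly_report.txt": b"Revenue grew 4% quarter on quarter. " * 100,
    "quarterly_report.txt.locked": _random_bytes(4096),
    "accounts.csv": _random_bytes(4096),
    "backup.zip": _random_bytes(4096),
}

if __name__ == "__main__":
    for name, reasons in scan_files(SAMPLE_FILES).items():
        print(name, "->", "; ".join(reasons))
```

The archive in the sample is the important caveat: compressed and already-encrypted formats are high-entropy by design, so the entropy test is only applied to extensions whose normal content is plaintext, and even then it is an indicator to be combined with others (a sudden burst of renames, a ransom note appearing in every folder) rather than a verdict on its own.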

5.2.1 Petya

One of the family members of encrypting ransomware is Petya. The malware was discovered in March 2016. Petya infects the master boot record (MBR) of Windows-based systems. It propagates via email attachments to victims. Once Petya corrupts the MBR, it prompts a restart of the system. Upon restart, the corrupted boot sector encrypts the Master File Table of the computer. Petya then demands a ransom that must be paid in bitcoins to get back the old state of the system (Figure 5.2 shows a screenshot of the ransom note left on an infected system). Several patches came from Microsoft for the victims’ sake, but patching each variant only made the next version of the worm cleverer. The new version of Petya, named NotPetya [8] by Kaspersky, pretended to be a Ukrainian tax software update and infected thousands of systems throughout around 100 countries. Pharmaceutical giant Merck paid a ransom of $300 million to NotPetya for its information.

Figure 5.2 shows a screenshot of the ransom note left on an infected system by the Petya ransomware.

Figure 5.2 Petya ransomware.

5.2.2 WannaCry

Indisputably the most devastating attack in history, which infected several thousand banking, law and government agencies, was perpetrated by the WannaCry ransomware in May 2017 [8, 9]. The attack exploited a vulnerability in Microsoft’s implementation of the Server Message Block (SMB) protocol. The SMB, which is responsible for authenticated interprocess communication and message transfer, was developed by the U.S. National Security Agency. The loopholes in the protocol were released as EternalBlue by some brokers. This led to the implementation of WannaCry (WannaCrypt). Once WannaCry reaches a computer, it searches for the kill switch; if it is not found, the infection proceeds. This option is used to shut down the computer immediately, if it is not possible to do so in the usual way. Then it encrypts the computer in its usual fashion, as was done in Petya.

WannaCry also attempts to exploit the SMB vulnerability to spread to random systems on the Internet. The modern versions, instead of encrypting computers as a whole, encrypt selected files and then demand bitcoins for a decryption key. The demand is $300 in bitcoins within 3 days or $600 in bitcoins within 7 days. A screenshot of the ransom note left on an infected system is shown in Figure 5.3.

Figure 5.3 shows a screenshot of the ransom note left by the WannaCry ransomware on an infected system, which states “Ooops, your files have been encrypted!”

Figure 5.3 WannaCry ransomware.

Marcus Hutchins discovered the hardcoded “kill switch” step of WannaCry, which severely reduced the spread of the worm. Several variants of the worm followed with distributed attacks intended to spread offline. Research was carried out on the encryption process of WannaCry. Windows operating systems were updated to get rid of unauthorized encryption.

5.2.3 Locky

The Locky worm was discovered in March 2016 but became much more insidious in 2017 by spreading via emails with an attachment containing malicious macros in a Word document. It used a social engineering technique, showing the sentence “Enable macro if data encoding is incorrect”. If a user enables the macros, then the malicious macros get installed. This is followed by encryption of files with particular extensions and the demand for bitcoins in exchange for a key. Hollywood Presbyterian Medical Center lost its patient data to Locky [10]. The data were recovered at the cost of a $17,000 ransom.
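The Locky lure works only if the document actually carries a VBA project, so a mail gateway can flag macro-enabled attachments before a user ever sees the “Enable macro” prompt. In the OOXML formats that Word has used since 2007, macros live in a `vbaProject.bin` part and the package declares the `application/vnd.ms-office.vbaProject` content type; both can be read with a plain zip library. The checker below is an added example written for this chapter, not code from any of the sources it cites; the sample documents are constructed in memory (they are minimal containers, not real Word files), and the `inspect_attachment`/`build_sample_docx` names are this example’s own.

```python
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls (OLE2 compound file) header
MACRO_CONTENT_TYPES = ("application/vnd.ms-office.vbaProject", "macroEnabled")


def inspect_attachment(data: bytes) -> dict:
    """Classify an attachment as macro-enabled, macro-free, or not inspectable by this check.
    has_macros is True/False for OOXML files and None when the check cannot decide."""
    if data.startswith(OLE_MAGIC):
        return {"format": "ole", "has_macros": None,
                "reason": "legacy binary Office file; needs an OLE stream parser"}
    if not data.startswith(b"PK"):
        return {"format": "unknown", "has_macros": None, "reason": "not an OOXML document"}
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = z.namelist()
            # OOXML stores VBA in a vbaProject.bin part under word/, xl/ or ppt/.
            macro_parts = [n for n in names if n.rsplit("/", 1)[-1] == "vbaProject.bin"]
            ctypes = ""
            if "[Content_Types].xml" in names:
                ctypes = z.read("[Content_Types].xml").decode("utf-8", "replace")
    except zipfile.BadZipFile:
        return {"format": "unknown", "has_macros": None, "reason": "corrupt zip container"}
    macro_ctype = any(m in ctypes for m in MACRO_CONTENT_TYPES)
    has_macros = bool(macro_parts) or macro_ctype
    return {"format": "ooxml", "has_macros": has_macros,
            "reason": ("macro parts: %s" % macro_parts) if has_macros else "no VBA project found"}


def build_sample_docx(with_macros: bool) -> bytes:
    """Constructed minimal OOXML container (not a real Office file) for exercising the check."""
    main_type = ("application/vnd.ms-word.document.macroEnabled.main+xml" if with_macros
                 else "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml")
    content_types = ('<?xml version="1.0"?>'
                     '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                     '<Override PartName="/word/document.xml" ContentType="%s"/>' % main_type)
    if with_macros:
        content_types += ('<Override PartName="/word/vbaProject.bin" '
                          'ContentType="application/vnd.ms-office.vbaProject"/>')
    content_types += "</Types>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", content_types)
        z.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            z.writestr("word/vbaProject.bin", b"\x00placeholder VBA project, constructed\x00")
    return buf.getvalue()


if __name__ == "__main__":
    print(inspect_attachment(build_sample_docx(False)))   # has_macros False
    print(inspect_attachment(build_sample_docx(True)))    # has_macros True
    print(inspect_attachment(OLE_MAGIC + b"\x00" * 504))  # has_macros None (legacy format)
```

The `None` result matters as much as the `True` one: a legacy `.doc` can carry macros that this zip-based check cannot see, so a gateway policy should treat “cannot inspect” as a reason to sandbox or quarantine rather than as a clean result. Note also that the check is by file content, not by extension, because a `.docm` renamed to `.docx` still opens in Word and still carries its macros.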

Several ransomware attacks came in 2017 with similar encryption and demands. The attacks targeted government agencies and industries holding valuable data. Even though ransomware is responsible for some of the biggest cyberattacks in history, it is not a product of technology as a whole; it evolved as shadow brokers and insiders leaked bugs in software.

As depicted in Figure 5.4, initially worms were intended to threaten others or to show off the attacker’s technical competency. Later, they were formulated by businesses to punish those involved in illegal activities. Then, the worm began to be used for illegal purposes, the aim being to make money by stealing or destroying data. Today, cyberattacks have become a money-making business. Both millionaires and criminals are using the technology for ill-intentioned purposes. The attackers seem to count on the innocence of the victims, as the patches and anti-virus updates that researchers produce to restrain most of the worms do not reach users immediately. This reachability deficiency is exploited by most attackers. In the future, cyberattacks are expected to create life risks for users. Blackmailing someone for money now can lead to threatening their lives later.

Figure 5.4 plots an analysis of attackers’ motives over the years: punishing illegal software, exploiting technology, stealing data, threatening money and business, and finally accelerating life risks.

Figure 5.4 Motives of the attackers over the years.

5.3 Are Nations Ready?

As the nations of the world move towards a digital economy, the army that protects the citizens of a nation on land, in the air and at sea now has to move to the digital medium as a cyber army to protect the netizens as well. The number of warriors on the digital battlefield has been increasing over the years. Cyber warriors are no longer just those employed by the nation’s military, but also include rogue cyber hacktivist groups with an agenda for hacking other nations or their own. Let’s look at the state of preparedness of some nations in the world.

India: Some of the intelligence agencies and government agencies in India concerned with cybersecurity are:

  • Department of Electronics and Information Technology (DeitY), which includes the Indian Computer Emergency Response Team (ICERT)
  • Intelligence Bureau or Central Bureau of Intelligence
  • National Intelligence Agency
  • National Technical Research Organization
  • Defense Research and Development Organization (DRDO)

Apart from these, there are private agencies or NGOs concerned with cybersecurity, like the Indian Cyber Army [11], an autonomous association of ethical hackers which also acts as a resource center for the Indian national police and other intelligence agencies.

Bangladesh: Even though Bangladesh is a smaller country, the ideas put forth in the National Cybersecurity Strategy of Bangladesh document [12] show how effectively the nation is equipping itself to maintain the cybersecurity of the country. The strategy to improve the cybersecurity of the nation includes:

  • Improving the cybercrime laws through globalized laws and authorizing government entities.
  • Improving national infrastructure on cybersecurity through a national security framework, spreading of awareness, preventive measures, tracking and fixing vulnerabilities.
  • Improving organizational structures to respond to attacks through collaboration of stakeholders, a National Cybersecurity Council, incident management at the national level, collaboration with the private sector, and skill training for citizens.

Apart from official government entities, there are hacktivist groups in Bangladesh like the Bangladesh Cyber Army, and news has been reported online about their hacking activities, such as attacks on Indian websites and demands made on Indian officials [13].

United States of America: The United States of America is one of the most powerful nations in the world, with the largest army, supported by the largest military budget in the world. It has also invested in the cybersecurity of the nation. As per the World Economic Forum, the Pentagon has announced an increase in cybersecurity staff, and U.S. Cyber Command has also been involved in launching attacks against the Islamic State [14].

In 2007 the United States launched the Stuxnet worm to avert Iran’s nuclear program, which shows the power of a network security breach. But what if this attack had been more malicious and had been used to launch an attack on another country unilaterally? This case shows the importance of security in the military sector, as weapons are connected to the cyber world and the probability of any country’s weapon system being compromised has increased.

Privacy has also been a big concern in the cyber world. Tensions around the world rose when Edward Snowden, a former contractor for the United States government, exposed the surveillance activities of the US intelligence agency NSA and of global intelligence agencies [15], which created awareness and panic among people all around the world.

Russia: As per the World Economic Forum, it is believed that many military cyberattacks on Georgia and Ukraine originated from Russia. Russia has been involved in many cybersecurity controversies, including the controversy over the 2016 U.S. election results, in which intelligence experts suspect Russian hackers were involved [16].

Many of the attacks that have happened in the cyber world were traced back to Russian IP addresses, which puts Russia in an uncomfortable position in the cybersecurity world [17]. Attacks on Estonia, France, Germany, Kyrgyzstan and Ukraine were suspected to have been carried out from Russia.

Pakistan: Pakistan has also been honing its cyberwarfare capabilities for years and has been suspected of involvement in various operations like Operation Arachnophobia and Operation Hangover [18]. Operation Arachnophobia is the name of the investigation conducted by the FireEye cybersecurity company to study the Bitterbug malware that was targeting Indian computers. Operation Hangover was an attack from India that targeted Pakistan; the response from Pakistan was Operation Arachnophobia, which targeted Indian computers.

China: China is the world’s most populous nation with a population count of 1.4 billion. China has one of the biggest armies in Asia.

There have always been tensions over China’s cyberattacks; even Google has closed its search engine facility in China. Because of the size of its population, the number of Internet users is large, but so is the growth in the number of hackers in the nation. It has been reported by Symantec that a third of the malicious software in the world originates from China. Many of the Chinese hackers are driven by patriotism and call themselves “Honkers”. When Baidu, the biggest search engine in China, was hacked and the Iranian Cyber Army left a message saying that it had done it, the Honker Union retaliated by hacking Iranian websites. There are also other hacktivist groups such as the Red Hacker Alliance.

There have been multiple accusations made against China about hacking other nations like Australia, Canada, India and the United States of America.

Germany: The German Government is developing a major program to protect its computer networks and supply systems. A new institution, the National Cyberdefence Centre (Nationales Cyber-Abwehrzentrum), will be responsible for detecting potential threats, analyzing them and coordinating the measures necessary to disable the threat. In addition, a National Cybersecurity Council will be established [19].

Iran: The attack by Iranian hackers on a Saudi oil company is a notable sign of Iran’s influence in the cyberwarfare domain. There are different Iranian hacker groups, like Rocket Kitten, which are acting aggressively in attacking, which in turn creates tensions on the cyber radar.

Israel: There have been allegations that Israel hacked Russia’s Kaspersky Lab to get intelligence about the nation-state attack research conducted there. In the 2006 war against Hezbollah, Israel alleges that cyberwarfare was part of the conflict, where Israel Defense Forces (IDF) intelligence estimates that several countries in the Middle East used Russian hackers and scientists to operate on their behalf. As a result, Israel attached growing importance to cyber-tactics and became, along with the U.S., France and a couple of other nations, involved in cyberwar planning [20].

In the war between Israel and Syria, an air attack dubbed Operation Orchard was launched by Israel on Syria. U.S. industry and military sources speculated that the Israelis may have used cyberwarfare to allow their planes to pass undetected by radar into Syria.

United Kingdom: It has been reported by sites like Wired that the United Kingdom has tapped the undersea cables of Yahoo and Google to decipher their data traffic [5], and that the United Kingdom government organized a hack of Belgacom to monitor data traffic.

In the UK, the National Cyber Security Centre (NCSC), part of the signals intelligence agency GCHQ, has been taking steps to protect public bodies and companies. It has been advising them on how to deal with the lower-level criminal attacks that, it says, “affect the majority of people, the majority of the time.” Ian Levy, NCSC’s technical director, says that “there is much hyperbole about the capabilities of cyber actors.” “Certainly, some nation states invest huge sums of money and significant highly skilled resources in their cyber programmes and use those for various things that are detrimental to the interests of the UK” [16].

North Korea: North Korea is believed to be the source of various cyberattacks on the United States and South Korea. CNN reported the direct involvement of North Korea’s hacker army in attacking banks worldwide [21]. The hackers who stole 81 million dollars from Bangladesh banks were traced back to North Korean IPs. Experts have speculated that this money could be used for the country’s military budget. Security groups found similarities between the malware in the attack on Bangladesh banks and the attack on Sony, which was also suspected to have been carried out by North Korean hackers.

There are already tensions resulting from the nuclear tests being conducted by North Korea, and with its development in cyberwarfare, it is the one to watch out for in the future.

5.4 Conclusion

History has shown us that there have always been disputes between the various nations of the world. The only difference is that the nature of weapons has changed from stones, swords and guns to computers. In the first section of this chapter, we have seen how various malicious attacks can impact organizations and countries on a large scale. Some attacks are done for fun, some for money, and some for vengeance. These attacks are carried out by a single person on a small scale and also by one country against another. So, in the next section of the chapter we compiled information on how various nations are progressing in the development of cyberwarfare capabilities. It is evident that each nation is keen to build its cyber army, both to protect itself and to compromise other nations’ security systems. It is essential that the international intelligence and peace agencies form treaties in order to avoid catastrophic cyberattacks, because in the future a coordinated massive cyberattack might destroy the world, given that everything is connected.

References

1. Touchette, F. (2016). The evolution of malware. Network Security, 2016(1), 11-14.

2. https://home.mcafee.com/virusinfo/virusprofile.aspx?key=221, Retrieved 2018-03-30.

3. https://www.cisco.com/c/en/us/about/press/internet-protocol-journal/back-issues/table-contents-25/virus-trends.html, Retrieved 2018-03-30.

4. https://home.mcafee.com/virusinfo/virusprofile.aspx?key=1446, Retrieved 2018-03-30.

5. Schultz, E., Mellander, J., & Peterson, D. (2003). The MS-SQL Slammer Worm. Network Security, 2003(3), 10-14.

6. Shakarian, P., Shakarian, J., & Ruef, A. (2013). Attacking Iranian Nuclear Facilities: Stuxnet. Introduction to cyber-warfare: A multidisciplinary approach, 223-239.

7. Shakarian, P., Shakarian, J., & Ruef, A. (2013). Introduction to cyber-warfare: A multidisciplinary approach. Newnes. Chapter 8, Duqu, Flame, Gauss, the Next Generation of Cyber Exploitation, pp. 159-170.

8. Mansfield-Devine, S. (2017). Ransomware: the most popular form of attack. Computer Fraud & Security, 2017(10), 15-20.

9. “Player 3 Has Entered the Game: Say Hello to ’WannaCry’”, blog.talosintelligence.com. Retrieved 2018-03-30.

10. Winton, R. (2016). Hollywood hospital pays $17,000 in bitcoin to hackers; FBI investigating. Los Angeles Times, 18.

11. Indian Cyber Army (https://www.ica.in)

12. National Cybersecurity Strategy of Bangladesh (https://www.unodc.org/cld/lessons-learned/bgd/the_national_cybersecurity.strategy_of_bangladesh.html?&tmpl=cyb)

13. Bangladesh Cyber Army (https://www.hackread.com/indian-government-and-and-30-websites-hacked-by-bangladesh-cyber-army/)

14. Breene, K. (2016, May). Who are the cyberwar superpowers? World Economic Forum. Retrieved October 27, 2017. (https://www.weforum.org/agenda/2016/05/who-are-the-cyberwar-superpowers/)

15. Edward Snowden Leaks (https://en.wikipedia.org/wiki/Edward_Snowden)

16. More countries are learning from Russia’s Cyber Tactics (https://www.ft.com/content/b7dbc0de-1b04-11e8-aaca-4574d7dabfb6)

17. Cyberwarfare by Russia (https://en.wikipedia.org/wiki/Cyberwarfare_by_Russia)

18. Pakistan Cyber war capabilities (https://defence.pk/pdf/threads/has-pakistan-developed-cyber-attack-and-defense-capabilities.482614/)

19. Germany prepares for Cyberwar (http://www.newsecuritylearning.com/index.php/feature/88-germany-prepares-for-a-cyber-war)

20. Cyberwarfare (https://en.wikipedia.org/wiki/Cyberwarfare)

21. North Korea Cyberwarfare CNN report (https://edition.cnn.com/2017/10/11/asia/north-koreatechnological-capabilities/index.html)
