Documents
Intellipedia – Air Gapped Network Threats
Jan. 24, 2019
This page contains dynamic content -- Highest Possible Classification is TOP SECRET//SI/TK
(U) Air-Gapped Network Threats
TOP SECRET//SI//NOFORN
Contents
1 (U) Background
2 (U) Key Findings
3 (U) Recent News and Reporting
4 (U) Threat from Physical Implants
    4.1 (U) Supply Chain Attacks
    4.2 (U) BIOS Implants
    4.3 (U) Implants in KVM Switches and Peripherals
    4.4 (U) Enabled Wireless and Other Emanations
    4.5 (U) Infected Removable Media
5 (U) Threat from Remote Attacks
    5.1 (U) Cross-Domain Solutions
    5.2 (U) Virtual Private Networks
6 (U) References
(U) Background
(S//NF) An "air gap" is the physical separation of a network from other networks. For example, classified computer networks typically are air-gapped from the Internet or other networks of lower classification. Even if a high-value network is designed to be isolated from the Internet, an adversary could try to circumvent an "air gap" by finding computers inadvertently connected to both the Internet and the isolated network.
(S//NF) In August 2003 and again in March and August 2004, viruses infected computers on classified military networks, apparently through unauthorized connections from the Internet, according to military reporting.[1] The viruses did not target classified systems, but the incidents illustrate the potential for inadvertent connections to bridge what should have been a secure air gap.[2]
(S//NF) Growing interconnectivity between secure and non-secure networks, combined with current adversary intrusion trends, suggests that threats against sensitive DoD networks are growing. There are fewer and fewer actual air-gapped systems. Some older systems still require transferring large sets of data between classification levels, but that technology is going away and being replaced by cross-domain guards. In some cases, for security reasons, the air gap may always be kept, such as for cryptographic key generation. Other compartmented networks may still be totally air-gapped. (Some use "air-gapped" to refer to all connections, while others apply it just to the Internet. A series of guards from the Internet to the network is technically not air-gapped, but those threats should be addressed as well.)
(U) Key Findings
* (TS//SI//REL TO USA, FVEY) The MAKERSMARK W37B implant poses a significant threat to U.S. and allied classified networks if policies and procedures covering removable media are not adhered to.[3]
* (S//NF) To attack an air-gapped system, the adversary must implant devices through direct physical attack, through a trusted insider (possibly unwittingly), or through attacking the supply chain to the network.
* (S//NF) The most successful attack against an air-gapped system would contain elements of an insider attack with implants that can be triggered remotely at a later time. For example, a thumb drive or other implant may be inserted by a trusted insider that enables a previously inactive wireless port that is
connected to a defeated cross domain solution via supply chain interdiction. The greater the complexity of a compound attack, the lower the probability of success, and the lower the threat. Therefore, the likelihood of a successfully completed attack is low.
* (S//NF) There may be weaknesses that are exploitable remotely through a cross domain solution, but the damage possible from a remote attack without a physical implant is much less than from a remote attack combined with a physical attack.
(U) Recent News and Reporting
(Sortable table of Agency / Feed rows for Open Source and State Department; every entry reads "Failed to load RSS feed from" with no feed URL captured.)
(U) Threat from Physical Implants
(S//NF) In 2004, US Air Force personnel portraying computer infiltrators during an exercise used fabricated credentials to enter opposing forces' headquarters and installed a device bridging two physically separated networks to enable later access from the Internet, according to military reporting.[4] In 2005, an unidentified intruder broke into a US Government contractor's office building and stole computers containing employees' personal information, according to a press report.[5] Also in 2005, cleaning staff at Sumitomo Mitsui Bank in London attached hardware bugs to computer keyboards, according to a press report. The bugs captured computer passwords, which criminals then used to access Sumitomo systems in an attempt to steal about $300 million.[6]
(S//NF) In April 2006, U.S. press reported that Afghan nationals working as cleaners and garbage collectors at the U.S. base in Bagram had stolen flash memory "thumb drives" containing classified information and sold them at the local bazaar.[7]
(U) Supply Chain Attacks
(S//NF) A few intelligence services reportedly have stealthily penetrated computer networks by subverting the supply chain: the people and companies who supply hardware and software. The complexity of hardware and software makes detecting a subversion extremely difficult, but an adversary would find it difficult and expensive to acquire the skills and tools to create a subtle subversion. Moreover, an adversary would need to plan carefully to ensure that a subverted product makes its way into a chosen high-value target network.[8]
(S//NF) An adversary could subvert a supply chain by recruiting or inserting a programmer or hardware
engineer, setting up a front company, or replacing legitimate hardware or software with a subverted version during distribution or routine maintenance. Subversions could include "back doors" that permit covert access or control, code that silently steals data, or disruptive "logic bombs."[9] A supply chain attack on a CDS guard could be very effective. The U.S. government has had problems in the past buying fraudulent computer equipment that luckily was not an attack from a foreign intelligence service.
(S//NF) As of October 2005, the German Federal Intelligence Service (BND) had established a few commercial front companies that it would use to gain supply chain access to unidentified computer components, according to information obtained during an official liaison exchange. Beginning in 2002, the French external intelligence service (DGSE) delivered computers and fax equipment to Senegal's security services and by 2004 could access all the information processed by these systems, according to a cooperative source with indirect access. In 2000, the Iraqi regime executed or jailed a number of people connected to technically compromised computers intended for use by the Iraqi Government. According to a source with good access and London-based media reports, Baghdad blamed Israeli intelligence for the operation.[10]
(S//NF) Russia has experience with supply chain operations, but we do not have a firm grasp of the current Russian supply chain threat. Russian software companies have set up offices in the United States, possibly to deflect attention from their Russian origins and to be more acceptable to US Government purchasing agents. We have no indication that these companies have ever served as platforms for Russian computer network operations; however, a well-run front company would not present direct indicators. The next attacks may be attempted while the product is part of the supply chain, or by a trusted insider outside of the supply chain.
See also: Supply Chain Cyber Threats
(U) BIOS Implants
(TS//SI) A Basic Input/Output System (BIOS) chip is used to load and start an operating system. It is stored on a read-only memory chip on a computer motherboard. The main reason for introducing malware into an expansion card (or BIOS) is to maintain a persistent presence across typical system rebuilds. In addition to being immune to hard disk reformatting and OS reinstallation, some BIOS implants can survive a flashing of the BIOS by hiding in the BIOS's free space. A BIOS implant cannot be detected by traditional security mechanisms based on an operating system's software because the BIOS resides outside the operating system. BIOS implants are unaffected by hard drive wipes and can trick forensics tools into thinking the BIOS is operating normally or has been properly reflashed.[11]
(TS//SI) Recent reporting corroborates the tentative view in a 2008 national intelligence estimate that China is capable of intrusions more sophisticated than those currently observed by U.S. network defenders. DIA assesses that China's BIOS computer network exploitation capability reflects a qualitative leap forward in exploitation that is difficult to detect.[12] There still needs to be a path to the Internet to exfiltrate data from an implanted machine. A denial-of-service (DoS) attack is easier to achieve but still requires activation to be used in a timed, coordinated computer network attack.
See also: BIOS Threats
(U) Implants in KVM Switches and Peripherals
(U//FOUO) KVM (keyboard/video/mouse) switches are used to allow access to multiple computers, usually connected to different networks, with a single set of interface hardware. The switch necessarily makes an electrical connection between the interfaces and all the computers, which introduces the risk that someone with access to a lower-level system will be able to obtain data from a higher-level system using this
connectivity.
(U//FOUO) If the switch is programmable, it may be possible for someone with electronic access to an unclassified system to reprogram the switch to copy data being typed on a classified system to the unclassified system. If the switch has memory, it may be possible for data that was entered while switched to a classified system to be transferred to an unclassified system. A device that electrically connects classified and unclassified systems is an ideal place for an implant. This attack requires physical access to the KVM switch, which may be either before or after the switch has been delivered and installed.[13] Some call the KVM switch a CDS and require strict protocols for its acquisition for this reason. A supply chain or insider attack on a single KVM switch could be very damaging if successful, though it is not likely to produce unfettered access to an air-gapped network.
(U) The U.S. attempted to use a supply chain attack to place implants in printers to perform a denial-of-service (DoS) attack on the Iraqi C2 network during Operation DESERT STORM. It is unknown whether the trigger was wireless, timed, or through Internet guards.[14]
(U) Enabled Wireless and Other Emanations
(U) Since the CDS attacks mentioned later are difficult, enabling a rogue wireless access point may be the easiest way to access an air-gapped network. Graphics, sound, and network card firmware could provide further hiding places for malware. Graphics cards have been subverted to support distributed brute-force password breaking, since they are essentially many parallel processors, like a mini-supercomputer. Network cards could be used to create covert channels to exfiltrate data, as in the following example.[15]
(U) In 2005, an Israeli man was convicted of stealing about $90,000 from the Postal Bank in Haifa by breaking into a bank branch and installing a wireless access device, then accessing the bank's internal network from a nearby office using the implanted wireless signal, according to Israeli press reporting.[16] TEMPEST countermeasures should guard against this possibility, and this is why they are still very necessary.
(U) A microphone could be used to capture the sound produced by dot matrix printers, which is then analyzed to discover exactly what was printed on the device. By examining the sound wave's length, height, and intensity, researchers were able to correctly identify the printed text with 65% accuracy.[17] Since this only worked from 2 meters away, an additional channel would be needed to exfiltrate the signal. Security researchers have shown that sound cards can be controlled by malware to emit frequencies beyond the normal hearing range designed to exfiltrate data.[18] Again, TEMPEST shielding helps guard against this threat. It was shown that an iPhone can use its accelerometer to reconstruct up to 80% of keyboard activity when placed next to a keyboard.[19] TEMPEST would not guard against this threat.
(TS//REL TO USA, FVEY) Radio Frequency (RF) Flooding, a form of close-access collection, can recreate and display data from a smartphone or a nearby monitor. An example of RF flooding is when a smartphone is placed next to a classified information processing system. The RF signals from the smartphone can unintentionally couple with the video signal on the classified computer monitor. The smartphone signal, which includes the coupled monitor signal, can then be collected on a listening post such that the original classified monitor signal can be reconstructed, displayed, and exploited by the adversary. For these reasons, the battery of the phone must be removed if the phone is brought in proximity to an air-gapped network.[20]
See also: Technical Surveillance Countermeasures
(U) Infected Removable Media
(U//FOUO) One attack that is known to "jump the gap" between networks can be achieved through the insertion of removable media into a computer on the Internet before and/or after placing it in a higher classification computer. While the media is connected to an unclassified network, malware is downloaded onto the media. After the media is inserted into a higher classification computer, the malware then implants the "high side" with a callback or beacon to the attacker's computer, permitting passive collection of data or active access by a hacker to that domain. (This also may be achieved by disconnecting an entire computer, connecting it to the Internet, and then later reconnecting it to the higher classification network.) This is actually a bypass of the CDS, which is a security violation that occurs regularly. It is not certain whether most of these events are intentional breaches of security or acts of negligence, but they can nevertheless result in infection with malware and data exfiltration. NTOC has no evidence of any targeted attacks that were successful using this method.
(S//REL TO USA, FVEY) According to previous reporting, an OPSEC incident involving the transfer of malware between unclassified and classified networks occurred in July 2008. The malware, called Agent.BTZ by antivirus vendors, existed on an unclassified computer. An authorized user placed a thumb drive into the unclassified computer and then into the SIPRNet, thus infecting the classified network with the virus. See SIPRNet Threat Assessment. The malware is a Trojan with worm capabilities. It can locate any physical or logical drive and then copy itself to that drive. The next time the media is inserted into the unclassified box, a callback occurs and network topology information is attempted to be exfiltrated to the person who initiated the exploitation. The incident caused multiple infections in unclassified and classified DoD networks, but there was no evidence that an actor was able to gain control of a DoD classified host. Subsequent orders were given to prevent the use of removable media to transport data between networks. However, it is apparent that such orders are easily ignored. Agent.BTZ was attributed to the MAKERSMARK (MM) intrusion set, sponsored by Russia's Federal Security Service (FSB) for the collection of military, diplomatic, economic and science and technology data.[21]
(TS//SI//REL TO USA, FVEY) There are many variations to this implant such as the W37B. The MM W37B implant is a lightweight, stand-alone implant used primarily for propagation and survey. This particular implant is also the only known implant to possess the capability to create a communications bridge between infected hosts on the Internet and air-gapped networks if infected removable media is continuously used between the two. This capability poses a significant threat to U.S. and allied classified networks if policies and procedures covering removable media are not adhered to.
(U) Disabling network ports and removable media like universal serial bus (USB) ports and CD and floppy drives cuts off a simple way that insiders could bring unauthorized software into a network or take information out.
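One defensive check the removable-media section above suggests, as an added example that is not from the original page: correlate USB attachment audit logs exported from both sides of the gap and flag any stick whose identity appears on both, reporting the direction of each crossing (low to high is the infection path, high to low the callback path). The log format, hostnames and device identifiers below are constructed for this illustration.

```python
"""Flag removable media that has been attached on both sides of an air gap.

Added example (not from the original page).  It assumes two constructed USB
attachment audit logs, one exported from hosts on the unclassified network and
one from hosts on the classified network, each line in the constructed form:
    <ISO-8601 timestamp> <hostname> USB_ATTACH vid=<hex4> pid=<hex4> serial=<id>
Hostnames, vendor/product ids and serials below are constructed sample values.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime
import re

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+USB_ATTACH\s+vid=(?P<vid>[0-9a-fA-F]{4})\s+"
    r"pid=(?P<pid>[0-9a-fA-F]{4})\s+serial=(?P<serial>\S+)$"
)

# Constructed sample logs.  Device 4C530001 goes low -> high -> low, which is
# the pattern the page describes for Agent.BTZ-style media: malware is staged
# on the low side, carried high, and the callback happens when it returns low.
LOW_LOG = """
2008-07-02T09:14:05 unclass-ws-17 USB_ATTACH vid=1234 pid=abcd serial=4C530001
2008-07-02T09:15:30 unclass-ws-17 USB_ATTACH vid=1234 pid=abce serial=AA11BB22
2008-07-03T17:40:12 unclass-ws-03 USB_ATTACH vid=1234 pid=abcd serial=4C530001
"""
HIGH_LOG = """
2008-07-02T11:02:44 class-ws-08 USB_ATTACH vid=1234 pid=abcd serial=4C530001
2008-07-02T11:30:00 class-ws-08 USB_ATTACH vid=5678 pid=0001 serial=HIGHONLY1
"""


@dataclass(frozen=True)
class Attach:
    ts: datetime
    host: str
    side: str    # "low" = unclassified network, "high" = classified network
    device: str  # "vid:pid:serial" key identifying the physical stick


def parse_log(text: str, side: str) -> list[Attach]:
    """Parse one side's log; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        key = f"{m['vid'].lower()}:{m['pid'].lower()}:{m['serial']}"
        events.append(Attach(datetime.fromisoformat(m["ts"]), m["host"], side, key))
    return events


def find_bridging_media(low: list[Attach], high: list[Attach]) -> dict[str, dict]:
    """Return, per device attached on both sides, its side-to-side transitions.

    low -> high is the infection path (malware carried onto the high side);
    high -> low is the callback / exfiltration path.  Media seen on one side
    only is not a finding.
    """
    by_dev: dict[str, list[Attach]] = {}
    for ev in low + high:
        by_dev.setdefault(ev.device, []).append(ev)

    findings: dict[str, dict] = {}
    for dev, evs in by_dev.items():
        evs.sort(key=lambda e: e.ts)
        if {e.side for e in evs} != {"low", "high"}:
            continue
        transitions = [
            (prev.side, cur.side, cur.ts.isoformat(), cur.host)
            for prev, cur in zip(evs, evs[1:])
            if prev.side != cur.side
        ]
        findings[dev] = {
            "first_seen": evs[0].side,
            "low_to_high": sum(1 for t in transitions if t[:2] == ("low", "high")),
            "high_to_low": sum(1 for t in transitions if t[:2] == ("high", "low")),
            "transitions": transitions,
        }
    return findings


def report(findings: dict[str, dict]) -> list[str]:
    """Render findings as one alert line per bridging device."""
    lines = []
    for dev, f in sorted(findings.items()):
        path = " -> ".join([f["first_seen"]] + [t[1] for t in f["transitions"]])
        lines.append(
            f"ALERT media {dev} crossed the gap {len(f['transitions'])}x ({path}); "
            f"infection-path events={f['low_to_high']}, "
            f"callback-path events={f['high_to_low']}"
        )
    return lines


if __name__ == "__main__":
    found = find_bridging_media(parse_log(LOW_LOG, "low"), parse_log(HIGH_LOG, "high"))
    for line in report(found):
        print(line)
```

Feeding real exports requires only adapting LINE_RE to the endpoint agent's actual record format; the correlation key (vendor id, product id, serial) is what lets a single stick be recognised across two otherwise unconnected enclaves.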
(U) Threat from Remote Attacks
(U) Cross-Domain Solutions
(S//NF) The only way to get to an air-gapped system remotely is through a cross domain solution (CDS). A possible method of attack would be tunneling from a network of one classification to a network of a different classification. If the CDS guard is not properly configured, or if it fails to an unsecure state, then it may allow malicious code through. It is theoretically possible for an insider or supply chain attacker to make a trapdoor in the guard. (This would have a similar effect as when someone accidentally connects a SIPRNet machine to the Internet, which happens often.) If it is a one-way-up guard, an attacker can get code to the high side if
(TS//SI//REL TO USA, FVEY) There are many variants of this implant, such as W37B. The MM W37B implant is a lightweight, stand-alone implant used primarily for propagation and survey. It is also the only known implant with the capability to create a communications bridge between infected hosts on the Internet and air-gapped networks, provided infected removable media is continuously carried between the two. This capability poses a significant threat to U.S. and allied classified networks if policies and procedures covering removable media are not adhered to.
(U) Disabling network ports and removable-media interfaces such as universal serial bus (USB) ports and CD and floppy drives cuts off a simple way for insiders to bring unauthorized software into a network or take information out.
(U) Threat from Remote Attacks
(U) Cross-Domain Solutions
(S//NF) The only way to reach an air-gapped system remotely is through a cross-domain solution (CDS). A possible method of attack would be tunneling from a network of one classification to a network of a different classification. If the CDS guard is not properly configured, or if it fails to an insecure state, it may let malicious code through. It is theoretically possible for an insider or a supply-chain attacker to build a trapdoor into the guard. (This would have a similar effect to someone accidentally connecting a SIPRNet machine to the Internet, which happens often.) If the guard is a one-way "up" guard, an attacker can get code to the high side if they have used reconnaissance to determine an address to send it to. But that path is virus scanned, and in most cases guards admit only certain highly formatted messages. That makes an attack, which would require assembling pieces of malcode on the inside in preparation, very difficult, and hard to carry out without help from an insider. If the CDS guard works as intended, properly configured with all controls in place, it would be very hard to make this attack work. A guard can be poorly installed, for example when a router or firewall is left with a default password, but this is very unlikely on a classified network with many controls in place.
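An added illustration of the two guard behaviours described above, written for this page rather than taken from it or from any fielded guard product: a toy one-way "up" filter that admits only a rigid, allowlisted message format, beside the misconfiguration the paragraph warns about, where an inspection error causes the guard to fail to an insecure state and forward the message unchecked. The wire format, field names, size limit and sample messages are all constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed wire format for this example (not any real guard's format):
#   HDR|<TYPE>|<LENGTH>|<PAYLOAD>
# TYPE must be on the allowlist, LENGTH must equal the payload length exactly,
# and the payload must be printable ASCII only, so binary content cannot ride along.
ALLOWED_TYPES = {"STATUS", "WEATHER"}
MAX_PAYLOAD = 512
_FORMAT = re.compile(r"^HDR\|([A-Z]+)\|(\d{1,4})\|(.*)\Z", re.DOTALL)


@dataclass(frozen=True)
class Verdict:
    accepted: bool   # True means the guard forwards the message to the high side
    reason: str


def _inspect(raw: bytes) -> Verdict:
    """Strict format check. Raises on input it cannot even decode."""
    text = raw.decode("ascii")          # UnicodeDecodeError on any non-ASCII byte
    m = _FORMAT.match(text)
    if m is None:
        return Verdict(False, "not in the required format")
    mtype, declared_len, payload = m.group(1), int(m.group(2)), m.group(3)
    if mtype not in ALLOWED_TYPES:
        return Verdict(False, f"type {mtype} is not on the allowlist")
    if declared_len != len(payload):
        return Verdict(False, "declared length does not match payload")
    if declared_len > MAX_PAYLOAD:
        return Verdict(False, "payload exceeds maximum size")
    if not all(32 <= ord(c) <= 126 for c in payload):
        return Verdict(False, "control characters in payload")
    return Verdict(True, "conforms to format")


def guard_fail_open(raw: bytes) -> Verdict:
    """The misconfiguration the text warns about: an inspection error is swallowed
    and the message is forwarded unchecked (the guard fails to an insecure state)."""
    try:
        return _inspect(raw)
    except Exception as exc:            # broad catch on purpose, to model the flaw
        return Verdict(True, f"inspection error ignored: {exc!r}")


def guard_fail_closed(raw: bytes) -> Verdict:
    """Properly configured guard: anything the filter cannot positively validate is dropped."""
    try:
        return _inspect(raw)
    except Exception as exc:
        return Verdict(False, f"inspection error, message dropped: {exc!r}")


def forwarded(messages, guard):
    """Return the messages a given guard would pass to the high side."""
    return [m for m in messages if guard(m).accepted]


# Constructed sample traffic: one well-formed message, one disallowed type,
# one length mismatch, and one blob whose payload begins with non-ASCII bytes.
SAMPLE = [
    b"HDR|STATUS|2|ok",
    b"HDR|UPLOAD|3|abc",
    b"HDR|STATUS|3|ok",
    b"HDR|STATUS|4|\x90\x00ab",
]

if __name__ == "__main__":
    print("fail-open forwards:  ", forwarded(SAMPLE, guard_fail_open))
    print("fail-closed forwards:", forwarded(SAMPLE, guard_fail_closed))
```

Only the first sample message reaches the high side through the fail-closed guard; the fail-open variant also forwards the undecodable blob, which is exactly the failure mode the paragraph describes.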
(TS//SI//REL TO USA, FVEY) , BYZANTINE CANDOR actors participated in activities that could indicate an interest in CDS systems. The actors exfiltrated a file containing instructions on how to change the password on the low-side C2 Guard queue manager, as well as how to change the root password on each UNIX server for both the test bed and the high side. The file contained weak, clear-text passwords for what are believed to be CDS that transfer Global Decision Support System (GDSS) data from NIPRNet to SIPRNet through C2 Guards. Access to the GDSS queue managers could allow BYZANTINE CANDOR to attack the C2 Guards that act as security filters for the data passed between NIPRNet and SIPRNet. Fortunately, we have no reports of this being successfully carried out.[22] SIPRNet IP addresses, including those of SIPRNet-to-NIPRNet CDS hosts, are available in open-source IP repositories and have been probed.[23] Most would not call SIPRNet an air-gapped network, but it is disturbing nevertheless that sophisticated adversaries could gain access to SIPRNet if they succeeded with these types of attacks.
(S//NF) NTOC does not have reporting of exploitation of networks via the CDS. NTOC does have extensive reporting of procedural violations that bypass the CDS mechanisms, and those violations have endangered classified material and network services.
See also: Cyber Threats to Cross-Domain Solutions
(U) Virtual Private Networks
(U) A Virtual Private Network (VPN) is two or more separate networks logically or virtually joined in a secure manner, generally over an untrusted network such as the Internet. Both government and commercial entities rely heavily on VPN technology for secure communication. Classified networks rest on the unsecured Internet backbone with only the protection of VPN-encrypted communication.
(U) Hackers and criminals have exploited VPNs and unprotected modems to find easily concealed and plausibly deniable access paths. An adversary could compromise a computer used for telecommuting and then hijack the trusted VPN to gain access to the target network.[24] Most VPN attacks occur through phishing: gaining access to a box connected to the Internet and then using that box's VPN access to reach the private network. VPNs not connected to the Internet would not be exploitable in this way.
(C) In 2003, a computer virus specifically targeted bank employees' computers and captured VPN passwords,
apparently to enable later operations against the banks' VPNs. The identities of the author and releaser of the
virus are unknown.[25]
(U) In December 2004, an audit by the Department of Homeland Security's Inspector General found 20
unaccounted-for modems by war dialing and discovered that about 8,000 VPN and dial-in passwords,
including administrator passwords, were easily guessed.[26]
(U) The DOD community relies on VPN for secure communication. That is what makes these attacks worth
the effort it would take to find the few vulnerabilities wherever they may exist.
See also: VPN Threats
(U) References
1. (S) DOD-CERT Situation Awareness Report 2004-SA-0011, Netsky on SIPRNet, March 2, 2004.
2. (S) DOD-CERT Situation Awareness Report 2004-SA-00311, Malicious Activity on SIPRNet, August 11, 2004.
3. (TS//SI//REL TO USA, FVEY) DIRNSA, 3/OO/521496-09, Information Operations/MAKERSMARK: Latest Version of W37B Implant (version 2.10) Deploys; Small Group of Initial Victims Consistent with Previous Targeting from 11 August 2009, 21 August 2009. Extracted information is TS//SI//REL TO USA, FVEY.
4. (S//NF) NSA, RED TEAM "QUICK-LOOK" FOR EXERCISE TERMINAL FURY 05 (TF05), Defensive Information Operations (DIO) and Fleet Information Warfare Center (FIWC) RED TEAMS, December 2004.
5. (U) Griff Witte, "Break-in at SAIC Risks ID Theft", Washington Post, February 12, 2005.
6. (U) Peter Warren and Michael Streeter, "Mission Impossible at the Sumitomo Bank", The Register, 13 April 2005.
7. (U) Watson, Paul, "U.S. Military Secrets for Sale at Afghan Bazaar", Los Angeles Times, April 10, 2006.
8. (U) CIA, Penetrating High-Value Computer Networks: A Look Inside the Enemy's Playbook, July 20, 2006. Extracted information is S//NF.
9. (U) CIA, Penetrating High-Value Computer Networks: A Look Inside the Enemy's Playbook, July 20, 2006. Extracted information is S//NF.
10. (U) CIA, Penetrating High-Value Computer Networks: A Look Inside the Enemy's Playbook, July 20, 2006. Extracted information is S//NF.
11. (S) Louchard, B., et al., (S) DIA, Defense Intelligence Digest: BIOS: China's Covert Cyber Capability, October 14, 2010 (A-Space required. Extracted information is TS//SI.)
12. (S) DIA, Defense Intelligence Digest: BIOS: China's Covert Cyber Capability, October 14, 2010 (A-Space required. Extracted information is TS//SI.)
13. (U//FOUO) C43 Informal Technical Note, C43-023-00, A Look At The Risks of KVM (Keyboard/Video/Mouse) Switches with Multilevel Systems, 6 July 2000.
14. (U) Crawford, George, Information Warfare: New Roles for Information Systems in Military Operations, Air and Space Power Chronicles, quoting from "Computers: Chip Shot," in U.S. News & World Report, Vol. 117, No. 23, December 12, 1994.
15. (S//NF) USCYBERCOM, J2 Bulletin 10-03, Hardware-Based Malware Demonstrates Resistance to Standard Security Practices, June 30, 2010.
16. (U) David Rudge, "Hacker cracks bank's computer code", Jerusalem Post, April 6, 2005.
17. (U) Acoustic Side-Channel Attack on Printers, USENIX Security Symposium, Washington D.C., 2010.
18. (S//NF) USCYBERCOM, J2 Bulletin 10-03, Hardware-Based Malware Demonstrates Resistance to Standard Security Practices, June 30, 2010.
19. (U) Terrazas, M., Georgia Tech Turns iPhone into Spiphone, 17 Oct 11.
20. NTOC, Z-T/OO/NTC/1137-09, 14 Dec 09, NTOC Threat Assessment: Threats to BlackBerry Server/Network Infrastructure, August 2006-July 2009.
21. (TS//SI//REL TO USA, FVEY) NTOC, SUBSTANTIVE REVISION: NTOC THREAT ASSESSMENT: Foreign Threat to the Secret Internet Protocol Router Network, February 2010, 3/OO/NTC/0297-10, March 2010. Extracted information is S//REL TO USA, FVEY.
22. (TS//SI//REL TO USA, FVEY) NTOC, Information Operations/BYZANTINE CANDOR:
BYZANTINE CANDOR Views, Records, and Exfiltrates the Contents of Cleared Defense Contractor Files Associated with USTRANSCOM Mission Critical Mobility Systems, July to November 2009, 3/00/533505-09, December 2009. Extracted information is TS//SI//REL TO USA, FVEY.
23. (S//REL TO USA, FVEY) NTOC, NTOC ADVISORY: Suspicious Activity May Be Targeting SIPRNET Cross-Domain Solutions, S/OO/NTC/0206-09, April 2009. Extracted information is S//REL TO USA, FVEY.
24. (U) CIA, Penetrating High-Value Computer Networks: A Look Inside the Enemy's Playbook, July 20, 2006. Extracted information is S//NF.
25. (U) Symantec, "W32.Bugbear.B@mm", http://securityresponse.symantec.com/avcenter/venc/data/w32.bugbear.b@mm.html, October 27, 2004.
26. (U) DHS Office of the Inspector General, "DHS Needs to Strengthen Controls For Remote Access to Its Systems and Data (Redacted)", OIG-05-03, November 2004.
Categories: Cyber Threat Assessments | Russia Cyber
This page was last modified 19:44, 6 July 2012 by