Insider Q&A: Pentagon AI Chief on Network-Centric Warfare, Generative AI Challenges

The Pentagon’s chief digital and artificial intelligence officer, Craig Martell, is alarmed by the potential for generative artificial intelligence systems like ChatGPT to deceive and sow disinformation. His talk on the technology at the DefCon hacker convention in August was a huge hit. But he’s anything but sour on reliable AI.

Not a soldier but a data scientist, Martell headed machine-learning at companies including LinkedIn, Dropbox and Lyft before taking the job last year.

Marshalling the U.S. military’s data and determining what AI is trustworthy enough to take into battle is a big challenge in an increasingly unstable world where multiple countries are racing to develop lethal autonomous weapons.

The interview has been edited for length and clarity.

Q: What is your main mission?

A: Our job is to scale decision advantage from the boardroom to the battlefield. I don’t see it as our job to tackle a few particular missions but rather to develop the tools, processes, infrastructure and policies that allow the department as a whole to scale.

Q: So the goal is global information dominance? What do you need to succeed?


A: We are finally getting at network-centric warfare — how to get the right data to the right place at the right time. There is a hierarchy of needs: quality data at the bottom, analytics and metrics in the middle, AI at the top. For this to work, most important is high-quality data.

Craig Martell, Chief Digital and AI Officer (CDAO) for the U.S. Department of Defense, discusses AI in the military.

Q: How should we think about AI use in military applications?

A: All AI is, really, is counting the past to predict the future. I don’t actually think the modern wave of AI is any different.

Q: Pentagon planners say the China threat makes AI development urgent. Is China winning the AI arms race?

A: I find that metaphor somewhat flawed. When we had a nuclear arms race it was with a monolithic technology. AI is not that. Nor is it a Pandora’s box. It’s a set of technologies we apply on a case-by-case basis, verifying empirically whether it’s effective or not.

Q: The U.S. military is using AI tech to assist Ukraine. How are you helping?

A: Our team is not involved with Ukraine other than to help build a database for how allies provide assistance. It’s called Skyblue. We’re just helping make sure that stays organized.

Q: There is much discussion about autonomous lethal weaponry – like attack drones. The consensus is humans will ultimately be reduced to a supervisory role — being able to abort missions but mostly not interfering. Sound right?

A: In the military we train with a technology until we develop a justified confidence. We understand the limits of a system, know when it works and when it might not. How does this map to autonomous systems? Take my car. I trust the adaptive cruise control on it. The technology that is supposed to keep it from changing lanes, on the other hand, is terrible. So I don’t have justified confidence in that system and don’t use it. Extrapolate that to the military.

Q: The Air Force’s “loyal wingman” program in development would have drones fly in tandem with fighter jets flown by humans. Is the computer vision good enough to distinguish friend from foe?

A: Computer vision has made amazing strides in the past 10 years. Whether it’s useful in a particular situation is an empirical question. We need to determine the precision we are willing to accept for the use case and build against that criterion – and test. So we can’t generalize. I would really like us to stop talking about the technology as a monolith and talk instead about the capabilities we want.

Q: You are currently studying generative AI and large-language models. When might it be used in the Department of Defense?

A: The commercial large-language models are definitely not constrained to tell the truth, so I am skeptical. That said, through Task Force Lima (launched in August) we are studying more than 160 use cases. We want to decide what is low risk and safe. I’m not setting official policy here, but let’s hypothesize. Low-risk could be something like generating first drafts in writing or computer code. In such cases, humans are going to edit, or in the case of software, compile. It could also potentially work for information retrieval — where facts can be validated to ensure they are correct.


Q: A big challenge with AI is hiring and retaining the talent needed to test and evaluate systems and label data. AI data scientists earn a lot more than what the Pentagon has traditionally paid. How big a problem is this?

A: That’s a huge can of worms. We have just created a digital talent management office and are thinking hard about how to fill a whole new set of job roles. For example, do we really need to be hiring people who are looking to stay at the Department of Defense for 20-30 years? Probably not. But what if we can get them for three or four? What if we paid for their college and they pay us back with three or four years and then go off with that experience and get hired by Silicon Valley? We’re thinking creatively like this. Could we, for example, be part of a diversity pipeline? Recruit at HBCUs (historically Black colleges and universities)?


Dr Martell’s keynote at a NATO summit

Related: Pentagon Adopts New Ethical Principles for Using AI in War

https://www.securityweek.com/insider-qa-pentagon-ai-chief-on-network-centric-warfare-generative-ai-challenges/




What is Cyberwar?

Ask any three people to define cyberwar and you will get three different answers. But as global geopolitics worsen and aggressive cyberattacks increase, this becomes more than an academic question.

The common view is that cyberwar is war in the cyber domain. This is only partially true. It is more productive to consider war and cyberwar as two separate entities, albeit with overlapping edges.

The Merck insurance ruling illustrates this. For most people outside of government and military, the NotPetya attack against Ukraine was an obvious act of cyberwar. It was aggressive, it caused damage, and it was perpetrated by a Russian agency (the GRU) as part of an undeclared war against Ukraine. If it was an act of war within Ukraine, surely it was an act of war beyond Ukraine?

The answer is no. NotPetya was never, technically, an act of cyberwar. Misunderstanding this and the definition of cyberwar cost the insurance industry $1.4 billion. Trying to shine a light on a common person’s actionable understanding of cyberwar and cybersecurity is the purpose of this article. 

War is usually defined as kinetic military action between two nations, following the declaration of a state of war. This is not a universal view. The purpose of war is for one party to exert supremacy over another – and this can be achieved by means other than armed conflict. It can be achieved just as effectively by economic means, by psyops including disinformation, or any other non-military means of effecting regime change.

Kevin Tierney, VP of global cybersecurity at General Motors

Kevin Tierney, VP of global cybersecurity at General Motors and a member of the CISA cybersecurity Advisory committee (CSAC), holds this wider view. “If two countries are fighting over something, it’s not always by kinetic means. Sometimes it involves economic disruption,” he told SecurityWeek.

“If you disrupt large parts of the operational system of the target country, disrupt the financial systems, have a country lose trust in its information, lose governmental data, halt transportation or damage energy or water supplies, you can win a war without killing each other.”

[See The Vulnerable Maritime Supply Chain – a Threat to the Global Economy for the potential effect of disrupting the maritime supply chain.]


The Cold War was an undeclared war, primarily non-kinetic (with localized flare-ups around the world), between the USSR and the West. The West prevailed in this war by economic means rather than force of arms – the USSR ceased to exist.

But however you define war, there is a fundamental difference between the physical and cyber domains. Physical war is largely constrained within the national boundaries of the combatant nations. Cyberwar is not constrained by national boundaries and has a greater potential for spilling out to become global in effect, very rapidly. 

Largely for this reason, cyberwar is usually and arbitrarily described as something separate to the wider concept of war. Cyberwar is neither viewed nor defined in the same terms as non-cyber-war.

Most nations consider the correct response to a foreign nation-state’s cyberattack against their critical industries could include kinetic action. Cyber activity thus has the potential to spread accidentally and expand into a global military conflict. To limit this potential, the definition of what constitutes cyberwar must be, and is, set very high. 

Most definitions ultimately derive from the Tallinn Manual – developed by international experts at the NATO Cooperative Cyber Defense Centre of Excellence based in Tallinn, Estonia. From this work, cyberwar is limited to cyber activity that causes, or can be expected to cause, death or destruction.

Anything less than this is generally considered to be cyberespionage rather than cyberwar – and cyberespionage is specifically excluded by Tallinn. This ultimately leads to a common binary view of cyberwar based solely on the delivery of death or damage – especially if that occurs to the critical infrastructure.

Tom Kellermann, senior VP of cyber strategy at Contrast Security, takes this view. “Cyberwarfare is when a nation state launches a destructive cyberattack against a critical infrastructure,” he told SecurityWeek. Almost everything else he would describe as cyberespionage.

John Hultquist, VP of intelligence analysis at Mandiant, agrees. “Economic suppression isn’t war,” he said. He disagrees with calling the Cold War an actual war, describing the term as a metaphor. “The moment it is war is when violence or the threat of violence is being applied. I think that’s a crucial element. You only really cross that line when people start dying.” The implication is that anything that falls short of death (or at least the expectation and intent to cause death or destruction) can only – at the worst – be classified as cyberespionage and not part of cyberwar.

The argument for excluding cyberespionage as a part of cyberwar is simple. It is spying conducted in the cyber domain. Spying is and always has been a part of everyday life, from individuals to corporations to governments. If spying is an act of war, the world has been at war with itself since the dawn of time. The only difference in the modern world is that cyber-spying is easier, more scalable, and more deniable than ever before.

The danger here is the difference between genuine cyberespionage and actual cyberwar could be a simple instruction from a C2 server at any time, or a mistake from the attackers, or a bug in their software. This brings two other terms into the classification: expectation and intent, both of which are fundamentally subjective interpretations that are easily deniable by an aggressor.

Vladimir Putin once famously denied government involvement in hacking, saying it may have been patriotic Russian citizens “contributing, as they believe, to the justified fight against those speaking ill of Russia.” In short, it wasn’t the Russian state, it didn’t cause death or destruction, and it cannot be considered an act of cyberwar.

Deniability is important. In a western democracy, legality is defined by the courts. Knowing something is not enough – it must be provable to the higher standards of a civilian court. Intelligence agencies may know something to be true, but be unable to make public the source of their knowledge.

Helder Figueira, founder at Incrypteon, studied and briefly practiced law before becoming an Electronic Warfare Signals Officer commanding a cryptanalysis unit with the South African Army. “Cyberwarfare is military action in the digital domain,” he said. “But a cyberattack by a sovereign state is hard to prove or identify. To complicate identification further, such activities are usually outsourced to independent contractors – which leads to the incidence of these activities increasing, since there are no actual diplomatic repercussions.” 


He adds a further complication for the future. “Now imagine AI attackers waging ‘cyberwar’ against a target.” There are no legal remedies against a sub-contracted AI attacker.

Dr. Stephanie Carter, principal of FedRAMP advisory services at Coalfire, comments, “The last official release of what this means was published by the Senate Armed Services Committee stating that ‘The determination of what constitutes an act of war in or out of cyberspace, would be made on a case-by-case and fact-specific basis by the President.’” 

Right now, she continued, “We are at the mercy of the Presidents to declare what is a part of cyberwar and what is not. That decision will be greatly influenced by political power and national defense… the goal should be defining cyberwar so that there are only clear-cut lines, not ‘clear as mud’ interpretations.”

A commonsense view of NotPetya is that it was an act of cyberwar undertaken by Russia against Ukraine in 2017. There was an undeclared state of war between the two nations since the annexation of Crimea in 2014. The attack was perpetrated by a Russian state agency (the GRU), and it caused damage.

It would be equal commonsense to view any collateral damage (such as that to the US pharmaceutical giant, Merck) to be a part of that act of cyberwar. However, on May 1, 2023, the US courts declared that the NotPetya attack could not be classified as an act of cyberwar. Among other arguments, the ruling stated, “While the attack caused property damage, there was no evidence the NotPetya malware caused bodily injury or death… the NotPetya attack is not sufficiently linked to a military action or objective as it was a non-military cyberattack against an accounting software provider.”

Juan Andres Guerrero-Saade, principal threat researcher at SentinelOne and an adjunct professor of strategic studies at Johns Hopkins SAIS, explains some of the complexities in describing a cyberattack as an act of cyberwar. Firstly, can it be proven in a court of law (beyond simply being known to the intelligence agencies) that it was delivered by (in this case) the GRU? “Who exactly did it; where they were sitting; what uniform were they wearing. Who ordered what, and to what extent was it a premeditated action rather than the result of fat fingering something that turned it from a simple cyberattack into a potential act of war?”


This is where expectation and intent become important. The NotPetya weaponry could hardly be called a traditional weapon of war – it was fundamentally ransomware. The aggressor could simply claim that it was criminal ransomware that went wrong – certainly not an act of war. “In the context of intentional damage to critical infrastructure, I really like to point to malware such as Industroyer, as a really clear case,” continued Guerrero-Saade. “Industroyer has specialized tooling that is baked into the code and is specifically designed to interact with infrastructure so that it can damage it.”

If it is difficult for a third party (the US) to prove NotPetya was an act of war within Ukraine, it becomes impossible to prove that collateral damage outside of Ukraine (such as that caused to Merck and very many other global companies) was caused by an act of cyberwar against the US or other nations. “I’m not sure how you could prove intent to cause collateral damage without having access to the notes or recording of the meeting at which the decision to use NotPetya was made,” comments Robin Long, founder of Kiowa Security.

The basic problem is that much of the artifacts of any cyberattack are primarily dual purpose tools used as much for ‘friendly’ purposes as for nefarious purposes. “Many of the things that would be considered reconnaissance phases in cyber [and therefore a fat finger away from causing damage] are things that are currently being done to our systems every day by ad tracking networks, by Google – run of the mill things,” added Guerrero-Saade.

But herein lies an example of the fundamental problems with what amounts to an interpretive definition of cyberwar. A cyberwar wiper could be delivered by ransomware with broken decryption and be invisible as an act of war. Any damage could be claimed as accidental to the proffered purpose of collecting money, while the perpetration could be blamed on criminals.

This is not just a theoretical possibility. “The actors,” said Hultquist, “have known that for a long time. They were doing it before NotPetya. They were experimenting with that for a year. They’ve done it many, many times since the invasion in Ukraine. It’s a wonderful tool if you want to hide yourself behind an operation that looks criminal. I’ll go one step further,” he continued. “I’m certain that has already happened, and the real motivation has simply been ascribed to financial motivation.”

The Colonial Pipeline incident demonstrates these blurred lines. It caused damage to the critical infrastructure but is not classed as an act of cyberwar. “If you look at Colonial Pipeline,” comments Hultquist, “there was a massive disruption to American critical infrastructure. But the intent wasn’t to disrupt the infrastructure, the intent was to just make money. So, although it followed the same sort of blueprint you might expect from a state actor in a time of war, it was just designed to make money.”

Now apply this reasoning to Russian meddling in the 2016 US elections. To many, it may appear to be an attempt at engineering regime change – from a global liberalism to a local America First platform (and from there to a weakened NATO and a more successful war against Ukraine). While attempted regime change might seem an obvious act of war, how can you prove this when you cannot prove the perpetrator in a court of law, no physical damage was done, and nobody died?

The official definition is clear: it must result in physical damage and/or loss of life. Cyberespionage is excluded. Intent, which is largely a value judgment by the defender, is part of the argument. It is perpetrated by one nation state against another nation state. Knowing that an action is an act of cyberwar is not enough – it must be provable in a western democracy’s court of law.

The difficulties in this semi-formal definition are not all bad because it allows flexibility in government response. A government is not required to ask a civilian court of law, ‘is this an act of war to which we can respond?’ Politically, the government can simply say, this is too much – we respond. 

The international danger is that the UK made it clear as long ago as 2018 that it considers an actual cyberwar attack can legally trigger an immediate and unannounced kinetic response; and that since this is an interpretation of international law, any of its allies can take a similar stance. For this ultimate reason, the definition of cyberwar is purposely set high.

The Merck ruling makes it clear that the political/military definition of cyberwar is not a common person’s understanding of cyberwar. The correct response to what appears to be cyberwar needs to be based on the visible effect of a nation-state or nation affiliated attack, and not a government’s definition of cyberwar.

A cyber act that is a clear-cut act of cyberwar could easily demand or spiral into military kinetic retribution. For the reasons we have discussed, that final decision is ultimately left to the President – and that being so, the final question we need to ask is whether this distinction between cyberwar and cyberespionage has any practical relevance to the corporate cyber defender. After all, that defender must be resilient to all attacks by whomever and for whatever purpose.

Just as there are multiple opinions on the constitution of cyberwar and its relation to general war, there are multiple answers to this question.

“There’s a risk equation,” says Malcolm Harkins, chief security and trust officer at Epiphany Systems. “Risk is a function of threat, vulnerability, and consequence. I have no ability to control either the threat actor or the threat agent – it’s an uncontrollable variable. As a CISO, the only thing I have in my ability to manage security for my organization is my ability to manage how exploitable I am. That’s the only thing I can control. Everything else is just what it is. Running security is managing exploitability. If I over-focus on the nature of the perpetrator, I’m wasting time, because I have no ability to affect the actor.”

Hultquist has a different view. “It absolutely matters. You can’t do risk assessments if you don’t care who the attacker is. If you were in Ukraine two years ago and were responsible for securing the IT infrastructure, and you decided it didn’t matter whether or not there was a war looming, you would have failed. If you don’t consider who the adversary is, you can’t begin to secure your systems.”

He continued, “We sometimes forget to ask, who are the bad guys and what capabilities do they have – when will they attack and when will they not attack? Am I even at risk of these people? Imagine it’s the eve of World War Two, and you are responsible for making all the purchasing decisions for the military. You want to know what capabilities the enemy has developed, but somebody says to you: ‘You don’t need to know that; you can just make decisions based on what you think is best.’”

A third, potentially more political view comes from Guerrero-Saade. “This should be a very real nuanced concern for people both as citizens of law-abiding nations and as people trying to figure out what the right measures are for defense.” If the President is ultimately responsible for the right measures beyond CISOs defending their networks, we need to understand the arguments underlying those decisions taken in our name.

Related: The Lessons From Cyberwar, Cyber-in-War and Ukraine

Related: Security Pros Believe Cybersecurity Now Aligned With Cyberwar

Related: Leaked Documents Detail Russia’s Cyberwarfare Tools, Including for OT Attacks

Related: 11 Countries Take Part in Military Cyberwarfare Exercise

https://www.securityweek.com/what-is-cyberwar/




Secret US Documents on Ukraine War Plan Spill Onto Internet: Report

Secret documents that provide details of US and NATO plans to help prepare Ukraine for a spring offensive against Russia have spilled onto social media platforms, the New York Times reported on Thursday.

The Pentagon said it is assessing the reported security breach. “We are aware of the reports of social media posts, and the Department is reviewing the matter,” Deputy Press Secretary Sabrina Singh said.

The documents were spread on Twitter and Telegram, and reportedly contain charts and details about weapons deliveries, battalion strengths and other sensitive information, the Times said.

Information in the documents is at least five weeks old, with the most recent dated March 1, the report said.

One of the documents summarized the training schedules of 12 Ukraine combat brigades, and said nine of them were being trained by US and NATO forces, and needed 250 tanks and more than 350 mechanized vehicles, the newspaper said.

The documents — at least one of which carried a “top secret” label — were circulated on pro-Russian government channels, it said. Information in the documents also details expenditure rates for munitions under Ukraine military control, including for the HIMARS rocket systems, the US-made artillery rocket systems that have proven highly effective against Russian forces, it added.

The report quoted military analysts who warned that some documents appear to have been altered in a disinformation campaign by Russia, in one document inflating Ukrainian troop deaths and minimizing Russian battlefield losses.

Industry Commentary Received by SecurityWeek: “Russia has tried to undermine confidence in the Ukrainian military with disinformation delivered through a variety of schemes. They regularly leak realistic, but fake disinformation, like documents. On several occasions they have planted fabricated disinformation in real leaked data. In all cases, the goal is to launder their disinformation through careless intermediaries. We are very fortunate that this leak has received such a skeptical reception.” – John Hultquist, Head of Mandiant Intelligence Analysis – Google Cloud

https://www.securityweek.com/secret-us-documents-on-ukraine-war-plan-spill-onto-internet-report/




Leaked Documents Detail Russia’s Cyberwarfare Tools, Including for OT Attacks

Documents leaked from Russian IT contractor NTC Vulkan show the company’s possible involvement in the development of offensive hacking tools, including for the advanced persistent threat (APT) actor known as Sandworm, Mandiant reports.

Based in Moscow, NTC Vulkan advertises its collaboration with Russian organizations and government agencies, without mentioning any involvement in the operations of state-sponsored groups or intelligence services.

Documents dated between 2016 and 2020, however, show that the company has been contracted by Russian intelligence, including the Main Intelligence Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU) Unit 74455 (also known as Sandworm, Telebots, Iron Viking and Voodoo Bear), for the development of tools, training programs, and an intrusion platform.

The leaked documents, referred to as The Vulkan Files, were obtained by a whistleblower and analyzed by Mandiant in collaboration with several major media outlets in Europe and the United States. 

While it is unclear whether the required capabilities have been indeed implemented, the documents, which Mandiant believes to be legitimate, do show NTC Vulkan’s involvement in projects to enable Russia’s cyber and information operations (IO), potentially targeting operational technology (OT) systems.

“Mandiant did not identify any evidence indicating how or when the tools could be used. However, based on our analysis of the capabilities, we consider it feasible that the projects represent only some pieces of a variety of capabilities pursued by Russian-sponsored actors to conduct different types of cyber operations,” Mandiant notes.

Three projects are detailed in the analyzed documents, namely Scan (dated 2018-2019, supports large-scale data collection), Amesit (also called Amezit and dated 2016-2018, the tool supports IO and OT-related operations), and Krystal-2B (2018-2020, a framework for simulating coordinated IO/OT attacks via Amesit).

A comprehensive tool for information gathering, Scan can harvest network, configuration, and vulnerability details, along with other types of data, automating reconnaissance in preparation of operations and requiring coordination across operators.

“A framework like the one suggested in the Scan project illustrates how the GRU may be trying to enable fast-paced operations with high coordination among regional units. A once-segmented GRU cyber operation may become streamlined and more efficient using a framework like Scan,” Mandiant notes.

Focused on forming and manipulating public opinion, Amesit can manage the full information operations lifecycle, including the monitoring of media, creation and dissemination of content, and assessing an operation’s effectiveness.

Designed to support offensive and defensive exercises, Krystal-2B is a training platform for attacks targeting OT environments in coordination with IO components and uses Amesit for disruption. The platform simulates attack scenarios targeting transportation and utility systems.

“Amesit and Krystal-2B demonstrate a high value placed on the psychological impact of offensive cyberattacks, specifically OT operations, by highlighting the role of information operations in determining the impact of an ICS incident. The combination of different tactics in cyber operations is familiar to Russian cyber operations,” Mandiant notes.

The documentation associated with the three projects provides requirements on data collection and processing, describes capabilities available for operators, and outlines attack paths and methods to avoid identification, while showing Russian intelligence’s interest in critical infrastructure targets, such as energy, oil and gas, and water utilities and transportation systems.

Related: Cyber Insights 2023 | The Geopolitical Effect

Related: Microsoft Links Prestige Ransomware Attacks to Russian State-Sponsored Hackers

Related: Russian Cyberspies Targeting Ukraine Pose as Telecoms Providers

https://www.securityweek.com/leaked-documents-detail-russias-cyberwarfare-tools-including-for-ot-attacks/




I “Vulkan Files” e la cyberwar di Putin

L’inchiesta “Vulkan Files” svela come la società russa Vulkan, che si occupa di sviluppo software e sicurezza informatica, lavori per i servizi segreti russi realizzando armi informatiche e fornendo servizi all’intelligence russa.

I documenti, che fanno riferimento al periodo che va dal 2016 al 2021, provengono da un informatore anonimo probabilmente interno alla NTC Vulkan che mosso dal disappunto per il cyber-conflitto invia al quotidiano tedesco Süddeutsche Zeitung circa 5.000 pagine dopo l’invasione Russa dell’Ucraina.

“People should know the dangers of this. Because of the events in Ukraine, I decided to make this information public. The company is doing bad things and the Russian government is cowardly and wrong. I am angry about the invasion of Ukraine and the terrible things that are happening there. I hope you can use this information to show what is happening behind closed doors.”

Virgolettato riportato dal The Guardian, che insieme ad altri media internazionali indagano sul consistente fascicolo contenente documenti interni dove si raccontano gli strumenti messi a disposizione del Servizio di sicurezza federale russo (FSB), le sue forze armate (GOU e GRU) e il Servizio di intelligence estero (SVR) da parte della società Vulkan e apparentemente utilizzati in diverse operazioni informatiche di grande rilievo, come le interferenze nelle elezioni presidenziali degli Stati Uniti del 2016 e il cyber spionaggio.

Il 30 marzo 2023 vengono diffusi i primi dettagli dell’indagine, anche se un giudizio definitivo sulla veridicità rimane difficile da sostenere, i file appaiono autentici a molteplici agenzie di intelligence; essi sono composti da progetti ben strutturati, comunicazioni email, dettagli di contratti e relativi budget.

Pur non essendo ancora confermato l’utilizzo degli strumenti realizzati da Vulkan in contesti reali, si indaga su possibili connessioni con gli attacchi informatici perpetrati da gruppi di cyber criminali risalenti alla Russia quali Sandworm, ritenuto responsabile di cyber attacchi su scala globale come il lancio del malware NotPetya, il blackout che per ben due volte ha paralizzato l’Ucraina e l’interruzione delle Olimpiadi in Corea del Sud. Le tecnologie messe a punto dalla Vulcan appaiono in grado di colpire infrastrutture critiche come le linee elettriche, trasporto ferroviario, marittimo e aereo.

Figure 1: Assessment of capabilities documented in NTC Vulkan aligned with broader strategic goals of Russian intelligence services https://www.mandiant.com/resources/blog/cyber-operations-russian-vulkan

The data analysed reveal a preference for highly sensitive targets such as critical infrastructure and industrial systems, with offensive operations directed at OT targets through IT/OT attacks. The documents contain details of three projects in particular: Scan, a tool that scans the Internet for vulnerabilities to be used in future cyberattacks; Amesit, a framework for surveillance and control of the Internet in regions under Russian control, which also enables disinformation through fake social media profiles; and Krystal-2B, a training programme for cyber operators on the methods needed to take down rail, air and maritime infrastructure.

By the editorial staff

https://www.ictsecuritymagazine.com/notizie/i-vulkan-files-e-la-cyberwar-di-putin/




‘Hackers’ Behind Air Raid Alerts Across Russia: Official

Russian authorities said Tuesday that several regional television and radio stations that have recently broadcast air raid alerts had been breached by hackers.

The alerts are common across Ukraine, which is routinely targeted by drone and missile attacks, but the impact of fighting within Russia is limited to regions bordering the conflict.

“As a result of hacking of servers of radio stations and TV channels, in some regions of the country, information about the announcement of an air raid alert was broadcast,” Russia’s emergencies ministry said in a statement.

“This information is false and does not correspond to reality,” it added. Russian media reported that the alerts had been broadcast in the Belgorod and Voronezh regions bordering Ukraine, near Moscow and Saint Petersburg and on the Crimean peninsula annexed by Russia in 2014.

The emergencies ministry said a similar cyber attack last week triggered air raid sirens across Russia.

The hacks targeted only private radio and television stations.

The breaches came shortly after the first anniversary of Russian President Vladimir Putin’s decision to send troops into Ukraine in February last year.

Several Russian regions bordering Ukraine have been targeted in attacks that Moscow has blamed on Ukraine.

https://www.securityweek.com/hackers-behind-air-raid-alerts-across-russia-official/




Cyberwar: what we have learned from the Russo-Ukrainian war one year on

On the first anniversary of Russia’s invasion of Ukraine, and without in any way neglecting the large number of deaths, refugees and displaced persons among the civilian population that the war is causing, which remain the real problem to be solved, this contribution aims to summarise what we have learned during the year of a conflict that has been described as the first cyberwar.

Some premises are necessary. Since the fog of war has not yet lifted, it must be remembered that every analysis is partial, given the large amount of information not yet available. For example, an authoritative report by the Dutch intelligence services appeared in recent days, according to which a good part of the Russian intrusions are not yet public knowledge, either because they have not yet been discovered or because of a deliberate decision not to reveal the vulnerabilities exploited by the attackers. According to the report, these intrusions aim at espionage and use information gathered in intrusion and phishing campaigns conducted by Russia in the year before the invasion. A further premise, almost complementary to the previous one, is that cyber intrusions by their nature become visible only when they succeed; it often happens that the robustness of a system blocks them and so causes them to fail. In that case an external observer may have no evidence of the intrusion. Therefore, in what follows, we will speak only of publicly known intrusions that succeeded or that left some trace visible to an external observer. The impression is that, for some of the reasons discussed below, many intrusions failed, and this too must be taken into account.

Tactics and techniques used by Russia in the cyberwar

From a purely technical point of view, there have been no significant innovations in the tactics and techniques used in the intrusions made public. We have seen the use of traditional tools such as phishing and wipers. For example, the Russian invasion officially began on 24 February 2022, but in reality the cyber intrusions began much earlier, with phishing attacks aimed at discovering information useful for securing access to Ukrainian systems. By initial access we mean the actions that allow an attacker to get into an IT infrastructure and that constitute the first step of an intrusion.

Essentially, throughout 2021 an increase in phishing campaigns conducted by Russian agents was observed, with peaks in March-April and September-October. In 11 days during the second period, FrozenLake sent more than 14,000 phishing emails. FrozenLake is a group that others call FancyBear and that is part of the GRU, the Main Directorate of military intelligence, the intelligence service of the Russian armed forces that reports directly to the Chief of the General Staff. FrozenLake is the group to which the intrusion against the US Democratic Party’s election committee during the 2016 presidential election is attributed.

Ten days before the invasion, Russia launched an intrusion, which failed, against Ukrainian institutions to reduce the effectiveness of the Ukrainian government’s coordination. Russia then moved to the massive use of wiper malware. A wiper is a program that erases the information on the attacked systems in order to prevent their use. The day before the invasion, a wiper was launched against 19 Ukrainian government bodies and infrastructure operators. MSTIC, the Microsoft Threat Intelligence Center, named this wiper Foxblade. The wiper was developed by another operational group of the GRU that Microsoft calls Iridium, which Google identifies as FrozenBarents and others as Sandworm. It is the same group that developed NotPetya, the wiper disguised as ransomware that hit Ukraine in 2017. After Foxblade, further wiper or otherwise destructive malware attacks were detected against 48 Ukrainian organisations and companies. These figures have been confirmed by the CyberPeace Institute, an independent non-profit body based in Geneva.

A more detailed analysis of the Russian strategy shows that cyber intrusions are not isolated but are integrated with physical attacks conducted with conventional weapons to increase their destructive power. According to many analysts this strategy will spread, and so in future wars too cyber intrusions will be combined with physical attacks without replacing them. A fundamental difference that emerged this year is that, with the notable exception of the attack on ViaSat, the Russian armed forces took great care to confine the spread of the malware to Ukrainian territory. There was no repeat of the indiscriminate and devastating spread of NotPetya, which quickly escaped Ukrainian territory and wrecked IT systems around the world. Limiting the spread of a malware requires sophisticated controls that are potentially costly in terms of time.

In general, the number of cases in which a physical attack was coordinated with a cyber intrusion was very limited compared with the number of physical attacks; consequently, one can state that the number of cyber intrusions is far lower than that of physical attacks. This limitation is linked to another property of cyber intrusions that we perhaps already knew, but that a year of Russian invasion has confirmed. Cyber intrusions can be extremely devastating and therefore powerful weapons but, at the same time, they are

  1. operationally slow, that is, long to prepare even though they are then executed quickly;
  2. with impacts that are difficult to:
    • predict accurately,
    • control.

A cyber intrusion takes a long time to prepare because it requires information about the structure of the system to be attacked, the modules that make it up, their vulnerabilities and the attacks those vulnerabilities enable. All this information must be gathered before the intrusion or, if that is not possible, during the intrusion itself. It is possible that the numerous Russian phishing campaigns before the invasion did not gather enough information to carry out a greater number of intrusions, or that the intrusions were not prepared because of a mistaken forecast of the time needed to defeat Ukraine.

Another reason for the reduced number of coordinated intrusions may be the difficulty of predicting their impacts. This difficulty arises because there is necessarily a delay between the gathering of information and its use in an intrusion. In this interval the target system may have changed: for example, a vulnerability essential to an intrusion may have been patched, or the module affected by the vulnerability may have become unreachable because of an updated firewall rule. These operations take extremely little time but are decisive in blocking the intrusion. Of course it may be possible to modify the various steps of the intrusion and still reach the original objectives, but this takes time, and that time may not be available if the attack to be coordinated with is already under way.

Finally, the impacts of an intrusion are difficult to control. Typical examples are NotPetya and Stuxnet. Both spread outside what appears to have been the intended domain, but Stuxnet, far more sophisticated in its controls for restricting itself to that domain, did not have the devastating effects of NotPetya. It is possible to include in a malware rigorous and accurate controls to limit its impact outside a given geographical area, as the Russian army appears to be doing, but this slows development and increases the time needed to gather information.

Many cybersecurity and cyberwar researchers have highlighted the inverse correlation between speed of preparation, certainty of impact and control. When one of the parameters improves, the others worsen. For example, it is possible to prepare and execute an intrusion quickly at the price of potential failures, and therefore uncertain impacts, and of poor control over effects that may be far greater than expected. If, on the other hand, we want tight control over impacts, a large amount of information is needed, and this increases not only the time to gather it but also the time to design and carry out the intrusion.

Moreover, the effects will be uncertain precisely because we limit the possible impacts. For this reason, some speak of a trilemma that arises during a cyberwar when one must decide which of the three parameters to favour in an intrusion. Given the various dilemmas and trilemmas, when it is possible to act with a missile rather than with an intrusion, it is clear that the missile will be preferred.

Total warfare and destructive attacks: Russia’s strategy

During this year of war a change in Russian incursions has been observed. While initially these intrusions were limited to reducing the effectiveness of the Ukrainian military and government, they now appear designed to be destructive and to increase the impact on the civilian population. This explains the destructive attacks on the electricity and gas distribution infrastructure. The priority given to destruction is confirmed by the fact that in many intrusions the attackers preferred to maximise impact even at the cost of revealing the Russian capability to access Ukrainian infrastructure, a capability that was obviously lost after the intrusion. Some analyses point out that Ukraine’s strategy is centred on operations against the Russian army, while Russia is pursuing a policy of total warfare in multiple domains, including cyber, against Ukraine and its population.

Besides intrusions, Russia operates in the information domain by spreading fake news and propaganda. Essentially, these actions aim to demoralise the Ukrainian population and reduce its resilience to intrusion. For example, physical attacks on critical infrastructure for energy and gas distribution were integrated not only with cyber intrusions but also with psychological campaigns that spread propaganda attributing the effects of the attacks, such as the lack of electricity or heating, to the Ukrainian authorities. Other attacks in the information domain spread deepfake videos, fake television broadcasts announcing Zelensky’s flight and inviting Ukrainian troops to surrender.

The spread of false news has also taken place in the West, and intrusions against social networks in Western countries, for example Poland, have been reported, aimed at spreading fake documents in favour of the invasion. These actions in the information domain confirm Russia’s adoption of the doctrine that posits a single information space in which one must operate, comprising both the information used to manage infrastructure and that used to influence and manipulate public opinion. The Dutch intelligence report already cited highlights how the same operational unit and the same people are often responsible for cyber intrusions for espionage, for sabotage of critical infrastructure and for spreading fake news and propaganda.

It is interesting to recall that, according to Google and Mandiant, most of the propaganda is nevertheless directed not abroad but inward, and aims to increase Russian popular support for the invasion and for Putin’s strategy. For example, about 93% of the content was distributed only in Russian.

A particular type of coordination with, or support for, the Russian army has been established with some, though not all, Russian criminal groups, which have intensified their intrusions, generally aimed at installing ransomware against targets in the Western world. The best-known group is Conti, a gang that even Russian sources indicate is in close contact with the Russian government. The links between Conti and the Russian intelligence and security services are so well established that many of the gang’s victims prefer not to pay the ransom for the decryption key for fear of later being accused of violating the sanctions against the Russian state. As verified by Chainalysis, a company that analyses cryptocurrency flows, this has led to a drastic reduction in the gang’s revenue. In light of this evidence, it is not far-fetched to suppose that Russia is repeating, at least in part, what North Korea has been doing for years, using cyber intrusions as a means of acquiring financial resources in violation of international sanctions. It is in any case clear that the feared surge in ransomware attacks predicted at the start of the invasion did not materialise. Strong innovation has nonetheless been observed in the techniques and tactics used by the gangs in their ransomware intrusions, which will have major repercussions even after the war ends.

Ukraine’s defensive techniques: the winning choices

Analysis of the defensive techniques used against the intrusions shows that migrating the various applications and systems to cloud architectures physically located outside Ukraine was one of the winning moves that allowed the Ukrainian government to continue its activities. This is an important lesson for the design and management of public-administration infrastructure, and in particular of defence infrastructure.

This last consideration introduces what we consider the most important lesson of this year: the migration of applications and systems was possible in an extremely short time thanks to the staff of private IT companies, and it succeeded thanks to the use of private IT infrastructure. We are well beyond the public-private partnership so often spoken of in cybersecurity with reference, for example, to critical infrastructure, because we have heavy involvement of private companies in the cyber confrontation and therefore in the ongoing war. Many private companies operate within Ukrainian IT infrastructure, defend it from attacks, analyse the attacks and inform the IT world. Other companies act on their own infrastructure to limit other Russian offensives; for example, Google identified and removed about 2,000 Russian activities involved in spreading fake news and propaganda. As further confirmation of the private sector’s involvement, for the first time the interesting information about the ongoing confrontation comes not from war bulletins but from the reports of national and multinational companies active in cybersecurity.

It is clear that without the involvement of these companies, and above all of the large IT multinationals, Ukraine’s cyber defence would not have been so effective. It is so obvious that many nations are now asking themselves what relationships to establish with the multinationals in order to have people with the skills needed to defend their infrastructure in peacetime and to be able to increase their number during a war. This point is the focus of a report by Aspen Digital, which discusses the problem of CDA, or cyber defence assistance, that a group of nations and industries can provide to a nation before, during and after a war to help it improve its defences. Although the definition of CDA refers to nations and companies, the report highlights that most CDA is, as in Ukraine’s case, borne by companies, since they alone have the flexibility and the resources to provide assistance quickly and in any part of the world. Nor is it a matter of small or medium-sized companies, but of large multinationals. The need to involve IT multinationals raises the problem of how to create permanent relationships between them and states. The Ukrainian model, in which the companies created an association, the Cyber Defense Assistance Collaborative or CDAC, is not usable over the long term, which requires more structured and stable relationships. These relationships will probably lead to updates of the law in peacetime and in war, on jus ad bellum and jus in bello. If a multinational defends the infrastructure of a state during a war, can that state’s enemies attack the company and its employees? What changes if the company’s headquarters are in a third state that is not at war, at least officially? The answers to these and other questions will determine many of the possible scenarios of future cyberwars.

Article by Fabrizio Baiardi, Department of Computer Science, University of Pisa & Haruspex srl

Author profile

Full Professor, Università di Pisa
He is currently full professor of Computer Science at the University of Pisa, where he coordinates the research group on ICT risk assessment and management. His research focuses on formal tools and methods for automating risk analysis and management.

https://www.ictsecuritymagazine.com/articoli/cyberwar-cosa-abbiamo-imparato-dalla-guerra-russo-ucraina-un-anno-dopo/




Ukraine suffered more data-wiping malware than anywhere, ever

Amidst the tragic toll of Russia’s brutal and catastrophic invasion of Ukraine, the effects of the Kremlin’s long-running campaign of destructive cyberattacks against its neighbor have often—rightfully—been treated as an afterthought. But after a year of war, it’s becoming clear that the cyberwar Ukraine has endured for the past year represents, by some measures, the most active digital conflict in history. Nowhere on the planet has ever been targeted with more specimens of data-destroying code in a single year.

Ahead of the one-year anniversary of Russia’s invasion, cybersecurity researchers at Slovakian cybersecurity firm ESET, network security firm Fortinet, and Google-owned incident-response firm Mandiant have all independently found that in 2022, Ukraine saw far more specimens of “wiper” malware than in any previous year of Russia’s long-running cyberwar targeting Ukraine—or, for that matter, any other year, anywhere. That doesn’t necessarily mean Ukraine has been harder hit by Russian cyberattacks than in past years; in 2017 Russia’s military intelligence hackers known as Sandworm released the massively destructive NotPetya worm. But the growing volume of destructive code hints at a new kind of cyberwar that has accompanied Russia’s physical invasion of Ukraine, with a pace and diversity of cyberattacks that’s unprecedented.

“In terms of the sheer number of distinct wiper malware samples,” says ESET senior malware researcher Anton Cherepanov, “this is the most intense use of wipers in all computer history.”

Researchers say they’re seeing Russia’s state-sponsored hackers throw an unprecedented variety of data-destroying malware at Ukraine in a kind of Cambrian Explosion of wipers. They’ve found wiper malware samples there that target not just Windows machines, but Linux devices and even less common operating systems like Solaris and FreeBSD. They’ve seen specimens written in a broad array of different programming languages, and with different techniques to destroy target machines’ code, from corrupting the partition tables used to organize databases to repurposing Microsoft’s SDelete command line tool, to overwriting files wholesale with junk data.

In total, Fortinet counted 16 different “families” of wiper malware in Ukraine over the past 12 months, compared to just one or two in previous years, even at the height of Russia’s cyberwar prior to its full-scale invasion. “We’re not talking about, like, doubling or tripling,” says Derek Manky, the head of Fortinet’s threat intelligence team. “It’s an explosion, another order of magnitude.” That variety, researchers say, may be a sign of the sheer number of malware developers whom Russia has assigned to target Ukraine, or of Russia’s efforts to build new variants that can stay ahead of Ukraine’s detection tools, particularly as Ukraine has hardened its cybersecurity defenses.

Fortinet has also found that the growing volume of wiper malware specimens hitting Ukraine may in fact be creating a more global proliferation problem. As those malware samples have shown up on the malware repository VirusTotal or even the open source code repository Github, Fortinet researchers say its network security tools have detected other hackers reusing those wipers against targets in 25 countries around the world. “Once that payload is developed, anyone can pick it up and use it,” Manky says.

https://arstechnica.com/?p=1919531




China’s and Russia’s spying sprees will take years to unpack

First it was SolarWinds, a reportedly Russian hacking campaign that stretches back almost a year and has felled at least nine US government agencies and countless private companies. Now it’s Hafnium, a Chinese group that’s been attacking a vulnerability in Microsoft Exchange Server to sneak into victims’ email inboxes and beyond. The collective toll of these espionage sprees is still being uncovered. It may never be fully known.

Countries spy on each other, everywhere, all the time. They always have. But the extent and sophistication of Russia’s and China’s latest efforts still manage to shock. And the near-term fallout of both underscores just how tricky it can be to take the full measure of a campaign even after you’ve sniffed it out.

By now you’re probably familiar with the basics of the SolarWinds attack: likely Russian hackers broke into the IT management firm’s networks and altered versions of its Orion network monitoring tool, exposing as many as 18,000 organizations. The actual number of SolarWinds victims is assumed to be much smaller, although security analysts have pegged it in at least the low hundreds so far. And as SolarWinds CEO Sudhakar Ramakrishna has eagerly pointed out to anyone who will listen, his was not the only software supply chain company that the Russians hacked in this campaign, implying a much broader ecosystem of victims than anyone has yet accounted for.

“It’s become clear that there’s much more to learn about this incident, its causes, its scope, its scale, and where we go from here,” said Senate Intelligence Committee chair Mark Warner (D-Va.) at a hearing related to the SolarWinds hack last week. Brandon Wales, acting director of the US Cybersecurity and Infrastructure Agency, estimated in an interview with MIT Technology Review this week that it could take up to 18 months for US government systems alone to recover from the hacking spree, to say nothing of the private sector.

That lack of clarity goes double for the Chinese hacking campaign that Microsoft disclosed Tuesday. First spotted by security firm Volexity, a nation-state group that Microsoft calls Hafnium has been using multiple zero-day exploits—which attack previously unknown vulnerabilities in software—to break into Exchange Servers, which manage email clients including Outlook. There, they could surreptitiously read through the email accounts of high-value targets.

https://arstechnica.com/?p=1747573




Bloomberg alleges Huawei routers and network gear are backdoored

Vodafone, the largest mobile network operator in Europe, found backdoors in Huawei equipment between 2009 and 2011, reports Bloomberg. With these backdoors, Huawei could have gained unauthorized access to Vodafone’s “fixed-line network in Italy.” But Vodafone disagrees, saying that while it did discover some security vulnerabilities in Huawei equipment, these were fixed by Huawei and in any case were not remotely accessible, and hence they could not be used by Huawei.

Bloomberg’s claims are based on Vodafone’s internal security documentation and “people involved in the situation.” Several different “backdoors” are described: unsecured telnet access to home routers, along with “backdoors” in optical service nodes (which connect last-mile distribution networks to optical backbone networks) and “broadband network gateways” (BNG) (which sit between broadband users and the backbone network, providing access control, authentication, and similar services).

In response to Bloomberg, Vodafone said that the router vulnerabilities were found and fixed in 2011 and the BNG flaws were found and fixed in 2012. While it has documentation about some optical service node vulnerabilities, Vodafone continued, it has no information about when they were fixed. Further, the network operator said that it has no evidence of issues outside Italy.

The sources speaking to Bloomberg contest this. They claim that the vulnerabilities persisted after 2012 and that the same flaws could be found in Vodafone-deployed Huawei equipment in the UK, Germany, Spain, and Portugal. In spite of this, Vodafone continued to buy equipment from the Chinese firm because it was so cost competitive.

The sources also claim that the story was not so simple as “Vodafone reports bug, Huawei fixes bug.” Vodafone Italy found that Huawei’s routers had unsecured telnet access, and the company told Huawei to remove it. Huawei told Vodafone that it had done so, but further examination of the routers found that telnet could be re-enabled. Vodafone told Huawei that Vodafone wanted it removed entirely, only to be told by Huawei that the company needed to keep it for testing and configuration.

The Bloomberg report doesn’t offer any detail on the other alleged “backdoors” in the gateways or service nodes.

When is a front door a backdoor?

The accuracy of Bloomberg’s report hinges on the distinction between a vulnerability and a backdoor. A vulnerability is an accidental coding error that permits unauthorized parties to access the router (or other hardware). A backdoor, in contrast, is a deliberately written piece of code that permits unauthorized parties to access the router. While a backdoor could be written such that it’s obvious that it’s a backdoor (for example, one could imagine an authentication system that allowed anyone to log in with the password “backdoor”), any competent backdoor will look either like a legitimate feature or an accidental coding error.

Telnet access, for example, is a common feature of home routers. Typically, the telnet interface gives greater control over the router’s behavior than is available through the Web-based configuration interface that these devices usually have. The telnet interface is also easier to automate, making it easier to preconfigure the devices so that they’re properly set up for a particular ISP’s network. Even Huawei’s initial response to Vodafone’s request, which allowed users to re-enable the telnet service, isn’t out of the ordinary: it’s common for the Web front-ends to allow telnet to be turned off and on. Vodafone’s assertion that the telnet service wasn’t accessible from the Internet is also likely to be true; typically, these telnet services are only accessible from the local network side, not from the Internet IP address.

As such, Vodafone and Huawei’s posture that this isn’t a backdoor at all is entirely defensible, and Huawei has done nothing that’s particularly out of the ordinary. This is not to say that the hardware is not backdoored—routers with unauthenticated remote access or bypassable authentication have been found in the past and are likely to be found in the future, too. But there’s no indication that these particular Huawei issues are an attempt to backdoor the routers, and nothing in the Bloomberg report corroborates this specific claim.

What there is, however, is a concern fueled by the US government that Huawei wishes to compromise or undermine networks and systems belonging to the US and Europe, as well as a concern that the company tries to unlawfully use intellectual property taken from Western countries. Among Chinese firms, Huawei is viewed with particular suspicion due to its ties to the Chinese military.

Huawei’s CFO was arrested in Canada on behalf of the United States, which says that Huawei has violated the US sanctions against Iran, and the company has also been indicted for stealing robotic phone-testing technology from T-Mobile. The US government has pressured domestic companies to not buy or sell Huawei hardware, and more broadly, the US has pushed its allies to avoid Huawei network hardware. Examination of Huawei’s firmware and software by the UK government has revealed a generally shoddy approach to security, but these problems appear to be buggy code that was carelessly written and leaves systems hackable rather than deliberate insertion of backdoors.

This pressure is particularly acute when it comes to deploying 5G networks. Huawei’s 4G hardware is already widely deployed in Europe, and Huawei’s 5G hardware is aggressively priced and seen as critical to the timely deployment of 5G infrastructure in Europe. Vodafone, for its part, continued to buy Huawei gear until January of this year; further purchases have been paused because of the concerns about the company.

https://arstechnica.com/?p=1498049