Since the terrorist attacks of 9/11, a handful of information security professionals have warned of the dangers of relying on software developed overseas by foreign companies. In particular, companies such as the Cyber Defense Agency (CDA) warn that hostile actors could create backdoors in the software that runs gas, electricity, telecoms, banking, and water companies. Security professionals fear these same hostile actors could exploit these backdoors and wreak havoc by crashing, or remotely executing hostile code on, the critical infrastructure of the United States. Additionally, the Government Accountability Office (GAO) warned in a May 2004 report (Document) that the Department of Defense was potentially vulnerable to software developed by foreign companies.
The insertion of malicious code into software does have historical precedent. During the Cold War with the Soviet Union, the United States uncovered an underground technology procurement operation run by the KGB’s Technology Directorate. The KGB was buying technology through third parties or stealing it directly from western companies. The illegally procured technology was used to help the Soviets compete with the US and NATO during the Cold War. Rather than expose this illicit procurement network, US intelligence opted to exploit it. The US inserted hostile code into software destined to automate the operation of the trans-Siberian gas pipeline. According to Thomas C. Reed, a former Secretary of the Air Force, “the pipeline software that was to run the pumps, turbines and valves was programmed to go haywire, to reset pump speeds and valve settings to produce pressures far beyond those acceptable to the pipeline joints and welds. The result was the most monumental non-nuclear explosion and fire ever seen from space.”
It is precisely this type of scenario that worries information security professionals. However, information security professionals need not worry about the possibility of a terrorist group training and inserting a cadre of IT professionals into an overseas software development company. Frankly, this type of scenario is likely too cumbersome for a terrorist group or a hostile nation-state. Rather, a hostile actor is better served, and may see results more quickly, by simply creating exploits for the never-ending stream of vulnerabilities that exist in today’s commercial software market. Unfortunately, much of the commercial software produced today is already unintentionally riddled with vulnerabilities and is being exploited by hostile actors. The ongoing “Titan Rain” attacks (WAR Report 9/07/2005 and WAR Report 11/30/2005) offer a good case study.
“Titan Rain” is the US government’s official designation for a series of seemingly coordinated cyber attacks on US defense-related computer networks. According to SANS Institute director Alan Paller, “From the Redstone Arsenal, home to the Army Aviation and Missile Command, the attackers grabbed specs for the aviation mission-planning system for Army helicopters, as well as Falconview 3.2, the flight-planning software used by the Army and Air Force.” Additional targets are thought to include computer networks at Lockheed Martin, Sandia National Laboratories, and NASA. Many of the attacks were traced to Guangdong province of China. Security professionals believe that the attacks might be a coordinated espionage campaign by the Chinese government. “Of course, it’s the government. Governments will pay anything for control of other governments’ computers. All governments will pay anything. It’s so much better than tapping a phone,” said Paller.
It is also instructive to note that a recent series of targeted attacks exploiting a previously undisclosed Microsoft Word vulnerability appears to emanate from China or Taiwan. Johannes Ullrich, Chief Technology Officer of the SANS Internet Storm Center, said that servers connected to the attack have been traced back to China and Taiwan, and that Chinese characters have been found in a malicious Word document used to exploit the Microsoft Word vulnerability.
While targeting the software that runs critical infrastructure holds the potential for a crippling and destructive attack, inserting a Trojan into standard commercial software is equally dangerous, as it allows a malicious actor to gather important intelligence on an adversary. This intelligence can be used for a multitude of nefarious purposes. It is, therefore, curious that extra attention is paid to the threat of a terrorist group or hostile nation-state inserting malicious code into software when there are already vulnerabilities in popular commercial software. The information security community would be better served by first fixing the multitude of vulnerabilities in commonly used commercial software before spending valuable resources on the remote possibility of hostile actors inserting malicious code into software responsible for administering components of the nation’s critical infrastructure.