Netwarfare refers to fighting wars over civilian and military computer systems and networks. It differs from traditional warfare in that there may be no formal declaration of war, attacks are not targeted at countries but organizations, and the attackers may not want a traditional victory. Perpetrators of netwarfare include independent hackers, client hackers working for groups, political or paramilitary movements, and governments and armed forces conducting secret netwarfare operations. Common methods of netwarfare include direct system intrusion, social engineering, denial of service attacks, trojan horses, sniffers, and viruses.

1. GGuueerriillllaa WWaarrffaarree
bbyy mmeeaannss ooff NNeettwwaarrffaarree
OOccttoobbeerr 1177tthh,, 22000011
NNaattiioonnaall DDeeffeennccee CCoolllleeggee,, FFiinnllaanndd Mikko H. Hyppönen
Manager, Anti-Virus Research, F-Secure Corporation
Mikko.Hypponen@F-Secure.com
Copyright © 2001 F-Secure Corporation. All Rights Reserved.
All product names referenced herein are trademarks or registered trademarks of their respective companies. F-Secure Corporation disclaims proprietary interest in the marks and names of others. Although F-Secure Corporation makes every effort to ensure that this information is
accurate, F-Secure Corporation will not be liable for any errors or omission of facts contained herein. F-Secure Corporation reserves the right to modify specifications cited in this document without prior notice. Companies, names, and data used in examples herein are fictitious unless
otherwise noted. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of F-Secure Corporation.

2. WWhhaatt iiss nneettwwaarrffaarree??
• Special subset of information warfare
• Leaves out electronic warfare and psychological
operations
• Netwarfare means fighting a war over civilian and
military computer systems and networks
• Abstract scenario
• Physical being and location of the fighters is
almost completely irrelevant

3. DDiiffffeerreenncceess bbeettwweeeenn
nneettwwaarrffaarree aanndd
ttrraaddiittiioonnaall wwaarrffaarree
• There might be no war declared
• Attacks might not be targeted against a country
but against a group, company or organization
• The attackers or defenders might not be soldiers
• The attackers might not want a victory in
traditional sense
• In fact, they might favour that the enemy never
realizes it is in war

4. PPeerrppeettrraattoorrss
• The independent hacker
• The client hacker
• Political or paramilitary movements
• Governments and armed forces

5. The iinnddeeppeennddeenntt hhaacckkeerr
• Individuals or groups
• Illegally enter and manipulate
computer systems
• Motives:
– Causing annoyance
– Thrill
• Sometimes hit sensitive targets
– Power (Case Cal-ISO, June 2001)
– Water
– Military
• Case NATO
• Case Pentagon
• Case BND
• Case Naval Research Laboratory
• Case White Sands Missile Range
• Case NASA

6. KKeevviinn MMiittnniicckk
ddaammaaggeess
11999933--11999944
• Sun, USA; Solaris source code: $80M
• NEC, Japan; Mobile phone sources: $1.75M
• Nokia, Finland; HD760 project: FIM 2.5M
• Nokia, UK; "Mobile software": $135M
• Novell, USA; Netware sources: $75M
• Fujitsu, USA; PCX phone sources: $2.1M
• SSeenntteenncceedd oonn AAuugguusstt 99tthh,, 11999999
• TToottaall ddaammaaggee:: $$229966,,000000,,000000
• MMiittnniicckk oorrddeerreedd ttoo ppaayy:: $$44,,112255
• AAnndd ttoo sseerrvvee 4466 mmoonntthhss iinn pprriissoonn
Source: http://www.hackernews.com/orig/letters.html

7. TThhee cclliieenntt hhaacckkeerr
• Individual hacker or a group
• Working on behalf of a sponsor
• Hackers being hired by guerilla, terrorist or paramilitary
movements
• Motives:
– Money
– Girls
– Thrill of victory
• Might also be used as a smoke screen
• Very few reported cases
– Case Pengo…
– Case Microsoft / QAZ

8. Political oorr ppaarraammiilliittaarryy
mmoovveemmeennttss
• Guerilla armies
• Insurgency groups
• Religious fanatics and cults
• Activists
• Net-based propaganda already commonplace
– Hizbollah in Lebanon
– Zapatistas in Mexico
– Tamil Tigers
• Isolated occurrences of hacking
have been seen
– Aum Shinrikyo doomsday cult
in Japan
– “Hacking schools” in middle
east
• Future looks bad

9. Governments aanndd aarrmmeedd
ffoorrcceess
• “Official" netwarfare
• Typically undisclosed with secret funding
• Capabilities related to technical development and
finance
• Asymmetric attack
• Using hackers for espionage or intelligence purposes
• Spreading directed attacks with viruses and network
worms
• Best way to guard
against:
DON’T
USE
TECHNOLOGY

10. NNeettwwaarrffaarree aanneeccddootteess
• The Gulf War 1991
– “Viruses planted to printers”
– “Remote control of Iraqi air force radar
systems”
– Iraqis using university e-mail systems to
communicate after their own systems were
destroyed

11. NNeettwwaarrffaarree
aanneeccddootteess
• The Kosovo conflict 1999
– US EC-130H “Compass Call” planes
– Air-to-ground communication
– Penetrated Serb air defense computer systems
– Planted false messages and targets in the air defense
system
– Case Detailed in Aviation Week & Space Technology
magazine, October 2000
• Serb attacks
– DDoS attacks against NATO sites from Belgrad
– Attacks against western systems
• Serbs & possibly Chinese?
– Viruses written by Serb kids

12. MMeetthhooddss ooff NNeettwwaarrffaarree
• Direct intrusion
• Social Engineering
• Denial of Service Attack (DoS)
• Trojan Horses
• Sniffers
• Viruses

13. DDiirreecctt iinnttrruussiioonn
• Gaining direct access on the target systems
• Getting root
• Wide range of methods
– Open remote access points
– Known security holes
– Network spoofing
– Fragment attacks
– Dial-up lines
– Weak passwords
– Social engineering

14. YYIIHHAATT

15. RRyyDDeenn

16. SSoocciiaall EEnnggiinneeeerriinngg
• Using the weakest link in security -
humans
• Psychology tricks
• Hacking by phone
• "Here's the Sales Director from the
Frankfurt department. What the heck is
wrong in your systems! I can't access our
order database and clients are waiting in
the meeting room! Now you go and give
me a new password."
• Learning what the contact isn’t
willing to tell you

17. Distributed DDeenniiaall ooff
SSeerrvviiccee
• Overloading a service by misusing its resources
• February 2000: Yahoo, Amazon, eBay, CNN…
• Attacks done by a teenager “Mafiaboy”
• Very effective way to take someone down
• Not much we can do about it
• Combine this with a virus? Whoa.

18. CCooddee RReedd
• First web worm
• First DDoS worm
• Jumps from www site to another
• Three phases
– Spreading
– Attack
– Sleeping
• Infected 340,000 machines in July
• Infected 170,000 machines in August
• Demo

19. TTrroojjaann HHoorrsseess
• The malicious masquerading as the friendly
• FUNNYGAME.EXE which formats your hard drive
• Backdoor trojans
• Trojan functionality planted in commercial software
• NSA operations with commercial vendors
– Semi-confirmed:
• Crypto AG, Switzerland
– Unconfirmed / rumoured / approached?
• Microsoft, USA
• Lotus / IBM, USA
• Grattner AG, Switzerland
• Gretag AG, Switzerland
• Siemens, Germany
• Philips, France
• Transvertex Ab, Sweden
• Ericsson Ab, Sweden
• Nokia Oy, Finland
Source: Covert Action Quarterly

20. VViirruusseess && wwoorrmmss
• Virus = program which has been programmed to
spread further by infecting other programs
• Worm = a standalone virus. Does not infect
existing programs, just sends itself further
automatically
• Very effective in network assisted attacks
• The viruses we’ve seen so far have been simple
• This might change

21. NNuummbbeerr ooff vviirruusseess
11998866--22000011
• Binary PC viruses: more than 55,000
– DOS ~45000
– Windows 9x/Me: 500
– Windows NT/2000: 300
• Macro viruses: more than 8,000
– Word: 7000
– Excel: 1400
– Powerpoint: 100
– Script viruses 650
• Other: less than 100
– Macintosh: 50
– Linux: 25
– EPOC: 6 trojans
– Palm OS: 1 virus, 1 trojan
0 1 6 90 180 360 1100
2450
3550
5500
7850
18500
45000
55000
33500
10350
1986 1987 1988 1989 1990 1991 1992 1993 1994 1995 1996 1997 1998 1999 2000 2001
June 2001

22. GGlloobbaall VViirruuss ccoossttss
YEAR VIRUS COSTS US$
1999 ExplorerZip 1 020 000 000
1999 Melissa 1 100 000 000
2000 Loveletter 875 000 000
2001 Sircam 1 050 000 000
2001 Code Red 2 620 000 000
2001 Nimda 590 000 000
SSoouurrccee:: CCoommppuutteerr EEccoonnoommiiccss,, IInncc,, SSeepptteemmbbeerr 22000011

23. VViirruuss ffuunnccttiioonnaalliittyy
• On an infected system, the virus
can do anything the user can do
– Read
– Write
– Delete
• Spying is easy: email documents out / record speech via
microphone / receive further instructions from web
pages / etc
• Modern net-assisted worms can also be crafted to
spread very, very fast
• In theory you could infect the whole internet in 15
minutes
• And the Future is wireless

24. SSiirrccaamm
• Most widespread data stealing virus
• Locates e-mail addresses
• Locates recently used documents
• …and sends them away

25. NNiimmddaa
• Four different viruses in one
• Infected 2.2 million machines
in a day
• Network traffic jams
• Shares your drives
• Who made it?

26. Reaction ttiimmeess ooff oouurr
aannttii--vviirruuss rreesseeaarrcchh llaabb
• Typical reaction time around 2.5 hours
• Reaction times history:
– Melissa 1999: 3h 15min
– Loveletter 2000: 1h 40min
– Anna Kornikova 2001: 2h 5min
– Sircam 2001: 1h 50min
– Nimda 2001: 1h 57min

27. GGuueerriillllaa ttaaccttiiccss
• Netwarfare potentially provides crucial assistance
to ’traditional’ guerilla operations
• Taking down enemys communication systems
• Inserting false data
• Corrupting existing data
• Shutting down civilian systems to create confusion
• Net-assisted spying
• Using guerillas to physically access closed
systems and network
• Guerilla-installed remote access tools

28. Implementing nneettwwaarrffaarree
aattttaacckkss
• Indeed
• It’s relatively easy to think about possible
scenarios and how to protect against them
• Starting netwarfare attacks is another thing
entirely
• And out of scope
for this
presentation...

29. FF--SSeeccuurree AAuutthhoorriizzeedd
RReeffeerreennccee CCuussttoommeerrss
• Government
French Army, IRS, NASA Headquarters, Naval Air Warfare Center, U.S. Army
Medical, U.S. Department of Defense
• Leading universities
Harvard University, University of California Berkeley
• Research
Lawrence Livermore National Lab, Los Alamos National Lab,
Oak Ridge National Lab, San Diego Supercomputer Center
• Banking
Charles Schwab, Credit Agricole, Daiwa Bank, DresdnerBank, E*TRADE, Fuji
Bank, Merita-Nordbanken, Sumitomo Bank
• Information Technology
Andersen Consulting, EDS, First Data Corp, IBM, Unisys
• Communications
Cisco, Ericsson, Motorola, Nokia
• Internet
Amazon.com, Digital Island , eBay, Yahoo
• Telecommunications
AT&T Wireless, British Telecom, Cegetel, Concert, Deutsche Telekom, GTE,
NTT, Sonera, Telecom Italia, Telia, US West
• Other
BMW, Boeing, DaimlerChrysler, Volkswagen