As was highlighted at the Public-Private Partnerships (PPP) for Defence & Security conference last year, there is a large emphasis on boosting South Africa’s defensive capabilities going forward; however, one key area that did not get the necessary attention was cyber.
This is the view of MWR CyberSec, a South African cyber security consultancy. The company said that cyber-attacks to further a nation state’s goals have for a long while been the ideas of movies and fiction. However, in the near past (the last decade) this has rapidly moved from an ephemeral idea into real-world actions and scenarios that could play out in pursuit of a nation’s geopolitical goals.
Around 2010, one of the most prevalent examples of cyber warfare and the weaponisation of cyber technologies was in full effect, namely the Stuxnet worm. Stuxnet was a powerful computer worm, designed by US and Israeli intelligence, that was used to derail a key part of the Iranian nuclear programme by destroying the centrifuges that Iran was using to enrich their uranium. When Stuxnet infected a computer, it would check if it was connected to specific types of Programmable Logic Controllers (PLCs) manufactured by Siemens. PLCs are a fundamental element of many industrial control systems, in this case uranium centrifuges. If no PLCs were detected, the worm did nothing. However, if PLCs were detected, Stuxnet then manipulated the PLCs, which would result in the centrifuges being spun irregularly, and thus damaging or destroying them. After deploying Stuxnet, it was successful and ultimately set the Iranian nuclear programme back approximately two years.
The only reason Stuxnet was discovered was because it accidentally spread beyond the Iranian nuclear facility. One of the more notable bits related to Stuxnet is that PLCs are commonly air gapped (i.e. disconnected from external networks, especially the internet) as a hard defensive mechanism. Stuxnet was coded to spread via USB and it would spread to the computers controlling the PLCs via this mechanism. The fundamental take-away from this attack is that even highly secured areas are hard to detect and defend successfully 100% of the time.
In a similar manner, a relatively innocuous piece of tech could be used in ways unexpected. A simple question jumps to mind, is it possible to hack a Jeep Cherokee wirelessly from a number of kilometres away? The answer is yes. It was done by two researchers in 2015 who put a journalist behind the wheel and demonstrated their control over the vehicle from a distance. The journalist recounted the experience vividly: “I was driving 70 mph on the edge of downtown St Louis when the exploit began to take hold”. The researchers were able to fully take control of the vehicle using only a laptop and an internet connection, leading to them toying with the likes of the air-conditioning, radio, and windshield wipers. But it goes beyond this: the researchers were able to cut all power to the drivetrain, rendering the car useless on the highway and with no means to move. They were still able to take this a step further by cutting the Jeep’s brakes, leaving the journalist frantically pumping the pedal as the SUV slid uncontrollably into a ditch.
Furthermore, the control of the vehicle enables surveillance too, providing the capability of tracking a targeted Jeep’s GPS coordinates, measuring its speed, as well as dropping pins on a map to trace its route. This is an interesting attack avenue as it explores hacking cars, which just about everyone uses in some shape or form on a daily basis.
A huge step-up in the cyber warfare area has been playing out as part of the Russia-Ukraine conflict. The best example of this is the suspected Russian attack on the Viasat KA-SAT network that shut down communications that Kyiv, Ukraine, heavily relied upon. The Russian operation resulted in an immediate and significant loss of communication in the earliest days of the war for the Ukrainian military, which relied on Viasat’s services for command and control of the country’s armed forces.
This attack was initially launched 1 hour before Russians invaded Ukraine in February 2022. The attack was executed with a new strain of wiper malware called “AcidRain” that was designed to remotely erase vulnerable modems and routers. In the cross-fire of this targeted attack, remote control of 5 800 wind turbines belonging to Enercon in Central Europe was also affected. This scenario demonstrated a real example of how cyber-attacks can be targeted and timed to amplify military forces on the ground by disrupting and even destroying the technology used by enemy forces.
The Danish defence minister stated that, “The cyber threat is constant and evolving. Cyber-attacks can do great damage to our critical infrastructure, with fatal consequences”, further highlighting the importance of cyber defence and incident response capabilities. These capabilities don’t explicitly end at the terrestrial. There are companies who can be incredibly technically advanced in the solutions they provide; however, they are not immune to cyber breaches.
Russia has attempted attacks against the Starlink systems in order to jam the internet service in Ukraine. A Belgian cyber security researcher was able to breach Elon Musk’s Starlink satellite system using a simple Raspberry Pi device in conjunction to other electronic components costing the equivalent of R500. This is a prime example of the fact that hacking does not always follow the “traditional” path of compromising an individual’s computer or an organisations server, but can instead begin with targeting embedded electronic systems in hardware-based attacks.
A notable Advanced Persistent Threat (ATP) group to mention is that of the “Volt Typhoon” group, which has been linked to the Chinese government and active since 2021. The existence of this particular APT group surfaced publicly in May 2023, when Microsoft reported that the group had targeted US critical infrastructure in espionage operations, and lay dormant within their infrastructure for as long as five years. Specifically, this APT group was targeting Operation Technology (OT) systems using zero-day exploits, to pre-position themselves for future attacks of sabotage. This group even demonstrating critical capabilities in compromising Microsoft to see the level of detail that the organisation had on them.
In early 2024 the Cybersecurity and Infrastructure Security Agency (CISA) released an advisory that raised concerns about the potential for these threat actors to use their network access for highly disruptive effects in the event of potential geopolitical tensions and/or military conflicts.
MWR has long spoken of the need for organisations to assume that at some point they will be breached, and prepare as such. The reality is an organisation can only prepare for compromise, by having a robust, encompassing and sound cyber security strategy and a capable suite of armaments to deal with this unfortunate scenario. The three pillars of people, process and technology need to be soundly practiced, complementary in all they do and have the ability to rapidly work to contain, eradicate and recover from a cyber security compromise.
In MWR’s experience, often the hardest phase for an attacker to complete is the initial phase to gain access. Once in a target environment it is far too common that organisations have minimal controls and restrictions within their internal network. MWR advises clients to work backward. “Understand what you have that an attacker would want access to, and structure controls, defences and barriers from this point outward towards the external perimeter. Performing this exercise will give you a view you never had of your internal network and how an attacker is likely to target you. This ultimately makes you more robust against their attacks.”
MWR said it can prove to be a very challenging endeavour to have to perform incident response activities whilst potentially incurring financial and reputational damage as a result of such a breach. As an example, IBM’s 2024 Cost of a Data Breach report shows data breaches in South Africa cost R53.10 million per incident, on average. The main driving factors of these costs are business disruption, post-breach customer support as well as remediation. In addition to this non-compliance with regulations also contributes to this number.
Companies developing new technology face near constant attempts to breach their security. Unfortunately, those companies without mature cyber security environments may never realise a breach has occurred, let alone actually respond in an appropriate manner until it is too late. Real-world attackers essentially have “unlimited” time, and if advanced and persistent enough, they will find a way in. “Would you be able to respond and eliminate the threat before substantial amounts of damage can be caused, or would you rather take the proactive approach and diminish the chances of ever having to be in such a position?” MWR asked.
