May 16, 2017

Ransomware Possible Threat to SSBNs' Microsoft "Windows for Submarines"

At work at the NSA, where cyber-defensive software, and also malware, is assessed and developed.
---

Combining the current international ransomware scare and nuclear missile submarines (SSBNs) is the following:

GLOBAL RESEARCH ARTICLE

Graham Vanbergen, for Canada-based Global Research, May 14, 2017, reports in part:

“British Nuclear Submarines, Microsoft and That Ransomware Attack”

[The BBC has reported that the recent ransomware attack hit 100 countries. Cyber-security firm Avast said it had seen 75,000 cases of the ransomware worm – known as ‘WannaCry’ and variants of that name – around the world. The ransomware worm parasitically spreads by itself between computers with alarming speed and effectiveness. So fast, that this cyber-attack had the potential to hit critical infrastructure that supports human life and disable it.] “Microsoft was [and is] the only fully vulnerable operating system...”

“Who are culprits? The BBC blame hackers known as ‘The Shadow Brokers’, who made it freely available in April, saying it was a “protest” about US President Donald Trump... The NSA in America lost all of these hacking tools, specifically the one that caused this attack and subsequent mayhem across the world. The hackers exploited a piece of NSA code known as “Eternal Blue.”... This extraordinary collection, which amounts to more than several hundred million lines of code, gives its possessor the entire hacking capacity of the CIA. The archive appears to have been circulated among former U.S. government hackers and contractors in an unauthorized manner, one of whom has provided WikiLeaks with portions of the archive.”

A 2008 article by The Register reported:
“[Britain’s Vanguard class SSBNs use Microsoft’s Windows for Submarines] The programme is called Submarine Command System Next Generation (SMCS NG), and uses varying numbers of standard multifunction consoles with two LCD screens, hooked up on an internal Ethernet network installed on each sub. Initial reports as the programme developed suggested that the OS in question would be Windows 2000, but those who have worked on it have since informed the Reg that in fact it is mostly based on XP.”

Windows were so chuffed at “Windows for Submarines” they even advertised the fact to the entire world (HERE)

“Windows for Submarines is the programme undertaken by the Royal Navy and BAE Systems to equip the nuclear-propelled and nuclear-armed warship fleet with a Windows-based command system.  The transition to the Windows for Submarines command system on HMS Vigilant, a Trident nuclear missile submarine, was completed in just 18 days.”

PETE’S COMMENT
The possible ransomware threat to the SSBNs' Microsoft software depends on many factors, including:

- how similar the software is to software already affected by the ransomware
- how difficult it is for an infiltrator to access any thumbdrive ports or other points of access to the SSBNs' computer hardware and software.
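The first factor above is, in practice, whether a host still carries the exposure WannaCry's worm component used: SMBv1 reachable on TCP 445 without the MS17-010 fix. The following is an added PowerShell audit of that exposure (example code, not from the post or the SMCS NG programme); it assumes a Windows 8 / Server 2012 or later host and an elevated session, with a registry fallback for the SMB1 check on older builds.

```powershell
# Added example, not from the post: audit one Windows host for the exposure the
# WannaCry worm exploited, i.e. SMBv1 reachable on TCP 445 with MS17-010 missing.
# Assumes Windows 8 / Server 2012 or later (SmbShare and NetTCPIP cmdlets) and an
# elevated session; on older builds the registry fallback below is used for SMB1.

# March 2017 security-only and monthly-rollup KBs that delivered MS17-010, plus the
# out-of-band XP/2003 fix. Later cumulative updates supersede these, so an empty
# result means "check update history", not "unpatched".
$ms17010Kbs = @('KB4012598', 'KB4012212', 'KB4012215', 'KB4012213',
                'KB4012216', 'KB4012214', 'KB4012217', 'KB4013429')

function Get-Smb1Exposure {
    try {
        $smb1 = (Get-SmbServerConfiguration -ErrorAction Stop).EnableSMB1Protocol
    } catch {
        # LanmanServer\Parameters\SMB1: 0 = disabled, absent = enabled (default).
        $p = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
             -ErrorAction SilentlyContinue
        $smb1 = -not ($p.SMB1 -eq 0)
    }

    $found = Get-HotFix |
             Where-Object { $ms17010Kbs -contains $_.HotFixID } |
             Select-Object -ExpandProperty HotFixID

    $listening = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        SMB1Enabled          = [bool]$smb1
        Port445Listening     = [bool]$listening
        MS17010KbsInstalled  = ($found -join ', ')
        # Worm-reachable only if all three hold; the spread needs 445 open as well.
        ExposedToEternalBlue = ([bool]$smb1 -and [bool]$listening -and -not $found)
    }
}

# Report, and remediate when exposed: turning SMB1 off closes the worm's entry
# point even before the patch lands (any SMB1-only clients lose access).
$report = Get-Smb1Exposure
$report | Format-List
if ($report.ExposedToEternalBlue) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
}
```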

The ransomware used in this current crisis may have been adapted by well-organised hacker networks from the almost decade-old Stuxnet worm:
Stuxnet functions by targeting machines using the Microsoft Windows operating system and networks...
Stuxnet became most famous in 2010 for causing thousands of centrifuges (used for boosting levels of bomb-grade Uranium-235) to spin erratically and destructively at Natanz and other Iranian sites.
The three country organisations that may have Stuxnet were the US NSA and Israel’s Unit 8200, with Middle Eastern and Iranian targets in mind.
All developed countries have their NSA equivalents, including Russia (FSB-IT but mainly GRU-IT) and China (including PLA Unit 61398 within the broader PLA Third Department).
Pete

4 comments:

MHalblaub said...

Dear Pete,
I first thought I read a late 1st of April article. "Windows for submarines" Oh, no. That raises the question: How deep can Microsoft sink?

The problem for British submarines could be availability of USB ports. Nice feature to transfer data but not quite secure. The reason should be obvious. There are not only USB sticks for data but also keyboards and mice for the same port. So a stick could tell the computer: I'm a keyboard and a mouse. And what can you do with keyboard and mouse after log in? As an admin, everything. The Stuxnet malware was also delivered via USB stick.

Windows on submarines? So the need for a nuclear reactor is evident...

Regards,
MHalblaub
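The mitigation for the "stick that says it is a keyboard" problem raised above is a device-installation allow-list rather than a USB port cover. The following added PowerShell example (not from the post or the SMCS NG programme) applies such a list on a fixed console and disables the USB mass-storage driver; it assumes a Windows 8.1 or later console (not the XP-based system the Register piece describes), and the hardware IDs are placeholders to be replaced with the real ones read from Get-PnpDevice.

```powershell
# Added example, not from the post or the SMCS NG programme: a Windows device-
# installation allow-list for a fixed console, so a stick that introduces itself
# as a keyboard is refused, plus disabling the USB mass-storage driver.
# Hardware IDs are placeholders; read the real ones with Get-PnpDevice on the
# console being locked down. Run elevated; the policy applies to new installs only.

$approvedHwIds = @(
    'USB\VID_0000&PID_0001',   # placeholder: issued keyboard, USB parent device
    'HID\VID_0000&PID_0001',   # placeholder: issued keyboard, HID function
    'USB\VID_0000&PID_0002',   # placeholder: issued mouse, USB parent device
    'HID\VID_0000&PID_0002'    # placeholder: issued mouse, HID function
)

function Set-DeviceInstallAllowList {
    param([string[]]$HardwareIds)
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
    New-Item -Path "$base\AllowDeviceIDs" -Force | Out-Null

    # Policy "Allow installation of devices that match any of these device IDs"
    Set-ItemProperty -Path $base -Name 'AllowDeviceIDs' -Value 1 -Type DWord
    $i = 1
    foreach ($id in $HardwareIds) {
        Set-ItemProperty -Path "$base\AllowDeviceIDs" -Name "$i" -Value $id -Type String
        $i++
    }
    # Policy "Prevent installation of devices not described by other policy settings":
    # anything off the list, whatever class it claims, is refused at install time.
    Set-ItemProperty -Path $base -Name 'DenyUnspecified' -Value 1 -Type DWord
    # Already-installed hubs and host controllers keep working; a new hub would
    # need its own hardware ID on the list.
}

function Disable-UsbMassStorage {
    # Start = 4 (disabled): USBSTOR will not load for any newly inserted stick.
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' `
                     -Name 'Start' -Value 4 -Type DWord
}

function Get-UnapprovedHidDevices {
    # Devices installed before the policy are not removed by it; list present HID
    # devices whose hardware IDs match nothing on the allow-list for manual review.
    param([string[]]$HardwareIds)
    Get-PnpDevice -Class HIDClass -PresentOnly | Where-Object {
        $ids = @($_.HardwareID)
        -not ($ids | Where-Object { $HardwareIds -contains $_ })
    } | Select-Object FriendlyName, InstanceId, Status
}

Set-DeviceInstallAllowList -HardwareIds $approvedHwIds
Disable-UsbMassStorage
Get-UnapprovedHidDevices -HardwareIds $approvedHwIds
```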

Peter Coates said...

Hi MHalblaub

Microsoft is, of course, an admirable naval outfit that admirals love.

Yes the USB sticks beating the mice would be bloody indeed.

"Windows on Submarines"? in Hawaii or Tahiti. Why not!

All those colourful tropical fish https://www.carnival.com/~/media/Images/PreSales/Excursions/Ports_A-F/CZM/304002/Pictures/atlantis-submarine-cozumel-mexico-1.jpg

Cheers

Pete

Ztev Konrad said...

You need to look at what the particular ransomware does:
"When a computer is infected, the ransomware typically contacts a central server for the information it needs to activate, and then begins encrypting files on the infected computer with that information. Once all the files are encrypted, it posts a message asking for payment to decrypt the files – "
https://www.theguardian.com/technology/2017/may/12/nhs-ransomware-cyber-attack-what-is-wanacrypt0r-20

Having a look at how a closed system like the Windows for Submarines would likely work, we can see some likely differences from your typical home network.
Usually ransomware would come from an email-based infection. So we can rule out using WfS for reading emails.
Secondly, it won't be possible to contact another site on the web.
Thirdly, a standard Windows encryption tool won't be resident on WfS.

Without knowing what software is loaded onto the Windows operating system used in the subs, it's likely to be restricted to the specific applications it runs, without all the rubbish that is used on business/home systems.

Anonymous said...

White-hat-wise, much would depend on:

- inside job (a technically skilled SSBN maintainer/repairman or crewman)

- backed by a large state sponsor (Russia) with a large FSB/GRU-IT to write the million line malware

- USB ports or more exotic points of entry into the SSBN's electronics

- to inject sleeper malware that reacts to certain real-war software programs being run