WAR.COM by Frank Vizard

Originally published in Popular Science, July 1999

The enduring memory of this year’s Yugoslavian conflict willno doubt bethe image of thousands of Albanian Kosovars being forced out of the country by the Serbian military. But what you didn’t see — a clandestine attack on NATO computer systems — could have an equally lasting impact. It marks the first time in history that NATO’s computer systems have been attacked in wartime. And it almost certainly won’t be the last.

Far from being surprised by the cyberattack, however, the U.S. military and its NATO allies were relatively prepared. For the past few years, the U.S. military has been engaged in a quiet but seemingly never ending series of e-mail skirmishes against an unseen enemy. These cyberbattles are helping the military develop the tools it needs to defend itself and are proving to be better than any training exercise.

NATO began its bombing missions over Yugoslavia on March 27. Three days later, the war expanded into cyberspace when hackers began a campaign designed to disrupt NATO’s e-mail communications system. The tactics included what’s called a “ping” attack, in which one computer automatically and repeatedly calls another, and e-mail “bombs,” a large volume of messages that overloads the servers of the targeted network and shuts it down. NATO soon found itself receiving as many as 2,000 of these e-mail bombs per day.

While the actual identities of the NATO attackers are uncertain, it seems likely they were a five-member Serbian group called Crna Ruka (Black Hand) that had hacked the Web site of the Kosovo Information Centre in October 1998. At the time, the group announced to a Belgrade newspaper that NATO would be its next cybertarget.

It’s nearly impossible to locate and shut down such a group, since these cyberattacks can come from any computer linked to the Internet anywhere on the planet, and the attackers can easily disguise their identities and locations. NATO’s computers were temporarily disabled for only a few hours. The quick recovery shows how sharply cyberwarfare skills are being honed. Despite its brevity, the attack is noteworthy not only for its place in the annals of military history, but because it is among the early volleys in what promises to be lengthy war against electronic enemies.

The NATO attack is, in fact, only the latest in a series of incidents that can’t be chalked up to the work of wayward teenagers or the technically curious operating without harmful intent. Within the past year, several branches of the U.S. military have been experiencing what they describe as coordinated hacker attacks. The Navy reported such an event last September, adding that none of its systems were compromised. NASA, government labs like Los Alamos, and military contractors like Boeing have also been targeted. Cyberattacks are not limited to the U.S. military either. In February, hackers unsuccessfully attempted to seize a British military communications satellite and hold it for ransom.

The fact that hackers haven’t been more successful is remarkable given that the Internet has some 30,000 hackeroriented Web sites, and roughly 17 million people have the necessary computer skills to do damage, according to Interpol, the European police agency. But their success rate is hard to know for certain. It could be that some hackers haven’t yet been caught, or their attacks are not being reported by victims.

The Pentagon says it experiences an eye-opening 60 to 80 cyberattacks per day, most of them deemed not serious. most of them deemed not serious. But all these cyberattacks did serve to prepare the military establishment for the real thing when NATO was targeted. The military’s defense had already been worked out during a secret cyberbattle that took place in early 1997. The attack took place at Langley Air Force Base in Virginia and was serious enough to shut down the base’s email system, eliminating a method of communicating that is as intrinsic to the operation of the Air Force as it is to any company. It was this attack more than any other event that dictated how the military was going to respond to future cyberspace conflicts.

The attack on Langley began when Dale Meyerrose, at the time a colonel and now a brigadier general in charge of information systems, opened an e-mail ostensibly from President Clinton. The likelihood of Meyerrose receiving a presidential message circumventing the chain of command was slim. The missive obscenely “questioned my mother’s lineage,” says Meyerrose, and prompted him to order an investigation, disturbed not only by the message’s content but by the fact that someone had surreptitiously used the base’s computer system for his own ends. Potentially, such an e-mail could have serious repercussions, as Langley is headquarters for the Air Combat Command (ACC), which coordinates and carries out all worldwide fighter and bomber missions assigned to the Air Force by the Pentagon.

The first order of business was to examine the log files attached to incoming e-mail messages for clues. The problem was that, in an attempt to conserve disk space, these log files had been set to record only a minimum amount of information. The email system was immediately reconfigured to provide the maximum amount of data on incoming traffic.

Within a day of that change, Airman Chris Soubeih, responsible for maintaining the base’s e-mail system, knew something odd was happening. The amount of traffic being routed through the network’s servers to other sources was much larger than the amount of e-mail being received by the base itself. “We didn’t realize how much mail was going through the system,” says Soubeih. “The system would send and receive mail and never tell me. I was only noticing failures. I wasn’t noticing deliveries.”

Investigators soon found they had a bigger problem on their hands than a single obscene message. ACC computers were being covertly used to distribute massive amounts of hate mail and pornography — about 800 files per day — mostly to America Online users. The danger to the Air Force’s image was obvious: If it were to be perceived as a distributor of hate mail and porn, the damage to its integrity could be severe. Indeed, commanders wondered if this wasn’t the actual purpose of the attack.

In retrospect, the signs of misuse were there but went unrecognized. The computer systems occasionally “locked up” due to the overwhelming traffic, but the system operators interpreted the failure as software glitches and simply rebooted. Since none of the covert traffic was being sent to Air Force personnel, the operators were blissfully unaware that anything but legitimate e-mail traffic was on the network. The problem was how to regain control of the network without shutting down the e-mail system that the entire base was depending upon. The answer came from a unlikely source outside the ranks of the military.

By coincidence, Tim Bass, an independent computer consultant, was on hand, working on an unrelated project. Bass isn’t exactly the military type; he once used the flight line at Langley to go Rollerblading. A 40- something with blond hair and a boyish enthusiasm for computers and just about everything else, Bass goes to the Orient to relax, speaks Thai fluently, and collects statues of Buddha. As a one -man operation, he has a hacker’s mentality. Better yet, Bass is among the best programmers in the country, with a solid history of computing wizardry in both the military and financial communities, both of which survive on the promise of secured transactions. Security is Tim Bass’ special area of expertise.

As the wisest computer guru on campus, so to speak, he was asked to look at the problem, with Airman Soubeih joining him in an apprentice’s role. The solution devised by Bass was relatively simple, but hadn’t been done before. Bass wrote a program that removed the suspect mail from the server and put it in a separate processing queue for examination. If the suspect mail was judged to be bad mail, or “spam,” then it would be “jailed” in another queue. This approach was adopted for two reasons. It kept the spam mail for later use as evidence if the Air Force decided to prosecute. Secondly, it offered no feedback to the senders of the spam. From the hackers’ point of view, e-mail routed through the ACC servers simply disappeared down a black hole. Within 48 hours, hacker bulletin boards were reporting that the ACC was no longer working as an e-mail relay point.

“Hackers generally insert some kind of feedback loop that lets them know that their bomb has been delivered,” says Bass. “When we initiated the black hole strategy, the feedback loop cut out, and that’s when they got pissed off.” The response was immediate. “It was as if the hackers said to us, ‘If you’re going to block our mail, then we’re going to make sure you don’t get any,'” says Soubeih.

ACC was suddenly deluged with e-mail bombs to the tune of approximately 30,000 per day. These messages can be sent automatically and continuously at the touch of a mouse- ACC’s e-mail address already was coded into many of the hacker programs available for free on the Internet. These programs have names like Avalanche, Voodoo, and KaBoom. Dropping a bomb is as simple as double-clicking on the ACC name. Legitimate e-mail traffic at ACC, by contrast, averaged between 5,000 and 6,000 messages per day, a load the 486-based system could handle. But the load soon intensified to about 75,000 e-mail bombs per day. Bass had been adding new rules every day to counter the spam mail, but now the volume was overwhelming. That’s when the e-mail server crashed, thus suspending e-mail service all over the base.

The hackers’ victory only lasted a fewhours. The ACC computer squad rushed toupgrade the e-mail system to a Pentium class processor and increase its storagecapacity. It was as if the cloud cover hadlifted and suddenly there was lots of sky tofly in. Even better, the computer squad,now called the Tiger Team and under thecommand of Lt. Col. Dave Gruber, had beenworking the problem all this time, lookingfor recurring patterns and turning Bass’initial code into a more sophisticatedhacker-busting program. Nevertheless, the hacker community tendedto breach each new set of rules within 48hours, and at one point used the public emailservers at the White House to launch bombs at Langley. The base’s computer squad countered with new fixes. Soon, theimprovised black hole strategy had evolved into a complicated software package thatwould become known as Bombshelter.

Hacker e-mail,meanwhile, continued to disappear into a black hole, but became more probing. Messages soon began appearing with forged sender addresses, for example, seeking to unearth the countermeasures being used by ACC. With each probe, Bass, Soubeih, and the rest of the computer squad responded with a new defensive measure. “People were shooting everything at us,” recalls Bass. “It was wonderful action!”

As the hackers’ patterns were divined, itbecame clear that the ACC was now beinghit by a coordinated hacker attack. For allpractical purposes, ACC had created a cyberfront. But unlike conventional warfare, their adversaries on the other side of the line were unknown. Some of the probes were identified as being from locations in Estonia and Australia, but that meant little, since these locations could merely be relay points themselves. “The actual geographic location is mostly irrelevant” anyway, explains Bass. “I can log into any server in the world from my house and use it as an attack point.”

E-mail bombs continued to hit Langley unabated for another month. Roughly 80 percent of the e-mail traffic coming into Langley was spam, but it was all disappearing into a black hole managed by Bombshelter. Suddenly, the volume dropped dramatically, declining to less than 5,000 and continuing to decline. Soubeih decided to check through the hacker Web sites and discovered that ACC was no longer being listed as an attack point or a relay — Bombshelter had done its job.

Since the 1997 cyberattack, ACC has revamped its e-mail system so that its servers can no longer be used as a relay point. But the attack on Langley was a wake-up call to the entire military as to the vulnerabilities of their computer systems. Traditional firewalls and other hardware attempts to filter this type of spam mail were ineffective. Instead, Bombshelter would ultimately become the first line o cyberdefense for the U.S. military and its NATO allies. “The notion that a firewall will protect the network was completely blown away by this event,” says Meyerrose. “You can’t buy a box and have information protected. Someone will figure out how to get around it.”

Cyberattacks are still notoriously hard to detect. Bombshelter got to the root cause of the problem and is still working, but clever hackers have shown themselves to be adept at adapting to defensive measures of this sort — and they all talk to one another. Langley continues to get bogus e-mails every day, and Meyerrose admits that “we’re trailing by a couple of years” in the ability to deal with cyberattacks — a game of catch-up that all of the armed services face. A Pentagon-sponsored study concluded in March that “the rate at which information systems are being relied upon outstrips the rate at which they are being protected.”

To get up to speed, the Pentagon is creating a Joint Task Force for Computer Network Defense, which should be operational this Summer. And the individual services have their own organizations, such as the Navy’s Secondary Heuristic Analysis for Defensive Online Warfare (Shadow) unit. Critics suggest the Pentagon may be crying wolf since there is no evidence — at least in the public record — that any classified computer system has been compromised. Neither is there any hard evidence of a state-sponsored attack. But as the Langley and the Serbian incidents clearly demonstrate, cyberattacks on the military are moving beyond the realm of pranks.

Reference:  PDF Copy of Popular Science On-Line Reprint of WAR.COM