Winter (in cyberspace) is coming

“Winter is coming.” For Game of Thrones fans, the meaning is very clear going into the final season of the HBO smash hit series: The White Walkers have returned, wreaking havoc and destruction and laying waste to everything in their path. Winter also has a specific meaning in the case of nuclear warfare.

Nuclear winter was the term coined to describe what would happen to Earth after a nuclear war. Even in a limited regional conflict, like India and Pakistan, the effects would be significant and could last for 20 years before coming close to recovering.  This includes a temperature drop of 3 degrees after five years. Doesn’t seem like much until you factor in the effect on crops, the ozone layer and the estimated five megatons of black carbon that enter the air immediately after a nuclear exchange. All bad stuff globally, not just for the Indian subcontinent.

Now there’s a different type of winter approaching. And it’s coming for the internet.

Dubbed ‘DNSpionage’, this campaign was first outlined by Cisco’s Talos researchers. Most remarkable were the entities affected. Government sites in the United Arab Emirates (UAE) and Lebanon were targeted initially. The first part of the campaign targeted users through malicious documents on fake web sites. The second part redirected the DNS — Domain Name Service — of legitimate .gov and private sector companies. Why is this troubling?{mosads}

The Domain Name Service is the phonebook for the internet. It takes human-readable website names (e.g. TheHill.com) and translates it into an Internet Protocol (IP) address that computers and networks use to route you to your intended destination.

DNSpionage stole email and other login credentials by hijacking the DNS servers of their targets. That means even though you thought you were dealing directly with your bank, your user name and password were being harvested by bad actors.

The very foundation of trust on the internet was put under attack. The result was the first-ever Emergency Directive issued by the Department of Homeland Security. On Jan. 24 this year, DHS issued ED 19-01 called ‘Mitigate DNS Infrastructure Tampering’.

The Cybersecurity and Infrastructure Security Agency (CISA.gov) stated they took this action after “tracking a series of incidents involving Domain Name System (DNS) infrastructure tampering. CISA is aware of multiple executive branch agency domains that were impacted by the tampering campaign and has notified the agencies that maintain them.”

Why alter DNS records? Because it’s easier to change one DNS record and see all web and email traffic, than it is to attack accounts in virtual hand-to-hand combat through phishing and spear phishing. The most insidious part? Users get absolutely no notification or alert their traffic has been compromised.

According to ED 19-01, “Because the attacker can set DNS record values, they can also obtain valid encryption certificates for an organization’s domain names. This allows the redirected traffic to be decrypted, exposing any user-submitted data. Since the certificate is valid for the domain, end users receive no error warnings.”

The cascading impact of this kind of attack can persist for months and wreak long-term damage by manipulating the trust users have in their security certificates.

But winter is about to get colder. Our adversaries aren’t slowing down, in fact they’re speeding up in their ability to exploit holes in our trusted systems and attack from within.{mossecondads}

In the case of a nuclear exchange, we learned in January of 2018 (when Hawaiians received an emergency alert of their phones that stated “BALLISTIC MISSILE THREAT INBOUND TO HAWAII. SEEK IMMEDIATE SHELTER. THIS IS NOT A DRILL”) that a nuclear missile from North Korea could reach the Hawaiian Islands in 37 minutes. That alert ended up being our own massive failure in emergency response, but it highlighted the short amount of time left to prepare for a nuclear strike. In the cyber world, the time can be even shorter.

The security company CrowdStrike just published their Global Threat Report and focused on the tradecraft of our adversaries and the ‘importance of speed’. Instead of 37 minutes, Russia only needed 19 minutes to go from the initial breach of a network to ‘breaking out’ and accessing the next node. Imagine Russia compromising our electric grid, and within 19 minutes taking over control of a large portion of our power delivery.

In March of 2018, American officials publicly accused Russia of conducting a “multi-stage intrusion campaign” that involved malware and spear phishing. From there, Russian hackers were able to break out very quickly and move laterally to other critical Industrial Control Systems (ICS). The latest report from the FBI and DHS clearly says Russia is responsible for the attacks:

“This alert provides information on Russian government actions targeting U.S. Government entities as well as organizations in the energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors.”

If the U.S. wants to see how a future attack on our energy grid will look, and be accomplished, we only need to look at how Russia has turned Ukraine into their digital punching bag for cyber-attacks.

Winter in cyberspace is coming. Will we be prepared, or left out in the cold?

Morgan Wright is an expert on cybersecurity strategy, cyberterrorism, identity theft and privacy. He previously worked as a senior adviser in the U.S. State Department Antiterrorism Assistance Program and as senior law enforcement adviser for the 2012 Republican National Convention. Follow him on Twitter @morganwright_us.