Interpreting the cybersecurity situation and response in light of major ransomware attacks

On May 7 (local time), Colonial Pipeline, the largest refined-products pipeline operator in the United States, was hit by a ransomware attack; 5,500 miles of pipeline were forced to shut down, prompting the Federal Motor Carrier Safety Administration under the U.S. Department of Transportation to issue a regional emergency declaration. Investigations by U.S. intelligence agencies and cybersecurity firms identified the ransomware gang behind the attack on Colonial as “DarkSide”. Although there is no clear evidence that state forces were directly involved, the destructive potential of this ransomware attack is undeniably no different from that of a national APT organization. The incident shows that in the structural analysis of cybersecurity threats, the share of non-state actors will grow rapidly, rising to become a “main variable” alongside state actors. The existing cyberspace governance landscape, dominated by governments and marked by unilateralism, will be forced to shift toward a multi-stakeholder, multilateral order. The cybersecurity situation is undergoing major changes, and maintaining security in cyberspace will face ever more challenges.

1. The ransomware attack on a U.S. fuel pipeline company is the first targeted attack with a cybercrime background to damage national infrastructure, signalling a structural reshaping of cybersecurity threats

(1) The evolution of ransomware stems from dual incentives: internal technological iteration and external conflict between states

Ransomware attacks can be roughly classified as the third stage of malware development. The first stage is the computer virus in the traditional sense, active since the 1990s and characterized by high victim awareness and the social impact of a large-scale outbreak in a short time; the second stage is malware focused mainly on information theft, characterized by strong stealth, low victim awareness and limited social impact unless amplified by the media; the third stage is ransomware, which combines the propagation effect of the first stage with the data-theft capability of the second. Ransomware itself has a long history: Harvard student Joseph L. Popp wrote the first ransomware, the AIDS Trojan, as early as 1989. But only once technologies such as the dark web and virtual currencies had matured did this kind of profit-driven cyberattack break out on a large scale, and it continues to this day.

The revolutionary upgrade of ransomware’s intrusion capability, which began with its combination with state cyber weapons, constitutes a significant new threat source in cyberspace. The mapping of national conflicts onto cyberspace has accelerated the cyber arms race, and the peculiar property of cyber weapons, that they can be copied and are easy to copy, makes the proliferation of cyber arms difficult to control. From May to July 2017, ransomware built on “EternalBlue” broke out in one country and region after another. Compared with the more traditional ransomware attacks that preceded them, these two families showed weapon-level upgrades in both technique and composition. The reason is that the “WannaCry” virus used “EternalBlue”, a network tool leaked from the U.S. National Security Agency in 2016. Although “EternalBlue” itself has no direct destructive function, it can propagate on a large scale. Its typical feature as a national cyber weapon lies in the discovery and exploitation of zero-day vulnerabilities in the Microsoft Windows operating system. Zero-day vulnerabilities are typically hard to find and easy to exploit, and only countries with a technological advantage in cyberspace can exploit them. Once ransomware is integrated with such a new propagation tool, its attack capability and damage effect immediately improve greatly. As a result, ransomware, which has always been profit-seeking, has acquired the strategic potential to serve as a cyber weapon and has become a major threat facing global cyberspace.

Figure 1. Key technologies applied in major-threat ransomware (figure not reproduced)

(2) The distinctive technical characteristics of the ransomware attack on the U.S. fuel pipeline company approach those of cyber-warfare operations

Industry analysts believe the “DarkSide” organization is based in Russia. Since there is no evidence of direct involvement by the Russian government, a state-led cyber-warfare operation is ruled out. The “DarkSide” ransomware attack on Colonial was the first targeted attack by a non-government, non-state actor to damage state-level infrastructure. The attack has the following distinctive features. First, the targeting is highly selective and directional: “DarkSide” claims it has never attacked medical, government, educational or non-profit organizations, and shows a “preference” for enterprises. Second, long-term continuous latent infiltration: “DarkSide” spent weeks or even months on technical analysis of the target, covering core high-value data such as accounting data, execution data, sales data, customer-support data and marketing data. Third, double extortion: to ensure the victim is successfully coerced into paying the ransom, in addition to encrypting data, a large amount of important data is stolen, with “the core data will be released if the ransom is not paid” used as a bargaining chip. Fourth, the attack process tends toward APT behaviour, which is the most important feature of this attack: a large number of penetration-testing tools were used to scan the target network for vulnerabilities and break in, followed by lateral movement after entering the intranet, even attacking the Windows domain controller in an attempt to control the entire corporate intranet. The specialization and precision of the whole attack are no different from previous national APT attack processes, and its destructive capability comes very close to cyber-warfare operations carried out by states.

(3) Analysis of the cybersecurity threat structure will face the parallel “dual main variables” of state and non-state actors

Depending on the originator, cybersecurity threats can be divided into three categories: those originating from individual hackers, from criminal or terrorist groups, and from states or state-sponsored organizations. Attacks by these different actors differ greatly in life cycle, targeting, technical threshold, economic cost and impact. The biggest difference of threats originating from states or state-sponsored organizations is that their targets are often the critical infrastructure or military facilities of the target country, on which they can produce physical manipulation, paralysis or damage. Such cyberattacks increasingly affect the international security situation. For example, in July 2020 the then U.S. President Trump publicly confirmed that he had approved a 2018 cyberattack on Russia’s Internet Research Agency, and acknowledged that the attack was carried out against the backdrop of increasingly fierce confrontation between the United States and Russia. Protecting the country’s critical infrastructure from cyberattacks by hostile countries has become the top cybersecurity priority for governments.

Cyberspace technology has profoundly reshaped the substance and form of international politics. Competition and order-building around technology are the key to international strategic competition in the 21st century, pushing international politics from the “geopolitical era” into the “technopolitical era”. Yet the formulation of major national cyberspace strategies still follows the geopolitical habit of focusing on state adversaries, paying little or no attention to non-state actors. The 2017 U.S. National Security Strategy identified great-power competition as the primary threat to national security and listed China and Russia as strategic competitors. Against this background the U.S. military’s cyberspace policy was substantially adjusted, defining cyberspace competition as national strategic competition and proposing confrontational means to respond actively. In April 2018, U.S. Cyber Command released a new strategy, “Achieve and Maintain Cyberspace Superiority: Command Vision for US Cyber Command”, proposing the strategic concept of “persistent engagement”. The premise of “persistent engagement” is that the major cyberspace threats facing the United States all come from state adversaries. That rationale is seriously challenged by the emergence of cybercriminal organizations with state-level capabilities. In future, any country analyzing cybersecurity threats must attach great importance to the destructive influence of non-state actors; the global cybersecurity threat structure has formally entered an era of “dual main variables”, with state and non-state actors in parallel.

2. The development of the “DarkSide” cybercriminal organization reflects the inevitable trend of continuous empowerment of non-state actors in the information age; national security and international relations face major new changes

The “DarkSide” ransomware attack on a U.S. fuel pipeline company epitomises the significant influence of non-state actors in cyberspace. In the 21st century the world is in the fourth wave of technological revolution, driven by the Internet, big data, artificial intelligence and the Internet of Things. Unlike the earlier industrial revolutions represented by the steam engine, electricity and atomic energy, the impact on international politics of the information-technology wave represented by the Internet is bottom-up: it first changes how people think and live, then gradually integrates with traditional industries, and so reconstructs the models of economic development, social order and government governance. In this bottom-up transmission, non-state actors are continuously empowered in cyberspace and their roles and influence continuously strengthened. This trend has had a huge impact on national security and international relations.

(1) Cybersecurity breaks out of the national-governance dimension of the traditional security field

In his 2011 book The Future of Power, Joseph Nye specifically analyzed the power generated by the Internet. He argued that the state is not the only actor in cyberspace and that power is diffusing from state actors to non-state actors. If the transformation of individual netizens from consumers of information into producers has given them greater political voice, then Internet companies, the vanguard of the digital age, have gained greater influence and dominance in political life through their control of the key resources of that age. With the continuous growth and expansion of Internet companies and platforms, the economic and social resources controlled by a few technology giants can almost rival those of states, and they bring shocks and challenges to the existing economic, political and social order. Non-state actors such as hackers, criminal groups and terrorist organizations in cyberspace challenge traditional state power even more directly. In 2014, Joseph Nye proposed the regime-complex theory of cyberspace governance, using a multi-dimensional normative framework to analyze different cybersecurity issues separately and determine the dominant actor for each specific issue.

(2) Cyberspace may become a high-risk zone for triggering wars between countries

Cyberspace has long been in a state of low-intensity confrontation between countries. Because the destructiveness of cyber attack and defence is much lower than that of traditional firepower, there has been no danger of escalation into interstate war, so some scholars classify cyberspace as a “gray zone”. However, as some countries gain the ability to disrupt infrastructure through cyberspace, cyberspace will become a battleground that can decide the survival of nations. What is even more dangerous is that when non-state actors master such cyber weapons, on the one hand they can inflict war-scale damage on the target country; on the other hand, they can hide their identities or even shift responsibility, creating the risk that wars between countries escalate from mistaken cyber attribution. In recent years the number of online conflicts has kept rising. Although many countries extending real-world contradictions into cyberspace is one cause, the large number of individuals, cybercriminal organizations and even cyber-terrorist forces exploiting the chaos under cover of national cyber conflicts cannot be ignored either. At present, the cyberspace strategies of the United States and many other Western countries take an offensive stance which, in the face of increasingly serious and diverse cybersecurity threats, is very likely to be misled and exploited, leading to war between great powers.

3. The proliferation of weapon-grade malware will create new opportunities in the global cybersecurity situation; China needs to anchor certainty amid the uncertainty of its complex evolution and shape a cyberspace situation favourable to China as a whole

In late April, before the ransomware attack on Colonial, the Biden administration had just launched a “100-day plan” to strengthen the cybersecurity of the energy supply system. The attack fully exposed the vulnerability of a traditional military power in cyberspace. Unlike physical space, cyberspace has a “glass house effect”: absolute military superiority does not mean absolute security. The more deeply a country is integrated with the Internet, the greater its dependence on cyberspace and the greater its vulnerability to security threats such as cyberattacks. Major cybersecurity incidents such as ransomware attacks have provided a key focus for rebuilding consensus in cyberspace, and also a useful opportunity for China to shape a sustainable and stable cybersecurity situation.

(1) The sustainability of the “digital community route” is further highlighted

Strategic competition in cyberspace covers not only the digital economy, military strength and technological dominance, but also the line taken in cyberspace. Representative examples are the “digital community line” upheld by China and the “digital cold war line” played up by the United States. General Secretary Xi Jinping pointed out: “The development of the Internet knows no national borders or boundaries. To use, develop and manage the Internet well, we must deepen international cooperation in cyberspace and work together to build a community with a shared future in cyberspace.” China regards cyberspace as sovereign space, opposes the extension of traditional hegemonism into cyberspace, and calls for jointly building and maintaining the global cyberspace homeland on the basis of respect for cyber sovereignty, and for a joint response to global public hazards such as cybercrime, cyber theft and cyber terrorism. At the same time, many countries, enterprises and civil organizations have put forward their own propositions. For example, in 2018 French President Macron proposed a nine-point initiative for global co-management of the Internet, and in 2019 Tim Berners-Lee, the father of the World Wide Web, proposed the “Contract for the Web” with its nine principles. In addition, the United Nations focuses on cyberspace peace, cybercrime, the digital economy, online information content, emerging technologies and other aspects, coordinating and promoting multiple issues of global cyberspace governance. Although these initiatives and propositions differ greatly in content, they all reflect the basic principles of the “digital community”.

Actors who support the “digital community route” seek common solutions from a global perspective, but many actors are still pushing cyberspace toward a “digital cold war”. On August 5, 2020, with the COVID-19 pandemic raging around the world, the then U.S. Secretary of State Pompeo launched six policy measures in the “Clean Network” program, forcing the dialogue map of global Internet governance to converge with unilateral action. In this way the imaginary enemy of the traditional military field was extended into the digital economy. The peaceful route in cyberspace has been seriously obstructed, the window of opportunity for digital economic cooperation is shrinking rapidly, and discussion of Internet fragmentation, Internet Balkanization and digital silos has suddenly increased. As common threats in cyberspace such as ransomware attacks keep worsening, especially with the proliferation of weapon-grade ransomware, the risk of war will keep rising and the relative merits of the two routes will become clearer; a new cyberspace ecosystem that emphasizes joint participation may emerge.

(2) Major threats to global cyberspace cannot be dealt with without China’s role

Cyberspace is a complex of many complexes. Relying on a multi-stakeholder framework of different countries and different actors is the inevitable choice for dealing with major threats to cyberspace, and China, as the world’s second-largest digital economy, is bound to play a major-power role in it. The United States strongly advocates a “three nos” principle in cyberspace internationally: not attacking each other’s nuclear command and control systems, not damaging the data integrity of each other’s financial systems, and not planting backdoors in each other’s supply chains. These principles expose America’s soft underbelly in cyberspace. At present, important network platforms, including the U.S. nuclear command system and financial system, are under threat from cybercriminal groups and terrorist organizations, and the “SolarWinds” incident further exposed the vulnerability of U.S. supply-chain security. China can actively respond to the concerns of Western countries such as the United States, actively coordinate the positions of major powers, offset the confrontation created by a few irresponsible countries, build mutual trust in cyberspace, and promote the overall stability of the cyberspace situation.

(3) Strengthen the role of multi-stakeholders in issues such as open-source attribution of cyberattacks

Public attribution (tracing) of cyberattacks is the core issue of international cooperation in cyberspace. For a long time the United States has set the rules of open-source attribution and used its dominant position to frame other countries. At present China’s voice on this issue remains extremely limited. In future it is necessary to enhance the voice of multi-stakeholders in this field and actively bring to bear China’s advantages in the Internet economy, technological innovation and other areas; to encourage domestic cybersecurity NGOs, enterprises and others to strengthen the linkage of law, technology and security, using compound means to handle compound games, enriching the means of contest in cyberspace and expanding the space for it; to support and participate in formulating international rules for the open attribution of cyberattacks under the United Nations framework, hedging against the United States’ special status of being “both referee and player”; and to promote the establishment of an internationally recognized third-party attribution body, not controlled by the United States and the West, that conducts open and fair attribution of cyberattacks.
