Raj Ahten wrote: To be able to pull off such a sophisticated attack on an enemy system, wouldn't you have to know it intimately? If you don't know how their software and such works, how could you get your virus to mess with the threat registries and so forth? My only knowledge of this sort of thing is working with my PC, and I know that crackers often design viruses by looking at the code of a program for flaws that they could exploit.
I honestly don't know. I do know that some viruses and worms are portable and that they can work on a number of different systems (akin to a civilian virus being able to infect both Apple and IBM-class machines) but the details of how these things work is way beyond my area of expertise. I do know that in the 1980s when we were working on RTADS and IUKADGE, the vulnerability of the datalinks was a very serious consideration.
For a very old version of how this may work, take the battle of Leyte Gulf in 1944. Halsey was heading north to engage what he thought was the main Japanese fleet. Nimitz sent him a message that read "Where is Task Force 34?" A simple query. However, the officer encrypting the message added padding to make decrypting it harder. The postscript padding read "the world wonders". By an error, the padding got added to the real message, making it read "Where is Task Force 34, the world wonders" and turning a simple query into a stinging rebuke. Halsey turned his ships around and Ozawa escaped.
Now, for the sake of illustration, assume the comms officer was really a Japanese spy trying to save Ozawa and we have a picture of how this might work. The message is a datalinked communication, the padding becomes the underlying cryptography. The underlying code contains a message that disables a large part of the system. So, for example, it might be "and all aircraft bearing this IFF code are friendly and can be filtered from the operational display".
It would seem to my untrained eyes that unless you had examples of the enemy system to work with, viruses you could make to seriously affect their systems wouldn't be able to work. Is SIGINT just that different from normal computer operations? (Got to admit all I know about the practicalities of SIGINT is that it's very complicated, changes every ten minutes, and even most people in the military and intelligence communities know next to nothing about it.)
Not really, because of the way data is handled. Take ESM. We pick up a signal, say a radar transmission. The first thing we do is process that signal and feed it into our threat library. The threat library is a computer archive of radars and the transmission characteristics of those radars. The signal is compared to that archive and a match found, thus identifying the radar (or so the operator hopes; with software-controlled radars it isn't that easy). Now, look at what's happened: the signal is in the computer being processed; the two have to be compatible. Now, if there is something very nasty buried in that signal, it's in and being worked on, thus the system working on it is vulnerable. That worm or virus might, for example, hijack the threat library and add a whole series of new radars to it labelled as being "friendly". So, our IDF F-15 can fly across hostile airspace with its radar banging away because the F-15's IFF codes are being interpreted as friendly and its radar is also listed as friendly - and we have two complementary sources saying the contact is friendly. Until it drops its bombs.
COMINT could easily work the same way. To decrypt a message it gets fed into a computer (modern computer-based decrypts are very good, they can even break conventional one-time pads). The computer is now working on a message and if there is something nasty buried in that message, the computer is vulnerable. Another way the thing is open is using frequency-agility. Most modern tactical radios are frequency-agile; they hop from frequency to frequency to avoid eavesdropping. The problem is that the network has to be coordinated so everybody hops to the same place - that needs coding buried in the message. If a signal is intercepted that interferes with that coding, the network stops working.
In the case of the raid on Syria, ****my guess**** is that the Israelis played with the IFF codes - probably instructing the air surveillance system that the IDF aircraft were commercial airliners or Syrian Air Force flights. If that's correct, then it was a very simple, small-league operation.
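As an added example, not from the thread, the ESM pipeline described in the reply above modelled in Python: a constructed threat library is sealed with an HMAC when it is loaded from its trusted source, an intercepted signal is matched against it, and the kind of tampering the post describes (a hostile radar relabelled "friendly") is detected so the classifier fails closed instead of filtering the contact off the display. The key, emitter parameters and matching tolerances are invented for illustration.

```python
import hashlib
import hmac
import json

# Constructed sample threat library: emitter name, transmission characteristics
# (centre frequency in MHz, pulse repetition interval and pulse width in
# microseconds) and the label the operator display will use. Invented values.
def build_library():
    return [
        {"name": "RADAR-A", "freq_mhz": 9400, "pri_us": 800, "pw_us": 1.2, "label": "hostile"},
        {"name": "RADAR-B", "freq_mhz": 3100, "pri_us": 2500, "pw_us": 6.0, "label": "hostile"},
        {"name": "RADAR-C", "freq_mhz": 1300, "pri_us": 4000, "pw_us": 20.0, "label": "friendly"},
    ]

def canonical(library):
    # Stable byte encoding so the integrity tag does not depend on entry order.
    return json.dumps(sorted(library, key=lambda e: e["name"]), sort_keys=True).encode()

def seal_library(library, key):
    # Integrity tag computed once, when the library is loaded from its trusted source.
    return hmac.new(key, canonical(library), hashlib.sha256).hexdigest()

def library_intact(library, key, tag):
    return hmac.compare_digest(seal_library(library, key), tag)

def match_emitter(signal, library):
    # Compare the intercepted signal's parameters against each entry within tolerances.
    for entry in library:
        if (abs(entry["freq_mhz"] - signal["freq_mhz"]) <= 50
                and abs(entry["pri_us"] - signal["pri_us"]) <= 25
                and abs(entry["pw_us"] - signal["pw_us"]) <= 0.2):
            return entry
    return None

def classify_emitter(signal, library, key, tag):
    # Fail closed: a library that no longer matches its seal may never declare
    # a contact friendly, whatever the matched entry says.
    entry = match_emitter(signal, library)
    if entry is None:
        return "unknown"
    if not library_intact(library, key, tag):
        return "unverified-library"
    return entry["label"]

def poison_library(library):
    # Simulates the worm from the post: the hostile radar's entry is relabelled
    # "friendly" so the display would filter the contact out.
    tampered = [dict(e) for e in library]
    tampered[0]["label"] = "friendly"
    return tampered
```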