The fictional island state of Berylia was under a devastating attack on military and civilian IT systems. Networks, communications, water purification systems, the electric power grid and even the central bank had all suffered critical disruptions as over 5,500 virtualised systems came under 8,000 coordinated attacks.
Some 24 defending "Blue Teams", each 50-strong, were tasked with helping "Berylia" resist the attacks in Locked Shields 2022 -- the world's "largest and most complex international live-fire cyber defence exercise this month, organised by the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE) in Talinn, Estonia.
From C2 to C3 -- Hackers use Slack API, queued print jobs to exfiltrate data
The Blue Teams also had to report on the incidents and tackle what NATO described as "forensic, legal, media operations and information warfare challenges" during the four-day NATO cyber exercise.
"Locked Shields is a unique opportunity for participants to practice the protection of national civilian and military IT systems and critical infrastructure. It is conducted under conditions of intense pressure, with teams countering sophisticated and intense series of cyberattacks," said Ian West, Chief of the NATO Cyber Security Centre.
NATO Cyber Exercise includes private sector partners
Locked Shields 2022 added new twists to the annual NATO cyber exercise and brought 24 member nations as well as partners from outside NATO like Finland playing Cyber Rapid Reaction Team roles.
Among the new additions were "simulation of reserve management and financial messaging systems of a central bank" for the first time, as well as the inclusion of a standalone 5G network.
The exercise is organised by CCDCOE with NATO, but also includes a range of private sector partners including Siemens; TalTech; Clarified Security; Arctic Security and Estonian cyber range centre CR14. The organisers also acknowledged the "unique elements added to Locked Shields 2022 by Microsoft, the Financial Service Information Sharing and Analysis Center (FS ISAC), SpaceIT, and Fortinet".
And there was a clear winner: Finland scored highest as a Blue Team in the exercise, with a joint Lithuanian-Polish team taking second place and Estonia coming in third.
CCDCOE report sketches fears of future integrated system compromise
The NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE) is staffed and financed by Austria, Belgium, Bulgaria, Canada, Croatia, the Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Japan, Latvia, Lithuania, Luxembourg, Montenegro, the Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, South Korea, Spain, Sweden, Switzerland, Turkey, the UK and the US.
As well as running the Locked Shields NATO cyber exercise, the CCDCOE produces a "Horizon Scanning" report, the latest volume of which was published in April 2022 and titled “Cyberspace Strategic Outlook 2030: Horizon Scanning and Analysis [pdf]. One chapter in the report, by Franz-Stefan Gady -- a Research Fellow for Cyber, Space and Future Conflict Institute for International Strategic Studies -- sketches a scenario in which "all deployed NATO forces are equipped with the new advanced battle management system (ABMS), which links ‘sensors to shooters’ in the internet of military things (IoMT) and fuses vast amounts of information with the aid of machine learning algorithms, thereby providing decision support to Allied commanders".
See also: The Big Interview with US Army CIO Raj Iyer
In one envisioned scenario "in 2031, a group of specialist GRU tactical cyber warfare experts... succeed in breaching the ABMS by targeting its weak perimeter rather than its strong core. Shadowing the US Recon Scout troop from the Russian side of the border, [they target] the cloudlets, servers, and communications equipment installed on the unit’s ground vehicles that serve as a collection point for ISR data heading to the NJWCC-enabled cloud. [The unit] has been able to track the troop and determine its geolocation with ease thanks to lax electronic signature discipline (one US trooper even smuggled his cell phone to the exercise, occasionally turning it on to share updates with his girlfriend).
"Unbeknownst to the troop", the report conjectures, "for three days the Spetsnaz GRU specialists have been attempting to break the relatively weak cryptographic security of one of the vehicle’s cloudlets. For many months, GRU specialists had been analysing the US cloudlet system in detail and have developed programs to hack it. On the morning of the fourth day, the Russian unit finally succeeds and inserts into the system a polymorphic attack package (or ‘worm’) – a type of malware that repeatedly changes its identifiable features to evade detection in the cloudlet by subverting the cryptographic security of the wireless networking protocol that supports the cloudlet operations. From the cloudlet, it is transferred to the cloud. The malware, disguised as a datapoint on a 9K720 Iskander mobile short-range ballistic missile system, would (or so the Russian hackers hoped) make it all the way to NATO’s Joint Force Training Centre in Poland, where the exercise was coordinated, given the likely high priority classification it would receive from the ML algorithm.
"In reality, the Russian malware goes well beyond that. As a result of the rapid fusion and redistribution of data under ABMS and NJWCC, the malware makes it all the way to US Strategic Command...."
As Horizon Scanning exercises go, it's a vivid imagining of future fears.
Locked Shields meanwhile aims to continue building resilience across the alliance and train national teams to tackle potential sophisticated attacks under huge pressure and multiple domains.