The team at NCDOC has released Cyber Mishap Report 02-16.
How will you leverage this report to ensure your unit is cybertight?
P R 081020Z JUL 16
FM CTF 1020
MSGID/GENADMIN/NAVCYBERDEFOPSCOM SUFFOLK VA/-/JUL//
SUBJ/CYBER MISHAP REPORT 02-16//
RMKS/1. The purpose of this message is to inform key partners across the Fleet of activity detected on Navy networks over the last quarter by the Navy’s Defensive Cyberspace Operations Task Force (TF 1020). The intent is not merely to inform, but to inspire changes in behavior based on this increased awareness. It is part of a broader TENTH Fleet strategy to reduce the Navy’s network intrusion attack surface and more deliberately operate our network as a warfighting platform.
2. In the interest of presenting a hardened attack surface to potential adversaries, TF 1020 will promulgate routine Cyber Mishap messages to help educate fellow warfighters, information technology users, and operational leaders on recent, easily preventable cyber incidents and events. Information Assurance Managers (IAMs), System Administrators (SYSADMINs), and leadership should use these messages to inform command training opportunities and aid in decision making. Additionally, TF 1020 offers a variety of training solutions tailored to help our extended teammates better prevent and mitigate adversary attacks. Please contact firstname.lastname@example.org for courses and availability.
3. NOT IN MY HOUSE: In the interest of beginning on a positive note, we would like to share a success story. A well-trained and vigilant Sailor aboard a US Navy carrier received a suspicious email with enticing embedded links and content. Remembering his recent Information Assurance (IA) training, the user properly and promptly notified his IAM. The IA staff sprang into action and was able to remove the illicit email from the email server and delete all other copies sent to ship’s force. The prompt and swift action of this proactive user averted a potential cyber incident. BRAVO ZULU!
4. ANIMAL HOUSE IN THE GATOR FLEET: As we approached our nation’s 240th anniversary this past spring, one ship was in a particularly reflective mood. They held this Truth to be self-evident: that the NIPRNET was created for their personal enjoyment. Despite clear policy guidance, they felt endowed with certain unalienable rights, among these the right to surf pornography websites, install video game software on the SIPRnet, and use unauthorized software to bypass federal intellectual property laws. While this mighty warship steamed through foreign waters, carrying out its duty to support and defend the Constitution of the United States, an enterprising young patriot audaciously kept himself entertained by visiting a plethora of clearly unauthorized and, in this case, pornographic websites. In addition to satisfying the Sailor’s selfish compulsions, these websites were serving up malicious code that could have put the entire ship’s network at risk and, worse, the entire mission of the ship! Apparently surfing pornography was not enough to keep ship’s force amused. In a nearby space, another Sailor was busily turning his SIPRnet workstation into his personal video game system. As Gameboy lived out his warrior fantasies in his myopic video game universe, oblivious to the threat posed by embedded malware in the video game software, he could have been inadvertently aiding his brother in arms, Pornman, in putting the entire ship at risk. In the end, his perceived unalienable right to video games appears to have superseded all other concerns for his shipmates and the ship. Finally, if that weren’t enough, this ship found itself with not one, not two, but eight computers all infected with the same malware, usually a sign of a major high-level intrusion. The malware had been introduced when a contractor used unauthorized software that bypassed the Microsoft Windows licensing process. Why bother with all those pesky copyright laws when it’s so much easier to just run a bootleg version? The problem was that this software also had a bonus feature: it came embedded with malware, and the installed anti-virus protection wouldn’t let him use this illegal software. Undeterred, Johnny Genius removed the anti-virus capability and then proceeded to install the license-bypassing software. Good job Johnny, problem solved! Unfortunately, his masterful problem-solving skills resulted in the chain of command enjoying the personal attention of Navy Flag leadership and cost poor Johnny his job. We hope his innovative SYSADMIN skills serve him well in his hunt for new employment.
5. CURIOSITY KILLED THE MIMIKATZ: At a Navy shore Command near you, an enterprising network administrator decided to download files associated with the well-known malicious software MIMIKATZ for research and testing purposes. While some commands have legitimate, authorized reasons to research malware in isolated network environments, this administrator was not authorized and the network he was using was not isolated, so he exposed a major Navy network to a potential compromise. The good news is the installed security devices worked as designed and alerted upon detecting the files multiple times. Alarms sounded when the files were obtained. More alarms tripped as the admin moved the files on his workstation. Even more alarms fired when he attempted to rename the files! Everyone has a bad day once in a while; this bad day resulted in all associated workstations being rebuilt to remove all remnants of the malicious files. A very costly evolution from time, money, and manpower perspectives. In the end, the administrator learned more ways to skin a MIMIKAT than he knew existed.
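The point of paragraph 5 is that the alarms kept firing as the files were obtained, moved and renamed: a content-hash match does not care what the file is called. The following is an added illustration of that detection logic, written for this page; it is not code from TF 1020 or from any fielded Navy sensor. The hash list is derived from a constructed byte string and is a labelled placeholder, not a real indicator, and the key=value event log format and the host, user and path values are all constructed.

```python
import hashlib
import re

# Constructed stand-in bytes for a prohibited tool. The hash below is derived from
# them so the example is self-consistent; it is NOT a real indicator of compromise.
_SAMPLE_TOOL_BYTES = b"constructed stand-in for a prohibited credential-dumping tool"
KNOWN_BAD_SHA256 = {
    hashlib.sha256(_SAMPLE_TOOL_BYTES).hexdigest(): "prohibited tool (placeholder hash)",
}

# Name-based indicators are weak (a rename defeats them), so they only rate "low".
NAME_PATTERNS = [re.compile(r"mimikatz", re.IGNORECASE)]

_KV = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Parse one 'key=value key=value ...' file-event line into a dict."""
    return dict(_KV.findall(line))


def assess(event):
    """Return an alert dict if the event touches a prohibited file, else None.

    The hash check fires on create, move and rename alike because the content,
    and therefore the hash, does not change when the file is moved or renamed.
    """
    reasons, severity = [], None
    label = KNOWN_BAD_SHA256.get(event.get("sha256", "").lower())
    if label:
        reasons.append(f"content hash matches {label}")
        severity = "high"
    file_name = event.get("path", "").rsplit("\\", 1)[-1]
    if any(p.search(file_name) for p in NAME_PATTERNS):
        reasons.append("file name matches prohibited-tool pattern")
        severity = severity or "low"
    if not reasons:
        return None
    return {
        "ts": event.get("ts"), "host": event.get("host"), "user": event.get("user"),
        "action": event.get("action"), "path": event.get("path"),
        "severity": severity, "reasons": reasons,
    }


def analyze(log_text):
    """Run assess() over every non-blank line and return the alerts in order."""
    alerts = []
    for line in log_text.splitlines():
        if line.strip():
            alert = assess(parse_event(line))
            if alert:
                alerts.append(alert)
    return alerts


def sample_log():
    """Constructed file-event log: the obtain/move/rename sequence from the report, plus one benign event."""
    bad = next(iter(KNOWN_BAD_SHA256))
    benign = hashlib.sha256(b"constructed benign file").hexdigest()
    return "\n".join([
        rf"ts=2016-06-01T10:02:11Z host=WS-0143 user=jdoe action=create path=C:\Users\jdoe\Downloads\mimikatz_trunk.zip sha256={bad}",
        rf"ts=2016-06-01T10:03:45Z host=WS-0143 user=jdoe action=move path=D:\research\mk.zip sha256={bad}",
        rf"ts=2016-06-01T10:04:02Z host=WS-0143 user=jdoe action=rename path=D:\research\notes.txt sha256={bad}",
        rf"ts=2016-06-01T10:05:00Z host=WS-0143 user=jdoe action=create path=D:\research\readme.txt sha256={benign}",
    ])


if __name__ == "__main__":
    for a in analyze(sample_log()):
        print(a["severity"].upper(), a["action"], a["path"], "|", "; ".join(a["reasons"]))
```

Running the block produces three high-severity alerts for the same content under three different names, including the attempt to hide it as notes.txt, and nothing for the benign file. The name pattern is kept only as a low-severity hint; the hash, or on a real sensor a signature over the content, is what makes the detection survive the rename.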
6. MWR – MORE WIRELESS RECEIVERS?: An amphibious assault ship was in dire need of overhaul. The ship’s crew was about to move aboard berthing and working barges when administrators started detecting significant network degradation issues. Morale, Welfare, and Recreation (MWR) personnel had installed wireless routers throughout all the barges to provide commercial Internet connectivity for Sailors to enjoy in their free time. The trouble started when Captain Cross Connect decided to connect the ship’s network servers into the wireless MWR commercial network. This resulted in the Sailors’ personal devices, including smartphones, tablets, and other wireless devices, receiving network services from the NAVY.MIL network. While the Sailors enjoyed their newfound bandwidth, it didn’t take long for them to consume all available IP addresses allocated for actual Navy computers, thereby denying legitimate access in the process. More egregious, however, was that it also provided a direct cross connection for everyone’s personal devices into NAVY.MIL. Due to the higher risks associated with personal devices, it opened the door for our potential adversaries to walk onto Navy networks. Once the misconfiguration was discovered, the ship’s IA force disabled all the MWR routers on the ship, ran a complete security sweep, and instituted the proper security procedures to prevent recurrence.
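The two symptoms in paragraph 6, the address pool running dry and a flood of unfamiliar hardware, are both visible in the DHCP server's lease table before anyone notices degraded service. The following is an added example of that check, written for this page and not code from the ship or from TF 1020. The approved-OUI inventory, the 192.0.2.0/28 pool and every lease in it are constructed placeholders; a real check would read the leases from the server and the OUIs from the command's hardware inventory.

```python
import ipaddress
from collections import Counter

# Constructed approved-hardware inventory: the OUIs (first three octets of the MAC)
# of the NICs the command actually fields. Placeholder values, not a real inventory.
APPROVED_OUIS = {"00:1a:2b", "00:1a:2c"}

# Alert once this fraction of the usable pool is leased.
UTILIZATION_ALERT = 0.90


def oui(mac):
    """Normalise a MAC and return its OUI, e.g. 'A4-5E-60-11-22-33' -> 'a4:5e:60'."""
    return mac.lower().replace("-", ":")[:8]


def analyze_leases(pool_cidr, leases):
    """Check a DHCP pool for exhaustion and for clients outside the approved inventory.

    pool_cidr - the dynamic range in CIDR notation, e.g. "192.0.2.0/28"
    leases    - iterable of (ip, mac, hostname) tuples as read from the server's lease table
    """
    pool = ipaddress.ip_network(pool_cidr)
    # Network and broadcast addresses are never handed out; a real check would also
    # subtract static reservations such as the gateway.
    usable = pool.num_addresses - 2
    in_pool = [l for l in leases if ipaddress.ip_address(l[0]) in pool]
    unknown = [l for l in in_pool if oui(l[1]) not in APPROVED_OUIS]
    utilization = len(in_pool) / usable
    return {
        "usable": usable,
        "leased": len(in_pool),
        "utilization": round(utilization, 2),
        "exhaustion_alert": utilization >= UTILIZATION_ALERT,
        "unknown_clients": unknown,
        "unknown_ouis": Counter(oui(l[1]) for l in unknown),
    }


def sample_leases():
    """Constructed lease table: three inventoried workstations, then ten devices whose
    OUIs are not in the inventory, the pattern a cross-connected MWR network produces."""
    leases = [
        ("192.0.2.2", "00:1a:2b:00:00:01", "WS-0101"),
        ("192.0.2.3", "00:1a:2b:00:00:02", "WS-0102"),
        ("192.0.2.4", "00:1a:2c:00:00:03", "WS-0103"),
    ]
    for i in range(10):
        leases.append((f"192.0.2.{5 + i}", f"aa:bb:{i:02x}:00:00:{i:02x}", f"personal-device-{i}"))
    return leases


if __name__ == "__main__":
    report = analyze_leases("192.0.2.0/28", sample_leases())
    print(f"{report['leased']}/{report['usable']} leased ({report['utilization']:.0%})",
          "EXHAUSTION ALERT" if report["exhaustion_alert"] else "")
    for ip, mac, host in report["unknown_clients"]:
        print("  unknown client", ip, mac, host)
```

With the constructed table the pool is 13 of 14 addresses leased and ten of the clients carry OUIs the command has never fielded. Either signal alone is worth a look; together, on a segment that should only ever hold inventoried workstations, they point straight at a cross connection. The OUI check is a coarse filter (an adversary can set any MAC), so it finds accidents like this one rather than deliberate evasion.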
7. DCO DEPLOYER ADRIFT: During an OFRP milestone event, one of our very own Cyber Defenders decided to avail himself of prohibited files residing in a hidden folder on the ship’s shared drive. File types included Shockwave Flash (.SWF), which are known to easily conceal malicious executables and are prohibited from that ship’s network for that very reason. High-end adversaries are known to embed malware in these types of files to ensnare unsuspecting users seeking a little entertainment, giving the bad guys a foothold in Navy networks. Fortunately, another one of our DCO Deployers noticed the misconduct, confronted their shipmate, and reported the violation. The offending files were cleaned up from the ship’s network, and the offending Sailor received a one-way ticket to CO’s NJP, where he was found guilty and punished accordingly. The Sailor was also denied the opportunity to deploy pending re-qualification, and was replaced with another qualified and ready deployer. We proudly hold ourselves to a high standard; you should expect nothing less of us. We implore you to hold your Sailors to the same high standard, and together we can drive a positive network culture change within our Navy.
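Paragraph 7 describes prohibited file types parked in a hidden folder on a shared drive, so a useful sweep cannot trust either the folder being visible or the file extension being honest. The following is an added example of such a sweep, written for this page and not code from TF 1020 or from the ship's IA force. It identifies Flash files by their leading bytes (FWS, CWS or ZWS for uncompressed, zlib and LZMA SWF respectively), walks dot-prefixed folders along with everything else, and builds its own constructed demo share in a temporary directory; the folder and file names in that share are invented.

```python
import os
import tempfile

# Leading bytes of the file types treated as prohibited here. Flash (.SWF) files begin
# with FWS (uncompressed), CWS (zlib-compressed) or ZWS (LZMA-compressed).
PROHIBITED_MAGIC = {b"FWS": "swf", b"CWS": "swf (zlib)", b"ZWS": "swf (lzma)"}
PROHIBITED_EXTENSIONS = {".swf"}


def classify(path):
    """Return a reason string if the file is prohibited by extension or by content, else None."""
    reasons = []
    if os.path.splitext(path)[1].lower() in PROHIBITED_EXTENSIONS:
        reasons.append("prohibited extension")
    try:
        with open(path, "rb") as fh:
            head = fh.read(3)
    except OSError:
        return None  # unreadable: skip rather than abort the whole sweep
    kind = PROHIBITED_MAGIC.get(head)
    if kind:
        reasons.append(f"content is {kind}")
    return "; ".join(reasons) or None


def scan(root):
    """Walk the share, including dot-prefixed (hidden) folders, and report prohibited files."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        hidden = rel != "." and any(part.startswith(".") for part in rel.split(os.sep))
        for name in filenames:
            full = os.path.join(dirpath, name)
            reason = classify(full)
            if reason:
                findings.append({"name": name, "path": full, "hidden_dir": hidden, "reason": reason})
    return findings


def build_demo_tree():
    """Constructed share: a hidden folder holding an SWF renamed to .dat, an honestly
    named .swf, and a benign text file. Returns the temporary root directory."""
    root = tempfile.mkdtemp(prefix="share-")
    stash = os.path.join(root, ".stash")
    os.makedirs(stash)
    with open(os.path.join(stash, "video.dat"), "wb") as fh:   # renamed: the extension lies
        fh.write(b"CWS\x0a" + b"\x00" * 32)
    with open(os.path.join(root, "game.swf"), "wb") as fh:
        fh.write(b"FWS\x08" + b"\x00" * 32)
    with open(os.path.join(root, "readme.txt"), "w") as fh:
        fh.write("nothing to see here\n")
    return root


if __name__ == "__main__":
    for f in scan(build_demo_tree()):
        flag = " (hidden folder)" if f["hidden_dir"] else ""
        print(f["path"], "->", f["reason"] + flag)
```

The renamed file in the hidden folder is caught on content alone, which is the case an extension filter misses. The dot-prefix test is the Unix hidden-folder convention; on a Windows share the hidden attribute is what matters, and it is read with os.stat(path).st_file_attributes & stat.FILE_ATTRIBUTE_HIDDEN instead. Files inside archives are not opened by this sweep.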
8. You’ll notice that almost all of these mishaps involve the NIPRnet. Should we really care that much? After all, it’s just the NIPRnet! Perhaps the better way to say it is: it’s just the network where we manage all of the ship’s maintenance. Or the network we use to conduct all of our logistics, resupply, and contracting. Or the network we use to manage all personnel matters, store sensitive health information, and pay people on time. If bad guys get into that network, what could possibly go wrong?
9. Thank you for reading our second quarterly Cyber Mishap Report. As we work to more fully develop this initiative, future messages will include insights on how we are using our bandwidth, how the actions of a few are undermining our defense-in-depth model, and how teammates across the Fleet are leveraging best practices, as well as visibility on the progress we are making toward our vision of becoming “a distributed team of cyber defenders; integrated through understanding, synchronized in action.” Until then, thank you for your continued partnership as we do our part to enable global power projection through proactive network defense. We see ourselves as an extension of your team and you as an extension of ours.//