Digital Drones

Red Teams
Digital, Fieldcraft

Note: I wrote this for SOFREP, you can see the post here.

There has been a lot of talk about drones lately. There is no doubt that they are a valuable asset in the current war and they will most likely have a central role on upcoming wars.

But there is another kind of drone. The digital counterpart.

Digital drones are sophisticated little programs that hackers and security penetration testers have been using for years to recon their targets, to collect information, to download and upload malicious or utility code, to control the remote system or to attack it. They can also deliver a payload, execute it and self destroy.
This is not new, we've been using these kind of programs to attack/recon since the 90s, however due to the increase support for more intelligent interfaces on operating systems, the drones too have gotten more intelligent and capable through the years.

One early version of a drone we coded had the ability to recon the network, search for specific files, record sound (from laptops or computers with microphones) and take screenshots of the systems it was surveilling. This particular piece of code could also be used in real time. If the drone detected a way to covertly egress information it would send a signal to one of many servers located around the world, letting us know we could control it. Then, we would open a command console on our end, connect to the IP the drone sent us and control it directly. We could request for network information and it would send the intel a few moments laters, we could request the search for specific files, which would be uploaded to a server at random intervals stealthily so the drone could remain undiscovered. We could also request for a shell. A shell is simply a command line terminal that allowed us to control the target system remotely by issuing command line instructions or running programs remotely.

Another newer drone we used, was able to install itself at kernel level, like a rootkit or device driver, and specifically monitor the system for the use of cryptography. If a known program was used, the drone could steal the private keys (in cases where a public key crypto like PGP was used) or simply record the keys as they were being pressed by the bad guys when they were entering the password. There were many ways to achieve all this back then and remain undetected, and there many more now.

A good recon program utilizes stealth techniques. For example, it can bypass or disable personal firewalls, antivirus or antimalware software. It loads all the functions at runtime so monitoring software will have a harder timer detecting it, it exploits unknown vulnerabilities on the host operating system (also known as 0day attacks) and it utilizes covert channels to extract information or provide real time control, for example - and without giving too much detail - by manipulating TCP packet headers or the data section, or by sending information in the form of DNS requests.

Does this sound familiar? Does the names Stuxnet, Duqu and Flame come to mind? Yes, those were drones too. Very sophisticated and with a very specific purpose.

Current technology allows the writing of highly stealthy and advanced. The tempo on the digital warfare front is increasing so expect the use of these programs to increase too.

Don't take the elevator...