S2Ep8 Planning the Hack
How an Advanced Persistent Threat attacker might have planned the hijack of MH370
Three episodes ago we looked at how MH370 might have been planned by a rogue pilot who wanted to commit mass murder-suicide. In particular, we looked at how the evidence we have in hand might have been produced as a result of decisions made in pursuit of a clearly defined goal. In today's episode we're going to carry out the same exercise with a different possible perpetrator: an "advanced persistent threat" actor (or APT, an idea we explored in the last episode) with state-level resources and strategic goals.
Again we'll ask: given the actions that were carried out, what might the motivation have been? Do we get a consistent story, or instead, as when we applied this method to Zaharie three episodes ago, are we left struggling to come up with a story that hangs together as a cohesive whole?
So let’s talk about the world we’re living in circa 2014.
Russia has committed itself to waging “new generation warfare” against the United States and the democratic West in general. It cannot fight directly through conventional warfare, as it is too weak, poor, and isolated. But it has one very important advantage. Its opponent does not know that the war has started.
The West is democratic. It is hundreds of millions of voices talking and arguing about a million things. It doesn’t have the focus and single-minded purpose that a dictatorship does. It’s asleep. Russia can do what it needs to do so long as it doesn’t wake up the sleeping giant. If it does something that might rouse the West to counterattack, it will fail.
What if it steps over the line? Then it has to have a distraction, something to pull the collective attention away from what it has done. This is what information warfare is all about — setting the terms of the conversation.
You saw this happen, by the way, after the Access Hollywood tape dropped during the 2016 election. Less than an hour later, WikiLeaks began publishing the emails that Russian intelligence had hacked from Clinton campaign chairman John Podesta, pulling attention away from the embarrassment to the Trump campaign.
So for the purpose of today's exercise, imagine that you have an APT actor that's always on the prowl, looking for ways to cause mischief and always looking for blind spots, much as someone who designs magic tricks looks for blind spots in the audience's perception.
If there was an APT on the prowl circa 2013-2014, how might they have laid the plans that led to the disappearance of MH370?
One possibility is that they started by studying Air France 447.
To recap, the A330 took off from Rio de Janeiro for a red-eye flight to Paris on the night of May 31, 2009. In the early hours of June 1, out over the middle of the Atlantic and beyond the reach of air traffic control radar, it ran into trouble and crashed into the ocean. Because the plane had been out of contact, it was not until hours later that anyone realized it was missing. Only later did officials go back and find the automatic satellite (ACARS) messages that had been logged with position data indicating roughly where the mishap had occurred. That told them where to search the seabed. Even so, finding the wreckage, recovering the black boxes and solving the mystery took two years, and it was a big story throughout that time.
Now, imagine you’re an APT and you want to create a diversion. You watch AF447 unfolding and ask yourself, “Wow, that really captured the news cycle. Is there a way we could reverse engineer AF447 to make an artificial version? Could we hijack a plane out over the ocean where no one can see us, then leave a trail of digital breadcrumbs that will subsequently lead investigators out into the deep ocean even though our operatives have snuck off someplace else? The press will flip out and obsess over the mystery, so they’ll be distracted from whatever else we don’t want them to think about.”
So what would you need to do to reverse engineer AF447?
First off, you couldn't just spoof the ADS-B because, as we discussed last week, GPS provides an extremely accurate location. If you spoof that, the searchers will know exactly where to look, and before long they'll realize that the plane isn't where they thought it was. Something like this actually happened in April 2014, when the search team thought they'd detected the underwater acoustic pinger from MH370's black box. The area they needed to search was very small, so it only took them a couple of weeks to realize they were wrong.
Instead, you want to leave a clue whose meaning is clear but whose precision is low. That is, you want to create a false trail of breadcrumbs that will later leave investigators with the impression that the plane went in a certain direction, but that isn't accurate enough to be easily disproven.
So you assemble a team of technical experts to talk about the idea and see what you can come up with. One of the satcom experts says, "You know, there's a kind of vague navigational signal we deal with. When a satellite is running out of station-keeping fuel, its transmission frequency gets out of whack because of the relative motion between the plane and the satellite. If you're dealing with a plane that uses a Honeywell MCS-6000 Satellite Data Unit, there will be a residue of the plane's velocity in the satellite metadata. If you tamper with the SDU, you could make it seem to someone looking at the data after the fact that the plane went south when it really went north."
In order for this to work, though, the airline has to be subscribed to the cheapest level of Inmarsat service, Basic Aero, because higher levels of service automatically attach GPS data to all of the recorded metadata.
You think: Hmm. Interesting idea. But how could we get into the SDU to meddle with it?
One of the guys who's been studying cyber-physical systems raises his hand. He says they've been studying Western aircraft for cyber vulnerabilities, and one is riddled with them: the Boeing 777. It's a fly-by-wire plane, but all the avionics are accessible through an unsecured hatch in the cabin floor. None of the Line Replaceable Units have a security layer, so if you can get an operative through that hatch, they can do anything.
So the team goes off and studies how they can take control of the plane from the electronics bay and then spoof the BFO (burst frequency offset) value so that the logged data says the plane went one way when it's really going another.
As they develop their scheme, the team realizes that the trick will only work near the equator. They need to plan the caper so that the real route the plane travels runs to the north or south, with a phantom, mirror-image route going the other way.
They look at the map and see that there’s one place on the globe where this will work. If the plane starts around the Andaman Islands and flies northwest to Kazakhstan in the middle of the night, it won’t pass over any active radar stations and the mirror route will look like it’s heading into the southern Indian Ocean.
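To make the geometry behind the mirror-route idea concrete, here is an added Python illustration. It is not from the podcast and it is not Inmarsat's actual BFO model (which also involves the SDU's own Doppler pre-compensation and oscillator offsets); it is a bare line-of-sight Doppler calculation on a spherical Earth. The satellite longitude (64.5E), the 1.6 GHz carrier, the 250 m/s ground speed and the 80 m/s north-south satellite velocity are assumed values chosen for illustration. What it shows: with the satellite exactly on the equator and not moving, a northbound aircraft at +10 degrees latitude and a southbound one at -10 degrees produce identical Doppler, which is the ambiguity the scheme relies on. Give the satellite the north-south drift that a fuel-starved spacecraft actually has, or park it a degree or so off the equator, and the two tracks separate by tens of hertz. That is the check an investigator would make, and the thing a spoofer who wanted the forgery to survive investigation would have to model.

```python
"""Added illustration (not from the episode, and not Inmarsat's BFO model):
a simplified line-of-sight Doppler calculation showing why a northbound track
and its mirror-image southbound track look the same to a satellite parked
exactly over the equator, and how the satellite's own north-south motion
breaks that symmetry.  Spherical Earth, straight tracks, and all numeric
values are assumptions chosen for illustration."""
import math

C = 299_792_458.0        # speed of light, m/s
R_EARTH = 6_371_000.0    # mean Earth radius, m (spherical model)
R_GEO = 42_164_000.0     # geostationary orbit radius, m
F_CARRIER = 1.6e9        # L-band aircraft-to-satellite carrier, Hz (assumed)


def ecef(lat_deg, lon_deg, radius):
    """Earth-centred, Earth-fixed position of a point at the given radius."""
    lat, lon = math.radians(lat_deg), math.radians(lon_deg)
    return (radius * math.cos(lat) * math.cos(lon),
            radius * math.cos(lat) * math.sin(lon),
            radius * math.sin(lat))


def local_frame(lat_deg, lon_deg):
    """Unit east and north vectors (in ECEF) at a point on the sphere."""
    lat, lon = math.radians(lat_deg), math.radians(lon_deg)
    east = (-math.sin(lon), math.cos(lon), 0.0)
    north = (-math.sin(lat) * math.cos(lon),
             -math.sin(lat) * math.sin(lon),
             math.cos(lat))
    return east, north


def _dot(a, b):
    return sum(x * y for x, y in zip(a, b))


def doppler_hz(ac_lat, ac_lon, heading_deg, speed_mps,
               sat_lat, sat_lon, sat_ns_mps=0.0, ac_alt_m=10_000.0):
    """Doppler shift (Hz) of the aircraft's carrier as seen at the satellite.
    Positive means the aircraft is closing on the satellite.  sat_ns_mps is
    the satellite's north-south velocity (its station-keeping 'wobble')."""
    ac = ecef(ac_lat, ac_lon, R_EARTH + ac_alt_m)
    sat = ecef(sat_lat, sat_lon, R_GEO)
    east, north = local_frame(ac_lat, ac_lon)
    h = math.radians(heading_deg)
    # Aircraft velocity: heading measured clockwise from north.
    v_ac = tuple(speed_mps * (math.sin(h) * e + math.cos(h) * n)
                 for e, n in zip(east, north))
    _, sat_north = local_frame(sat_lat, sat_lon)
    v_sat = tuple(sat_ns_mps * n for n in sat_north)
    los = tuple(s - a for s, a in zip(sat, ac))      # aircraft -> satellite
    rng = math.sqrt(_dot(los, los))
    unit = tuple(x / rng for x in los)
    v_rel = tuple(a - s for a, s in zip(v_ac, v_sat))
    return F_CARRIER * _dot(v_rel, unit) / C


def mirror_pair(lat_deg, lon_deg, sat_lat, sat_lon, sat_ns_mps=0.0,
                speed_mps=250.0):
    """Doppler for a northbound aircraft at +lat and its mirror image,
    a southbound aircraft at -lat, under the same satellite."""
    north = doppler_hz(lat_deg, lon_deg, 0.0, speed_mps,
                       sat_lat, sat_lon, sat_ns_mps)
    south = doppler_hz(-lat_deg, lon_deg, 180.0, speed_mps,
                       sat_lat, sat_lon, sat_ns_mps)
    return north, south


if __name__ == "__main__":
    # Satellite assumed parked over the Indian Ocean at 64.5E (illustrative).
    ideal = mirror_pair(10.0, 100.0, 0.0, 64.5)
    drifting = mirror_pair(10.0, 100.0, 0.0, 64.5, sat_ns_mps=80.0)
    inclined = mirror_pair(10.0, 100.0, 1.5, 64.5)
    print("on the equator, no drift:  north=%.1f Hz  south=%.1f Hz" % ideal)
    print("drifting north at 80 m/s:  north=%.1f Hz  south=%.1f Hz" % drifting)
    print("parked 1.5 deg north:      north=%.1f Hz  south=%.1f Hz" % inclined)
```

The symmetry in the first case is exact: reflecting the geometry through the equatorial plane maps the northbound aircraft onto the southbound one and leaves an equatorial, motionless satellite untouched. Anything that breaks that reflection (the satellite's latitude or its north-south velocity) separates the two answers, so a forged BFO trail has to reproduce the satellite's actual ephemeris at every logged timestamp, not just the aircraft's.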
It turns out there's an airline that flies 777s equipped with Honeywell SDUs through that area quite often, and it subscribes to the cheapest level of Inmarsat service. It's called Malaysia Airlines.
So the special forces directorate activates some operatives they've had on standby, gets them up to speed, and puts them through training.
The team buys tickets on a flight that matches all the criteria, they pack up their special electronic boxes, and away they go. The plane takes off. Half an hour later, some tough-looking characters from economy class go forward to Business Class and start a ruckus. They say they want to move up. The flight attendants won't let them. While everyone's distracted, a Russian passenger sitting a dozen feet from the E/E bay hatch slips through it and plugs in his special computer.
The guys from economy class go back to their seats and, right at IGARI, the man in the electronics bay switches on his equipment and takes over the plane.
As we think about this scenario, a question naturally arises: Why would they target a flight that’s heading to the northeast, so that you have to do a turnback and fly through Malaysia military radar coverage?
As you’ll recall, we asked the same question about Zaharie three episodes ago. If he wanted to discreetly sneak off into the southern Indian Ocean, why would he commandeer a flight heading in the other direction?
One possibility is that the attackers wanted to make sure that they were seen absconding with the plane in order to frame the narrative, in the same way that the magician frames a trick by setting up an expectation that will later be subverted.
Thanks to the turnback, it would be obvious to investigators from the get-go that this wasn’t an accident; it would look very much like someone in the cockpit had stolen the plane. All of the evidence they accumulated after that would be viewed through that lens.
Now, back to our imaginary scenario. To make the plane vanish, the man in the E/E bay turns off all the electronic forms of communication, then steers the plane to the west and flies for an hour through Malaysian military radar coverage. Then, once the plane is out of radar range, he turns it north and turns the SDU back on, but it's not the real SDU, it's a spoof SDU. Off MH370 flies to the north, while its ghostly mirror image flies to the south.
MH370 has been stolen, and the investigators who later go searching for it will be convinced that the plane went south. In fact, they won't even be able to conceive of any other possibility, because in 2014 cyber hijacking is not a concept many people are familiar with. Routine GPS spoofing against civil aircraft is still years in the future, and very few people have heard of Iran's claim to have used cyber hijacking to take over a US drone.
So that’s my theory.
The things we had the hardest time explaining from the Zaharie murder/suicide perspective, namely the turnback and the reboot of the SDU, are necessary parts of this plan. And the bizarre diving and gliding and diving again that Zaharie would have had to do at the end never happened; it was just an artifact of the data spoofing.
In this scenario, the reason the plane was stolen was to serve as a distraction for the public, and maybe to show Western intelligence agencies how dangerous Russian special operations could be.
The reason this particular plane was targeted was that it had a rare combination of characteristics that would allow the attackers to carry out their idea: it was a 777 equipped with a Honeywell SDU, under the lowest level of Inmarsat subscription, with a starting point near the equator in the middle of the night and an escape route under a single wobbly satellite, with a mirror route that lay out over the open ocean.
For Captain Zaharie Shah and the other two hundred-odd passengers and crew, it was just a case of being in the wrong place at the wrong time.
In-flight upset of 9M-MRG (Malaysia Airlines Flight 124), Aug 2005. This is the only 777 ADIRU issue I could find; coincidence and/or informative?
Accident report:
https://www.atsb.gov.au/sites/default/files/media/24550/aair200503722_001.pdf
AD Aug/Sept 2005 - The NOT Fix
AD 2005-18-51 rolls back software updates 3470-HNC-100-04 to -07 to the old version:
"Install OPS, part number (P/N) 3470-HNC-100-03, in the air data inertial reference unit (ADIRU)" which will "reintroduce unsafe condition" "potential drift angle discrepancies on the primary flight display and the navigation display"
with this comment further down:
"We consider this AD interim action. The manufacturer is currently developing a modification that will address the unsafe condition identified in this AD (2005-18-51) and AD 2005-10-03. Once this modification is developed, approved, and available, we may consider additional rulemaking".
I can't find any more ADs or Service Bulletins regarding the 777 ADIRU from those in 2005 to now. I think I am correct in saying that the Operations Manual changed to make pilots aware of the issue and how to work around any problems that came up.
Then this Paper was produced : The Dangers of Failure Masking in Fault-Tolerant Software: Aspects of a Recent In-Flight Upset Event https://ntrs.nasa.gov/api/citations/20070034017/downloads/20070034017.pdf
It appears that accepting 'faulty' information and displaying erroneous heading data was still possible in 2014. Additionally, there were display screens blanking; a post-disappearance mention of this can be found here: https://www.federalregister.gov/documents/2014/10/01/2014-23231/airworthiness-directives-the-boeing-company-airplanes.
Could a combination of all of these known issues have overwhelmed the workload of the pilots causing them to struggle with controlling the plane and unable to go through checklists?