The recent much-publicised breach of the South African National Defence Force’s (SANDF) networks by the ‘Snatch’ ransomware team, in which they stole multiple terabytes of files and published them online, has thrown into sharp relief the need for strong cybersecurity practices for African militaries, especially as they adopt more digitised processes and products such as drones and command & control systems.
This piece will focus on the South African Air Force (SAAF) in particular and look more deeply at what the Snatch group’s breach implies for how the SAAF can and should keep its systems secure.
In this era of increasingly digitised and connected systems, and as avionics, navigation systems, and operational platforms increasingly rely on software and networked communication, cybersecurity becomes not just a box to be checked or a nice-to-have, but a critical and strategic capability, one where vulnerabilities can have catastrophic consequences.
Put simply, having all of your operational, communications, planning, and intelligence systems digitised and networked together brings massive advantages in efficiency, performance, speed of action, and a host of other areas, but it opens up a huge new vulnerability.
Shut down those systems or, worse, exploit them to feed them with false information, and you can grind an air force’s operations to a halt. Reverting to paper-based systems is not an option, or at least not one that can be executed in a hurry or while maintaining the same level of effectiveness. While it’s feasible to design these critical systems to operate in a degraded state (such as with jammed communications), it’s not practical to have fallback plans that go all the way back to analogue.
Let’s take a brief overview of the South African Air Force’s digital infrastructure, describing the main systems. Note that this will necessarily leave out a number of smaller systems; it’s not intended as a comprehensive list.
First, it’s important to understand how the SAAF’s network infrastructure is designed, which will also explain why the Snatch ransomware attack appears to have only captured administrative and office documents rather than more deeply classified information or access to key systems.
A standard practice for any extremely high security network, such as one that contains classified information, is segregation, either through complete physical air gaps between networks and systems or through partial air gaps and specialised firewalls that only allow one-way traffic of clear-text information.
The most common pattern for this, and one which has been codified in multiple international standards, is called the Red/Black concept. This divides an organisation’s networks into two main areas: Red networks, which contain classified information in plaintext, even if only temporarily while it is being worked on, and Black networks, which contain either unclassified/non-sensitive information or fully encrypted classified/sensitive information.
Specialised encryption software and devices ensure that clear-text data from the ‘Red’ side may either never reach any other network (if it’s sufficiently classified) or may only be transferred in a standardised encrypted form.
On top of this basic approach, organisations then layer additional security engineering elements such as access control, selective internet access, auditing, and so on.
The DoD/SANDF, and therefore by extension the SAAF, follow the same sort of pattern with three main categories of networks (and therefore file stores and similar):
- The intranet, with internal file stores, sites, and similar functionality and without internet access.
- ICENET, or the Internet Connected Executive NETwork, which is, as the name implies, connected to the internet, and which is primarily intended to host the official and unclassified emails for DoD personnel.
- A series of ‘Red’ classified networks segregated according to service and purpose, without any internet access and only reachable by specialised equipment with cryptographic hardware and software usually developed by South African companies like Nanoteq and Etion. The SAAF’s core operational systems are all in Red networks.
Ideally, you’d need entirely separate hardware to access all three. In practice, it’s not uncommon for computers to be given access to both the internet (via ICENET) and the intranet. But the same device never connects to both a Red network and the intranet or ICENET. Both the intranet and ICENET are largely maintained by SITA, the state-owned IT agency, with support from the SANDF’s CMIS (Command & Management Information Systems) division, whereas the various Red networks are largely maintained in-house by CMIS and service-specific units like OCAM (Operations Communications and Administration) in the SAAF.
The DoD has five main categories of information classification originally defined by the country’s Minimum Information Security Standards, namely: UNCLASSIFIED, RESTRICTED, CONFIDENTIAL, SECRET, and TOP SECRET.
UNCLASSIFIED was added primarily for press releases.
RESTRICTED is the lowest level of control and just means being cautious of how widely information is shared, but there are no serious controls.
CONFIDENTIAL information is a step up and is equivalent to what companies would consider to be ‘company confidential’ information. This would include most administrative issues, regular budgeting outside of the secret accounts, the personal information of DoD staff, office applications, administrative systems, and so on.
Those handling CONFIDENTIAL and RESTRICTED information need to be careful, but there are no formal document control mechanisms.
SECRET and TOP SECRET are another story: at least on paper, these documents and systems are meant to be strictly controlled, with strict limitations on how many copies of a document can exist, and they may only exist in plaintext or opened form on Red networks and computers or devices.
It’s believed that the Snatch ransomware group breached only computers and drive shares on ICENET and possibly the DoD intranet, which would explain why security researchers report that so far they are seeing almost exclusively RESTRICTED and CONFIDENTIAL documents.
That’s good news for the SAAF, as its most crucial operational systems are on Red networks. But the entire incident should be a serious wake-up call about the poor state of cybersecurity within the DoD, the over-reliance on SITA, and the long and unacceptable delays in setting up Cyber Command within Defence Intelligence.
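As an added illustration of the Red/Black segregation, device connectivity and classification rules set out above (example code, not anything from the SANDF or SAAF), the toy policy model below takes guard decisions, checks a device’s network profile and audits a constructed inventory of where documents sit. The domain labels, the choice of TOP SECRET as the “sufficiently classified” level that never crosses a guard, the treatment of Black-to-Red transfers as permitted, and the sample records are all assumptions.

```python
# Toy model of the Red/Black segregation and classification rules described above.
# Added example, not SANDF/SAAF code: the domain labels, the TOP SECRET threshold,
# the permitted Black-to-Red direction and the sample records are assumptions.
from collections import Counter

# Classification ladder from the Minimum Information Security Standards, low to high.
LEVELS = ["UNCLASSIFIED", "RESTRICTED", "CONFIDENTIAL", "SECRET", "TOP SECRET"]
RANK = {name: i for i, name in enumerate(LEVELS)}
BLACK = {"INTRANET", "ICENET"}          # unclassified or encrypted-only networks
RED_PREFIX = "RED-"                     # e.g. "RED-SAAF-OPS" (constructed label)
NEVER_LEAVES_RED = RANK["TOP SECRET"]   # assumed "sufficiently classified" threshold

def is_red(domain):
    return domain.startswith(RED_PREFIX)

def guard_decision(src, dst, classification, encrypted):
    """Should the guard between src and dst pass one item? Returns (allowed, reason)."""
    rank = RANK[classification]
    if is_red(src) and not is_red(dst):
        if rank >= NEVER_LEAVES_RED:
            return False, "sufficiently classified: never leaves the Red side"
        if not encrypted:
            return False, "clear-text Red data may only cross in encrypted form"
        return True, "encrypted Red data onto a Black network"
    if not is_red(dst) and rank >= RANK["SECRET"] and not encrypted:
        return False, "SECRET/TOP SECRET may exist in plaintext only on Red"
    return True, "permitted"   # includes Black-to-Red, assumed allowed (low to high)

def device_profile_ok(connected):
    """Intranet plus ICENET on one device is tolerated; Red plus any Black never is."""
    has_red = any(is_red(d) for d in connected)
    has_black = any(d in BLACK for d in connected)
    return not (has_red and has_black)

def audit_inventory(records):
    """records: (domain, classification, encrypted). Returns the per-level count of
    items on Black networks and the plaintext SECRET-or-higher items found there."""
    on_black = [r for r in records if r[0] in BLACK]
    counts = Counter(r[1] for r in on_black)
    violations = [r for r in on_black if RANK[r[1]] >= RANK["SECRET"] and not r[2]]
    return counts, violations

# Constructed inventory resembling what a compromise of the Black side could expose.
SAMPLE = [
    ("ICENET", "RESTRICTED", False), ("ICENET", "CONFIDENTIAL", False),
    ("INTRANET", "CONFIDENTIAL", False), ("INTRANET", "SECRET", False),
    ("RED-SAAF-OPS", "SECRET", False), ("ICENET", "SECRET", True),
]
```

Running `audit_inventory(SAMPLE)` shows the pattern the researchers describe (mostly RESTRICTED and CONFIDENTIAL on the Black side) and flags the one plaintext SECRET record on the intranet as a policy violation.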
With that explanation in place, let’s look at the SAAF’s core operational systems and the reasons why any breach of the networks containing them would be catastrophic.
The two most important tactical operations systems in the SAAF are the Ground Command and Control System (GCCS) and the Air Picture Display System (APDS), which together form the heart of all SAAF command and control.
GCCS is the mission planning and tasking system, providing the SAAF’s Command Posts with information on aircraft available for tasking at various squadrons and allowing them to send tasking orders to squadrons for the actual mission sorties. GCCS generates flight plans, assigns flight numbers and crews. It’s a sophisticated system, without which SAAF operations would pretty much grind to a halt while people tried to achieve the same through phone calls, HF signals, and faxes. APDS is, as the name implies, an integrated air command and control system that displays a tactical picture of the airspace over South Africa or any other deployed area, synthesising data from SAAF radars, SAAF aircraft transponders, and data feeds from civilian air traffic control.
Related to these two is the CURrent Intelligence System, or CURIS, which is networked to both and contains all tactical intelligence information, both historic and that being generated by ongoing sorties.
A breach of any one of these three would allow an attacker not only to disrupt SAAF operations by shutting them down, but, given sufficient sophistication and knowledge of their internal workings, to inject false data, presenting SAAF and SANDF commanders with a misleading picture. It’s sometimes said that the only thing worse than a non-functioning critical system is a semi-functioning one that you can no longer trust.
At the next level back, on the logistics side, is the Operational Support and Information System (OSIS), which manages the maintenance, sustainment, and support of all SAAF aircraft by tracking work done, work still to be done, spare parts inventories, maintenance bulletins, scheduling, and many other areas. OSIS is a little less vulnerable than the other systems owing to its decentralised design (each unit has its own instance, which can operate in offline mode and sync when possible) and the less urgent nature of its task, but it is still a risk.
Not listed, but in the same category as GCCS and APDS, are the type-specific mission planning systems, such as the Saab Mission Support System used by 85 Combat Flying School for the Gripen and Hawk fleets, which provide more specialist functionality and are linked with GCCS.
Moreover, the terrestrial networks aren’t the only area of vulnerability. Electronic Warfare is evolving from being merely a jamming and spoofing capability to one that makes use of vulnerabilities in signal processing software on aircraft, missiles, and other equipment to implant payloads into internal systems. Modern aircraft in particular are entirely controlled by software and ever more reliant on a single internal shared network that, although compartmentalised, still touches all the key operational systems.
So, although this approach is still in its earliest stages, the level of risk is much lower thanks to the high standards of avionics software, and there are no known instances of it being used in the real world, at current levels and rates of development it’s not impossible to imagine it becoming a reality in the near future. And it will be even more risky for air forces like the SAAF which lack the funding to keep updating their aircraft to the newest onboard systems software versions. For instance, the SAAF’s Gripen Cs and Ds remain on the MS19 standard, whereas all other operators are on MS20 and some are already on MS20 Block 2.
There is therefore a need for a full rethink of the SAAF’s information security strategies, linked to a broader SANDF-level shift. The threat level in this sphere is only going to increase and become more sophisticated, and the ever-increasing digitisation of military systems will make it harder rather than easier to defend against attackers.
As the huge and damaging Snatch breach has so powerfully shown, complacency is no longer an option.