The Suter Cyber Attack: Unveiling the Threat and Its Implications

The first instalment of this piece discussed the outcome and operational mysteries surrounding the Israeli Air Force's attack on the presumed Syrian nuclear facility on the Euphrates.

Although Israel declined comment on the raid, entities from the United States provided advice and conducted background monitoring of the raid, which employed information warfare techniques from two programmes: network-centric collaborative targeting (NCCT), which finds targets; and Senior Suter, a component of the highly classified Big Safari programme. Having already discussed NCCT in part I, we now turn to the actual Suter attack technology.

EXPLOIT IT WITH SUTER

Once NCCT localises and identifies the target, Senior Suter goes to work. The Suter technology enables USAF operators to invade enemy communications and computer networks, particularly those associated with integrated air defence systems, while preventing enemy operators from understanding or counteracting the exact nature of the invasion.

First, Suter pinpoints the antennas that are producing the emissions. The precision of this location step is not public, but a reasonable guess is that Suter shrinks the target zone initially calculated by NCCT by at least an order of magnitude, which implies tens of feet, if not single digits.

After pinpointing the target antennas, Suter then performs its real magic – beaming electronic pulses into the antennas that effectively corrupt, if not hijack, the processing systems that present the enemy operators with their physical picture of the battlefield.


Unlike classic jamming or EMP attacks, these data streams do not flood enemy electronics with excess ‘noise’ or power, but instead insert customised signals, including specialised algorithms and malware, into the vulnerable processing nodes.

Extending the malware analogy, network invaders can then propagate their 'e-tack' from network to network until they reach the target's communications loop. "Whether the network is wireless or wired doesn't matter anymore," says one expert.


Corruption of an ADS network does not involve actual control over the system or its components, but rather the insertion of misleading data. In conceptual terms, such false positives, including the fabrication of phantom targets and fake messages, are the most traditional form of corruption.

In contrast with WWII-style aluminium chaff or Cold War-style radar echo replication, which work on the radar's received waveform, Suter technology bypasses the radar's RF front end altogether and instead inserts false information into the late-stage signal-processing and communications functions.
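The corruption attack described in the preceding paragraphs works because a centralised picture compiler accepts whatever track reports arrive on the link. The following is an added example, not code from the article or from any real air-defence system: a deliberately invented track-report format, a naive hub that trusts every frame, and the same hub hardened with a per-node shared key (HMAC-SHA256) plus a strictly increasing sequence number. The node names, key material, coordinates and message layout are all constructed for illustration.

```python
"""
Added example (not from the article): phantom-track insertion against an
unauthenticated reporting link, beside the minimal check that stops it.
The message format, node names and keys below are invented for illustration.
"""
import hashlib
import hmac
import json

TAG_LEN = 32  # bytes of HMAC-SHA256 appended to each authenticated frame


def encode_track(node, seq, track_id, lat, lon, alt_m, speed_mps):
    """Hypothetical track report: which sensor node saw what, where and when."""
    return json.dumps({"node": node, "seq": seq, "track": track_id, "lat": lat,
                       "lon": lon, "alt": alt_m, "spd": speed_mps},
                      sort_keys=True).encode()


def sign(key, body):
    """Append an HMAC tag so the hub can verify origin and integrity of a frame."""
    return body + hmac.new(key, body, hashlib.sha256).digest()


class NaiveHub:
    """Centralised picture compiler that trusts anything that parses."""
    def __init__(self):
        self.picture = {}

    def ingest(self, frame):
        msg = json.loads(frame)
        self.picture[msg["track"]] = msg   # any node, any frame, no questions asked
        return True


class AuthenticatedHub:
    """Same compiler, but every node shares a key with the hub, each frame
    carries an HMAC tag, and per-node sequence numbers must strictly increase."""
    def __init__(self, node_keys):
        self.keys = node_keys
        self.last_seq = {n: -1 for n in node_keys}
        self.picture = {}
        self.rejected = []   # (reason, message) pairs, useful for detection

    def ingest(self, frame):
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        try:
            msg = json.loads(body)
        except ValueError:
            self.rejected.append(("malformed", frame))
            return False
        key = self.keys.get(msg.get("node"))
        if key is None:
            self.rejected.append(("unknown node", msg))
            return False
        expected = hmac.new(key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):   # constant-time comparison
            self.rejected.append(("bad tag", msg))
            return False
        if msg["seq"] <= self.last_seq[msg["node"]]:  # captured frame replayed
            self.rejected.append(("replay", msg))
            return False
        self.last_seq[msg["node"]] = msg["seq"]
        self.picture[msg["track"]] = msg
        return True


def scenario():
    """Run one legitimate report, one forged phantom, one replay and one
    report from a node the hub has never heard of, against both hubs."""
    key_r1 = b"node-R1-demo-key"                      # constructed, not real
    naive = NaiveHub()
    auth = AuthenticatedHub({"R1": key_r1})

    legit = encode_track("R1", 0, 101, 35.3, 40.1, 9000, 250)
    phantom = encode_track("R1", 1, 999, 35.9, 39.5, 8000, 240)  # attacker poses as R1
    stranger = encode_track("R9", 0, 998, 36.0, 38.0, 7000, 230)  # no such node

    # Unauthenticated link: the phantom lands in the picture next to the real track.
    naive.ingest(legit)
    naive.ingest(phantom)

    # Authenticated link: attacker lacks R1's key, and captured frames do not replay.
    signed_legit = sign(key_r1, legit)
    auth.ingest(signed_legit)
    auth.ingest(sign(b"attacker-guess", phantom))     # wrong key -> bad tag
    auth.ingest(signed_legit)                         # same seq again -> replay
    auth.ingest(sign(b"whatever", stranger))          # unknown node

    return {"naive": sorted(naive.picture), "auth": sorted(auth.picture),
            "reasons": [reason for reason, _ in auth.rejected]}


if __name__ == "__main__":
    print(scenario())
```

Origin authentication and freshness only defeat an outsider who injects frames onto the link; they do nothing against the hijacking case the article goes on to describe, in which the attacker is already acting as a trusted node. For that, the rejected list above is the useful artefact: a burst of bad-tag or replay rejections is the kind of signal an operator should be watching for, and plausibility checks on the tracks themselves (impossible speeds, tracks that appear only on one sensor) are the next layer.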

Hijacking an ADS network goes a step beyond corruption in that Suter operators can then act as replacement managers to control enemy radars, just as a co-pilot can take over from a captain and fly a plane. By steering the enemy sensors away from friendly aircraft, Suter operators can figuratively put blinders on the enemy operators. Consequently, friendly aircraft don’t even have to be stealthy because enemy sensors can’t scan to find them, like eyes that can focus but can’t rotate.

Whether Suter technicians can actually accomplish the hijacking task without alerting the enemy operators is, not surprisingly, a question that has no definitive answer, and moreover often seems to be suppressed. However, even if the operators know they’re being hijacked, regaining control of the system is not necessarily easy. The enemy’s problem is akin to playing a video game like Grand Theft Auto on a glitchy computer, except that the glitches are deliberate and occur so as to cause maximum disruption.

SUTER TASKS AND PLATFORMS

As with any cybernetic system, Suter has two generic parts: one for inserting input and one for monitoring output. Working with BAE Systems, the USAF used two programmatic blocks to develop these components, which basically operate through two specialised platforms.

Block one encompasses the output collection task. Technology from this block allows friendly operators to monitor what enemy radars see. By itself, this technology enables the USAF to measure the baseline capability of adversarial units in general and assess the specific impact of USAF countermeasures, from passive techniques such as terrain-masking flight profiles to active techniques such as Suter input.


The main platform for this collection task is the RC-135 Rivet Joint electronic surveillance aircraft. Rivet Joint is based on the venerable KC-135 strategic tanker airframe, designed for high altitudes, fast subsonic speeds, and long ranges or loiter times.

The highly modified R (for reconnaissance) platform can therefore carry aloft for extended periods the large quantities of gear necessary to perform passive monitoring.

Block two encompasses the input insertion task. Technology from this block allows friendly operators to seize control of enemy networks via complex algorithms, become de facto system managers, and thus physically manipulate enemy sensors. Such manipulation most likely involves control over the electronic steering of the beam produced by a non-rotating phased-array radar, but it might also involve mechanical shifts of the array panels away from bearings that would point toward friendly aircraft.

The main platform for this insertion task is the EC-130 Compass Call electronic attack aircraft. Compass Call is based on the equally venerable C-130 Hercules tactical cargo transport. Relative to Rivet Joint, Compass Call flies lower, slower and over shorter ranges, but this profile maximises the aiming precision of Compass Call's signal beams, which have to flood a critical area measured in metres from a distance of several kilometres – analogous to shooting someone exactly between the eyes from 80ft away.

Israel replicated the system architecture of blocks 1 and 2 when it deployed its two new Gulfstream G550 special mission aircraft models. The intelligence version monitors hostile signals traffic, while the surveillance version pumps out invasive data streams from onboard phased-array radars.

More recently, the Suter programme added a block 3, which focuses specifically on penetrating networks controlling time-critical and tactically elusive targets, such as mobile missile launchers. Block 3 does not add new tasks, but rather refines Suter technology to meet more stringent mission requirements.

DELIVERING THE PACKAGE: IF YOU CAN’T UNLOCK IT, SOCK IT

Although not part of the NCCT or Suter programmes as such, the USAF network attack package also includes the F-16CJ, which focuses on suppressing enemy air defences using traditional weapons, i.e. kinetic impactors and explosive munitions.


Should the Suter electronic attack fail, which could mean many things depending on mission parameters, the F-16CJ can electronically jam or destroy enemy radar and communications assets the old-fashioned way, using anti-radiation missiles or other precision-guided munitions (PGMs).

Of course, Compass Call could jam enemy radar too, but that would be equivalent to killing someone with a machine gun by using it as a club.

Also, to the extent that electronically foiling enemy air defences is just a way of creating unimpeded access to hostile airspace, the F-16CJ can fulfil the underlying mission by attacking the ultimate target with traditional weapons. For that matter, all F-16s retain the underlying dogfighting capabilities of the original Falcon version, in case hostile air defences actually include fighter aircraft.

In most cases, however, F-15 aircraft would undertake the primary air superiority task. Later Eagle models, most notably the F-15E, also have sophisticated ground attack capabilities, so either the Falcons or Eagles can execute attacks on the terminal ground target.

PUTTING IT ALL TOGETHER

In executing the 6 September 2007 raid, the IAF apparently used many of the offensive options mentioned above. According to US observers, the strike force used some traditional jamming, which is still an important means of defeating air defence systems.

The penetration of the Syrian ADS network involved both corrupting attacks, probably as part of the initial penetration at Tall Abyad and to clear the flight path from there to Dayr az-Zawr, and hijacking of the broader system through viral propagation across the computer network. The strike force used traditional kinetic attacks against some of the Syrian assets at Tall Abyad, and obviously destroyed the ultimate target at Dayr az-Zawr with explosive munitions.

Given that this raid was, at least officially, the first of its kind against a sovereign nation with comprehensive air defences, Israel prudently provided some indirect support for the raid in real time.

According to one intelligence source, Israel used network attack techniques to perform ‘higher-level, non-tactical penetrations, either directly or as diversions and spoofs, of the [wider] Syrian command-and-control capability’. Whether Israel conducted these penetrations using the NCCT / Suter package, other military means, Mossad-style clandestine operations, or even pure civilian ‘geek-style’ hacking is unknown.


Israel's pre-strike preparation should not be ignored. In particular, Israel launched the IAI-built Ofek-7 reconnaissance satellite, which gives Israeli intelligence specialists site and system mapping capability of unprecedented accuracy, in June 2007 – roughly three months before the raid.

Moreover, since as long ago as the Bekaa Valley engagements of 1982, Israel has used unmanned drones to provoke Syrian surface-to-air missile (SAM) systems into 'lighting up' and thus revealing their emissions signatures to lurking sensor platforms, such as Rivet Joint.

Regarding the direct strike, though, the NCCT / Suter package was remarkably pure. Israel apparently did not attack Syria's electrical grid, unlike the US attacks on Belgrade during the Balkan conflict. Nor, evidently, was the raid supported by spec-ops ground actions or UAV deployments.

In fact, a key factor in the success of the raid was probably the architecture of the Syrian ADS itself. Although the Syrian ADS is extensive in all respects, the quality of the systems deployed is uneven.

More importantly, Syria's ADS network is centralised, which is an invitation to disaster in the absence of any internal firewall or segmentation: data accepted at one node propagates to every consumer of the shared picture. Also, Syria's ADS communicates on dedicated frequencies, which implies that IAF operators knew exactly where, when and how to find it on the radio dial – even before the raid started.