WeChat official account: 业务连续性+

Abridged Chinese Translation of the U.S. National Planning Scenarios (2006): Scenario 15: Cyber Attack

Foreword: Scenario construction has in recent years become one of the hottest professional methods in the field of public safety management. It provides indispensable support and guidance for a whole series of emergency management practices, including emergency preparedness planning, emergency plan management, and emergency training and exercises, and it is also of great significance for corporate emergency, continuity and crisis management. To study scenario-construction methods and to advance an enterprise-level scenario-construction project, in March of this year I organized a volunteer translation group (member recruitment link: https://mp.weixin.qq.com/s/Ua-JgZUIUY4xHEbsN8qiXQ) to translate some of the main scenario-construction materials. Around July, the group members sent me their draft translations one after another; I will finish reviewing and proofreading these materials shortly and publish them on this account in sequence.

Liu Tiemin, in his paper 《重大突发事件情景规划与构建研究》 (Research on Scenario Planning and Construction for Major Emergencies), notes that for the U.S. National Planning Scenarios (2006) the Department of Homeland Security organized nearly 1,500 emergency management officials and scientists from universities and research institutes. Over more than a year of investigation, they carefully reviewed typical cases of major emergencies that had previously occurred in the United States and other countries and, in particular, systematically analyzed and assessed the risk of major emergencies that might occur in the future, summarizing and consolidating the possible initial sources, severity of damage, scope, complexity and long-term potential impact of such events. After repeated rounds of review and revision, they identified 15 major-emergency scenarios as the most serious risks and challenges facing the United States, and these scenarios were designated the highest-priority response targets of the national preparedness strategy. To emphasize guidance for emergency plan development, the 15 scenarios were further integrated into 8 key scenario groups sharing common characteristics (see the table below), so that the focus of emergency preparedness is sharper.

| Key Scenario Group | National Planning Scenario |
|---|---|
| 1. Explosives Attack – Bombing Using Improvised Explosive Devices | Scenario 12: Explosives Attack – Bombing Using Improvised Explosive Devices |
| 2. Nuclear Attack | Scenario 1: Nuclear Detonation – Improvised Nuclear Device |
| 3. Radiological Attack – Radiological Dispersal Device | Scenario 11: Radiological Attack – Radiological Dispersal Device |
| 4. Biological Attack – with annexes for different pathogens | Scenario 2: Biological Attack – Aerosol Anthrax; Scenario 4: Biological Attack; Scenario 13: Biological Attack – Food Contamination; Scenario 14: Biological Attack – Skin Disease with Surface Lesions |
| 5. Chemical Attack – with annexes for different agents | Scenario 5: Chemical Attack; Scenario 6: Chemical Attack – Toxic Industrial Chemicals; Scenario 7: Chemical Attack – Nerve Agent; Scenario 8: Chemical Attack – Chlorine Tank Explosion |
| 6. Natural Disaster – with annexes for different hazards | Scenario 9: Natural Disaster – Major Earthquake; Scenario 10: Natural Disaster – Major Hurricane |
| 7. Computer Network Attack | Scenario 15: Cyber Attack |
| 8. Pandemic Influenza | Scenario 3: Biological Disease Outbreak – Pandemic Influenza |

This article is the "Scenario 15: Cyber Attack" part of the abridged Chinese translation of the U.S. National Planning Scenarios (2006). I translated, reviewed and finalized the text below; if you have comments or suggested corrections, please leave me a message.

王曙 (kevinwang), 2024.12.05


Scenario 15: Cyber Attack

| Item | Description |
|---|---|
| Casualties | None directly |
| Infrastructure Damage | Cyber |
| Evacuations/Displaced Persons | None |
| Contamination | None |
| Economic Impact | Hundreds of millions of dollars |
| Potential for Multiple Events | Yes |
| Recovery Timeline | Months |

15.1 Scenario Overview:

15.1.1 General Description —

This scenario illustrates that an organized attack by the Universal Adversary (UA) can disrupt a wide variety of internet-related services and undermine the Nation's confidence in the internet, leading to economic harm for the United States. In this scenario, the UA conducts cyber attacks against critical infrastructures reliant upon the internet by using a sophisticated command and control (C2) network built over a long period of time.

15.1.2 Detailed Scenario —

The UA seeks to cause internal, untraceable disruptions in the United States to distract the populace and decision makers for months. The UA believes a cyber attack can effectively meet the goals of information extraction while undermining user confidence in the internet. Disrupting the underlying internet infrastructure will have significant economic impact by severely reducing the public's confidence in the U.S. financial infrastructure and affecting online banking, e-commerce, and other internet-based services.

The UA has spent several years assembling a joint military and intelligence team. This team includes groups that discover and exploit computer vulnerabilities, create attacks related to those discoveries, conduct reconnaissance and battle damage assessments, and conduct actual cyber operations. The primary target is the confidence of the American people.

The attack campaign is conducted in three phases.

Phase 1 – Attack Preparation
**Objective:** Construct an attack network with underlying encrypted C2 mechanisms with which to launch future attacks. This phase will begin about 2 years prior to the D-Day event and continue until approximately 1 week prior to it. It will continue until several hundred thousand bots are populated in the attack network.

Event 1.1: Deploy mole software
**Attack Mechanism:** Write a personal firewall and distribute it via a trusted computer security software provider, such as ZoneAlarm. The software would include an auto-update function. With auto-update, the software can be morphed on command but will appear benign to anyone initially inspecting and approving it. Even on well-run systems, people rarely check old software. The auto-update function will check whether it is time to start the attack, or just get the latest version. When conducting auto-updates, the software will only connect to known addresses and servers, reserving communications with the botnet until it is time for the actual attack. When loaded onto a victim's computer, the software will participate in the botnet.

Event 1.2: Design and build a bot
**Attack Mechanism:** Write a bot to scan and deploy using a wide variety of vulnerabilities as they are identified. (Vulnerabilities and the ability to exploit them have a very short life span relative to a 2-year planning cycle.) The bot will communicate using the same C2 technology as the mole software but will not do so until it is time to launch the attack.

Event 1.3: Trading and bartering
**Attack Mechanism:** The internet underground has its own culture for trading and bartering for almost anything, including compromised systems. Compromised hosts (including routers) will be acquired from the underground, and the new bot will be installed. The hosts will also be repaired to prevent other unwanted infiltration.

Event 1.4: Build the C2 network using traditional, widely available tools and techniques
**Attack Mechanism:** Use traditional scanning and probing techniques in addition to the newly created tools to build the C2 network and botnet.
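A defender-side check for Event 1.1, added here as an example that is not part of the DHS scenario or of the translation: the mole updater depends on nobody re-examining software that was approved once, so the useful control is to keep the baseline recorded at approval time (the reviewed binary's hash and the update hosts it was seen to contact) and to audit endpoint telemetry against it. Both a changed binary and a new outbound destination are reported on first sighting. The manifest, the telemetry line format, the process name `pfw-agent` and every hash and address below are constructed assumptions, not fields of any real product.

```python
"""Audit a self-updating agent against the baseline approved at install time.

Added example, not part of the DHS scenario text. It assumes two constructed
inputs: an approved-software manifest (expected binary hash and the hosts the
updater is allowed to contact) and an endpoint telemetry log with lines of the
form
    <timestamp> <process> <sha256-prefix-of-binary> <destination>:<port>
Both formats are invented here; real EDR or proxy telemetry fields will differ.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Baseline:
    sha256: str                # hash of the reviewed binary
    allowed_hosts: frozenset   # update servers approved at review time


# Constructed manifest for a hypothetical personal-firewall agent.
MANIFEST = {
    "pfw-agent": Baseline(
        sha256="1111aaaa",  # placeholder; a real manifest holds the full digest
        allowed_hosts=frozenset({"updates.vendor.example"}),
    ),
}

# Constructed telemetry: routine updates, then the binary changes and the
# agent starts talking to addresses that were never in its baseline, followed
# by a process that is not in the manifest at all.
TELEMETRY = """\
2024-12-01T02:00:01Z pfw-agent 1111aaaa updates.vendor.example:443
2024-12-03T02:00:02Z pfw-agent 1111aaaa updates.vendor.example:443
2024-12-05T02:00:01Z pfw-agent 2222bbbb updates.vendor.example:443
2024-12-05T02:00:09Z pfw-agent 2222bbbb 203.0.113.7:8443
2024-12-05T02:00:10Z pfw-agent 2222bbbb 198.51.100.23:8443
2024-12-05T02:00:11Z pfw-agent 2222bbbb 198.51.100.23:8443
2024-12-05T02:00:12Z unknown-svc 3333cccc 198.51.100.23:8443
"""


def parse(line):
    """Split one telemetry line into (timestamp, process, digest, host, port)."""
    ts, proc, digest, dest = line.split()
    host, _, port = dest.rpartition(":")
    return ts, proc, digest, host, int(port)


def audit(telemetry, manifest):
    """Return findings as (kind, process, timestamp, detail) tuples.

    Each new hash and each unexpected destination is reported once per
    process, so a flood of connections does not bury the first sighting.
    """
    findings = []
    seen_hashes = {name: {b.sha256} for name, b in manifest.items()}
    seen_hosts = {name: set() for name in manifest}
    for line in telemetry.splitlines():
        ts, proc, digest, host, port = parse(line)
        base = manifest.get(proc)
        if base is None:
            findings.append(("unapproved_process", proc, ts, f"{host}:{port}"))
            continue
        if digest not in seen_hashes[proc]:
            # The binary on disk no longer matches what was reviewed.
            seen_hashes[proc].add(digest)
            findings.append(("binary_changed", proc, ts, digest))
        if host not in base.allowed_hosts and host not in seen_hosts[proc]:
            # The updater reached outside the destinations it was approved for.
            seen_hosts[proc].add(host)
            findings.append(("unexpected_destination", proc, ts, f"{host}:{port}"))
    return findings


if __name__ == "__main__":
    for finding in audit(TELEMETRY, MANIFEST):
        print(*finding)
```

The audit deliberately treats a changed hash as a finding even when the new version came from the approved update host: the scenario's whole point is that the approved channel delivers the morphed code, so a hash change is the moment to re-review rather than assume the vendor is still benign.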

Phase 2 – Overwhelm Network Security Personnel
**Objective:** The goal of this phase is to wear down the first-responder capabilities of the Internet Service Provider (ISP) community just prior to D-Day. The attacks will occur for 2 to 3 hours during periods when first responders are normally not at work (e.g., 2:00 a.m. or holidays). Attacks should repeat randomly across the ISP and core internet services community with the intent of demoralizing the first responders. These events will all take place in the last few days before D-Day.

Event 2.1: Forge Address Resolution Protocol (ARP) replies
**Attack Mechanism:** Forge ARP replies with random Internet Protocol (IP) and MAC address information (the original text expands MAC as "Mandatory Access Control"; in ARP the MAC is the Media Access Control address). This is done using the widely deployed zombies. Poison ARP caches, causing failures that are very difficult to trace and troubleshoot.

Event 2.2: Undermine Dynamic Host Configuration Protocol (DHCP)
**Attack Mechanism:** Randomly generate DHCP release requests on behalf of other systems on networks that have zombies deployed. Randomly generate DHCP requests with the intent of consuming network addresses. This will cause local system and network administrators to spend valuable time tracking down problems on local networks.
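The two Phase 2 nuisances are short-lived by design, so the detection that helps an on-call responder is one that runs over switch and DHCP-server events after the fact and names the symptom. The example below is added here and is not part of the DHS scenario or of the translation; it flags an IP whose claimed MAC flip-flops within a short window (Event 2.1), a RELEASE sent by a MAC that does not hold the lease, and a burst of DISCOVERs from many distinct MACs that would drain the pool (Event 2.2). The log line format, the lease table and every address are constructed for the example.

```python
"""Detect the two Phase 2 nuisance attacks in a constructed event log:
ARP cache poisoning (one IP claimed by alternating MACs) and DHCP abuse
(spoofed RELEASEs plus DISCOVER floods that exhaust the address pool).

Added example, not part of the DHS scenario text. The log format, the
lease table and all addresses are constructed for this example.
"""
import re
from collections import deque
from datetime import datetime, timedelta

ARP_RE = re.compile(r"^(\S+) ARP reply (\S+) is-at ([0-9a-f:]{17})$", re.I)
DHCP_RE = re.compile(
    r"^(\S+) DHCP (DISCOVER|RELEASE) ([0-9a-f:]{17})(?: ip (\S+))?$", re.I)

# Constructed lease table: which MAC legitimately holds each address.
LEASES = {"192.0.2.20": "00:00:5e:00:53:20"}

# Constructed log: the gateway's MAC flip-flops, a RELEASE is sent for a
# lease the sender does not own, then six DISCOVERs arrive within 2 seconds.
LOG = """\
2024-12-10T02:00:00Z ARP reply 192.0.2.1 is-at 00:00:5e:00:53:01
2024-12-10T02:00:05Z ARP reply 192.0.2.1 is-at 00:00:5e:00:53:99
2024-12-10T02:00:06Z ARP reply 192.0.2.1 is-at 00:00:5e:00:53:01
2024-12-10T02:00:07Z ARP reply 192.0.2.1 is-at 00:00:5e:00:53:99
2024-12-10T02:01:00Z DHCP RELEASE 00:00:5e:00:53:42 ip 192.0.2.20
2024-12-10T02:01:01Z DHCP DISCOVER 02:11:11:11:11:01
2024-12-10T02:01:01Z DHCP DISCOVER 02:11:11:11:11:02
2024-12-10T02:01:02Z DHCP DISCOVER 02:11:11:11:11:03
2024-12-10T02:01:02Z DHCP DISCOVER 02:11:11:11:11:04
2024-12-10T02:01:03Z DHCP DISCOVER 02:11:11:11:11:05
2024-12-10T02:01:03Z DHCP DISCOVER 02:11:11:11:11:06
"""


def _ts(text):
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def arp_flipflops(lines, window_s=60):
    """Alert whenever an IP's claimed MAC changes within window_s seconds of
    the previous claim. Real hosts rarely swap NICs; poisoning does it constantly.
    Returns (timestamp, ip, previous_mac, new_mac) tuples."""
    last = {}      # ip -> (mac, datetime) of the most recent reply
    alerts = []
    for line in lines:
        m = ARP_RE.match(line)
        if not m:
            continue
        ts, ip, mac = _ts(m[1]), m[2], m[3].lower()
        prev = last.get(ip)
        if prev and prev[0] != mac and ts - prev[1] <= timedelta(seconds=window_s):
            alerts.append((m[1], ip, prev[0], mac))
        last[ip] = (mac, ts)
    return alerts


def dhcp_anomalies(lines, leases, window_s=10, threshold=5):
    """Return (spoofed_releases, peak, exhausted).

    spoofed_releases: (timestamp, ip, mac) for RELEASEs whose sender does not
      hold the lease according to the server's lease table.
    peak: (timestamp, distinct_macs) for the busiest window_s-second window of
      DISCOVERs; exhausted is True when that count reaches threshold.
    """
    spoofed = []
    recent = deque()   # (datetime, mac) of DISCOVERs inside the sliding window
    peak = (None, 0)
    for line in lines:
        m = DHCP_RE.match(line)
        if not m:
            continue
        ts, kind, mac, ip = _ts(m[1]), m[2].upper(), m[3].lower(), m[4]
        if kind == "RELEASE":
            if leases.get(ip) != mac:
                spoofed.append((m[1], ip, mac))
            continue
        recent.append((ts, mac))
        while ts - recent[0][0] > timedelta(seconds=window_s):
            recent.popleft()
        distinct = len({entry[1] for entry in recent})
        if distinct > peak[1]:
            peak = (m[1], distinct)
    return spoofed, peak, peak[1] >= threshold


if __name__ == "__main__":
    lines = LOG.splitlines()
    print("ARP flip-flops:", arp_flipflops(lines))
    print("DHCP anomalies:", dhcp_anomalies(lines, LEASES))
```

The thresholds are deliberately parameters: a 60-second ARP window and five distinct DISCOVER sources in ten seconds suit a small office segment, while a campus segment with roaming clients needs higher values before a DISCOVER burst means anything. Dynamic ARP inspection and DHCP snooping on the access switches prevent both symptoms outright; this script is for the segments that do not have them yet.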

Phase 3 – Massive Network Outages
**Objective:** Attack major internet services to undermine consumer and government confidence in the functionality of the internet. This phase will also last only days.

Event 3.1: Attack DNS functionality
**Attack Mechanism:** Conduct Distributed Denial of Service (DDoS) attacks against the websites and their upstream providers. These attacks will use zombies from both inside and outside organizations. Unleash the botnet built over the past 2 years in a massive DDoS attack.

15.2 Planning Considerations:

15.2.1 Geographical Considerations/Description —

The problems are experienced across the Country, as well as internationally. Overseas trade could be affected due to mistrust in the U.S. internet infrastructure and the problematic U.S. economy.

15.2.2 Timeline/Event Dynamics —

A year or two is needed for preparation. The attack is executed over a period of months to ensure extended press coverage and undermine confidence in the internet.

15.2.3 Assumptions —

Initial reconnaissance is either undetected or detected but not effectively acted upon. The UA can avoid tipping off U.S. intelligence by using U.S.-based hosting companies as it gathers resources for the attack. C2 issues of timing several nearly simultaneous attacks can be worked out by the UA's organizational structure.

15.2.4 Mission Areas Activated —

15.2.4.1 Prevention/Deterrence: The strength of private sector companies will be tested in regard to prevention and deterrence.

15.2.4.2 Infrastructure Protection: Although physical infrastructure is not at great risk, internet software deteriorates, and numerous systems must be repaired. This requires software expertise, time, and money to correct. If not already impacted, numerous systems would have to shut down.

15.2.4.3 Emergency Assessment/Diagnosis: The attack will be difficult to recognize. Each attack will end before anyone would have enough time to completely diagnose the problem.

15.2.4.4 Emergency Management/Response: Emergency response will be split between technically bringing systems back online and instituting business continuity processes, and controlling the public perception of the situation to restore confidence and prevent panicky behaviors.

15.2.4.5 Hazard Mitigation: All ISPs, Domain Name Server/System (DNS) operators, and other organizations will need to evaluate their network topologies, diversity, integrity of backup processes, and other methods of attack prevention. Companies will also have to consider methods to improve first-responder capabilities.

15.2.4.6 Victim Care: Primarily, victim "care" will be based on economic assurance. Citizens will look for Government assurances that the internet is a stable and viable method for conducting business and other financial operations.

15.2.4.7 Investigation/Apprehension: Using intelligence and law enforcement sources and methods, the investigators will need to determine the likely technical source and the identity of the perpetrators.

15.3 Implications:

15.3.1 Fatalities/Injuries —

No significant fatalities or injuries are expected, although collateral effects (e.g., involving hospitals, emergency services responses, and control systems) may have limited fatal consequences.

15.3.2 Property Damage —

No property damage is expected, although those control systems that are dual-homed may cause physical damage.

15.3.3 Service Disruption —

Service disruption would occur across many sectors, with possible loss of confidence in the internet and the services offered over it, such as online banking and e-commerce.

15.3.4 Economic Impact —

The greatest impact will be intermittent and unpredictable disruptions to the internet, which will affect online banking, other e-commerce services, and general public confidence.