Russia is Targeting Cyber Attacks at American Critical Infrastructure

TNW reports on official statements by both the Federal Bureau of Investigation (FBI) and the Department of Homeland Security (DHS) in a recently released report, detailing how Russian nation-state actors are directing cyber attacks at American critical infrastructure operators:

FBI and DHS officials pinpointed two distinct categories of victims: staging and intended targets. For the initial attack, hackers often infiltrated trusted third-party suppliers for their intended marks. Knowing these targets often relied on less-secure networks than their final victim, the threat actors used them as a sort of trojan horse to plant malware that was actually intended for a much bigger target. These were then used as pivot points to activate the planted malware for use in compromising larger, more-secure networks.

Today’s report didn’t reveal who these marks were, at least not specifically. It did state, however, that the attacked locations were “small commercial facilities” and that these were coordinated and targeted, not random. These also happen to be some of the most vulnerable facilities to these types of attacks, with some running systems first deployed over a decade ago.

Accompanying the allegations today were new sanctions on Russia. The sanctions target at least three organizations and 13 individuals. Of those, perhaps the most recognizable is the Internet Research Agency, the so-called “troll farm” responsible for wreaking havoc on the 2016 Presidential election through its use of Facebook ads designed to exploit divisions in American politics.

This is not anything new. Russia, and other nation state actors, have been probing US critical infrastructure, specifically the electric power industry, for years. Think about it – the US relies on computers, networks, and other technologies to conduct day-to-day work.

All of these devices require electricity to operate. That is the common denominator. Take out the electric power plants, and the nation that did so now has the upper hand in a kinetic attack.

This is not rocket science. It is why the electric power industry is one of the specifically named US critical infrastructure sectors. It is also why the industry needs to be proactive not only in securing its IT and OT assets, but also in maintaining strong situational awareness and a detection and alerting strategy.

If an organization has no eyes on the network, they could be under attack and never know it until the lights go out. Literally and figuratively.

Cyber Attack on Saudi Arabia Petrochemical Plant Appears to Have Been Designed to be Deadly

The New York Times has an interesting story about a cyber attack against a petrochemical plant in Saudi Arabia seemingly meant to sabotage its operations and potentially trigger an explosion:

A team at Schneider Electric, which made the industrial systems that were targeted, called Triconex safety controllers, is also looking into the attack, the people who spoke to The Times said. So are the National Security Agency, the F.B.I., the Department of Homeland Security and the Pentagon’s Defense Advanced Research Projects Agency, which has been supporting research into forensic tools designed to assist hacking investigations.

All of the investigators believe the attack was most likely intended to cause an explosion that would have killed people. In the last few years, explosions at petrochemical plants in China and Mexico — though not triggered by hackers — have killed several employees, injured hundreds and forced evacuations of surrounding communities.

What worries investigators and intelligence analysts the most is that the attackers compromised Schneider’s Triconex controllers, which keep equipment operating safely by performing tasks like regulating voltage, pressure and temperatures. Those controllers are used in about 18,000 plants around the world, including nuclear and water treatment facilities, oil and gas refineries, and chemical plants.

“If attackers developed a technique against Schneider equipment in Saudi Arabia, they could very well deploy the same technique here in the United States,” said James A. Lewis, a cybersecurity expert at the Center for Strategic and International Studies, a Washington think tank.

Schneider Electric has apparently designed their Triconex safety controllers to only be modified with physical contact, not via network-based interfaces. So if this is in fact the true design, then why would there be any worry of a potential physical explosion? No malware should be able to send a command to modify the Triconex system unless there is a missing link.

It is possible the attackers have studied Triconex so well, they were able to locate a bug Schneider Electric is unaware of, which could force other components to receive commands which would affect the safety controllers. If this is the case, then the culprit is likely an extremely sophisticated actor backed by deep resources. There are only a limited number of nation states with these advanced capabilities and the funding to purchase expensive equipment like this for the sole purpose of bug hunting.

Security experts said Iran, China, Russia, the United States and Israel had the technical sophistication to launch such attacks. But most of those countries had no motivation to do so. China and Russia are increasingly making energy deals with Saudi Arabia, and Israel and the United States have moved to cooperate with the kingdom against Iran.

That leaves Iran, which experts said had a growing military hacking program, although the Iranian government has denied any involvement in such attacks.

Tensions between Iran and Saudi Arabia have steadily escalated in recent years, and the conflict has drifted online.

Iran is the nation state with arguably the strongest reason to want to physically attack Saudi Arabia. Using this type of cyber attack to cause such damage would make attribution exceedingly difficult; with no conclusive evidence to support any claims, chances are no public pronouncement of responsibility would ever be made.

So how did the hackers get in? Investigators found an odd digital file in a computer at an engineering workstation that looked like a legitimate part of the Schneider controllers but was designed to sabotage the system. Investigators will not say how it got there, but they do not believe it was an inside job. This was the first time these systems were sabotaged remotely.

The only thing that prevented significant damage was a bug in the attackers’ computer code that inadvertently shut down the plant’s production systems.

You can bet the attackers will not make the same mistake twice, assuming their actual intent was to cause physical disruption.

Russian Criminals Targeting Cyber Attacks at Russian-Owned Banks

The Financial Times reports Russian criminals have been targeting cyber attacks at Russian-owned banks and are making a decent profit:

In Russia, however, the scourge of its hackers is fast becoming a problem for the country’s own businesses.

Russia was one of the countries worst affected by the WannaCry attack last year. Even though the US and UK have blamed the Kremlin for using the NotPetya attack a few months later to target Ukraine, Russian companies such as Rosneft, state-run oil giant, were also affected.

Most vulnerable, however, are Russia’s banks. Hackers used the Cobalt Strike security-testing tool to steal more than $17m from more than 240 Russian banks in 2017, according to the central bank. In the past few months, hackers used the Swift payment system to steal $6m from an unnamed bank and tried to steal nearly $1m from state-owned Globex.

Russia is now keen to change the perception of the country as a hacker’s paradise by showing that it, too, is trying to clamp down on cyber threats.

No honor among thieves indeed.

Trump Administration Hits Russian Spies, Trolls with Sanctions over US Election Interference, Cyber Attacks

The Washington Post is reporting the Trump Administration finally implemented sanctions previously passed by Congress, focusing on the spying, propaganda, and cyber attacks during the 2016 US Presidential election:

The Trump administration on Thursday imposed fresh sanctions on Russian government hackers and spy agencies to punish Moscow for interfering in the 2016 presidential election and for a cyberattack against Ukraine and other countries last year that officials have characterized as “the most destructive and costly” in history.

Sanctions also were imposed on individuals known as “trolls” and the Russian organizations — including the Internet Research Agency — that supported their efforts to undermine the election. Additionally, the administration alerted the public that Russia is targeting the U.S. energy grid with computer malware that could sabotage its systems.

Taken together, the moves represent the administration’s most aggressive actions to date against Russia for its incursions against the United States, though analysts say their impact is mostly symbolic and noted that a number of the individuals and groups had already been subject to sanctions. Nonetheless, officials hope the actions will help deter tampering with this year’s midterm elections while signaling to Russia that Washington will not allow its attacks to go unchallenged.

Although the administration imposed sanctions, I have yet to hear Trump categorically state his belief the Russians were involved in election tampering. I consider that quite peculiar.

WeChat Joins List of Chinese Technology Banned by Overseas Militaries on Security Worries

CNBC reports on Australia’s Department of Defense prohibiting the popular Chinese chat app WeChat from being used on its network assets:

Messaging and e-payment app WeChat has become the latest Chinese technology to be banned by an overseas military on security grounds, with Australia instructing its armed forces not to use it.

The country’s defence department said the service did not meet its standards, although it did not directly link the ban to security concerns.

“Software and applications that do not meet Defence standards will not be authorised for use on Defence networks and mobile devices,” the country’s defence department said in an email statement. “Defence has a strict policy concerning the use of social media on its networks and mobile devices. Defence allows very few applications on Defence mobile devices. WeChat has not been authorised for use.”

Australia is part of the Five Eyes, so it should come as no surprise to see them banning Chinese internet technology. It simply boils down to a matter of trust, and it is hard to have any when China is wreaking havoc all over the world, even if they have been a bit quiet lately.

What are the Cyber Security Threats at Sea?

The Maritime Executive has a decent article detailing cyber threats to ships while underway:

In 2017, I.H.S. Fairplay conducted a maritime cyber security survey, to which 284 people responded. 34 percent of them said that their company had experienced a cyber attack in the previous 12 months. Of those attacks, the majority were ransomware and phishing incidents; exactly the same sort of incidents affecting companies everywhere, and not at all specific to the maritime world.

The good news is that only 30 percent of those responding to the survey had no appointed information security manager or department, meaning that the majority of companies have a resource able to respond and mitigate any attack.

However, the survey did reveal that there are still a lot of employees who have not received cyber awareness training of any kind, which means the shipping industry must try harder, for its own security.

Additionally, only 66 percent of those questioned said that their company had an IT security policy, which is a serious cause for concern; IT security cannot be approached on an ad hoc, incident by incident basis. It’s the security equivalent of plugging holes in a hull with cardboard.

To underline that, 47 percent of those questioned believed that their organization’s biggest cyber vulnerability was the staff. Hardly a glowing endorsement but, if you don’t train your staff to be aware of threats, it’s not surprising.

Cyber security absolutely starts with awareness training. If employees have no clue about cyber security and there is no company culture that takes it seriously, then the organization is almost guaranteed to be breached, even by amateur hackers, let alone the more sophisticated types.

‘Highly Advanced’ Slingshot Malware Used for Espionage has Remained Hidden for Six Years

iTnews reports Slingshot, a highly advanced malware, has remained hidden for six years and was just recently discovered:

They were unable to pinpoint how Slingshot infected all of its targets, however in several cases the malware’s operators targeted routers and used them as a springboard to attack computers within a network.

“The initial loader replaces the victim’s legitimate Windows library ‘scesrv.dll’ with a malicious one of exactly the same size. Not only that, it interacts with several other modules including a ring-0 loader, kernel-mode network sniffer, own base-independent packer, and virtual filesystem, among others,” Kaspersky Lab reported.

“While for most victims the infection vector for Slingshot remains unknown, we were able to find several cases where the attackers got access to Mikrotik routers and placed a component downloaded by Winbox Loader, a management suite for Mikrotik routers. In turn, this infected the administrator of the router.”

Slingshot likely used other methods – like zero-day vulnerabilities – to attack targets, Kaspersky Lab said.

After infection Slingshot downloads a variety of additional modules onto the victim device. The two most powerful modules – GollumApp and Cahnadr – are connected and can support each other in gathering data.

Slingshot appears targeted towards espionage; Kaspersky Lab said the malware was used to log desktop activity, steal data from the clipboard, and collect information about open windows, keyboard data, and network data, among other things.

Considering Slingshot is targeting espionage, it may be backed by nation-state actors. Now the question is: which nation state stands to benefit from spying on, and exfiltrating data from, the thus-far identified victims in the Middle East and Africa since 2012?

One local sophisticated player comes to mind: Iran.
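The Kaspersky excerpt above notes that the Slingshot loader swaps scesrv.dll for a malicious file of exactly the same size. As an added example (not code from the article or from Kaspersky Lab), the following Python shows why a size-only integrity check passes such a swap while a baseline of SHA-256 hashes catches it; the directory layout, file names and byte contents are constructed for the demonstration.

```python
from __future__ import annotations

import hashlib
import os
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class Baseline:
    """Known-good record for one file: byte length and SHA-256 of its contents."""
    size: int
    sha256: str


def sha256_of(path: str) -> str:
    """Hash a file in chunks so large libraries need not be read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def baseline_of(path: str) -> Baseline:
    """Record size and hash of a file believed to be genuine (e.g. from a clean install)."""
    return Baseline(size=os.path.getsize(path), sha256=sha256_of(path))


def size_only_check(path: str, baseline: Baseline) -> bool:
    """The weak check: passes as long as the byte length still matches."""
    return os.path.isfile(path) and os.path.getsize(path) == baseline.size


def check_file(path: str, baseline: Baseline) -> str:
    """Return 'ok', 'missing', 'size_mismatch' or 'content_mismatch' for one file."""
    if not os.path.isfile(path):
        return "missing"
    if os.path.getsize(path) != baseline.size:
        return "size_mismatch"
    if sha256_of(path) != baseline.sha256:
        # Same length, different bytes: exactly the case a size-only comparison misses.
        return "content_mismatch"
    return "ok"


def check_tree(root: str, baselines: dict[str, Baseline]) -> dict[str, str]:
    """Check every baselined file under root; returns one status per relative path."""
    return {rel: check_file(os.path.join(root, rel), b) for rel, b in baselines.items()}


def demo() -> dict[str, object]:
    """Constructed scenario (not real DLL contents): a fake 'scesrv.dll' is baselined,
    then overwritten with different bytes of exactly the same length, then removed."""
    genuine = b"constructed genuine library bytes v1"
    swapped = b"constructed swapped library bytes v1"  # same length, different content
    assert len(genuine) == len(swapped)
    rel = os.path.join("System32", "scesrv.dll")
    with tempfile.TemporaryDirectory() as root:
        target = os.path.join(root, rel)
        os.makedirs(os.path.dirname(target))
        with open(target, "wb") as fh:
            fh.write(genuine)
        baselines = {rel: baseline_of(target)}   # taken while the file is still genuine
        before = check_tree(root, baselines)
        with open(target, "wb") as fh:            # the same-size replacement step
            fh.write(swapped)
        after = check_tree(root, baselines)
        size_only = size_only_check(target, baselines[rel])
        os.remove(target)
        removed = check_file(target, baselines[rel])
        return {
            "before": before[rel],          # "ok"
            "after": after[rel],            # "content_mismatch"
            "size_only_after": size_only,   # True: the weak check is fooled
            "removed": removed,             # "missing"
        }


if __name__ == "__main__":
    print(demo())
```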

Tim Berners-Lee Believes Tech Firms Need Regulation to Prevent “Weaponised” Web

The Guardian is reporting on the father of the Internet, Tim Berners-Lee, who believes technology firms need some form of regulation to attempt to prevent a “weaponised” web:

Berners-Lee, in an open letter to mark the 29th anniversary of his invention, said: “In recent years, we’ve seen conspiracy theories trend on social media platforms, fake Twitter and Facebook accounts stoke social tensions, external actors interfere in elections, and criminals steal troves of personal data.”

These problems have proliferated because of the concentration of power in the hands of a few platforms – including Facebook, Google, and Twitter – which “control which ideas and opinions are seen and shared”.

“What was once a rich selection of blogs and websites has been compressed under the powerful weight of a few dominant platforms,” said the 62-year-old British computer scientist.

These online gatekeepers can lock in their power by acquiring smaller rivals, buying up new innovations and hiring the industry’s top talent, making it harder for others to compete, he said.

Google now accounts for about 87% of online searches worldwide. Facebook has more than 2.2 billion monthly active users – more than 20 times more than MySpace at its peak. Together, the two companies (including their subsidiaries Instagram and YouTube) slurp up more than 60% of digital advertising spend worldwide.

On the one hand, he is absolutely correct. There are too few gatekeepers, and this small concentration of power has allowed these companies to collect far too much data on internet users, and control the web’s capabilities.

But on the other hand, it is too late to stop it. Pandora’s proverbial box has been opened and there is no going back. What central global government is going to regulate the technology firms? Let’s suppose a scenario where the US opts for such legislation. Startups will simply avoid the US and go elsewhere, eschewing all the benefits the US has to offer while not being burdened with the regulation.

There is simply no way all modern nations will create laws to regulate technology firms. This is a tough problem to solve, and it will require out-of-the-box thinking. Legal remedies rarely work in technology. This time is no different from the countless previous attempts.

Audit Finds Department of Homeland Security’s Security is Insecure

The Register reports on a recent and pretty embarrassing Department of Homeland Security IT security audit:

The report also scolds DHS for continuing to use unsupported operating systems. DHS, the Coast Guard, and the Secret Service were all found to be using Windows Server 2003 after Microsoft’s July 2015 discontinuation of support.

The OIG also noted that Windows workstations at DHS, the Federal Emergency Management Agency (FEMA), and the Coast Guard were missing a variety of patches.

“Windows 2008 and 2012 operating systems were missing security patches for Oracle Java, an unsupported version of Internet Explorer, and a vulnerable version of Microsoft’s Sidebar and Gadgets applications,” the report says. “Some of the missing security patches dated back to July 2013.”

A number of Windows 8.1 and Windows 7 workstations were missing key security patches, including the WannaCry fix, various browser updates, and patches for Adobe Flash, Shockwave, and Acrobat flaws.

The report concludes that the observed deficiencies run contrary to the President’s Cybersecurity Executive Order and demonstrate the need for stronger security oversight.

It is unfortunate, yet likely, that these agencies rely on legacy code requiring these extremely dated operating systems. Welcome to the wonderful world of government contracting, where there are a lot of custom-built applications running in extremely insecure environments. The question: are these vulnerabilities an acceptable risk required to complete the mission?

Cyber Security at Power Plants Needs Advice it Can Actually Use

CNET reports on the electric power sector requiring more practical security advice than merely recommending patches that likely cannot be installed:

More than 60 percent of vulnerability warnings said critical infrastructure could get hijacked, while 71 percent of reported vulnerabilities that year could disrupt a person’s ability to monitor systems, according to the report.

In these warnings, up to 72 percent of the advisories told IT teams only to patch their systems. Except “patch your system” means nothing for 64 percent of critical infrastructure, according to the report.

That’s because they were insecure to begin with — applying a security patch would be like putting a Band-aid on a broken leg. Applying patches is generally fine for the average person, who only needs to update a phone or a laptop. It’s different for factories, which might be running nonstop for 24 hours, said Reid Wightman, Dragos’ senior vulnerability analyst.

While you can afford to have your phone off for 10 minutes while it applies the security patch, factories and power plants don’t have that luxury. There are usually only one or two opportunities a year for critical infrastructure to shut down and get updates, Wightman said.

The electric power industry is concerned not only with the security of its infrastructure and IT assets, but with the reliability and stability of the power supply as well. Oftentimes it is impossible to patch on a whim; a comprehensive, multi-layered, multi-faceted security strategy is therefore vital to ensuring all of the above.

While, for example, data centers are concerned with reliability and uptime, virtualization generally allows network operations to continue unhindered while applying a patch on one system. Essentially, using standardized tools, it is easy to temporarily migrate a virtual machine to different hardware, apply security and operating system patches, then move the VM back. This is almost unheard of in the electric power industry.

It is going to take some time before this problem is solved, unless someone comes up with a unique yet useful idea overnight.

Global Nation State Actors Adopting Russian “Maskirovka” Doctrine to Deceive Victims

Dark Reading discusses how nation-state cyber attacks appear to have adopted the Russian “Maskirovka” military doctrine:

Positively identifying the actual threat group behind a cyberattack as well as its true intentions is getting harder than ever as nation-state hacker groups out of North Korea and Russia, for example, in 2017 employed tactics typically used by their cybercriminal counterparts, and vice versa. In May of last year, North Korea’s massive ransomware campaign WannaCry at first appeared to be the handiwork of traditional financially motivated hackers, while Russia’s data-destruction attack via NotPetya initially presented itself as a pure ransomware attack.

The cloak-and-dagger feature of NotPetya, for example, reflects a Russian military doctrine called “maskirovka,” which is all about deceiving and confusing the victim, while also hiding the actual intent of the operation, according to CrowdStrike. “Although NotPetya was eventually revealed to be a wiper, the veneer of ransomware delayed this initial assessment,” the security firm wrote in its new Global Threat Report published this week, which analyzes findings and trends from its incident response investigations and data from its cloud-based Falcon endpoint detection system in 2017.

The destructive NotPetya attack was a data-wiping campaign against Ukraine that also hit companies in the US (Merck and Federal Express), Russia’s top oil company Rosneft, Danish shipping giant A.P. Moller-Maersk, Russian metals manufacturer Evraz, as well as Ukraine’s Boryspyl Airport. In rare public attack-attribution statements, the US, UK, Canada, New Zealand and Australia, this month all pointed the finger at Russia as the culprit.

In the context of military operations, cyber space is still relatively new when compared to the traditional domains of land, sea, and air. As a result of this immaturity, it is only natural for nations to iterate and for their strategy to evolve. What we saw ten years ago is not what we are seeing today, and will not be what we see ten years from now.

The Russian “Maskirovka” doctrine is actually far easier to pull off in a cyber attack than it is in a kinetic one. It should come as no surprise to see nation states attempting to deceive forensic attempts to attribute an attack to a specific actor.

Relatedly, the idea behind “Maskirovka” is the basis for conducting a false flag operation: a malicious actor frames a different group for an attack, to thwart attempts at discovery while deceiving and confusing the intended target(s). Once again, cyber attacks make it exponentially easier to successfully pull off a false flag because of the nature of how these attacks are executed.

North Korean Hackers May Be Developing Malware That Could Shut Down the U.S. Power Grid

The Daily Beast has an interesting article discussing how North Korea may be developing malware capable of shutting down portions of the US power grid:

But in September, Dragos picked up a new adversary, code-named “Covellite,” that appears to be trying to join that club. Covellite has been targeting electric utilities in the U.S., Europe, and parts of East Asia with spear-phishing attacks that employ code and infrastructure eerily similar to that used by the so-called Lazarus Group, the most destructive and outright criminal of the state-sponsored hacking gangs. Dragos doesn’t link attacks to specific nation-states, but the U.S. government has publicly identified the Lazarus Group as North Korea.

If Kim Jong Un is trying to duplicate Russia’s electricity-killing capability, he’s in an early reconnaissance stage—Covellite hasn’t shown any particular expertise in the arcana of industrial-control systems. But Dragos’ Joe Slowik says it’s a worrying development. “From a risk standpoint, that actor could be really interesting,” says Slowik. “Particularly if things on the Korean Peninsula get worse.”

It should come as no surprise to see North Korea attempting to develop the same type of cyber weaponry other major nation-state players are leveraging. The recently semi-cozy relationship between Russia and North Korea could be a factor in this shift of focus for the country.

Generally North Korea conducts cyber attacks primarily for financial gain, due to the global sanctions imposed against the nation and the country having been cut off from the world banking system. Additionally, the tensions between Trump and Kim Jong Un are likely pieces of a strategic puzzle being developed in Pyongyang, leading North Korea to pursue more destructive cyber weapons than mere ransomware and other revenue-generating attacks.

Equifax Hack Worse Than Originally Thought, Additional 2.4 Million Customers Affected

NBC News is reporting the Equifax hack is worse than originally thought, with an additional 2.4 million customer records affected:

The company said it was able to confirm the identities of U.S. consumers whose driver’s license information was taken by referencing other information in proprietary company records that the attackers did not steal.

“Equifax will notify these newly identified U.S. consumers directly, and will offer identity theft protection and credit file monitoring services at no cost to them,” the company said.

The new information is the latest blow to the industry giant, which lost three top executives — including its longtime CEO Rick Smith — in the fallout of the mega-breach that exposed private information belonging to 143 million people.

Equifax is a company whose entire existence relies upon collecting personally identifiable information. Therefore it should be blatantly obvious to even the most inexperienced layman that properly securing and defending this data is of the utmost importance. To have identified an additional 2.4 million people months after the original disclosure demonstrates their complete and utter disregard for the people concerned.

This company needs to be slapped with fines and investigated for its exceedingly poor security posture, if it even had any to begin with.

Russia’s ‘Fancy Bear’ Reportedly Hacks German Government Network

NPR is reporting Russia’s “Fancy Bear” cyber operations team has breached German government network assets:

Germany says it managed to fend off a cyberattack against key ministries, but declined to confirm media reports that the culprit was the Russian intelligence operation blamed for interference in U.S. elections.

“We can confirm that the Federal Office for Information Security (BSI) and intelligence services are investigating a cybersecurity incident concerning the federal government’s information technology and networks,” an Interior Ministry spokesman said Wednesday.

“The attack was isolated and brought under control within the federal administration,” which manages government computer networks, the spokesman said in a statement, Reuters reports.

According to Reuters: “Western governments and security experts have linked the hacker group known as APT28 or Fancy Bear to a Russian spy agency, and have blamed it for an attack on the Democratic National Committee ahead of the 2016 U.S. elections.”

Welcome to the new normal, where Russia conducts daily cyber operations, gets caught, and periodically publicly reprimanded for their bad behavior. I do not expect anything to change, unless one of the more powerful nation states severely breaches Russian assets. However, with Trump “in charge” in the US, it is doubtful a strong response will ever occur while he is in office.

Porsche Japan Leaks Customer Data

NHK WORLD reports that Porsche Japan had a network breach leading to customer data being leaked:

The Japanese arm of German automaker Porsche says more than 28,000 email addresses have been leaked via a hack.

Porsche Japan says information at risk includes 23,151 email addresses belonging to customers who asked for product brochures via the internet between 2000 and 2009.

Its officials suspect their customers’ names, postal addresses, phone numbers and income information may also have been compromised.

They have also admitted to a leak of email addresses of customers who participated in a 2015 sales campaign.

Not good at all. I am curious what attack vector was used to breach the network and subsequently exfiltrate the data. Additionally, I wonder what their security operations center and situational awareness capabilities are.
