NBC News discusses denial-of-service attacks against 911 call centers across the country:

The Next Generation 911 systems will have advanced security baked into their foundations, including the ability to instantly identify suspicious activity, immediately shut down in response to intrusions, and simultaneously move incoming calls to other centers in a way that is undetectable to someone dialing for help, officials say.

But the increased connectivity also opens the modern systems to new potential modes of attack, experts say. No matter how sophisticated a defense, all it takes is one overlooked vulnerability to let hackers in, experts say.

That makes it essential to develop sophisticated defense systems run by in-house cybersecurity teams, they say.

In Baltimore’s case, the ransomware attack was discovered and repelled by Baltimore City Information Technology, which maintains defenses across the local government. It determined that the hackers had found access after a technician troubleshooting the computer-aided dispatch system made a change to a firewall and mistakenly left an opening, the city’s chief information officer, Frank Johnson, said in a statement. The FBI is now helping the city investigate.

Howard, in Tennessee, knows how his attacker obtained access to the 911 center — by finding a weak password left by a deceased former system administrator. The FBI told him it looked as if the attack came from Russia. But he still isn’t sure.

The December 2015 attack against a Ukrainian power company, which left over 230,000 people without power for up to six hours, included a call center denial-of-service. The attackers purposely targeted the support desk to confuse operators, so they would remain unaware their customers were experiencing an outage. It is a smart tactic from an offensive perspective, and likely a technique most groups will increasingly use in the future. Citizens need to be made aware this is a possibility, especially with Russia targeting the US power grid and other critical infrastructure.

Frankly, I am surprised it has taken so long for these attack types to become mainstream news. Nation state attackers will use any means necessary to achieve their goals. Every available technique and tool in their arsenal will be used, and oftentimes they come in shapes we do not normally associate with what is generally considered a traditional cyber attack.

That I even used that phrase – traditional cyber attack – demonstrates a certain level of expectation in cyber warfare. While there are to date a number of traditional models, cyber attacks do not follow normal kinetic attack patterns. This is not necessarily only because cyber is ethereal, but also because of its infancy, and the sheer number and scale of attack vectors. As cyber warfare continues to age there will be a greater understanding of the techniques, the targets, their effectiveness, and the strategies used by sophisticated nation state actors.

Bloomberg offers more details on the previous pipeline data system cyber attack:

While the EDI systems may be entry points for hackers, they are likely not the ultimate target, said Jim Guinn, managing director and global cybersecurity leader for energy, utilities, chemicals and mining at Accenture PLC, a technology consulting company.

“There is absolutely nothing of intrinsic value for someone to infiltrate the EDI other than to navigate a network to do something more malicious,” Guinn said by telephone Tuesday. “All bad actors are looking for a way to get into the museum to go steal the Van Gogh painting.”

He also said there is nothing inherently different about oil and gas EDI systems.

US oil and gas pipelines have previously been seen as attractive cyber attack targets:

This isn’t the first time U.S. pipelines have been targeted. In 2012, a federal cyber response team said in a note that it had identified a number of “cyber intrusions” targeting natural gas pipeline sector companies. The group, the Industrial Control Systems Cyber Emergency Response Team, is a division of Homeland Security.

“It’s important to recognize that this does not appear to be an attack on an operational system,” said Cathy Landry, a spokeswoman for the Interstate Natural Gas Association of America. “An attack on a network certainly is inconvenient and can be costly, and something any company – whether a retailer, a bank or a media company — wants to avoid, but there is no threat to public safety or to natural gas deliveries.”

Bloomberg discusses a recent spate of cyber attacks against specific critical infrastructure targets that effectively shut down a pipeline data system:

A cyber attack that hobbled the electronic communication system used by a major U.S. pipeline network has been overcome.

Energy Transfer Partners LP was confident that, after 6 p.m. New York time on Monday, files could safely be exchanged through the EDI platform provided by third-party Energy Services Group LLC, the pipeline company said in a notice. Earlier in the day, it reported a shutdown of the system because of an attack, while saying there was no effect on the flow of natural gas.

The EDI system conducts business through a computer-to-computer exchange of documents with customers. Though it’s not clear who was responsible for the attack, it comes after U.S. officials warned in March that Russian hackers are conducting a broad assault on the nation’s electric grid and other targets. Last month, Atlanta’s municipal government was hobbled for several days by a ransomware attack.

Energy Transfer, run by billionaire Kelcy Warren, isn’t the only pipeline company using EDI. Other operators with similar systems include Kinder Morgan Inc. and Tallgrass Energy Partners LP, according to their websites. Representatives for Kinder and Tallgrass said the companies’ systems weren’t affected.

It is important to note the distinction here: a communications network was attacked, not the actual gas pipeline operational network itself. Although light on details, it seems the attackers had no actual method to disrupt the pipeline, and could only inflict damage on the communications infrastructure.

Expect more similar attacks to occur in the future. Causing outages on the communications networks could lead to operational issues. Oftentimes the operators will bring down the operational networks to ensure personnel safety or avoid physical damage due to lack of adequate monitoring capabilities. There will likely be no direct damage.

In these situations the operational capabilities may end up as collateral damage, not the primary target.

The Brookings Institute discusses how the US has not yet seen the worst of Russian cyber attacks, thus far only having dealt with bots, trolls, and propaganda rather than crippling critical infrastructure:

In the West, Russia’s cyberattacks so far have been at the service of its disinformation operations: stolen data used to embarrass individuals, spin a narrative, discredit democratic institutions and values, and sow social discord. This was the pattern Russian operators followed in the United States, France, and Germany during the countries’ 2016–17 elections. Hacking email accounts of individuals or campaigns, leaking that stolen information using a proxy (primarily WikiLeaks), and then deploying an army of disinformation agents (bots, trolls, state controlled media) to disseminate and amplify a politically damaging narrative. Such cyber-enabled interference falls below the threshold of critical infrastructure attacks of significant consequence that could result in “loss of life, significant destruction of property, or significant impact on [national security interests].”

The nightmare of cyberattacks crippling critical infrastructure systems still has the sound of science fiction to most Americans. But in Ukraine, this nightmare is real. As the laboratory for Russian activities, Ukraine has seen a significant uptick in attacks on its critical infrastructure systems since the 2013–14 Maidan revolution. A barrage of malware, denial of service attacks, and phishing campaigns bombard Ukraine’s critical infrastructure environments on a daily basis. In December 2015, a well-planned and sophisticated attack on Ukraine’s electrical grid targeted power distribution centers and left 230,000 residents without power the day before Christmas. The attackers were able to override operators’ password access to the system and also disable backup generators.

Ukraine is all too familiar with Russian attacks against critical infrastructure. For a while it almost appeared as if Ukraine was some kind of testbed or cyber range of sorts for Russia to try and perfect its attack capabilities against electric power plants and substations.

Imagine the chaos a debilitating critical infrastructure attack would cause among the US population. There has been a lot of news lately about Russia being embedded in the US power networks. This is no longer an “if it is possible” scenario, but rather “when will it occur”.

Dark Reading discusses how DragonFly, a malicious Russian actor targeting US and UK critical infrastructure, is using a Cisco router vulnerability to compromise its targets:

Researchers from Cylance this month revealed that they recently discovered that the group had hacked a core Cisco router on the network of Vietnam’s largest oil-rig manufacturer, a state-owned entity, in order to steal user credentials and ultimately infiltrate energy firms in the UK in March of 2017. The Cisco router that was abused was an “end of life” network device that ultimately gave the attackers an attack vector to target energy firms, according to Cylance. DragonFly used the stolen credentials as phishing lures to attack energy sector entity targets in the UK.

But there are several missing pieces of the attack puzzle, according to Cylance: including just how the router was hacked and how exactly that got the attackers to their targets in the UK.

Kevin Livelli, director of threat intelligence at Cylance, says it’s also unclear whether the oil rig manufacturer was a supplier to the UK targets or not. Such a connection might explain how it chose those targets, but Cylance found no such direct connection in its research.

“This is a piece of a larger campaign that we’re reporting on here,” Livelli says. “We found a decoy document embedded in one of the hashes in malware samples in our continued research into this group. We could tell those decoy documents were being targeted at folks in the energy sector in UK.”

This sounds like an interesting campaign to follow, even if the Cisco exploit is not necessarily a major vulnerability in current and up-to-date versions of their router operating system.

TNW reports on official statements by both the Federal Bureau of Investigation (FBI) and Department of Homeland Security (DHS) in a recently released report, detailing how Russian nation state actors are targeting malicious cyber attacks at American critical infrastructure operators:

FBI and DHS officials pinpointed two distinct categories of victims: staging and intended targets. For the initial attack, hackers often infiltrated trusted third-party suppliers for their intended marks. Knowing these targets often relied on less-secure networks than their final victim, the threat actors used them as a sort of trojan horse to plant malware that was actually intended for a much bigger target. These were then used as pivot points to activate the planted malware for use in compromising larger, more-secure networks.

Today’s report didn’t reveal who these marks were, at least not specifically. It did state, however, that the attacked locations were “small commercial facilities” and that these were coordinated and targeted, not random. These also happen to be some of the most vulnerable facilities to these types of attacks, with some running systems first deployed over a decade ago.

Accompanying the allegations today were new sanctions on Russia. The sanctions target at least three organizations and 13 individuals. Of those, perhaps the most recognizable is the Internet Research Agency, the so-called “troll farm” responsible for wreaking havoc on the 2016 Presidential election through its use of Facebook ads designed to exploit divisions in American politics.

This is not anything new. Russia, and other nation state actors, have been probing US critical infrastructure, specifically the electric power industry, for years. Think about it – the US relies on computers, networks, and other technologies to conduct day-to-day work.

All of these devices require electricity to operate. That is the common denominator. Take out the electric power plants, and the nation that did so now has the upper hand in a kinetic attack.

This is not rocket science. It is why the electric power industry is one of the specifically named US critical infrastructure sectors. It is also why the industry needs to be proactive in not only securing its IT and OT assets, but also maintaining strong situational awareness and a detection and alerting strategy.

If an organization has no eyes on the network, they could be under attack and never know it until the lights go out. Literally and figuratively.

The New York Times has an interesting story about a cyber attack against a petrochemical plant in Saudi Arabia seemingly meant to sabotage its operations and potentially trigger an explosion:

A team at Schneider Electric, which made the industrial systems that were targeted, called Triconex safety controllers, is also looking into the attack, the people who spoke to The Times said. So are the National Security Agency, the F.B.I., the Department of Homeland Security and the Pentagon’s Defense Advanced Research Projects Agency, which has been supporting research into forensic tools designed to assist hacking investigations.

All of the investigators believe the attack was most likely intended to cause an explosion that would have killed people. In the last few years, explosions at petrochemical plants in China and Mexico — though not triggered by hackers — have killed several employees, injured hundreds and forced evacuations of surrounding communities.

What worries investigators and intelligence analysts the most is that the attackers compromised Schneider’s Triconex controllers, which keep equipment operating safely by performing tasks like regulating voltage, pressure and temperatures. Those controllers are used in about 18,000 plants around the world, including nuclear and water treatment facilities, oil and gas refineries, and chemical plants.

“If attackers developed a technique against Schneider equipment in Saudi Arabia, they could very well deploy the same technique here in the United States,” said James A. Lewis, a cybersecurity expert at the Center for Strategic and International Studies, a Washington think tank.

Schneider Electric has apparently designed their Triconex safety controllers to only be modified with physical contact, not via network-based interfaces. So if this is in fact the true design, then why would there be any worry of a potential physical explosion? No malware should be able to send a command to modify the Triconex system unless there is a missing link.

It is possible the attackers have studied Triconex so well, they were able to locate a bug Schneider Electric is unaware of, which could force other components to receive commands which would affect the safety controllers. If this is the case, then the culprit is likely an extremely sophisticated actor backed by deep resources. There are only a limited number of nation states with these advanced capabilities and the funding to purchase expensive equipment like this for the sole purpose of bug hunting.

Security experts said Iran, China, Russia, the United States and Israel had the technical sophistication to launch such attacks. But most of those countries had no motivation to do so. China and Russia are increasingly making energy deals with Saudi Arabia, and Israel and the United States have moved to cooperate with the kingdom against Iran.

That leaves Iran, which experts said had a growing military hacking program, although the Iranian government has denied any involvement in such attacks.

Tensions between Iran and Saudi Arabia have steadily escalated in recent years, and the conflict has drifted online.

Iran is arguably the nation state with the strongest reason to want to physically attack Saudi Arabia. Leveraging this type of cyber attack to perform such damage would make attribution exceedingly difficult. With no conclusive evidence to support any claims, chances are no public pronouncements of responsibility would ever be made.

So how did the hackers get in? Investigators found an odd digital file in a computer at an engineering workstation that looked like a legitimate part of the Schneider controllers but was designed to sabotage the system. Investigators will not say how it got there, but they do not believe it was an inside job. This was the first time these systems were sabotaged remotely.

The only thing that prevented significant damage was a bug in the attackers’ computer code that inadvertently shut down the plant’s production systems.

You can bet the attackers will not make the same mistake twice, assuming their actual intent was to cause physical disruption.

CNET reports that the electric power sector needs more practical security advice than recommendations to apply patches that likely cannot be installed:

More than 60 percent of vulnerability warnings said critical infrastructure could get hijacked, while 71 percent of reported vulnerabilities that year could disrupt a person’s ability to monitor systems, according to the report.

In these warnings, up to 72 percent of the advisories told IT teams only to patch their systems. Except “patch your system” means nothing for 64 percent of critical infrastructure, according to the report.

That’s because they were insecure to begin with — applying a security patch would be like putting a Band-aid on a broken leg. Applying patches is generally fine for the average person, who only needs to update a phone or a laptop. It’s different for factories, which might be running nonstop for 24 hours, said Reid Wightman, Dragos’ senior vulnerability analyst.

While you can afford to have your phone off for 10 minutes while it applies the security patch, factories and power plants don’t have that luxury. There are usually only one or two opportunities a year for critical infrastructure to shut down and get updates, Wightman said.

The electric power industry is concerned not only with the security of its infrastructure and IT assets, but with the reliability and stability of the power supply as well. Oftentimes it is impossible to patch on a whim, so a comprehensive, multi-layered, multi-faceted security strategy is vital to ensuring all of the above.

While, for example, data centers are concerned with reliability and uptime, virtualization generally allows network operations to continue unhindered while applying a patch on one system. Essentially, using standardized tools, it is easy to temporarily migrate a virtual machine to different hardware, apply security and operating system patches, then move the VM back. This is almost unheard of in the electric power industry.

It is going to take some time before this problem is solved, unless someone comes up with a unique yet useful idea overnight.

The Daily Beast has an interesting article discussing how North Korea may be developing malware capable of shutting down portions of the US power grid:

But in September, Dragos picked up a new adversary, code-named “Covellite,” that appears to be trying to join that club. Covellite has been targeting electric utilities in the U.S., Europe, and parts of East Asia with spear-phishing attacks that employ code and infrastructure eerily similar to that used by the so-called Lazarus Group, the most destructive and outright criminal of the state-sponsored hacking gangs. Dragos doesn’t link attacks to specific nation-states, but the U.S. government has publicly identified the Lazarus Group as North Korea.

If Kim Jong Un is trying to duplicate Russia’s electricity-killing capability, he’s in an early reconnaissance stage—Covellite hasn’t shown any particular expertise in the arcana of industrial-control systems. But Dragos’ Joe Slowik says it’s a worrying development. “From a risk standpoint, that actor could be really interesting,” says Slowik. “Particularly if things on the Korean Peninsula get worse.”

It should come as no surprise to see North Korea attempting to develop the same type of cyber weaponry other major nation state players are leveraging. The recently semi-cozy relationship between Russia and North Korea could be a factor in a focal change for the country.

Generally, North Korea conducts cyber attacks primarily for financial gain due to the global sanctions imposed against the nation, as well as the country having been cut off from the world banking system. Additionally, the tensions between Trump and Kim Jong Un are likely pieces of a strategic puzzle being developed in Pyongyang, leading North Korea to pursue more destructive cyber weapons than mere ransomware and other forms of revenue generation.

The Telegraph is reporting how experts are warning UK residents that smart meters could expose British homes to cyber attacks:

The intelligence agency GCHQ is said to have raised concerns over the security of the meters, which could enable hackers to steal personal details and defraud consumers by tampering with their bills, it is alleged.

The Government wants every home in the country to have a smart meter, but only 8 million out of 27 million households have so far signed up to the £11 billion scheme.

They are designed to help consumers keep on top of their energy use and send meter readings electronically to suppliers, removing the need for visits to people’s houses to read their meters.

However, the rollout of a second generation of smart meters, known as SMETS 2, has been delayed because of worries about security.

Smart meters are a tough proposition. They offer convenience for consumers and electricity suppliers alike, but the history of how the power industry has adopted connected technology is not comforting when considering cyber security. It is a good idea to delay the deployment of smart meters to take a good, strong look at the plan to ensure it is leveraging strong encryption, has no known backdoors, and is utilizing well-established and peer-reviewed standards.

Unfortunately, all too often, the electric power industry allows vendors to dictate the solution rather than the industry working together to agree on a secure, smart, resilient solution to this very challenging issue. Hopefully smart meters will help the industry take a step back and reevaluate their strategy, potentially refocusing on a better way of deploying and implementing smart meters.

WIRED reports on how cryptojacking has been found in operational technology assets in a European water utility:

Radiflow CEO Ilan Barda says the company had no idea it might discover a malicious miner when it installed intrusion detection products on the utility’s network, particularly on its inner network, which wouldn’t usually be exposed to the internet. “In this case their internal network had some restricted access to the internet for remote monitoring, and all of a sudden we started to see some of the servers communicating with multiple external IP addresses,” Barda says. “I don’t think this was a targeted attack, the attackers were just trying to look for unused processing power that they could use for their benefit.”

Industrial plants may prove an enticing environment for malicious miners. Many don’t use a lot of processing power for baseline operations, but do draw a lot of electricity, making it relatively easy for mining malware to mask both its CPU and power consumption. And the inner networks of industrial control systems are known for running dated, unpatched software, since deploying new operating systems and updates can inadvertently destabilize crucial legacy platforms. These networks generally don’t access the public internet, though, and firewalls, tight access controls, and air gaps often provide additional security.

Security specialists focused on industrial control, like the researchers at Radiflow, warn that the defenses of many systems still fall short, though.

“I for one have seen a lot of poorly configured networks that have claimed to be air gapped but weren’t,” RedTeam Security’s Cardacci says. “I am by no means saying that air gaps don’t exist, but misconfigurations occur often enough. I could definitely see the malware penetrating crucial controllers.”

As attackers grow in sophistication, so will their attacks. It should come as no surprise to see this type of malware having made its way into OT networks. If an OT network can be penetrated, attackers will find a way to leverage those assets, whether it is for hacktivism, politics, to cause damage, or even to mine cryptocurrency.

Motherboard reports on vulnerabilities discovered in globally used software for controlling gas pumps:

The vulnerabilities would allow an attacker to shut down fuel pumps, hijack credit card payments, and steal card numbers or access backend networks to take control of surveillance cameras and other systems connected to a gas station or convenience store’s network. An attacker could also simply alter fuel prices and steal petrol.

Ido Naor, a senior security researcher with Kaspersky Lab, and Amihai Neiderman, a former researcher with Azimuth Security, discovered the vulnerabilities after the computer screen on a gas pump in Israel crashed one day last June as Naor was filling his tank and exposed a local IP address. The system turned out to belong to an Israeli company named Orpak Systems, which makes fuel-management software. Orpak’s system is used by commercial gas stations in Israel as well as by the military and large corporations to track gas consumption for their fleets of vehicles, to ensure employees and soldiers aren’t siphoning gas from work vehicles to fuel personal ones.

But Orpak, which makes both RFID vehicle-tracking systems and fuel-management systems, doesn’t just sell its systems in Israel; its software is installed in more than 35,000 service stations and 7 million vehicles in 60 countries, according to marketing literature. And last year, Orpak was acquired by Gilbarco Veeder-Root, a large North Carolina-based maker of gas pump and point-of-sale systems for convenience stores in the US and elsewhere.

As the article notes, if stations are networking the pumps because they are geographically separated, there is a strong chance the vulnerable pumps can be found on Shodan.

The International Business Times reports:

A powerful malware, dubbed Triton or Trisis, which allows hackers to gain remote access to energy facilities’ safety systems, has reportedly been accidentally leaked online for anyone to download. The malware is considered by some experts to be a next-generation cyberweapon and has already been used in December 2017 to shut down an oil and gas facility in the Middle East.

According to research from multiple cybersecurity firms including FireEye, Dragos, Symantec and Trend Micro, the malware is likely created by a nation-state and targets safety systems of industrial control systems (ICS). Triton specifically targets the safety instrument system (SIS) produced by Schneider Electric’s Triconex.

Triton can reportedly allow hackers to dismantle safety systems that can lead to the breakdown of machinery or even cause explosions. Quoting three anonymous sources, Cyberscoop reported that the malware’s framework was inadvertently posted to VirusTotal by Schneider Electric. The malware has reportedly been publicly available since 22 December and could even have been downloaded by anyone.

How does such dangerous malware accidentally leak online? Someone was either extremely careless, or there was nothing accidental about this at all.

Successful attacks against critical infrastructure operators may very well prove devastating in the event of an actual global military conflict. Malware like Triton and others are not just used for gaining access to systems, but are military-grade tools developed by nation states.

Wired reports on how state-sponsored Iranian hackers are laser focused on attacking critical infrastructure companies:

In fact, a new network reconnaissance group, dubbed Advanced Persistent Threat 34, has spent the last few years burrowing deep into critical infrastructure companies.

Given how aggressively Iran has pursued infrastructure hacking, previously targeting the financial sector and even a dam in upstate New York, the new findings serve as a warning, and highlight the evolving nature of the threat.

FireEye researchers tracked 34 of the group’s attacks on institutions in seven Middle Eastern countries between 2015 and mid-2017, but says APT 34 has been operational since at least 2014. The group appears to target financial, energy, telecommunications, and chemical companies, and FireEye says it has moderate confidence that its hackers are Iranians. They log into VPNs from Iranian IP addresses, adhere to normal Iranian business hours, their work has occasionally leaked Iranian addresses and phone numbers, and their efforts align with Iranian interests. Namely, targeting the country’s adversaries.

There isn’t definitive evidence of a direct link between APT 34 and APT 33, an Iranian hacking group and malware distributor FireEye published findings on in September. But researchers have seen APT 34 operating concurrently inside many of the same target networks as other Iranian hackers.

The Middle East is seemingly always involved in one conflict or another. It should come as no surprise to see Iran leveraging cyber attacks to its benefit. Implementing strong defense should be a major priority for any business within the region, but especially so for critical infrastructure companies. They have a lot to lose, and an attack could cause major devastation in the affected country.

DARPA believes it can protect critical infrastructure from cyber attacks using a brand new tool it has developed:

Hackers have been breaking through a lot of government agency’s defenses these past years, and DARPA thinks it’s high time to do something about it. Pentagon’s mad science division has launched a new program called Rapid Attack Detection, Isolation and Characterization (RADICS), which aims to develop innovative technologies that can quickly detect and respond to cyber attacks. Not just any cyber attacks, though: RADICS was specifically created to deflect security threats on critical infrastructures in the US, especially those that are vital to the Department of Defense’s missions. The agency likely wants to make sure the government can quickly detect and fight off terrorists and/or hackers trying to switch off the country’s electricity or transportation systems.