Tag: electricity

The Brookings Institute discusses how the US has not yet seen the worst of Russian cyber attacks, thus far only having dealt with bots, trolls, and propaganda rather than crippling critical infrastructure:

In the West, Russia’s cyberattacks so far have been at the service of its disinformation operations: stolen data used to embarrass individuals, spin a narrative, discredit democratic institutions and values, and sow social discord. This was the pattern Russian operators followed in the United States, France, and Germany during the countries’ 2016–17 elections. Hacking email accounts of individuals or campaigns, leaking that stolen information using a proxy (primarily WikiLeaks), and then deploying an army of disinformation agents (bots, trolls, state controlled media) to disseminate and amplify a politically damaging narrative. Such cyber-enabled interference falls below the threshold of critical infrastructure attacks of significant consequence that could result in “loss of life, significant destruction of property, or significant impact on [national security interests].”

The nightmare of cyberattacks crippling critical infrastructure systems still has the sound of science fiction to most Americans. But in Ukraine, this nightmare is real. As the laboratory for Russian activities, Ukraine has seen a significant uptick in attacks on its critical infrastructure systems since the 2013–14 Maidan revolution. A barrage of malware, denial of service attacks, and phishing campaigns bombard Ukraine’s critical infrastructure environments on a daily basis. In December 2015, a well-planned and sophisticated attack on Ukraine’s electrical grid targeted power distribution centers and left 230,000 residents without power the day before Christmas. The attackers were able to override operators’ password access to the system and also disable backup generators.

Ukraine is all too familiar with Russian attacks against critical infrastructure. For a while it almost appeared as if Ukraine were serving as a testbed, or cyber range, for Russia to refine its attack capabilities against electric power plants and substations.

Imagine the chaos a debilitating critical infrastructure attack would cause among the US population. There has been a lot of news lately about Russia being embedded in US power networks. This is no longer an “if it is possible” scenario, but rather a question of “when will it occur”.

Dark Reading discusses how DragonFly, a malicious Russian actor targeting US and UK critical infrastructure, is using a Cisco router vulnerability to compromise its targets:

Researchers from Cylance this month revealed that they recently discovered that the group had hacked a core Cisco router on the network of Vietnam’s largest oil-rig manufacturer, a state-owned entity, in order to steal user credentials and ultimately infiltrate energy firms in the UK in March of 2017. The Cisco router that was abused was an “end of life” network device that ultimately gave the attackers an attack vector to target energy firms, according to Cylance. DragonFly used the stolen credentials as phishing lures to attack energy sector entity targets in the UK.

But there are several missing pieces of the attack puzzle, according to Cylance: including just how the router was hacked and how exactly that got the attackers to their targets in the UK.

Kevin Livelli, director of threat intelligence at Cylance, says it’s also unclear whether the oil rig manufacturer was a supplier to the UK targets or not. Such a connection might explain how it chose those targets, but Cylance found no such direct connection in its research.

“This is a piece of a larger campaign that we’re reporting on here,” Livelli says. “We found a decoy document embedded in one of the hashes in malware samples in our continued research into this group. We could tell those decoy documents were being targeted at folks in the energy sector in UK.”

This sounds like an interesting campaign to follow, even if the Cisco flaw is not necessarily a major vulnerability in current, fully patched versions of Cisco’s router operating system.

TNW reports on official statements by both the Federal Bureau of Investigation (FBI) and the Department of Homeland Security (DHS) in a recently released report, detailing how Russian nation state actors are directing malicious cyber attacks at American critical infrastructure operators:

FBI and DHS officials pinpointed two distinct categories of victims: staging and intended targets. For the initial attack, hackers often infiltrated trusted third-party suppliers for their intended marks. Knowing these targets often relied on less-secure networks than their final victim, the threat actors used them as a sort of trojan horse to plant malware that was actually intended for a much bigger target. These were then used as pivot points to activate the planted malware for use in compromising larger, more-secure networks.

Today’s report didn’t reveal who these marks were, at least not specifically. It did state, however, that the attacked locations were “small commercial facilities” and that these were coordinated and targeted, not random. These also happen to be some of the most vulnerable facilities to these types of attacks, with some running systems first deployed over a decade ago.

Accompanying the allegations today were new sanctions on Russia. The sanctions target at least three organizations and 13 individuals. Of those, perhaps the most recognizable is the Internet Research Agency, the so-called “troll farm” responsible for wreaking havoc on the 2016 Presidential election through its use of Facebook ads designed to exploit divisions in American politics.

This is not anything new. Russia, and other nation state actors, have been probing US critical infrastructure, specifically the electric power industry, for years. Think about it – the US relies on computers, networks, and other technologies to conduct day-to-day work.

All of these devices require electricity to operate. That is the common denominator. Take out the electric power plants, and the nation that did so now has the upper hand in a kinetic attack.

This is not rocket science. It is why the electric power industry is one of the specifically named US critical infrastructure sectors. It is also why the industry needs to be proactive, not only in securing its IT and OT assets, but also in maintaining strong situational awareness and a detection and alerting strategy.

If an organization has no eyes on the network, they could be under attack and never know it until the lights go out. Literally and figuratively.

CNET reports that the electric power sector needs more practical security advice than merely recommending patches that often cannot be installed:

More than 60 percent of vulnerability warnings said critical infrastructure could get hijacked, while 71 percent of reported vulnerabilities that year could disrupt a person’s ability to monitor systems, according to the report.

In these warnings, up to 72 percent of the advisories told IT teams only to patch their systems. Except “patch your system” means nothing for 64 percent of critical infrastructure, according to the report.

That’s because they were insecure to begin with — applying a security patch would be like putting a Band-aid on a broken leg. Applying patches is generally fine for the average person, who only needs to update a phone or a laptop. It’s different for factories, which might be running nonstop for 24 hours, said Reid Wightman, Dragos’ senior vulnerability analyst.

While you can afford to have your phone off for 10 minutes while it applies the security patch, factories and power plants don’t have that luxury. There are usually only one or two opportunities a year for critical infrastructure to shut down and get updates, Wightman said.

The electric power industry is concerned not only with the security of its infrastructure and IT assets, but with the reliability and stability of the power supply as well. It is often impossible to patch on a whim, so a comprehensive, multi-layered, multi-faceted security strategy is vital to ensuring all of the above.

While, for example, data centers are concerned with reliability and uptime, virtualization generally allows network operations to continue unhindered while applying a patch on one system. Essentially, using standardized tools, it is easy to temporarily migrate a virtual machine to different hardware, apply security and operating system patches, then move the VM back. This is almost unheard of in the electric power industry.

It is going to take some time before this problem is solved, unless someone comes up with a unique yet useful idea overnight.

The Daily Beast has an interesting article discussing how North Korea may be developing malware capable of shutting down portions of the US power grid:

But in September, Dragos picked up a new adversary, code-named “Covellite,” that appears to be trying to join that club. Covellite has been targeting electric utilities in the U.S., Europe, and parts of East Asia with spear-phishing attacks that employ code and infrastructure eerily similar to that used by the so-called Lazarus Group, the most destructive and outright criminal of the state-sponsored hacking gangs. Dragos doesn’t link attacks to specific nation-states, but the U.S. government has publicly identified the Lazarus Group as North Korea.

If Kim Jong Un is trying to duplicate Russia’s electricity-killing capability, he’s in an early reconnaissance stage—Covellite hasn’t shown any particular expertise in the arcana of industrial-control systems. But Dragos’ Joe Slowik says it’s a worrying development. “From a risk standpoint, that actor could be really interesting,” says Slowik. “Particularly if things on the Korean Peninsula get worse.”

It should come as no surprise to see North Korea attempting to develop the same type of cyber weaponry other major nation state players are leveraging. The recent, somewhat cozier relationship between Russia and North Korea could be a factor in this shift of focus for the country.

Generally, North Korea conducts cyber attacks primarily for financial gain, owing to the global sanctions imposed against the nation and the country having been cut off from the world banking system. Additionally, the tensions between Trump and Kim Jong Un are likely pieces of a strategic puzzle being assembled in Pyongyang, leading North Korea to pursue more destructive cyber weapons than mere ransomware and other means of raising funds.

The Telegraph is reporting how experts are warning UK residents that smart meters could expose British homes to cyber attacks:

The intelligence agency GCHQ is said to have raised concerns over the security of the meters, which could enable hackers to steal personal details and defraud consumers by tampering with their bills, it is alleged.

The Government wants every home in the country to have a smart meter, but only 8 million out of 27 million households have so far signed up to the £11 billion scheme.

They are designed to help consumers keep on top of their energy use and send meter readings electronically to suppliers, removing the need for visits to people’s houses to read their meters.

However, the rollout of a second generation of smart meters, known as SMETS 2, has been delayed because of worries about security.

Smart meters are a tough proposition. They offer convenience for consumers and electricity suppliers alike, but the history of how the power industry has adopted connected technology is not comforting when considering cyber security. It is a good idea to delay the deployment of smart meters and take a good, hard look at the plan to ensure it is leveraging strong encryption, has no known backdoors, and is utilizing well established and peer reviewed standards.

Unfortunately, all too often, the electric power industry allows vendors to dictate the solution rather than the industry working together to agree on a secure, smart, resilient solution to this very challenging issue. Hopefully smart meters will help the industry take a step back and reevaluate their strategy, potentially refocusing on a better way of deploying and implementing smart meters.

The International Business Times reports:

A powerful malware, dubbed Triton or Trisis, which allows hackers to gain remote access to energy facilities’ safety systems, has reportedly been accidentally leaked online for anyone to download. The malware is considered by some experts to be a next-generation cyberweapon and has already been used in December 2017 to shut down an oil and gas facility in the Middle East.

According to research from multiple cybersecurity firms including FireEye, Dragos, Symantec and Trend Micro, the malware is likely created by a nation-state and targets safety systems of industrial control systems (ICS). Triton specifically targets the safety instrument system (SIS) produced by Schneider Electric’s Triconex.

Triton can reportedly allow hackers to dismantle safety systems that can lead to the breakdown of machinery or even cause explosions. Quoting three anonymous sources, Cyberscoop reported that the malware’s framework was inadvertently posted to VirusTotal by Schneider Electric. The malware has reportedly been publicly available since 22 December and could even have been downloaded by anyone.

How does such dangerous malware accidentally leak online? Someone was either extremely careless, or there was nothing accidental about this at all.

Successful attacks against critical infrastructure operators may very well prove devastating in the event of an actual global military conflict. Malware like Triton is not just used for gaining access to systems; it is a military-grade tool developed by nation states.