18 September 2017

Hackers Gain Direct Access To The U.S. Power Grid; ‘Resulted In Gaining Hands-On Access To Power Grid Operations – Enough Control That Hackers Could Have Induced Blackouts On American Soil At Will’ — Maybe


Hackers have gained direct access to the power grid in both the United States and Europe, according to numerous media reports on both continents. Andy Greenberg, writing in the September 6, 2017 edition of WIRED.com, warns that this latest breach of U.S. critical infrastructure is particularly worrisome because “a series of recent hacker attacks not only compromised energy companies in the U.S. and Europe, but also resulted in intruders gaining hands-on access to power grid operations — enough control that they could have induced blackouts on American soil at will,” according to a new report by the cyber security firm Symantec.

Symantec this week released the results of its investigation into the hacking of the U.S. and European power grids earlier this summer and found that the hacking effort was not a random, one-off event, but was a “campaign of attacks by a group calling itself DragonFly 2.0, which Symantec says targeted dozens of energy companies in the spring and summer of this year,” Mr. Greenberg wrote. “In more than 20 cases, Symantec says the hackers successfully gained access to the target companies’ [critical] networks. And at a handful of U.S. power firms, and at least one company in Turkey — none of which Symantec will name — their forensic analysis found that the hackers obtained what they call operational access: control of the interfaces engineers use to send actual commands to equipment like circuit breakers, giving them the ability to stop the flow of electricity into U.S. homes and businesses,” Mr. Greenberg wrote.

“There’s a difference in being a step away from conducting sabotage and actually being in a position to conduct sabotage... being able to flip the switch on power generation,” said Eric Chien, a Symantec security analyst. “We’re now talking about on-the-ground technical evidence this could happen in the U.S., and there’s nothing left standing in the way except the motivation of some actor out there in the world,” he added.

“Never before have hackers been shown to have that level of control of American power company systems,” Mr. Chien told WIRED.com. “The only comparable situations,” he says, “have been the repeated hacker attacks on the Ukrainian power grid that twice caused power outages in the country in late 2015 and 2016, the first known hacker-induced blackouts,” Mr. Greenberg wrote.

The Usual Suspects

Cyber “security firms like FireEye and Dragos have pinned those Ukrainian attacks on a hacker group known as Sandworm, believed to be based in Russia,” Mr. Greenberg wrote. “But Symantec stopped short of blaming the more recent attacks on any country, or even trying to explain the hackers’ motives,” he added. Mr. Chien told WIRED.com that “the company has found no connections between Sandworm and the intrusions it has tracked. Nor has it directly connected the DragonFly 2.0 campaign to the string of intrusions into U.S. power companies — including a Kansas nuclear facility — known as Palmetto Fusion, which unnamed officials revealed in July and later tied to Russia.”

“Mr. Chien does note, however, that the timing and public descriptions of the Palmetto Fusion hacking campaigns match up with its DragonFly findings,” Mr. Greenberg wrote. “It’s highly unlikely this is not just coincidental,” Chien contends. “But he adds that while the Palmetto Fusion intrusions included a breach of a nuclear power plant, the most serious DragonFly intrusions Symantec tracked penetrated non-nuclear energy companies, which have less strict separations of their Internet-connected IT networks and controls,” Mr. Greenberg noted.

For the full article, I refer you to the September 6, 2017 edition of WIRED.com. Not surprisingly, the technique behind many of the successful initial penetrations of networks involved “spear-phishing emails that tricked victims into opening a malicious attachment.” “Those attacks were designed to harvest [log-on/network] credentials,” and thus gain remote access to the victims’ devices and networks, according to WIRED.com. “And in the most successful of those cases, including several instances in the U.S. and one in Turkey, the attackers penetrated deep enough to screenshot the control panels for their targets’ grid operations — what Symantec believes was a final step in [pre-]positioning themselves to sabotage those systems at will,” or at a moment of their choosing, Mr. Greenberg wrote. “That’s exactly what you’d do if you were to attempt sabotage,” Mr. Chien warned. “You’d take these sorts of screenshots to understand what you had to do next, like literally which switch to flip.”

Dan Goodin, writing in the September 6, 2017 edition of the security website Ars Technica, called these unauthorized penetrations “a dramatic escalation” in cyber hacking/espionage against the United States and Europe, and I think he is right. Of note, in 2014 Symantec warned that the DragonFly hacking group was “aggressively establishing [digital] beachheads in a limited [but critical] number of target networks.”

Having said all the above, Robert Lee, Founder and CEO of Dragos Security, as well as several of his peer competitors in this domain, “downplayed the likelihood of the operational network compromises being used to cause blackouts, or take out part of the [U.S.] electrical grid,” Mr. Goodin wrote. In an email to Ars Technica, Mr. Chien wrote that “manual attacks in the U.S. are more difficult [than in Ukraine and other countries in Europe] — [in part] based on sheer size. In order to cause a [negative] effect, something, or someone, would need to ‘flip the switch,’ deploy a ‘crash’ device/s, etc.; but we don’t believe there are any technical hurdles in doing so.”

Symantec concluded, “What is clear is that DragonFly is a highly experienced threat actor, capable of compromising numerous organizations [including those considered critical infrastructure], stealing information, and gaining access to key systems. What it plans to do with all this intelligence has yet to become clear; but its capabilities extend to materially disrupting targeted organizations... should it choose to do so.”

I think it is safe to say that when there is another major conflict, cyber will be a significant component of any threat actor’s kit-bag of weapons to be employed — on a wide scale. With the U.S. being the most dependent on the Internet and networks, you have to assume that taking down our digital infrastructure will be a key goal of any adversary. V/R, RCP
