Published on July 26th, 2018 | by Kevin McTiernan
Hackers Compromise US Utility Control Room
The WSJ reported Monday that hackers working for Russia had gained access to the control rooms of US utility companies last year. Today, power utilities are part of the critical national infrastructure – the glue holding a society together – and that is why this event is so disturbing. Johnathan Homer, chief of industrial-control-system analysis for DHS told the WSJ, “They got to the point where they could have thrown switches” to disrupt the flow power.
The hacking group known as Dragonfly (a.k.a. “Energetic Bear”, a.k.a. “Koala”, a.k.a. “Iron Liberty”) broke into the utility companies via the utility’s third-party vendors. Symantec began to raise alerts to this group in June of 2014 and noted they have been in operation since 2011. While this group initially were observed targeting US defense and aviation companies in the US and Canada, they shifted focus to US and European energy firms in early 2013. At that time, they were stealing information on the operations of and documents relating to power utilities and distributors. Why they were doing this makes sense on this news. Symantec notes the group is well funded and suspects they are nation-sponsored. They mainly work 9AM-6PM in the UTC+4 time zone, likely placing them in eastern Europe. In March of this year, US-CERT linked Dragonfly/Energetic Bear with the Kremlin.
If hackers taking advantage of a third party to wreak havoc sounds familiar, it should. The largest hacks in recent times used the same tactic. The Target hack was via an HVAC vendor and The Home Depot hack was through stolen credentials from a third-party vendor. Many of the hacks making headlines in recent years have been directly related to financial gain (hacking POS terminals or stealing personal information for use in fraud). This one is different and follows a trend that is not making headlines or garnering the concern of the average citizen – hacking with the specific purpose of taking down critical national infrastructure. It should be top of mind and a concern for everyone, especially lawmakers.
What is Critical National Infrastructure?
Critical national infrastructure (or CNI for short) are the things that keep us functioning as a society. If you ask the question, what would happen if ____ was diminished or wasn’t available for a period, and your answer is chaos and riots, it is CNI. And, not being able to watch the latest Game of Thrones episode does not count.
Wikipedia provides a list of CNI including, shelter, energy for heating and cooling, food production and distribution, water supply, public health (hospitals and ambulances), transportation systems (fuel, rail, airports, harbors, shipping), security (police and military), electricity (generation, transmission and distribution), telecommunications and the economic sector (banking, clearing and payment services). Any prolonged disruption to the above would result in a material disruption to how our society functions. How prolonged a disruption before society breaks down depends on the service and how quickly a national government can respond. For example, shelter, water and food can be supplied to those affected by a natural disaster (like a tornado or wildfire) for a period before they naturally demand to get on with their lives. Power, telecom and banking, I would argue, have among the shortest fuse of all CNI. Imagine getting a check from work but unable to cash it or not being able to view your bank balance or withdraw funds? In the great depression, this kind of fear led to runs on banks, it wasn’t pretty.
One thing that I feel misses Wikipedia’s list is a country’s electoral system. Wherever you stand on the impact of Russian meddling in the 2016 U.S. Presidential election or even the prospect of Russian interference in the Brexit vote, the process by which we elect our government is part of the critical national infrastructure. If we feel that an attack on the validity, sanctity and results of that process has been manipulated by someone or something, it undermines our faith in the government. If the faith in government is materially diminished for a large enough swath of the population, I guarantee that you would see riots and chaos.
If you’re reading this and are thinking that the prospect of our power grid being remotely controlled by an evil villain can only exist in the laptop of a screenwriter in Hollywood, you would be wrong. In December of 2015, hackers disrupted power distribution systems to three Ukrainian power companies. Wired noted the attack was linked to the Sandworm (a.k.a. “Voodoo Bear”, a.k.a. “Telebots”) group. Sandworm does not appear to be focused on global energy, but specifically wreaking havoc in Ukraine. Sandworm is linked to Russia’s Military Intelligence Service, GRU (the same group from which many of the latest indictments come in the Mueller probe.) In 2017, malware (distributed via an update to a tax accounting package, heavily used by accountants in Ukraine) disrupted not only utilities, but banks and newspapers – the Ukrainian SBU attributed the attack to Russia. ESET linked the malware with Telebots, the same group behind the 2015 attack.
Taking out energy supplies in winter has an obvious impact, but an attack on CNI is not just a threat in winter. Temperatures are expected to reach 120° this week across the American southwest and they spiked in Japan recently at nearly 106° (an all-time high). A prolonged disruption to power (winter or summer) would impact businesses, disrupt the population, and result in not just discomfort, but possibly death. Think hackers can’t do something like that in the US? You would be wrong. In 2011, hackers intentionally broke a pump at a US water treatment plant, disrupting water to thousands of homes.
In Europe, the importance of protecting CNI is recognized as urgent. The EU’s NIS Directive calls out the importance of power, hospitals, water, telecoms, transport, etc. to the proper functioning of a society. The EU passed this legislation in 2013 and member states had until May of this year to pass domestic legislation. If what was reported in the US had happened in the UK, for example, the fines would be as much as $24M – that is a heckuva motivation to clean up sloppy security. One month ago, the U.S. House of Representatives, passed H.R. 5733, “the DHS Industrial Control Systems Capabilities Enhancement Act”. The act “amends the Homeland Security Act of 2002 to expand the responsibilities of the National Cybersecurity and Communications Integration Center to ensure that the center’s activities address the security of both information and operational technology, including industrial control systems.” It’s a good start and there’s more to add, but there is currently no push for the U.S. Senate to take up the legislation to make it law. Perhaps this latest event will motivate action?
What can CNI providers do?
First, there’s the basics. Dr. Ian Levy, Technical Director at UK’s National Cyber Security Centre (NCSC) is leading the charge in tacking the basics of cyber security in their Active Cyber Defense (ACD) programme. The goal is to tackle a range of commodity attacks. If you don’t read his blog, you should.
If you are just waking up to the threat, have the basics covered or are in the process of doing so, but are unclear about how to identify these threats before the lights go out, check out SS8’s Advanced Threat Detection solution. SS8 Advanced Threat Detection (ATD) monitors every byte from every flow on your network at key aggregation points, providing visibility to all communications on your network. ATD detects malware, identifies compromised computers and the stealthiest hackers moving around your network, all in real time. Every event is stored in our Security Analytics engine to provide years of hi-fidelity history and recursive analytics as new threat definitions arrive. The Intuitive search and visualizations provide your investigators with the insight to act. SS8’s nearly twenty-year legacy in the law enforcement and intelligence space is reflected in the optimized workflows and analytics in SS8 ATD.
If you are responsible for protecting your country’s critical national infrastructure or an critical infrastructure provider looking to keep your network safe, contact SS8 Networks or send Kevin McTiernan a message. To learn more please visit our Threat Detection solution page.