Ambitious hackers are moving beyond business and onto national infrastructure, writes Lewis Henderson, VP of Product at Glasswall Solutions.
The Sandworm Gang may not be a household name, but they likely should be. The outfit of hackers, believed by some to be based in Russia, set an alarming milestone last December as they launched the world’s first publicly confirmed hacker-caused power outage. The results, for those affected, were devastating. After the systems of three regional operators in Ukraine were infected with the BlackEnergy malware, hundreds of thousands of homes were left without electricity, including half of the households in the Ivano-Frankivsk Oblast.
Previous, similar attacks have also been attributed to this group, including several attacks targeting government agencies in Ukraine and Poland and a breach targeting the North Atlantic Treaty Organisation in 2014. Due to strained relations between Ukraine and Russia, certain authorities accused Moscow of being behind the Sandworm Gang, though any links are still unproven.
Just weeks after the blackout in Ukraine, Israeli Energy Minister Yuval Steinitz shocked attendees of the CyberTech 2016 computer security conference with news that the nation’s Electricity Authority had been the target of a “severe” malware attack. Though Steinitz was adamant that the attack did not result in any power outages, The Times of Israel reported that some of the authority’s computer systems had to be shut down for two days following the attack. More recently, California’s Hollywood Presbyterian Medical Centre made headlines around the world when news broke out that it had given in to a vicious ransomware attack. A group of unknown hackers held the hospital’s computer systems hostage, demanding 40 bitcoins (£12,050) in return for a digital key that would allow operators to regain control of the systems. The 434-bed hospital quickly agreed to pay the ransom, fearing the consequences of what may have occurred otherwise.
Similar events continue to add up across the globe, with the parliament of Western Australia announcing a Trojan virus had made many of their computers and phones inoperable. Data breaches continue to occur across Japan’s national infrastructure organisations as well, putting valuable private data in the hands of unknown, presumably state-sponsored, hacking groups.
The world of cybercrime expands incrementally each day, leading to the current state of affairs in which even national infrastructure organisations are vulnerable to the growing sophistication of hackers. To readers of the news around the world, and especially the hundreds of thousands of victims in Ukraine, the ability of hackers to worm their way into critical infrastructure and even cause mass blackouts is understandably shocking. To those with a deep familiarity with the cybersecurity field, this handful of recent events, while still incredibly alarming, may not come as such a surprise.
Many governmental agencies have a legacy of using outdated cybersecurity measures and operating systems, such as Windows XP, that are no longer supported by manufacturers. Though it is no doubt a bold statement, no government is highly motivated to make any significant changes to the status quo when addressing the risks associated with Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) systems. Speed of innovation isn’t a driving factor as in general IT – once something is deemed functional and reliable, it is rarely changed. More alarmingly to the IT Cyber Security layman, malware running on ICS networks is often tolerated, provided it does not disrupt operations, which does not fit the logic generally used in IT.
Most disturbingly, there is minimal legislation to drive cyber risk reduction to protect ICS. The question must be asked: is this intentional government policy, allowing some of the world’s largest organisations the freedom to operate with fewer restrictions?
Within the commercial sector, many businesses are beginning to take heed of the evolving threat posed by hackers, though many still face the disastrous consequences of data breaches, which are increasingly being launched via email through file-based attacks. Across all businesses, roughly 94 per cent of successful data breaches are the result of file-based attacks, and the figures continue to grow each year.
While enterprises risk losing vast amounts of money and the goodwill of their customers, national infrastructure organisations that don’t have adequate security measures in place are potentially putting the livelihoods – and even lives – of their citizens at risk. In many cases, cybercriminals are using increasingly effective social engineering to make their way into crucial systems because organisations are unwittingly giving the information away. To bolster their social engineering operations, hackers also utilise advanced intelligence gathering tactics that can include acquiring seemingly benign metadata from a number of sources, such as files found on official websites that have not been sanitised or documents intercepted during exchange, in order to identify information such as user IDs, server paths, software versions and even employee reference data. This activity helps the hacker profile employees, supply chains, internal workflows, processes and procedures, and is an information leak that Glasswall discovers on a regular basis during its discovery phase.
By acquiring this information, hackers can then forge a series of convincing emails to an employee, posing as a trusted regular contact and tricking the employee into opening a malware-laden document or clicking on a link designed to place a zero day exploit into the organisation’s system, which is then timed to execute at a later date. In order to mitigate this specific vector, organisations must ensure they prevent data leakage caused by poor internal processes and weak management protocols, keeping private information away from would-be exploiters.
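A defender-side illustration of the metadata leak and its mitigation described above, added here and not taken from the article or from Glasswall’s products: it reads the standard OOXML docProps parts of a constructed .docx package, lists the fields an attacker could profile (author, last editor, application version, template path), then blanks them so the file can be published without leaking them. The field names and namespaces are standard OOXML; the user IDs, paths and version values are constructed sample data.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
# Standard OOXML namespaces of the two "docProps" parts of a .docx package.
NS = {"cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
      "dc": "http://purl.org/dc/elements/1.1/",
      "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties"}
# Fields that typically leak user IDs, internal paths and software versions.
SENSITIVE = {"docProps/core.xml": ["dc:creator", "cp:lastModifiedBy"],
             "docProps/app.xml": ["ep:Application", "ep:AppVersion", "ep:Company", "ep:Template"]}

def harvest_metadata(docx_bytes):
    """What a profiler would collect: {field: value} for each sensitive field present."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for part, fields in SENSITIVE.items():
            if part in z.namelist():
                root = ET.fromstring(z.read(part))
                for f in fields:
                    el = root.find(f, NS)
                    if el is not None and el.text:
                        found[f] = el.text
    return found

def sanitise(docx_bytes):
    """Copy of the package with sensitive fields blanked; run before publishing a file."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zin, zipfile.ZipFile(out, "w") as zout:
        for item in zin.infolist():
            data = zin.read(item.filename)
            if item.filename in SENSITIVE:
                root = ET.fromstring(data)
                for f in SENSITIVE[item.filename]:
                    for el in root.findall(f, NS):
                        el.text = ""
                data = ET.tostring(root, encoding="UTF-8", xml_declaration=True)
            zout.writestr(item.filename, data)  # other parts pass through untouched
    return out.getvalue()
# Constructed sample: a minimal .docx (a zip) carrying the docProps parts Word writes.
def build_sample_docx():
    core = ('<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s"><dc:creator>jsmith</dc:creator>'
            '<cp:lastModifiedBy>CORP\\ops-admin</cp:lastModifiedBy></cp:coreProperties>' % (NS["cp"], NS["dc"]))
    app = ('<Properties xmlns="%s"><Application>Microsoft Office Word</Application><AppVersion>12.0000'
           '</AppVersion><Template>\\\\fs01\\templates\\ops.dotx</Template></Properties>' % NS["ep"])
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", core)
        z.writestr("docProps/app.xml", app)
        z.writestr("word/document.xml", "<document/>")
    return buf.getvalue()
```

Running `harvest_metadata` over files already on a public website is a quick audit of what has leaked; `sanitise` belongs in the publishing workflow so that the leak does not recur.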
Due to the advancing capabilities of hackers and the ever decreasing adequacy of traditional perimeter security solutions, national infrastructure operators must turn towards innovation to close the cyber security gaps that will only grow wider over time. Any change is fraught with unique challenges, but cyber security needs to be tackled head on if the organisations responsible for supplying our clean water, electricity and fuel are to be trusted to tackle this complicated problem proactively.
The attack on Ukraine’s power grid could be seen as a proverbial floodgate, unleashing a slew of similar attacks, such as the one Israel recently faced, on unprepared infrastructure organisations. Whether this will be the case has yet to be seen, though the big question remains – what is the worst thing a person or group could do to a critical asset if they possessed the intent, access and knowledge to perform a malicious act? Keeping in mind the knowledge of what is now possible, these organisations would be wise to adopt a solution that can guarantee they don’t become the next target of the new face of cybercrime.