“They’re not looking to throw the switch, but they might throw the switch by accident,” Ross Rustici, Cybereason’s senior director of intelligence, told me.
The Boston-based firm wrapped up an experiment last week in which researchers set up a fake utility network and watched as hackers bearing the hallmarks of cybercriminals penetrated it in a matter of days. While the hackers showed some advanced skills, they used a few sloppy methods that raised “red flags” about their potential to inadvertently cause failures in the system, researchers concluded.
DHS, tasked with protecting U.S. critical infrastructure, has publicly devoted its attention largely to the threat from nation states. These findings paint a more complete picture for policymakers and utilities facing a rise in malicious cyber activity -- and spotlight a potential threat that hasn't been as much of a focus in public remarks by top officials.
In Washington, the focus has largely been on Russia. Officials say Russian government hackers have penetrated the business systems of U.S. nuclear power and other energy companies. And DHS said in a recent public briefing that Russian military hackers had infiltrated the control rooms of electric utilities across the country over the past year, and that the activity was part of an ongoing campaign. The adversaries appeared interested in conducting espionage and possibly laying the groundwork for future cyberattacks, officials and experts noted.
But less sophisticated nonstate actors are targeting the same systems for different reasons — some, for example, may seek to take over a system and ransom it back to the owners. And while these hackers they're nowhere near as well-resourced as nation state actors, they pose an outsized risk to utility operators, according to Cybereason.
“They’re more prone to make mistakes, and they’re trying to get into the system as quickly as possible, which is different from the groups that DHS talks about that are very slow and methodical,” Rustici told me. “A lot of nation state groups will invest time and money to practice on mock-up networks to avoid detection... Cybercriminals don’t have the time, resources or care for this because they’re looking for a quick buck.”
Many of the control systems used by power plants and other critical infrastructure are old and fragile, so a slip-up could have big effects. Two recent real-world examples shed light on how this might play out in the U.S., Rustici said. In one incident, a sophisticated hacking group’s botched attempt to lay down malware in a Saudi Arabian oil and gas plant caused equipment to shut down until operators could manually flip switches and bring it back online. In another, hackers caused a smelter in a German steel mill to overload and destroy itself in what may have been collateral damage from a cyber-intrusion gone awry.
Those types of errors are “far more likely to be made by a cybercriminal than nation state actors,” Rustici said. In a worst-case scenario, he added, a similar mistake could cause a cascade of failures that causes outages in multiple facilities.
The good news is that cybercriminals are a lot more skittish than nation state actors, Rustici said. Basic cyber-hygiene and diligent threat monitoring can go a long way in scaring them off. The threat from cybercriminals “is larger than we generally focus on, but also in some ways it’s more manageable,” he said. “If you can deter cybercriminals from being successful you go a long way in making the lives of [more sophisticated] actors a lot harder. You may not prevent the intrusion entirely but you’ll make them work harder for it.”
|You are reading The Cybersecurity 202, our must-read newsletter on cybersecurity policy news.|
|Not a regular subscriber?|
PINGED: “President Trump asserted early Wednesday, without citing evidence, that Hillary Clinton’s emails were hacked by China, and he said the Justice Department and FBI risked losing their credibility if they did not look into the matter,” The Washington Post’s John Wagner reported. “Writing on Twitter, Trump alleged that much of the former secretary of state’s email that was hacked contained classified information and called it ‘a very big story.’”
Trump’s tweets came after the Daily Caller, citing “two sources briefed on the matter,” reported that a Chinese-owned firm operating in the Washington area hacked Clinton’s private server while she served as secretary of state and obtained almost all of her emails. Hua Chunying, spokeswoman for the Chinese Foreign Ministry, said during a daily news briefing in Beijing that China has heard such accusations before. “This isn’t the first time we’ve heard similar kinds of allegations,” Hua said, as quoted by Reuters.
PATCHED: While tech companies face increasing scrutiny over data privacy, Yahoo continues to scan user emails. “Yahoo’s owner, the Oath unit of Verizon Communications Inc., has been pitching a service to advertisers that analyzes more than 200 million Yahoo Mail inboxes and the rich user data they contain, searching for clues about what products those users might buy, said people who have attended Oath’s presentations as well as current and former employees of the company, ” the Wall Street Journal's Douglas MacMillan, Sarah Krouse and Keach Hagey reported on Tuesday. “Oath said the practice extends to AOL Mail, which it also owns. Together, they constitute the only major U.S. email provider that scans user inboxes for marketing purposes.”
PWNED: “An apparent Iranian influence operation targeting internet users worldwide is significantly bigger than previously identified, Reuters has found, encompassing a sprawling network of anonymous websites and social media accounts in 11 different languages,” Jack Stubbs and Christopher Bing of Reuters reported on Tuesday. “Facebook and other companies said last week that multiple social media accounts and websites were part of an Iranian project to covertly influence public opinion in other countries. A Reuters analysis has identified 10 more sites and dozens of social media accounts across Facebook, Instagram, Twitter and YouTube.”
The sites and social media accounts that Reuters found are part of a group called International Union of Virtual Media that carries content from Iranian state media and other pro-Iran sources. IUVM often conceals the fact that the content comes sources affiliated with Iranian authorities. “IUVM uses its network of websites - including a YouTube channel, breaking news service, mobile phone app store, and a hub for satirical cartoons mocking Israel and Iran’s regional rival Saudi Arabia - to distribute content taken from Iranian state media and other outlets which support Tehran’s position on geopolitical issues,” Stubbs and Bing wrote. “Reuters recorded the IUVM network operating in English, French, Arabic, Farsi, Urdu, Pashto, Russian, Hindi, Azerbaijani, Turkish and Spanish.”
— “Fiserv, Inc., a major provider of technology services to financial institutions, just fixed a glaring weakness in its Web platform that exposed personal and financial details of countless customers across hundreds of bank Web sites, KrebsOnSecurity has learned,” computer security reporter Brian Krebs wrote on Tuesday. A bank customer could have exploited the vulnerability to ultimately monitor other users' daily transaction activity, according to Krebs, who used to work as a reporter for The Washington Post. Fiserv said it patched the weakness after being notified about it.
“Fiserv said in a statement that the problem stemmed from an issue with ‘a messaging solution available to a subset of online banking clients,’” Krebs reported. “Fiserv declined to say exactly how many financial institutions may have been impacted overall. But experts tell KrebsOnSecurity that some 1,700 banks currently use Fiserv’s retail (consumer-focused) banking platform alone.” Krebs wrote that security researcher Kristian Erik Hermansen first informed him about the vulnerability two weeks ago and described how it could be used to monitor transactions. “I shouldn’t be able to see this data,” Hermansen told Krebs. “Anytime you spend money that should be a private transaction between you and your bank, not available for everyone else to see.”
— “Instagram is adding three new tools to prevent the spread of misinformation on the platform,” the Hill's Tal Axelrod reported. “ ‘We’ve been focused on the safety of our platform since the very beginning, and today’s updates build upon our existing tools, such as our spam and abusive content filters and the ability to report or block accounts,’ Instagram co-founder and chief technology officer Mike Krieger said in a press release on Tuesday.”
— More cybersecurity news from the private sector:
—Motherboard's Lorenzo Franceschi-Bicchierai reported another example of spyware companies that are hacked or leave data exposed online. “The hacker, who only goes by the initials L.M., told Motherboard in February that he gained access to the servers of TheTruthSpy, a company that sells an Android and iOS spy app to consumers,” Franceschi-Bicchierai wrote on Tuesday. “The hacker was able to steal logins and passwords, pictures, audio recordings intercepted from victim’s phones, text messages, location information, and social media chats, among other data.” TheTruthSpy has presented its services as a way for consumers to spy on spouses. The hacker said he no longer has access to the company's servers because they have been updated.
Motherboard reported that it verified the breach this week after receiving a sample of usernames and log-in credentials from the hacker. Moreover, the hacker said users of TheTruthSpy app kept the same passwords for other online accounts. “This data is very dangerous. You can know everything about any person, and also you know the attacker identity. It is very easy to ransomware them, and gain a lot of dirty money,” the hacker told Franceschi-Bicchierai.
— “Leading human rights groups are calling on Google to cancel its plan to launch a censored version of its search engine in China, which they said would violate the freedom of expression and privacy rights of millions of internet users in the country,” the Intercept's Ryan Gallagher reported. “A coalition of 14 organizations — including Amnesty International, Human Rights Watch, Reporters Without Borders, Access Now, the Committee to Protect Journalists, the Electronic Frontier Foundation, the Center for Democracy and Technology, PEN International, and Human Rights in China — issued the demand Tuesday in an open letter addressed to the internet giant’s CEO, Sundar Pichai.”
- Air Force Information Technology & Cyberpower Conference in Montgomery, Ala.
- Cyber Security Summit: in Chicago.
- North Carolina Digital Government Summit in Raleigh through tomorrow.
- 9th annual Billington CyberSecurity Summit in Washington on Sept. 6.
Puerto Rico governor revises Hurricane Maria's death toll to 2,975:
Trump slams Google for “RIGGED” results:
Seven times world leaders made headlines with their dance moves: