Phil Neray explains why the threat of cyber attacks on industrial control systems can no longer be dismissed by the 'it’s never happened before' argument
Although many business decision-makers may be familiar with Stuxnet, the German steel mill attack, BlackEnergy malware and how a Michigan Utility got hacked with ransomware, many are still reluctant to invest more on tighter security controls to reduce the risk of cyber-attacks on their Industrial Control Systems (ICS).
The world of cyber has changed dramatically over the past 12 months. Cyber-attacks on ICS/SCADA networks and breakthrough research discoveries, have rendered the “we’re not going to spend more on ICS cybersecurity because it has never happened before,” argument, void.
At a recent conference, Richard Clarke, a former top counter-terrorism advisor who later served as the first White House cybersecurity czar pointed to numerous major disasters that were clearly predicted by experts but ignored by decision-makers. These include the sub-prime mortgage crisis of 2008, the Fukushima nuclear meltdown, the Madoff investment scandal, and several mining disasters. In each case, nobody acted on the experts’ predictions. Clarke then explained why ICS cybersecurity is similar to these disasters because the cost of dealing with the disaster is disproportionately higher than the cost of mitigating it beforehand.
The outcome of a successful cyber-attack on critical infrastructure is not something anybody wants to test. A quick look at incidents that have made it to the headlines – be it actual cyber-attacks or new vulnerabilities and campaigns – is all one needs to persuade business executives to allocate more budget to mitigate against modern ICS hacking scenarios.
Ukrainian grid attacks
Before December 2014, nobody had ever used a targeted cyber-attack to turn off electric power in the middle of a cold winter. In December 2016, it happened yet again, according to Ukrenergo, the electric utility for the Ukrainian capital of Kiev.
Attack on SWIFT global banking system
In 2015 and 2016, the SWIFT banking system was hacked three times (by North Korea), making it the first known incident of a state actor using cyber-attacks to steal funds.
NSA’s top secret cyber weapons posted on the internet
In August 2016, the National Security Agency’s (NSA) top cyber tools and techniques were posted on the Internet, giving any ‘script kiddie’ unfettered access to the world’s most sophisticated cyber weapons. Released by the Shadow Brokers was a huge cache of specialised malware, including dozens of backdoor programs and 10 zero-day exploits, two of these targeting vulnerabilities in widely-used Cisco routers.
Zombie botnet army brings down the internet
On October 21, 2016, America’s Internet was brought down by 450,000 IoT devices, which had been assembled into a massive botnet army. The unprecedented DDoS attack prevented users from accessing Twitter, Spotify, Netflix, Amazon, Tumblr, Reddit, PayPal and other sites. The attack targeted DYN’s managed DNS service, a major element of the US critical infrastructure.
Operation BugDrop: Large-scale cyber reconnaissance operation targeting Ukranian businesses
On 15 February 2017, CyberX discovered a new, large-scale cyber-reconnaissance operation targeting a broad range of targets in the Ukraine.
Because it eavesdrops on sensitive conversations by remotely controlling PC microphones – in order to surreptitiously ‘bug’ its targets – and uses Dropbox to store exfiltrated data, CyberX has named it Operation BugDrop.
CyberX has confirmed at least 70 victims successfully targeted by the operation in a range of sectors including critical infrastructure, media and scientific research.
The operation seeks to capture a range of sensitive information from its targets including audio recordings of conversations, screenshots, documents and passwords.
Unlike video recordings, which are often blocked by users, simply placing tape over the camera lens, it is virtually impossible to block your computer’s microphone without physically accessing and disabling the PC hardware.
Most of the targets are located in the Ukraine, but there are also targets in Russia and a smaller number of targets in Saudi Arabia and Austria.
Many targets are located in the self-declared separatist states of Donetsk and Luhansk, which have been classified as terrorist organisations by the Ukrainian government.
New KillDisk malware: bringing ransomware into the industrial domain
In December 2016, CyberX uncovered new evidence that the KillDisk disk-wiping malware previously used in the cyber-attacks against the Ukrainian power grid has now evolved into ransomware.
By reverse-engineering the new malware variant, the team at CyberX found that it displays a pop-up message requesting 222 Bitcoins or approximately 206,000 US dollars in return for the decryption key.
The new malware encrypts both local hard drives and any network-mapped folders that are shared across the organisation, using a combination of RSA 1028 public key and AES shared key algorithms, where each encrypted file has its own AES key.
RADIATION Campaign: unusual IIoT botnet attack
Months before Mirai malware was found to be infecting IoT devices, CyberX discovered the RADIATION Campaign. Targeting surveillance cameras commonly used in industrial environments, the RADIATION malware is much more sophisticated than Mirai because it exploits a zero-day vulnerability in IIoT devices rather than open ports and default credentials that can easily be addressed.
Since the campaign discovery, CyberX has identified 25,000 Internet-accessible devices compromised by RADIATION — and found that cyber-criminals are now providing DDOS-for-Hire services using this massive botnet army.
Phil Neray is VP Cybersecurity & Marketing at CyberX.