2018-04-07
Last July, the FBI and the Department of Homeland Security revealed that Russian hackers were behind cyber intrusions into the U.S. energy power grid.
While there was no threat to public safety, Russia is laying the groundwork for more damaging hacks on America. In 2015, Russia tested its cyberweapons on the Ukrainian capital of Kiev, blacking out 225,000 people.
One might wonder what Russia’s end game is for this kind of attack. To hurt us financially? To show us how vulnerable we are? In preparation for a more sinister attack? Is it to punish America for anti-Russian policies like expelling 60 Russians in response to Russia’s poisoning of a former spy in Britain with a banned chemical weapon?
Mark Orlando at Raytheon cyber security broke down the particulars of why hacking works so well in America. The main strategy is to divide targets into the intended targets, like the large energy companies themselves, and smaller targets, like their supply-chain vendors or even trade journals.
The larger and better-protected targets with entire cyber security departments are difficult to attack. So hackers target smaller companies with less secure networks. When the hackers get into those systems, they use that access to gather intelligence and set traps for the larger company.
The manufacturer that supplies ball bearings to a natural gas power plant may have considerable access to the plant’s systems and management, maybe even password access, but would not be questioned.
This long-term strategy takes patience — just the kind of thing traditional espionage has perfected over the last century.
The traps themselves are pretty imaginative. Many are based in social media. No one suspects a cute kitten video of hiding malware. But some do. And if your co-worker is a kitten-nut, they may not hesitate to download that video without thinking that it is a trap.
“The weakness in cybersecurity is the users themselves, those that are not necessarily computer-savvy,” says Quinn Mockler, a cyber security researcher and student at Columbia Basin College. “People overall need better awareness of cyber security. Otherwise, we will be open to constant attack.”
In one example discussed by Orlando, the attackers found a harmless-looking photo on one company’s human resources site that contained valuable information for spear phishing, which is the use of customized deceptive emails designed to deliver malware.
Using résumés and other routine messages that referenced the control systems, hackers created plausible, well-informed emails that fooled someone into opening a malware-laced attachment.
One trap was an invitation to a company’s New Year’s Eve party.
Another trap is called a watering-hole attack, planting malicious code in a place the targets trust, then waiting for them to come pick it up.
In the energy-sector attack, DHS and FBI found that watering holes included trade publications and informational websites for the energy industry. Hackers corrupted those sites to contain malicious content. The big targets saw no reason to suspect anything was wrong.
“It’s a low-complexity, low-effort, high-yield attack,” Orlando says.
Much of the malware was designed to capture user credentials and the digital identities of authorized users. Credential harvesting covers usernames and passwords, password hashes, or a computer’s digital signature, often stolen by tricking someone into entering them on a false login page for a familiar site. It is very difficult to detect.
Requiring multiple modes of authentication to sign in, such as a thumbprint or a security token code, is the best way to thwart this type of attack.
Data diodes, air gaps, field programmable gate arrays — all the sophisticated approaches that the nuclear industry uses — eventually need to be part of everyone’s cyber defense.
The main lesson from these attacks is that your network includes not just your own systems but those of your trusted partners and your suppliers. Everyone needs to monitor computer networks for unusual activity, install security patches regularly, develop a response plan to disclose breaches and limit damage, and communicate on cyber security up and down their supply chain.
The daunting new reality is that a company's cyber defenses are only as strong as those connected to it.
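One concrete form of the monitoring the column calls for, aimed at the false-login-page credential harvesting described above: an added example (not code from the article or from Raytheon) that scans web proxy log lines for credential POSTs to hosts imitating a trusted login site, or to login pages over plain HTTP. The log lines, the trusted host names and the log format are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Login hosts staff legitimately use (constructed for this example).
TRUSTED_LOGIN_HOSTS = {"mail.example-utility.com", "portal.example-vendor.com"}

# Constructed proxy log: timestamp, user, method, url, status. Not real traffic.
SAMPLE_LOG = """\
2018-04-03T08:12:05Z alice POST https://mail.example-utility.com/login 302
2018-04-03T08:14:40Z bob GET https://www.trade-journal.example/news/outage 200
2018-04-03T08:15:02Z bob POST https://mail.example-utiIity.com/login 200
2018-04-03T09:02:11Z carol POST http://portal-example-vendor.com/signin 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d{3})$")
LOGIN_PATH = re.compile(r"/(login|signin|auth)\b", re.I)


def _confusable_key(host: str) -> str:
    """Collapse common lookalike tricks (l/1 for i, 0 for o, hyphen for dot)
    so that an imitation host maps to the same key as the real one."""
    table = str.maketrans({"l": "i", "1": "i", "0": "o", "-": "."})
    return host.lower().translate(table)


TRUSTED_KEYS = {_confusable_key(h): h for h in TRUSTED_LOGIN_HOSTS}


def find_credential_harvesting(log_text: str) -> list[dict]:
    """Return alerts for POSTs to login paths that are not a trusted host over
    HTTPS: either a lookalike of a trusted host or credentials sent in clear."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the constructed format
        ts, user, method, url, _status = m.groups()
        parsed = urlparse(url)
        host = parsed.hostname or ""  # urlparse lowercases the host for us
        if method != "POST" or not LOGIN_PATH.search(parsed.path):
            continue
        if host in TRUSTED_LOGIN_HOSTS and parsed.scheme == "https":
            continue  # normal sign-in to a known site
        imitated = TRUSTED_KEYS.get(_confusable_key(host))
        if imitated and host != imitated:
            reason = f"lookalike of {imitated}"
        elif parsed.scheme != "https":
            reason = "credentials posted over plain http"
        else:
            continue  # unknown HTTPS site; out of scope for this rule
        alerts.append({"time": ts, "user": user, "host": host, "reason": reason})
    return alerts
```

Running `find_credential_harvesting(SAMPLE_LOG)` flags bob's POST to the capital-I imitation of the mail host and carol's POST to the hyphenated vendor lookalike, while alice's genuine login and bob's visit to the trade journal pass.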
Jim Conca is a longtime resident and scientist in the Tri-Cities, a trustee of the Herbert M. Parker Foundation, and a science contributor to Forbes at forbes.com/sites/jamesconca.
