5 Things You Need to Know about Botnets

There’s a common denominator between the surges of phishing email that continue to plague consumers, businesses and government agencies around the globe and the social media-fueled propaganda campaigns Russia has leveraged to undermine democratic elections in Europe and the United States.

Neither would be doable without botnets as they exist today. For most people, the power and complexity of botnets is not easily comprehensible.  But now more than ever it’s vital for citizens and companies to fully grasp the role botnets play in not only the digital economy, but on a geo-political level.

1. What’s a Botnet?

A bot is a small piece of malicious code implanted on a connected device by a hacker. That infected node’s sole purpose is to receive instructions from a command and control server. A botnet is a network of thousands of nodes, or “bots,” that answer to the same control server.

In today’s cyber environment, any company that fails to continually guard all of the computing devices on its network should expect to have some or all of them diverted into the service of a botnet at some point. When this happens, the affected company will begin donating electricity and computer processing power to whomever controls that botnet. Once control is ceded, that company should also count on the botnet operator moving laterally through the compromised network, turning other devices into bots and stealing any and all valuable data.

2. Classic Botnets

Botnets are comprised of infected PCs (they can also infect iOS machines), servers and virtual computing nodes. One of particular note – Necurs – has been around since 2012 and remains available for hire to anyone in need of distributed processing power on a grand scale. In any given attack, Necurs might wake up and deploy up to a million “bots,” or nodes; the total number of nodes under the controller’s command is believed to be as high as 6 million.

At its birth, Necurs delivered banking trojans, then moved on to ransomware, then to distributed denial of service (DDoS) attacks, then to securities pump-and-dump scams, then back to banking trojans, says Kevin Epstein, vice president of threat operations at messaging security company Proofpoint. “Necurs is being used by financially motivated actors who follow the money,” Epstein says.

3. IoT Botnets

IoT stands for Internet of Things, and it can refer to any connected device that is not a smartphone, tablet or computer. IoT botnets attained notoriety in late 2016 when the Mirai botnet, comprised of hundreds of thousands of infected web cams, video recorders and routers, carried out a massive DDoS attack against an Internet traffic routing service called Dyn. Twitter, Amazon, Paypal and several other big-name companies were knocked off line for the better part of a day.

IoT botnets are made up of comparatively low-powered IoT nodes that can be assembled by the millions. They are better suited to repetitive tasks, such as DDoS attacks and crypto mining, says Luke Somerville, head of special investigations at Forcepoint. “It’s organized crime so you’re dealing with evolution, most of the time, rather than revolution,” says Somerville.

Today Mirai variants continue to expand into new turf, including Mirai Okiru, which targets ARC processors (the chips embedded in cars, mobile devices, smart TVs, surveillance cameras and many more connected products) and Mirai Satori, which hijacks cryptocurrency mining operations.

4. Botnet Crypto Mining

Crypto coins are “made” or mined when a complex mathematical equation is solved in the process of enabling behind-the-scenes cryptocurrency transactions. This requires tremendous computing power.

Operators of both classic and IoT botnets are well suited to crypto mining. Classic botnets, like Necurs, can crypto mine during lulls in spamming and IoT botnets, like Mirai, can direct vast numbers of devices to repetitive mining chores.

5. Botnet Stealth

Another area of criminal innovation targets the “sandboxing” defenses that some companies build to protect themselves against attack, says Jack Miller, CISO at startup SlashNext, which supplies systems to mitigate cyberthreats.

Sandboxes divert email carrying a suspicious attachment or link to a quarantined area where the payload is “clicked” to see if anything bad happens. If it does, the company gets a trace on the attacker. Criminals responded to the sandbox strategy by writing code designed to detect if a human using a mouse is clicking that payload. If the program detects sandboxing, the malware won’t execute, thus preserving the attacker’s identity.

Botnet-delivered email attacks won’t stop anytime soon, nor will the botnet-borne Russian propaganda that continues to inundate Twitter and Facebook. The situation is at a crisis level, and has been for a while. The only defense here is vigilance and a little luck. More than anything, make sure your company proactively creates a culture of good cyber hygiene, and that cybersecurity is always on the forefront of everyone’s mind, from the mailroom to the board room.

Government Agencies Are Under Siege From Phishing Attacks. Could Your Company Be Next?

What does the U.S. Department of Defense have in common with local town councils spread out all over the United Kingdom?

On any given day, both are under siege, on the receiving end of withering cyberattacks. For instance, on a daily basis the Department of Defense detects and repels around 36 million malware-laden emails sent by a motley assortment of hackers, terrorists and foreign adversaries.

If it keeps up (and there’s no indication that the barrage will stop) the Pentagon will be sent 13 billion weaponized emails in 2018. This stunning metric was recently disclosed by David Bennett, director of operations for the Defense Information Systems Agency, in an address to the Armed Forces Communications and Electronics Association.

Meanwhile, a study released by the advocacy group Big Brother Watch reported that 395 local councils in the UK received an average of 19.5 million cyberattacks a year during the four years surveyed. That’s about 37 cyberattacks every minute, the vast majority in the form of email phishing attempts.

Criminal hacking continues to be on the rise, and social engineering is still the predominant way networks are breached and disrupted.

Humans continue to be the weakest link in any security protocol. Because of that, tricking an individual to assist in a network breach is still the most effective hack around.

Unwitting accomplices

The constant flow of phishing email at the Defense Department came as no surprise to Patrick Peterson, founder and executive chairman of messaging security firm Agari, which helps federal agencies deflect phishing campaigns.

Peterson says spoofing a federal agency or trying to infiltrate one remain the top two strategies phishing operations employ.

“More than one-in-ten emails sent on behalf of the government is fraudulent and nearly 90 percent of federal domains have been targeted by spoofing attacks,” Peterson says. “The only vertical that fares worse is healthcare.”

The goal is simple. Lure a potential victim into opening a malicious attachment sent via email, or trick them into clicking a link that lands them on a booby-trapped webpage. Spearphishers are more methodical; they first profile their targets, then send them refined messages that often don’t even carry a malicious payload.

Instead, the spearphisher’s art is to cajole the recipient into taking steps that achieve the desired result. So-called Business Email Compromise (BEC) scams are 100 percent social engineering (i.e., trickery). A one-off message is sent to a specific employee at an opportune moment, tricking the victim into wiring funds into an account controlled by the scammer. The FBI estimates BEC scams have resulted in losses of more than $5.3 billion since 2013.

Likewise the theft and selective public outing of the Democratic National Committee’s emails by Russian hackers meddling in the 2016 U.S. presidential election revolved around a few targets that gained hackers deep access to the DNC’s databases.

Go-to vulnerabilities

Human gullibility, along with our propensity to overshare online, remain hackers’ go-to vulnerabilities. “When an attacker combines knowledge of its target with timely, relevant information in a targeted phishing email, it’s only a matter of time before someone falls victim to the phish,” says Mounir Hahad, head of threat research at Juniper Networks. “One of the lowest barriers to entry is email.”

By that measure, the relentless campaign to break into local government systems in the UK seems perfectly logical. Data is a fungible asset. Valuable data is routinely collected and stored, but not terribly well guarded, by British local authorities. That’s an attractive target for hackers.

Sensitive data generated on behalf of public officials and ordinary citizens can be monetized in many different ways. Fraud scheme variants are endless. And the use of stolen data to manipulate public sentiment and voting, as we now know thanks to the last presidential race, is on the rise.

The Big Brother study found British local authorities have been subjected to at least 98 million cyberattacks between 2013 and 2017. About one-third of the local authorities (114 of them) experienced at least one cybersecurity incident. Stunningly, more than half of those councils admitted that they chose not to disclose the breach publicly.

What’s truly disheartening, however, is the finding that 297 authorities, or 75% of the British councils, admitted to not providing mandatory training in cybersecurity. These inconsistencies are not endemic to the U.K. They hold true for small and mid-sized organizations across the board.

It should not be this way. Too few organizations are realizing the benefits of embracing cyber incident response planning; and not enough have implemented effective, recurring employee training. These are baby steps; in today’s environment, organizations of all sizes and in all sectors should be taking them. It’s high time to pick up the pace.

More Than 70 Percent of Businesses Admit They’re Unprepared for a Cyberattack

A new report reveals a stunning level of apathy about cybersecurity among businesses in five nations under continuous attack by hackers.

Chicago-based insurance company Hiscox commissioned a survey of more than 4,100 organizations and found that 7 out of 10 were not prepared for a cyberattack.

This institutional lethargy persists even in the face of steadily rising cyber threats, as highlighted in consultancy Risk Based Security’s 2017 Data Breach QuickView Report issued earlier this month. That report tallied up 5,207 breaches, and over 7.8 billion records exposed in 2017, surpassing previous high marks for both by more than 20 percent.

Indeed, some 45 percent of the executives and IT professionals who took the Hiscox poll said their organizations (based in the US, UK, Germany, Spain and the Netherlands) experienced at least one cyberattack in the past year, while two-thirds suffered two or more attacks.

This is the back story to the never-ending parade of high-profile data breaches that hit the daily news cycle with numbing regularity. Equifax, Yahoo, Uber et al. remind us how even large enterprises, companies that spend millions on security, routinely fail at defending their networks and protecting their customers’ private information.

The Hiscox study found the costs of cybercrime ranged as high as $25 million for one U.S. incident, and $20 million each for individual attacks in Germany and the UK. The average cost for all attacks reported by the poll takers: $229,000.

Have, Have-Nots

There’s no question cybersecurity is a complex, continually evolving challenge. Just as clearly, the substantial collective defenses put up by the business and government sectors (an annual $93 billion global market for cybersecurity products and services) aren’t enough.

To be sure, there are innovative technical solutions and best practices standards aplenty. But somehow the much-discussed combination of technology, processes and training, a combination that is known to slow cyberattacks, has not yet taken root in our collective approaches to cybersecurity.

“Despite the criticality of security, it is becoming a world of haves and have-nots,” observes Brian NeSmith, CEO of Arctic Wolf, which supplies security services to smaller businesses. “It’s a problem that cannot be solved by just buying products because it requires a level of in-depth expertise and dedicated personnel.”

On average the 4,100 companies participating in the Hiscox survey reported spending $11.2 million a year on IT, with 10.5 percent of that budget spent on cybersecurity. Smaller firms, in particular organizations with fewer than 250 employees, tended to devote a smaller proportion of their IT budgets to cybersecurity–9.8 percent on average versus 12.2 percent for larger organizations.

If you’re not flabbergasted, you should be. First of all, the idea that cybersecurity is a subset of IT is about as respectable as the idea that non-securitized mortgage derivatives are the best way to invest your child’s college fund. Cybersecurity should be the starting point, and it should have global oversight within an organization.

Network disruptions and data theft tend to be much more debilitating to small and mid-sized businesses than to large enterprises with hefty resources. “While their IT budgets are likely more modest, smaller firms need to make sure that an appropriate proportion of this budget is devoted to cybersecurity,” says Dan Burke, Hiscox’s head of cyber products in the U.S. “There are ways to prepare your business that don’t require a significant financial spend.”

Well-Defined Strategy

You can do something even if you own a small business. For starters, get some help crafting and implementing an effective cyber incident response plan; also, train and encourage your employees to practice cyber hygiene.

While you’re at it, look into outsourcing some routine security tasks to a service provider. There are many out there, and service packages are steadily becoming more cost effective for smaller firms.

“Security operations center service providers offer many of the things you need for advanced threat detection and response, replacing the need to build this capability in-house,” offers Arctic Wolf’s NeSmith. “Depending on your budget and needs, going with a service may be the fastest and most cost-effective way to execute a smarter cybersecurity strategy.”

There’s no easy answer when it comes to cybersecurity. The Hiscox report is yet another reminder that we remain entrenched in an escalating war of attrition that demands our constant attention. At the moment, and for the immediate future, cyber criminals have the upper hand. This means every consumer, every employee and every company leader must take privacy and security much more seriously.

Here’s sound counsel from Hiscox’s Burke: “Businesses must have a clearly defined cybersecurity strategy in place. Elements should include a formal budgeting process, well-defined decision structures and processes, and an awareness of changing compliance requirements.

“Businesses should engage a broad range of stakeholders . . . part of this process includes having one or more roles dedicated to cybersecurity with a dedicated support team, if possible, and making sure this person is measuring the business impact of any incidents and implementing security technologies.”

Cryptocurrency Scams Are Getting Harder to Spot. Here’s What to Look For


As cryptocurrencies like bitcoin  surge in popularity, so do scams.

As seen in the cryptocurrency subreddit, scammers have found a way to make their website addresses (URLs) look just like the authentic URLs of some popular cryptocurrency exchange sites, like Binance and Bittrex.

Unfortunately for the unsuspecting crypto trader, using your login credentials on a scam site can lead to theft of your cryptocurrency or your regular government-minted money.

Cautious cryptocurrency traders are absolutely right to look for that green “https” tag that usually comes before a website’s URL in a browser address bar. That tag helps users identify if a website is legitimate or not. But they may want to have a closer look at the URL next time they sign into their cryptocurrency exchange.

Check out how scammers can get by your defenses, even if you think you’re being vigilant:

Usually, you can tell if a website isn’t legitimate if it doesn’t have the green “https” that comes before a website’s URL.

Reddit user “chrysotileman” posted a screenshot of a fake cryptocurrency exchange site “coinsmarkets.com.” If you’re vigilant, it’s easy to spot that it’s not a legitimate site or a legitimate entity running the site because it doesn’t have the proper certification to show that’s it’s trusted.

What you’re looking for is a green “Secure” and “https” before the website’s URL address, which is a sign that the site and company obtained the proper SSL (secure sockets layer) certificates. Obtaining an SSL certificate shows that the company behind the site is trusted.


Coinsmarkets.com doesn’t have either the green “Secure” or “https” before its URL address. Instead, it has a grayed out “Not Secure” and a regular “http” before the URL.

Usually, scam sites are identified and taken down pretty quickly. If you try to visit coinsmarkets.com now, you’ll be met with an error message.

But some scammers have found ways to display the green “Secure” and “https” in the website URL address, and they make an incredibly subtle change to the site’s address.

At first glance, this URL for the popular cryptocurrency exchange Binance looks perfectly legitimate. You can clearly see the green “https” before the Binance website URL.

It isn’t clear how scammers obtain an SSL certificate, which allows them to add that re-assuring green “https” to the front of the URL. At the same time, it’s also pretty easy to get an SSL certificate from a less reputable certificate issuer.

A closer look reveals small dots under each instance of the letter “n” in the word “binance,” which shouldn’t be there.

Those two dots under the Binance URL mean that you’re not actually looking at or using the real Binance site. Instead, you’re looking at a totally different site made by scammers to look nearly identical to the Binance site.

And since the site looks familiar and the URL checks out at first glance, unsuspecting users type in their login credentials, which can then be recorded by the scammers. Once they have your account login credentials, scammers can do whatever they want in your account, including stealing your cryptocurrency and even stored USD funds.

Even if you’re vigilant, those two dots in the Binance URL are hard to notice.

Reddit user “evantbyrne” commenting on the original post said “I’ve known about this for a while and I still had difficulty spotting it in the screenshot…”

Indeed, those dots can easily pass off as specks of dust on your monitor.

In this case, scammers used the regular letter “n” with an added so-called dot diacritic, or an underdot, which is used in central European languages and Vietnamese, according to Wikipedia.

It’s far more deceiving and effective than using a number that appears similar to a letter, like using the number “1” instead of the letter “i.”
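As an added example (not part of the Inc. article), the following Python function applies the same check the article describes doing by eye: it strips combining marks such as the underdot from a hostname, shows the punycode form the browser actually resolves, maps lookalike digits to letters, and flags a collision with a protected brand list. PROTECTED_HOSTS and DIGIT_LOOKALIKES are constructed assumptions for the example, not data from the article.

```python
import unicodedata

# Brand hostnames a defender wants to protect (constructed list for this example).
PROTECTED_HOSTS = {"binance.com", "bittrex.com"}

# Digits that read as letters, the trick the article contrasts with diacritics.
# Constructed, illustrative subset; a real deployment would use Unicode's
# confusables table rather than this two-entry map.
DIGIT_LOOKALIKES = {"0": "o", "1": "i"}


def skeleton(host: str) -> str:
    """Reduce a hostname to what the eye sees.

    NFD decomposition splits a precomposed 'ṇ' (U+1E47) into 'n' + U+0323
    (COMBINING DOT BELOW); dropping every combining mark (category Mn) then
    leaves the plain 'n'. Lookalike digits are mapped to letters afterwards.
    """
    decomposed = unicodedata.normalize("NFD", host)
    stripped = "".join(ch for ch in decomposed if unicodedata.category(ch) != "Mn")
    return "".join(DIGIT_LOOKALIKES.get(ch, ch) for ch in stripped)


def analyze_hostname(host: str) -> dict:
    """Report on one hostname: non-ASCII characters with their Unicode names,
    the punycode (xn--) form, the visual skeleton, and the protected brand it
    collides with, if any."""
    host = host.strip().lower().rstrip(".")
    non_ascii = [
        (ch, f"U+{ord(ch):04X}", unicodedata.name(ch, "UNKNOWN"))
        for ch in host
        if ord(ch) > 0x7F
    ]
    try:
        # This is the form the browser sends to DNS and the certificate covers.
        punycode = host.encode("idna").decode("ascii")
    except UnicodeError:
        punycode = None
    skel = skeleton(host)
    # A lookalike is a host that is not byte-for-byte a protected name but
    # reads as one once marks and digit tricks are removed.
    lookalike = skel in PROTECTED_HOSTS and host != skel
    return {
        "host": host,
        "punycode": punycode,
        "non_ascii": non_ascii,
        "skeleton": skel,
        "lookalike_of": skel if lookalike else None,
    }


if __name__ == "__main__":
    # Constructed sample hostnames: the real brand, the underdot variant from the
    # article (written with escapes so the dots are visible in source), a digit
    # substitution, and an unrelated site.
    samples = ["binance.com", "bi\u1e47a\u1e47ce.com", "b1nance.com", "coinsmarkets.com"]
    for h in samples:
        r = analyze_hostname(h)
        verdict = f"LOOKALIKE of {r['lookalike_of']}" if r["lookalike_of"] else "ok"
        print(f"{r['host']!r:24} punycode={r['punycode']!r:28} {verdict}")
        for ch, code, name in r["non_ascii"]:
            print(f"    {ch!r} {code} {name}")
```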

Published on: Feb 21, 2018





Why Russian Propaganda Botnets Can Hurt American Companies

The latest deployment of Russian botnets directed at American politics was truly stunning. It happened via social media. One can only hope that it will notch up the urgency for government and businesses to address the serious threat that botnets have become.

I refer to House Republicans recently spreading word about a top-secret memo that purportedly showed that Democrats were in cahoots with the FBI in the investigation of the Trump campaign on allegations of collusion with Russia and subsequent obstruction of justice. Soon after the story broke, Russian botnets unleashed what has now come to be known as the #Releasethememo campaign, which instantly became a top trending hashtag among Russian bots and trolls on Twitter. It seems like a good guess that this botnet activity was aimed at adding validity to the memo in question by intimating a cover-up.

The most alarming aspect of this botnet activity is how good it is. It really does look legitimate to the untrained, and even semi-trained, eye. We now know Russian botnets fueled wildly conflicting polling results during the 2016 presidential race, and fabricated 6.1 million Twitter followers for then-candidate Donald Trump, but it’s starting to look like that was just a test run.

Adding legitimacy

The scale of these operations is made possible by botnets, the engines of cybercrime. A “bot” is a computing device poised to receive and carry out instructions from a controller. A botnet is a collection of thousands of bots reporting to a single controller.

Botnets distribute email spam and phishing attacks, probe websites for weaknesses and carry out distributed denial of service (DDoS) attacks. And, increasingly, they’re becoming a lever in high-stakes political discourse.

Botnets are well-suited to creating and maintaining myriad Twitter accounts, and using social engineering tactics to assemble vast followings. “Once these seed accounts are well established, the initial propaganda tweets can rapidly gain significant exposure,” says Andrew Jones, senior sales engineer at Shape Security. “This adds legitimacy later when bots begin to subsidize any human sponsored retweets or posts related to the propaganda to attract further attention.”

Rising presence and threat

Their use in propaganda campaigns underscores how pernicious botnets can be. And this trend is on the rise. The Spamhaus Project, a nonprofit that tracks cyber threats, counted a 32% increase in active botnet controllers in 2017. Significantly, many of these controllers leveraged virtual instances of computers spun up in the cloud, computing power made available by Amazon, Google, Microsoft and other cloud services providers.

Spamhaus also found that botnets comprised of Internet of Things (IoT) devices more than doubled to 943 in 2017, up from 393 in 2016. This is particularly bad news that points to the establishment of much larger and more powerful botnets made up of infected home routers, web cams, smart TVs and the like.

Despite the nature of the threat posed by botnets, the issue is still an abstraction for most consumers and businesses. That’s understandable given the complex digital age we live in. But until public awareness is raised considerably, the impetus to do something substantive isn’t likely to get much traction. One way to do this is to point at the messenger (i.e., the propaganda machine). What is now pointed at political issues can be easily directed at a competitor in business.

If there is any good news, it is that organizations like the National Institute of Standards and Technology and the National Council of Information Sharing and Analysis Centers have been methodically striving to address the networking flaws exploited by botnets. And just this month, the National Telecommunications and Information Administration issued a report specifically addressing botnets.

NTIA is calling upon other federal agencies to seek out partnerships with private industry to implement six “principal themes” and five “complementary and supportive goals” designed to mitigate botnet threats.

Focus on the problem

Meanwhile, innovative cyber defense technologies are getting more widely leveraged every day. Shape Security, Spamhaus and many other vendors are growing by helping companies proactively detect and deflect botnet traffic.

“Companies can challenge the bot to prove that it is a human, using various puzzles, and machine learning to determine if it is a real user,” says Rami Essaid, chief product and strategy officer at Distil Networks, another of these vendors. “All of this should happen in real-time before the bot gains access to the site.”

Someday, botnets could be ushered into obsolescence by networks designed to repel them. We’re a long way from that day. The social media platforms need to step up to the plate, and it may be necessary for Congress to add teeth to best practices protocols.

In the meantime, companies of all sizes should become well-acquainted with botnets, quantify how botnets may be hurting them, and do what’s necessary to proactively vet botnet traffic.

“There are tools and services available now that can accomplish that differentiation,” says Shape Security’s Jones. “All we need to do is make sure they’re deployed.” The first step is realizing the potential vulnerability.

Hackers Target Industrial Plants and Critical Infrastructure

There was a stunning cyberattack on a critical Middle Eastern infrastructure site recently and it hasn’t gotten the public scrutiny it deserves. Triton (A.K.A. Trisis), a new strain of malware, was discovered last month via intelligence sharing reports provided by the security vendors FireEye and Dragos. The news was the latest in a series of public disclosures about progressively more sophisticated energy plant hacks.

The specter of attacks on the power grid and other systems is no longer a matter of speculation. Hackers are testing the protections for critical infrastructure, and energy plant operators need to take the threat seriously, as do the decision makers in the industrial sector at large.

Core finding

Security analysts uncovered malware designed to take over the Schneider Electric Triconex Safety Instrumented System (SIS) at an unnamed industrial site. SIS systems are routinely used in plant settings to monitor industrial processes, and shut them down if operating parameters approach a dangerous state.

Notably, it now appears that the Triton hackers inadvertently shut off the plant’s SIS system in what may have been a botched reconnaissance operation, says Phil Neray, strategy vice president at Boston-based cybersecurity vendor CyberX.

“They had hacked into the controller of the safety system, which is there to shut everything down if something goes wrong,” Neray observes. “They evidently made a mistake and triggered the safety system to shut down the plant.”

Hacking methodology

Experts say it’s likely that the hackers initially used social engineering, perhaps a phishing ruse that prompted a plant employee to unwittingly share logon credentials to the SIS. The hackers would then have been able to embed the Triton malware in the SIS, and gain access to the system.

“Reconnaissance, pivoting, and dwelling at length within networks are common strategies for advanced hackers,” says Satya Gupta, chief technology officer at Virsec Systems, a supplier of application security systems. “Their goal certainly would have been bigger than to trip a relatively benign shutdown.”

This is a type of activity one would expect from rival nations preparing offensive and defensive strategies for cyberwar campaigns. As the attack vector becomes more defined, it gives rise to a question: How long have hackers been targeting infrastructure, and which past attacks were part of that campaign? That is unknowable, but the Triton revelation could change the way researchers view the Shamoon virus outbreaks that crippled office computers at Saudi energy companies in December 2012, and again in January 2017.

Wider implications

While stealth and misdirection are ruling principles in cyberwarfare (making attribution difficult if not impossible), it seems worth noting the Triton disclosure closed out a year in which hacking groups believed to be aligned with Russia, Iran and North Korea have been caught probing and accessing the back-office business networks of U.S. energy companies.

This flurry of activity prompted the FBI and the Department of Homeland Security to issue an amber alert warning about a wave of malware attacks targeting office workers at U.S. energy plants. Why go after office workers? Humans are always the weakest link in any security system. Industrial control systems are disconnected, or “air-gapped,” from administrative systems, and thus considered intrinsically safe, but the people who operate them are not.

Malicious hackers are very good at what they do. Increased use of cloud computing and connected mobile devices (with questionable security) has made air-gapped security obsolete, and given rise to an incipient security nightmare. The alarming accomplishment of the Triton caper was the demonstration of how a phishing attack on the IT side of the house can be leveraged to hack into the OT, or operational technology, side of the house.

“Many legacy industrial control systems were designed with ‘security by isolation,’” Gupta says. “However, with increasingly connected systems, isolation is hard to find, and it is not adequate as a security strategy.”

While there may be no reason to panic yet, this progression of energy plant probes and intrusions ought to increase the urgency for the industrial sector to begin taking proactive steps to bake security into their IT and OT systems. It’s time to address the air-gap gap.