Issue link: https://securitytechnologyexecutive.epubxp.com/i/917121
10 SECURIT Y TECHNOLOGY E XECUTIVE • November/December 2017 • www. SecurityInfoWatch.com TECH TRENDS By Ray Coulombe • ray@SecuritySpecifiers.com Ray Coulombe i s F o u n d e r a n d M a n a g i n g D i r e c t o r o f S e c u r i t y S p e c i f i e r s . c o m a n d R e p s F o r S e c u r i t y . c o m . R a y c a n b e r e a c h e d a t r a y @ S e c u r i t y S p e c i f i e r s . c o m , t h r o u g h L i n k e d I n a t w w w. l i n k e d i n . c o m / i n / r a y c o u l o m b e o r f o l l o w e d o n Tw i t t e r @ R a y C o u l o m b e . R ecently, it was reported that North Korea was exploring ways to penetrate our elec- trical grid – most likely to position the country to launch a preemptive or retalia- tory cyber-attack. The article, available at www.securityinfowatch.com/12374400, describes a spear phishing attack sent to people in the electric utility industry that used fake fundraiser invita- tions containing malware. The story suggests that this was the first such attempt by the North Koreans, although this technique has been used previously by Russian hackers. As a refresher, spear phishing is the fraudulent practice of sending emails ostensibly from a known or trusted sender in order to induce targeted individu- als to reveal confidential information. It is difficult for me to believe this was North Korea's first attempt; in fact, their cyber warfare capability has been clear for some time and gained notoriety after the Sony hack. If the Russians have the capability to take down a power grid, it is not an unreasonable assumption that North Korea has access to many of the same tools. It is helpful to look at a recent set of events to understand how this can work, and a 2015 directed cyberattack on the Ukrainian power grid provides a good example. The attack cut power to 225,000 customers, followed by a smaller one a year later in Dec. 2016 in Kiev. For integrators who help protect critical infrastruc- ture, this is must-read and must-understand stuff; for integrators who service less regulated but still cyber- vulnerable clients, it should serve as an illustration of their responsibilities to help clients craft effective cybersecurity best practices. Phishing Attack Leads to SCADA Exploit The first steps in the Dec. 2015 attack in Ukraine were taken the previous spring with a spear-phishing campaign targeting IT staff and system administrators working for Ukrainian power distribution companies. A malicious Word document contained in the email, if opened, would display a popup asking users to enable macros in the document. The macros were designed to infect the target machine with a malware program called BlackEnergy3 and open a backdoor. One infected, program enabled the hackers to establish a foothold and utilize keystroke loggers to Hacking the Lights Out What integrators can learn from recent worldwide power grid cyberattacks perform login credential theft, and over the course of a few months, they conducted extensive reconnais- sance by mapping networks and obtaining access to user accounts. Among the stolen worker credentials were those for VPNs used to remotely log in to the Supervisory Control and Data Acquisition (SCADA) network – used to monitor and control utility plants and related equipment. Hackers also reconfigured UPS systems to prevent them from coming back online once they were disabled. On the day of the attack, the hackers entered the SCADA networks with the hijacked VPNs and sent commands to disable the reconfigured UPS systems; then, they launched a telephone denial-of- service (TDOS) attack against customer call centers to prevent calls reporting the outage. The combined attacks left the utility blind to what was happening. Next, the hackers overwrote firmware with mali- cious programs on substation serial-to-Ethernet converters – designed to communicate serially (e.g. RS-232) from the SCADA network to the substation control systems. Without working converters, opera- tors were unable to send remote commands to close the breakers to restore power – requiring them to travel to substations to physically close them. After they had completed all of this, hackers then used a piece of malware called KillDisk to wipe files from operator stations to crash and to render them inoperable. Because the malware also overwrites the master boot record, infected computers could not reboot. For further analysis on the attack from SANS and E-ISAC (Electricity Information Shar- ing and Analysis Center), visit www.nerc.com/pa/ CI/ESISAC/Documents/E-ISAC_SANS_Ukraine_ DUC_18Mar2016.pdf. All this from an employee opening a single mal- ware-infected email attachment! U.S. Power Grid Vulnerabilities Experts suggest that control systems in Ukraine were more secure than some in the U.S., because they were segmented via firewall from the control center busi- ness networks. The SCADA network, however, had no requirement for two-factor authentication for workers logging in remotely – which enabled the attackers to use hijacked credentials to gain crucial access to the systems controlling the breakers. While Ukrainian operators had to manually reset breakers, some U.S. systems do not have this ability. Continued on page 14