No big deal... Kremlin hackers 'jumped air-gapped networks' to pwn US power utilities The US Department of Homeland Security is once again accusing Russian government hackers of penetrating America's critical infrastructure. Uncle Sam's finest reckon Moscow's agents managed to infiltrate computers networks within US electric utilities – to the point where the miscreants could have virtually pressed the off …
There is no more detail right now – just a strategic exclusive briefing by Homeland Sec officials with the WSJ.
[ Edit: There's more detail here ]
Presumably the equipment suppliers have access to the utilities' networks so they can provide remote support. That's one way in. The other way is to hack vendors, infect devices, wait for them to be shipped to power plants. Phone home, somehow.
Relevant bits from the Journal:
"The Russian hackers, who worked for a shadowy state-sponsored group previously identified as Dragonfly or Energetic Bear, broke into supposedly secure, 'air-gapped' or isolated networks owned by utilities with relative ease by first penetrating the networks of key vendors who had trusted relationships with the power companies, said officials at the Department of Homeland Security.
"The cyber-attack, which surfaced in the U.S. in the spring of 2016 and continued throughout 2017, exploited relationships that utilities have with vendors who have special access to update software, run diagnostics on equipment and perform other services that are needed to keep millions of pieces of gear in working order.
"The attackers began by using conventional tools—spear-phishing emails and watering-hole attacks, which trick victims into entering their passwords on spoofed websites—to compromise the corporate networks of suppliers, many of whom were smaller companies without big budgets for cybersecurity.
"Once inside the vendor networks, they pivoted to their real focus: the utilities. It was a relatively easy process, in many cases, for them to steal credentials from vendors and gain direct access to utility networks."
C.
I was thinking "Isn't this exactly how STUXNET was infected into the Iranian nuclear programme?
Who thought US companies would be so dumb to fall for this?*
*Kidding. If a nation state started laying explosives around the infrastructure of another nation state this would be called an act of war. It is time alien code running on strategic servers was viewed in the same way.
Probably the same way those attacks always seem to go. Either the system is only air gapped 99% of the time (i.e. they have to temporarily connect it for vendor service/diagnosis) or they use USB devices as their sneakernet medium. Yes, it would be stupid to have autorun enabled on those air gapped machines, but often you see TERRIBLE security settings on air gapped machines because "they're safe from hackers, so why bother?"
With enough resources you can compromise the USB key itself to attack the system
Don't you need to modify hardware to do that? If it is even theoretically possible for software to remotely hack a USB flash storage device connected to a standard PC to make it act like a keyboard when connected to a different standard PC, color me shocked (and I'd like a link, please)
If you can leave USB keys laying around the parking lot and they're dumb enough to use that in the air gapped system, then they probably have so many other security failures you don't need this attack. If you're able to do a black bag job and break in to swap out the USB keys they use on the air gapped systems with one that's been modified, then you might as well just go directly to the air gapped system and do what you please.
@DougS,
There was a research paper a while back where they were able to re-program the microcontroller in some USB flash drives to turn them into a keyboard emulator.
What do you know, it was on El Reg...
https://www.theregister.co.uk/2014/07/31/black_hat_hackers_drive_truck_through_hole_in_usb_security/
https://www.bunniestudios.com/blog/?p=3554
Here's your link, other Doug. Bunnie and Xobs figured out how long ago, but didn't go too far into the black hat part so as to stay out of jail. But if you know computers, and know that USB sticks and SD cards can indeed be programmed with the right code (knocking sequence) then the rest follows.
Um. If somebody/anybody has remote access to a network, then it is not "air-gapped".
A properly air-gapped environment has absolutely no communications connections with any other environment, and is completely self-contained in one location.
Anything else should probably be described as "firewalled" (assuming that there are firewalls in place!)
Hang on a tick. You could try crossing an air-gapped network by infecting a software package destined for it before it's taken across the gap, but then what?
Basic security (granted, that's a bit of an assumption) would require that you check everything coming in from outside, even a vendor's network. A simple checksum calculation would show if a package has been tampered with. For that to pass, the correct checksum would have to be replaced by that of the compromised package.
OK, that might be achievable. But once you've installed your malware, how do you pass commands to it?
TBH, this reads like Cold War reds under the bed. Time to set up camp at Greenham Common again?
asic security (granted, that's a bit of an assumption) would require that you check everything coming in from outside, even a vendor's network. A simple checksum calculation would show if a package has been tampered with. For that to pass, the correct checksum would have to be replaced by that of the compromised package.
A simple checksum would be easy to spoof, but if checksum was HMAC'd or encrypted, then less so
I noticed this.... BUT
"We're told, and can well believe, that the equipment makers and suppliers have special access into the utilities' networks in order to provide remote around-the-clock support and patch deployment"
So... not air-gapped then if suppliers could log in to provide remote support?
Ok try this:
Infect vendors networks
Conntect Laptop to network
Laptop infected
Take laptop on service call to air gaped network & plugin
Air gaped network infected
Malware delivers payload/slurps info
Passed info back to laptop
Take laptop back to vendor and plug into network
Data sent home
Simples?
Gaining access to unrelated systems in order to know about the social graph of the target.
You then use that information to pose as a trusted partner, e.g. the vendor of the software, and send "updates" or office documents with which you can infiltrate the system.
This can be done via e-mail or, depending on the typical way software updates are distributed, postal mail. If your vendor sends you software updates via mail, sending a fake update which looks the same as a real one won't raise any suspicion and it will be installed.
BTW probably _all_ secret services do that kind of thing.
Yeah, but they used to be commies and they're probably still commies really so they're the bad guys and they were infecting US computers with malware and everyone knows that is an ACT OF WAR.
Stuxnet was just a prank that got a little out of hand but it didn't do any harm and even if it did those eye-ranians are bad guys and they deserved it and they were going to attack us so we retaliated in self defence first.
The US will have their NSA equivalent (or whichever agency it is).
They will know how to properly secure such things. No one will ask them, no one will listen to their answers if they do.
It'll be too expensive to implement. I.E any cost higher than the current one.
BBbbbbut sir...
What about all the k1dd13 college funds, pensions, retirement boats and timeshares in the Caribbean?
If the networks are properly secured and there is no more Red Bear threat there will be no jobs for the people who draft these announcements.
On a more serious note, this is more believable than the usual crap fed by the 3 letters to the press including the air-gapped story. While the networks are air-gapped at the utility, they quite often have remote out-of-band or private network access from the vendor which is supposed to be accessing it from an air gapped machine. Quite clearly they do not. That is believable (same as using vendors as a vector).
I'll bet some of these "air gapped" systems have a modem or possibly a leased line connected to a private network (the beancounter says "air gapped from the internet is good enough, right?")
Air gapped systems still need to be supported, which implies something gets access to them at some point. You could say "fine, everything that touches them has to be air gapped" but that's reductio ad absurdum.
A vendor creates a software update, intending to deliver it to the air gapped customer systems. How do they get that software update off their non-gapped developer machines onto an air gapped system in a 100% secure manner. Answer: you can't. They'd have to have 100% air gapped developer machines, which is totally infeasible.
Another issue is that too many will assume that because systems are air gapped, they're secure by default and thus don't need to be locked down, don't need good passwords, don't need patching, etc.
On a more serious note, this is more believable than the usual crap fed by the 3 letters to the press including the air-gapped story.
I'm unconvinced. First there's a logic flaw that all if there's all these holes in SCADA systems, why do they need this remote access yet without fixing the flaws, particularly when the TLAs are telling them there's all these issues? Second, we've been told for years that Iran/Norks/ISIS et al have staggeringly capable state sponsored hackers. If all the holes are there, and there are adversaries who don't see any downside, why haven't they been exploited? Even for the usual state sponsored nasties (Russia/China/Israel) there would be the potential for "fun" false flag attacks.
More Chicken Little shit from the TLAs, in my view. Which isn't to say that there are no problems with SCADA, merely that the current "news" is deliberate attempts to create a moral panic to justify some bureaucrat's job, or some commercially preferred course of action.
I'm unconvinced. First there's a logic flaw that all if there's all these holes in SCADA systems, why do they need this remote access yet without fixing the flaws, particularly when the TLAs are telling them there's all these issues?
=============================================================================
Do you really want to start messing around with the PDP-11 assembler code that controls a running nuclear power plant? Years after the person who understood all the issues and wrote it retired and/or died?
Some things, if working properly, should not be changed.
If you want to know how old the hardware and software at a nuclear plant may be, look at how long ago the first of that model/submodel of reactor powered up, then add a few years for testing, certification of hardware and software, retesting, etc.
I suspect that the more critical the system, the older the hardware and software is likely to be. There is a reason the space shuttles were run by 286s, generations obsolete in the outside world.
So access that is 'special' doesn't count in a not really airgapped system?
Either it has an air gap or it doesn't, remote access no matter how 'special' by definition cannot be an air gap.
General: "Okay, this is all out nukular war, launch a strike"
Minion pressing big red button: " Erm the button doesn't seem to be working Sir.
General: "I said launch a strike....... anyone got a box of matches?
I would assume it's two machines on something like GSM modems that allow access to the control system in emergencies. If it was me I'd also put a 5 second delay when the modem picks up, wrap the them in foil and put a sticker on them saying beware of the budgie, that's why I don't work with control systems.
You didn't explicitly state your bicycle was in the cellar when you found it with a flat tyre. I can't assume you didn't leave it chained up outside your house.
Even if it was stored in your cellar, the Russians could have used a needle when you popped into the corner shop the previous day to give you a slow puncture that takes time to manifest.
I think there needs to be a discussion on the meaning of "Air Gapped"
The last article throwing that phrase around seemed to imply some malware had achieved magic powers , and caused more confusion than it enlightened - and that was malware that didnt need to phone home. This hack apparently does , if the russians want to "throw switches" , so it navigates the "air gap" at will , not just once.
I think what we are learning here is that very few systems are indeed "Air gapped" . Were these power companies claiming that?
Indeed. A true air-gapped network will have no physical or ethereal (wifi) connection other networks i.e. the outside world.
Although there have been a couple of clever proof of concept ways to breach this (acoustic for example), they always initially require physical access to the "gapped" network (or components of) to install required components (malware). You can't get roll up and access a gapped network unless it has already been compromised.
A true air-gapped network can only transfer data to and from another network via physical media transfer.
Stuxnet only needed to work in one direction, it needed no command and control and it didn't need to send any data back. The perp could find out it worked via the failure and reorder rate of centrifuges and other info likely to leak out.
It's a different case.
Now, what goes around DOES come around, sooner or later. Why are they in such a panic? Even if it isn't true just now (likely) then, well, later...
And they need to whip up fear to keep their jobs. HL Mencken had a few tasty quotes on that one.
"A true air-gapped network"
OFFS, saying this is as bad as those Interns looking for the Stand Alone Internet
Terminals and this Industry calling itself the Cloud. You've marketed away your security.
Like it matters anyway since China and the CIA has backdoored every Router and Switch so....
The usual pattern for this sort of thing is that it starts when the US do this to someone else. The US counter-intelligence department then find out what their colleges on the floor above have been up to and crap their pants over the thought that someone might do the same to them. They then stage a series of leaks into the press that someone else has been doing it to them in an effort to whip up enough publicity to spur the industry into taking some preventive measures.
Prior to the news of what the Americans did to Iran with Stuxnet, there was a long series of "confidential intelligence briefings" to selected newspapers and politicians about how US utilities may be vulnerable to being hacked. A demonstration using a specially set up diesel generator (simulating a power plant) was conducted which was supposed to show how SCADA systems could be infiltrated.
The utility industry just shrugged it off, as they weren't seeing any of this in practice. And then Stuxnet hit the news and we saw that it had done exactly the sort of SCADA infiltration that the Americans had claimed was the threat to US utilities.
And then there was the big campaign using the same PR techniques over how Chinese IT gear might have back doors in it. Nobody could find these back doors, but we were assured they might be there and it was a huge national security risk. And then it turned out that the American NSA was putting back doors in Cisco kit.
I could go on with more examples, but the pattern follows a well-worn groove by now. The US hacks someone else, they crap themselves over the thought that someone might do the same to them, they start a propaganda campaign via the channel of suitably compliant major news media to whom they give an "exclusive" in return for not asking the wrong sort of questions, and industry is left to wonder "WTF?" because the story is full of holes due to so many details being held back because of course the US doesn't want the target they had actually hacked to find out what had been done.
To address the story in particular, very likely the "air gapped" systems aren't actually air gapped. The utility has an "air gap" policy, but an exception was made for remote vendor support. The vendor isn't air gapped because they're too small to have a dedicated IT security team who could plan such a thing. And true "air gapping" probably isn't practical to begin with because the vendors are software developers who need to get software updates from Microsoft and their PCs need to connect to the Internet on a regular basis to validate software licenses, etc., etc.
And if software updates from the vendors to the utilities aren't conducted on a timely basis, ordinary bugs can crash the electric network just as surely as malicious action could.
Genuine security is probably possible, but it would require a complete overhaul of the industry and the relationships with vendors and the software development environments they use, and that simply isn't going to happen any time soon.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
