Cyber Warfare Is The Future - Has Our Power Grid Already Been Hacked?
By Daisy Luther/Organic Prepper September 26, 2017
Share this article:
A report by internet security experts, Symantec, says that
a hacking group called Dragonfly 2.0 has gained access to 20 power
company networks. The American power grid has been hacked, but for some
reason, the culprits restrained themselves from taking down the power
like they did in Ukraine recently.
a hacking group called Dragonfly 2.0 has gained access to 20 power
company networks. The American power grid has been hacked, but for some
reason, the culprits restrained themselves from taking down the power
like they did in Ukraine recently.
The targets
were in the United States, Turkey, and Switzerland. According to
Symantec, the hackers did gain access to the interface they would need
to control the power equipment, with which they could cause a widespread
blackout. Eric Chien, a Symantec security analyst, told Wired:
were in the United States, Turkey, and Switzerland. According to
Symantec, the hackers did gain access to the interface they would need
to control the power equipment, with which they could cause a widespread
blackout. Eric Chien, a Symantec security analyst, told Wired:
"There's
a difference between being a step away from conducting sabotage and
actually being in a position to conduct sabotage ... being able to flip
the switch on power generation. We're now talking about on-the-ground
technical evidence this could happen in the US, and there's nothing left
standing in the way except the motivation of some actor out in the
world."
a difference between being a step away from conducting sabotage and
actually being in a position to conduct sabotage ... being able to flip
the switch on power generation. We're now talking about on-the-ground
technical evidence this could happen in the US, and there's nothing left
standing in the way except the motivation of some actor out in the
world."
While we were all focused on the
natural disasters like wildfires and hurricanes looming over us, this
report went all but unnoticed by the mainstream and alternative media
alike.
natural disasters like wildfires and hurricanes looming over us, this
report went all but unnoticed by the mainstream and alternative media
alike.
A power grid attack could shut down
commerce and destroy our already precarious financial system. It could
take down our medical system. If the damage was long-lasting, chaos
would erupt and it wouldn't take long for the death toll to skyrocket,
so dependent are we on power at the flip of a switch.
commerce and destroy our already precarious financial system. It could
take down our medical system. If the damage was long-lasting, chaos
would erupt and it wouldn't take long for the death toll to skyrocket,
so dependent are we on power at the flip of a switch.
How did the hackers get in?
Remember
how John Podesta ended up being the victim of a phishing scheme that
allowed the Clinton campaign to be hacked? This was pretty much the same
thing. The Symantec report explains that this has been going on for a
couple of years now, but that activity has sharply increased this year:
how John Podesta ended up being the victim of a phishing scheme that
allowed the Clinton campaign to be hacked? This was pretty much the same
thing. The Symantec report explains that this has been going on for a
couple of years now, but that activity has sharply increased this year:
Symantec
has strong indications of attacker activity in organizations in the
U.S., Turkey, and Switzerland, with traces of activity in organizations
outside of these countries. The U.S. and Turkey were also among the
countries targeted by Dragonfly in its earlier campaign, though the
focus on organizations in Turkey does appear to have increased
dramatically in this more recent campaign.
has strong indications of attacker activity in organizations in the
U.S., Turkey, and Switzerland, with traces of activity in organizations
outside of these countries. The U.S. and Turkey were also among the
countries targeted by Dragonfly in its earlier campaign, though the
focus on organizations in Turkey does appear to have increased
dramatically in this more recent campaign.
As
it did in its prior campaign between 2011 and 2014, Dragonfly 2.0 uses a
variety of infection vectors in an effort to gain access to a victim's
network, including malicious emails, watering hole attacks, and
Trojanized software.
it did in its prior campaign between 2011 and 2014, Dragonfly 2.0 uses a
variety of infection vectors in an effort to gain access to a victim's
network, including malicious emails, watering hole attacks, and
Trojanized software.
The earliest activity
identified by Symantec in this renewed campaign was a malicious email
campaign that sent emails disguised as an invitation to a New Year's Eve
party to targets in the energy sector in December 2015.
identified by Symantec in this renewed campaign was a malicious email
campaign that sent emails disguised as an invitation to a New Year's Eve
party to targets in the energy sector in December 2015.
The
group conducted further targeted malicious email campaigns during 2016
and into 2017. The emails contained very specific content related to the
energy sector, as well as some related to general business concerns.
Once opened, the attached malicious document would attempt to leak
victims' network credentials to a server outside of the targeted
organization.
group conducted further targeted malicious email campaigns during 2016
and into 2017. The emails contained very specific content related to the
energy sector, as well as some related to general business concerns.
Once opened, the attached malicious document would attempt to leak
victims' network credentials to a server outside of the targeted
organization.
In July, Cisco blogged about
email-based attacks targeting the energy sector using a toolkit called
Phishery. Some of the emails sent in 2017 that were observed by Symantec
were also using the Phishery toolkit (Trojan.Phisherly), to steal
victims' credentials via a template injection attack. This toolkit
became generally available on GitHub in late 2016,
email-based attacks targeting the energy sector using a toolkit called
Phishery. Some of the emails sent in 2017 that were observed by Symantec
were also using the Phishery toolkit (Trojan.Phisherly), to steal
victims' credentials via a template injection attack. This toolkit
became generally available on GitHub in late 2016,
As
well as sending malicious emails, the attackers also used watering hole
attacks to harvest network credentials, by compromising websites that
were likely to be visited by those involved in the energy sector.
well as sending malicious emails, the attackers also used watering hole
attacks to harvest network credentials, by compromising websites that
were likely to be visited by those involved in the energy sector.
The
stolen credentials were then used in follow-up attacks against the
target organizations. In one instance, after a victim visited one of the
compromised servers, Backdoor.Goodor was installed on their machine via
PowerShell 11 days later. Backdoor.Goodor provides the attackers with
remote access to the victim's machine...
stolen credentials were then used in follow-up attacks against the
target organizations. In one instance, after a victim visited one of the
compromised servers, Backdoor.Goodor was installed on their machine via
PowerShell 11 days later. Backdoor.Goodor provides the attackers with
remote access to the victim's machine...
...Symantec
also has evidence to suggest that files masquerading as Flash updates
may be used to install malicious backdoors onto target networks--perhaps
by using social engineering to convince a victim they needed to
download an update for their Flash player. Shortly after visiting
specific URLs, a file named "install_flash_player.exe" was seen on
victim computers, followed shortly by the Trojan.Karagany.B backdoor.
also has evidence to suggest that files masquerading as Flash updates
may be used to install malicious backdoors onto target networks--perhaps
by using social engineering to convince a victim they needed to
download an update for their Flash player. Shortly after visiting
specific URLs, a file named "install_flash_player.exe" was seen on
victim computers, followed shortly by the Trojan.Karagany.B backdoor.
Typically, the attackers will install one or two
backdoors onto victim computers to give them remote access and allow
them to install additional tools if necessary. Goodor, Karagany.B, and
Dorshel are examples of backdoors used, along with Trojan.Heriplor.
backdoors onto victim computers to give them remote access and allow
them to install additional tools if necessary. Goodor, Karagany.B, and
Dorshel are examples of backdoors used, along with Trojan.Heriplor.
The moral of this story? Be careful what you do online.
This was a recon mission.
So,
they got in but why didn't they do anything? According to one expert,
they were just in there looking around. John Hultquist, a researcher for
FireEye security, said of another such intrusion, "In our experience
groups that have solely targeted energy like this have been carrying out
reconnaissance for attack,"
they got in but why didn't they do anything? According to one expert,
they were just in there looking around. John Hultquist, a researcher for
FireEye security, said of another such intrusion, "In our experience
groups that have solely targeted energy like this have been carrying out
reconnaissance for attack,"
According to the report by Symantec:
The
Dragonfly group appears to be interested in both learning how energy
facilities operate and also gaining access to operational systems
themselves, to the extent that the group now potentially has the ability
to sabotage or gain control of these systems should it decide to do
so.
Dragonfly group appears to be interested in both learning how energy
facilities operate and also gaining access to operational systems
themselves, to the extent that the group now potentially has the ability
to sabotage or gain control of these systems should it decide to do
so.
Back in July of this year, hackers got
into an American nuclear power plant in Kansas. On the bright side, they
were just into the business side of the Wolf Creek nuclear power plant
near Burlington, Kansas, and did not obtain access to the controls. But
it's still pretty unsettling that they'd even get that close.
into an American nuclear power plant in Kansas. On the bright side, they
were just into the business side of the Wolf Creek nuclear power plant
near Burlington, Kansas, and did not obtain access to the controls. But
it's still pretty unsettling that they'd even get that close.
If
someone was able to get into the control section, not only could they
cause a power outage, but they could potentially disable the nuclear
safeguards. Eric Chien suspects that while this hack was originally
blamed on the Russians (because, really, what isn't blamed on the
Russians?) that the Dragonfly 2.0 hackers were the ones who were
responsible. ""It's highly unlikely this is just coincidental."
someone was able to get into the control section, not only could they
cause a power outage, but they could potentially disable the nuclear
safeguards. Eric Chien suspects that while this hack was originally
blamed on the Russians (because, really, what isn't blamed on the
Russians?) that the Dragonfly 2.0 hackers were the ones who were
responsible. ""It's highly unlikely this is just coincidental."
Symantec seems to believe this will lead to something much, much worse:
Sabotage
attacks are typically preceded by an intelligence-gathering phase where
attackers collect information about target networks and systems and
acquire credentials that will be used in later campaigns...The original
Dragonfly campaigns now appear to have been a more exploratory phase
where the attackers were simply trying to gain access to the networks of
targeted organizations.
attacks are typically preceded by an intelligence-gathering phase where
attackers collect information about target networks and systems and
acquire credentials that will be used in later campaigns...The original
Dragonfly campaigns now appear to have been a more exploratory phase
where the attackers were simply trying to gain access to the networks of
targeted organizations.
The Dragonfly 2.0
campaigns show how the attackers may be entering into a new phase, with
recent campaigns potentially providing them with access to operational
systems, access that could be used for more disruptive purposes in
future.
campaigns show how the attackers may be entering into a new phase, with
recent campaigns potentially providing them with access to operational
systems, access that could be used for more disruptive purposes in
future.
Who is behind Dragonfly?
Symantec
isn't sure who is behind the intrusions and says that many of their
actions are aimed at making it difficult to figure out.
isn't sure who is behind the intrusions and says that many of their
actions are aimed at making it difficult to figure out.
Some of the group's activity appears to be aimed at making it more difficult to determine who precisely is behind it:
The
attackers used more generally available malware and "living off the
land" tools, such as administration tools like PowerShell, PsExec, and
Bitsadmin, which may be part of a strategy to make attribution more
difficult. The Phishery toolkit became available on Github in 2016, and a
tool used by the group--Screenutil--also appears to use some code from
CodeProject.
attackers used more generally available malware and "living off the
land" tools, such as administration tools like PowerShell, PsExec, and
Bitsadmin, which may be part of a strategy to make attribution more
difficult. The Phishery toolkit became available on Github in 2016, and a
tool used by the group--Screenutil--also appears to use some code from
CodeProject.
The attackers also did not use any zero days. As with the
group's use of publicly available tools, this could be an attempt to
deliberately thwart attribution, or it could indicate a lack of
resources.
group's use of publicly available tools, this could be an attempt to
deliberately thwart attribution, or it could indicate a lack of
resources.
Some code strings in the malware were in Russian.
However, some were also in French, which indicates that one of these
languages may be a false flag.
However, some were also in French, which indicates that one of these
languages may be a false flag.
Conflicting
evidence and what appear to be attempts at misattribution make it
difficult to definitively state where this attack group is based or who
is behind it.
evidence and what appear to be attempts at misattribution make it
difficult to definitively state where this attack group is based or who
is behind it.
The report also references the possibility of a false flag.
Our power grid has been hacked.
Our
grid has been hacked. Symantec's report refuses to disclose which power
plants were compromised, but there seems to be no doubt the hackers
were able to gain access to operational control of them. And while this
has been going on for a few years now, they're getting bolder and nearly
have the pieces in place to widespread sabotage our power grid.
grid has been hacked. Symantec's report refuses to disclose which power
plants were compromised, but there seems to be no doubt the hackers
were able to gain access to operational control of them. And while this
has been going on for a few years now, they're getting bolder and nearly
have the pieces in place to widespread sabotage our power grid.
What
is clear is that Dragonfly is a highly experienced threat actor,
capable of compromising numerous organizations, stealing information,
and gaining access to key systems. What it plans to do with all this
intelligence has yet to become clear, but its capabilities do extend to
materially disrupting targeted organizations should it choose to do so.
is clear is that Dragonfly is a highly experienced threat actor,
capable of compromising numerous organizations, stealing information,
and gaining access to key systems. What it plans to do with all this
intelligence has yet to become clear, but its capabilities do extend to
materially disrupting targeted organizations should it choose to do so.
After
last December's malware attack that took down the grid in Ukraine, the
power was back on in most places within 6 hours. But...two months later,
the controls were still not fully operational. Nothing was able to be
done remotely. Someone had to manually control the breakers for months
after the attack.
last December's malware attack that took down the grid in Ukraine, the
power was back on in most places within 6 hours. But...two months later,
the controls were still not fully operational. Nothing was able to be
done remotely. Someone had to manually control the breakers for months
after the attack.
In the US, it might not go so smoothly.
That's
actually a better outcome than what might occur in the US, experts say,
since many power grid control systems here don't have manual backup
functionality, which means that if attackers were to sabotage automated
systems here, it could be much harder for workers to restore power.
actually a better outcome than what might occur in the US, experts say,
since many power grid control systems here don't have manual backup
functionality, which means that if attackers were to sabotage automated
systems here, it could be much harder for workers to restore power.
No manual controls? Yay, progress. But the Ukraine attack could have been worse.
The
fact that the hackers could have done much more damage than they did do
if only they had decided to physically destroy substation equipment as
well, making it much harder to restore power after the blackout. The US
government demonstrated an attack in 2007 that showed how hackers could
physically destroy a power generatorsimply by remotely sending 21 lines
of malicious code.
fact that the hackers could have done much more damage than they did do
if only they had decided to physically destroy substation equipment as
well, making it much harder to restore power after the blackout. The US
government demonstrated an attack in 2007 that showed how hackers could
physically destroy a power generatorsimply by remotely sending 21 lines
of malicious code.
The Ukrainian grid was hit
again with the NotPetya attack earlier this summer, a cyber attack that
quickly spread globally. It's naive to think that
again with the NotPetya attack earlier this summer, a cyber attack that
quickly spread globally. It's naive to think that
Our
power grid has been hacked, and it's naive to think that a massive
cyber attack couldn't happen to us. Cyber warfare is the war of the
future and there is more and more proof that it isn't a matter of if,
but when.
power grid has been hacked, and it's naive to think that a massive
cyber attack couldn't happen to us. Cyber warfare is the war of the
future and there is more and more proof that it isn't a matter of if,
but when.
Originally published at The Organic Prepper - reposted with permission.
Cyber Warfare Is The Future – Has Our Power Grid Already Been Hacked? – Re-Shared and administered by Aaron Halim
