How Prepared Is Our Electric Grid for the CrashOverride Hack?
As we (citizens at least, not our complicit President Trump) contemplate cyber battles like Wikileaks, email hacks, the worst malware, and our very own Stuxnet virus, we had better look to our own defenses.
It does not appear confidence-inspiring. Not long ago infrastructure hacks were a point of derision. Paranoia, they said. That lesson stuck as a convenient money- and time-saving excuse to do little or nothing. Foolish thinking. I contend that, in general, the advantage is to the offence in cyber battles. Defense is steps behind, in reactive, not proactive, mode by sheer necessity. “Zero day” is an interesting phrase. It refers to particular flaws in our devices that we are completely vulnerable to on an ongoing basis. The good guys are playing whack-a-mole.
What happens when Russian hackers take out an electrical grid right here and some people die?
My first evidence is found at Wired.
HOW AN ENTIRE NATION BECAME RUSSIA’S TEST LAB FOR CYBERWAR
Lee’s critical infrastructure security startup, Dragos, is one of two firms that have pored through the malware’s code; Dragos obtained it from a Slovakian security outfit called ESET. The two teams found that, during the attack, CrashOverride was able to “speak” the language of the grid’s obscure control system protocols, and thus send commands directly to grid equipment. In contrast to the laborious phantom-mouse and cloned-PC techniques the hackers used in 2015, this new software could be programmed to scan a victim’s network to map out targets, then launch at a preset time, opening circuits on cue without even having an internet connection back to the hackers. In other words, it’s the first malware found in the wild since Stuxnet that’s designed to independently sabotage physical infrastructure.
“In 2015 they were like a group of brutal street fighters. In 2016, they were ninjas.”
And CrashOverride isn’t just a one-off tool, tailored only to Ukrenergo’s grid. It’s a reusable and highly adaptable weapon of electric utility disruption, researchers say. Within the malware’s modular structure, Ukrenergo’s control system protocols could easily be swapped out and replaced with ones used in other parts of Europe or the US instead.
Following up from Ars Technica
Programmers and code writers can understand far better than I. What I can seem to get is that this is a very credible threat.
Sandworm
Dragos said the people who developed Crash Override have direct ties to a hacking group called “Sandworm.” Many researchers suspect Sandworm is Russian, based on its choice of targets, technical expertise, and the specific malware the group has used over the years. In 2014, researchers with security firm iSIGHT Partners uncovered a hacking campaign that company researchers said was the work of Sandworm that targeted NATO, the Ukrainian and Polish governments, and European industries. One of the hacking group’s calling cards was BlackEnergy, a tool that was once used in denial-of-service attacks but was later used in espionage campaigns.
A revamped version of BlackEnergy was one of two pieces of malware found on the Ukrainian computers compromised in the 2015 attack. The attackers used BlackEnergy3 to break into the corporate networks of the targeted power companies and then further encroach into the supervisory control and data acquisition systems the companies used to generate and transmit electricity. Based on the reconnaissance BlackEnergy3 performed, the attackers were able to use legitimate functionality commonly found in power distribution and transmission to trigger a failure that caused more than 225,000 people to go without power for more than six hours.