US Electric Grid Hacked: Perpetrators Could Have Shut Down the System

The Wall Street Journal has a detailed report out today regarding a sophisticated, and successful attack by hackers into the US electric grid. The hackers could have temporarily shut off power.

The Journal claims Russia is responsible. I hate such assumptions. In the absence of hard proof, the hack could have come from China, North Korea, Israel, or even the US. Even if Russian hackers did this, there is a difference between “Russian” and “Russia”.

Please consider America’s Electric Grid Has a Vulnerable Back Door—and Russia Walked Through It.

Early victims

In the summer of 2016, U.S. intelligence officials saw signs of a campaign to hack American utilities, says Jeanette Manfra, assistant secretary of Homeland Security’s cybersecurity and communications program. The tools and tactics suggested the perpetrators were Russian. Intelligence agencies notified Homeland Security, Ms. Manfra says.

Mr. Vitello of All-Ways Excavating has no idea how the hackers got into his email account. He doesn’t recall reading CFE’s websites or clicking on tainted email attachments. Nonetheless, the intrusion was part of the Russian campaign, according to the security companies that studied the hack.

On March 2, 2017, the attackers used Mr. Vitello’s account to send the mass email to customers, which was intended to herd recipients to a website secretly taken over by the hackers.

Once Mr. Vitello realized his email had been hijacked, he tried to warn his contacts not to open any email attachments from him. The hackers blocked the message.

Sneak Attack

Hackers sent bogus emails from the account of Oregon construction contractor Mike Vitello to herd recipients to a website they had secretly taken over, called imageliners.com. Hackers then used the site to seek access to contractors that do business with U.S. power utilities.

All-Ways Excavating is a government contractor and bids for jobs with agencies including the U.S. Army Corps of Engineers, which operates dozens of federally owned hydroelectric facilities.

One [email] went to Dan Kauffman Excavating Inc., in Lincoln City, Ore., with the subject line: “Please DocuSign Signed Agreement—Funding Project.”

Office manager Corinna Sawyer thought the wording was strange and emailed Mr. Vitello: “Just received this from your email, I assume you have been hacked.”

Back came a response from the intruders who controlled Mr. Vitello’s account: “I did send it.”

Ms. Sawyer, still suspicious, called Mr. Vitello, who told her the email, like the earlier one, was fake.

Federal officials say the attackers looked for ways to bridge the divide between the utilities’ corporate networks, which are connected to the internet, and their critical-control networks, which are walled off from the web for security purposes.

The bridges sometimes come in the form of “jump boxes,” computers that give technicians a way to move between the two systems. If not well defended, these junctions could allow operatives to tunnel under the moat and pop up inside the castle walls.

In briefings to utilities last summer, Jonathan Homer, industrial-control systems cybersecurity chief for Homeland Security, said the Russians had penetrated the control-system area of utilities through poorly protected jump boxes. The attackers had “legitimate access, the same as a technician,” he said in one briefing, and were positioned to take actions that could have temporarily knocked out power.

Attack Still Ongoing

The hack started in 2016 and is still ongoing. The Journal cited many other contractors who were hacked the same way as Vitello. Here’s a recent hack.

Vello Koiv, president of VAK Construction Engineering Services in Beaverton, Ore., which does subcontracting for the Army Corps, PacifiCorp, Bonneville and Avista Corp., a utility in Spokane, Wash., says someone at his company took the bait from one of the tainted emails, but his computer technicians caught the problem, so “it was never a full-blown event.” Avista says it doesn’t comment on cyberattacks.

Mr. Koiv says he continued to get tainted emails in 2018. “Whether they’re Russian or not, I don’t know. But someone is still trying to infiltrate our server.”

Last fall, All-Ways Excavating was again hacked.

Battlefield Prepared

Industry experts say Russian government hackers likely remain inside some systems, undetected and awaiting further orders.

“What Russia has done is prepare the battlefield without pulling the trigger,” says Robert P. Silvers, former assistant secretary for cyber policy at Homeland Security and now a law partner at Paul Hastings LLP.

Assumptions

Once again, we have assumptions that “Russia is Responsible”. The excuse: “The tools and tactics suggested the perpetrators were Russian.”

It’s a bit of a leap to go from that assumption to the WSJ headline.

Scary Bottom Line

Assumptions aside, someone was able to hack into companies responsible for the US electric grid, gaining technical abilities to shut it down.

Mike “Mish” Shedlock


This post originated on MishTalk.Com

Thanks for Tuning In!

Mish


23 Comments
Webej
5 years ago

Using social engineering to get access to computers bridging public and private networks is not a sign of devious hackers but is what used to be called: “Asking for it”. The “hack” of Ukraine utilities was also accomplished by getting access (via phishing and such) to unpatched windows XP gold edition (no security patches for 16 years) PCs straddling private and public networks, and remotely controlling programs installed on these bridge boxes. It’s a lot like forgetting to use the latch on your door which is sporting a hair pin instead of a padlock.

BillSanDiego
5 years ago

Well, come on. If somebody sends you a fake document for you to “sign” and you respond with your username and password, which is mostly what is described here, you have not been “hacked.” You have been “phished,” have been revealed to be an idiot and have no one to blame but yourself.

bradw2k
5 years ago

Employees who receive regular security training fall for phishing and social engineering attacks all the time. Outside contractors are even easier targets–they’ll click on anything!

WildBull
5 years ago

The only unhackable computer is one that is not on the network. Not likely to change. Even with good security, these big systems end up with too many people that need access to maintain security, as evidenced by the story above. To keep the grid secure, the network must be kept private — as in no outside access ever. Even then, there are always spies.

pi314
5 years ago

Perhaps it is time for a new internet built from the ground up with security and privacy as priority. The current internet was not designed for today’s usage/purpose.

WildBull
5 years ago

And they want to put 100,000,000 networked autonomous vehicles on the road….

KidHorn
5 years ago

The only way to defend against someone stealing a user name/password is to also require another level of authentication. Like you need a security certificate on the client computer or a security card or maybe you have to answer security questions in addition or a combo of things. Allowing access with a simple user name and password is idiotic in this day and age.

JonSellers
5 years ago
Reply to KidHorn

Of course that creates a new set of costs: people losing their smart cards/tokens/not being able to login from home without the same equipment/extra time typing in answers to questions…

A better solution is a simple set of scripts that would compare the data in emails/websites with the domains they should be coming from. For example, if I get an email that purports to be from docusign and there is a link in it to a different domain, it automatically goes to spam. It would be problematic at first, but vendors would adapt.
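A minimal version of the check JonSellers describes, added here as an example (it is not code from the post or from any commenter): it assumes a small brand-to-domain allowlist and two constructed sample messages, one mirroring the article's DocuSign-themed lure that links to imageliners.com, and flags any link whose host falls outside the domains of the brand the message claims to be about.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Assumed allowlist: domains a brand legitimately links to (constructed for this example).
BRAND_DOMAINS = {"docusign": {"docusign.com", "docusign.net"}}

# Constructed sample messages; the lure's link domain is the one named in the article.
PHISH = """From: "All-Ways Excavating" <office@allways.example>
Subject: Please DocuSign Signed Agreement - Funding Project
Content-Type: text/html

<p>Please review and sign: <a href="https://imageliners.com/sign">View Document</a></p>
"""
LEGIT = """From: "DocuSign" <dse@docusign.net>
Subject: Please DocuSign: Funding Project agreement
Content-Type: text/plain

Review the document at https://na2.docusign.net/Signing/EmailStart.aspx?a=1
"""

def host_in_domains(host, domains):
    # True if host equals, or is a subdomain of, any allowed domain.
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def brands_claimed(msg):
    # Brands the message purports to be about, judged from Subject and From.
    text = (msg.get("Subject", "") + " " + msg.get("From", "")).lower()
    return {b for b in BRAND_DOMAINS if b in text}

def link_hosts(msg):
    # Hostnames of every http(s) URL found in the text or HTML parts.
    hosts = set()
    for part in msg.walk():
        if part.get_content_type() not in ("text/plain", "text/html"):
            continue
        body = part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
        for url in re.findall(r"https?://[^\s\"'<>]+", body):
            host = urlparse(url).hostname
            if host:
                hosts.add(host.lower())
    return hosts

def suspicious_links(raw):
    # (brand, host) pairs where a link points outside the claimed brand's domains.
    msg = message_from_string(raw)
    return [(b, h) for b in sorted(brands_claimed(msg))
            for h in sorted(link_hosts(msg))
            if not host_in_domains(h, BRAND_DOMAINS[b])]
```

A mail filter would route any message with a non-empty result to quarantine rather than the inbox; the allowlist has to be maintained per vendor, which is the adaptation JonSellers expects from vendors.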

JonSellers
5 years ago

Ran across this same hack at my last place of employment. We produced pipeline monitoring equipment. Hackers sent a fake Docusign agreement to one of our internal paralegals. The document looked perfect and we get them legitimately on occasion. She clicked on it, and it asked for a userid/password combo, so of course she put in her corporate credentials. The hacker used that to log into her Microsoft Office 365 email account. That gave him access to her contact list and off we went. We (IT) immediately forced everyone off of O365 and forced a password change. Following up with contacting all of her contacts.

BillSanDiego
5 years ago

Is this going to turn out to be like the Russian intrusion into the Vermont power company system that, it turned out, was not even connected to the Internet?

silvermitt
5 years ago

I really want to comment on this, but it would cause all kinds of problems for my husband if I did. All I can say is that the American utility heads are woefully unprepared for this, and as it would hurt the bottom line for shareholders, it’s doubtful they’d ever truly fund a stoppage to hackers.

gregggg
5 years ago

ML1
5 years ago

Why do contractors have “system access” to the electric grid?

Why does anybody have “system access” to the electric grid?

It is like information security 101 that there should be NO system access to the electric grid from the internet.

Stuki
5 years ago
Reply to ML1

A lot easier said than done. Far flung electric grid components need to communicate as well. The power cos are attempting to minimize the number of junctions between the two nets, and harden what is there, already.

This, like many/most other significant attacks, largely worked by tricking humans. Against that, the only real security, is increasing the number of maximally independent humans which need to OK something before it can take place. Tricking several independent, perhaps always rotating, people simultaneously, is a lot tougher than tricking two guys who work for the same small contractor in Oregon and are used to very informal communications, and share a lot of built in trust.

But, the more involved security processes get, the slower response time to outages and other problems will become. Requiring Trump’s in-person authorization to send someone a power bill can quickly make things a bit impractical.

Carl_R
5 years ago

Anyone remember this story from 2017?

Perhaps the initial version of the news wasn’t so fake after all.

Pater_Tenebrarum
5 years ago
Reply to Carl_R

It definitely was, and so it is again.

compsult
5 years ago

Critical systems should be using SELinux, like the NSA uses. I’d lay odds that this was another Windows system that was compromised.

ML1
5 years ago
Reply to compsult

All US intelligence agencies will soon be using the Amazon Cloud called AWS.

Stupidest decision ever…

KidHorn
5 years ago
Reply to compsult

It was Office 365, so it was an MS product. Corporate and government America uses MS products, so naturally an MS product would be involved.

Curious-Cat
5 years ago

Build a wall to keep out the hackers?

Brother
5 years ago
Reply to Curious-Cat

They tunneled under the moat.

Carl_R
5 years ago
Reply to Curious-Cat

Actually, yes. The utilities clearly need better firewalls.

CzarChasm-Reigns
5 years ago
Reply to Curious-Cat

Should call THIS the national emergency & build THAT wall.
