Security

The looming cyberthreat to America’s backbone

File photo.

File photo.  (REUTERS/Kacper Pempel )

Recently a series of high-profile attacks hit U.S. infrastructure - computer networks at the White House, the State Department and U.S. Postal Service systems were compromised by hackers.

Security experts speculated that the attacks were coordinated by groups of hackers backed by a foreign government, probably one of the state-sponsored crews that is targeting U.S. critical infrastructure.

Last week National Security Agency Director Admiral Michael Rogers, reporting to the House of Representatives Intelligence Committee, confirmed the concrete risk of a major cyber attack against vital national systems.

The official expressed a serious concern about the offensive capabilities of foreign state-sponsored hackers.

“What concerns us is that access, that capability can be used by nation-states, groups or individuals to take down that capability,” he said.

Rogers referred to China as one of the most aggressive governments that has the resources and the knowledge to compromise U.S. infrastructure. Other countries are investing a great deal of effort to improve their cyber capabilities and, among them, one or probably two other states also represent a concrete menace for the U.S., warned the NSA chief.

It’s not difficult for security experts to imagine which countries Rogers was alluding to - Russia and North Korea are the most feared opponents in the cyber space, along with the China.

The NSA director also warned that hackers could serve a sophisticated malware designed to surgically hit U.S. critical infrastructure with serious repercussions on the population.

Foreign hackers, for example, could hit U.S. power utilities, telecommunication networks, financial companies and energy firms - services that represent the backbone of the Nation.

U.S. intelligence is particularly concerned by a long series of attacks that targeted the energy industry. Government sources recently reported that the Department of Homeland Security (DHS) discovered that Russian hackers have infiltrated critical U.S. infrastructure.

The U.S. Computer Emergency Readiness Team (US-CERT) reported 79 cyber attacks against energy companies in the fiscal year 2014, but experts believe that the majority of the offensives went undetected due to the high sophistication level of the tools and techniques adopted by the attackers.

Every day critical U.S. infrastructure has been hit by thousands of attacks run by state-sponsored hackers, cyber criminals and hacktivists for both cyber espionage and sabotage.

State hacking campaigns are difficult to uncover because, in most cases, Advanced Persistent Threats (APTs), or particularly stealthy hacking methods, can operate in the shadows for years before being discovered. 

The security firm FireEye has identified 50 different types of malware that were used to target companies operating in the energy industry in 2013 - spyware and Remote Access Tools (RATs) are among the malicious code most used to target energy/utilities. In July, a new variant of Havex RAT was used by hackers to scan Supervisory Control and Data Acquisition (SCADA) systems that are the core components in the control of any industrial process.

In June experts at security specialist F-Secure discovered another hacker campaign based on the same malware, the Havex RAT, that compromised nearly 1,000 energy companies across the U.S. and Europe.

In late October, US-CERT issued an Alert (ICS-ALERT-14-281-01A) related to an ongoing sophisticated malware campaign compromising Industrial Control Systems (ICS) with malicious code dubbed BlackEnergy.

BlackEnergy was authored by a Russian coder and originally used for Distributed Denial of Service (DDoS) attacks, bank frauds and spam distribution. The latest variant was used by bad actors worldwide in targeted attacks on government entities and private companies, including the European Parliament in Brussels

Last month NSA director Rogers cited the effects of major cyberattacks against the energy industry during a power grid security conference in San Antonio, Texas. Energy and power infrastructure, he warned, were not designed to be resilient to today’s cyber attacks.

“Power… is one of the segments that concerns me the most,” he said, according to a transcript obtained by CNN Money.

The U.S. Government started a series of initiatives to tighten security for companies operating in the energy industry - the DHS, FBI, national energy providers and utility companies are participating to a series of meeting to discuss cyberthreats and strengthen infrastructure.

In reality, energy companies across the globe are experiencing significant cyber attacks.  One of the most noteworthy incidents in the sector, for example, hit petroleum producer Saudi Aramco in 2012 -  nearly 30,000 computers in the company’s network were infected by the Shamoon malware.

Security experts speculated that Shamoon was a cyber weapon designed by Iranian cyber units to hit the energy industry. However, Saudi Aramco is not the only energy company compromised by a cyber attack - Qatar’s RasGas was targeted in the same year.

In August, one of the biggest cyber attacks ever to happen in Norway hit nearly 300 oil and energy companies. While the names of the targeted firms were not disclosed, official sources reported that the hacking campaign was timed to coincide with the Offshore Northern Seas exhibition in the country’s oil capital of Stavanger. The meeting was attended by oil and gas industry executives from every part of the world.

The Local website reported that 50 companies in the oil industry were compromised with another 250 at risk, including Statoil, the country’s largest oil company. The attackers used a classic spear phishing campaign to trick people into opening malicious email attachments.

Given the extent of these attacks, both in the U.S. and overseas, it’s clear that security of energy infrastructure is a shared problem that has to be addressed with high priority. If this doesn’t happen, a significant incident will result in catastrophic consequences.

Pierluigi Paganini is the author of the book “The Deep Dark Web” and founder of the Security Affairs blog.