posted by Fnord666 on Tuesday June 18 2019, @07:55AM
from the playing-with-fire dept.

Submitted via IRC for SoyCow4408

Hackers behind dangerous oil and gas intrusions are probing US power grids

In a new troubling escalation, hackers behind at least two potentially fatal intrusions on industrial facilities have expanded their activities to probing dozens of power grids in the US and elsewhere, researchers with security firm Dragos reported Friday.

The group, now dubbed Xenotime by Dragos, quickly gained international attention in 2017 when researchers from Dragos and the Mandiant division of security firm FireEye independently reported Xenotime had recently triggered a dangerous operational outage at a critical-infrastructure site in the Middle East. Researchers from Dragos have labeled the group the world's most dangerous cyber threat ever since.

The most alarming thing about this attack was its use of never-before-seen malware that targeted the facility's safety processes. Such safety instrumented systems are a combination of hardware and software that many critical infrastructure sites use to prevent unsafe conditions from arising. When gas fuel pressures or reactor temperatures rise to potentially unsafe thresholds, for instance, an SIS will automatically close valves or initiate cooling processes to prevent health- or life-threatening accidents.

In April, FireEye reported that the SIS-tampering malware, known alternately as Triton and Trisis, was used in an attack on another industrial facility.

Now, Dragos is reporting that Xenotime has been performing network scans and reconnaissance on multiple components across the electric grids in the US and in other regions. Sergio Caltagirone, senior VP of threat intelligence at Dragos, told Ars his firm has detected dozens of utilities—about 20 of them located in the US—that have been subjected to Xenotime probes since late 2018. While the activities indicate only an initial exploration and there's no evidence the utilities have been compromised, he said the expansion was nonetheless concerning.

"The threat has proliferated and is now targeting the US and Asia Pacific electric utilities, which means that we are no longer safe thinking that the threat to our electric utilities is understood or stable," he said in an interview. "This is the first signal that threats are proliferating across sectors, which means that now we can't be certain that a threat to one sector will stay in that sector and won't cross over."

[...] While none of the electric utility targeting events has resulted in a known, successful intrusion into victim organizations to date, the persistent attempts and expansion in scope are cause for definite concern. XENOTIME has successfully compromised several oil and gas environments, which demonstrates its ability to do so in other verticals. Specifically, XENOTIME remains one of only four threats (along with ELECTRUM, Sandworm, and the entities responsible for Stuxnet) to execute a deliberate disruptive or destructive attack.

XENOTIME is the only known entity to specifically target safety instrumented systems (SIS) for disruptive or destructive purposes. Electric utility environments are significantly different from oil and gas operations in several aspects, but electric operations still have safety and protection equipment that could be targeted with similar tradecraft. XENOTIME expressing consistent, direct interest in electric utility operations is a cause for deep concern given this adversary's willingness to compromise process safety – and thus integrity – to fulfill its mission.


Related Stories

"Watermarking" to Protect Control Systems from Hackers

From the IEEE, an algorithm that creates "background noise" during data transmission that alerts officials to hacking:

Some of the most important industrial control systems (ICSs), such as those that support power generation and traffic control, must accurately transmit data at the milli- or even micro-second range. This means that hackers need only interfere with the transmission of real-time data for the briefest of moments to succeed in disrupting these systems. The seriousness of this type of threat is illustrated by the Stuxnet incursion in 2010, when attackers succeeded in hacking the system supporting Iran's uranium enrichment factory, damaging more than 1000 centrifuges.

Now a trio of researchers has disclosed a novel technique that could more easily identify when these types of attacks occur, triggering an automatic shutdown that would prevent further damage.

The problem was first brought up in a conversation over coffee two years ago. "While describing the security measures in current industrial control systems, we realized we did not know any protection method on the real-time channels," explains Zhen Song, a researcher at Siemens Corporation. The group began to dig deeper into the research, but couldn't find any existing security measures.

[...] The approach involves the transmission of real-time data over an unencrypted channel, as conventionally done. In the experiment, a specialized algorithm in the form of a recursive watermark (RWM) signal is transmitted at the same time. The algorithm encodes a signal that is similar to "background noise," but with a distinct pattern. On the receiving end of the data transmission, the RWM signal is monitored for any disruptions, which, if present, indicate an attack is taking place. "If attackers change or delay the real-time channel signal a little bit, the algorithm can detect the suspicious event and raise alarms immediately," Song says.

Critically, a special "key" for deciphering the RWM algorithm is transmitted through an encrypted channel from the sender to the receiver before the data transmission takes place.

Tests show that this approach works fast to detect attacks. "We found the watermark-based approach, such as the RWM algorithm we proposed, can be 32 to 1375 times faster than traditional encryption algorithms in mainstream industrial controllers. Therefore, it is feasible to protect critical real-time control systems with new algorithms," says Song.
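The page describes the RWM idea only at a high level (a keyed, noise-like watermark sent alongside the unencrypted real-time data, with the key pre-shared over an encrypted channel, and the receiver raising an alarm when the watermark is altered or delayed). The following is an added toy illustration of that detection principle, not code from the article or the Siemens researchers and not the RWM algorithm itself: the watermark is an HMAC-derived fraction carried in the sub-resolution part of each integer sample, and all names and sample values are constructed here.

```python
"""Toy keyed watermark for a real-time sensor channel. The watermark rides in the
sub-resolution (fractional) part of each integer sample, so a changed or delayed sample
no longer carries the watermark the receiver expects. Illustration only, constructed
for this page; it is not the RWM algorithm described in the article."""
import hashlib
import hmac

WM_STEPS = 100_000  # distinct watermark fractions per sample (guessing one: 1 in 100,000)


def watermark(key: bytes, index: int, value: int) -> float:
    """Keyed pseudo-random fraction in [-0.4, 0.4], bound to the time step and the value.
    The shared key is assumed to have been exchanged over an encrypted channel beforehand."""
    msg = index.to_bytes(8, "big") + value.to_bytes(8, "big", signed=True)
    step = int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest()[:4], "big") % WM_STEPS
    return (8 * step - 400_000) / 1_000_000  # exact 6-decimal value, looks like noise


def sender(key: bytes, values: list[int]) -> list[float]:
    """Transmit each integer process value with its watermark fraction added."""
    return [v + watermark(key, i, v) for i, v in enumerate(values)]


def receiver(key: bytes, frames: list[float], max_delay: int = 3) -> list[tuple[int, str]]:
    """Recover each process value and check its watermark against the expected time step.
    Verdicts: 'ok', 'delayed:<n>' (frame carries the watermark of step i-n) or 'tampered'."""
    verdicts = []
    for i, frame in enumerate(frames):
        value = round(frame)                # watermark magnitude < 0.5, so this is exact
        residual = round(frame - value, 6)  # strip float noise, keep the 6-decimal mark
        if residual == watermark(key, i, value):
            verdicts.append((value, "ok"))
            continue
        lag = next((d for d in range(1, max_delay + 1)
                    if i >= d and residual == watermark(key, i - d, value)), None)
        verdicts.append((value, f"delayed:{lag}" if lag else "tampered"))
    return verdicts


if __name__ == "__main__":
    key = b"constructed-shared-key"              # constructed sample key
    readings = [1200, 1201, 1203, 1202, 1200]   # constructed sample pressure counts
    frames = sender(key, readings)
    replayed = frames[:3] + [frames[2]] + frames[4:]  # step 3 replaced by a delayed copy of step 2
    print(receiver(key, frames))
    print(receiver(key, replayed))
```

With 100,000 possible fractions an attacker without the key has a 1-in-100,000 chance per frame of forging a valid mark; a real deployment would tune that resolution, and the alarm policy, to the channel's noise floor and timing budget.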

Originally spotted on The Eponymous Pickle.

Previously:
Cyber Threats from the US and Russia are Now Focusing on Civilian Infrastructure
Hackers Behind Dangerous Oil and Gas Intrusions are Probing US Power Grids
Stuxnet-Style Code Signing is More Widespread Than Anyone Thought


  • (Score: 0) by Anonymous Coward on Tuesday June 18 2019, @08:28AM

    by Anonymous Coward on Tuesday June 18 2019, @08:28AM (#856916)
    https://soylentnews.org/article.pl?sid=19/06/15/0241247
  • (Score: 4, Insightful) by Anonymous Coward on Tuesday June 18 2019, @10:48AM (7 children)

    by Anonymous Coward on Tuesday June 18 2019, @10:48AM (#856927)

    There was a time, alas, long ago, where everyone who knew anything about technology including people like Bill Joy said things like, 'maybe we should establish a treaty framework to prevent the escalation of internet warfare.' Or maybe 'hm this would be a good use for the united nations.'

    He was laughed at by the entire American military and political establishment who thought, 'certainly we will win such a conflict with our huge balls and ability to silence journalists.'

    Now in 2019, the entire nsa and cia toolkits have been leaked, repurposed, and redirected. At us. Everyone.

    Now in 2019, no networked computer is safe from constant, 24 hour a day, cracking attempts. No infrastructure is safe, no baby monitor is safe, no thermostat is safe, everyone can be attacked at any time excepting perhaps bush people in the sahara. And even they are under some hellfire armed drone and suspected of being long term deep cover agents.

    Meanwhile John Bolton drops mega-chest-pounding threats against Russia and the entire world, 'we will pwn you! hard! all night long!', even though he has the intellectual capacity of a struggling middle school civics teacher.

    Clown World Alert, the people who are supposed to be keeping us safe with an unlimited budget are just fuckups who will endanger all of us for the chance to be proud of shutting down random traffic lights in Siberia.

    Welcome to 2019, everyone is a combatant but most of us aren't getting paid, rather the opposite, so I hope you enjoy paying your taxes to support attacks on yourself. Maybe you should reconsider what you do with your money.

    • (Score: 1, Informative) by Anonymous Coward on Tuesday June 18 2019, @12:59PM (1 child)

      by Anonymous Coward on Tuesday June 18 2019, @12:59PM (#856950)

      Welcome to 2019, everyone is a combatant but most of us aren't getting paid, rather the opposite, so I hope you enjoy paying your taxes to support attacks on yourself. Maybe you should reconsider what you do with your money.

      My tax dollars already are being spent on murdering noncombatant civilians in various Middle Eastern countries, so thank you for your concern.

      • (Score: 0) by Anonymous Coward on Wednesday June 19 2019, @05:45PM

        by Anonymous Coward on Wednesday June 19 2019, @05:45PM (#857533)

        And mine are already being spent sponsoring the welfare-livelihood of murderous immigrant civilians in various counties within my country.

    • (Score: 1, Informative) by Anonymous Coward on Tuesday June 18 2019, @01:05PM (2 children)

      by Anonymous Coward on Tuesday June 18 2019, @01:05PM (#856955)

      Clown World Alert, the people who are supposed to be keeping us safe with an unlimited budget are just fuckups who will endanger all of us for the chance to be proud of shutting down random traffic lights in Siberia.

      You the people voted those clowns into power, and you the people also profit for lives from their political adventures and planetary resource grabs. Your responsibility is undeniable.

      • (Score: 1, Offtopic) by DeathMonkey on Tuesday June 18 2019, @05:48PM (1 child)

        by DeathMonkey (1380) on Tuesday June 18 2019, @05:48PM (#857089) Journal

        The ELECTORAL COLLAGE voted to put the clown who appointed Bolton. "The People" preferred Clinton by 3 million votes.

        • (Score: 1, Touché) by Anonymous Coward on Tuesday June 18 2019, @06:01PM

          by Anonymous Coward on Tuesday June 18 2019, @06:01PM (#857097)

          How cute. The monkey makes an effort to spell.

          Too bad our country is not the United People of America, but the United States of America. Our constitution, you know those words on paper written by dead white men long ago that defines how our country works, requires that states choose and send delegates to the electoral *college*, who will perform the actual election of the President.

    • (Score: 0) by Anonymous Coward on Tuesday June 18 2019, @02:30PM (1 child)

      by Anonymous Coward on Tuesday June 18 2019, @02:30PM (#856995)

      The essence of being an American: Run roughshod over others, but whine when others do to you.

      • (Score: 1, Troll) by realDonaldTrump on Friday June 21 2019, @05:05AM

        by realDonaldTrump (6614) on Friday June 21 2019, @05:05AM (#858434) Journal

        You say that like it's something bad, like there's something wrong with it. There’s nothing wrong with American dominance. On Earth, in Space, or in the Cyber World. It's what makes our Country Great!!!!

  • (Score: 1) by idetuxs on Tuesday June 18 2019, @11:09AM (1 child)

    by idetuxs (2990) on Tuesday June 18 2019, @11:09AM (#856930)
    • (Score: 3, Insightful) by Anonymous Coward on Tuesday June 18 2019, @01:02PM

      by Anonymous Coward on Tuesday June 18 2019, @01:02PM (#856952)

      Putting critical control systems on the internet has really streamlined the process of destroying those control systems.

  • (Score: 0, Flamebait) by Anonymous Coward on Tuesday June 18 2019, @05:44PM (1 child)

    by Anonymous Coward on Tuesday June 18 2019, @05:44PM (#857088)

    this is what happens when suited, windows-using, whores run the grid. let the chips fall where they may.

    • (Score: 0) by Anonymous Coward on Tuesday June 18 2019, @11:10PM

      by Anonymous Coward on Tuesday June 18 2019, @11:10PM (#857231)

      with enough LSD you can take over the minds of simpler (think less neuron) lifeforms. some say this was the real reason for cia ultra experiments. once you have a lifeform under your control you can direct it thru one of those cooling slits and let it walk over badly isolated line and neutral conductor/cables, triggering a short and fried remote controlled buddy. problem they never solved is the return of the consciousness from the dead animal back to the LSD user ...
