posted by janrinok on Saturday March 23, @12:42PM
from the weakest-link dept.

https://arstechnica.com/security/2024/03/critical-us-water-systems-face-disabling-cyberattacks-white-house-warns/

The Biden administration on Tuesday warned the nation's governors that drinking water and wastewater utilities in their states are facing "disabling cyberattacks" by hostile foreign nations that are targeting mission-critical plant operations.

"Disabling cyberattacks are striking water and wastewater systems throughout the United States," Jake Sullivan, assistant to the president for National Security Affairs, and Michael S. Regan, administrator of the Environmental Protection Agency, wrote in a letter. "These attacks have the potential to disrupt the critical lifeline of clean and safe drinking water, as well as impose significant costs on affected communities."

[...] The letter extended an invitation for secretaries of each state's governor to attend a meeting to discuss better securing the water sector's critical infrastructure. It also announced that the EPA is forming a Water Sector Cybersecurity Task Force to identify vulnerabilities in water systems. The virtual meeting will take place on Thursday.

"EPA and NSC take these threats very seriously and will continue to partner with state environmental, health, and homeland security leaders to address the pervasive and challenging risk of cyberattacks on water systems," Regan said in a separate statement.

Related stories on SoylentNews:
An Online Dump of Chinese Hacking Documents Offers a Rare Window Into Pervasive State Surveillance - 20240229
US Says China's Volt Typhoon Is Readying Destructive Attacks - 20240216
The Internet Enabled Mass Surveillance. A.I. Will Enable Mass Spying - 20231206
Teens With "Digital Bazookas" Are Winning the Ransomware War, Researcher Laments - 20231116
How China Gets Free Intel on Tech Companies' Vulnerabilities - 20230913
Microsoft Links Russia's Military to Cyberattacks in Poland and Ukraine - 20221113
U.S. Charges Four Russian Government Workers With Hacking Energy Sector - 20220327
Microsoft Warns of Destructive Disk Wiper Targeting Ukraine - 20220118
Breached Water Plant Employees Shared Same Password, No Firewall - 20210211
DOJ: Chinese Hackers Stole "Hundreds of Millions of Dollars" of Secrets - 20200722
Chinese Digital Spying is Becoming More Aggressive, Researchers Say - 20200326
Vietnam's Battalions of 'Cyber-Armies' Silencing Online Dissent - 20200117
A New Hardware Implant Shows How Easy It May be to Hide Malicious Chips - 20191013
Congress Mobilizes on Cyber Threats to Electric Grid - 20190715
How a Hacker Network Turned Stolen Press Releases into $100 Million - 20180826
U.S. State and Local Governments Receive Malware-Containing CDs Mailed from China - 20180731
Ukrainian DNC Hack-Author has Turned Himself in and is Cooperating with FBI - 20170816
FIN7 'Cyber-Mafia' Group Giving Heartburn to the U.S. Restaurant Industry - 20170528
Interview with Cybersecurity Expert Jeffrey Carr about Crowdstrike's Russian Hacking Claims - 20170417
Hacker Rigged Elections in Nine Latin American Countries - 20170308
Chinese Businessman Pleads Guilty to Conspiring to Hack US Defense Contractors - 20160326
China Hacks on US Continue, Facebook to Warn Users About Potential State-sponsored Attacks - 20151019
CIA Officers Pulled from China Because of OPM Breach - 20151002
North Korean Defector Warns that Hackers Could Kill - 20150530


Related Stories

North Korean Defector Warns that Hackers Could Kill

Prof. Kim Heung-Kwang has told BBC Click that North Korea has trained 6,000 military hackers capable of attacks that could destroy critical infrastructure or even kill people:

For 20 years Prof Kim taught computer science at Hamheung Computer Technology University, before escaping the country in 2004. While Prof Kim did not teach hacking techniques, his former students have gone on to form North Korea's notorious hacking unit Bureau 121. The bureau, which is widely believed to operate out of China, has been credited for numerous hacks. Many of the attacks are said to have been aimed specifically at South Korean infrastructure, such as power plants and banks.

Speaking at a location just outside the South Korean capital, Prof Kim told the BBC he has regular contact with key figures within the country who have intimate knowledge of the military's cyber operation. "The size of the cyber-attack agency has increased significantly, and now has approximately 6,000 people," he said. He estimated that between 10% to 20% of the regime's military budget is being spent on online operations. "The reason North Korea has been harassing other countries is to demonstrate that North Korea has cyber war capacity," he added. "Their cyber-attacks could have similar impacts as military attacks, killing people and destroying cities."

Speaking more specifically, Prof Kim said North Korea was building its own malware based on Stuxnet - a hack attack, widely attributed to the US and Israel, which struck Iranian nuclear centrifuges before being discovered in 2010. "[A Stuxnet-style attack] designed to destroy a city has been prepared by North Korea and is a feasible threat," Prof Kim said. Earlier this year, the South Korean government blamed North Korea for a hack on the country's Hydro and Nuclear Power Plant. "Although the nuclear plant was not compromised by the attack, if the computer system controlling the nuclear reactor was compromised, the consequences could be unimaginably severe and cause extensive casualties," Prof Kim said.


CIA Officers Pulled from China Because of OPM Breach

The employee records from the Central Intelligence Agency (CIA) were not included in the data cache from the Office of Personnel Management (OPM) hack, according to government officials. However, that doesn't mean the CIA has been unaffected by the breach. The Washington Post reports that according to unnamed current and former US officials, the CIA pulled "a number of officers" from the US Embassy in Beijing as a precautionary measure following the breach—precisely because their names would not appear in State Department personnel files believed to have been obtained by Chinese intelligence operatives.

The question of how to respond to the OPM breach was raised yet again during testimony by intelligence and defense officials on September 29 before the Senate Armed Services Committee. The hearing on "United States Cybersecurity policy and threats" delved into the distinction being made by the Obama administration between electronic economic espionage and the hacking of government agencies and why the breach at the OPM was not considered an attack warranting a proportionate response from the US. No US official has gone on the record to attribute the OPM breach to China.


China Hacks on US Continue, Facebook to Warn Users About Potential State-sponsored Attacks

CNET reports:

Seven US companies have been attacked by government-associated Chinese hackers in the three weeks since the US and China announced a pact that banned government spying on companies, a US security firm said Monday.

The hacks by "actors we have affiliated with the Chinese government" targeted five technology companies and two pharmaceutical companies, US security company CrowdStrike said in a blog post. The first of these occurred the day after the two countries struck a landmark pact in which they agreed not to spy on one another to steal business secrets. They "are continuing to this day", the company said.

Computerworld reports:

Facebook will now warn people if it has a strong suspicion an account is being targeted by a nation-state.

The social networking service already takes steps to secure accounts that may have been compromised but has decided to directly alert users of the type of attack that's under way, wrote Alex Stamos, Facebook's chief security officer.

Since state-sponsored attacks can be more sophisticated "having an account compromised in this manner may indicate that your computer or mobile device has been infected with malware," he wrote.


Chinese Businessman Pleads Guilty to Conspiring to Hack US Defense Contractors

An extradited businessman has pleaded guilty to conspiring to hack US defense contractors and send export-controlled data to China:

A businessman from China pleaded guilty on Wednesday to conspiring to hack into the computer networks of major US defense contractors including Boeing Co, the US Department of Justice said in a statement. Su Bin, 50, faces up to five years in jail for allegedly conspiring with two other people in China to obtain sensitive military information and export it illegally. Su's attorney Robert Anello said in an email: "In resolving this matter Su Bin hopes to move on with his life."

According to US government court filings, Su began working in 2008 to target US companies. In 2010, he emailed a file to an unnamed individual in China which contained information about Boeing's C-17 military transport aircraft. Su also helped his co-conspirators decide which company employees to target, and translated documents from English to Chinese. Arrested in Canada in 2014, Su ultimately consented to US extradition, the Justice Department said. Canadian media reported in January that two Chinese soldiers conspired with Su to obtain blueprints for F-35s and other jets.

The F-35 design documents are a trap!


Hacker Rigged Elections in Nine Latin American Countries

Submitted via IRC for Runaway1956

It was just before midnight when Enrique Peña Nieto declared victory as the newly elected president of Mexico. Peña Nieto was a lawyer and a millionaire, from a family of mayors and governors. His wife was a telenovela star. He beamed as he was showered with red, green, and white confetti at the Mexico City headquarters of the Institutional Revolutionary Party, or PRI, which had ruled for more than 70 years before being forced out in 2000. Returning the party to power on that night in July 2012, Peña Nieto vowed to tame drug violence, fight corruption, and open a more transparent era in Mexican politics.

Two thousand miles away, in an apartment in Bogotá's upscale Chicó Navarra neighborhood, Andrés Sepúlveda sat before six computer screens. Sepúlveda is Colombian, bricklike, with a shaved head, goatee, and a tattoo of a QR code containing an encryption key on the back of his head. On his nape are the words "</head>" and "<body>" stacked atop each other, dark riffs on coding. He was watching a live feed of Peña Nieto's victory party, waiting for an official declaration of the results.

When Peña Nieto won, Sepúlveda began destroying evidence. He drilled holes in flash drives, hard drives, and cell phones, fried their circuits in a microwave, then broke them to shards with a hammer. He shredded documents and flushed them down the toilet and erased servers in Russia and Ukraine rented anonymously with Bitcoins. He was dismantling what he says was a secret history of one of the dirtiest Latin American campaigns in recent memory.

Source: https://www.bloomberg.com/features/2016-how-to-hack-an-election/


Interview with Cybersecurity Expert Jeffrey Carr about Crowdstrike's Russian Hacking Claims

Dan Wright and Joanne Leon of Shadowproof interview cybersecurity expert Jeffrey Carr about Crowdstrike's controversial claims on successfully identifying Russia as the actor that hacked the Democratic National Committee:

The evidence has always been thin despite U.S. intelligence agencies ultimately supporting the claim.

Carr discusses Crowdstrike's history of bad calls, including having to recently rewrite a report on alleged Russian hacking in Ukraine. The Ukrainian government as well as other cybersecurity experts heavily disputed Crowdstrikes[sic] initial claims.

[...] For firms like Crowdstrike, there's no financial downside in pretending to be able to attribute a hack as the nature of cyber makes it hard to prove or disprove an attribution. Additionally, each report serves as marketing material for future clients.


FIN7 'Cyber-Mafia' Group Giving Heartburn to the U.S. Restaurant Industry

Chris Bing from CyberScoop notes:

"A sophisticated hacking group with suspected ties to cybercrime gangs operating in Eastern Europe is now actively targeting and breaching prominent brand-name restaurants in the U.S. More than 20 U.S.-based hospitality companies — the sector that includes hotels and restaurants — have been successfully hacked by FIN7 since the summer of 2016..." https://www.cyberscoop.com/chipotle-hack-fin7-carbanak-baja-fresh-ruby-tuesday/ (Javascript required.)

FIN7 is also linked to the Carbanak APT (https://en.wikipedia.org/wiki/Carbanak) and was accused of a string of bank cyber-heists possibly totalling US $1 billion: https://threatpost.com/carbanak-ring-steals-1-billion-from-banks/111054/ https://securelist.com/blog/research/68732/the-great-bank-robbery-the-carbanak-apt/

This group has been described as "the first international cybermafia, a group of cybercriminals from Russia, Ukraine and other parts of Europe and China," and is suspected to have been involved with an SEC impersonation email campaign:

"In the phishing emails, FIN7 spoofed the sender email address as 'EDGAR filings@sec.gov' in an email with an attachment disguised as a Word doc entitled 'Important_Changes_to_Form10_K.doc'" - http://www.readingeagle.com/business-weekly/article/scam-report-phishing-emails-target-executives-for-information.

Two other methods are also said to have been used in their attacks: fileless malware (https://threatpost.com/hard-target-fileless-malware/125054/) and fake Windows compatibility patches (http://www.pcworld.com/article/3194523/security/financial-cybercrime-group-abuses-windows-app-compatibility-feature.html).
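The two indicators quoted above (a display name that reads like an sec.gov address while the real sender is elsewhere, and a Word attachment named around Form 10-K) are cheap to check at the mail gateway. The script below is an added example, not code from CyberScoop, Reading Eagle or any vendor; the messages it parses are constructed, and the `.invalid` domains are placeholders.

```python
"""Header and attachment checks for the FIN7 SEC-impersonation lure described
above (added example; the messages are constructed, not real samples).

Two indicators from the page: a From display name that reads like an
address at sec.gov while the real address is elsewhere, and a .doc
attachment named around 'Form 10-K'. Domains are .invalid placeholders.
"""
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

CLAIMED_DOMAIN_RE = re.compile(r"@([A-Za-z0-9.-]+)")
LURE_NAME_RE = re.compile(r"form\s*[_-]?10[_-]?k", re.IGNORECASE)
WORD_DOC_EXTS = (".doc", ".docx", ".docm")


def build_message(from_header: str, attachment_name=None) -> bytes:
    """Construct a raw RFC 5322 message for testing; no real mail involved."""
    msg = EmailMessage()
    msg["From"] = from_header
    msg["To"] = "cfo@example.invalid"
    msg["Subject"] = "Important changes to Form 10-K"
    msg.set_content("Please review the attached changes before filing.")
    if attachment_name:
        msg.add_attachment(b"constructed, not a real document",
                           maintype="application", subtype="msword",
                           filename=attachment_name)
    return msg.as_bytes()


def analyse(raw: bytes) -> dict:
    """Return the indicators found in one raw message."""
    msg = message_from_bytes(raw, policy=policy.default)
    sender = msg["From"].addresses[0] if msg["From"] else None
    display_name = sender.display_name if sender else ""
    real_domain = sender.domain.lower() if sender else ""

    # Indicator 1: the display name carries an '@domain' that differs from
    # the domain the message actually came from (display-name spoofing).
    m = CLAIMED_DOMAIN_RE.search(display_name)
    claimed_domain = m.group(1).lower() if m else None
    spoofed_display = claimed_domain is not None and claimed_domain != real_domain

    # Indicator 2: a Word attachment whose name mimics an SEC Form 10-K.
    suspicious = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower().endswith(WORD_DOC_EXTS) and LURE_NAME_RE.search(name):
            suspicious.append(name)

    return {
        "claimed_domain": claimed_domain,
        "real_domain": real_domain,
        "spoofed_display_name": spoofed_display,
        "suspicious_attachments": suspicious,
        "verdict": "quarantine" if spoofed_display or suspicious else "pass",
    }


def demo() -> dict:
    """Analyse one constructed lure and one constructed benign message."""
    lure = build_message('"EDGAR filings@sec.gov" <edgar@example-not-sec.invalid>',
                         "Important_Changes_to_Form10_K.doc")
    benign = build_message("Alice Example <alice@example.invalid>")
    return {"lure": analyse(lure), "benign": analyse(benign)}


if __name__ == "__main__":
    print(demo())
```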


Ukrainian DNC Hack-Author has Turned Himself in and is Cooperating with FBI

The New York Times reports, in "In Ukraine, a Malware Expert Who Could Blow the Whistle on Russian Hacking":

KIEV, Ukraine — The hacker, known only by his online alias "Profexer," kept a low profile. He wrote computer code alone in an apartment and quietly sold his handiwork on the anonymous portion of the internet known as the Dark Web. Last winter, he suddenly went dark entirely.

Profexer's posts, already accessible only to a small band of fellow hackers and cybercriminals looking for software tips, blinked out in January — just days after American intelligence agencies publicly identified a program he had written as one tool used in the hacking of the Democratic National Committee.

But while Profexer's online persona vanished, a flesh-and-blood person has emerged: a fearful man who the Ukrainian police said turned himself in early this year, and has now become a witness for the F.B.I.

The article is an in-depth review of several people, hacking groups, and Russian organizations, and delves into hidden sites where malware can be bought and sold. In this case, it is claimed that Profexer wrote a program to exfiltrate information from a hacked machine, made a free copy available, but charged for updates and training. The claim is that Russia made use of his program, among others, and then practiced using it on Ukraine. Images of servers used in Ukraine voting are being reviewed.


U.S. State and Local Governments Receive Malware-Containing CDs Mailed from China

State Govts. Warned of Malware-Laden CD Sent Via Snail Mail from China

Here's a timely reminder that email isn't the only vector for phishing attacks: Several U.S. state and local government agencies have reported receiving strange letters via snail mail that include malware-laden compact discs (CDs) apparently sent from China, KrebsOnSecurity has learned.

This particular ruse, while crude and simplistic, preys on the curiosity of recipients who may be enticed into popping the CD into a computer. According to a non-public alert shared with state and local government agencies by the Multi-State Information Sharing and Analysis Center (MS-ISAC), the scam arrives in a Chinese postmarked envelope and includes a "confusingly worded typed letter with occasional Chinese characters."

Please insert in election computer.

Also at TechCrunch and Engadget.


How a Hacker Network Turned Stolen Press Releases into $100 Million

Submitted via IRC for SoyCow4408

At a Kiev nightclub in the spring of 2012, 24-year-old Ivan Turchynov made a fateful drunken boast to some fellow hackers. For years, Turchynov said, he'd been hacking unpublished press releases from business newswires and selling them, via Moscow-based middlemen, to stock traders for a cut of the sizable profits.

[...] Newswires like Business Wire are clearinghouses for corporate information, holding press releases, regulatory announcements, and other market-moving information under strict embargo before sending it out to the world. Over a period of at least five years, three US newswires were hacked using a variety of methods from SQL injections and phishing emails to data-stealing malware and illicitly acquired login credentials. Traders who were active on US stock exchanges drew up shopping lists of company press releases and told the hackers when to expect them to hit the newswires. The hackers would then upload the stolen press releases to foreign servers for the traders to access in exchange for 40 percent of their profits, paid to various offshore bank accounts. Through interviews with sources involved with both the scheme and the investigation, chat logs, and court documents, The Verge has traced the evolution of what law enforcement would later call one of the largest securities fraud cases in US history.

Source: https://www.theverge.com/2018/8/22/17716622/sec-business-wire-hack-stolen-press-release-fraud-ukraine


Congress Mobilizes on Cyber Threats to Electric Grid

Congress mobilizes on cyber threats to electric grid:

Lawmakers are zeroing in on the potential for foreign cyber attacks to take down the U.S. electric grid, with members in both chambers pushing hearings and a flurry of bills to address the issue.

Congressional interest in the issue is growing following reports that Iran has stepped up its cyber attacks against U.S. critical infrastructure, and as Trump administration officials cite threats from Russia and China against the electric grid.

A House Energy and Commerce subcommittee focused on threats to the grid during a hearing on Friday, as lawmakers look to get ahead of the issue.

[...] [Assistant secretary of the Department of Energy's (DOE) Office of Cybersecurity, Energy Security, and Emergency Response (CESER). Karen] Evans highlighted the 2019 Worldwide Threat Assessment published by the Office of the Director of National Intelligence (ODNI) earlier this year on the threat.

The assessment found that Russia not only has the ability to execute cyber attacks against the U.S. electric grid, but is also "mapping our critical infrastructure with the long-term goal of being able to cause substantial damage."

On China, the ODNI warned that the country "has the ability to launch cyber attacks that cause localized, temporary disruptive effects on critical infrastructure."

A New Hardware Implant Shows How Easy It May be to Hide Malicious Chips

More than a year has passed since Bloomberg Businessweek grabbed the lapels of the cybersecurity world with a bombshell claim: that Supermicro motherboards in servers used by major tech firms, including Apple and Amazon, had been stealthily implanted with a chip the size of a rice grain that allowed Chinese hackers to spy deep into those networks. Apple, Amazon, and Supermicro all vehemently denied the report. The NSA dismissed it as a false alarm. The Defcon hacker conference awarded it two Pwnie Awards, for "most overhyped bug" and "most epic fail." And no follow-up reporting has yet affirmed its central premise.

But even as the facts of that story remain unconfirmed, the security community has warned that the possibility of the supply chain attacks it describes is all too real. The NSA, after all, has been doing something like it for years, according to the leaks of whistle-blower Edward Snowden. Now researchers have gone further, showing just how easily and cheaply a tiny, tough-to-detect spy chip could be planted in a company's hardware supply chain. And one of them has demonstrated that it doesn't even require a state-sponsored spy agency to pull it off—just a motivated hardware hacker with the right access and as little as $200 worth of equipment.

"It's not magical. It's not impossible. I could do this in my basement."

Monta Elkins, FoxGuard

Vietnam's Battalions of 'Cyber-Armies' Silencing Online Dissent

Al Jazeera:

Vietnam's Force 47 is run by the Ministry of Public Security (MPS) to hack anti-government websites and spread pro-government messages online, and is believed to be at least 10,000-strong.

Anh Chi, the pen name of 46-year-old Nguyen Chi Tuyen, knows the ministry's tactics well. He has created videos criticising Force 47, and has expressed concern about the impact of a new cyber-law that came into effect at the beginning of the month.

The deadly January 9 incident in Dong Tam is a case in point.

According to the authorities, three police officers and 84-year-old village leader Le Dinh Kinh were killed after local residents clashed with police in the early hours of that day.

The dispute, over agricultural land next to a military airport, shocked the country. But afterwards, Vietnam's cyber-army, also known as Force 47, was deployed to counter the content on social media platforms deemed critical of the way the authorities handled the situation.

"Facebook is the main source of independent news now in Vietnam," said Trinh Huu Long, a co-founder of Legal Initiatives for Vietnam.

"The government has been working with Facebook to try to control content posted by dissidents and independent voices," he added.

Vietnam is said to be following China's lead in policing its citizens speech online. Is this going to become the global norm?


Chinese Digital Spying is Becoming More Aggressive, Researchers Say

Chinese digital spying is becoming more aggressive, researchers say:

FireEye, a US cybersecurity firm, says that it has seen a concerning spike in activity from what appears to be a Chinese hacking group called APT41. The attacks are being deployed against companies in the US, Canada, the UK and several other countries, which is atypical of Chinese hackers' typical strategy of focusing on a few particular targets. According to FireEye's report, the group is exploiting software flaws in applications and hardware developed by Cisco, Citrix and others to gain access to target companies' networks and download files via FTP, among other strategies. According to the firm, the attacks began on January 20th, dipped during the Chinese New Year celebrations and COVID-19 quarantine measures and are now back at full scale, affecting 75 of FireEye's customers.

[...] Chinese government contractors carrying out cyber attacks is nothing new, but the scope of these current initiatives is concerning. Companies in about 20 countries are being targeted, and APT41 is carrying out subsequent attacks frequently: "This activity is one of the most widespread campaigns we have seen from China-nexus espionage actors in recent years," says FireEye. "This new activity from this group shows how resourceful and how quickly they can leverage newly disclosed vulnerabilities to their advantage." Whether the attackers are purposely taking advantage of a reduced cybersecurity workforce during the coronavirus pandemic or the timing is just a coincidence remains to be determined.


DOJ: Chinese Hackers Stole "Hundreds of Millions of Dollars" of Secrets

DOJ: Chinese hackers stole "hundreds of millions of dollars" of secrets

Two state-sponsored hackers in China targeted US businesses in a "sophisticated and prolific threat" for more than 10 years, both for financial gain and to steal trade secrets, the Department of Justice said today.

The 11-count indictment (PDF), which was made public today, alleges Li Xiaoyu and Dong Jiazhi worked with China's Ministry of State Security (MSS) and other agencies to hack into "hundreds of victim companies, governments, non-governmental organizations, and individual dissidents, clergy, and democratic and human rights activists in the United States and abroad."

Li and Dong were allegedly infiltrating networks of businesses in a wide array of sectors, including "high tech manufacturing; civil, industrial, and medical device engineering; business, educational, and gaming software development; solar energy; and pharmaceuticals," as well as defense contractors, since at least September 2009. In recent months, prosecutors allege, the two were seeking ways in to "the networks of biotech and other firms publicly known for work on COVID-19 vaccines, treatments, and testing technology" in at least 11 countries, including the US.

The indictment does not name the firms in question, only saying that "on or about January 25 and 27," Li was trying to break into networks at a Maryland biotech firm and a Massachusetts biotech firm, both of which were publicly known by that point to be working on COVID-19 vaccines. Matching up the timelines, the targets seem to have been Novavax, based in Gaithersburg, Maryland, and Moderna, based in Cambridge, Massachusetts.


Breached Water Plant Employees Shared Same Password, No Firewall

Breached water plant employees used the same TeamViewer password and no firewall:

The Florida water treatment facility whose computer system experienced a potentially hazardous computer breach last week used an unsupported version of Windows with no firewall and shared the same TeamViewer password among its employees, government officials have reported.

After gaining remote access [...] the unknown intruder increased the amount of sodium hydroxide—a caustic chemical better known as lye—by a factor of 100. The tampering could have caused severe sickness or death had it not been for safeguards the city has in place.

According to an advisory from the state of Massachusetts, employees with the Oldsmar facility used a computer running Windows 7 to remotely access plant controls known as a SCADA—short for “supervisory control and data acquisition”—system. What’s more, the computer had no firewall installed and used a password that was shared among employees for remotely logging in to city systems with the TeamViewer application.

Massachusetts officials wrote:

The unidentified actors accessed the water treatment plant’s SCADA controls via remote access software, TeamViewer, which was installed on one of several computers the water treatment plant personnel used to conduct system status checks and to respond to alarms or any other issues that arose during the water treatment process. All computers used by water plant personnel were connected to the SCADA system and used the 32-bit version of the Windows 7 operating system. Further, all computers shared the same password for remote access and appeared to be connected directly to the Internet without any type of firewall protection installed.

[...] The revelations illustrate the lack of security rigor found inside many critical infrastructure environments.

It was a 32-bit computer; so they wisely had Windows 7 instead of XP.

See also:
recent SoylentNews article about this, attempt to poison the water supply of residents in Oldsmar, Florida.


Microsoft Warns of Destructive Disk Wiper Targeting Ukraine

Microsoft warns of destructive disk wiper targeting Ukraine:

[...] "All data on the computer is being destroyed, it is impossible to recover it," said a message, written in Ukrainian, Russian, and Polish, that appeared late last week on at least some of the infected systems. "All information about you has become public, be afraid and expect the worst."

[...] Around the same time, Microsoft wrote in a post over the weekend, "destructive" malware with the ability to permanently destroy computers and all data stored on them began appearing on the networks at dozens of government, nonprofit, and information technology organizations, all based in Ukraine. The malware—which Microsoft is calling Whispergate—masquerades as ransomware and demands $10,000 in bitcoin for data to be restored.

But Whispergate lacks the means to distribute decryption keys and provide technical support to victims, traits that are found in virtually all working ransomware deployed in the wild. It also overwrites the master boot record—a part of the hard drive that starts the operating system during bootup.

"Overwriting the MBR is atypical for cybercriminal ransomware," members of the Microsoft Threat Intelligence Center wrote in Saturday's post. "In reality, the ransomware note is a ruse and that the malware destructs MBR and the contents of the files it targets. There are several reasons why this activity is inconsistent with cybercriminal ransomware activity observed by MSTIC."

Over the weekend, Serhiy Demedyuk, deputy head of Ukraine's National Security and Defense Council, told news outlets that preliminary findings from a joint investigation of several Ukrainian state agencies show that a threat actor group known as UNC1151 was likely behind the defacement hack. The group, which researchers at security firm Mandiant have linked to the government of Russian ally Belarus, was behind an influence campaign named Ghostwriter.

Ghostwriter worked by using phishing emails and theft domains that spoof legitimate websites such as Facebook to steal victim credentials. With control of content management systems belonging to news sites and other heavily trafficked properties, UNC1151 "primarily promoted anti-NATO narratives that appeared intended to undercut regional security cooperation in operations targeting Lithuania, Latvia, and Poland," authors of the Mandiant report wrote.

Politics: U.S. Charges Four Russian Government Workers With Hacking Energy Sector

U.S. charges 4 Russian government workers with hacking energy sector:

The U.S. Justice Department fired another legal salvo against Russia on Thursday, announcing indictments against four Russian government employees for an alleged hacking campaign targeting the energy sector that lasted for years and targeted computers in 135 countries.

An indictment in U.S. District Court for the District of Columbia charges that Evgeny Viktorovich Gladkikh, who worked at a Russian Ministry of Defense research institute, conspired with others to damage critical infrastructure outside the United States, causing emergency shutdowns at one foreign facility. Those charged in the indictment, under seal since June 2021, also allegedly tried to hack the computers of a U.S. firm that managed similar facilities in the United States.

A separate indictment filed in Kansas alleges that a hacking campaign launched by Russia's federal security service, or FSB, targeted computers at hundreds of energy-related entities around the world. That indictment was also filed under seal last summer.

Microsoft Links Russia's Military to Cyberattacks in Poland and Ukraine

The hacking group Microsoft ID'd is among the world's most cutthroat and skilled

Microsoft on Thursday fingered Russia's military intelligence arm as the likely culprit behind ransomware attacks last month that targeted Polish and Ukrainian transportation and logistics organizations.

If the assessment by members of the Microsoft Security Threat Intelligence Center (MSTIC) is correct, it could be cause for concern for the US government and its European counterparts. Poland is a member of NATO and a staunch supporter of Ukraine in its bid to stave off an unprovoked Russian invasion. The hacking group the software company linked to the cyberattacks—known as Sandworm in wider research circles and Iridium in Redmond, Washington—is one of the world's most talented and destructive and is widely believed to be backed by Russia's GRU military intelligence agency.

Sandworm has been definitively linked to the NotPetya wiper attacks of 2017, a global outbreak that a White House assessment said caused $10 billion in damages, making it the most costly hack in history. Sandworm has also been definitively tied to hacks on Ukraine's power grid that caused widespread outages during the coldest months of 2016 and again in 2017.

Last month, Microsoft said that Poland and Ukraine transportation and logistics organizations had been the target of cyberattacks that used never-before-seen ransomware that announced itself as Prestige. The threat actors, Microsoft said, had already gained control over the victim networks. Then in a single hour on October 11, the hackers deployed Prestige across all its victims.

Once in place, the ransomware traversed all files on the infected computer's system and encrypted the contents of files that ended in .txt, .png, .gpg, and more than 200 other extensions. Prestige then appended the extension .enc to the existing extension of the file. Microsoft attributed the attack to an unknown threat group it dubbed DEV-0960.

On Thursday, Microsoft updated the report to say that based on forensic artifacts and overlaps in victimology, tradecraft, capabilities, and infrastructure, researchers determined DEV-0960 was very likely Iridium.


How China Gets Free Intel on Tech Companies’ Vulnerabilities 10 comments

https://arstechnica.com/security/2023/09/how-china-gets-free-intel-on-tech-companies-vulnerabilities/

For state-sponsored hacking operations, unpatched vulnerabilities are valuable ammunition. Intelligence agencies and militaries seize on hackable bugs when they're revealed—exploiting them to carry out their campaigns of espionage or cyberwar—or spend millions to dig up new ones or to buy them in secret from the hacker gray market.

But for the past two years, China has added another approach to obtaining information about those vulnerabilities: a law that simply demands that any network technology business operating in the country hand it over. When tech companies learn of a hackable flaw in their products, they're now required to tell a Chinese government agency—which, in some cases, then shares that information with China's state-sponsored hackers, according to a new investigation. And some evidence suggests foreign firms with China-based operations are complying with the law, indirectly giving Chinese authorities hints about potential new ways to hack their own customers.

Today, the Atlantic Council released a report—whose findings the authors shared in advance with WIRED—that investigates the fallout of a Chinese law passed in 2021, designed to reform how companies and security researchers operating in China handle the discovery of security vulnerabilities in tech products.
[...]
The report's authors combed through the Chinese government's own descriptions of that program to chart the complex path the vulnerability information then takes: The data is shared with several other government bodies, including China's National Computer Network Emergency Response Technical Teams/Coordination Center, or CNCERT/CC, an agency devoted to defending Chinese networks. But the researchers found that CNCERT/CC makes its reports available to technology "partners" that include exactly the sort of Chinese organizations devoted not to fixing security vulnerabilities but to exploiting them. One such partner is the Beijing bureau of China's Ministry of State Security, the agency responsible for many of the country's most aggressive state-sponsored hacking operations in recent years, from spy campaigns to disruptive cyberattacks. And the vulnerability reports are also shared with Shanghai Jiaotong University and the security firm Beijing Topsec, both of which have a history of lending their cooperation to hacking campaigns carried out by China's People's Liberation Army.


Teens With “Digital Bazookas” Are Winning the Ransomware War, Researcher Laments 19 comments

https://arstechnica.com/security/2023/11/teens-with-digital-bazookas-are-winning-the-ransomware-war-researcher-laments/

What do Boeing, an Australian shipping company, the world's largest bank, and one of the world's biggest law firms have in common? All four have suffered cybersecurity breaches, most likely at the hands of teenage hackers, after failing to patch a critical vulnerability that security experts have warned of for more than a month, according to a post published Monday.

[...] All four companies have confirmed succumbing to security incidents in recent days, and China's ICBC has reportedly paid an undisclosed ransom in exchange for encryption keys to data that has been unavailable ever since.

[...] After the CitrixBleed exploit grants initial remote access through software known as Virtual Desktop Infrastructure, LockBit escalates its access to other parts of the compromised network using tools such as Atera, which provides interactive PowerShell interfaces that don't trigger antivirus or endpoint detection alerts. This access remains even after CitrixBleed is patched unless administrators take special actions.


The Internet Enabled Mass Surveillance. A.I. Will Enable Mass Spying 30 comments

Spying has always been limited by the need for human labor. A.I. is going to change that:

Spying and surveillance are different but related things. If I hired a private detective to spy on you, that detective could hide a bug in your home or car, tap your phone, and listen to what you said. At the end, I would get a report of all the conversations you had and the contents of those conversations. If I hired that same private detective to put you under surveillance, I would get a different report: where you went, whom you talked to, what you purchased, what you did.

Before the internet, putting someone under surveillance was expensive and time-consuming. You had to manually follow someone around, noting where they went, whom they talked to, what they purchased, what they did, and what they read. That world is forever gone. Our phones track our locations. Credit cards track our purchases. Apps track whom we talk to, and e-readers know what we read. Computers collect data about what we're doing on them, and as both storage and processing have become cheaper, that data is increasingly saved and used. What was manual and individual has become bulk and mass. Surveillance has become the business model of the internet, and there's no reasonable way for us to opt out of it.

Spying is another matter. It has long been possible to tap someone's phone or put a bug in their home and/or car, but those things still require someone to listen to and make sense of the conversations. Yes, spyware companies like NSO Group help the government hack into people's phones, but someone still has to sort through all the conversations. And governments like China could censor social media posts based on particular words or phrases, but that was coarse and easy to bypass. Spying is limited by the need for human labor.

A.I. is about to change that.

[...] We could limit this capability. We could prohibit mass spying. We could pass strong data-privacy rules. But we haven't done anything to limit mass surveillance. Why would spying be any different?


US Says China's Volt Typhoon Is Readying Destructive Attacks 13 comments

Arthur T Knackerbracket has processed the following story:

The US government today confirmed China's Volt Typhoon crew compromised "multiple" critical infrastructure orgs' IT networks in America – and Uncle Sam warned that the Beijing-backed spies are readying "disruptive or destructive cyberattacks" against those targets.

The Chinese team remotely broke into IT environments — primarily across communications, energy, transportation systems, and water and wastewater system sectors — in the continental and non-continental United States and its territories, including Guam.

"Volt Typhoon's choice of targets and pattern of behavior is not consistent with traditional cyber espionage or intelligence gathering operations, and the US authoring agencies assess with high confidence that Volt Typhoon actors are pre-positioning themselves on IT networks to enable lateral movement to OT assets to disrupt functions," a dozen Five Eyes government agencies warned on Wednesday. 

[...] According to the US agencies, Volt Typhoon will likely use any network access it can get to pull off disruptive attacks against American systems and equipment in the event of geopolitical tensions or military conflicts.

[...] While the threat to American critical infrastructure appears to be the highest, should US facilities be disrupted, "Canada would likely be affected as well, due to cross-border integration," according to CCCS. 

Australian and New Zealand critical infrastructure could be vulnerable as well.

In addition to sounding the alarm, the government bodies issued a long list of technical details, TTPs observed in the digital break-ins, and detection recommendations and best practices. 

Plus, there are three actions that owners and operators should take "today" to mitigate the threat:

First: Apply patches for internet-facing systems, with priority given to appliances that Volt Typhoon likes to exploit.

Second: Turn on phishing-resistant multi-factor authentication (MFA).

And finally: Ensure that logging is turned on for application, access and security logs, and store these logs in a centralized system.
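The three actions above are easy to state and easy to lose track of across a fleet. The following is an added example, not code from the advisory, The Register or any agency: a small audit that walks a constructed asset inventory and reports which of the three actions each host still misses. The inventory entries, the 30-day patch window for internet-facing appliances and the set of methods counted as phishing-resistant are assumptions made for the example.

```python
"""Added example (not from the advisory or the article): audit a constructed
asset inventory against the three "today" actions: patch internet-facing
systems, phishing-resistant MFA, centralized logging."""
from datetime import date

# MFA methods that a phishing page cannot relay (assumed classification;
# SMS, TOTP and push approvals are deliberately not on this list)
PHISHING_RESISTANT = {"fido2", "webauthn", "piv", "smartcard"}
PATCH_WINDOW_DAYS = 30  # assumed tolerance for an internet-facing appliance

# Constructed inventory; host names, dates and settings are invented
INVENTORY = [
    {"host": "vpn-edge-1", "internet_facing": True,
     "last_patched": date(2024, 1, 5), "mfa": ["totp"], "logs_forwarded": False},
    {"host": "hmi-ws-2", "internet_facing": False,
     "last_patched": date(2023, 11, 1), "mfa": [], "logs_forwarded": True},
    {"host": "jump-host", "internet_facing": True,
     "last_patched": date(2024, 3, 10), "mfa": ["fido2", "totp"], "logs_forwarded": True},
]


def audit_host(asset, today):
    """Return the list of gaps for one asset; an empty list means all three actions are met."""
    gaps = []
    age = (today - asset["last_patched"]).days
    # Action 1: internet-facing systems patched promptly
    if asset["internet_facing"] and age > PATCH_WINDOW_DAYS:
        gaps.append(f"patching: internet-facing, last patched {age} days ago")
    # Action 2: at least one phishing-resistant MFA method enrolled
    if not PHISHING_RESISTANT.intersection(asset["mfa"]):
        gaps.append("mfa: no phishing-resistant method enrolled")
    # Action 3: logs leave the box and land in a central store
    if not asset["logs_forwarded"]:
        gaps.append("logging: logs not forwarded to central store")
    return gaps


def audit(inventory, today):
    """Map host name -> gaps; hosts with no gaps are omitted."""
    result = {}
    for asset in inventory:
        gaps = audit_host(asset, today)
        if gaps:
            result[asset["host"]] = gaps
    return result


if __name__ == "__main__":
    for host, gaps in audit(INVENTORY, date(2024, 3, 23)).items():
        print(host)
        for gap in gaps:
            print("  -", gap)
```

Run as-is it reports the two hosts with gaps; the jump host, patched recently with a FIDO2 key enrolled and logs forwarded, is silent. The point of separating `audit_host` from `audit` is that the per-host check can be dropped into whatever inventory source a site actually has.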


An Online Dump of Chinese Hacking Documents Offers a Rare Window Into Pervasive State Surveillance 3 comments

Chinese police are investigating an unauthorized and highly unusual online dump of documents from a private security contractor linked to the nation's top policing agency and other parts of its government — a trove that catalogs apparent hacking activity and tools to spy on both Chinese and foreigners:

Among the apparent targets of tools provided by the impacted company, I-Soon: ethnicities and dissidents in parts of China that have seen significant anti-government protests, such as Hong Kong or the heavily Muslim region of Xinjiang in China's far west.

The dump of scores of documents late last week and subsequent investigation were confirmed by two employees of I-Soon, known as Anxun in Mandarin, which has ties to the powerful Ministry of Public Security. The dump, which analysts consider highly significant even if it does not reveal any especially novel or potent tools, includes hundreds of pages of contracts, marketing presentations, product manuals, and client and employee lists.

[...] The hacking tools are used by Chinese state agents to unmask users of social media platforms outside China such as X, formerly known as Twitter, break into email and hide the online activity of overseas agents. Also described are devices disguised as power strips and batteries that can be used to compromise Wi-Fi networks.

[...] "We see a lot of targeting of organizations that are related to ethnic minorities — Tibetans, Uyghurs. A lot of the targeting of foreign entities can be seen through the lens of domestic security priorities for the government," said Dakota Cary, a China analyst with the cybersecurity firm SentinelOne.

Also at WaPo, NYT, and The Guardian.

Originally spotted on Schneier on Security

Related: The Internet Enabled Mass Surveillance. A.I. Will Enable Mass Spying


  • (Score: 4, Interesting) by drussell on Saturday March 23, @12:47PM (28 children)

    by drussell (2678) on Saturday March 23, @12:47PM (#1349963) Journal

    Why on earth would a PLC involved with water plant operations be connected to the internet?

    • (Score: 2, Offtopic) by canopic jug on Saturday March 23, @12:55PM (14 children)

      by canopic jug (3949) Subscriber Badge on Saturday March 23, @12:55PM (#1349964) Journal

      And why would m$ products be in production environments, let alone networked production environments?

      --
      Money is not free speech. Elections should not be auctions.
      • (Score: 4, Interesting) by drussell on Saturday March 23, @02:10PM (9 children)

        by drussell (2678) on Saturday March 23, @02:10PM (#1349968) Journal

        Why are you talking about Windows and TCO? This has nothing to do with Microsoft; we're talking about the logic controllers that operate equipment in industrial settings.

        Don't get me wrong, I'm no fan of Microsoft or their poor quality software, but that's not the issue being discussed in this article.

        • (Score: 2) by aafcac on Saturday March 23, @02:35PM (3 children)

          by aafcac (17646) on Saturday March 23, @02:35PM (#1349970)

          Yes, whether or not it's an MS product is at best a secondary issue here. Why are these being run over the internet? And is this a matter of them being run over an improperly secured VPN, or is there something even dumber going on?

          IMHO, it makes precisely no sense to run such security sensitive systems over a public internet, even with a VPN being involved. Given the number of people that could be sickened, it seems like there should be a better way of dealing with it.

          • (Score: 2) by drussell on Saturday March 23, @03:12PM (2 children)

            by drussell (2678) on Saturday March 23, @03:12PM (#1349974) Journal

            It's a PLC. It doesn't "run" over the internet. Do you even understand what a PLC is?

            You might want to perhaps monitor (or perhaps even control) some aspects of your system from a remote location, but you don't do this by connecting the damn PLC itself directly to the internet!!

            • (Score: 4, Informative) by GloomMower on Saturday March 23, @03:44PM (1 child)

              by GloomMower (17961) on Saturday March 23, @03:44PM (#1349978)

              There are many PLCs with Ethernet. Or devices that are on the internet connected to a PLC through serial or RS485.

              Don't do / shouldn't do, not can't do.

              I'm pretty sure Stuxnet infected the computers that connected to the PLC. More and more systems are not air-gapped; it is too darn convenient for optimization of usage and man-hour reduction.

              • (Score: 2) by drussell on Saturday March 23, @03:52PM

                by drussell (2678) on Saturday March 23, @03:52PM (#1349981) Journal

                Of course most modern PLCs have ethernet ports, not just serial ports, but ethernet interface ≠ connected to internet!!

        • (Score: 1, Informative) by canopic jug on Saturday March 23, @04:53PM (4 children)

          by canopic jug (3949) Subscriber Badge on Saturday March 23, @04:53PM (#1349988) Journal

          Why are you talking about Windows and TCO?

          The inner layer might be microcontrollers, but over the decades they have been networked and connected to Internet-facing Windoze systems, for the convenience of nation state attackers. Thus Windoze is part of the mix.

          The layer of industrial microcontrollers connected to the sensors, valves, and pumps is, obviously, not Windoze. It can't be. Those devices have to work or people would notice. However, in the layers above that, the ones connected to the open Internet, you will find Windoze all too often [unitronics.com]. Thus the problems of the total cost of ownership [soylentnews.org] for Windoze are relevant, as these breaches are not externalities but an integral, unavoidable component in foolishly placing Windoze in Internet-facing production environments while giving said same Windoze boxes direct access to industrial control systems.

          --
          Money is not free speech. Elections should not be auctions.
          • (Score: 4, Insightful) by Anonymous Coward on Saturday March 23, @06:17PM (3 children)

            by Anonymous Coward on Saturday March 23, @06:17PM (#1349996)

            Listen, I love to hate on Windows (and Microsoft) as much as the next soylentil around here, but using terms like 'windoze' does not make our side come across as particularly 'adult'. Secondly: redirecting everything even remotely related to vulnerabilities to microsoft, even though they are not the focus of the point attempting to be made in the article, deflects the blame from those who deserve it and where it could actually help by shining light, to a place (that also deserves it) that has no control over the main complaint in the article and thus makes zero difference.
            So please, knock it out and behave a bit more like an adult. You're making us serious people look like clowns by association.

            • (Score: 4, Touché) by Tork on Saturday March 23, @07:51PM (1 child)

              by Tork (3914) Subscriber Badge on Saturday March 23, @07:51PM (#1350003)

              ...but using terms like 'windoze' does not make our side come across as particularly 'adult'.

              Quoted for agreement. I don't know about the AC, but I'm a green-site refugee and despite my daily headaches with Windows I still found too many people on that site, many using the same terminology canopic jug is, bringing up MS tropes even where they weren't relevant because it earned karma.

              I'm not saying canopic jug isn't right, mainly I'm sticking my nose in because the redundant moderation was hasty.

              --
              🏳️‍🌈 Proud Ally 🏳️‍🌈
              • (Score: 4, Interesting) by canopic jug on Sunday March 24, @05:40AM

                by canopic jug (3949) Subscriber Badge on Sunday March 24, @05:40AM (#1350069) Journal

                [...] I'm a green-site refugee and despite my daily headaches with Windows [...]

                More noticeably, I see that defending m$, Windows, and Bill against all criticism, especially legitimate criticism, has also become a trope, particularly on censorious sites like the two orange ones. I can't say about the green site, but it too was like that when I last logged in there so very long ago. Whining about common writing styles is one way to distract from the actual topic, a topic which hurts m$ and its minions.

                Back to the topic at hand and leaving the debate about style aside, here, on SN, the fine article linked to in the very summary at the top includes mention by name of Unitronics [unitronics.com] which is most clearly a Windows problem. It is even named as a factor (aka problem) in the Florida, Pennsylvania, and other state water treatment facility breaches.

                The Windows deployments there and elsewhere did not occur spontaneously. Those misfit products were ordered purchased and ordered deployed by real people with names and addresses. If the US were serious about the network security problems surrounding water treatment, they could be solved quite quickly by any number of approaches, some faster, some slower. But slow or fast, solving them is possible. If someone were to drill holes all over or blast a dam, the feds would swoop in, probably even at the planning stage. If someone were to build a dam with knowingly substandard methods or materials or design, the feds would swoop in, probably even at the planning stage. Yet, although water treatment and management is essential, critical national infrastructure, all knowledge and best practices are thrown out because of Windows and M$ exceptionalism. The products are not fit for purpose and everyone knows it, and those products have been that way for so many decades one can accurately say it is by design. However, since the pivot to politics and lobbying by M$ back around the turn of the century, no one is allowed to say it or call them out. The government's announcements of memos, letters, and press releases are not going to solve the widespread managerial problems which lead to nation-crippling Windows deployments. Sending fines, jail sentences, or polished boots will.

                --
                Money is not free speech. Elections should not be auctions.
            • (Score: -1, Redundant) by Anonymous Coward on Sunday March 24, @04:48AM

              by Anonymous Coward on Sunday March 24, @04:48AM (#1350060)

              Fuck off.

      • (Score: 3, Informative) by RS3 on Sunday March 24, @04:39AM (2 children)

        by RS3 (6367) on Sunday March 24, @04:39AM (#1350056)

        Most PLCs, certainly the many brands and models I've worked with, have no UI. They have various digital and analog electrical inputs and outputs, so various switches, indicators (lamps), meters, etc., can be connected. In many applications control by switches, knobs, lights, etc. is good enough.

        But in many cases you need a higher level UI. There are many touchscreen modules on the market which "talk" to a PLC through some kind of data connection, be it serial, including RS485, USB, DeviceNet, several other variations of serial ports, and of course Ethernet has become the mainstay. In fact many sensors and control devices, including motor controllers (sometimes called "drives") are being controlled through Ethernet.

        The touchscreen modules often run Windows CE, the "embedded" version of Windows, which is really quite stripped down but can be bloated up with stuff if needed, including software with libraries and modules that "talk" to the PLC.

        There exist touchscreen modules that run on other OSes including Linux, and there's pretty strong Linux support for many PLCs.

        In most cases it's somewhere between ignorance and laziness where all the Ethernet ports are connected to one network segment, which is usually connected to the Internet (through router / gateway / firewall).

        As you might imagine, those touchscreen modules running Windows CE may want, or need, to connect to the Internet for many reasons. That doesn't mean they open any incoming service ports, but it shows how they could be vulnerable.

        And it comes down to pretty much the main reason we all have and deal with the far too many vulnerabilities: people love to add features and functionality, but deprioritize security, if they consider it at all.

        Remote monitoring and control of industrial processes is a very good useful thing. I think, at the very least, people should use a good VPN if they're going to use the Internet for remote monitoring.

        • (Score: 4, Informative) by canopic jug on Sunday March 24, @06:09AM (1 child)

          by canopic jug (3949) Subscriber Badge on Sunday March 24, @06:09AM (#1350072) Journal

          Most PLCs, certainly the many brands and models I've worked with, have no UI. They have various digital and analog electrical inputs and outputs, so various switches, indicators (lamps), meters, etc., can be connected. In many applications control by switches, knobs, lights, etc. is good enough.

          But in many cases you need a higher level UI. There are many touchscreen modules on the market which "talk" to a PLC through some kind of data connection, be it serial, including RS485, USB, DeviceNet, several other variations of serial ports, and of course Ethernet has become the mainstay. In fact many sensors and control devices, including motor controllers (sometimes called "drives") are being controlled through Ethernet.

          I've seen enough evidence, even though looking at it from the outside: The method for controlling water treatment systems which I saw demoed to me used RS485, if I recall correctly, but that was more than 20 years ago. The designer was under increasing management pressure at that time to connect the control systems to the Internet via Windows computers. That was something he refused to do and, as a consultant, was in a position to refuse. Times and situations change. People move on.

          Now components with M$ requirements [epa.gov] are called out by name and are apparently common if not pervasive. Industrial control is serious business (in both meanings) but connecting the industrial control systems to the Internet via infamously insecure products in an even more insecure way is making those serious people look like clowns.

          --
          Money is not free speech. Elections should not be auctions.
          • (Score: 3, Insightful) by RS3 on Sunday March 24, @03:30PM

            by RS3 (6367) on Sunday March 24, @03:30PM (#1350104)

            Yeah, at this point pretty much everyone who isn't super hands-on with details of technology thinks it's just the thing to do to connect everything to the Internet. TBF, subsystem / component designers usually include Internet connectivity in the feature / functionality brag list. Then they pass the buck saying it's someone else's job to secure everything.

            My most recent full-time job was at a small-ish food factory- maybe 200 employees. There was no IT person. They contracted out for IT services (total joke / waste of $). There were several very savvy people who did much IT work. One of the most awesome and smartest people I've ever met held many roles there, including much IT work. He had a degree in CS, but wore many hats well. The _only_ thing he was very wrong about: he and others had plugged all PLC / SCADA systems into a building-wide Ethernet. Many times he said the production machines (PLCs) were "air-gapped". Hmmm, then why could I run nmap and see most of the PLCs through WiFi? It's possible someone plugged in an Ethernet jumper between some of the Ethernet switches. Things weren't documented, were somewhat physically locked, and many years of learning the hard way taught me to just leave it alone, play dumb. Normally I'm wired for proactive action, but people always seem to have "reasons" for why I shouldn't touch things (in spite of me alone more than doubling the company's productivity) and I'm conflict-averse, so again I've learned to back off and do other things.

            Much bigger-picture problem of non-existent management. IMHO, good management would identify all talents in everyone, and apportion things based on needs, prioritizing, efficiency, productivity, etc. I.e., I had, by far, the most general IT / networking talent, but was relegated to other roles. If I had stayed there I would have done more to inventory everything, including Ethernet stuff, then present a comprehensive plan to give everyone a full SCADA system of the entire production.

            Yes, various forms of RS485 have been used for many control and monitoring systems for many many years. There have been many adaptations, including CAN bus [wikipedia.org]. RS485 is the basis for DMX512 which is used to control stage / show lighting systems, pyrotechnics, etc. For years Allen-Bradley (now owned by Rockwell Automation) PLCs used DeviceNet [wikipedia.org] which is based on CAN bus.

            Another angle, or cake layer, is that most people can only handle so much complexity. Most people I've met / worked with in the PLC world are quite intelligent, and dealing with much complexity in the PLC world, struggling to keep up with the ever-changing PLC platforms, and have no bandwidth to deal with increasing IT complexity. I.e., IT generalists and IT security specialists are needed to work with PLC people. Of course big corporations can afford such staff, but tiny producers can't afford such staff. 3rd-party providers are very expensive, might do some things well, but maybe won't do a comprehensive design. Someone onsite might make some changes, then the expensive contractor gets even more expensive trying to figure out what's happened (and I've seen this many many times). It all starts to get into costs and economics and management and business-speak BS. Meanwhile, as too often, IT and IT security gets ignored until there's a break-in and panic.

            Thanks for that interesting link, btw.
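RS3 makes the same point twice in this subthread: PLCs and SCADA hosts get plugged into the one building-wide segment, and that segment reaches the Internet, so a laptop on WiFi can see the controllers. The block below is an added example, not code from the thread or from any PLC vendor, of how a defender would catch that from the firewall or router logs rather than by running a scanner: it parses constructed log lines and reports every flow that enters the OT zone from any other zone. The zone subnets, the log line format and the sample lines are all assumptions; the industrial port numbers (Modbus/TCP 502, EtherNet/IP 44818, DNP3 20000, S7comm 102) are the protocols' well-known ports.

```python
"""Added example (not from the thread or any vendor): flag flows that cross
into the OT zone from the office, WiFi or outside, using firewall log lines."""
import ipaddress
import re

# Assumed zone layout; in practice this comes from the site's network inventory
ZONES = {
    "ot":   ipaddress.ip_network("10.50.0.0/16"),
    "wifi": ipaddress.ip_network("10.20.0.0/16"),
    "corp": ipaddress.ip_network("10.10.0.0/16"),
}
# Well-known industrial protocol ports, used only to label findings
ICS_PORTS = {502: "modbus", 44818: "enip", 20000: "dnp3", 102: "s7comm"}

# Assumed log shape: "<timestamp> <ACCEPT|DROP> src=<ip> dst=<ip> proto=<p> dport=<n>"
LINE_RE = re.compile(
    r"(?P<ts>\S+) (?P<action>ACCEPT|DROP) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=(?P<proto>\S+) dport=(?P<dport>\d+)"
)

# Constructed sample log; addresses and times are invented
SAMPLE_LOG = """\
2024-03-24T04:39:01Z ACCEPT src=10.50.1.20 dst=10.50.1.12 proto=tcp dport=502
2024-03-24T04:39:05Z ACCEPT src=10.20.5.17 dst=10.50.1.12 proto=tcp dport=502
2024-03-24T04:39:09Z DROP src=10.20.5.17 dst=10.50.1.13 proto=tcp dport=44818
2024-03-24T04:40:00Z ACCEPT src=10.10.3.4 dst=203.0.113.9 proto=tcp dport=443
2024-03-24T04:40:07Z ACCEPT src=10.10.3.4 dst=10.50.1.13 proto=tcp dport=22
"""


def zone_of(addr):
    """Name of the zone an address belongs to, or 'external' if none matches."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "external"


def find_ot_crossings(log_text):
    """One finding per flow whose destination is in OT and whose source is not.
    ACCEPTed flows are 'high' (segmentation is broken); DROPped flows are
    'attempt' (the rule held, but something on that segment is reaching for OT)."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrecognised line; a production parser would count these
        src_zone, dst_zone = zone_of(m["src"]), zone_of(m["dst"])
        if dst_zone != "ot" or src_zone == "ot":
            continue  # intra-OT traffic (HMI to PLC) and non-OT traffic are fine here
        dport = int(m["dport"])
        findings.append({
            "ts": m["ts"],
            "severity": "high" if m["action"] == "ACCEPT" else "attempt",
            "src": m["src"], "src_zone": src_zone,
            "dst": m["dst"], "dport": dport,
            "protocol": ICS_PORTS.get(dport, "non-ics"),
        })
    return findings


if __name__ == "__main__":
    for f in find_ot_crossings(SAMPLE_LOG):
        print(f"{f['severity']:7} {f['src_zone']:5} {f['src']} -> "
              f"{f['dst']}:{f['dport']} ({f['protocol']})")
```

On the sample the HMI talking Modbus to a PLC inside the OT zone is not reported, but the WiFi client reaching the same PLC, the dropped WiFi probe on the EtherNet/IP port, and the office host opening SSH to a controller all are. The third one matters: a port-based rule that only watches 502 and 44818 would miss it, which is why the check keys on zone crossing and uses the port list only as a label.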

      • (Score: 2) by RS3 on Sunday March 24, @04:58AM

        by RS3 (6367) on Sunday March 24, @04:58AM (#1350062)

        I forgot to mention SCADA, as "Thesis" does below. Generally the software that runs on the touchscreen is considered SCADA, which can also run on PCs, hence the possibility of connecting a PLC to a PC somewhere else, possibly far away.

    • (Score: -1, Troll) by aafcac on Saturday March 23, @01:50PM (8 children)

      by aafcac (17646) on Saturday March 23, @01:50PM (#1349966)

      A combination of it being cheaper and it allowing whatever President is in charge at the time to rationalize further erosion of our civil liberties in order to get the bad guys. Things being leaked via the internet that shouldn't be connected to the internet has been an issue for decades at this point. There's no justification for it.

      • (Score: 0, Insightful) by Anonymous Coward on Saturday March 23, @02:33PM (7 children)

        by Anonymous Coward on Saturday March 23, @02:33PM (#1349969)

        It's nice to know that we haven't prevented dumb people from modding around here.

        • (Score: 5, Insightful) by drussell on Saturday March 23, @02:56PM (6 children)

          by drussell (2678) on Saturday March 23, @02:56PM (#1349972) Journal

          It's nice to know that we haven't prevented dumb people from modding around here.

          The comment in question is currently scored +1 Troll

          While I would say it is probably actually more like Flamebait, a comment like this:

          A combination of it being cheaper and it allowing whatever President is in charge at the time to rationalize further erosion of our civil liberties in order to get the bad guys.

          ... is absurd on its face. Poster apparently believes that the designers / implementers of the water plant intentionally implemented it in such a way as to be easily vulnerable to attack so that the government would be able to use the occurrence of such an attack as an excuse to implement policies which further curtail civilians' civil liberties?! Really?

          Additionally, why would it be "cheaper" to have a PLC connected to the internet? Cheaper how, in what way?

          Too bad there isn't a -1 Absurd mod. That would be highly appropriate, IMHO.

          • (Score: 3, Troll) by EJ on Saturday March 23, @04:17PM (3 children)

            by EJ (2452) on Saturday March 23, @04:17PM (#1349986)

            I'm not reading the rest of the posts, but it is cheaper because you can have one guy in India monitoring multiple plants for $0.50/hr instead of having to pay for someone to work at the physical site.

            • (Score: 2, Troll) by drussell on Saturday March 23, @09:45PM (2 children)

              by drussell (2678) on Saturday March 23, @09:45PM (#1350008) Journal

              That may be the way the telephone company operates their customer service these days, but do you actually have any evidence that your local water utility is being run and monitored by some schmoo in a cubicle in India?!

              I'm pretty sure that's not a thing!!

              Offshoring hundreds or thousands of call-centre jobs for customer "service" is one thing, but the couple of operations dudes wandering around the local water filtration facility, power station or sewage treatment plant monitoring things plus a few maintenance and engineering staff are probably not being magically outsourced offshore. 🙄

              Anything that requires "$0.50/hr monitoring" is already being taken care of by the PLC itself. Nobody is sitting there, just actively watching some level gauge.

              Water level in tank X gets above level A, open valve Y until level is below setpoint B. If limit switch L, M, N, O, or P is reached at any time, shut down that subsystem and show an alert on the maintenance crew anomaly display panel or whatever. It's all still basically just ladder logic, perhaps with a cellphone dialer at the end in a pinch, I guess...

              • (Score: 2, Interesting) by EJ on Sunday March 24, @01:17AM

                by EJ (2452) on Sunday March 24, @01:17AM (#1350026)

                Reading comprehension is a fundamental skill.

                My response was only to the question of how it COULD make things cheaper.

              • (Score: 2, Interesting) by wArlOrd on Sunday March 24, @10:29PM

                by wArlOrd (2142) on Sunday March 24, @10:29PM (#1350140)

                Sunday, May 8, 1988, a fire broke out in the main switching room of the Hinsdale Central Office of Illinois Bell

                Who was on site to notice?

          • (Score: 1, Offtopic) by canopic jug on Sunday March 24, @06:26AM (1 child)

            by canopic jug (3949) Subscriber Badge on Sunday March 24, @06:26AM (#1350075) Journal

            Poster apparently believes that the designers / implementers of the water plant intentionally implemented it in such a way as to be easily vulnerable to attack

            Yet, that is, in practice, what is actually happening. The egregious design of Windows and the shoddy workmanship have both been known for decades and are common knowledge. The difference is whether bad engineering is acceptable or not, and to whom it is or isn't, and whether security is part of design or merely an after-market add-on provided by expensive snakeoil^w third party packages. But to deploy or maintain m$ products in an Internet-facing production environment in 2024 is to intentionally deploy systems which are easily vulnerable to actual compromise, not just log futile, ineffective attacks.

            so that the government would be able to use the occurrence of such an attack as an excuse to implement policies which further curtail civilians' civil liberties?! Really?

            That's the outcome not the reason. The government does take advantage of each attack as an excuse to implement policies which curtail citizens' civil liberties. The PATRIOT Act is the quintessential example of that. Take a step back and notice that the PATRIOT Act I was all written and ready and waiting on the shelf for an opportunity to push it through Congress unexamined. If you need a detailed walk-through with other examples, check out the book Shock Doctrine by Naomi Klein [naomiklein.org] or other analysis of disaster capitalism.

            That some groups inside the borders perceive selfish benefit from these incidents gets in the way of straightening things out.

            --
            Money is not free speech. Elections should not be auctions.
            • (Score: 1, Redundant) by canopic jug on Monday March 25, @07:07PM

              by canopic jug (3949) Subscriber Badge on Monday March 25, @07:07PM (#1350313) Journal

              Good, I hit a nerve by pointing out that the government takes advantage of each major attack as an excuse to implement policies [theguardian.com], such as the PATRIOT Act [naomiklein.org], which curtail citizens' civil liberties.

              However, I would be remiss in neglecting the role of private companies and their lobbyists in all that. They draft contingency plans to have schemes for control and profit ready when the relevant, exploitable disasters strike [thenation.com]. In this case, it is Windows-connected water treatment plants which provide the opening (pun intended) for such schemes. The lowest layers of those plants are not going to be running Windows. They can't because people would notice the immediate failure. However, upper layers do and that's where things fall over because in Windows, security is a hasty afterthought and not considered part of the design process [expertinsights.com].

              One more time: the PLCs are not running Windows, but the layers above, where the compromises are taking place, most definitely are. It's in the system requirements description in their marketing brochures.

              --
              Money is not free speech. Elections should not be auctions.
    • (Score: 4, Insightful) by quietus on Saturday March 23, @06:01PM

      by quietus (6328) on Saturday March 23, @06:01PM (#1349992) Journal

      For the same reason all other infrastructure is connected to the Internet: because the number of technical specialists who know what they are doing is severely limited in comparison to the number of infrastructure items that need to be managed.

      To prevent you having to type your next reply: yes, I agree completely that this should be an out-of-band connection, separate from the Internet (e.g. plain old telephony & dial-up modem).

      To that, the answer is ... [drum-roll] ... silos. As in: every industry sits in its own silo, not looking at what has happened to other industries. As a relevant example, the networking world had to relearn the lessons learned in the 60s-70s by telcos with their phreaker problem: use a separate line for command-and-control. Took them until the 2000s before the realisation dawned.

      Not so bad, if you realize that, according to rumor (cough..2600..cough) you could still call internationally for free (i.e. phreaking) from select airports in the United States.

      The more things change, the more they stay the same.

    • (Score: 3, Insightful) by Thexalon on Saturday March 23, @06:01PM (1 child)

      by Thexalon (636) on Saturday March 23, @06:01PM (#1349993)

      Presumably, one reason would be to help plant staff manage things during the stage in the pandemic where leaving your home was considered dangerous, or to be able to help out in emergencies without having to go into the office in the middle of the night. A not-totally-unreasonable desire that unfortunately has to contend with bad software and the fact that water systems are more of a target of bad guys than you might think.

      --
      The only thing that stops a bad guy with a compiler is a good guy with a compiler.
      • (Score: 4, Insightful) by drussell on Saturday March 23, @09:51PM

        by drussell (2678) on Saturday March 23, @09:51PM (#1350010) Journal

        Nobody operating a seriously essential service like running the water filtration and pumping station was ever told not to go to the plant to perform their job, at any point, be it middle of the night or otherwise.

        That's absolutely ridiculous. That was never considered too "dangerous."

        You still don't connect the actual PLC to the internet, for fuck's sake!

    • (Score: 3, Interesting) by krishnoid on Saturday March 23, @06:11PM

      by krishnoid (1156) on Saturday March 23, @06:11PM (#1349995)

      I post this a lot, but ... it describes the problem [youtu.be] with networking and infrastructure better than I can.

  • (Score: 2, Interesting) by Anonymous Coward on Saturday March 23, @03:36PM (1 child)

    by Anonymous Coward on Saturday March 23, @03:36PM (#1349977)

    https://www.theregister.com/2024/03/22/boffins_tucktotruck_worm/ [theregister.com]

    Another attack surface that seems to not involve Microsoft? Who thought it was a good idea to give truck monitoring systems access to the full CAN bus...and also give it Wi-Fi?

    If I owned a big rig I wouldn't be parking in busy truck stops just now, until I figured out how to disable the Wi-Fi.

  • (Score: 2, Touché) by DrkShadow on Saturday March 23, @04:06PM

    by DrkShadow (1404) on Saturday March 23, @04:06PM (#1349984)

    Good thing we wast .. that is, *spent* all that money to replace all that Chinese networking kit! I mean, all that Chinese-made networking kit was just giving them backdoors into our infrastructure. Whew, glad that problem is solved!

    Er.. wait..

  • (Score: 5, Informative) by Thesis on Sunday March 24, @12:19AM (2 children)

    by Thesis (524) on Sunday March 24, @12:19AM (#1350022)

    I will try to simplify things for folks here who may not be knowledgeable, when it comes to Utility Systems.

    Drinking water plants must be manned onsite when in operation. This is Federal and in many cases, State regulation. Many levels of licensure and permitting are mandatorily involved.

    The vast majority of drinking water, waste water plants, and electrical generation plants are controlled via SCADA (Supervisory Control and Data Acquisition). SCADA is the brains that makes it all work, by communicating to the PLCs, which control the actuators on valves, chemical feed systems, switches and such via an internal network.

    Most (not all) available SCADA systems for utilities are Windows based. Those solutions are cheaper and easier to support for a utility than open source systems.

    Now for the real problem... Most managers for the SCADA systems software, and the Utilities, have been pushing for years to have the ability to monitor and control systems from off site. There is your internet connection, and your direct vector for infection/infiltration.

    Smart folks have SCADA systems completely physically disconnected from any external network. I know of one water system personally that lost everything but the SCADA systems via ransomware. The only saving grace for them was that SCADA systems were on their own physical network. Most Utilities are not set up that way...

    SCADA systems are used in many large and small scale industrial settings as well, not just in Utilities. Food for thought.

    • (Score: 4, Insightful) by krishnoid on Sunday March 24, @01:46AM

      by krishnoid (1156) on Sunday March 24, @01:46AM (#1350031)

      Read-only monitoring, sure, maybe that's more reasonable for external Internet access. But control -- perhaps that should at least be through a message-passing gateway rather than via direct access, at least so that (e.g.) automatic notifications can accompany any changes, so everyone can know who-what-when-where-why an externally-originated change is being made.
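      The read-only-versus-gateway split suggested above, sketched as an added example that is not from the thread: a hypothetical gateway in Python that passes telemetry reads through untouched, treats every control request as a message checked against a role and a bounded setpoint range, and records a who/what/when/where/why notice for accepted and denied requests alike. The point names, the range and the role name are constructed for the demo, not taken from any real SCADA product.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone


# Constructed plant state for the demo (hypothetical points, not real SCADA tag names).
@dataclass
class PlantState:
    tank_level_pct: float = 61.0
    valve_y_open: bool = False
    pump_setpoint_pct: float = 45.0


@dataclass
class ChangeNotice:
    """The who/what/when/where/why record emitted for every control request."""
    who: str
    what: str
    where: str
    why: str
    accepted: bool
    when: str = field(default_factory=lambda: datetime.now(timezone.utc).isoformat())


# Hypothetical envelope: a remote command may only move a setpoint inside the
# range the plant's own controls already accept, never beyond it.
PUMP_SETPOINT_RANGE = (0.0, 100.0)
CONTROL_ROLE = "remote-operator"


class ControlGateway:
    """Read-only telemetry passes straight through; control is message-based."""

    def __init__(self, state: PlantState):
        self.state = state
        self.notices = []  # every request, accepted or denied, lands here

    def read(self, point: str):
        # Monitoring path: a read never touches plant state.
        return getattr(self.state, point)

    def request_change(self, who: str, role: str, point: str, value, why: str,
                       where: str = "remote") -> bool:
        # Control path: validate, then apply, and record the outcome either way
        # so staff can see who changed what, when, from where, and why.
        if role != CONTROL_ROLE:
            return self._notice(who, f"DENIED {point}={value!r} (role={role})", where, why, False)
        if point == "pump_setpoint_pct":
            lo, hi = PUMP_SETPOINT_RANGE
            if not (isinstance(value, (int, float)) and lo <= value <= hi):
                return self._notice(who, f"DENIED {point}={value!r} (out of range)", where, why, False)
            self.state.pump_setpoint_pct = float(value)
        elif point == "valve_y_open":
            self.state.valve_y_open = bool(value)
        else:
            return self._notice(who, f"DENIED unknown point {point}", where, why, False)
        return self._notice(who, f"SET {point}={value!r}", where, why, True)

    def _notice(self, who, what, where, why, accepted) -> bool:
        self.notices.append(ChangeNotice(who, what, where, why, accepted))
        return accepted
```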

    • (Score: 0) by Anonymous Coward on Sunday March 24, @01:57AM

      by Anonymous Coward on Sunday March 24, @01:57AM (#1350036)

      Could use VPNs.

      e.g. outsider VPNs in to a restricted network and from that network has limited and monitored access to the servers that provide the dashboards etc for the PHBs.

      From what I see while some of this software runs on Windows, they could have the same problems if they were on Linux instead, so it's not really a Windows problem.

      For example - some of those systems were exposed to the Internet on a default port with default passwords. Doesn't take a genius hacker to pwn those.

  • (Score: 2) by VLM on Monday March 25, @06:26PM

    by VLM (445) on Monday March 25, @06:26PM (#1350305)

    One assumption is there's 'the' plant. In my city, there is indeed literally "the" big wastewater plant down by the river, but we have something like 7 wells distributed for various geographic reasons. Lots of crowing about how the plant should be staffed so no remote access is required, but in the real world we're not going to staff each individual pump 24x7. It's actually infinitely worse, because we have IIRC 5 water towers of various size and uncountable remotely controllable valves and pressure monitoring gauges and flow rate meters in random little huts around the city. I've seen the GIS diagram; I have a friend working there. It would take about 1% of the population of the city just to operate every little pump and valve and gauge by 24x7 humans over radio or something. In the old days, the system was a lot simpler but wasted a lot more water and energy and required more repairs and took a lot longer to find and fix problems.

    Another assumption is PLC stuff is mostly direct control. True, if you have RS-232 connection to a VFD over the internet (why?) you could trivially reprogram the motor controller to command a 3-phase motor to run a large centrifugal pump in reverse and that'll usually destroy the seals pretty rapidly and permanently and expensively. Most likely the demarc or API or UI of the system is the PLC outputs 0-10V and the VFD motor controller runs the pump 0-100% speed. Even more likely the pump controls itself, and 0-10 volts from the PLC results in 1 to 101 PSI at the regulator output. The best you can hope for with remote access is shutting off the pump to inconvenience and piss off people. Very few industrial designs include some kind of cartoonish "self destruct" pushbutton.

    Another assumption is interdepartmental trust. "Lock out tag out" comes from the industrial world, like these PLCs. Nobody trusts the operators enough to not press "start" on the hydraulic press or oven, so the maint crew or electricians or whatever techs attach physical locks to save their lives. This mentality permeates PLC design. The operators usually can't do as much as the fearmongers like to claim. Much like an emergency shutdown button on an assembly line, it's far more likely you can shut stuff off than blow stuff up. Not to say there's no threat, if "the usual suspects" wanted to burn down a city they don't need to make all the water pumps explode; they merely need to flick all of them into maintenance mode at the same time. The usual fear monger stories are not terribly likely. Nobody trusts anybody out in the real world and if the ops dept could F something up at 2am they probably would just because they're untrustworthy so the system is designed so they can't. And they're experts on how this stuff works so if they can't F stuff up, some random hacker doesn't stand a chance. Likewise nobody trusts engineering so ops will not wire up a "self destruct" type of design; too many engineers have missed a unit conversion or something, so the "API" between hardware and the PLC is probably not 0-10 volts being "explode around 0v, work around 5v, explode around 10v". The API tends to be more like "run 10% slow at 0V, dead on at 5V, run 10% fast at 10V" and the bean counters can hyperoptimize to run 5.6789% low or whatever they calculate.

    The final assumption is most of the remote stuff is control not monitor. Most of the ops dept calls when I was an engineer on call at a public utility were along the lines of advice not me doing something. Technically being able to "hack" into the local power company and read the temperature of transformer #242 is a "major hack" in an abstract sense or effort required sense, but you can't actually DO anything with that read-only data. And even if I had RW there's not much I can write remotely. I could bypass the cooling fan to remotely request to run full blast which will waste some power and/or wear it out faster. And, um... that's about it. I can't shut off the fan because the hardware thermostat will run it anyway. I can't bypass the lockout-tagout shutdown remotely because if that were possible and OSHA found out they would execute everyone by firing squad (OSHA is kinda strict, all their rules having been written in blood...).
