
Russian Hackers Reach US Utility Control Rooms, Homeland Security Officials Say (wsj.com)

"Russian hackers [...] broke into supposedly secure, "air-gapped" or isolated networks owned by utilities with relative ease by first penetrating the networks of key vendors who had trusted relationships with the power companies," reports The Wall Street Journal, citing officials at the Department of Homeland Security. "They got to the point where they could have thrown switches" and disrupted power flows, said Jonathan Homer, chief of industrial-control-system analysis for DHS. The hacking campaign started last year and likely is continuing. From the report: DHS has been warning utility executives with security clearances about the Russian group's threat to critical infrastructure since 2014. But the briefing on Monday was the first time that DHS has given out information in an unclassified setting with as much detail. It continues to withhold the names of victims but now says there were hundreds of victims, not a few dozen as had been said previously. It also said some companies still may not know they have been compromised, because the attacks used credentials of actual employees to get inside utility networks, potentially making the intrusions more difficult to detect.

The attackers began by using conventional tools -- spear-phishing emails and watering-hole attacks, which trick victims into entering their passwords on spoofed websites -- to compromise the corporate networks of suppliers, many of which were smaller companies without big budgets for cybersecurity. Once inside the vendor networks, they pivoted to their real focus: the utilities. It was a relatively easy process, in many cases, for them to steal credentials from vendors and gain direct access to utility networks. Then they began stealing confidential information. For example, the hackers vacuumed up information showing how utility networks were configured, what equipment was in use and how it was controlled. They also familiarized themselves with how the facilities were supposed to work, because attackers "have to learn how to take the normal and make it abnormal" to cause disruptions, said Mr. Homer. Their goal, he said: to disguise themselves as "the people who touch these systems on a daily basis."

  • At some point... (Score:2, Insightful)

    by toonces33 ( 841696 ) on Monday July 23, 2018 @08:30PM (#56998056)

    They just ought to sever all internet connections in and out of Russia.

  • Unpossible! (Score:4, Funny)

    by amicusNYCL ( 1538833 ) on Monday July 23, 2018 @08:32PM (#56998060)

    I don't believe it. Deep state. Carter Page. Witch hunt.

    It's probably best to just end all investigations towards anything related to Russia.

    • by Rockoon ( 1252108 ) on Monday July 23, 2018 @09:32PM (#56998236)
      Doesn't pass the smell test.

      Hackers reached the point where they could throw switches... but apparently didn't throw any switches. Bullshit.
    • by rsilvergun ( 571051 ) on Monday July 23, 2018 @09:39PM (#56998258)
      and maybe trolling but Trump's poll numbers didn't budge an inch even after that downright terrifying display in Helsinki. What I find especially odd is most of his supporters are old enough to have been cold warrior types. It'd be one thing if Putin wasn't ex-KGB. There wasn't much in Russia to fear (they were pretty blasted out by WWII) but their KGB seemed to know damn well what they were doing.
      • by sjbe ( 173966 ) on Tuesday July 24, 2018 @06:38AM (#56999598)

        and maybe trolling but Trump's poll numbers didn't budge an inch even after that downright terrifying display in Helsinki.

        That's because he is down to more or less just his psycho base supporters. An alarmingly large group but they support him no matter how crazy he gets. He could start a nuclear war and they would cheer him on the whole way and probably try to find some way to blame Obama or Clinton for it.

        What I find especially odd is most of his supporters are old enough to have been cold warrior types.

        His supporters are not that old as a general proposition. He has too many of them for that to be the case though certainly a fair number of them are older. Heck I'm old enough to have been around during the later decades of the cold war and the people that really lived through the middle of it are drawing social security now. Trump's supporters are more diverse than just old people.

      • by cascadingstylesheet ( 140919 ) on Tuesday July 24, 2018 @07:35AM (#56999802) Journal

        What I find especially odd is most of his supporters are old enough to have been cold warrior types. It'd be one thing if Putin wasn't ex-KGB. There wasn't much in Russia to fear (they were pretty blasted out by WWII) but their KGB seemed to know damn well what they were doing.

        What I find odd is that the old white leaders of the Dems today were all giving Russia big wet sloppy kisses while Putin was still KGB and while Russia literally was a communist dictatorship with gulags and everything.

      • by rtb61 ( 674572 ) on Tuesday July 24, 2018 @09:29AM (#57000358) Homepage

        My mind baulks at how anyone can control anything across a true air gapped network. Unless the people controlling it are fucking morons and left wireless gear in there. Also doesn't matter what the fuck the attack, air gapped is meant to be gapped, nothing goes onto it that hasn't been scanned, you only plug in clean computer without wireless anything, all applications checked, all data checked. Work hard enough to create a proper airgapped network nothing gets on, the only way something gets on is down to people, incompetence, bribe and at budget time 'FALSE FLAG'. Don't think they would do it on purpose, nothing to do with blaming Russians but in the US they are now the favourites and every-fucking-thing to do with contractors wanting multi-million dollar contracts to secure networks. Hundreds of millions of dollars in contracts, would they fuck up networks on purpose to get paid millions to secure them, hmm, let me think, yes abso-fucking-lutely.

      • by amicusNYCL ( 1538833 ) on Tuesday July 24, 2018 @01:15PM (#57001828)

        Trump's poll numbers didn't budge an inch even after that downright terrifying display in Helsinki.

        I know. I don't know if everything is to be blamed on Russia or not, but I know one of their goals is to divide the US. If people can watch a president talk all tough on Twitter, then show up and fold like a cowardly wet paper towel, sell out our country, and talk about how strong our greatest adversary is, and still like the president, then I'm inclined to believe that Russia's machine is doing its job.

        It'd be one thing if Putin wasn't ex-KGB.

        "There is no such thing as a former KGB man." - Vladimir Vladimirovich Putin, responding to Prime Minister Sergei Stepashin, who called himself a former KGB officer.

        "My notion of the KGB came from romantic spy stories. I was a pure and utterly successful product of Soviet patriotic education." - Putin

  • lies (Score:4, Interesting)

    by phantomfive ( 622387 ) on Monday July 23, 2018 @08:37PM (#56998082) Journal
    It may be true or it may be not true.....But we've had false stories about nuclear reactors being hacked before, which turned out to be standard, untargeted malware, on a non-control computer. Regardless, the DHS has been trying for over a decade to get power over the Internet, including things like the "internet kill switch." The information they release is targeted and framed to convince people to give them that power. Furthermore, we know government agencies frequently lie, and it's only gotten worse as the president has set the example.
    • by CaptainDork ( 3678879 ) on Monday July 23, 2018 @08:55PM (#56998136)

      And, taking advantage of the president is the Republican party.

      We need an October Surprise.

      All the fucked up shit so far has come and gone as news.

    • Re:lies (Score:5, Insightful)

      by toonces33 ( 841696 ) on Monday July 23, 2018 @09:24PM (#56998218)

      Maybe you should read the article.

      • Re: lies (Score:2, Insightful)

        by phantomfive ( 622387 ) on Monday July 23, 2018 @10:58PM (#56998458) Journal
        The vagueness of the article only gives it more the appearance of a lie. There is no evidence there, just vague allusions and scare threats.
        • Re: lies (Score:5, Insightful)

          by AmiMoJo ( 196126 ) on Tuesday July 24, 2018 @05:10AM (#56999370) Homepage Journal

          Seems quite specific to me.

          The Russian hackers, who worked for a shadowy state-sponsored group previously identified as Dragonfly or Energetic Bear, broke into supposedly secure, "air-gapped" or isolated networks owned by utilities with relative ease by first penetrating the networks of key vendors who had trusted relationships with the power companies, said officials at the Department of Homeland Security.

          We have who, where, how and by what method. Interestingly it's similar to the technique used by the US to sabotage Iranian enrichment facilities.

          • by phantomfive ( 622387 ) on Tuesday July 24, 2018 @05:26AM (#56999412) Journal
            You can say anything you want, but they haven't presented any evidence. There's not really a how, either, just some vague stuff. Compare that to the level of detail we have about stuxnet, or NSA spying, for example (which DHS also lied about fwiw)
            • by AmiMoJo ( 196126 ) on Tuesday July 24, 2018 @05:54AM (#56999490) Homepage Journal

              Is it normal for them to release evidence to the public?

              The Stuxnet stuff only came out because other people got hold of it and dissected it. If you follow security blogs you can see that the same thing happens with Russian malware found in the wild. And really, it seems odd to give weight to unverifiable blog posts about Stuxnet, but not to somewhat reputable journalists.

  • by gweihir ( 88907 ) on Monday July 23, 2018 @08:38PM (#56998088)

    Hackers only break in when security sucks. Unfortunately, that is the standard situation these days.

  • Air-Gapped (Score:5, Insightful)

    by Kobun ( 668169 ) on Monday July 23, 2018 @08:45PM (#56998116)
    You keep using that word. I don't think it means what you think it means.
    • by mikeiver1 ( 1630021 ) on Monday July 23, 2018 @09:51PM (#56998286)
      Kind of thought the very same thing. They are not air gapped if "trusted" vendors can remote into the network to access the building controls/ energy management systems from the outside. There is literally no way to stop this sort of attack short of having a completely self contained network with no outside internet connections and connected via dedicated fibres run with the high tension lines connecting the various generating plants and substations. So this will not happen. Get a generator and make sure you have a big propane tank to feed the beast if the gas gets turned off too.
      • by pots ( 5047349 ) on Tuesday July 24, 2018 @02:03AM (#56998924)
        I read that and assumed that this was similar to Stuxnet - they compromised the trusted vendor, who had physical access, and when the vendor went to work on the machine they brought with them some kind of compromised software update or something. It was a compromised USB key that was used for Stuxnet.
    • by AHuxley ( 892839 ) on Monday July 23, 2018 @10:18PM (#56998350) Journal
      Air gapped could be some contractor standard. Contractors walking in and out with the work computing to other networks?
      More of a two way sneaker net than a secure computer with updates in day and hours.
    • by sit1963nz ( 934837 ) on Monday July 23, 2018 @10:56PM (#56998446)
      Air-gap is defined as being the empty space between a managers ears.
  • Shouldn't be news (Score:5, Informative)

    by Anonymous Coward on Monday July 23, 2018 @09:49PM (#56998280)

    Several years ago I was at an IT Security dinner/presentation and they laid out some of the details behind a cyberattack on an airline. The hackers didn't go after any airline networks directly. Rather, they compromised an airline parts supplier and injected malware into webpages (or documents, I forget) and eventually 'caught' an airline when someone inside the airline visited the compromised site and was themselves infected.

    I've tried to explain this to people in my industry. They don't have to be even trying to get you, just someone in your industry.

    This and the massive Target breach are why vendors, their networks, and their devices should not be trusted (from a security standpoint at least).

  • by sjames ( 1099 ) on Monday July 23, 2018 @09:54PM (#56998292) Homepage Journal

    How about ACTUALLY air-gapping the control network. If they want remote monitoring (not control), they can put a polling device on the control network. It can send all the data via a serial port with the RX connections removed to another machine on the internal network that can be reached via VPN.
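
The one-way link sjames describes (a polling device on the control network, serial TX only, RX physically removed) has a consequence worth seeing in code: the receiving side can never ACK, never ask for a retransmit, and never tell the sender anything at all. So every frame has to carry what the receiver needs to verify it, notice lost frames, and ignore replays. The following is an added example written for this page, not code from the article or from any utility; the frame layout, the shared key and the sample readings are all assumptions.

```python
"""One-way telemetry framing for a data-diode style serial link (added example).

The receiver has no transmit path, so the sender puts a sequence number and an
authentication tag in every frame. The receiver verifies the tag, counts gaps
in the sequence as lost frames, and drops anything with an old sequence number.
Key, framing and readings are assumptions for the example.
"""
import hashlib
import hmac
import json
import struct

# Shared key provisioned out of band on both hosts (assumption).
KEY = b"example-telemetry-key-do-not-use-in-production"
MAGIC = b"TLM1"
TAG_LEN = 16  # truncated HMAC-SHA256 tag


def encode_frame(seq: int, reading: dict) -> bytes:
    """Frame = MAGIC | seq (u32 BE) | len (u16 BE) | JSON payload | tag."""
    payload = json.dumps(reading, sort_keys=True, separators=(",", ":")).encode()
    header = MAGIC + struct.pack(">IH", seq, len(payload))
    tag = hmac.new(KEY, header + payload, hashlib.sha256).digest()[:TAG_LEN]
    return header + payload + tag


class DiodeReceiver:
    """Consumes frames arriving over the one-way link; never sends anything back."""

    def __init__(self):
        self.expected_seq = 0
        self.lost = 0        # frames we know never arrived (sequence gaps)
        self.rejected = 0    # malformed, tampered or replayed frames
        self.readings = []

    def feed(self, frame: bytes):
        hdr_len = len(MAGIC) + 6
        if len(frame) < hdr_len + TAG_LEN or frame[:4] != MAGIC:
            self.rejected += 1
            return None
        seq, plen = struct.unpack(">IH", frame[4:hdr_len])
        body, tag = frame[:hdr_len + plen], frame[hdr_len + plen:]
        if len(body) != hdr_len + plen or len(tag) != TAG_LEN:
            self.rejected += 1          # truncated or trailing junk
            return None
        expect = hmac.new(KEY, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expect):
            self.rejected += 1          # altered in transit or wrong key
            return None
        if seq < self.expected_seq:
            self.rejected += 1          # replay or duplicate
            return None
        if seq > self.expected_seq:
            self.lost += seq - self.expected_seq   # gap: cannot ask for a resend
        self.expected_seq = seq + 1
        reading = json.loads(body[hdr_len:])
        self.readings.append(reading)
        return reading


def demo():
    """Constructed scenario: one lost frame, one replay, one tampered frame."""
    frames = [encode_frame(i, {"bus": "B1", "kv": 138.0 + i * 0.1}) for i in range(5)]
    rx = DiodeReceiver()
    rx.feed(frames[0])
    rx.feed(frames[1])
    # frame 2 is lost on the wire; there is no channel to request it again
    rx.feed(frames[3])
    rx.feed(frames[1])                              # replay of an old frame
    tampered = bytearray(frames[4])
    tampered[12] ^= 0x01                            # flip one payload byte
    rx.feed(bytes(tampered))
    return {"accepted": len(rx.readings), "lost": rx.lost, "rejected": rx.rejected}


if __name__ == "__main__":
    print(demo())
```

Because loss is invisible to the sender, a real polling device would also re-send recent frames periodically; the sequence check above already makes those duplicates harmless. The shared-key HMAC is the minimum that keeps a device sitting on the serial cable from injecting plausible readings; it does not hide the data, which for read-only telemetry is usually acceptable.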

    • by thegarbz ( 1787294 ) on Tuesday July 24, 2018 @02:24AM (#56998964)

      How about ACTUALLY air-gapping the control network.

      I have a better idea. Practice good security rather than proposing something that ultimately gives you a false sense of security. As TFS points out these hackers breached supplier's machines and networks. That now gives them the ability to drop in a payload that will happily breach the air-gap next time someone makes a service call.

      The upside about air-gapping is how effective it is, the downside is that it's like a warm blanket making you feel cosy without actually fixing the core problem that your house's central heating system is broken. Companies need to practice layered security at every level. That network layout that isn't airgapped is part of security. That USB stick that vendor plugs in is part of security. That code review you aren't doing because of your over-reliance on vendors and lack of knowledge is part of security. That receptionist who buzzed him in is part of security.

      Air-gaps do nothing when vendor systems are breached because at the first sign of a problem you will kindly ask that vendor to come over to your side of the gap.

    • by jimbolauski ( 882977 ) on Tuesday July 24, 2018 @07:43AM (#56999828) Journal

      I/O is just one of the problems, the bigger one is patching. The update software has not been thoroughly reviewed before it is brought to an air-gapped system. I would be surprised if virus scans were being performed on all media brought into the building.

  • Yup, here's a report from 2007.

    https://www.forbes.com/2007/08... [forbes.com]

    That nothing has been done to fix this shit is the real story.

  • by sit1963nz ( 934837 ) on Monday July 23, 2018 @10:54PM (#56998438)
    Newbie Russian hacker, he thought voltage machine was the same as voting machine.
    we are saying sorry
    do not worry, we will have it all good by November , yes.
    Please give out best to the Donald
  • by Lije Baley ( 88936 ) on Monday July 23, 2018 @11:30PM (#56998524)

    Hackers are no match for mother nature in making the power go out. Outages from storms actually kill people every year. Spend the money on more tree-trimming if you want to protect the people.

  • by Archfeld ( 6757 ) <treboreel@live.com> on Tuesday July 24, 2018 @12:46AM (#56998714) Journal

    Who gives vendors access that survives a single on-site visit ? I can remember back in the day activating vendor access ID's with a new PWD every time they were onsite, and freezing the same ID's when they left the site. They were not allowed remote access unless an engineer was onsite at the time and that remote access was physically disconnected when the incident ended and the onsite personnel left the site.
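
Two passages on this page point at the same control: the summary's note that the intrusions are hard to spot because they used real employee and vendor credentials, and Archfeld's practice of enabling a vendor ID only for the duration of a visit and freezing it afterwards. Put together, that gives a detection rule: a vendor account login is only legitimate while an approved, time-boxed grant is open for that account, from that vendor's registered network, to the hosts the ticket covers. Anything else is a stolen-credential candidate even though the password was right. The following is an added example, not from the article or any utility; the log format, account names, networks, ticket IDs and times are constructed.

```python
"""Audit remote-access logins against time-boxed vendor grants (added example).

A grant is what an on-site engineer opens when the vendor arrives and closes
when they leave. Logins by vendor accounts that do not fit an open grant, or
that reach hosts the grant does not cover, are reported. All data is constructed.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Grant:
    account: str
    source_net: str          # vendor's registered egress network (assumption)
    hosts: frozenset         # control-network hosts the ticket allows
    start: datetime
    end: datetime            # explicit expiry; no open-ended vendor access
    ticket: str              # change/maintenance ticket that authorised it


def open_grant(grants, account, when, src_ip):
    """Return the grant covering this account, time and source IP, or None."""
    for g in grants:
        if g.account != account:
            continue
        if not (g.start <= when < g.end):
            continue
        if ip_address(src_ip) not in ip_network(g.source_net):
            continue
        return g
    return None


# Constructed line format: "<ISO time> <host> sshd: Accepted <method> for <user> from <ip>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: Accepted (?P<method>\w+) "
    r"for (?P<user>\S+) from (?P<ip>[\d.]+)"
)

VENDOR_ACCOUNTS = {"svc-relayvendor", "svc-hmivendor"}   # assumption


def audit(log_lines, grants):
    """Return (reason, line) findings for vendor-account logins."""
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m["user"] not in VENDOR_ACCOUNTS:
            continue
        when = datetime.fromisoformat(m["ts"])
        g = open_grant(grants, m["user"], when, m["ip"])
        if g is None:
            findings.append(("no open grant for this account/time/source", line))
        elif m["host"] not in g.hosts:
            findings.append((f"host not covered by {g.ticket} (lateral movement?)", line))
        elif m["method"] != "publickey":
            findings.append((f"password auth instead of key under {g.ticket}", line))
    return findings


# Constructed sample data: one four-hour grant and five login events.
T0 = datetime(2018, 7, 20, 9, 0)
DEMO_GRANTS = [
    Grant("svc-relayvendor", "203.0.113.0/24", frozenset({"rtu-07"}),
          T0, T0 + timedelta(hours=4), "CHG-4411"),
]
DEMO_LOG = [
    "2018-07-20T09:15:00 rtu-07 sshd: Accepted publickey for svc-relayvendor from 203.0.113.8",
    "2018-07-20T09:40:00 rtu-07 sshd: Accepted password for svc-relayvendor from 203.0.113.8",
    "2018-07-20T10:05:00 hmi-02 sshd: Accepted publickey for svc-relayvendor from 203.0.113.8",
    "2018-07-20T23:30:00 rtu-07 sshd: Accepted publickey for svc-relayvendor from 198.51.100.4",
    "2018-07-20T09:20:00 rtu-07 sshd: Accepted publickey for ops-jdoe from 10.20.0.5",
]


def demo():
    return audit(DEMO_LOG, DEMO_GRANTS)


if __name__ == "__main__":
    for reason, line in demo():
        print(f"ALERT {reason}: {line}")
```

The first sample line is the only clean one. The rest show the three things the rule catches: a password login where a key was expected, the vendor account reaching a host outside its ticket (the pivoting the briefing describes), and a late-night login from an unregistered network after the grant expired. The same check belongs in the access gateway itself so the login is refused, not just logged; the audit form is what you run over history to find out whether it already happened.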

  • Comment removed (Score:4, Insightful)

    by account_deleted ( 4530225 ) on Tuesday July 24, 2018 @01:25AM (#56998822)
    Comment removed based on user account deletion
    • by tacokill ( 531275 ) on Tuesday July 24, 2018 @09:46AM (#57000460)
      Stuxnet was brought into an air-gapped Iranian facility just like this article describes. It was brought in via a Siemens PLC or controller (not sure which) that ran Siemens Step 7 OS on it.

      The industrial controls world (like Siemens operates in) is a target rich environment to say the least. This is not an industry that is used to worrying about security and hackers. Nobody should be surprised by this.
  • by VeryFluffyBunny ( 5037285 ) on Tuesday July 24, 2018 @02:07AM (#56998936)

    The article itself is incoherent nonsense written by someone who has little or no understanding of network security.

    OTOH, I do believe that Russia and China and other states are more than likely probing USA infrastructure control systems among many other things because the USA has effectively declared a cold war on those states and is developing cyber-weapons to use against them. Russia and China would be foolish not to develop countermeasures.

  • by myid ( 3783581 ) on Tuesday July 24, 2018 @02:11AM (#56998952)

    Suppose someone broke into a power company, and shut off all power to a city. Would water stop running into everyone's home in the city, because the water company's water pumps stopped working?

    A July 13 CBS news article [cbsnews.com] says

    Director of National Intelligence Dan Coats warned of an impending, potentially devastating cyberattack on U.S. systems, saying the country's digital infrastructure "is literally under attack" and warning that among state actors, Russia is the "worst offender."

    Speaking at a scheduled event at the Hudson Institute, he adopted the language of former Director of Central Intelligence George Tenet who, in the months ahead of the 9/11 attacks, warned that the "system was blinking red." Coats, citing daily attacks from Russia, China, Iran and North Korea, said, "Here we are, nearly two decades later, and I'm here to say the warning lights are blinking red again."

    It's a good idea to have an emergency supply of food and water.

  • by Qbertino ( 265505 ) <moiraNO@SPAMmodparlor.com> on Tuesday July 24, 2018 @04:27AM (#56999284)

    "Airgapped". ... Bullshit. Either you're disconnected or you're not. Secure setups are the ones that aren't connected, have no wireless or landline connection and nobody knows about. Anything else can be broken into by teenagers with access to shodan, the secretaries phone number and two or three raspberry pis.

  • by oh_my_080980980 ( 773867 ) on Tuesday July 24, 2018 @10:32AM (#57000726)
    Richard A. Clarke was warning people about this issue since 2002. This is nothing new. Utilities were always a major security risk since security was not considered important.
  • by orgelspieler ( 865795 ) <w0lfieNO@SPAMmac.com> on Tuesday July 24, 2018 @12:16PM (#57001398) Journal

    I worked in the power industry about 15 years ago, and there was always resistance to anything newfangled. There was one exception. The ability of the HMI (we called them MMI back then) to communicate with the outside world was seen as a godsend. You could remotely tap the datalogs and see trends in things like air intake differential pressure, oil temperatures, mag sensors. All of these things would provide us with valuable information, and it was even better if you could correlate it across multiple sites. Back then it was all read only though.

    I don't know when they started letting things get changed remotely. I'm not surprised at all. It was always a PITA to have to send a field tech out to a site to do a system update. So I guess it was only matter of time before the ability to write changes became a desirable feature. But even on an air-gapped system, if you have somebody there to make updates without proper vetting, you're still hosed. Just MITM between the mother-ship sending the update and the onsite guy with permissions to change things. It's not a real-time attack, but it could still be devastating.
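
Several comments (jimbolauski on unreviewed update media, pots and tacokill on Stuxnet arriving by USB, orgelspieler just above on a MITM between the vendor and the on-site tech) describe the same failure: whatever the field tech carries across the gap is the thing the attacker tampers with. The check therefore has to happen at the gap, against something the tech's laptop could not have altered. The following is an added example of that check, not the practice of any vendor or utility on this page: the site pins a manifest of expected file digests obtained directly from the vendor through a separate channel, and the staging area is admitted only if it matches the manifest exactly. The manifest format, file names and contents are constructed.

```python
"""Admit a vendor update across an air gap only if it matches a pinned manifest.

Added example. The manifest is assumed to have been obtained from the vendor
out of band (not carried on the same media as the update) and pinned at the
site beforehand. Every listed file must be present with the right SHA-256,
and no unlisted file may be present: an extra autorun file or a "newer"
installer handed to the tech is a reject, not a warning.
"""
import hashlib
import os
import tempfile


def sha256_file(path, chunk=1 << 16):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_staged_update(staging_dir, manifest):
    """manifest: {"product": ..., "version": ..., "files": {relpath: sha256hex}}.

    Returns (ok, problems). Missing files, digest mismatches and unexpected
    files are all problems; the update is admitted only when the list is empty.
    """
    expected = manifest["files"]
    present = {}
    for root, _dirs, files in os.walk(staging_dir):
        for name in files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, staging_dir).replace(os.sep, "/")
            present[rel] = sha256_file(full)
    problems = []
    for rel, digest in expected.items():
        if rel not in present:
            problems.append(f"missing: {rel}")
        elif present[rel] != digest:
            problems.append(f"digest mismatch: {rel}")
    for rel in present:
        if rel not in expected:
            problems.append(f"unexpected file: {rel}")
    return (not problems, problems)


def demo():
    """Build a staging area from constructed files, verify it, then tamper with it."""
    good = {
        "firmware/relay-7.2.bin": b"relay firmware 7.2 (constructed)",
        "tools/loader.exe": b"loader (constructed)",
    }
    manifest = {
        "product": "relay", "version": "7.2",
        "files": {k: hashlib.sha256(v).hexdigest() for k, v in good.items()},
    }
    with tempfile.TemporaryDirectory() as d:
        for rel, data in good.items():
            p = os.path.join(d, *rel.split("/"))
            os.makedirs(os.path.dirname(p), exist_ok=True)
            with open(p, "wb") as f:
                f.write(data)
        clean = verify_staged_update(d, manifest)
        # What a compromised vendor laptop might add: a patched loader and an autorun file.
        with open(os.path.join(d, "tools", "loader.exe"), "ab") as f:
            f.write(b"\x90\x90")
        with open(os.path.join(d, "tools", "autorun.inf"), "wb") as f:
            f.write(b"[autorun]\nopen=loader.exe\n")
        tampered = verify_staged_update(d, manifest)
    return clean, tampered


if __name__ == "__main__":
    for label, (ok, problems) in zip(("clean", "tampered"), demo()):
        print(label, "ADMIT" if ok else "REJECT", problems)
```

A pinned digest manifest is the stdlib-only form of the control; where the vendor signs its releases, verifying that signature on the manifest (with the vendor's key pinned at the site) replaces the out-of-band delivery step. Either way the point is the same: the decision is made against a reference that travelled a different path than the media did.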

  • by Rick Schumann ( 4662797 ) on Tuesday July 24, 2018 @12:19PM (#57001426) Journal
    Seriously, why is this so difficult!?
