Hackers’ New Frontier: The Grid
WHY YOU SHOULD CARE
Consumer data breaches get most of the press, but hackers who target energy infrastructure could be even worse.
For bank customers, it doesn’t get much scarier than last week’s confirmation that hackers had accessed the data files of some 76 million JPMorgan Chase customers. Or does it?
Welcome to the fast-evolving world of online espionage. Many attacks don’t receive the headlines that the fiasco at Target got last year, but they are nerve-crushing nonetheless. In this arena, a wide range of cyberassailants and campaigns have attempted to infiltrate infrastructure systems, including gas lines and power grids. For them, the game isn’t about collecting credit card numbers; it’s about a kind of industrial espionage that keeps corporate security pros up all night.
Last year Hans-Joachim Popp, chief information officer at Germany’s national aeronautics and space research center, got a heart-stopping call. It was the country’s secret service, informing him that his organization’s networks had been compromised. Details were sketchy, but German experts believe a Chinese hacker group with the name Putter Panda — linked by analysts and Washington to the Chinese army — was trying to steal radar, imagery and satellite technology in line with similar attacks in Germany. Yet there’s no definitive proof of what happened, and there may never be.
“We were completely stunned,” Popp recalled. “We thought we were prepared … but this was so sophisticated.”
Popp was shocked that the best commercial anti-virus software the center had didn’t detect the malicious software, and that state actors — the police, government agencies and the secret service — couldn’t help. “It didn’t show up in our elaborate monitoring systems.”
A crimeware methodology — it’s how Russian criminals roll.
Last year alone, the U.S. Industrial Control Systems Cyber Emergency Response Team, a government body that monitors cyberattacks and coordinates countermeasures, said it responded to 257 cyberthreats across “critical infrastructure.” That’s up from 140 in 2011. Europe collates comparable data only for telcos, but experts say infrastructure attacks are up across the board.
Arne Schönbohm, the German Cyber Security Council’s president, said criminal sophistication, globalization — which leaves foreign subsidiaries outside domestic protection — and “big data” use present new opportunities. “We’re confident we have good defense mechanisms, but the attacks are constantly changing. We must constantly update,” he said. “It’s a race.”
By tapping into corporate or government systems, the hackers can find information that can be sold to competitors or be useful to countries. Some Western experts say they now believe Russia is behind some of these attacks, replacing China as the West’s cyber bête noire. Both countries have long denied such charges.
Some of the attacks follow “a crimeware methodology — it’s how Russian criminals roll,” said Sean Sullivan of F-Secure, a security consultancy based in Helsinki. Caroline Baylon, research associate at Chatham House, a London think tank, added, “There’s very close relations between Moscow and cybercriminal gangs.” Others are less convinced who’s meddling.
Talking about it and exchanging information is the only way to fight back.
Whoever is behind them, the attacks and assailants have been given some colorful names by security firms, including Icefog, Gameover Zeus, NetTraveler and MiniDuke. One of the most notorious, Energetic Bear, has been especially active, recently hitting some 2,800 targets, according to Kaspersky Lab, a Russian cybersecurity firm with a global presence. Initial targets were grid operators, generators, pipeline owners and energy software sellers, but now also include pharmaceutical, construction, education and IT companies. Most victims were in the U.S., Spain, Japan, Germany, France, Italy, Turkey, Ireland, Poland and China, Kaspersky Lab said, dubbing the attack “Crouching Yeti.”
“In terms of victim profiles, we haven’t seen such a broad set of attacks on industrial organizations,” said Kurt Baumgartner of Kaspersky.
One infamous attack in 2010, called Stuxnet, was designed to paralyze Iran’s nuclear program. But Energetic Bear appeared to be about espionage, not sabotage. Infiltration started with phishing emails that contained downloads. Attackers then installed “watering holes” as websites were manipulated and visitors redirected to exploiting sites, leaving their browsers compromised. A final step infiltrated software bundles from industrial control system software vendors.
Can any of this activity be stopped? Surveys indicate that many firms are spending more on defense. But most companies that have been hit are reluctant to speak. For their part, countries are acting as well — Britain, for example, has established the Cyber Security Information Sharing Partnership, part of a global network for industry-government coordination. Europol’s European Cybercrime Centre launched in 2013, and Brussels is pushing a law to improve exchanges and legal cooperation.
At the German Cyber Security Council, Schönbohm said experts had “a good clue who’s behind 60 to 70 percent of the crime.” But he also said that less than 10 percent would ever end up in court.
Back at the German space research center, Popp is more hopeful, saying cooperation is key. “The issue is still taboo,” he said. “Talking about it and exchanging information is the only way to fight back. It’ll take time, but we’ll join forces against the attackers.”
Matthew Saltmarsh is a London-based writer and communications professional. He has worked in journalism for almost two decades and was previously a staff writer at the International New York Times in Paris.