Foreign Hackers Targeting U.S. Utilities In Cyber Attacks

[vector7]

Why now?

[American Patriot]

Why is Panetta just warning us now? Because the current administration members are antiques, a throw back from the Soviet Era of Communism.

No, not that they are aware of things, they are JUST CATCHING UP TO CURRENT TECHNOLOGY.

If these people had a clue they would have gone forward with the "Cyber Warfare" units we were putting together in the 1990s.

If they had a CLUE that "3:00 AM Call that came in for Benghazi" last month would have been answered.

No, these folks are clueless and will destroy America if allowed to remain in office.

If Obama were anything like John Kennedy we'd not have had a hit on our embassy like that, after the lessons of 9-11.

[American Patriot]

Sometimes Vector, the news just does it all for me.

To illustrate my previous point, read this:

Cuban Missile Crisis holds lessons for presidential race

Opinion | Nicholas Burns

THIS STORY APPEARED IN


October 10, 2012

• 

Anxious people checked the Associated Press teletype machine in the Boston… (Jack O’Connell/Globe…)




Next week marks the 50th anniversary of the Cuban Missile Crisis — arguably the most dangerous moment in modern history.

During 13 harrowing days in October 1962, President John F. Kennedy and Soviet Premier Nikita Khrushchev squared off in a test of strategy and wills that nearly ended in a thermonuclear exchange. Hundreds of millions of people might have died in the United States and Soviet Union alone. At the height of the crisis, hardliners on both sides argued for war. Instead, Kennedy and Khrushchev, in a series of dramatic last-minute communications, opted for diplomacy and compromise to avoid the catastrophe of a nuclear conflagration.







What can Barack Obama and Mitt Romney learn from this crisis 50 years later? My Harvard colleague Graham Allison, who wrote the revolutionary account of what happened in his landmark 1971 book “Essence of Decision,” hosted a conference recently at the Kennedy School to reflect on the meaning of the crisis for us today. I took away two big lessons that inform the war and peace challenges our next president could face in an increasingly dangerous international environment.


First, success in diplomacy at the highest levels sometimes requires opening exit doors for your adversary so that he can save face and avoid the conflict ahead. Kennedy did just that in offering secretly to remove American Jupiter missiles in Turkey as a trade for the removal of Soviet nuclear weapons from Cuba. Will Romney and Obama take a similarly imaginative approach to negotiations with Iran? If we are to convince Tehran to halt its nuclear efforts and avoid a war, we may have to help its leaders find a way out — a compromise that will give it a public excuse to stop well short of a nuclear weapon.


Second, Kennedy concluded after the crisis that we had to think about the Soviet people in a fundamentally different way if we wanted to avoid nuclear Armageddon. In his greatest speech, at American University eight months after the crisis, Kennedy advocated building bridges to the Soviets, as the “human interest” of avoiding world war had to eclipse the more narrow “national interest.” He warned Americans “not to see conflict as inevitable, accommodation as impossible, and communication as nothing more than an exchange of threats.” He said we should adopt a “strategy of peace” instead. Who is better placed in our time — Obama or Romney — to find a way to move beyond our many difficulties with our modern-day rival, China, and to avoid a future conflict in the Pacific?



As we look to Nov. 6, we should measure the presidential candidates not just by their ubiquitous campaign commercials but by the qualities they possess that might make the difference between success or failure, war or peace, life or death in a future crisis. Kennedy demonstrated the value of restraint, good judgment, and courage in avoiding war in 1962. Of the two candidates this year, does Obama or Romney have the better command of history, coolness under pressure, and good sense to make the right choice for all of us when the next crisis occurs?







Obama has demonstrated some of these qualities in his adept isolation of Iran, his largely skillful handling of the Arab uprisings, and his bridge-building to allies and partners that has rebuilt US credibility in Europe, especially. Romney’s big foreign policy speech Monday illuminated the challenge he has had in making an impact in foreign policy. His back-to-the-future evocation of American leadership seems right for the Cold War but not nearly sophisticated enough for our very different 21st-century world.
This election can’t be just about which candidate gives the snappiest presentation in a debate and rattles off the most memorable one-liners. We need a strong leader to preserve our power but one who can also avoid the rash rush to war that has, too often, been our reaction to global tests since 9/11. President Kennedy was far from perfect. But his leadership 50 years ago saved us from disaster. The Cuban Missile Crisis reminds us that we must prize above all the qualities of intelligence, leadership, and wisdom in our next president.


Nicholas Burns is a professor of the practice of diplomacy and international politics at Harvard’s Kennedy School of Government. His column appears regularly in the Globe.




=======================


Now, everyone seems to just want the "Soviets" to get along. Except the Soviets. The Russians are no different today than they were 50 years ago. Fifty years ago I sat as a little boy in front of the television awed by the images of nuclear bombs exploding and knowing those people were going to drop bombs on the USA. My home.

That crisis was a defining moment in my life. I was only five years old but I remember it as clearly as if it happened a month ago. I remember Kennedy on television. I remember Walter Cronkite looking worried. I remember the "Duck and Cover" drills in Kindergarten. And I remember KNOWING without a doubt having watched those massive nuclear explosions on the black and white television set that there was NO WAY my little school, my desk or the big black board was going to save me and my classmates if one of those missiles fell on Detroit.

I also know that it was at the height of this that my life changed. Dad and Mom packed up everything we owned in the back of a car and little trailer and we left at 3 AM to move to Kentucky for the next few years. I left my classmates behind and I'm sure they never knew what happened to me. I honestly believe to this day Dad thought we were all going to be vaporized in a cloud of radioactive fire. (we moved back for a short time, a year later, about 6 months and then back to Ky again until late 1968)

Either way, I think that the Cuban Missile Crisis set several things in motion in my life.

[Phil Fiord]

If memory serves, the bill cited was not only about infrastructure anyway. Why can't congress write a Bill for a specific purpose and that's it. Not so expansive a thing with attached causes.

[American Patriot]

Because Phil, writing a small bill makes it easy to understand for the public, shows it's true meaning and spends the least amount of money.

We can't have THAT!

[vector7]

Time to wag the dog or loose some more freedoms?


Panetta says cyber attackers accessed controls for critical US infrastructure



Defense secretary bluntly warns were in 'pre-9-11 moment' that could precede catastrophic attack, hints Iran involved

UPDATED 6:33 AM EDT, October 12, 2012 | BY John Solomon

In a blunt admission designed to prod action, Defense Secretary Leon Panetta Thursday night told business executives there has been a sudden escalation of cyber terrorism and that attackers have managed to gain access to control systems for critical infrastructure.


In a speech in New York City, Panetta said the recent activities have raised concerns inside the U.S. intelligence community that cyber terrorism might be combined with other attacks to create massive panic and destruction on par with the Sept. 11, 2001 attacks.

“These attacks mark a significant escalation of the cyber threat. And they have renewed concerns about still more destructive scenarios that could unfold,” he said. “For example, we know that foreign cyber actors are probing America’s critical infrastructure networks.

“They are targeting the computer control systems that operate chemical, electricity and water plants, and those that guide transportation throughout the country,” he added. “We know of specific instances where intruders have successfully gained access to these control systems. We also know they are seeking to create advanced tools to attack these systems and cause panic, destruction, and even the loss of life.”

Current and former U.S. officials tell the Washington Guardian that U.S. investigators have growing evidence that Iran was behind a recent wave of cyber attacks, particularly those that temporarily paralyzed energy interests in two Middle East countries that are key U.S. allies.

Panetta stopped short in his speech of formally accusing Iran but left no doubt America has strong suspicions about Tehran. "Iran has also undertaken a concerted effort to use cyberspace to its advantage," he declared.

Panetta’s speech came as the Obama administration is pressing ahead with its own cyber security measures using executive powers after reaching a stalemate with congressional Republicans and their business allies over sweeping legislation to change the nation’s cybersecurity posture.

“This is a pre-9/11 moment,” Panetta told the business executives, referring to the period before the terror attacks 11 years ago when signs of a mounting threat were overlooked. “The attackers are plotting. Our systems will never be impenetrable, just like our physical defenses are not perfect. But more can be done to improve them. We need Congress, and we need all of you, to help in that effort.”


Panetta, who has been sounding alarm for month about the potential for a "Cyber Pearl Habor", gave unusually blunt description of three recent attacks --- one against U.S. financial interests and two against Middle East energy interests – that have raised the alarm. Defense officials said classified information was declassified so Panetta could give specific details about the nature of the attacks.


The defense secretary, who previously served as President Obama’s CIA director, said consecutive attacks on Saudi Arabia’s ARAMCO oil company and Qatar’s Ras Gas known launched by a virus known as Shamoon were “probably the most destructive attack that the private sector has seen to date. “

“Shamoon included a routine called a 'wiper,' coded to self-execute. This routine replaced crucial system files with an image of a burning U.S. flag. It also put additional “garbage” data that overwrote all the real data on the machine. The more than 30,000 computers it infected were rendered useless, and had to be replaced,” Panetta explained.

The defense secretary offered an assessment of possible future doomsday scenarios feared by U.S. intelligence in which cyber terrorism could be combined with waves of attacks.

“An aggressor nation or extremist group could gain control of critical switches and derail passenger trains, or trains loaded with lethal chemicals. They could contaminate the water supply in major cities, or shut down the power grid across large parts of the country.,” he said.

“The most destructive scenarios involve cyber actors launching several attacks on our critical infrastructure at once, in combination with a physical attack on our country,” he added. “Attackers could also seek to disable or degrade critical military systems and communications networks.”

[vector7]

Defense Secretary Panetta Sees a 'Pre-9/11 Moment' for Cyber Security

By Matt Egan
Published October 12, 2012
FOXBusiness

• 

Against the backdrop of a slew of recent cyber attacks against U.S. banks, Defense Secretary Leon Panetta this week warned about the cyber threat and said the U.S. may need to aggressively hit back at cyber evildoers.

The comments marked some of the clearest remarks by Panetta about the evolving and rising cyber threat, which has been on full display in recent months through a high-profile attack on Saudi Arabia’s state oil company and recent ones on U.S. banks like Bank of America (BAC) and Wells Fargo (WFC).

“A cyber attack perpetrated by nation states or violent extremist groups could be as destructive as the terrorist attack of 9/11,” Panetta said in a speech to the Business Executives for National Security meeting in New York on Thursday. “Such a destructive cyber terrorist attack could paralyze the nation.”

While he didn’t call out Iran for a specific role in any recent attack, previous reports indicate some U.S. officials blame Iran for the bank attacks and cyber security experts see Iranian fingerprints on the Saudi Aramco intrusion.

“It's no secret that Russia and China have advanced cyber capabilities. Iran has also undertaken a concerted effort to use cyberspace to its advantage,” Panetta said.

Panetta spoke out about the potential need for the U.S. to retaliate or deter a future cyber attack.

“In the past, we have done so through operations on land and at sea, in the skies and in space. In this new century, the United States military must help defend the nation in cyberspace as well,” he said.

Panetta warned that “this is a pre-9/11 moment” and said “the attackers are plotting.”

The Defense Secretary also appeared to declassify some new information, warning that intruders infiltrated computer control systems that “operate chemical, electricity and water plants and those that guide transportation throughout the country.” It’s not clear who was behind this attack.

Panetta expressed concern that an “aggressor nation or extremist group” could deploy cyber weapons to derail passenger trains, contaminate the water supply, shut down the power grid or amplify a physical attack.

Panetta also specifically addressed the denial of service (DDoS) cyber attacks of recent weeks on major lenders like J.P. Morgan Chase (JPM) and U.S. Bancorp (USB).

“These attacks delayed or disrupted services on customer websites. While this kind of tactic isn't new, the scale and speed with which it happened was unprecedented,” he said.

Likewise, Panetta detailed the Shamoon virus that infected computers in Saudi Aramco, destroying about 30,000 systems. There was a similar attack on RasGas of Qatar, another major energy company in the region, just days later.

“All told, the Shamoon virus was probably the most destructive attack that the private sector has seen to date,” Panetta said.

Panetta said the Department of Defense has developed the “world’s most sophisticated system” to detect cyber attacks but is also thinking about a response.

To prepare for this threat, Panetta said the DOD is developing new capabilities by investing $3 billion a year in cyber security because “we need to build and maintain the finest cyber force and operations.”

The DOD is also finalizing a major upgrade to its rules of engagement in cyber space and working toward building stronger partnerships, including with the private sector.

“The private sector, government, military, our allies -- all share the same global infrastructure and we all share the responsibility to protect it,” Panetta said.

The Defense secretary called on Congress to pass cyber legislation in order to ensure that information sharing is “timely and comprehensive.” He said the legislation should be like the stalled bipartisan bill co-sponsored by U.S. Sens. Joseph Lieberman and Diane Feinstein.

Panetta: Cyber threat is pre 9/11 moment



U.S. Defense Secretary Leon Panetta
October 12th, 2012
03:00 AM ET

By Pam Benson

The United States must beef up its cyber defenses or suffer as it did on September 11, 2001 for failing to see the warning signs ahead of that devastating terrorist attack, the Secretary of Defense told a group of business leaders in New York Thursday night.

Calling it a “pre-9/11 moment,” Leon Panetta said he is particularly worried about a significant escalation of attacks.

In a speech aboard a decommissioned aircraft carrier, Panetta reminded the Business Executives for National Security about recent distributed denial of service attacks that hit a number of large U.S. financial institutions with unprecedented speed, disrupting services to customers.

And he pointed to a cyber virus known as Shamoon which infected the computers of major energy firms in Saudi Arabia and Qatar this past summer. More than 30-thousand computers were rendered useless by the attack on the Saudi state oil company ARAMCO. A similar incident occurred with Ras Gas of Qatar. Panetta said the attacks were probably the most devastating to ever hit the private sector.

The secretary did not say who is believed responsible for those attacks, but senior defense officials who briefed reporters on the speech, said the United States knows, however they would not divulge the suspect.

And he warned America's critical infrastructure - its electrical power grid, water plants and transportation systems - are threatened by foreign actors.

"We know of specific instances where intruders have successfully gained access to these control systems," Panetta said. "We also know they are seeking to create advanced tools to attack those systems and cause panic, destruction and even loss of life."

For its part, Panetta said the Defense Department is "aggressively ... putting in place measures to stop cyber attacks dead in their tracks." The steps he outlined included both defensive and offensive responses.

He cited efforts to stop malicious code before it infects systems and investments in forensics to help track down who is responsible.

But defense isn't the only answer. "If we detect an imminent threat of attack that will cause significant physical destruction or kill American citizens, we need to have the option to take action to defend the nation when directed by the president," Panetta said.

Panetta also said the Defense Department is in the process of finalizing rules of engagement in cyberspace. In a telephone briefing with reports, a senior defense official would not provide any details about the proposed rules but did stress they involve what the response would be to a cyber attack on the United States "that would rise under international law to the level of armed attack."

Panetta's comments never used the word "offensive" and the senior defense officials who briefed reports about the speech under the condition of anonymity, were also reluctant to use the word. One official said it was important "to keep the maximum number of options on the table." Another official stressed the United States was prepared to take action if threatened, but added the Pentagon had previously acknowledged it has offensive cyber capabilities.

Cyber security is ultimately a team effort, and Panetta said the Defense Department was working closely with the State Department, the Department of Homeland Security, the FBI and others to protect the nation. He called on Congress to pass comprehensive cyber-security legislation now.

Over the summer, the Senate came up short when opponents of the Lieberman-Collins cyber bill blocked it from coming up for a final vote. A group of mostly Republican senators and the Chamber of Commerce opposed the bill because they believed it required too much of the private sector.

Panetta urged the business leaders to work with government to support stronger cyber defenses.

"We must share information between the government and the private sector about threats to cyberspace," Panetta said, adding everything would be done to protect civil liberties and privacy.

[Ryan Ruck]

Energy Companies Hit By Cyber Attack From Russia-Linked Group

June 30, 2014

The industrial control systems of hundreds of European and US energy companies have been infected by a sophisticated cyber weapon operated by a state-backed group with apparent ties to Russia, according to a leading US online security group.

The powerful piece of malware known as “Energetic Bear” allows its operators to monitor energy consumption in real time, or to cripple physical systems such as wind turbines, gas pipelines and power plants at will.

The well-resourced organisation behind the cyber attack is believed to have compromised the computer systems of more than 1,000 organisations in 84 countries in a campaign spanning 18 months. The malware is similar to the Stuxnet computer programme created by the US and Israel that succeeded in infecting and sabotaging Iran’s uranium enrichment facilities two years ago.

The latest attacks are a new deployment of malware that was first monitored by IT security companies at the beginning of the year.

Early infections by Energetic Bear appeared to be based solely around espionage.

Symantec, a US cyber security company, said on Monday, however, that it had identified a virulent new “attack vector” designed to give the malware control over physical systems themselves.

Symantec said the group behind Energetic Bear, who they have dubbed Dragonfly, succeeded last year in infecting three leading specialist manufacturers of industrial control systems. Dragonfly then inserted the malware covertly into the legitimate software updates those companies sent to clients.

As clients downloaded the updates, their industrial control systems become infected. Contaminated software from one of the companies was downloaded to more than 250 industrial systems.

The malware is said to have indiscriminately infected hundreds of organisations, but by filtering infections to see where it is in regular contact with its command and control servers, Symantec said it had a clear picture of where Dragonfly’s interests lie.

According to Symantec, which produces the Norton range of antivirus software, Energetic Bear is most actively in use in Spain and the US, followed by France, Italy and Germany.

(All NATO countries!)

Symantec said it believed that Dragonfly was “based in eastern Europe and has all the markings of being state-sponsored”.

Stuart Poole-Robb, a former MI6 and military intelligence officer and founder of KCS Group, a security consultancy, said: “To target a whole sector like this at the level they are doing just for strategic data and control speaks of some form of government sanction.

“These are people working with Fapsi [Russia’s electronic spying agency]; working to support mother Russia.”

Timestamps and Cyrillic text and names within the code for Energetic Bear indicate the malware’s origins are in Russia, although attributing cyber attacks is far from an exact science.

For example, Chinese hackers, who have also been involved in energy-related espionage in the past, have been known to route their attacks through Russia to provide cover for their activities.

[American Patriot]

Massive Cyber Attack Dragonfly, Compromised +1K Power Plants Worldwide
July 1, 2014 · by Fortuna's Corner · in big data, CIA, cloud computing, Critical Infrastructure Protection, Cyber War, Cybersecurity, Defense Industrial Base, DIA, espionage, spying, FBI, Intelligence Community, Internet, national security, NSA, technology & innovation, terrorism, U.S. Cyber Command, US Military · Leave a comment

Dragonfly: Massive Cyber Attack Has Compromised +1000 Power Plants Worldwide

http://www.fortunascorner.wordpress.com

The cyber security firm Symantec is reporting this morning (July 1, 2014) on their website blog, that “an ongoing cyber espionage campaign — against a range of targets — mainly in the energy sector — has given the attackers the ability to mount sabotage operations against their victims. The attackers, known to Symantec as Dragonfly, managed to compromise a number of strategically important organizations for spying purposes; and, if they had used sabotage capabilities [available] open to them, [they] could have caused [significant] damage or disruption to energy supplies in the affected countries.

Symantec notes that among the targets of Dragonfly:, were energy grid operators; major electricity generation firms; petroleum pipeline operators; and, energy industrial equipment providers. Symantec notes that the majority of victims were located in the United States, Spain, France, Italy, Germany, Poland, and Turkey.

Symantec adds that the group is well-resourced, with a range of malware tools at its disposal; and, is capable of launching attacks through a number of vectors. It’s most ambitious attack campaign saw it compromise a number of industrial control system (ICS) equipment providers, infecting their software with a remote access-type Trojan . This discovery prompted the companies to install the malware — when downloading software updates for computers running ICS equipment. These infections not only gave the attackers a beachhead in the targeted organizations network, Symantec notes, but, also gave them the means to mount sabotage operations against infected ICS computers.

The campaign follows in the footsteps of the Stuxnet cyber virus, which was the first known major malware campaign to target ICS systems. While Stuxnet was narrowly targeted at the Iranian nuclear program; and, had sabotage as its primary goal — Dragonfly appears to have a much broader focus — with espionage and persistent access as its current objective — with sabotage as a an optional capability, if required.

In addition to compromising ICS software, Dragonfly has used spam email campaigns and watering hole attacks to infect targeted organizations. According to Symantec, the group has used two primary tools, Backdoor Oldrea, and Trojan Karagany. The former, Symantec says, appears to be a custom piece of malware, either written by, or for the attackers.

Prior to the publication of this article, Symantec says it notified affected victims and relevant authorities, such as the Computer Emergency Response Centers (CERTs) that handle and respond to Internet security incidents.

Background

The Dragonfly group, also known as Energetic Bear, appears to have been in operation since at least 2011; and, may have been active even longer than that. Dragonfly initially targeted defense and aviation companies in the U.S. and Canada, before shifting its focus mainly to U.S. and European energy firms in early 2013.

The campaign against the European and American energy sector quickly expanded in scope. The group initially began sending malware in phishing emails to personnel in target firms. Later, the group added watering hole attacks to its offensive, compromising websites likely to be visited by those working in the energy sector — in order to redirect them to websites hosting an exploit kit. The exploit kit, in turn, delivered malware to the victim’s computer. The third phase of the campaign was the Trojanizing of legitimate software bundles belonging to three different ICS equipment manufacturers.

Dragonfly, Symantec notes, bears the hallmarks of a state-sponsored operation, displaying a high degree of technical capability. The group is able to mount attacks through multiple vectors, and compromise numerous third party websites in the process. Dragonfly has targeted multiple organizations in the energy sector — over a long period of time. It’s current main motive appears to be cyber espionage, with potential for sabotage a definite secondary capability/option.

Symantec says that their analysis of the compilation timestamps on the malware used by the attackers — indicate the group mostly worked between Monday – Friday, with activity mainly concentrated in a nine-hour period that correspond to a 9am – 6pm working day in the UTC +4 time zone. Based on this information, Symantec writes, it is likely the attackers are based in Eastern Europe.

Tools Employed

Dragonfly uses two main pieces of malware in their attacks, notes Symantec. Both are Remote Access Tool-type (RAT) malware — which provide the attackers with access and control of compromised computers. Dragonfly’s main malware tool, the report says is, Backdoor Oldrea, which is also known as Havex, or the Energetic Bear RAT. Oldrea acts as a back-door for the attackers to turn on the victim’s computer, allowing them to extract data and install additional malware. The gift that keeps on giving — if you will. Oldrea, Symantec contends, appears to be custom malware, either written by the group itself; or, created for it. This provides some indication of the capabilities and resources behind the Dragonfly group.

Once installed on a victim’s computer, Oldrea gathers system information, along with lists of files, programs installed, and root of available drives. It will also extract data from the computer’s Outlook address book and VPN configuration files. This data is then written to a temporary file in an encrypted format before being sent to a remote command-and-control (C and C) server controlled by the attackers.

The majority of the C and C severs appear to be hosted on compromised servers — running content management systems, indicating the attackers may have used the same exploit to gain control of each server. Oldrea has a basic control panel which allows an authenticated user to download a compressed version of the stolen data for each particular victim.

The second main tool used by Dragonfly is Trojan Karagany, according to the Symantec report. Karagany was available Symantec notes, on the underground [Internet] market. The source code for version 1 of Karagany was leaked in 2010. Symantec believes that Dragonfly may have taken this source code and modified it for its own use. This version is detected by Symantec as Trojan Karagany!gen1.

Karagany is capable of uploading stolen data, downloading new files, and running executable files on an infected computer. It is also capable of running additional plugins, such as tools for collecting passwords, taking screenshots, and cataloging documents on infected computers.

Symantec found that the majority of computers compromised by the attackers were infected with Oldrea. Karagany was used in only about 5 percent of infections. The two pieces of malware are similar in functionality and what prompts the attackers to chose one tool over the other remains unknown the company said.

Multiple Attack Vendors

The Dragonfly group has used at least three infection tactics against targets in the energy sector. The earliest method was an email campaign, which saw executives and senior employees in target companies receive emails containing a malicious PDF attachment. Infected emails had one or two subject lines: “The account” or “Settlement of delivery problem.” All emails were from a single Gmail address.

The spam campaign began in February 2013, and continued into late June 2013. Symantec identified seven different organizations targeted in this campaign. The number of emails sent to each organization ranged from one to 84.

The attackers then shifted their focus to watering hole attacks, the company said, comprising a number of energy-related websites and injecting an iframe into each which redirected vendors to another compromised legitimate website hosting the Lightsout exploit kit. Lightsout exploits either Java or Internet Explorer in order to drop Oldera or Karagany on the victim’s computer. The fact that the attackers compromised multiple, legitimate websites for each stage of the operation is further evidence that the group has strong technical capabilities Symantec said.

In September, 2013, Dragonfly began using a new version of this exploit kit known as Hello exploit kit. The landing page for this kit contains JavaScript — which fingerprints the system, identifying installed browser plugins. The victim is then redirected to a URL, which in turn determines the best exploit to use — based on the information collected.

Trojanized Software

The most ambitious attack vector used by Dragonfly, according to Symantec, was the compromise of a number of legitimate software packages. Three different ICS equipment providers were targeted; and, malware was inserted into their software bundles they had made available for download on their websites. All three companies made equipment that is used in a number of industrial sectors, including energy.

The first identified Trojanized software was a product used to provide VPN access to programmatic logic controller(PLC) type devices. The vendor discovered the attack shortly after it was mounted, but there had already been 250 unique downloads of the compromised software.

The second company to be compromised was a European manufacturer of specialist PLC-type devices. In this instance, Symantec says, a software package containing a driver for one of its devices was compromised. Symantec estimates that the Trojanized software was available for download for at least six weeks in June and July of 2013.

The third firm attacked was a European company which develops systems to manage wind turbines, biogas plants, and other energy infrastructure. Symantec believes that compromised software may have been available for download for approximately ten days in April, 2014.

The Dragonfly group is technically adept and able to think strategically. Given the size of some of its targets, the group found a “soft underbelly” by compromising suppliers, which are invariably smaller, less protected companies.

Protection

Symantec notes that is has the following detections in place, that will protect customers running up to date versions of their products from the malware used in these attacks: Antivirus detections and Intrusion Prevention Signatures.

Obviously, there are other cyber security firms such as FireEye, Palo Alto Networks, Fortinet, Barracuda Networks, etc. that also likely have the requisite cyber security tools, technology and techniques to combat and mitigate these kinds of attacks. While the information that the attackers gained was not used in an offensive way — that we are aware of — this kind of data is important for an adversary who is “mapping” the IT “battlefield” and keeping this information in their kit-bag of tricks. No doubt they are also learning what worked and what didn’t and improving on their techniaues, tactics and procedures. V/R, RCP

[Ryan Ruck]

This fits in line with when the first article in this thread was posted. Was that a trial run of what this new article discusses?

'Trojan Horse' Bug Lurking in Vital US Computers Since 2011

November 6, 2014

A destructive “Trojan Horse” malware program has penetrated the software that runs much of the nation’s critical infrastructure and is poised to cause an economic catastrophe, according to the Department of Homeland Security.

National Security sources told ABC News there is evidence that the malware was inserted by hackers believed to be sponsored by the Russian government, and is a very serious threat.

The hacked software is used to control complex industrial operations like oil and gas pipelines, power transmission grids, water distribution and filtration systems, wind turbines and even some nuclear plants. Shutting down or damaging any of these vital public utilities could severely impact hundreds of thousands of Americans.

DHS said in a bulletin that the hacking campaign has been ongoing since 2011, but no attempt has been made to activate the malware to “damage, modify, or otherwise disrupt” the industrial control process. So while U.S. officials recently became aware the penetration, they don’t know where or when it may be unleashed.

DHS sources told ABC News they think this is no random attack and they fear that the Russians have torn a page from the old, Cold War playbook, and have placed the malware in key U.S. systems as a threat, and/or as a deterrent to a U.S. cyber-attack on Russian systems – mutually assured destruction.

The hack became known to insiders last week when a DHS alert bulletin was issued by the agency’s Industrial Control Systems Cyber Emergency Response Team to its industry members. The bulletin said the “BlackEnergy” penetration recently had been detected by several companies.

DHS said “BlackEnergy” is the same malware that was used by a Russian cyber-espionage group dubbed “Sandworm” to target NATO and some energy and telecommunications companies in Europe earlier this year. “Analysis of the technical findings in the two reports shows linkages in the shared command and control infrastructure between the campaigns, suggesting both are part of a broader campaign by the same threat actor,” the DHS bulletin said.

The hacked software is very advanced. It allows designated workers to control various industrial processes through the computer, an iPad or a smart phone, sources said. The software allows information sharing and collaborative control.

[American Patriot]

I mentioned cyberwarfare a couple of days ago along with the article on Putin "not having a real clue" and "living for the minute".

Of course we all kind of pooh-pooh such statements coming from former soviet aids, but in reality, Putin might be driving the train be he ain't putting the fuel in the vehicle. That would be the Politburo of the old Soviet Union. Remember that those people are still there, many of them, at least the younger people who are now older.

I don't believe for a second Putin hasn't thought out the future, and he's saying nuclear war is inevitable. That's a blatant threat to the West. "YOu do something we don't like, we'll hit you with nukes".

People like Obama would be scared of this. Hell, most of Congress is terrified of it.

But a cyber attack, plus perhaps an emp event would smack America harder than a direct nuclear war if you ask me.

[Ryan Ruck]

Cyberattack Pings Data Systems of At Least Four Gas Networks

April 4, 2018

At least four U.S. pipeline companies have seen their electronic systems for communicating with customers shut down over the last few days, with three confirming it resulted from a cyberattack.

On Tuesday, Oneok Inc., which operates natural gas pipelines in the Permian Basin in Texas and the Rocky Mountains region, said it disabled its system as a precaution after determining that a third-party provider was the “target of an apparent cyberattack."

A day earlier, Energy Transfer Partners LP, Boardwalk Pipeline Partners LP, and Chesapeake Utilities Corp.’s Eastern Shore Natural Gas reported communications breakdowns, with Eastern Shore saying its outage occurred on March 29. The Department of Homeland Security, which said Monday it was gathering information about the attacks, had no immediate comment Tuesday.

“We do not believe any customer data was compromised,” said the Latitude Technologies unit of Energy Services Group, which Energy Transfer and Eastern Shore both identified as their third-party provider. “We are investigating the re-establishment of this data,” Latitude said in a message to customers.

The company wasn’t ready to make a statement or discuss the details of the service disruption yet, Carla Roddy, marketing director at Energy Services Group, said in a brief interview at the company’s headquarters in Norwell, Massachusetts.

The attacks follow a U.S. government warning in March that Russian hackers are conducting an assault on the U.S. electric grid and other targets. Last month, Atlanta’s government was hobbled by a ransomware attack.

Computer to Computer

The electronic systems help pipeline customers communicate their needs with operators, using a computer-to-computer exchange of documents. Energy Transfer said the electronic data interchange system provided by Latitude was back up and working Monday night. The business wasn’t otherwise affected, spokeswoman Vicki Granado said in an email.

Eastern Shore Natural Gas’s Latitude system was restored on Monday as well, the company said in a notice to customers. In addition to providing EDI services, Latitude also hosts websites used by about 50 pipelines for posting notices to customers. At least some of the websites went down on March 29 and didn’t start returning until Monday, according to Dan Spangler, pipeline manager for data provider Genscape Inc. in Boulder, Colorado.

“Although all of the sites are back up now, many of them are still missing” data for March 30 and April 1, he said. “Other than Energy Transfer pipes and the pipelines hosted by Latitude, we haven’t seen any issues with gas data.”

The shutdowns are “not operationally serious in the sense that it’s stopping the natural gas from moving, but it is serious because it’s causing these companies to use workarounds for communication,” said Rae McQuade, president of the North American Energy Standards Board in Houston, which is responsible for developing industry standards.

“If somebody is running a business that has some kind of critical asset to it -- pipelines, energy, finance -- those networks are going to be targets; those networks have been targets,” said John Harbaugh, chief operating officer at R9B, a Colorado Springs, Colorado, cybersecurity solutions provider.

Many of the 3 million miles of pipelines that spread across America rely on third-party companies for their electronic communication systems, Andy Lee, senior partner at Jones Walker LLP in New Orleans, said by telephone Tuesday. In turn, they depend on those companies to provide security for those systems from attacks.

Latitude is “very well known in the industry,” the energy board’s McQuade said. “They have a lot of clients, they are very well respected.”

The systems are gaining attention from hackers because they’ve proven to be "low-hanging" fruit that creates an opportunity for ransomware or to sell the information on the dark web, Lee said.

Entry Points

While the EDI systems may be entry points for hackers, they are likely not the ultimate target, said Jim Guinn, managing director and global cybersecurity leader for energy, utilities, chemicals and mining at Accenture Plc, a technology consulting company.

“There is absolutely nothing of intrinsic value for someone to infiltrate the EDI other than to navigate a network to do something more malicious," Guinn said by telephone Tuesday. "All bad actors are looking for a way to get into the museum to go steal the Van Gogh painting."

He also said there is nothing inherently different about oil and gas EDI systems.

Not First Time

This isn’t the first time U.S. pipelines have been targeted. In 2012, a federal cyber response team said in a note that it had identified a number of “cyber intrusions” targeting natural gas pipeline sector companies. The group, the Industrial Control Systems Cyber Emergency Response Team, is a division of Homeland Security.

“It’s important to recognize that this does not appear to be an attack on an operational system,” said Cathy Landry, a spokeswoman for the Interstate Natural Gas Association of America. “An attack on a network certainly is inconvenient and can be costly, and something any company – whether a retailer, a bank or a media company -- wants to avoid, but there is no threat to public safety or to natural gas deliveries.”

She said she “cannot speak for any of the companies specifically about what may or may not have happened to their systems.”

[Malsua]

These folks need to return to old school shit that wasn't hackable.

Yes, I'm talking about dial-up, point to point comms over POTS. There's simply no hacking that. Oh, someone may be able to listen in if they are exceptionally gifted, but they couldn't change anything.

Toss on some end-to-end encryption with one-time passwords for initiating comms and no one is touching that shit.

The internet is not secure so use something else.

[Ryan Ruck]

If we were serious about utility cybersecurity, we'd have a version of the Defense Information System Network for utilities exclusively.

Only thing is, no telling how secure DISN really is if there's Chinese networking gear with backdoors installed on it.

[Ryan Ruck]

Hmm... Krebs doesn't seem to have a precise answer as to the cause.

Who’s Behind Monday’s 14-State 911 Outage?

September 29, 2020

Emergency 911 systems were down for more than an hour on Monday in towns and cities across 14 U.S. states. The outages led many news outlets to speculate the problem was related to Microsoft‘s Azure web services platform, which also was struggling with a widespread outage at the time. However, multiple sources tell KrebsOnSecurity the 911 issues stemmed from some kind of technical snafu involving Intrado and Lumen, two companies that together handle 911 calls for a broad swath of the United States.

On the afternoon of Monday, Sept. 28, several states including Arizona, California, Colorado, Delaware, Florida, Illinois, Indiana, Minnesota, Nevada, North Carolina, North Dakota, Ohio, Pennsylvania and Washington reported 911 outages in various cities and localities.

Multiple news reports suggested the outages might have been related to an ongoing service disruption at Microsoft. But a spokesperson for the software giant told KrebsOnSecurity, “we’ve seen no indication that the multi-state 911 outage was a result of yesterday’s Azure service disruption.”

Inquiries made with emergency dispatch centers at several of the towns and cities hit by the 911 outage pointed to a different source: Omaha, Neb.-based Intrado — until last year known as West Safety Communications — a provider of 911 and emergency communications infrastructure, systems and services to telecommunications companies and public safety agencies throughout the country.

Intrado did not respond to multiple requests for comment. But according to officials in Henderson County, NC, which experienced its own 911 failures yesterday, Intrado said the outage was the result of a problem with an unspecified service provider.

“On September 28, 2020, at 4:30pm MT, our 911 Service Provider observed conditions internal to their network that resulted in impacts to 911 call delivery,” reads a statement Intrado provided to county officials. “The impact was mitigated, and service was restored and confirmed to be functional by 5:47PM MT. Our service provider is currently working to determine root cause.”

The service provider referenced in Intrado’s statement appears to be Lumen, a communications firm and 911 provider that until very recently was known as CenturyLink Inc. A look at the company’s status page indicates multiple Lumen systems experienced total or partial service disruptions on Monday, including its private and internal cloud networks and its control systems network.

In a statement provided to KrebsOnSecurity, Lumen blamed the issue on Intrado.

“At approximately 4:30 p.m. MT, some Lumen customers were affected by a vendor partner event that impacted 911 services in AZ, CO, NC, ND, MN, SD, and UT,” the statement reads. “Service was restored in less than an hour and all 911 traffic is routing properly at this time. The vendor partner is in the process of investigating the event.”

It may be no accident that both of these companies are now operating under new names, as this would hardly be the first time a problem between the two of them has disrupted 911 access for a large number of Americans.

In 2019, Intrado/West and CenturyLink agreed to pay $575,000 to settle an investigation by the Federal Communications Commission (FCC) into an Aug. 2018 outage that lasted 65 minutes. The FCC found that incident was the result of a West Safety technician bungling a configuration change to the company’s 911 routing network.

On April 6, 2014, some 11 million people across the United States were disconnected from 911 services for eight hours thanks to an “entirely preventable” software error tied to Intrado’s systems. The incident affected 81 call dispatch centers, rendering emergency services inoperable in all of Washington and parts of North Carolina, South Carolina, Pennsylvania, California, Minnesota and Florida.

According to a 2014 Washington Post story about a subsequent investigation and report released by the FCC, that issue involved a problem with the way Intrado’s automated system assigns a unique identifying code to each incoming call before passing it on to the appropriate “public safety answering point,” or PSAP.

“On April 9, the software responsible for assigning the codes maxed out at a pre-set limit,” The Post explained. “The counter literally stopped counting at 40 million calls. As a result, the routing system stopped accepting new calls, leading to a bottleneck and a series of cascading failures elsewhere in the 911 infrastructure.”

Compounding the length of the 2014 outage, the FCC found, was that the Intrado server responsible for categorizing and keeping track of service interruptions classified them as “low level” incidents that were never flagged for manual review by human beings.

The FCC ultimately fined Intrado and CenturyLink $17.4 million for the multi-state 2014 outage. An FCC spokesperson declined to comment on Monday’s outage, but said the agency was investigating the incident.

Which also, as Krebs mentions, happened at about the same time as there was a large disruption at Microsoft with Azure/Office 365.

Microsoft 365 Services Are Coming Back After Major Outage

September 28, 2020

Microsoft 365 was hit with a significant outage late Monday that affected users' access to multiple services, including Outlook.

By late evening, services appeared to be largely restored: Microsoft tweeted at 9:21 p.m. ET that "most users should be experiencing relief." The company added that it was "continuing to see significant improvement for affected services."

Earlier, the company indicated affected services included Outlook.com, Office.com, Power Platform, Dynamics365, and Microsoft Teams including Teams Live Event.

According to Down Detector, a website that tracks internet outages, users reported issues with logging in, server connection and Outlook. The downtime began around 5 pm ET for Office 365, according to the site.

Microsoft initially attributed the outage to a recent change to the platform, but later indicated it was "not observing an increase in successful connections after rolling back a recent change. We're working to evaluate additional mitigation solutions while we investigate the root cause."

A Microsoft spokesperson later told CNN Business that "at this time, we've seen no indication that this is the result of malicious activity."

[Ryan Ruck]

And another at the same time as the others...

Major Hospital System Hit With Cyberattack, Potentially Largest In U.S. History

Computer systems for Universal Health Services, which has more than 400 locations, primarily in the U.S., began to fail over the weekend.

September 28, 2020

A major hospital chain has been hit by what appears to be one of the largest medical cyberattacks in United States history.

Computer systems for Universal Health Services, which has more than 400 locations, primarily in the U.S., began to fail over the weekend, and some hospitals have had to resort to filing patient information with pen and paper, according to multiple people familiar with the situation.

Universal Health Services did not immediately respond to requests for comment, but posted a statement to its website that its company-wide network “is currently offline, due to an IT security issue. One person familiar with the company’s response efforts who was not authorized to speak to the press said that the attack “looks and smells like ransomware.”

Ransomware is a type of malicious software that spreads across computer networks, encrypting files and demanding payment for a key to decrypt them. It’s become a common tactic for hackers, though attacks of this scale against medical facilities aren’t common. A patient died after a ransomware attack against a German hospital in early September required her to be moved to a different hospital, leading to speculation that it may be the first known death from ransomware.

Hackers seeking to deploy ransomware often wait until the weekend, when a company is likely to not have as many technical staff members present.

Two Universal Health Services nurses, who requested to not be named because they weren’t authorized by the company to speak with the media, said that the attack began over the weekend and had left medical staff to work with pen and paper.

One of the nurses, who works in a facility in North Dakota, said that computers slowed and then eventually simply would not turn on in the early hours of Sunday morning. “As of this a.m., all the computers are down completely,” the nurse said.

Another registered nurse at a facility in Arizona who worked this weekend said “the computer just started shutting down on its own.”

“Our medication system is all online, so that's been difficult,” the Arizona nurse said.

While many patient charts at that facility are on paper, medication information is maintained online, though it’s backed up at the end of each day, the nurse said.

“We had those up to date as of the 26th,” the person said.

“Now we had to hand-label every medication,” the nurse said. “It's all improv.”

Ransomware can devastate hospitals. In 2017, a ransomware strain called WannaCry, created by hackers working for the North Korean government, spread across the world and infected the U.K.'s National Health System even though it wasn't a direct target. The attack disrupted at least 80 medical facilities, though there were no publicly reported deaths associated with the incident.

Kenneth White, a computer security engineer with more than a decade of experience working with hospital networks, said that the delays caused by ransomware attacks can have dire consequences for patients.

“When nurses and physicians can't access labs, radiology or cardiology reports, that can dramatically slow down treatment, and in extreme cases, force re-routing for critical care to other treatment centers," he said. "When these systems go down, there is the very real possibility that people can die."