Power grid hackers probably got inside by attacking PCs, says researcher
'Plenty of PCs have been compromised' in different industries, critical or not, says Roger Thompson
Computerworld - The hackers who reportedly planted malware on key parts of the U.S. electrical grid, perhaps with the intent to cripple the country's power infrastructure, most likely gained access like any other cybercriminal -- by exploiting a bug in software such as Windows or Office, a security researcher said today.
"Any computer connected to the Internet is potentially vulnerable," said Roger Thompson, chief research officer at AVG Technologies USA Inc. "Getting to the actual infrastructure devices directly -- that's always possible, but a whole lot less likely. In any industry, critical or not, there are always plenty of PCs that have been compromised."
According to a report earlier today in The Wall Street Journal, unnamed national security sources said that hackers from China, Russia and elsewhere have penetrated the U.S. power grid, extensively mapped it, and installed malicious tools that could be used to further attack not only the electrical infrastructure, but others as well, including water and sewage systems.
The discoveries were made by U.S. intelligence agencies, not the utilities' security teams, the Journal said.
"I'm a bit bothered by all the anonymous sources [in the Journal story]: one unnamed source here and another unnamed source there," said Thompson. "But I think there's a high likelihood that it has a strong basis in fact. Any infrastructure device that's connected to the Net is potentially hackable."
It's more likely, he added, that the power-grid hackers exploited the same kinds of vulnerabilities -- but not the exact same bugs -- that have plagued consumers and businesses that run Microsoft Corp.'s Windows and its Office application suite.
"I have no doubt that there's been this kind of attack, or attempt to attack, for quite some time," said Thompson, "perhaps using the same kind of Office zero days that have been coming out." In security parlance, a "zero-day" exploit is one that leverages an unpatched vulnerability.