The US Computer Emergency Readiness Team (US-CERT) published an advisory on Friday detailing the targeted destructive malware, running on Microsoft Windows systems, that was used against Sony Pictures Entertainment. The Server Message Block (SMB) Worm Tool “contains five components – a listening implant, lightweight backdoor, proxy tool, destructive hard drive tool, and destructive target cleaning tool.” It “propagates throughout an infected network via brute-force authentication attacks, and connects to a C2 infrastructure.”
“Due to the highly destructive functionality of this malware,” US-CERT warned, “an organization infected could experience operational impacts including loss of intellectual property and disruption of critical systems.” The suggested preventative measures included keeping antivirus, OS and application software updated, as well as reviewing a security tip about handling destructive malware. The advisory also suggested reviewing recommended practices for improving ICS cybersecurity with defense-in-depth strategies (pdf).
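Since the advisory describes a worm that spreads by brute-forcing network logons, the script below shows one way a defender could surface that behaviour in Windows Security logon events: a single source address failing against many hosts and accounts inside a short window, followed by a success on one of those hosts. This is an added example, not code from the advisory or from this article. The log lines are constructed for illustration (simplified one-line records, not real event log output); event IDs 4625 (failed logon) and 4624 (successful logon) and logon type 3 (network) are the standard Windows values, while the window and thresholds are assumptions a practitioner would tune to their own environment.

```python
"""Flag SMB-style brute-force logon bursts in constructed Windows logon records."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not taken from the advisory): one logon event per line.
# event=4625 is a failed logon, event=4624 a successful one; logon_type=3 is a network logon.
SAMPLE_LOG = """\
2014-12-19T10:00:01 host=FS01 event=4625 src=10.0.5.23 user=admin logon_type=3
2014-12-19T10:00:02 host=FS01 event=4625 src=10.0.5.23 user=backup logon_type=3
2014-12-19T10:00:02 host=FS02 event=4625 src=10.0.5.23 user=admin logon_type=3
2014-12-19T10:00:03 host=FS02 event=4625 src=10.0.5.23 user=svc_sql logon_type=3
2014-12-19T10:00:04 host=WS17 event=4625 src=10.0.5.23 user=admin logon_type=3
2014-12-19T10:00:05 host=WS17 event=4625 src=10.0.5.23 user=guest logon_type=3
2014-12-19T10:00:06 host=FS03 event=4625 src=10.0.5.23 user=admin logon_type=3
2014-12-19T10:00:07 host=FS03 event=4625 src=10.0.5.23 user=backup logon_type=3
2014-12-19T10:00:08 host=FS03 event=4624 src=10.0.5.23 user=backup logon_type=3
2014-12-19T10:00:09 host=FS01 event=4625 src=10.0.7.2 user=jsmith logon_type=3
2014-12-19T10:00:40 host=FS01 event=4625 src=10.0.7.2 user=jsmith logon_type=3
2014-12-19T10:01:10 host=FS01 event=4624 src=10.0.7.2 user=jsmith logon_type=3
"""


def parse_line(line):
    """Turn 'TIMESTAMP key=value ...' into a dict with a parsed 'ts' field."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


def detect_bruteforce(lines, window=timedelta(seconds=60), fail_threshold=5, min_targets=3):
    """Return {src: summary} for sources whose failed network logons, within any
    sliding window of length `window`, number at least `fail_threshold` and touch
    at least `min_targets` distinct hosts. Thresholds are assumed values to tune."""
    failures = defaultdict(list)   # src -> [(ts, host, user)]
    successes = defaultdict(list)  # src -> [(ts, host, user)]
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = parse_line(line)
        if rec.get("logon_type") != "3":      # only network logons matter for SMB spreading
            continue
        entry = (rec["ts"], rec["host"], rec["user"])
        if rec["event"] == "4625":
            failures[rec["src"]].append(entry)
        elif rec["event"] == "4624":
            successes[rec["src"]].append(entry)

    alerts = {}
    for src, fails in failures.items():
        fails.sort()
        # Sliding window: keep the densest run of failures that fits inside `window`.
        best, start = [], 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1
            if end - start + 1 > len(best):
                best = fails[start:end + 1]
        hosts = {h for _, h, _ in best}
        if len(best) < fail_threshold or len(hosts) < min_targets:
            continue  # a user mistyping a password on one host does not trip this
        # A success from the same source on a host it was hammering suggests a
        # guessed credential, which is the point at which the worm would move laterally.
        after = [(h, u) for t, h, u in successes[src] if t >= best[0][0] and h in hosts]
        alerts[src] = {
            "failures": len(best),
            "hosts": sorted(hosts),
            "users": sorted({u for _, _, u in best}),
            "successes_after": after,
        }
    return alerts


if __name__ == "__main__":
    for src, summary in detect_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(f"possible brute-force spreading from {src}: {summary}")
```

In the constructed data, 10.0.5.23 fails eight times across four hosts within seven seconds and then logs in to FS03 as `backup`, so it is flagged, while 10.0.7.2 (two failures on one host, then a success) is left alone. On real data the source would be the SMB client address from the 4625/4624 events, and the window and thresholds should be set from a baseline of normal failed-logon rates.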
While the attack on Sony is considered “unprecedented,” it was not the worst corporate hack in 2014. Bloomberg reported that Sony had 47,000 records stolen, but 83 million records were stolen from JPMorgan, “affecting 76 million households and seven million small businesses.” Attackers managed to steal 109 million records from Home Depot, broken down into 56 million credit cards and 53 million email addresses. The attack on eBay, in which hackers stole email addresses, physical addresses and login credentials, is believed to have affected up to 145 million active users.
Those numbers are disheartening, but to me, digital attacks that caused physical damage are downright scary.
Cyberwarfare: Digital attacks causing physical damage
This month, details have emerged about two previous cyberattacks that resulted in physical damage in the real world. When it comes to cyberwarfare, Stuxnet jumps to mind, but Bloomberg said it wasn’t the first time a digital weapon caused physical damage. Instead, an attack on a Turkish pipeline was what actually rewrote the history of cyberwar. That unsettling news was followed by the German feds releasing a report about a cyberattack on a steel factory that caused “massive damage.” Both of these attacks seem like something you might see in a cyber-thriller movie.
Bloomberg reported that a 2008 cyberattack on a Turkish oil pipeline resulted in a fiery explosion. The pipeline had “sensors and cameras to monitor every step of its 1,099 miles from the Caspian Sea to the Mediterranean. The blast that blew it out of commission didn’t trigger a single distress signal.” The control room didn’t even know there was an explosion until a security worker physically saw the flames 40 minutes after the blast.
For western intelligence agencies, the blowout was a watershed event. Hackers had shut down alarms, cut off communications and super-pressurized the crude oil in the line, according to four people familiar with the incident who asked not to be identified because details of the investigation are confidential. The main weapon at valve station 30 on Aug. 5, 2008, was a keyboard.
The hackers, who U.S. intelligence believes were Russian, exploited vulnerabilities in the surveillance camera software to infiltrate the internal network. “Once inside, the attackers found a computer running on a Windows operating system that was in charge of the alarm-management network, and placed a malicious program on it. That gave them the ability to sneak back in whenever they wanted.”
The central element of the attack was gaining access to the operational controls to increase the pressure without setting off alarms. Because of the line’s design, the hackers could manipulate the pressure by cracking into small industrial computers at a few valve stations without having to hack the main control room.
Another digital attack that resulted in physical damage -- to a German steel factory this time -- was reported on Friday by the German Federal Office for Information Security (BSI). The report, which is in German, explained that the attackers combined social engineering with a spearphishing campaign to gain access to the steel factory’s office network. Once the hackers infiltrated the network, they were able to “tamper with the controls of a blast furnace.”
“After the system was compromised, individual components or even entire systems started to fail frequently,” added Loek Essers. “Due to these failures, one of the plant's blast furnaces could not be shut down in a controlled manner, which resulted in ‘massive damage to [the] plant,’ the BSI said, describing the technical skills of the attacker as ‘very advanced’.”
If all countries were to air their dirty cyber-laundry, do you suppose we would learn that cyberattacks resulting in real-world damage happen more often than we are led to believe?
At the end of the year, all sorts of security firms release dire predictions for the coming year. Whether those are scare tactics to sell software or the truth, for years there have been reports of how vulnerable critical infrastructure is in the U.S. In November, NSA director Michael Rogers told the U.S. House Intelligence Committee:
“It is only a matter of the ‘when,’ not the ‘if,’ that we are going to see something dramatic. I fully expect that during my time as the commander we are going to be tasked to help defend critical infrastructure.”
Let’s hope that won’t be true in 2015; that it will never be the case. But for now, I wish you happy holidays!