Hackers may have wider access to Ukrainian industrial facilities

KIEV (Reuters) – Hackers were able to attack four sections of Ukraine’s power grid with malware late last year because of basic security lapses and they could take down other industrial facilities at any time, a consultant to government investigators said.

Three power cuts reported in separate areas of western and central Ukraine in late December were the first known electrical outages caused by cyber attacks, causing consternation among businesses and officials around the world.

The consultant, Oleh Sych, told Reuters a fourth Ukrainian energy company had been affected by a lesser attack in October, but declined to name it.

He also said a similar type of malware had been identified as far back as July by Zillya!, the Ukrainian anti-virus software company where he works, making it impossible to know how many other systems were at risk.

“This is the scariest thing – we’re living on a powder keg. We don’t know where else has been compromised. We can protect everything, we can teach administrators never to open emails, but the system is already infected,” he said.

Sych, whose firm is advising the State Security Service (SBU) and a commission set up by the energy ministry, said power distributors had ignored their own security rules by allowing critical computers to be hooked up to the Internet when they should have been kept within an internal network.

This so-called “air gap” separates computer systems from any outside Internet connections accessible to hackers.

“A possible objective was to bring down some branches (of the Ukrainian energy system) and create a ‘domino effect’ to collapse the entire system of Ukraine or a significant part,” Sych said.

Ukraine has also been targeted in other cyber attacks, which included hacking into the system of Ukraine’s biggest airport and TV news channels.

Security services and the military blamed the attacks on Russia, an allegation dismissed by the Kremlin as evidence of Ukraine’s tendency to accuse Russia of “all mortal sins”.

Russia annexed Crimea from Ukraine in 2014 and has supported separatist rebels in the east of the former Soviet republic, arguing that Kiev’s Western-backed government, elected after the Moscow-backed president fled widespread protests, was illegitimate.

Sych, who said he could not reveal all the details of the probe, said there was no conclusive evidence that the attacks originated in Russia. One of the emails was sent from the server of a German university, another from the United States, he said.

INSIDER

International cyber-security researchers who have studied the attacks believe the attackers broke into networks by sending targeted emails designed to trick utility insiders to click on Excel documents that were poisoned with malware used to gain control inside the networks.

Sych agreed, saying:

“We understand that this couldn’t have happened without an insider. To carry out this kind of attack you need to know what kind of operating system and SCADA (supervisory control and data acquisition) are used and what software controls the industrial facility.”

SCADA software is widely used to control industrial systems worldwide.

“The attackers must have known what software was installed … to test (the malware) on it. Clearly preliminary investigations were carried out and this was easy to do with this kind of insider information.”

He said the hackers had sent the e-mails in question to workers at the affected power distribution companies with infected Word or Excel files that were meant to look like official correspondence from the energy ministry.

They contained topics that would have been recognizable to the workers and were not sent out en masse but targeted certain individuals instead. One of the emails was about regional electricity production levels, he said.

“It was all very simple and stupid,” Sych said, adding that the hackers totally wiped the data of some of the computers in one of the firms.

Details of the impact of the attacks have been sketchy, but one is reported to have affected 80,000 customers for two hours. The three named companies declined to comment on Sych’s remarks.

“All experts agree this sort of attack on electric utilities or other critical infrastructure was bound to happen because engineering-wise, physics-wise it is technically possible to do,” said Kenneth Geers, a Kiev-based national security analyst who worked for U.S. intelligence agencies for 20 years until 2013.

All it takes is political will or opportunism to try something like this, he said.

Ukrainian Deputy Energy Minister Oleksander Svetelyk has also accused the companies of lapses, saying on Tuesday there had been “a lot of errors”. He added that U.S. cyber experts would come to Kiev later this week to help with the investigation.

(Additional reporting by Maria Tsvetkova in Moscow and Eric Auchard in Brussels; Writing by Matthias Williams; Editing by Philippa Fletcher)

South Korea suspects North Korea may have attempted cyber attacks

SEOUL (Reuters) – South Korea said on Wednesday it suspected North Korea of attempting cyber attacks against targets in the South, following a nuclear test by the North this month that defied United Nations sanctions.

South Korea has been on heightened military and cyber alert since the Jan. 6 test, which Pyongyang called a successful hydrogen bomb test, although U.S. officials and experts doubt that it managed such a technological advance.

“At this point, we suspect it is an act by North Korea,” Jeong Joon-hee, a spokesman of the South’s Unification Ministry, told a news briefing, when asked about reports that the North might have attempted cyber attacks.

Authorities were investigating, Jeong said, but did not provide further details.

Last week, South Korean President Park Geun-hye said the scope of threats from North Korea was expanding to include cyber warfare and the use of drones to infiltrate the South.

North Korea has been using balloons to drop propaganda leaflets in the South, amid heightened tension on the Korean peninsula since the nuclear test.

Since the test, there have been unconfirmed news reports that the computer systems of some South Korean government agencies and companies had been infected with malicious codes that might have been sent by the North.

Defectors from the North have previously said the country’s spy agency, run by the military, operates a sophisticated cyber-warfare unit that attempts to hack, and sabotage, enemy targets.

South Korea and the United States blamed North Korea for a 2014 cyber attack on Sony Pictures that crippled its systems and led to the leaks of unreleased films and employee data.

At the time, the company was set to release the film “The Interview”, featuring a fictional plot to assassinate North Korean leader Kim Jong Un.

North Korea has denied the allegation.

In 2013, cybersecurity researchers said they believed North Korea was behind a series of attacks against computers at South Korean banks and broadcasting companies.

(Reporting by Ju-min Park and Jack Kim; Editing by Tony Munroe)

Companies look beyond firewalls in cyber battle with hackers

TEL AVIV (Reuters) – With firewalls no longer seen as enough of a defense against security breaches, companies are looking at new tools to foil hackers trying to enter a computer network.

U.S. and Israeli startups are leading the way, with new approaches such as “honeytraps” that lure a hacker to fake data or “polymorphic” technology that constantly changes the structure of applications running on a computer.

Some of the technology is still in the early stages and it remains to be seen whether it will be good enough to outfox the hackers.

But with corporate giants such as Sony and Twitter Inc facing high-profile hacks in recent years, companies are desperate for new ideas to make sure financial, personal and corporate data stays safe.

“We view this (deception technologies) as a $3 billion market over the next three years, with Israel and Silicon Valley being the epicenter of this innovation wave,” said Daniel Ives, a senior technology analyst at FBR Capital Markets.

TopSpin Security, Illusive Networks, Cymmetria and GuardiCore in Israel, California-based TrapX and Attivo Networks are among a handful of start-ups forging ahead with deception technology. Israel’s Morphisec and U.S. Shape Security are developing “polymorphic” systems.

Many of those companies use techniques partly developed in the U.S. and Israeli militaries that were taken to startups by veterans such as Gadi Evron, the head of Cymmetria and of Israel’s Computer Emergency Response Team.

TrapX Security offers DeceptionGrid, a technology using fake information that triggers a security alert.

TrapX clients include Israel’s central bank, U.S. hospital chain HCA, Bezeq, Israel’s largest telecoms group, and Union Bank of Israel, according to Asaf Aviram, sales director for Israel and emergent markets at TrapX.

TopSpin Chief Executive Doron Kolton said his clients include one of Israel’s top five banks, a large U.S. hospital and a mobility technology company. The product is resold by Optiv Security in the United States and Benefit in Israel.

EARLY DAYS

While deception technology is still a fraction of the overall cybersecurity market, Gartner, a leading technology consultancy, sees 10 percent of businesses using deception tactics by 2018.

But Gartner analyst Laurence Pingree noted that they “have so far had only nascent adoption” as many of the companies don’t yet understand the technology.

“Educating security buyers on its usefulness will be crucial,” he said.

Some in the industry note that several companies, including FireEye and CrowdStrike, tried to launch similar products three or four years ago before pulling back, although analysts say the technologies have improved greatly in the past two years.

“A lot of companies are looking at it but it’s still early days,” said a security executive with a Fortune 500 company.

He said deployments were quite limited, with most being trials in which businesses test the product on a limited basis at no cost.

Others said hackers may quickly be able to detect the traps.

“They will be challenged by the fact that (some) hackers are so sophisticated they might detect decoy servers or fake data,” said Ziv Mador, head of research at Chicago-based cybersecurity firm Trustwave.

The technology could offer a second layer of defense to firewalls, which cannot always block malicious attempts, he said, and did not rule out Trustwave offering deception tools in the future.

TopSpin’s Kolton also noted that deception would be “part of a bigger solution” and to “be combined with other things”.

TRAIL OF BREADCRUMBS

The system developed by TopSpin, whose investors include Check Point Software Technologies co-founder Shlomo Kramer, engages attackers once they have penetrated the network. It leads hackers to decoys by sprinkling “breadcrumbs”, such as fake credentials.

While the idea of a honeypot is not new, in the past honeypots were used only to alert IT administrators that there was a hacker in the system.

With more advanced technology they slow the hacker and set off tools to stop them getting further into the system. If they follow the trail to the trap, the company knows they are a hacker.

“When someone hits a honeypot it’s malicious activity,” Kolton said.

Attivo’s website says its system lures attackers into revealing themselves when they start to look for “high-value assets”. It also promises no false alarms, a problem with traditional detection systems.

Other tools are being developed that would prevent hackers from penetrating a network entirely.

Morphisec, backed by Jerusalem Venture Partners, Deutsche Telekom and GE Ventures, has developed technology that randomly changes the structure of applications running on the computer.

“When an attack seeks its target it expects to find a certain memory structure. With Morphisec it finds something different,” Morphisec CEO Ronen Yehoshua said.

Shape Security of California also uses such “polymorphic” technology.

While these new ideas have mainly been generated by start-up companies, investors say bigger, more established security players are interested.

“I’d say that many antivirus companies are already looking into building similar technologies on their own or buying them,” JVP managing partner Gadi Tirosh said.

(Additional reporting by Jim Finkle in Boston; Editing by Anna Willard)

Ukraine to review cyber defenses after airport targeted from Russia

KIEV (Reuters) – Ukrainian authorities will review the defenses of government computer systems, including at airports and railway stations, after a cyber attack on Kiev’s main airport was launched from a server in Russia, officials told Reuters on Monday.

Malware similar to that which attacked three Ukrainian power firms in late December was detected last week in a computer in the IT network of Kiev’s main airport, Boryspil. The network includes the airport’s air traffic control.

Although there is no suggestion at this stage that Russia’s government was involved, the cyber attacks have come at a time of badly strained relations between Ukraine and Russia over a nearly two-year-long separatist conflict in eastern Ukraine.

“In connection with the case in Boryspil, the ministry intends to initiate a review of anti-virus databases in the companies which are under the responsibility of the ministry,” said Irina Kustovska, a spokeswoman for Ukraine’s infrastructure ministry, which oversees airports, railways and ports.

Ukraine’s state-run Computer Emergency Response Team (CERT-UA) issued a warning on Monday of the threat of more attacks.

“The control center of the server, where the attacks originate, is in Russia,” military spokesman Andriy Lysenko said by telephone, adding that the malware had been detected early in the airport’s system and no damage had been done.

A spokeswoman for the airport said Ukrainian authorities were investigating whether the malware was connected to a malicious software platform known as “BlackEnergy”, which has been linked to other recent cyber attacks on Ukraine. There are some signs that the attacks are linked, she said.

“Attention to all system administrators … We recommend a check of log-files and information traffic,” CERT-UA said in a statement.

In December three Ukrainian regional power firms experienced short-term blackouts as a result of malicious software in their networks. Experts have described the incident as the first known power outage caused by a cyber attack.

A U.S. cyber intelligence firm in January traced the attack back to a Moscow-backed group known as Sandworm.

The Dec. 23 outage at western Ukraine’s Prykarpattyaoblenergo cut power to 80,000 customers for about six hours, according to a report from a U.S. energy industry security group.

Ukraine’s SBU state security service has blamed Russia, but the energy ministry said it would hold off on attribution until after it completes a formal probe.

(Editing by Matthias Williams and Gareth Jones)

U.S. helping Ukraine investigate December power grid hack

WASHINGTON (Reuters) – The U.S. Department of Homeland Security said on Tuesday it was helping Ukraine investigate an apparent attack last month on the country’s power grid that caused a blackout for 80,000 customers.

Experts have widely described the Dec. 23 incident at western Ukraine’s Prykarpattyaoblenergo utility as the first known power outage caused by a cyber attack. Ukraine’s SBU state security service has blamed Russia for the incident, while U.S. cyber firm iSight Partners linked it to a Russian hacking group known as “Sandworm.”

In an advisory, DHS said it had linked the blackout to malicious code detected in 2014 within industrial control systems used to operate U.S. critical infrastructure. There was no known successful disruption to the U.S. grid, however.

DHS said the “BlackEnergy Malware” appears to have infected Ukraine’s systems with a spear phishing attack via a corrupted Microsoft Word attachment.

The DHS bulletin from the agency’s Industrial Control Systems Cyber Emergency Response Team, or ICS-CERT, is the first public comment about the Ukraine incident.

A report released by Washington-based SANS Inc over the weekend concluded hackers likely caused Ukraine’s six-hour outage by remotely switching breakers in a way that cut power, after installing malware that prevented technicians from detecting the intrusion. The attackers are also believed to have spammed the Ukraine utility’s customer-service center with phone calls in order to prevent real customers from communicating about their downed power.

DHS and the FBI did not immediately respond to requests for additional comment.

(Reporting by Dustin Volz and Jim Finkle; Editing by Doina Chiacu and Andrew Hay)

Hackers Access Power Grid, N.Y. Dam; Might Have Accessed Government Talks

Hackers gained access to the United States power grid, including detailed drawings that could have been used to cut power to millions of people, according to a new Associated Press report.

The report, published Monday, indicated that there have been roughly 12 times in the past 10 years when foreign hackers accessed the networks controlling lights across the United States.

That includes one instance where hackers, believed to be from Iran, had swiped passwords and detailed sketches of dozens of power plants, invaluable tools if one planned to cut off the power. Cybersecurity experts told the Associated Press the breach, which affected energy company Calpine, an operator of 83 power plants, dates to at least August 2013 and could be ongoing.

The Associated Press reported that hackers accessed passwords that could have been used to access Calpine’s networks remotely, along with highly detailed drawings of 71 energy-related facilities across the country. That could allow skilled hackers to specifically target certain plants.

But targeting a plant and successfully shutting off the power are two different things.

The Associated Press report noted the power grid is designed to keep the lights on when utility lines or equipment fail. To cause a widespread blackout, a hacker would have to be exceptionally skilled, bypassing not only a company’s security measures but also creating specialized code that disrupts the interactions of the company’s equipment. Still, experts told the AP that it remains possible for a sufficiently skilled and motivated hacker to send a large swath of the country into blackout, and enough intrusions have occurred that a foreign hacker can likely “strike at will.”

The Associated Press report was published the same day the Wall Street Journal reported that Iranian hackers accessed the controls of a dam about 20 miles away from New York City in 2013.

In another breach, tech company Juniper Networks announced last Thursday that it discovered some “unauthorized code” in its software that could have allowed skilled hackers to improperly access some devices and decrypt secure communications. CNN reported the FBI is investigating the hack because it fears the code might have been used to spy on government correspondence.

Because government use of Juniper products is so widespread, one U.S. official told CNN the hack was like “stealing a master key to get into any government building.” CNN reported a foreign government is believed to be behind the hack, but it still is not clear who is responsible.

Juniper said it released a patch that corrects the issue. The company said it wasn’t aware of “any malicious exploitation” of the security loophole, but noted there likely wasn’t a way to reliably detect if a device had been compromised because hackers could have easily erased the evidence.

U.K. to Build Cyber Attack Forces to Take On ISIS

British Finance Minister George Osborne said on Tuesday that Britain was building an elite cyber force to take down ISIS fighters, hackers, and hostile powers.

Osborne went on to tell Reuters that the Islamic State is trying to develop a way to attack British infrastructure including power networks, air traffic control systems, and hospitals.

“The stakes could hardly be higher – if our electricity supply, or our air traffic control, or our hospitals were successfully attacked online, the impact could be measured not just in terms of economic damage but of lives lost,” he told CNBC News.

In response, he stated that Britain would fight fire with fire by developing its own cyber attack force.

“We will defend ourselves. But we will also take the fight to you,” Osborne said in a speech at Britain’s GCHQ eavesdropping agency.

“We are building our own offensive cyber capability – a dedicated ability to counter-attack in cyberspace. When we talk about tackling (Islamic State), that means tackling their cyber threat as well as their guns, bombs and knives.”

The cyber attack force will be headed jointly by GCHQ – Britain’s spy agency – and the Defence Ministry. They will target criminal gangs, individual hackers, militant groups, and hostile powers.

Public spending on cyber security will be doubled by 2020, Osborne told Reuters, raising the budget to almost $3 billion. GCHQ has already been monitoring various cyber threats as cyber security issues have doubled to 200 a month since last year. The new cyber security plan also includes training coders, blocking bad URLs, and fending off malware attacks.

Currently, ISIS has been using the Internet to spread its propaganda and lead more people to their radical cause.

“They have not been able to use it to kill people yet by attacking our infrastructure through cyber attack,” Osborne added. “But we know they want it and are doing their best to build it.”

The global cyber war against ISIS has also caught the attention of the hacktivist group “Anonymous” who released a video earlier this week declaring cyber war on the Islamic State.

“Anonymous” Hackers Declare War on ISIS

The hacker collective known as “Anonymous” declared war on ISIS in a video posted on YouTube in response to the horrendous attacks that took place in Paris on Friday.

According to NBC News, the video has yet to be verified by officials, but in the video a spokesman wears the group’s signature Guy Fawkes mask and says in French that the group will use their expertise in a “war” against the Islamic terrorist group.

“Expect massive cyber attacks. War is declared. Get prepared,” the announcer says in French.

“Anonymous from all over the world will hunt you down. You should know that we will find you and we will not let you go. We will launch the biggest operation ever against you,” the spokesperson continued, according to translated transcripts of the video.

The spokesman went on to call the members of ISIS “vermin” and said that their actions would not go “unpunished.”

As of Monday at 8:30 a.m. Central Time, the video had accumulated 1.1 million views on YouTube, according to the Jerusalem Post.

The Huffington Post reports that the hacktivist group also posted on Twitter: “Make no mistake: Anonymous is at war with Daesh.” Daesh is another name for ISIS.

Anonymous is an international network of activist computer hackers who have claimed responsibility for numerous cyberattacks against corporate, religious, and government websites over the past 12 years. Since the Charlie Hebdo attack in January that led to the death of 17 people, Anonymous has been targeting and shutting down Twitter profiles believed to be used by ISIS and their supporters. The Jerusalem Post reports that the hacktivist group has reported more than 39,000 ISIS accounts to Twitter. Out of those, more than 25,000 have been suspended, but almost 14,000 are still active.

China Still Trying to Hack U.S. Firms, Despite Denials

Despite a recent pact between Chinese President Xi Jinping and President Obama to stop cyber war, security services provider CrowdStrike has reported that several Chinese state-backed hackers have been carrying out cyberattacks on several U.S. companies, according to NBC.

CrowdStrike claims that it has blocked every attack it has come across so far and that the hackers seem to be targeting the networks of U.S. technology and pharmaceutical companies.

Just a few weeks ago, Xi visited the United States, promising leaders of American technology companies that the cyber attacks would stop. He also signed an agreement with President Obama that China and the United States would refrain from continued hacks that were aimed at obtaining company trade secrets for commercial advantage.

But two days after the agreement there were two attacks on technology companies, and more hacking attempts have happened since then.

“Seven of the companies are firms in the technology or pharmaceuticals sectors, where the primary benefit of the intrusions seems clearly aligned to facilitate theft of intellectual property and trade secrets, rather than to conduct traditional national-security related intelligence collection which the Cyber agreement does not prohibit,” CrowdStrike wrote in a blog post Monday.

If the cyberattacks continue, it could lead to sanctions being placed against Chinese companies, according to the agreement made between Xi and Obama.

The U.S. has also been accused of attempting to hack the networks of Chinese companies. Edward Snowden, the former NSA contractor, came forward last year with information on how the U.S. hacked the Chinese company Huawei. Government officials continue to state that the reason for the hack was national security, not economic advantage.

The Chinese government has not made any comments regarding these attacks at this time.

ISIS Group Sends Threat to U.S. Military Members

A hacking group connected to the Islamic terrorist group ISIS is sending a threat to members of the U.S. military and government workers, saying that they’re being watched in their own homes.

The group published a list on Tuesday that they claim contains personal information of soldiers and government employees. The hackers for ISIS told The Blaze that they are continually spying on Americans.

(All grammatical errors in the quotes below are directly from the terrorists.)

“Just like they spy on the muslims,” the terrorists stated, “we are spying on them, watching their employees, watching their soldiers, recording their movements and taking their location information and passing it on the soldiers of the islamic state.”

The terrorists focused on what they say is the fact they don’t need to attack military facilities.

“the brothers don’t need to attack them in military bases or secured buildings,” the hacking group member added. “they can now turn up in their houses. in their homes. this is war, what did you expect? u think u can bomb the islamic state and we don’t do nothing back? soon, very soon you will see.”

The hackers said this is “war.”

“this is what, what did you expect?” the hacker wrote. “u think u can bomb the islamic state and we dont do nothing back?”

The declaration comes just days after a Mississippi couple was arrested for attempting to fly to Turkey to join the terrorist group.