More detail please
Would love to read more detail on how they exploited the air gapped systems, I assume from Russia.
The US Department of Homeland Security is once again accusing Russian government hackers of penetrating America's critical infrastructure. Uncle Sam's finest reckon Moscow's agents managed to infiltrate computers networks within US electric utilities – to the point where the miscreants could have virtually pressed the off …
There is no more detail right now – just a strategic exclusive briefing by Homeland Sec officials with the WSJ.
[ Edit: There's more detail here ]
Presumably the equipment suppliers have access to the utilities' networks so they can provide remote support. That's one way in. The other way is to hack vendors, infect devices, wait for them to be shipped to power plants. Phone home, somehow.
Relevant bits from the Journal:
"The Russian hackers, who worked for a shadowy state-sponsored group previously identified as Dragonfly or Energetic Bear, broke into supposedly secure, 'air-gapped' or isolated networks owned by utilities with relative ease by first penetrating the networks of key vendors who had trusted relationships with the power companies, said officials at the Department of Homeland Security.
"The cyber-attack, which surfaced in the U.S. in the spring of 2016 and continued throughout 2017, exploited relationships that utilities have with vendors who have special access to update software, run diagnostics on equipment and perform other services that are needed to keep millions of pieces of gear in working order.
"The attackers began by using conventional tools—spear-phishing emails and watering-hole attacks, which trick victims into entering their passwords on spoofed websites—to compromise the corporate networks of suppliers, many of whom were smaller companies without big budgets for cybersecurity.
"Once inside the vendor networks, they pivoted to their real focus: the utilities. It was a relatively easy process, in many cases, for them to steal credentials from vendors and gain direct access to utility networks."
I was thinking "Isn't this exactly how STUXNET was infected into the Iranian nuclear programme?
Who thought US companies would be so dumb to fall for this?*
*Kidding. If a nation state started laying explosives around the infrastructure of another nation state this would be called an act of war. It is time alien code running on strategic servers was viewed in the same way.
Probably the same way those attacks always seem to go. Either the system is only air gapped 99% of the time (i.e. they have to temporarily connect it for vendor service/diagnosis) or they use USB devices as their sneakernet medium. Yes, it would be stupid to have autorun enabled on those air gapped machines, but often you see TERRIBLE security settings on air gapped machines because "they're safe from hackers, so why bother?"
With enough resources you can compromise the USB key itself to attack the system
Don't you need to modify hardware to do that? If it is even theoretically possible for software to remotely hack a USB flash storage device connected to a standard PC to make it act like a keyboard when connected to a different standard PC, color me shocked (and I'd like a link, please)
If you can leave USB keys laying around the parking lot and they're dumb enough to use that in the air gapped system, then they probably have so many other security failures you don't need this attack. If you're able to do a black bag job and break in to swap out the USB keys they use on the air gapped systems with one that's been modified, then you might as well just go directly to the air gapped system and do what you please.
There was a research paper a while back where they were able to re-program the microcontroller in some USB flash drives to turn them into a keyboard emulator.
What do you know, it was on El Reg...
Here's your link, other Doug. Bunnie and Xobs figured out how long ago, but didn't go too far into the black hat part so as to stay out of jail. But if you know computers, and know that USB sticks and SD cards can indeed be programmed with the right code (knocking sequence) then the rest follows.
Um. If somebody/anybody has remote access to a network, then it is not "air-gapped".
A properly air-gapped environment has absolutely no communications connections with any other environment, and is completely self-contained in one location.
Anything else should probably be described as "firewalled" (assuming that there are firewalls in place!)
Hang on a tick. You could try crossing an air-gapped network by infecting a software package destined for it before it's taken across the gap, but then what?
Basic security (granted, that's a bit of an assumption) would require that you check everything coming in from outside, even a vendor's network. A simple checksum calculation would show if a package has been tampered with. For that to pass, the correct checksum would have to be replaced by that of the compromised package.
OK, that might be achievable. But once you've installed your malware, how do you pass commands to it?
TBH, this reads like Cold War reds under the bed. Time to set up camp at Greenham Common again?
asic security (granted, that's a bit of an assumption) would require that you check everything coming in from outside, even a vendor's network. A simple checksum calculation would show if a package has been tampered with. For that to pass, the correct checksum would have to be replaced by that of the compromised package.
A simple checksum would be easy to spoof, but if checksum was HMAC'd or encrypted, then less so
I noticed this.... BUT
"We're told, and can well believe, that the equipment makers and suppliers have special access into the utilities' networks in order to provide remote around-the-clock support and patch deployment"
So... not air-gapped then if suppliers could log in to provide remote support?
Ok try this:
Infect vendors networks
Conntect Laptop to network
Take laptop on service call to air gaped network & plugin
Air gaped network infected
Malware delivers payload/slurps info
Passed info back to laptop
Take laptop back to vendor and plug into network
Data sent home
Gaining access to unrelated systems in order to know about the social graph of the target.
You then use that information to pose as a trusted partner, e.g. the vendor of the software, and send "updates" or office documents with which you can infiltrate the system.
This can be done via e-mail or, depending on the typical way software updates are distributed, postal mail. If your vendor sends you software updates via mail, sending a fake update which looks the same as a real one won't raise any suspicion and it will be installed.
BTW probably _all_ secret services do that kind of thing.
Yeah, but they used to be commies and they're probably still commies really so they're the bad guys and they were infecting US computers with malware and everyone knows that is an ACT OF WAR.
Stuxnet was just a prank that got a little out of hand but it didn't do any harm and even if it did those eye-ranians are bad guys and they deserved it and they were going to attack us so we retaliated in self defence first.
The US will have their NSA equivalent (or whichever agency it is).
They will know how to properly secure such things. No one will ask them, no one will listen to their answers if they do.
It'll be too expensive to implement. I.E any cost higher than the current one.
What about all the k1dd13 college funds, pensions, retirement boats and timeshares in the Caribbean?
If the networks are properly secured and there is no more Red Bear threat there will be no jobs for the people who draft these announcements.
On a more serious note, this is more believable than the usual crap fed by the 3 letters to the press including the air-gapped story. While the networks are air-gapped at the utility, they quite often have remote out-of-band or private network access from the vendor which is supposed to be accessing it from an air gapped machine. Quite clearly they do not. That is believable (same as using vendors as a vector).
I'll bet some of these "air gapped" systems have a modem or possibly a leased line connected to a private network (the beancounter says "air gapped from the internet is good enough, right?")
Air gapped systems still need to be supported, which implies something gets access to them at some point. You could say "fine, everything that touches them has to be air gapped" but that's reductio ad absurdum.
A vendor creates a software update, intending to deliver it to the air gapped customer systems. How do they get that software update off their non-gapped developer machines onto an air gapped system in a 100% secure manner. Answer: you can't. They'd have to have 100% air gapped developer machines, which is totally infeasible.
Another issue is that too many will assume that because systems are air gapped, they're secure by default and thus don't need to be locked down, don't need good passwords, don't need patching, etc.
On a more serious note, this is more believable than the usual crap fed by the 3 letters to the press including the air-gapped story.
I'm unconvinced. First there's a logic flaw that all if there's all these holes in SCADA systems, why do they need this remote access yet without fixing the flaws, particularly when the TLAs are telling them there's all these issues? Second, we've been told for years that Iran/Norks/ISIS et al have staggeringly capable state sponsored hackers. If all the holes are there, and there are adversaries who don't see any downside, why haven't they been exploited? Even for the usual state sponsored nasties (Russia/China/Israel) there would be the potential for "fun" false flag attacks.
More Chicken Little shit from the TLAs, in my view. Which isn't to say that there are no problems with SCADA, merely that the current "news" is deliberate attempts to create a moral panic to justify some bureaucrat's job, or some commercially preferred course of action.
I'm unconvinced. First there's a logic flaw that all if there's all these holes in SCADA systems, why do they need this remote access yet without fixing the flaws, particularly when the TLAs are telling them there's all these issues?
Do you really want to start messing around with the PDP-11 assembler code that controls a running nuclear power plant? Years after the person who understood all the issues and wrote it retired and/or died?
Some things, if working properly, should not be changed.
If you want to know how old the hardware and software at a nuclear plant may be, look at how long ago the first of that model/submodel of reactor powered up, then add a few years for testing, certification of hardware and software, retesting, etc.
I suspect that the more critical the system, the older the hardware and software is likely to be. There is a reason the space shuttles were run by 286s, generations obsolete in the outside world.
So access that is 'special' doesn't count in a not really airgapped system?
Either it has an air gap or it doesn't, remote access no matter how 'special' by definition cannot be an air gap.
General: "Okay, this is all out nukular war, launch a strike"
Minion pressing big red button: " Erm the button doesn't seem to be working Sir.
General: "I said launch a strike....... anyone got a box of matches?
I would assume it's two machines on something like GSM modems that allow access to the control system in emergencies. If it was me I'd also put a 5 second delay when the modem picks up, wrap the them in foil and put a sticker on them saying beware of the budgie, that's why I don't work with control systems.
You didn't explicitly state your bicycle was in the cellar when you found it with a flat tyre. I can't assume you didn't leave it chained up outside your house.
Even if it was stored in your cellar, the Russians could have used a needle when you popped into the corner shop the previous day to give you a slow puncture that takes time to manifest.
I think there needs to be a discussion on the meaning of "Air Gapped"
The last article throwing that phrase around seemed to imply some malware had achieved magic powers , and caused more confusion than it enlightened - and that was malware that didnt need to phone home. This hack apparently does , if the russians want to "throw switches" , so it navigates the "air gap" at will , not just once.
I think what we are learning here is that very few systems are indeed "Air gapped" . Were these power companies claiming that?
Indeed. A true air-gapped network will have no physical or ethereal (wifi) connection other networks i.e. the outside world.
Although there have been a couple of clever proof of concept ways to breach this (acoustic for example), they always initially require physical access to the "gapped" network (or components of) to install required components (malware). You can't get roll up and access a gapped network unless it has already been compromised.
A true air-gapped network can only transfer data to and from another network via physical media transfer.
Stuxnet only needed to work in one direction, it needed no command and control and it didn't need to send any data back. The perp could find out it worked via the failure and reorder rate of centrifuges and other info likely to leak out.
It's a different case.
Now, what goes around DOES come around, sooner or later. Why are they in such a panic? Even if it isn't true just now (likely) then, well, later...
And they need to whip up fear to keep their jobs. HL Mencken had a few tasty quotes on that one.
"A true air-gapped network"
OFFS, saying this is as bad as those Interns looking for the Stand Alone Internet
Terminals and this Industry calling itself the Cloud. You've marketed away your security.
Like it matters anyway since China and the CIA has backdoored every Router and Switch so....
The usual pattern for this sort of thing is that it starts when the US do this to someone else. The US counter-intelligence department then find out what their colleges on the floor above have been up to and crap their pants over the thought that someone might do the same to them. They then stage a series of leaks into the press that someone else has been doing it to them in an effort to whip up enough publicity to spur the industry into taking some preventive measures.
Prior to the news of what the Americans did to Iran with Stuxnet, there was a long series of "confidential intelligence briefings" to selected newspapers and politicians about how US utilities may be vulnerable to being hacked. A demonstration using a specially set up diesel generator (simulating a power plant) was conducted which was supposed to show how SCADA systems could be infiltrated.
The utility industry just shrugged it off, as they weren't seeing any of this in practice. And then Stuxnet hit the news and we saw that it had done exactly the sort of SCADA infiltration that the Americans had claimed was the threat to US utilities.
And then there was the big campaign using the same PR techniques over how Chinese IT gear might have back doors in it. Nobody could find these back doors, but we were assured they might be there and it was a huge national security risk. And then it turned out that the American NSA was putting back doors in Cisco kit.
I could go on with more examples, but the pattern follows a well-worn groove by now. The US hacks someone else, they crap themselves over the thought that someone might do the same to them, they start a propaganda campaign via the channel of suitably compliant major news media to whom they give an "exclusive" in return for not asking the wrong sort of questions, and industry is left to wonder "WTF?" because the story is full of holes due to so many details being held back because of course the US doesn't want the target they had actually hacked to find out what had been done.
To address the story in particular, very likely the "air gapped" systems aren't actually air gapped. The utility has an "air gap" policy, but an exception was made for remote vendor support. The vendor isn't air gapped because they're too small to have a dedicated IT security team who could plan such a thing. And true "air gapping" probably isn't practical to begin with because the vendors are software developers who need to get software updates from Microsoft and their PCs need to connect to the Internet on a regular basis to validate software licenses, etc., etc.
And if software updates from the vendors to the utilities aren't conducted on a timely basis, ordinary bugs can crash the electric network just as surely as malicious action could.
Genuine security is probably possible, but it would require a complete overhaul of the industry and the relationships with vendors and the software development environments they use, and that simply isn't going to happen any time soon.
hacked into the utilities' equipment vendors and suppliers by spear-phishing staff for their login credentials or installing malware on their machines via boobytrapped webpages
Taken from the same page as the hack on Target of 2013. Some people just can't/don't learn.
that the equipment makers and suppliers have special access into the utilities' networks in order to provide remote around-the-clock support and patch deployment
I'm going to wait for the official report but I suspect everyone is given admin access to the network.
This post has been deleted by a moderator
We're told, and can well believe, that the equipment makers and suppliers have special access into the utilities' networks in order to provide remote around-the-clock support and patch deployment – access that, it seems, turned into a handy conduit for Kremlin spies.
Not the first time that vendors have been used to access the real target.
Trusted connections between customer and vendor, sorry not happening on my network.
Seems like security measures need to be improved in both camps.
Clearly my understanding of 'air gapped' is wrong. I understand the need for patching systems and regular maintenance but I had always assumed air gapped meant exactly that, that there was air in between this here system and any possible outside influence i.e. not wired up to any outside network at all ever.
Wouldn't stop malware-ridden patches being deployed in the normal course of things, if the vendors were pwned of course, so a timebomb could still be planted. But it would stop the ability for said systems to phone home, to be taken over at will.
Never worked in that environment so it's a genuine question. Is it just too hard to patch and maintain genuinely air gapped large systems?
nice to see such heavy moderation on such an information-war related topic,
I just tried to reply to one comment, up/down vote it and I was hit with:
"Gone/ The requested resource /post/reply/3573596 is no longer available on this server and there is no forwarding address. Please remove all references to this resource. Apache/2.4.10 (Debian) Server at forums.theregister.co.uk Port 80"
Apache HTTP Server 2.4.10 [was] Released Jul 21, 2014 so exactly four years old, No chance that the Bears will eat your wares then!
Trump said they didn't do it, cos Putin said so, and hes a good guy, like the other murderous dictators that are good guys hes met.
So there you have it, nothing to see here, move along.
Also there is no global warming and foreign sales of American drugs meas Americans pay more for their prescriptions....
OK, so as far as we can tell, they infected vendors diagnostic laptops (which says more about the vendors corporate IT than the systems involved), then when the vendor connected to the airgapped system, it infected that.
One thing missing here. How did they control the air gapped system? It could cause an issue immediately or after a time delay, but both this degrades the system, but does not control it. In most of these scenarios the idea is to present backdoors so that a system can be controlled in event of war or Donald is no longer on office.
It sounds more like the Stuknet attack, where the idea is to gently degrade a system to the point where it fails causing infrastructure cost. It makes sense in that scenario, because US/Israel wanted to slow Iran's nuclear program, less so here
Another possibility is just intelligence gathering and looking for errant network connections. That would make more sense, since the infected PC could then phone home the details when connected
"One thing missing here. How did they control the air gapped system? It could cause an issue immediately or after a time delay, but both this degrades the system, but does not control it. "
If they have access to enough of a national network and can drop a few of the larger generators at the same time, the grid operator will lose control of the frequency - and when that happens the entire network has to be shut down and started form scratch.
A few of years ago I was at a national grid operator's operations centre, doing support on their comms equipment and I was invited to sit in on one of their induction sessions. Apart form seeing soime great foo0tage of what can go wrong when switching high voltages and why you don't use water on a transformer fire, there was an interesting discussion of how long it takes to bring a power network up from a 'black start' - even for a small country like NZ the answer is in days rather than hours, as the connected load has to be carefully matched to the on line generation capacity in order to prevent another loss of control of frequency event.
What better time to launch a nuclear attack?
If you've shut down the entire generating capacity for a modern country like the US for a few days you don't need a nuclear attack (miltary systems have backup non grid generators).
A 2 day outage on the US's JIT delivery systems will make it feel like a nuclear attack anyway.
While the network may have once been "Air Gapped" to the point where it ticked the boxes on the spreadsheet.
You find all sorts of connections added to make some support monkeys life easier.
I've found old 52k modems plugged into supposedly secure networks to give ops the chance to dial in instead of coming into London on a Saturday night.....
Also peoples idea of what makes an "Air Gapped" network is generally pretty fluid when the people getting the contact to supply and maintain it are the mates of the people giving the jobs out...
Hardware hacking. Election interference. We can give as good as we get in this regard and no doubt have done so. So can the Chinese, and the Indians. Even smaller states with talented computerists can engage at a high level. Moreover, this kind of interference can easily escalate into kinetic battle. It seems clear that some sort of systems treaty is needed lest something nobody really wants comes to pass.
There are very real and complex technical barriers to setting sensible limits and to getting verification, but sooner or later we must try. Technology is always way ahead of the law. But sooner or later we will need a body of international law to deal with this $#!+.
All major powers have this capability. Enough of them have f**ked other countries in various ways over the years that they've left a bunch of very angry people.
But this stuff doesn't need the infrastructure of nuclear, biological or even chemical weapons.
IOW it's a game everyone can play.
Cyberwarfare is the equalizer.
OK, does anyone here not think there are state sponsored operatives in America (or most other countries) attempting to gain access to almost every service in most other countries in the world?
You’re not going to tell me the US doesn’t have thousands of (patriotic) people who’s job is to investigate foreign entities.
Or are we only meant to believe it’s other countries that undertake such underhand and covert operations. Bad.
>Keyword here: "networks". So were these "networks" air-gapped....or not?
What is your definition of network and air-gap?
If copying words off a printed page by typing it into my computer, have I just bridged the networks?
What I don't think I've seen a previous post mention is KVM systems. My guess is the most practical definition of air gap for commercial systems would exclude the connected, networked KVMs from being considered breaching the air gap.
These companies aren't going to have top talent staff in their data centers -- or remote sites -- around the clock. They also can't wait several hours in a snow storm for a senior sysadmin to drive in and take a look at realize its a fat fingered DNS entry that will take 15 seconds to fix and 45 minutes to fill out the emergency change record afterwards.
Isolate the critical systems from the internet on a fully "air gapped" network which has no router to outside systems. Tech support KVMs in, see they need to patch, tell the 24x7 Operations staff where to download it so they can transfer it by USB/DVD/Zip Disk/1.2 Quadrillion Floppies to the secure network, tech support then continues the patch via KVM.
Now if you happen to compromise a networked KVM, you can have fun with #!/bin/sh or powersHell sneaking in scripts here and there. Find a system with a C or other compiler installed things could be really interesting.
If you can't stay online to see grab the video output, write to innocuous looking files (or right into a log file so it is hidden in plain sight) and come back later to take snap shots of the screen as you look through the files.
Compromise device of mark with physical access to isolated network.
Send messages purporting to be from a higher authority, and purporting to be "secure", to gain information, and to then ask them to do something that would normally be dodgy in itself e.g. throw the on/off switch.
For example, compromised "secure" messages could be sent from a higher authority stating that a project to test the fall-back capabilities of the isolated network is in operation, messages are sent back and forth requesting certain information based on valid information already sent to mark, then mark is finally asked to switch off "isolated and important system" off. Mark doesn't question anything, including the "switch isolated and important system off" message, because messages sound like they are from someone in the know.
ok we have let the twat hoxton app kids play but its time to go back to cold war era paranoia levels.
2 blokes in seperate silos keying in a long p/w string known only to themselves when access to a critical system is required.
Yes it will be slow and everything will happen in realtime but a fast typist may claw back some of the trillion's of instructions lost per day.
Entry requirments to any company will require a long exam onsite before the interview to weed out the woman that ran talktalk and the last home sec.
Forget long password strings.
Personal Identification Devices. Old as Secret Government Computing and working since steel-jacketed greenscreen TTY-era VDUs.
In order to enact a hack one would not only need to make copies of the PIDs used (which can be themselves time-limited), but you would need to have physical access to the equipment they permit access to as well, involving getting through whatever hard security is in place.
Call me crazy but a power station couldd communicate with the outside world without cat5/wan/lan etc using frequency changes and other techniques used by ham radio ops.
They would just need to attack a vendor and then mod the code to detect outside plant changes to environment. E.g. if you could make the power hit 60.3hz (us) on a pattern basis and send a signal from outside the plant to an internal module you have compromised you could in theory program it to turn off switches internally.
I remember when powerline broadband was touted as well in the uk but it died a death because it would turn power lines into very large broadcast antennas and ruin the broadcast bands I.e no more radio 4 law shopping forecasts. However it is commonly used in the home with network range extenders etc.
Biting the hand that feeds IT © 1998–2020