{"id":3725,"date":"2020-12-24T19:33:33","date_gmt":"2020-12-24T19:33:33","guid":{"rendered":"https:\/\/www.radiofree.org\/?p=143221"},"modified":"2020-12-24T19:33:33","modified_gmt":"2020-12-24T19:33:33","slug":"solarwinds-hack-infected-critical-infrastructure-including-power-industry","status":"publish","type":"post","link":"https:\/\/radiofree.asia\/2020\/12\/24\/solarwinds-hack-infected-critical-infrastructure-including-power-industry\/","title":{"rendered":"SolarWinds Hack Infected Critical Infrastructure, Including Power Industry"},"content":{"rendered":"

The hacking campaign that infected numerous government agencies and tech companies with malicious SolarWinds software has also infected more than a dozen critical infrastructure companies in the electric, oil, and manufacturing industries that were also running the software, according to a security firm conducting investigations of some of the breaches.

In addition to these companies, the SolarWinds software also infected three firms that provide managed services to critical infrastructure industries, says Rob Lee, founder and CEO of Dragos, a firm that specializes in industrial control system security for critical infrastructure and that discovered some of the infections.

The managed service providers, known in the industry as original equipment manufacturers or OEMs, sometimes have authorized remote access directly into critical parts of customer networks, as well as privileges that let them make changes to those networks, install new software, or even control critical operations. This means that hackers who breach such a provider can potentially use that provider’s credentials and access to control critical processes on their customers’ networks.

“If an OEM has access to a network, and it’s bi-directional, it’s usually for more sensitive equipment like turbine control, and you could actually do disruptive actions,” Lee told The Intercept. “But just because you have access doesn’t mean you know what to do or how to do it. It doesn’t mean they can then flip off the lights; they have to do more after that.”

But compromising an OEM does magnify the potential risks to multiple entities.

“[I]t’s particularly concerning because … compromising one OEM, depending on where you compromise them, could lead to access to thousands of organizations,” Lee said. “Two of the … OEMs that have been compromised … have access to hundreds of ICS networks around the world.”


He notes that in some cases the OEMs themselves infected their customers with the SolarWinds software. Some of the OEMs use the SolarWinds software not just to manage and monitor their own networks, but have also installed it on customer networks to manage and monitor those. And some of those customers weren’t aware the SolarWinds software was on their network, because it had been installed by their OEM as part of the OEM’s monitoring and maintenance package.

Lee wouldn’t identify the OEMs and doesn’t know if the SolarWinds hackers took an interest in the providers and further compromised them to gain access to the customer networks they remotely manage.

The SolarWinds software was compromised back in March; it installed a backdoor to provide an attacker access to the network of anyone who downloaded it in the last eight months. The backdoor, which security researchers at the security firm FireEye have dubbed SUNBURST, gathers information about the infected network, then waits about two weeks before sending a beacon to a command-and-control server owned by the hackers, along with information about the infected network, to signal to them that the infected system is open for them to surreptitiously enter. The hackers would have used that network information to pick out high-value targets and determine which ones they wanted to burrow into further. Once inside an infected system and network, the hackers can download more malicious tools to it and steal employee credentials to gain access to more critical parts of the network, either to collect valuable information or potentially to alter data or processes on those networks. Kevin Mandia, CEO of cybersecurity company FireEye, has said the attackers only entered about 50 of the thousands of entities that were infected with the backdoor.

Lee said some of the infections in the critical infrastructure sector occurred on the IT networks of the critical infrastructure entities, but others were on the actual industrial control system networks that control critical functions. There is currently no evidence, however, that the hackers used the backdoor in the SolarWinds software to gain access into the 15 electric, oil, gas, and manufacturing entities that were infected with the software. But Lee notes that it may not be possible to uncover such activity if the attackers did access them and burrow further into the industrial control networks, because critical infrastructure entities generally don’t do extensive logging and monitoring of their ICS networks.

“In these ICS networks, most organizations don’t have the data and visibility to actually look for the breach,” says Lee, a former critical infrastructure threat intelligence analyst for the NSA. “So they might determine if they are compromised, but … almost none of them have network logs to … determine if there is follow-on activity [in their network].”

He says all of the infected companies are “doing the necessary hunting and [are] assuming they are compromised.” But without logging to catch the initial infection months ago and track the hackers’ movements through the network if they did burrow in further, the companies have to hunt for what looks like malicious behavior. “And this is an adversary that burrows in deep and is very very hard to root out.”


If the hackers came in through the infected OEM instead, using the OEM’s credentials and privileged access, it could be even more difficult for OEM customers to spot the hackers’ activity since it would look legitimate.

Dragos notified the three OEMs that they were infected, as well as government officials and officials in President-elect Joe Biden’s incoming administration. An alert published last week by the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency noted that critical infrastructure entities were compromised by SolarWinds software, but didn’t indicate which industries were affected and didn’t note that this included managed services providers for critical infrastructure.

[Photo caption: Internal computer internet servers are seen at the Telvent GIT SA company headquarters in Madrid on July 19, 2011. Photo: Denis Doyle/Bloomberg via Getty Images]


Potential Operations Against a “Pretty Resilient” U.S. Power Grid

It’s not the first time an OEM serving industrial control systems has been hacked. In 2012 hackers believed to be from China breached an OEM called Telvent and stole engineering drawings and accessed files used to program industrial control systems. Telvent, a division of Schneider Electric, is headquartered in Spain, but its software is used in oil and gas pipelines across the U.S. and Canada and in some water control system networks. The breach raised concerns at the time that the hackers could have embedded malicious code in the software to infect customer control systems.

“When you look at industrial networks many people still believe them to be highly segmented, but that only means segmented from the” corporate enterprise network, Lee said. “While they might be segmented from the enterprise, they have a vast series of connections to OEMs and others who are connected to those networks for maintenance and other [purposes].”

The SolarWinds hacking campaign came to light earlier this month when FireEye revealed that it had been breached by hackers who took software tools the company uses to find vulnerabilities in customer systems. The company then revealed days later that the intruders had gained access to its network using a backdoor that had been implanted in network monitoring software made by the Austin-based company SolarWinds. The software is used widely across government and industry to manage and monitor networks, and SolarWinds has revealed that up to 18,000 customers could have downloaded the infected code.

Investigators in the security community have said they have seen nothing to attribute the SolarWinds campaign to a particular known hacking group or nation, but officials in the government have attributed the operation to Russia, though they haven’t indicated what has led them to this conclusion.

“It’s so many different people in the government [attributing this to Russia], you wouldn’t get this sort of statement if there wasn’t something there,” says James Lewis, a former government official who oversees cybersecurity programs at the Center for Strategic and International Studies. “[T]he forensic guys are looking at what’s left behind [on networks], and that may not be the best way to attribute something. Governments use other methods to look for attribution. So the fact that the forensic people haven’t discovered it isn’t determinative; they don’t have the full picture.”

Russia has denied responsibility for the hacking operation.

The scope of the hacking operation is still unknown, but so far reports indicate that the departments of Homeland Security, Commerce, and the Treasury; at least two national laboratories; the Federal Energy Regulatory Commission; and the National Nuclear Safety Agency, which maintains the nation’s stockpile of nuclear weapons, were all infected. Microsoft, Cisco, and Intel are among those in the tech sector that were also infected. A number of the intrusions at government agencies went beyond merely being infected by the SolarWinds malware. Sen. Ron Wyden revealed this week that the hackers were able to read and steal emails of some of the top officials at the Treasury Department.

Currently, the campaign is being characterized by security professionals and government officials as an espionage operation. But the compromise of critical infrastructure could have put the hackers in a position to do more than simply steal data, if they wanted to do so. Although there is currently no evidence this was or would have been their intention, Russia has a history of engaging in disruptive operations in critical infrastructure.

In 2015, Russia hacked several Ukrainian power distribution plants and took out power for about 230,000 customers for up to six hours in some cases, in the middle of winter. They repeated the operation in Ukraine in 2016, taking out power to some customers for about an hour, and also struck the State Administration of Railway Transport, which manages Ukraine’s national railway system. The operations led experts to conclude that the Russians were using Ukraine as a test bed to refine hacking techniques that could be used in other countries, such as the U.S.

On Sunday, speaking on CNN’s “State of the Union,” Sen. Mitt Romney said, “What Russia has done is put in place a capacity to potentially cripple us in terms of our electricity, our power, our water, our communications.” He continued, “This is the same sort of thing one can do in a wartime setting, and so it’s extraordinarily dangerous, and it’s an outrageous affront on our sovereignty and one that’s going to have to be met with a very strong response.”

But Suzanne Spaulding, former undersecretary for the Department of Homeland Security who led the division that oversees critical infrastructure security, cautions that the intentions of the SolarWinds adversary are still unknown, and even if they breached networks in the electric, oil, and gas industries, this isn’t the same as having the ability to cause disruption or damage.

“But you can [still] get a lot of information … that can help you to plan a truly disruptive attack,” she noted. Because the hackers in the SolarWinds campaign were also able to breach FERC, this could have provided them with information on vulnerabilities and security measures in the U.S. grid that they could later leverage for an attack. She points to the 2015 Russian hack of the Ukrainian distribution plants: The hackers were in the plant networks at least six months doing reconnaissance to understand the equipment and how it worked before taking out the power in December that year.


But even an attack aimed at disrupting the U.S. electric grid would be limited in its effect, she notes.

“It’s hard to have a really impactful attack, particularly on our electric grid, which is pretty resilient,” she said. “[But] we don’t know that that’s what they’re doing.”

In the past, when Russian hackers have targeted the oil and gas industry in hacking operations, Spaulding said the U.S. government assessed that they may have just been looking for information that could make their own oil and gas industry more efficient. “So I don’t think that we can know that their objective here is reconnaissance for being in a position to potentially disrupt critical infrastructure,” Spaulding said. “I do think that we should always, for planning purposes, assume that and take measures to reduce the damage that could be done. But we can’t know that [this is their intention]. And there’s a difference between assuming that for planning purposes and for mitigation, and assuming that for a [U.S. government] response to Russia.”

Spaulding says this doesn’t mean anyone should take the SolarWinds campaign lightly.

“I don’t think this is just traditional spy vs. spy espionage. This is of a scale and scope that really is beyond traditional espionage,” she said. “Particularly because we have been told that over half the victims were not government, but were private sector. And if it’s critical infrastructure, not just defense-industrial base, that is not traditional kinds of espionage and that’s very serious.”

Lee cautions that there is no indication yet that the SolarWinds hacking campaign is anything other than espionage at the moment, but just being in critical infrastructure networks gives the adversary potential political power they might not otherwise have. “I’m thinking about president-elect Biden. The last thing I want him to have to worry about is getting into international relation discussions with Putin or others and not knowing if a foreign adversary can turn their access [in these networks] into a foreign operation on key parts of the infrastructure.”

Although other intruders have been inside the U.S. electric grid before, Lee says this is different. If Iran or China compromises industrial control systems in critical infrastructure, he said, “you assume they could [disrupt operations] but you don’t know [if they have the knowledge and ability]. But Russia has shown an ability to go beyond access to disruption. So when they get access you no longer have the question could they use it? The question is how long would it take them and would they?”

This post was originally published on Radio Free.","protected":false},"excerpt":{"rendered":"

The hacking campaign that infected numerous government agencies and tech companies with malicious SolarWinds software has also infected more than a dozen critical infrastructure companies in the electric,\u2026<\/p>\n","protected":false},"author":368,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4,369],"tags":[],"_links":{"self":[{"href":"https:\/\/radiofree.asia\/wp-json\/wp\/v2\/posts\/3725"}],"collection":[{"href":"https:\/\/radiofree.asia\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/radiofree.asia\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/radiofree.asia\/wp-json\/wp\/v2\/users\/368"}],"replies":[{"embeddable":true,"href":"https:\/\/radiofree.asia\/wp-json\/wp\/v2\/comments?post=3725"}],"version-history":[{"count":1,"href":"https:\/\/radiofree.asia\/wp-json\/wp\/v2\/posts\/3725\/revisions"}],"predecessor-version":[{"id":3726,"href":"https:\/\/radiofree.asia\/wp-json\/wp\/v2\/posts\/3725\/revisions\/3726"}],"wp:attachment":[{"href":"https:\/\/radiofree.asia\/wp-json\/wp\/v2\/media?parent=3725"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/radiofree.asia\/wp-json\/wp\/v2\/categories?post=3725"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/radiofree.asia\/wp-json\/wp\/v2\/tags?post=3725"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}