Tag Archives: Cyber-Physical Attack

Security News for the Week Ending May 10, 2019

Hackers Wiping Github and Other Repos

Hackers are attacking repositories of users on Github, Gitlab and Bitbucket, leaving a ransom note that says pay up if you want your software back.

The ransom isn’t much, around $500, which may cause people to pay up rather than try to recover the data; I assume that is the strategy.

One possibility is that users have the password embedded in other repositories in clear text and the hackers were able to find those passwords.

Key point here is to make sure that you have backups OF ALL OF YOUR CLOUD BASED DATA.  Today it is Github;  tomorrow it is something else.  If you care about your data, make sure that it is securely backed up.  Offline backups are best because it is hard to wipe something that is not connected.  Source: Bleeping Computer.
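As an added example (not code from the original post), a small scanner for the kind of cleartext credentials the post speculates about: remote URLs with a user:password embedded (as ends up in `.git/config`) and hard-coded key assignments in scripts. The sample inputs are constructed, and the report redacts every secret it finds so the output can be shared without re-leaking it.

```python
import re
import sys
from pathlib import Path

# Constructed sample inputs (not from the original post): a .git/config
# remote with an embedded password and a deploy script with a hard-coded key.
SAMPLE_GIT_CONFIG = """[remote "origin"]
    url = https://alice:hunter2secret@github.com/alice/project.git
    fetch = +refs/heads/*:refs/remotes/origin/*
"""
SAMPLE_DEPLOY = """# deploy.sh
export API_KEY="sk_live_abcdef123456"
password = ${DB_PASSWORD}   # env reference, skipped by the template check
"""

# user:secret@host inside a URL, as left behind by a remote added with credentials
URL_CRED_RE = re.compile(
    r"(?:https?|ssh|ftp)://(?P<user>[^\s:/@]+):(?P<secret>[^\s@/]+)@(?P<host>[^\s/]+)")
# key = "value" style assignments; values that are env/template references are skipped
ASSIGN_RE = re.compile(
    r"(?i)\b(?P<key>password|passwd|pwd|token|api[_-]?key|secret)\b\s*[:=]\s*"
    r"[\"']?(?!\$|\{\{)(?P<secret>[^\s\"']{6,})")

def redact(secret: str) -> str:
    """Keep only a two-character prefix so a report never re-leaks the credential."""
    return secret[:2] + "*" * (len(secret) - 2)

def scan_text(text: str, name: str = "<memory>") -> list:
    """Return one finding dict per credential-looking match, secrets redacted."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in URL_CRED_RE.finditer(line):
            findings.append({"file": name, "line": lineno, "kind": "url-credential",
                             "user": m.group("user"), "host": m.group("host"),
                             "secret": redact(m.group("secret"))})
        for m in ASSIGN_RE.finditer(line):
            findings.append({"file": name, "line": lineno, "kind": "assignment",
                             "key": m.group("key").lower(),
                             "secret": redact(m.group("secret"))})
    return findings

def scan_tree(root: str) -> list:
    """Scan every regular text file under root (including .git/config); skip binaries."""
    findings = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        try:
            findings.extend(scan_text(path.read_text(encoding="utf-8"), str(path)))
        except UnicodeDecodeError:
            continue
    return findings

if __name__ == "__main__":
    for finding in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(finding)
```

Run it against a checkout directory (including its `.git` folder) to see whether a remote URL or script would hand an attacker the password to another repository.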


Remember Shadow Brokers – China Already Had the Tools That Were Released

Remember all the fury a few years ago when Shadow Brokers released a whole bunch of NSA hacking tools?  Symantec now says that China already had those tools a year earlier and was using them against others.  Was NSA hacked?  Apparently not – China captured the NSA tools that were being used on them and repurposed them.

It is hard to keep these tools in check.  If you use them, people will likely discover that fact and, if they are motivated, they may use them against you.   In this case, China used them to hack targets in at least 5 countries, including one telecom carrier where they got access to hundreds of thousands or millions of private communications.

After Shadow Brokers released the tools, China felt even bolder to use them because now they weren’t secret any more and would soon be patched.

Keeping these secrets under wraps is basically impossible.  Source:  The NY Times.

Israel Blows Up Palestinian Hackers

In an unusual move, Israel blew up a building that it said was used by Hamas for cyber attacks – in direct response to current or future Hamas cyber attacks, according to a press release from the IDF.

Neither side is saying much beyond that Israel did blow up the building.  No one is saying if there were casualties.

Apparently this facility was known to the Israelis.  This points to the likely escalation of cyber war into kinetic war as large countries fear what small countries can do in cyberspace.  This likely causes an escalation into cyber warriors operating out of spaces which would cause collateral damage if bombed, such as schools, hospitals and shopping malls.  Source: Gizmodo.


A Few More Details On Cyber Attack Against Western US Power Utility

We are hearing a few more details about the cyber attack on a so-far unnamed western US power utility.

The attackers, it is now being anonymously reported, disabled the utility’s Cisco ASAs.  This is particularly scary since Cisco is pretty much the 800 pound gorilla in that space and their Adaptive Security Appliance is used by hundreds of thousands (or more) of businesses.  It is certainly possible that the ASAs were configured insecurely or missing patches (security patches are typically not available to owners unless they have a paid-up maintenance plan, which I HOPE an electric utility would have).

Given how critical the electrical grid is in the US and how fragile it is, this is a bit of a wake up call for those utilities (water, power, gas, phone, Internet, etc.) that have not yet drunk the security Kool-Aid.  Source: EENews.


Navy May Be Getting Serious About Cybersecurity

Last year the Navy decided that having a CIO was superfluous and eliminated the position as unnecessary (See article).   They decided that the Undersecretary of the Navy could manage all those pesky IT and security details in his spare time.

In March the Navy released a SCATHING report on how bad their cybersecurity really was.  Now they are working on asking Congress to approve adding a position at the Assistant Secretary level, responsible for IT and security.

They also are looking at training (too basic) and discipline (can cyber mistakes get you fired?).

There is a report due June 1 outlining the roles, responsibilities and staffing for an Assistant Secretary for cyber, with a plan to roll it out in July.  March.  June.  July.  This is amazingly fast for an organization as large as the Navy.



Hackers Attack France’s TV5, Almost Destroying It

All 12 channels of France’s TV5 Monde were taken off the air one night in April 2015.  The company had just launched a new channel that day and staff were out celebrating when a flood of text messages told the director-general that all 12 stations had gone dark.

The attackers claimed to be from the Cyber Caliphate. Since this occurred only a few months after the Charlie Hebdo attack, it certainly could be a follow-on attack from Daesh (aka ISIS).

However, as investigations continued, another possible attacker appeared.

In this particular case, as we saw in the Sony attack, the Sands Casino attack, Saudi Aramco and others, the purpose was destruction, not theft of information.  They did a pretty good job of it.

What was not clear was why TV5 Monde was selected for this special treatment.  The attackers didn’t indicate that TV5 Monde had done anything wrong.

The good news was that since they had just brought a new channel online that day, technicians were still at the company offices.  They were able to figure out which server was in charge of the attack and unplug it.

While unplugging this server stopped the attack, it didn’t bring the TV feeds back online.  Given that the attackers’ goal was destruction, and destruction without subtlety, they destroyed software and damaged equipment.

From 8:40PM that evening until 5:25 AM the next day, those 12 channels were dark.  At 5:25 AM they were able to get one channel back on the air.

The director-general of TV5 Monde said that had they not gotten those feeds back online, the satellite distribution customers, which provide most of their revenue, might have cancelled their contracts, putting the existence of the company in jeopardy.  The rest of the channels did not come back until later that day.

Much later French investigators linked the attack to the Russian hacker group APT28.

To this day, no one knows why TV5 Monde was targeted.

One theory is that it was a test run to see how much damage they could do to an organization and TV5 Monde just happened to be the crash test dummy.

The attackers had been inside TV5 Monde’s network for more than 90 days doing reconnaissance.

Once they had collected enough information, they were able to construct a bespoke (custom) attack to do as much damage as possible.

Certainly we have seen destructive attacks before, such as the ones mentioned above, but we also have seen more cyber-physical attacks such as the power blackout in Ukraine last year, the German steel mill which sustained millions of dollars of damage and the recent incursions into nuclear plants in the United States.

This company survived, even though they had to spend $5 million to repair things and incur additional costs of $3 million a year forever due to new security measures put in place.

The attack route, not surprisingly, was the Internet.  As more and more stuff gets connected – the remote control TV cameras were controlled out of the Netherlands, for example – attacking it becomes much more of a known art.  As hackers conduct test runs, such as the attack on TV5 Monde is thought to have been, they become more confident of their ability to do damage going forward.

The real question is, as your company becomes more and more intertwined with the Internet, whether your organization is vulnerable to an attack – even if all you are is a distraction or collateral damage.  And if you are vulnerable, will you be able to recover and survive?  While the Sony attack was done as a revenge attack, we are seeing other attacks which are just targets of opportunity.

The good news is that TV5 Monde survived, but they were completely disconnected from the Internet for months.  Could your company survive for months without being connected to the Internet?  In their case, once they were reconnected to the Internet, that conversation that many companies have – about security or convenience – became much more clear.  Now it was convenience or survival and survival won.  Every employee has had to permanently change the way that they operate.  Forever!

Information for this post came from BBC.