Grid cyberthreats, Bitcoin busts and a Russian botnet takedown
Charles Cook/Flickr
Welcome to Changelog for 4/10/22, published by Synack! Blake here, writing from the nation’s capital. Last week saw a spate of cyber hearings on the Hill, including one covering U.S. Cyber Command, two House Homeland Security Committee hearings on critical infrastructure threats and defenses, plus a closed session on training the next generation of U.S. cyber operators. Here’s what to know after another busy week for the cybersecurity world:
The payload
U.S. electricity authorities on Thursday shared lessons from last year’s GridEx security exercise that drew in hundreds of power utilities, as I reported for README. Security planners at the North American Electric Reliability Corp. threw everything but the kitchen sink at participants in the executive tabletop session, forcing leaders to rehearse how they’d handle a coordinated set of cyber and physical attacks on the nation’s energy backbone.
One phase of that Nov. 18 session rang a bell: attackers in the scenario threw a wrench into wind generation resources, subjecting them to “widespread control and response issues.”
In March 2019, a first-of-its-kind real cyberattack on the U.S. grid did just that, fogging up grid operators’ view into some 500 megawatts of wind and solar resources across the West. The DDoS-style attack on Cisco firewalls used by Salt Lake City-based sPower may not have caused a power outage, but it did register as a cyber “interruption” of electrical system operations based on its impact to critical communications. That level of grid cyber disruption had never happened before in the U.S., as I reported for E&E News at the time.
The wind turbines and solar panels kept generating electricity — enough to power close to 100,000 homes — during the minutes-long intervals the firewalls were dragged offline. But a longer, more widespread communications outage could have caused problems for grid operators trying preserve the delicate balance of generation and demand. And as the U.S. power grid grow more interconnected with the internet, it’s become harder to separate the digital from the physical and revert to “manual mode” like Ukrainian utility workers did after an unprecedented 2015 cyberattack on the power grid there.
Some U.S. utilities can still fall back to some semblance of manual operations in the event of a debilitating cyberattack. But rolling out bucket trucks and flipping switches by hand may not be an option for others.
“Manually operating the grid is one arrow in the quiver, so to speak, that we will continue to leverage,” Manny Cancel, CEO of the Electricity Information Sharing and Analysis Center, told reporters Thursday. “But we have to continue to look at this and see how widely it can be used as well.”
The week, compiled
Speaking of grid cyberthreats, China state-sponsored hackers have reportedly been caught snooping around in neighboring India’s power networks, according to an analysis by cybersecurity firm Recorded Future.
So-called “Threat Activity Group 38” may be “pre-positioning” for future malicious activity in India’s power grid, Recorded Future analysts warned. Some of TAG-38’s behavior echoes that of the RedEcho threat group linked to past cyber intrusions in India’s energy networks, according to the report, but there isn’t enough technical evidence to definitively connect the dots between RedEcho and the latest string of breaches affecting at least seven grid control centers in northern India.
The use of the ShadowPad modular backdoor has been something of a calling card for Beijing, and TAG-38 is no exception.
“At this time, we track at least 10 distinct activity groups with access to ShadowPad, which is assessed to have likely been originally developed and used by MSS-linked contractors linked to the APT41 (BARIUM) intrusion set,” Recorded Future said.
What might China be planning for its neighbor’s power grid? Recorded Future doesn’t say in its report, but it does note — in a bit of cyber understatement — that the intrusions are “cause for concern.” I’m hoping experts will shed more light on these and other grid threats at the S4 industrial cybersecurity conference in Miami Beach next week, where I’ll be gathering intel on all the latest digital risks and vulnerabilities facing global critical infrastructure. Drop me a line if you’ll be there, too!
In the meantime, here’s your weekly news roundup:
Ars Technica: FBI took the extraordinary step of removing “Cyclops Blink” malware from infected devices across the U.S. as part of a wider takedown of a Russia-backed botnet. While many experts applauded the move, which defanged the botnet before it could even be used, others raised concerns about potential privacy and data integrity risks tied to federal law enforcement proactively disinfecting users’ machines.
Wired: Bitcoin was hyped as an untraceable tech that would upend global finance and empower a new generation of cryptocurrency-savvy cybercriminals. But each payment on the blockchain is, as Andy Greenberg writes, “a smoking gun in broad daylight.” Come for his account of a methodical takedown of a horrific child sexual abuse site; stay for the colorful characters like “Bitcoin Jesus.”
CNBC: One of the oldest and largest darknet emporiums, Hydra Market, was dismantled by U.S. and German authorities.
A message from Synack
Does your penetration testing meet compliance requirements? Synack recently announced it received Moderate “In Process” status from FedRAMP, meaning even more US departments, agencies and contractors can utilize its global network of elite ethical hackers for on-demand, around-the-clock pentesting. Find out more here.
Flash memory
Five years ago, analysts at Mandiant warned that the financially-motivated FIN7 threat group was targeting restaurant chains and hospitality companies with malicious .docx and .rtf files hooked onto spearphishing email lures.
Active since at least late 2015, FIN7 has stolen tens of millions of credit cards and by some estimates caused victims over $1 billion in costs. Their tactics have shifted over the years, but they’ve always been laser-focused on making money, whether it be through stealing debit cards or lately dabbling in ransomware.
On Thursday, the Justice Department announced FIN7 member Denys Iarmak had been sentenced to 5 years in prison for his role as a “pen tester” for the cybercriminal group. He was arrested in Thailand in 2019 at the request of U.S. authorities, and extradited the following year. The 32-year-old’s sentence closes a chapter in FIN7 history, though other members of the group remain active.
Local files
The Washington Post: Des Moines, Iowa-based Berkshire Hathaway Energy has managed to prevent any cyberattacks on the industrial control systems of its own networks or those of its 11 subsidiaries, according to Chief Security Officer Michael Ball. (Though some cybersecurity experts have their doubts.)
Foreign Affairs: Russia’s cyberattacks on Ukraine in the runup to the war there may not have been flashy, but that doesn’t mean they’re ineffective, according to NATO officials David Cattler and Daniel Black. “[T]he lack of overwhelming ‘shock and awe’ in cyberspace has led to the flawed presumption that Russia’s cyber-units are incapable, and even worse, that cyber-operations have offered Russia no strategic value in its invasion of Ukraine,” they write.
Off-script
“DALL-E is good at avocados.”
Alex Nichol’s wry remark to the New York Times undersells the computer-generated talent of his DALL-E AI system.
Developed by Nichol and other researchers at the OpenAI lab, DALL-E’s early handiwork has drawn a mix of awe, fascination and more than a little fear. Give the tool a text prompt, and it whips together, well, art:
The latest version of the DALL-E system is not yet publicly available, as backers of the system iron out remaining glitches and assess the potential risks of sharing it widely. I’d gear up for a bit of disinformation chaos when it drops.
That’s all for this week— please send any tips, feedback and spare challenge coins to bsobczak@synack.com. See some of you at S4 next week!