How attackers used human error to hack the power grid
Recent cyberattacks on power companies in the United States, Turkey and Switzerland – including one breach where the attackers may have gained control over operational systems – are showing how easily human error can put critical computer networks at risk, security experts said.
The cybersecurity company Symantec reported in September 2017 that a group of attackers spent two years infiltrating, mapping out and possibly gaining control over power company systems, using a variety of techniques designed to trick people into activating malicious software. In a separate, apparently failed attack, another group used at least one of those techniques – spearphishing, meaning emails tailored to specific recipients and crafted to get them to open a malware-laden attachment or link – in an attempt to set up surveillance on U.S. electric companies.
"(This is) another attempt by a nation-state to compromise our critical infrastructure. It isn't the first, and it's certainly not going to be the last," said Michael Daly, chief technology officer for cybersecurity and special missions at Raytheon, in response to the second attack. "In fact, critical infrastructure networks are now the terrain over which nation-states are playing out their political and military battles."
The hackers' methods exploited what cybersecurity experts call the "insider threat," a term for the various ways authorized users can let an attacker inside a network, either by mistake or malice.
"They're basically playing on things that influence the weakest link inside your enterprise – people," said Josh Douglas, chief strategy officer for Raytheon Cyber Services. "Their desires and their will, their social interaction, their reading habits, etcetera. The behavioral aspects of employees are a direct link to the weakness of the security of an organization."
The methods were common and well-documented, suggesting the attackers focused less on technological sophistication and more on knowing what energy company employees were likely to do – a hacking principle known as "social engineering."
For example, Symantec reported, the attackers:
- Disguised malware as an invitation to a New Year's Eve party – then followed up with messages containing "very specific content related to the energy sector;"
- Planted malware on websites frequented by utility employees, a technique known as a "watering hole" attack;
- Hid malware inside what appeared to be a legitimate software update, or "Trojanization."
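The third item on that list, the trojanized update, is the one a defender can check for mechanically: a package that was really built by the vendor matches a hash the vendor published somewhere other than the download itself. The following is an added example, not code from Symantec's report or from any utility or vendor named on this page; the product name, the manifest layout and the host names are assumptions, and the "package" bytes are constructed stand-ins.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Constructed stand-ins for a genuine update package and a trojanized copy that
# carries the same name but extra code appended to it.
GOOD_PACKAGE = b"MZ... constructed bytes standing in for the vendor's installer ..."
TROJANIZED_PACKAGE = GOOD_PACKAGE + b"\x90\x90 constructed extra stage appended by an attacker"

# The manifest is assumed to have been obtained out of band (for example from the
# vendor's signed release notes or a support portal you reached independently),
# never from the same email or download that delivered the file. The hash is
# computed here only so the example is self-contained.
PINNED_MANIFEST = {
    "filename": "ics-client-setup-4.2.1.exe",          # hypothetical product
    "sha256": hashlib.sha256(GOOD_PACKAGE).hexdigest(),
    "allowed_hosts": {"updates.example-vendor.com"},   # hypothetical vendor host
    "max_bytes": 200 * 1024 * 1024,
}


def verify_update(filename, data, download_url, manifest=PINNED_MANIFEST):
    """Return (ok, reason). The package is installed only if every check passes."""
    parts = urlsplit(download_url)
    host = (parts.hostname or "").lower()
    if parts.scheme != "https":
        return False, "update must be fetched over HTTPS"
    if host not in manifest["allowed_hosts"]:
        return False, f"unexpected download host {host!r}"
    if filename != manifest["filename"]:
        return False, f"unexpected filename {filename!r}"
    if len(data) > manifest["max_bytes"]:
        return False, "package is larger than the manifest allows"
    digest = hashlib.sha256(data).hexdigest()
    # compare_digest avoids leaking how many leading bytes matched
    if not hmac.compare_digest(digest, manifest["sha256"]):
        return False, "sha256 mismatch: contents differ from the pinned release"
    return True, "ok"


if __name__ == "__main__":
    url = "https://updates.example-vendor.com/ics-client-setup-4.2.1.exe"
    print(verify_update("ics-client-setup-4.2.1.exe", GOOD_PACKAGE, url))
    print(verify_update("ics-client-setup-4.2.1.exe", TROJANIZED_PACKAGE, url))
    print(verify_update("ics-client-setup-4.2.1.exe", GOOD_PACKAGE,
                        "https://updates.example-vendor.com.evil.example/setup.exe"))
```

The hash check only helps if the reference value came through a channel the attacker does not also control; a hash printed on the same phishing page as the download proves nothing. Where the vendor signs releases, verifying the signature against a key you already hold is the stronger form of the same check.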
Symantec attributed the attack to a group known as Dragonfly 2.0, the same party responsible for a cyber-spying operation on energy companies uncovered in 2014. It did not speculate on the group's origins, but did call it "an accomplished attack group" and said it used one piece of what appeared to be custom-built malware.
Just as the attackers used human behavior to build their offensive, companies can use it to design their defense, said Richard Ford, chief scientist for Forcepoint, a commercial cybersecurity company jointly owned by Raytheon.
For example, he said, the company found that while people going to a website commonly click out of pop-up security warnings, they respond better to an intermediary webpage that tells them clicking through might be a bad idea.
"By changing the context of the interaction, the overall click-through rate was dramatically lowered," he said.
The trick, Ford said, is "to steer people, as opposed to direct them," and close the same types of security gaps the power-grid hackers exploited.
"People are great. We're awesome. And we're also very focused on what we're doing, and we don't think about the consequences for that," Ford said. "There's no patch for people. At least, if there is, I'm not sure I want to install it."
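The intermediary page Ford describes is usually implemented by rewriting outbound links so that a click lands on a warning page first, and only then continues to the original destination. The following is an added example, not Forcepoint's code or any product's: it rewrites the links in an HTML page server-side, routing every absolute http(s) link whose host is not on a trusted list through a hypothetical `/warn` endpoint. The trusted hosts, the endpoint and the sample page are constructed for the example; the warning page itself is assumed to exist and is not shown.

```python
import html
from html.parser import HTMLParser
from urllib.parse import quote, urlsplit

# Hosts whose links go straight through. Constructed for this example.
TRUSTED_HOSTS = {"intranet.example.com", "www.example.com"}
WARN_PATH = "/warn"   # hypothetical interstitial endpoint: /warn?url=<encoded target>


def needs_interstitial(href, trusted_hosts=TRUSTED_HOSTS):
    """True for absolute http(s) links whose host is not trusted.

    Relative links, mailto:, tel: and the like are left alone."""
    parts = urlsplit(href)
    if parts.scheme not in ("http", "https"):
        return False
    host = (parts.hostname or "").lower()
    return host not in trusted_hosts


def interstitial_url(href):
    # Encode ':' and '/' too so the whole target survives as one query value
    return f"{WARN_PATH}?url={quote(href, safe='')}"


class LinkRewriter(HTMLParser):
    """Re-emits the page, swapping risky <a href> targets for the warning URL."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def _emit_tag(self, tag, attrs, self_closing=False):
        parts = [tag]
        for name, value in attrs:
            if value is None:
                parts.append(name)
                continue
            if tag == "a" and name.lower() == "href" and needs_interstitial(value):
                value = interstitial_url(value)
            parts.append(f'{name}="{html.escape(value, quote=True)}"')
        self.out.append("<" + " ".join(parts) + (" /" if self_closing else "") + ">")

    def handle_starttag(self, tag, attrs):
        self._emit_tag(tag, attrs)

    def handle_startendtag(self, tag, attrs):
        self._emit_tag(tag, attrs, self_closing=True)

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))

    def handle_comment(self, data):
        self.out.append(f"<!--{data}-->")


def rewrite_links(page):
    parser = LinkRewriter()
    parser.feed(page)
    parser.close()
    return "".join(parser.out)


# Constructed sample page: one external lure link, one internal link, one relative link.
SAMPLE_HTML = (
    '<p>Join us for the <a href="https://evil.example.net/party.html">New Year party</a> '
    'or see <a href="https://intranet.example.com/hr">HR</a> and <a href="/local">local</a>.</p>'
)

if __name__ == "__main__":
    print(rewrite_links(SAMPLE_HTML))
```

The rewrite changes where the click goes, not what the user sees, which is the point Ford makes about context: the person still chooses to continue, but does so on a page whose only job is to say that continuing may be a bad idea. The warning endpoint should itself validate the `url` parameter (scheme and host) before redirecting, so it cannot be turned into an open redirector.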
Last Updated: 10/11/2017