Sunday, January 5, 2020

Take it from Vlad: “For best results, always hack through the supply chain!”



Last week, Kevin Perry, former Chief CIP Auditor of SPP Regional Entity, sent me the link to this article from Politico, which pointed out that Russia probably came a lot closer to directly hacking the 2016 election than most of us thought – in fact, it seems they might have directly affected the results (perhaps not the outcome itself, although there’s no way to know that) in at least one locality - Durham, NC.

This is of course quite scary, since if people don’t trust elections to provide accurate counts, all sorts of havoc could ensue (and that is, of course, exactly the purpose of the Russian election hacks!). However, Kevin was most interested in the fact that this successful or near-successful attack came through the supply chain – specifically a vendor in Florida, VR Systems, that provides software for local governments nationwide.

The article (and a predecessor article linked in it, which fills in details not in the main article) says that VR Systems was probably compromised through spear phishing emails, but that in itself was just half of the attack. It seems VR was using remote access to troubleshoot software problems (including the problems that appeared in Durham a few days before the election), and it's possible that the hackers, who were already present in VR's network, used that connection to get into Durham's systems, and perhaps those of other governments as well.

Of course, having direct remote access into critical election systems is the equivalent of having direct remote access (i.e. not through an Intermediate System, the CIP-005 term for a jump host that every Interactive Remote Access session must pass through) into an Electronic Security Perimeter – it's something that should never have been done in the first place, and VR wasn't supposed to be doing it now (although there aren't any regulations governing election system cybersecurity, of course).
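As an added illustration (this is not code from the original post, and not anyone's actual configuration), here is a small Python check that applies the Intermediate System idea to firewall logs: any accepted interactive session (SSH, RDP, VNC) into the protected network whose source is not the designated jump host is flagged, because that is exactly the "vendor straight into the election system" path the article describes. The network ranges, the jump-host address, the port mapping and the log line format are all assumptions made for this example; the sample log lines are constructed, not real traffic.

```python
# Added example, not from the original post. Flags interactive remote-access
# sessions into a protected network that bypassed the Intermediate System.
import ipaddress
import re
from dataclasses import dataclass

# Assumed addresses: a protected election/control network and its single
# sanctioned Intermediate System (jump host). Take these from inventory in practice.
PROTECTED_NET = ipaddress.ip_network("10.50.0.0/24")
INTERMEDIATE_SYSTEMS = {ipaddress.ip_address("10.10.0.5")}

# Assumed mapping of destination ports to interactive services.
INTERACTIVE_PORTS = {22: "ssh", 3389: "rdp", 5900: "vnc"}

# Assumed firewall log format: "<timestamp> <ACTION> src=<ip> dst=<ip> dport=<port>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ACCEPT|DENY)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)$"
)


@dataclass(frozen=True)
class Finding:
    ts: str
    src: str
    dst: str
    service: str


def parse_line(line: str):
    """Return (ts, action, src, dst, dport) for a well-formed line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return (m["ts"], m["action"], ipaddress.ip_address(m["src"]),
            ipaddress.ip_address(m["dst"]), int(m["dport"]))


def find_bypasses(lines):
    """Flag accepted interactive sessions into PROTECTED_NET that did not
    originate from an Intermediate System. Traffic that starts inside the
    protected network is not remote access and is out of scope for this check."""
    findings = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # unparseable line: skip rather than crash
        ts, action, src, dst, dport = parsed
        if action != "ACCEPT" or dst not in PROTECTED_NET or dport not in INTERACTIVE_PORTS:
            continue
        if src in PROTECTED_NET or src in INTERMEDIATE_SYSTEMS:
            continue  # intra-perimeter, or came through the jump host: the sanctioned path
        findings.append(Finding(ts, str(src), str(dst), INTERACTIVE_PORTS[dport]))
    return findings


# Constructed sample log (not real data). 203.0.113.7 stands in for a vendor's public address.
SAMPLE_LOG = [
    "2020-01-03T14:02:11Z ACCEPT src=10.10.0.5 dst=10.50.0.22 dport=22",      # via jump host: fine
    "2020-01-03T14:05:40Z ACCEPT src=203.0.113.7 dst=10.50.0.21 dport=3389",  # vendor straight in: flag
    "2020-01-03T14:06:02Z ACCEPT src=203.0.113.7 dst=10.50.0.21 dport=443",   # not interactive: ignore
    "2020-01-03T14:07:15Z DENY src=198.51.100.9 dst=10.50.0.21 dport=22",     # blocked: ignore
    "2020-01-03T14:08:00Z ACCEPT src=10.50.0.22 dst=10.50.0.23 dport=5900",   # inside the perimeter: out of scope
    "garbage line the parser should skip",
]

if __name__ == "__main__":
    for f in find_bypasses(SAMPLE_LOG):
        print(f"{f.ts} {f.service} {f.src} -> {f.dst} bypassed the Intermediate System")
```

Run against the sample log, only the vendor's direct RDP session is reported. The check deliberately says nothing about whether the jump host itself was reached legitimately; that belongs to the jump host's own authentication logs, which is where the phishing side of the VR Systems story would show up.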

However, the story here is the vector of the attack. A lot of people talk about hacks on the power grid as being direct assaults on the firewalls of major utilities. Of course, these assaults are occurring every second. But they’re not getting through, and the bad guys – especially the Russians (or am I wrong? Are they now good guys and I’m the bad guy? I can never be too sure about these things…) – have figured out that they’re wasting their time with any further assaults on the front gate. Instead of trying to take the castle by storm from the front, it’s much better to go around to the rear in the dark of night, and break in the door that’s there for the tradesmen to use.

In a conversation with me, someone recently pointed to the CRISP system as providing great security for utilities. It certainly provides great security against frontal assaults, just as the Maginot Line provided impenetrable security against German frontal assaults during World War II. Of course, the French had nothing protecting the border with Belgium and the Ardennes Forest, and that’s how the Germans came in. In the same way, anyone who thinks CRISP is all we need to protect the North American power grid from cyber attacks will be pretty surprised when the Russians break through on the supply chain front (and it seems they already have, if the FBI, CIA and NSA are to be believed. Of course, what do they know about anything?).

And look at other Russian attacks, including:

  1. The NotPetya attack, the most devastating cyber attack ever, which started off as a supply chain attack on Ukrainian companies (in fact a huge percentage of them) that used a certain supplier of tax software.
  2. The DHS briefings in July 2018, at which Jonathan Homer said that some number (anywhere between three and two hundred, depending on who you talk to. Of course, if it were just one, that alone would be huge) of US utilities had been penetrated at the control system level, and the Russians could have caused outages if they wanted to – and presumably they planted malware so they could come back later if they decided it was time for an outage. These attacks came completely through vendors, who had been penetrated through their (i.e. the vendors’) remote access systems, as well as phishing emails.
  3. The Wall Street Journal article of January 2019, describing in great detail – and naming names – how the Russians had used phishing emails to gain footholds in vendors, and thence to penetrate electric utilities. While the reporters didn’t themselves cite instances of penetration of utility control networks, the article quoted Vikram Thakur of Symantec as saying at least eight utility control centers had been penetrated.

While the most recent WSJ article – by the same reporters, Rebecca Smith and Rob Barry – describes attacks that may have occurred in some cases through phishing emails sent directly to utilities, it's certain that supply chain attacks are still going on. And the new Politico article confirms that the Russians like supply chain attacks for election infrastructure as well. Why change tactics when what you're doing now is working?

So listen to your good friend Uncle Vladimir: When you really want to get the hack done and cause damage, there’s no better vector than the supply chain! He’s a man who should know…

Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC.

If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com. Please keep in mind that if you’re a NERC entity, Tom Alrich LLC can help you with NERC CIP issues or challenges like what is discussed in this post – especially on compliance with CIP-013. My offer of a free webinar on CIP-013, specifically for your organization, remains open to NERC entities and vendors of hardware or software components for BES Cyber Systems. To discuss this, you can email me at the same address.
