Russian Breach US Grid? Nah, Someone Fell For Social Engineering And Enabled Macros

Breathlessly, the Washington Post reports that the Russian Grizzly Steppe malware was found within the system of a Vermont power utility.

Nah, they just dodged a bullet. This time someone fell for a social engineering ruse: they opened an email, then opened the attachment, and then enabled macros, on a laptop that was not connected to the grid. It's a bad security awareness fail, but no real damage done. Yet. Because that's very similar to how Natanz was penetrated by Stuxnet.

However, it does open up a much bigger picture. The Russian hackers linked to the DNC breach are also behind attacks on utilities in Ukraine. In December, Ukraine’s capital city of Kiev suffered a partial power outage when a high-voltage electric substation turned off under suspicious circumstances. Engineers sat by powerless, watching cursors move on their screens, opening circuit breakers at 50 substations and shutting off electricity to about 700,000 people.

In November 2014, U.S. federal authorities reported that a Russian malware known as BlackEnergy had been detected in the software controlling electric turbines in the United States. Remember Stuxnet in the turbines of the Iranian uranium enrichment plant?

A recent report by FireEye, a Silicon Valley cybersecurity company, said the Russian group has evolved its malware to use “flexible and lasting platforms indicative of plans for long-term use.” What goes around comes around and the genie is out of the bottle.

We Are Engaged In a Cyber Cold War

Frank Cilluffo, a former homeland security adviser during the George W. Bush administration, said such brazen attacks signal a cyber Cold War has broken out. “We need to raise the cost and consequence” of these acts, he said.

The WSJ observed: "Russia’s military laid out what is now seen as a blueprint for cyberwarfare with a 2013 article in a professional journal by Gen. Valery Gerasimov, the chief of Russia’s General Staff. Cyberspace, wrote Gen. Gerasimov, 'opens wide asymmetrical possibilities for reducing the fighting potential of the enemy.'" 

In his 2013 article, Gerasimov talked about the Russian military’s desire to hone its hacking skills as an extension of conventional warfare and political conflict. In reality, they were already deeply engaged in this and expanding their reach.

In Washington’s defense and national security circles, Russia’s use of hard-to-attribute attacks in cyberspace has become known as the “Gerasimov doctrine,” in reference to the 2013 article. And as expected, Russia categorically denies involvement.

Ukraine Power Grid Attack Started With Spear-Phishing

“Russia is the most capable cybersecurity adversary we have,” said Keith Smith, vice president of threat intelligence at Root9B, a network security company. “They penetrated the DNC with a module strikingly similar to BlackEnergy.”

The attack on Ukraine’s power grid started in March 2015 with spear-phishing: emails to utility employees looked like they contained data about military mobilization. Workers who opened the attached MS Office files and clicked “enable macros” infected their workstations with remote access Trojans. The hackers then moved laterally through the network and finally stole the credentials needed to access the utilities’ operations systems.
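The step that gave the attackers their foothold was a user enabling macros in an Office attachment. One cheap control a mail gateway or SOC can run is to flag every inbound Office attachment that actually carries a VBA project, regardless of what its extension claims. The script below is an added example, not code from the original post or from KnowBe4: it checks OOXML files (a ZIP containing `vbaProject.bin`) and, as a coarse dependency-free heuristic, legacy OLE2 files (the `_VBA_PROJECT` directory entry name). The sample attachments are constructed in memory; a production deployment would use a real parser such as oletools' olevba instead of the byte-scan heuristic.

```python
"""Flag inbound Office attachments that contain VBA macros (added example).

Two container formats are handled:
  * OOXML (.docx/.docm/.xlsm/.pptm): a ZIP archive; a VBA project is stored
    as a part named vbaProject.bin under word/, xl/ or ppt/.
  * Legacy OLE2 (.doc/.xls): a compound file with the D0 CF 11 E0 signature.
    Directory-entry names are UTF-16LE, so the VBA project shows up as the
    UTF-16LE bytes of "_VBA_PROJECT". This is a heuristic, not a full parser.
"""
import io
import zipfile
from dataclasses import dataclass

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy compound-file header
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML container header
OLE_VBA_MARKER = "_VBA_PROJECT".encode("utf-16-le")


def has_macros(data: bytes) -> bool:
    """Return True if the attachment bytes carry a VBA project.

    The file extension is deliberately ignored: a .docm renamed to .doc
    still opens in Word and still prompts to enable macros.
    """
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = [n.lower() for n in zf.namelist()]
        except zipfile.BadZipFile:
            return False                      # truncated/corrupt: not a macro doc
        return any(n.endswith("vbaproject.bin") for n in names)
    if data.startswith(OLE_MAGIC):
        return OLE_VBA_MARKER in data         # coarse byte-scan heuristic
    return False


@dataclass
class Attachment:
    filename: str
    content: bytes


def triage(attachments):
    """Return the filenames of attachments that should be quarantined."""
    return [a.filename for a in attachments if has_macros(a.content)]


def _ooxml(parts: dict) -> bytes:
    """Build a minimal OOXML container in memory (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in parts.items():
            zf.writestr(name, body)
    return buf.getvalue()


# Constructed sample attachments; the names echo the Ukraine lure theme.
SAMPLE_ATTACHMENTS = [
    Attachment("mobilization_list.docx",
               _ooxml({"[Content_Types].xml": b"<Types/>",
                       "word/document.xml": b"<w:document/>"})),
    # Macro-bearing OOXML renamed to .doc: the extension lies, the content does not.
    Attachment("mobilization_list.doc",
               _ooxml({"[Content_Types].xml": b"<Types/>",
                       "word/document.xml": b"<w:document/>",
                       "word/vbaProject.bin": b"\x00fake-vba-project"})),
    Attachment("legacy_roster.xls",
               OLE_MAGIC + b"\x00" * 64 + OLE_VBA_MARKER + b"\x00" * 8),
    Attachment("notes.txt", b"meeting at 0900"),
]

if __name__ == "__main__":
    for name in triage(SAMPLE_ATTACHMENTS):
        print("QUARANTINE:", name)
```

Run stand-alone, it flags the renamed `.doc` and the legacy `.xls` and lets the macro-free `.docx` and the text file through. Quarantining rather than deleting keeps the sample for the incident responder, and the same check is a useful detection signal even when the attachment is later released to the user.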

They did recon for nine months, and when the attack actually happened on December 23, 2015, the hackers remotely took control of three of Ukraine’s 30 power distribution utilities within a half-hour. It was the first time that power systems had been shut down by black hats in another country.

The same bad guys then used the KillDisk malware to both erase their tracks and also delete critical automation software, so utilities had to dispatch crews to each substation to manually restore equipment. Electricity was mostly flowing again about six hours after the hackers withdrew, but for months the utilities had to limp along without normal automation.

Michael Assante, who works for SANS and was a member of a fact-finding team that studied the attacks in Ukraine, said it is a fallacy to think the U.S. could repel a similarly sophisticated assault. In fact, heavier reliance on automation makes the U.S. electric system harder to completely restore once knocked out. “The same tactics used in Ukraine would absolutely cause a problem here,” he said.

“The next Pearl Harbor will be cyber”

Sen. Angus King (I-Maine) is sponsoring federal legislation that would require utilities to have manual-control capabilities. “The next Pearl Harbor will be cyber,” he said. “It’s a cheap way to attack. No bombers or submarines needed.” U.S. officials say it is possible that malware, including BlackEnergy, still lurks in American utility networks. There is no federal requirement that it be rooted out. 

Root9B's Keith Smith said that if relations between America and Russia break down, “I don’t see anything that would stop them.”

There is something that can be done about this...

The vast majority of these attacks start with phishing attacks. KnowBe4's integrated training and phishing platform allows you to send fully simulated phishing emails so you can see which users answer the emails and/or click on links in them or open infected attachments. If you have a Platinum subscription you can even send them "vishing" attacks straight to the phone on their desk.

See it for yourself and get a live, one-on-one demo.
