Slashdot Mirror


Western Energy Companies Under Sabotage Threat

An anonymous reader writes: In a post published Monday, Symantec writes that western countries including the U.S., Spain, France, Italy, Germany, Turkey, and Poland are currently the victims of an ongoing cyberespionage campaign. The group behind the operation, called Dragonfly by Symantec, originally targeted aviation and defense companies as early as 2011, but in early 2013, they shifted their focus to energy firms. They use a variety of malware tools, including remote access trojans (RATs) and operate during Eastern European business hours. Symantec compares them to Stuxnet except that "Dragonfly appears to have a much broader focus with espionage and persistent access as its current objective with sabotage as an optional capability if required."


  1. Dragonfly by Symantec by OzPeter · Score: 5, Funny

    I read "The group behind the operation, called Dragonfly by Symantec" as meaning that Symantec had a group called Dragonfly, and they were performing the espionage.

    And my thought processes didn't toss that out as being unreasonable.

    --
    I am Slashdot. Are you Slashdot as well?
    1. Re:Dragonfly by Symantec by alphatel · Score: 3, Insightful

      I read it the same way. A well placed comma would go a long way...

      Or a properly placed quotation:

      The group behind the operation, called "Dragonfly" by Symantec

      --
      When the foot seeks the place of the head, the line is crossed. Know your place. Keep your place. Be a shoe.
  2. Attribution by Ceriel+Nosforit · Score: 3, Interesting

    "...the group mostly worked between Monday and Friday, with activity mainly concentrated in a nine-hour period that corresponded to a 9am to 6pm working day in the UTC +4 time zone."

    Which government has working days like that? Is it the Russians?

    --
    All rites reversed 2010
    1. Re:Attribution by thieh · Score: 3, Informative

      Anywhere from Eastern Europe (UTC+2, 7AM-4PM) to Myanmar (UTC+6:30, 11:30AM-8:30PM) would also be reasonable, no?

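The working-hours reasoning in the two comments above (Symantec's reported 09:00 to 18:00 day at UTC+4, and thieh's point that the same nine hours fit a range of zones from Eastern Europe to Myanmar) can be turned into a small analysis. The following is an added example, not code from the original thread or from Symantec's report: it slides a local working-day window over attacker activity timestamps and lists the UTC offsets consistent with it. The timestamps are constructed to mimic the quoted pattern (nine hours a day, Monday to Friday, aligned to UTC+4) and are not real data; the window bounds, the half-hour offset grid and the fit threshold are assumptions.

```python
"""
Added example (not from the Symantec report or any commenter): infer which
UTC offsets are consistent with observed attacker activity by sliding a
local "working day" window over the timestamps. The activity log below is
constructed to resemble the pattern quoted in the thread; it is not real data.
"""
from datetime import datetime, timedelta, timezone


def sample_events():
    """Constructed activity log: one event every 15 minutes, 05:00-13:59 UTC,
    Monday to Friday, over two weeks. Seen from UTC+4 that is 09:00-17:59."""
    events = []
    monday = datetime(2014, 6, 2, tzinfo=timezone.utc)  # 2014-06-02 is a Monday
    for day in range(14):
        d = monday + timedelta(days=day)
        if d.weekday() >= 5:          # skip Saturday and Sunday
            continue
        for hour in range(5, 14):
            for minute in (0, 15, 30, 45):
                events.append(d.replace(hour=hour, minute=minute))
    return events


def workday_fit(events, offset_hours, start_hour=9, end_hour=18):
    """Fraction of events that fall on a weekday between start_hour (inclusive)
    and end_hour (exclusive) when viewed from a zone at the given UTC offset."""
    tz = timezone(timedelta(hours=offset_hours))
    local = [e.astimezone(tz) for e in events]
    inside = sum(1 for t in local
                 if t.weekday() < 5 and start_hour <= t.hour < end_hour)
    return inside / len(local)


def candidate_offsets(events, start_hour=9, end_hour=18, min_fit=1.0):
    """UTC offsets (half-hour steps from -12 to +14, an assumed grid) where at
    least min_fit of the activity lands inside the assumed working day."""
    return [half / 2 for half in range(-24, 29)
            if workday_fit(events, half / 2, start_hour, end_hour) >= min_fit]


def best_offset(events, start_hour=9, end_hour=18):
    """The single offset on the grid that explains the most activity."""
    return max((half / 2 for half in range(-24, 29)),
               key=lambda o: workday_fit(events, o, start_hour, end_hour))


def shift_window(start_hour, end_hour, from_offset, to_offset):
    """Re-express a local working window in another zone: a 09:00-18:00 day at
    UTC+4 is 07:00-16:00 at UTC+2, the arithmetic thieh does above."""
    delta = to_offset - from_offset
    return (start_hour + delta, end_hour + delta)


if __name__ == "__main__":
    ev = sample_events()
    print("strict 09-18 fit:", candidate_offsets(ev))              # [4.0]
    print("any 07-20 working day:", candidate_offsets(ev, 7, 20))  # UTC+2 .. UTC+6
    print("best offset:", best_offset(ev))                         # 4.0
    print("UTC+4 09-18 seen from UTC+6.5:", shift_window(9, 18, 4, 6.5))
```

With the strict nine-hour window only UTC+4 fits the constructed data, because the data are exactly nine hours wide; once you accept any plausible working day (07:00 to 20:00 here) the whole band from UTC+2 to UTC+6 survives, which is thieh's point. Real data are noisier, so lower `min_fit` or widen the window rather than expecting a perfect score, and remember that a working-hours pattern only says something about opportunity: it is cheap for an operator to schedule activity in someone else's business hours.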
    2. Re:Attribution by Ceriel+Nosforit · Score: 2

      No, it would not... Government bureaucracy is so rigid that we can have much better guesses than that. We should be able to eliminate most countries in this range, and their enemies to accommodate false-flag ops, and subtract according to capability. You get a short-list and then you just wait for the smoking gun.

      --
      All rites reversed 2010
    3. Re:Attribution by ColdWetDog · Score: 2

      "The International situation is desperate, as usual"
      -- Tom Robbins

      --
      Faster! Faster! Faster would be better!
    4. Re:Attribution by PPH · Score: 2

      Iran? If they start work at 8:00.

      --
      Have gnu, will travel.
    5. Re:Attribution by flyingsquid · Score: 2

      To establish guilt in a crime, you try to identify who has means, motive, and opportunity. The working hours provide you information on opportunity; not to say that someone from China or North Korea couldn't attack during Eastern European business hours, but this tends to point to Eastern Europe as being the most likely source.

      That brings us to means. Who has the capability to launch a campaign of this scope and duration? Anybody can launch a cyberattack, but relatively few countries have the resources to launch attacks against multiple organizations, in multiple countries, over many years. The big players in cyberwarfare are a relatively exclusive club, and would include the United States, Israel, China, North Korea, and Russia. So our suspect is almost certainly one of those countries.

      Which brings us to motive. Who might want to attack these countries? The U.S. has a long list of enemies; certainly China, North Korea, or Russia might be interested in attacking the U.S. or at least having the capability to do so. Having the U.S. on this hit list tells us little. But what about the other countries? They include Spain, France, Italy, Germany, Turkey, Poland, Romania, Greece, and Serbia. With the exception of Serbia, every single one of those countries is a member of NATO. And NATO was created specifically to counter and deter Russia. So now put it all together: the attacks appear to be coming from Eastern Europe, the only country on the list of cyberwarfare powers in that area is Russia, almost all of the countries are part of a military alliance designed to counter Russia...

  3. No airgap? by thieh · Score: 4, Interesting

    I would have thought some of these should be airgapped for security reasons by design? Is it so hard to go to work these days that you have to hook it up to the outside?

    1. Re:No airgap? by swb · Score: 5, Insightful

      I've done a couple of projects with engineering companies including one at a power plant. From what I've seen, the thing that tends to lead from air gapping to lack of airgapping is support.

      The engineering companies don't have the IT infrastructure experience or skills in their engineering practice. They hired me to do basic stuff like SAN setup, switch configuration, VMware, etc.

      The engineering company is required to provide support for their subsystem for a period of a couple of years and this includes everything IT related. Their office is hundreds of miles from the plant so problems with the IT environment require them to fly someone out. This is expensive, the guy who goes out has limited troubleshooting skills and they turn to me.

      But they don't want to pay for my services on site, so ultimately they end up ungapping the environment so it can be supported with less cost. They have some security -- VPN only and possibly other restrictions which limit VPN connectivity, but they break the air gap.

      They could maintain the air gap, but it would cost money -- support and travel costs, etc.

      Ideally the engineering company would make IT systems part of their practice, but I think a lot of engineers have an "I'm an engineer" mentality which makes them think they're good at everything, so they see this as unnecessary. They could negotiate with the plant to engage their IT resources, but that would cost them money.

    2. Re:No airgap? by asylumx · Score: 2

      Stuxnet affected airgapped machines...

    3. Re:No airgap? by BUL2294 · Score: 2

      Yes, but now you'd need someone on-site, at the machine in question or on another PC within the airgapped network, to do their evil deeds. Doesn't matter if I know the password of the machine with the "NOC list" (from "Mission Impossible 1"); if the airgapped PC is physically thousands of miles away and/or I can't get into the site with the airgapped network, then what's the point??? I'm willing to bet some of the passwords on PCs within an airgapped network are "password", "12345", blank, "00000", etc.

      And if you're really paranoid or anal, keyboards are cheap to replace -- or randomly cycle different brands/models/styles of keyboards between a set of PCs at random intervals...

      --
      Windows 3.1x calc: 3.11 - 3.10 = 0.00
    4. Re:No airgap? by mlts · Score: 2

      Worst case, replace the keyboard with something like the Optimus Maximus keyboard with the keys changing characters every time a password is asked.

      What really is needed are what we had before everything got linked to the Internet. We need separate networks. Examples of this would be SIPRnet, NIPRNet, and GRU's equivalents.

      Yes, this network can be hacked, but it adds an additional barrier -- one has to hack the network (which likely will be designed with this in mind from the ground up), forge access as a trusted machine (tough, due to machines having their own public keys), then try to attack the targets themselves.

      I wonder why this isn't done. I would think a "BIPRNet" would be obvious since it gets sensitive traffic and things like wide-open SCADA systems completely off the Internet, but still allows remote access and management.

    5. Re:No airgap? by DigiShaman · Score: 2

      but I think a lot of engineers have an "I'm an engineer" mentality which makes them think they're good at everything

      I got news for you. A lot of professionals are arrogant enough to think they're qualified to perform another craft. Same thing goes for Doctors, Lawyers, and well, IT folk as well.

      --
      Life is not for the lazy.
    6. Re:No airgap? by VorpalRodent · Score: 4, Funny

      I am an engineer, but I agree with your assessment - I feel fully qualified to act as a doctor. None of my patients have complained, but if by chance one were to survive and make a fuss, I feel sufficiently competent as a lawyer that I'm sure I'd be okay.

      --
      Take it to the limit, everybody to the limit, come on, everybody fhqwhgads.
  4. Welcome to the future! by MRe_nl · Score: 2

    People no longer have an expectation of privacy, according to Mark Zuckerberg.
    Corporations are people, according to recent laws.
    Ergo please stop whining, what goes around comes around, much like an enrichment centrifuge PLC : ).

    --
    "Kill 'em all and let Root sort 'em out"
  5. Re:How is this any different than any other day? by Errol+backfiring · Score: 4, Insightful

    To bear the blame if things go wrong. Oh, you want quality? Sorry, in the modern everything-must-be-done-yesterday-at-no-cost IT sector, quality is usually not an option. There's no market for quality.

    --
    Nae king! Nae laird! Nae yurrupiean pressedent! We willna be fooled again!
  6. perhaps a slice of crow for the US? by nimbius · Score: 2

    America patented this handy attack vector during the Cold War. The CIA once destroyed a gas pipeline in 1982 by hacking malicious controls software into a system purchased by them from Canada. The pipeline software that was to run the pumps, turbines and valves was programmed to go haywire, to reset pump speeds and valve settings to produce pressures far beyond those acceptable to the pipeline joints and welds.
    Again, the US did this in 2010 in collusion with Israeli Mossad, who were at the time busy with bomb attacks against key nuclear scientists in Iran. Stuxnet was meant to sabotage the uranium enrichment facility at Natanz. The worm worked by first causing an infected Iranian IR-1 centrifuge to increase from its normal operating speed of 1,064 hertz to 1,410 hertz, causing repeated stress and ultimately failure.

    Now the cows have come home. America is finding itself on the receiving end of increasingly sophisticated attacks against its 60 year old reactors and control systems by proxy. Smaller western nations use the same GE technology and concepts while arguably being 'under the radar' enough to avoid major investigation into penetrations that would result in increased security of these systems by the US, or so I suspect the prevailing theory would be. It is no longer a matter of if, but when we as a country will take a seat for one of our famous 'teachable moments'.

    --
    Good people go to bed earlier.
    1. Re:perhaps a slice of crow for the US? by flyingsquid · Score: 5, Interesting

      It's unquestionable that the U.S. has let this thing loose; the U.S. has perhaps the most advanced cyberwarfare capabilities (at least in terms of offense) of any country on earth, and having developed these weapons and techniques they can't complain too much if other countries start using them as well. However the idea is that cyberwarfare, just like conventional warfare, can and should be governed by a code of conduct. The idea would be that targets that would be considered off-limits to conventional attacks would also be off-limits to cyber-attacks. So it would be considered acceptable to attack the enemy's command-and-control network, their radars, their weapons systems, or military shipping and transport... but not to attack civilian infrastructure such as electricity, water supply, trains, banks, the stock market, etc. etc. So far, U.S. actions are consistent with this policy; we have attacked Iran's nuclear facilities but haven't tried to take down their banks or power plants, even though we probably could. You can see this policy in action where the U.S. recently accused a number of Chinese soldiers of engaging in cyberwarfare against the U.S. The issue wasn't that they engaged in cyberwarfare, which we expect the Chinese to do. It was that they were attacking civilian targets for corporate espionage, and the U.S. wanted to send a message that while they expect the military to be attacked by the Chinese, and it's a legitimate target, it's not OK to target U.S. companies.

      In the current case, it would appear that Russia doesn't accept the U.S. argument that civilian infrastructure should be off-limits. Whether the U.S. can complain here or not is debatable. The U.S. has targeted civilian infrastructure during conventional operations; they knocked out the power in Serbia during actions in Kosovo, for example. So the Russians could easily argue- and not without merit- that if it's OK to take out the power in Serbia using a stealth bomber and a conventional bomb, it ought to be OK to turn out the lights in the U.S. using a logic bomb.

  7. It's the Russians by ziggystarsky · Score: 4, Insightful

    It's Russia because
    - UTC+4 is one time zone east of Moscow;
    - it shifted to energy supplying firms with the beginning of the crisis in Ukraine (where Russia's gas deliveries are considered its only trump);
    - it's either Russia or China in general.

  8. Re:Jesus Christ, just use OpenBSD! by ColdWetDog · Score: 2

    No, there is no 'easy' solution to security and people like you are why it's harder than it should be. Security is an ongoing process, not something you just install. The minute you forget about that little detail is the minute that you get pawned.

    That's the easy part.

    --
    Faster! Faster! Faster would be better!
  9. Decentralized power ? by einar.petersen · Score: 2

    Hmmm... Did anyone just say why don't we use this opportunity of reliance upon centralized power and the weakness thereof to get rid of the energy cartels and rely on decentralized power instead, thus making our nations stronger, more independent and resilient to both attacks and natural disasters ? Just food for thought on a day that Solar Power just got greener and not to mention cheaper http://www.geek.com/science/se... The fact that power companies are being "attacked" is old news - The right path to take in the light of these "attacks" is one of energy self reliance. That means "self powering" each building and furthermore securing such installations from infograbbing / controlling entities looking out for their own profits with no real concern for your needs or finances.

    --
    MS, ALS, Aphasia ? http://globability.org - Me http://einarpetersen.com
  10. TBH I'd be more worried... by Torp · Score: 2

    ... about the ones Symantec doesn't know about.
    Also, I don't remember Symantec doing anything useful since like, forever. I remember them for purchasing Norton Utilities and turning them into a bloated mess. Should we trust them on this, or is their marketing department manufacturing a threat? :)

    --
    I apologize for the lack of a signature.