Saturday, January 30, 2016

10 Things you probably didn’t know about Cyber Attacks on the Energy Sector

On 26 January, Ars Technica reported that the Israeli Electric Authority had reported a power outage, and also attributed it to hackers.

For the past four years Wapack Labs has been digging deep into the targeting of the energy sector. Once relegated to nation-state warfare (think STUXNET), it soon became clear that the shift to renewable energy and the development of geostrategic reserves had put a bull's eye on critical infrastructure in the energy sector, and that those cyber operations clearly have operational and physical effects.

These are ten things that Wapack Labs knows about attacks on critical infrastructure in the energy sector that you most likely have never heard before, including the most recent attacks on Ukraine's power stations. These ten things are just a peek at what we know about the threats to the energy sector and are meant to provoke questions and conversation from the reader.

#1 Telephone Distributed Denial of Service (TDoS) attacks accompanied attacks on Ukrainian critical infrastructure
On 28 December 2015, five days after the blackout in the western Ukraine, Security Service of Ukraine (SBU) reported it suspected Russian hackers of conducting a “telephone flood” to regional energy companies’ technical support departments. According to SBU, this telephone flood was accompanying a “computer virus attack” on these companies.  

#2 What researchers are calling the new BlackEnergy was in fact first seen by Wapack Labs in October 2014, over a year before the 2015 attacks on Ukraine's power grid.
The Russian APT group Sandworm Team, suspected in this attack and a known BlackEnergy user, also previously targeted the human-machine interface (HMI) of General Electric's (GE) CIMPLICITY SCADA systems in mid-2014.

#3 Malware used in cyber-attacks on energy-sector critical infrastructure, believed to originate in China, was written in a programming language popular with Russian hackers.
The Zwshell Trojan used in the Night Dragon campaign in 2011 was written in Delphi, a programming language popular with Russian programmers. Despite the fact that Chinese hackers are not known to use Delphi, a connection between Night Dragon and Russian hackers remains an intelligence gap.

#4 Striking INTESA workers in Venezuela disrupted two-thirds of the country’s oil production.
The attackers were unsophisticated, but reportedly managed to delete data from the programmable logic controllers (PLCs) controlling tanker loading at a marine terminal in eastern Venezuela. Backups were unaffected and PDVSA was able to restore operations, but the attackers still succeeded in disrupting two-thirds of Venezuela's 3.0 million bbl/d of production. Ultimately, a strategic joint venture between SAIC and INTESA collapsed and all remote systems were ordered to be disabled.

#5 Venezuela has partnered with Cuba to replace its commercial PLC and SCADA infrastructure.
Venezuela's SCADA software management system, known as GALBA, was developed by PDVSA and Havana's University of Information Science "to preserve our sovereignty and oil independence." It is unlikely this new infrastructure is being tested for vulnerabilities, and it is likely compromised.

#6 Within a year of changing its PLC and SCADA infrastructure, the country was heavily targeted by the Liberpy keylogger malware.
Liberpy is a malware threat that undermines the security of a system by reporting all keyboard events (the keys the user presses). Liberpy is spread via USB devices, reminiscent of STUXNET, and compromised more than 2000 systems in only a few months. By 2015, over 98% of global Liberpy infections were in Venezuela. It is likely that Venezuela's critical infrastructure has been infected with this malware.

#7 Global energy supply chains are being compromised by the least sophisticated malware.
Wapack Labs has discovered nearly 12,000 individual organizations that have been compromised by inexpensive commercial administration tools. So-called Nigerian 419 scammers target the energy sector through social engineering and computer intrusion schemes that fool employees into wiring money. The FBI estimates the losses at near US$800 million.

#8 Once compromised by Nigerian 419 scammers, all your infrastructure is compromised.
Through keyloggers, Nigerian 419 scammers are saving the unencrypted credentials of their victims on public web servers. Simple techniques allow others to aggregate those credentials, including administration passwords, which are then sold on the black market to fraudsters and others conducting industrial espionage, including for access to PLC and SCADA systems.

#9 If your business is located at a supply-chain choke point, you are more likely to be a target of attack
There is no doubt that energy choke points are high-value targets for industrial espionage. Wapack Labs has geo-located thousands of compromised credentials of energy sector employees that fall near, or at, supply-chain choke points including the Danish Straits, Suez Canal, Panama Canal and the Strait of Malacca. These compromised systems give extraordinary access to global energy supply chains.

#10 Critical infrastructure vital to the free movement of the world's energy supply has been compromised.
Wapack Labs has identified that pilot services responsible for the movement of oil and LNG ships, including post-Panamax ships, have been compromised, giving hackers access to pilot operations. In the same locations, suppliers of harbor monitoring systems such as data buoys and meteorological measurement systems have also been compromised, giving unauthorized access to systems critical to the safety of persons and property at sea.

This was an introductory piece written by one of our analysts this week as a primer on work we've tracked and analyzed as a result of our GEOPOLITICAL risk monitoring in current world hot spots. We've partnered with some really smart folks who know the industrial control space, but simply by monitoring risk in the world, pieces like these become possible. When corroborated with sources on the ground and the cyber work we do on a regular basis, the stories move from risk, to threat, to real.

For more information, please feel free to contact me.
844-4-WAPACK (ext 700)