After Ukraine, DHS Warns Domestic Utility Companies

Feds advise utilities to pull plug on Internet after Ukraine attack

WashingtonExaminer: The Department of Homeland Security advised electric utilities Thursday that they may need to stop using the Internet altogether, after the agency found that a cyberattack that brought down Ukraine’s power grid in December could have been far more devastating than reported.

The Dec. 23 cyberattack forced U.S. regulators to place utilities on alert after unknown attackers caused thousands of Ukrainian residents to lose power for hours by installing malicious software, or malware, on utility computers. But the Department of Homeland Security said Thursday that the attack may have been directed at more than just the country’s electricity sector, suggesting the attackers were looking to cause more harm than was reported.

In response, federal investigators are recommending that U.S. utilities and other industries “take defensive measures.” To start with, they need to best practices “to minimize the risk from similar malicious cyber activity,” according to an investigative report issued Thursday by Homeland Security’s Industrial Control Systems Cyber Emergency Response Team.

But the team is also recommending more drastic action, such as keep control-system computers away from the Internet.

“Organizations should isolate [industrial control system] networks from any untrusted networks, especially the Internet,” the report says. “All unused ports should be locked down and all unused services turned off. If a defined business requirement or control function exists, only allow real-time connectivity to external networks. If one-way communication can accomplish a task, use optical separation.”

The findings show that the power outages were caused by three attacks using cyberintrusion software to attack electric power distribution companies, affecting about 225,000 customers. It also reveals that once power was restored, the utilities continued “to run under constrained operations,” implying that the damage to grid control systems was profound.

The team also learned that “three other organizations, some from other critical infrastructure sectors, were also intruded upon but did not experience operational impacts.” That suggests the attackers were going after more than just the power grid, and may have been planning a much more economy-wide attack. The team does not disclose what other sectors of the country were targeted.

The team said the attack was well-planned, “probably following extensive reconnaissance of the victim networks,” the report says. “According to company personnel, the cyberattacks at each company occurred within 30 minutes of each other and impacted multiple central and regional facilities.”

The attackers were attempting to make the damage permanent. The report says the attackers installed “KillDisk” malware onto company computers that would erase data necessary to reboot operations after a cyberattack.

There is also a mystery to the attackers’ actions.

“Each company also reported that they had been infected with BlackEnergy malware; however, we do not know whether the malware played a role in the cyberattacks,” the report says. The malware was delivered using an email embedded hacking technique known as “spear phishing” that contained a number of malicious Microsoft Office attachments.

“It is suspected that BlackEnergy may have been used as an initial access vector to acquire legitimate credentials; however, this information is still being evaluated,” the team says.

The investigation was done with Ukraine authorities and involved the FBI, Department of Energy and the North American Electric Reliability Corporation.

*** 

New research is shining a light on the ongoing evolution of the BlackEnergy malware, which has been spotted recently targeting government institutions in the Ukraine.

Security researchers at ESET and F-Secure each have dived into the malware’s evolution. BlackEnergy was first identified several years ago. Originally a DDoS Trojan, it has since morphed into “a sophisticated piece of malware with a modular architecture, making it a suitable tool for sending spam and for online bank fraud,” blogged ESET’s Robert Lipovsky.

“The targeted attacks recently discovered are proof that the Trojan is still alive and kicking in 2014,” wrote Lipovsky, a malware researcher at ESET.

ESET has nicknamed the BlackEnergy modifications first spotted at the beginning of the year ‘BlackEnergyLite’ due to the lack of a kernel-mode driver component. It also featured less support for plug-ins and a lighter overall footprint.

“The omission of the kernel mode driver may appear as a step back in terms of malware complexity: however it is a growing trend in the malware landscape nowadays,” he blogged. “The threats that were among the highest-ranked malware in terms of technical sophistication (e.g., rootkits and bootkits, such as Rustock, Olmarik/TDL4, Rovnix, and others) a few years back are no longer as common.”

The malware variants ESET has tracked in 2014 – both of BlackEnergy and of BlackEnergy Lite – have been used in targeted attacks. This was underscored by the presence of plugins meant for network discovery, remote code execution and data collection, Lipovsky noted.

“We have observed over a hundred individual victims of these campaigns during our monitoring of the botnets,” he blogged. “Approximately half of these victims are situated in Ukraine and half in Poland, and include a number of state organizations, various businesses, as well as targets which we were unable to identify. The spreading campaigns that we have observed have used either technical infection methods through exploitation of software vulnerabilities, social engineering through spear-phishing emails and decoy documents, or a combination of both.”

In a whitepaper, researchers at F-Secure noted that in the summer of 2014, the firm saw samples of BlackEnergy targeting Ukrainian government organizations for the purposes of stealing information. These samples were nicknamed BlackEnergy 3 by F-Secure and identified as the work of a group the company refers to as “Quedagh.” According to F-Secure, the group is suspected to have been involved in cyber-attacks launched against Georgia during that country’s conflict with Russia in 2008.

“The Quedagh-related customizations to the BlackEnergy malware include support for proxy servers and use of techniques to bypass User Account Control and driver signing features in 64-bit Windows systems,” according to the F-Secure whitepaper. “While monitoring BlackEnergy samples, we also uncovered a new variant used by this group. We named this new variant BlackEnergy 3.”

Only Quedagh is believed to be using BlackEnergy 3, and it is not available for sale on the open market, noted Sean Sullivan, security advisor at F-Secure.

“The name [of the group] is based on a ship taken by Captain Kidd, an infamous privateer,” he said. “It is our working theory that the group has previous crimeware experience. Its goals appear to be political but they operate like a crimeware gang. There have been several cases this year of which BlackEnergy is the latest. The trend is one of off-the-shelf malware being used in an APT [advanced persistent threat] kind of way. The tech isn’t currently worthy of being called APT, but its evolving and scaling in that direction.”

Within a month of Windows 8.1’s release, the group added support for 64-bit systems. They also used a technique to bypass the driver-signing requirement on 64-bit Windows systems.

In the case of BlackEnergy 3, the malware will only attempt to infect a system if the current user is a member of the local administration group. If not, it will re-launch itself as Administrator on Vista. This will trigger a User Account Control (UAC) prompt. However, on Windows 7 and later, the malware will look to bypass the default UAC settings.  

“The use of BlackEnergy for a politically-oriented attack is an intriguing convergence of criminal activity and espionage,” F-Secure notes in the paper. “As the kit is being used by multiple groups, it provides a greater measure of plausible deniability than is afforded by a custom-made piece of code.”

In 2014 from the Department of Interior and DHS:

Summary: Investigation of NPS-GCNP SCADA SYSTEM

Report Date: August 7, 2014

OIG investigated allegations that the Supervisory Control and Data Acquisition (SCADA) system at Grand Canyon National Park (Park) may be obsolete and prone to failure. In addition, it was alleged only one Park employee controlled the system, increasing the potential for the system to fail or become unusable.

The SCADA system is a private utilities network that monitors and controls critical infrastructure elements at the Park. Failure of the system could pose a health and safety risk to millions of Park visitors. Due to potential risks that system failure posed, we consulted with the U.S. Department of Homeland Security Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) and asked that they assess the overall architecture and cybersecurity of the Park’s SCADA system.

ICS-CERT conducted an onsite review and issued a report outlining the weaknesses it found at the Park’s SCADA system, including obsolete hardware and software, inadequate system documentation and policies, insufficient logging and data retention. We provided a copy of ICS-CERT’s assessment report to the National Park Service for review and action.

 

 

The Wilful Reckless Handling of Classified Docs in DHS too?

Okay, so we have had the issue at the U.S. State Department and now the Department of Homeland Security, so it begs the question, what other agencies? Further, Iran, Russia, China and North Korea are likely loving this.

Security? Heh….

Homeland Security Is Spilling a Lot of Secrets

By

Bloomberg: The Department of Homeland Security suffered over 100 “spills” of classified information last year, 40 percent of which came from one office, according to a leaked internal document I obtained. Officials and lawmakers told me that until the Department imposes stricter policies and sounder practices to better protect sensitive intelligence, the vulnerabilities there could be exploited. Not only does this raise the threat that hostile actors could get their hands on classified information, but may lead to other U.S. agencies keeping DHS out of the loop on major security issues.

A spill is not the same as an unauthorized disclosure of classified information. A Homeland Security official explained that spills often include “the accidental, inadvertent, or intentional introduction of classified information into an unclassified information technology system, or higher-level classified information into a lower-level classified information technology system, to include non-government systems.”

Examples include: using a copier not approved for the level of classified information copied; failing to properly mark a classified product; transmitting classified information on an unclassified system like Gmail; or sending classified information to someone who, while having the proper level of clearance, is not authorized to read a section of information sent to them, the official said.

There were 119 of these classified spills reported throughout the Homeland Security Department in fiscal year 2015, according to the internal document, which itself is unclassified. The section with the most spills by far was the Office of Intelligence and Analysis, headquartered at building 19 of the Nebraska Avenue Complex in Washington, led by retired General Francis Taylor. This office is composed mostly of intelligence analysts assigned to produce and review classified reports that are often the work of other intelligence agencies, including the Central Intelligence Agency and the Office of the Director of National Intelligence.

One senior Homeland Security official told me that the intelligence and analysis office at DHS suffers from lax enforcement of the established policies and practices to protect classified information. This official said the numbers of classified spills in the internal report only represents those incidents that were officially reported, and the actual number is much higher.

S.Y. Lee, a department spokesman, told me that DHS does not comment on reports of leaked information, but that the department is currently having mandatory employee training sessions on the handling of classified and sensitive information.

“We take any report of mishandling of information very seriously, and when violations are discovered, the Department takes immediate, appropriate actions to address the situation,” he said. “DHS takes the protection of all our assets very seriously, and will continue to evolve our training and remediation efforts to address security needs and accountability to the American public.”

Experts on government secrecy and classified information handling told me that the number of spills alone does not directly prove that there is a larger cultural or policy problem at DHS. But there is a history of carelessness with e-mail at the department, and this new finding combined with anecdotal reports of bad practices indicate that there should be more investigation the intelligence and analysis division in particular.

“At a minimum, this raises a question about what’s going on at this corner of the agency,” said Steven Aftergood, director of the program on government secretary at the Federation of American Scientists. “If it is happening disproportionally in one part of the agency, that may mean that remedial measures are needed there, including security training, better oversight and similar steps.”

Spillages are a normal part of the classification system at the DHS and elsewhere, and there are formal procedures for addressing them because it’s understood that you cannot eliminate human error, he said. But if one intelligence shop is mishandling information from another part of the government, that could cause real problems in the interagency cooperation and intelligence-sharing.

“If they have a reputation as a shop with unreliable security, other agencies are going to think twice about sharing their most valuable information with Homeland Security,” Aftergood said. “It can hurt other agencies and it can rebound on them. It’s bad all around and should be corrected.”

Johannes B. Ullrich, dean of research for the SANS Technology Institute, said that it’s probable most of the classified spills were unintentional and the result of sloppiness more than anything else. But lax enforcement of policies meant to protect sensitive information also presents an opportunity for exploitation by malicious actors.

“If it’s accepted practice that you print documents and scan them in, for example, then it’s much easier for an insider to take advantage of that,” he said. “By reducing the unintentional spillage you make it easier to find the intentional ones.”

The House Homeland Security Committee is currently pushing DHS to implement new systems for monitoring employees who handle classified information. Last November, the House passed the DHS Insider Threat and Mitigation Act, which was sponsored by Representative Peter King, chairman of the Homeland Security Committee’s subcommittee on counterterrorism and intelligence. The bill would require Taylor, among other things, to develop a timeline for deploying workplace monitoring technologies, employee awareness campaigns, and education and training programs related to potential insider threats to the department’s critical assets. The Senate Homeland Security Committee marked up a companion bill earlier this month.

“In recent years, the department has made progress installing limited monitoring technology, but much more needs to be done,” King said in a statement. “Results from the existing systems demonstrate the need for more auditing and education for DHS employees.”

Classified spills are a government-wide problem and there’s no way to know if the incidents at the DHS intelligence shop have been exploited. But unless that office and the government as a whole does a better job of protecting classified information, it’s just a matter of time before real damage is done to U.S. national security

Chilling Details of the Sony Hack, Reported

These Are the Cyberweapons Used to Hack Sony

MotherBoard: In late November 2014, a mysterious group of hackers calling itself “God’sApstls” sent an ominous and jumbled email to a few high-level Sony Pictures executives.

“The compensation for it, monetary compensation we want,” the hackers wrote. “Pay the damage, or Sony Pictures will be bombarded as a whole.”

The executives at the Hollywood studio, which was about to release the controversial James Franco and Seth Rogen’s comedy The Interview, ignored the email. Just three days later, the hackers’ followed through with their threat and breached the studio’s systems, displaying a message on the computer screen of every employee: “Hacked by #GOP [Guardians of Peace].”

The hackers not only defaced employee’s computers, they then wiped their hard disks, crippling Sony Pictures for weeks, and costing the company $35 million in IT damages, according to its own estimate.

Now, more than a year later, several security researchers are still hunting down the hackers behind the attack, which the FBI officially identified as North Korean government-employed hackers. And despite the fact that the group is apparently still alive and well, a coalition of security researchers believes they can now disrupt them by exposing their extensive malware arsenal.

On Wednesday, a group of companies led by Novetta released a report detailing the Sony hackers’ long history of operations, as well as its large stock of malware. It’s perhaps the most detailed and extensive look at the group behind what might be the most infamous cyberattack ever.

Andre Ludwig, the senior technical director at Novetta Research and Interdiction Group, said that the investigation started from four hashes (values that uniquely identify a file) that the Department of Homeland security published after the attack. With those few identifying strings, and after months of sleuthing, the researchers found 2,000 malware samples, both from online malware portal VirusTotal, as well as from antivirus companies. Of those, they manually reviewed and catalogued 1,000, and were able to identify 45 unique malware strains, revealing that the Sony hackers had an arsenal more sophisticated and varied than previously thought.

The researchers hope that by shedding light on the hackers’ toolkit, the group, which the researchers called “Lazarus Group,” will be forced to adapt, spending resources and time, and perhaps even lose capabilities after antivirus companies and potential targets put up new defenses.

“There is no more shadows to hide in for these tools.”

“If all of a sudden you have antivirus signatures that detect and delete all the group’s arsenal, boom!” Jaime Blasco, the chief scientist at AlienVault Labs and one of the researchers who investigated the Sony hackers, told Motherboard. “They lose access to all the victims’ they got before.”

As Ludwig put it, “there is no more shadows to hide in for these tools.”

As it turns out, the hackers’ arsenal contains not only malware capable of wiping and destroying files on a hard disk like the Sony hack, but also Distributed Denial of Service (DDoS) tools, tools that allow for remotely eavesdropping on a victim’s computer, and more, according to the report. The researchers tracked some of this tools in cyberattacks and espionage operations that go as far as back as 2009, perhaps even 2007, showing the hackers that hit Sony have a long history.

While others suspected this before, Blasco said that nobody demonstrated it as conclusively until now.

Novetta researchers and their partners, which include AlienVault and Kaspersky Lab, don’t get into saying who the hackers really are, but they also don’t question the FBI’s controversial claim that North Korea was behind the attack.

The main reason, LaMontagne explained, is that the new data they found discredits the alternative theories that the hackers were actually a disgruntled former employee or just an independent hacktivist group.

A former Sony system administrator is unlikely to have built more than 45 malware tools in the span of more than seven years, LaMontagne told me. And the same time, he added, it’s also unlikely that a previously unheard of hacktivist group would pop up, claim responsibility for such a high-profile attack, and then disappear.

“They’re extremely motivated, regimented, organized, and they can definitely execute.”

“We have no reason to dispute what the US government and other governments have asserted as the threat being North Korean,” Peter LaMontagne, the CEO of Novetta, told me.

And as it turns out, those hackers have been around for longer than anyone thought—wielding sophisticated weapons. This, according to the researchers, shows the group was much more seasoned than anyone believed.

“Their motivation and operational execution, it’s impressive,” Ludwig said. “They’re extremely motivated, regimented, organized, and they can definitely execute.”

Now that their methods and tools are exposed, however, the researchers hope that they won’t be as effective.

The head-scratcher is sanctions are only for the missile test?

US to present UN sanctions resolution on North Korea

United Nations (United States) (AFP) – The United States will on Thursday present a draft UN resolution toughening sanctions on North Korea after reaching agreement with China on a joint response to Pyongyang’s fourth nuclear test and a rocket launch.

The UN Security Council will meet at 2:00 pm (1900 GMT) to discuss the draft text detailing a new package of measures to punish North Korea, but there will be no immediate vote.

US Ambassador Samantha Power “intends to submit for consideration by the Security Council a draft sanctions resolution in response to the DPRK’s recent nuclear test and subsequent proscribed ballistic missile launch,” US spokesman Kurtis Cooper said, using the abbreviation for North Korea’s formal name.

“We look forward to working with the Council on a strong and comprehensive response to the DPRK’s latest series of tests aimed at advancing their nuclear weapons program.”

UN diplomats said a vote was expected as early as Friday.

U.S. Poised to Take on China Aggressions

The Pentagon Readies Backup Island in Case of Chinese Missile Onslaught

Threat prompts the U.S. military to prepare a fallback option

WiB: The United States can no longer count on its Pacific air bases to be safe from missile attack during a war with China. On the contrary, a 2015 paper from the influential RAND Corporation noted that in the worst case scenario, “larger and accurate attacks sustained over time against a less hardened posture could be devastating, causing large losses of aircraft and prolonged airfield closures.”

Kadena Air Base in Okinawa, due to its relative proximity, would be hardest hit. To up the stakes, China in September 2015 publicly revealed its DF-26 ballistic missile, which can strike Andersen Air Force Base in Guam — nearly 3,000 miles away — from the Chinese mainland. Andersen and Kadena are among the U.S. military’s largest and most important overseas bases.

Enter Tinian. The lush, small island near Guam is emerging as one of the Air Force’s backup landing bases. On Feb. 10, the flying branch announced that it selected Tinian as a divert airfield “in the event access to Andersen Air Force Base, Guam, or other western Pacific locations is limited or denied.”

In the Pentagon’s 2017 budget request, it asked for $9 million to buy 17.5 acres of land “in support of divert activities and exercise intiatives,” the Saipan Tribune reported. In peacetime, the expanded Tinian airfield will host “up to 12 tanker aircraft and associated support personnel for divert operations,” according to the Air Force.

7637127318_661f4e4d60_kAbove — Tinian’s West Field in 1945. At top — Tinian seen from the cockpit of a C-130H. U.S. Air Force photo

Tinian is now a sleepy place.

During World War II, the 4th and 2nd Marine Divisions captured the island, which later based the B-29 Superfortresses Enola Gay and Bockscar which took off from Tinian’s North Field and dropped the atomic bombs on Hiroshima and Nagasaki. An arsenal during the war, most of its airstrips are now abandoned and unused. The island’s other former air base, West Field, is a small, neglected international airport.

The Air Force first wanted Saipan for its airfield. Very close to Tinian, Saipan has 15 times the population, a larger airport and a harbor. But this proposal met opposition from local activists due to the effect on “coral, potable water, local transportation and socioeconomic factors on surrounding communities,” Stars and Stripes reported.

The opposition even included the pro-business Saipan Chamber of Commerce, which worried that Tinian’s rusty airport would miss out on the flood of Pentagon spending. Saipan’s airport is also overcrowded — with locals not happy about the prospect of hundreds of airmen flying in for military exercises lasting up to eight weeks ever year.

In a way, its a return to the past. The United States dispersed air bases to varying degrees — and in different parts of the world — during the Cold War, but as the threat of a Soviet missile attack evaporated and post-Persian Gulf War budget cuts hit hard in the 1990s, the trend shifted toward larger mega-bases that operate on economies of scale.

But dispersed bases are more survivable, RAND’s Alan Vick noted in his 2015 paper:

Dispersing aircraft across many bases creates redundancy in operating surfaces and facilities. This enhances basic safety of flight by providing bases for weather or inflight-emergency diverts. It also increases the number of airfields that adversary forces must monitor and can greatly complicate their targeting problem (in part by raising the prospect that friendly forces might move among several bases).

 

At the least, dispersal (because it increases the ratio of runways to aircraft) forces an attacker to devote considerably more resources to runway attacks than would be the case for a concentrated force. It also greatly increases construction and operating costs to spread aircraft across many major bases. To mitigate these costs, dispersal bases tend to have more-modest facilities and, at times, might be nothing more than airstrips.

Now China Deployed Fighter Jets to Disputed Islands

EXCLUSIVE: China sends fighter jets to contested island in South China Sea

FNC: EXCLUSIVE: In a move likely to further increase already volatile tensions in the South China Sea, China has deployed fighter jets to a contested island in the South China Sea, the same island where China deployed surface-to-air missiles last week, two U.S. officials tell Fox News.

The dramatic escalation comes minutes before Secretary of State John Kerry was to host his Chinese counterpart, Foreign Minister Wang Yi, at the State Department.

Chinese Shenyang J-11s (“Flanker”) and  Xian JH-7s (“Flounder”) have been seen by U.S. intelligence on Woody Island in the past few days, the same island where Fox News reported exclusively last week that China had sent two batteries of HQ-9 surface-to-air missiles while President Obama was hosting 10 Southeast Asian leaders in Palm Springs.

Wang was supposed to visit the Pentagon Tuesday, but the visit was canceled. It was not immediately clear which side canceled the visit. Pentagon press secretary Peter Cook said a “scheduling conflict” prevented the meeting, when asked by Fox News at Tuesday’s press briefing.

When asked about the earlier Fox News story in Beijing, Wang said the deployment of the missiles was for “defensive purposes.”

Woody Island is the largest island in the Paracel chain of islands in the South China Sea.  It lies 250 miles southeast of a major Chinese submarine base on Hainan Island. China has claimed Woody Island since the 1950s, but it is contested by Taiwan and Vietnam.

Ahead of Wang’s visit to Washington, a spokeswoman likened China’s military buildup on Woody Island to the U.S. Navy’s in Hawaii.

“There is no difference between China’s deployment of necessary national defense facilities on its own territory and the defense installation by the U.S. in Hawaii,” Foreign Ministry spokeswoman Hua Chunying said Monday.

More than $5 trillion of worth of natural resources and goods transit the South China Sea each year.

Earlier Tuesday, the head of the U.S. military’s Pacific Command said China is “clearly militarizing” the South China Sea, in testimony before the Senate Armed Services Committee.

“You’d have to believe in a flat Earth to believe otherwise,” Admiral Harry Harris said.

China has sent fighter jets to Woody Island before. In November, Chinese state media published images showing J-11 fighter jets on the island, but this was the first deployment of fighter jets since the Chinese sent commercial airliners to test the runway at one of its artificial islands in the South China Sea.

The Pentagon sailed a guided-missile destroyer past a contested island in the South China Sea as a result.  Late last year, the U.S. military conducted a flight of B-52 bombers and another warship to conduct a “freedom of navigation” exercise.

The Chinese have protested the moves and vowed “consequences.”

On Monday, new civilian satellite imagery from CSIS showed a possible high frequency radar installation being constructed in late January.

The imagery shows radar installations on China’s artificial islands in the Spratley Island chain of reefs-Gaven, Hughes, Johnson South, and primarily on Cuarteron reefs—the outermost island in the South China Sea.

*** 

FNC: China apparently has been building radar facilities on some of the artificial islands it constructed in the South China Sea in a move to bolster its military power in the region, according to a report released Tuesday by a U.S.-based think tank.

The Center for Strategic and International Studies (CSIS) says the radars on the outposts of Gaven, Hughes, Johnson South and Cuarteron reefs in the disputed Spratly Islands “speak to a long-term anti-access strategy by China—one that would see it establish effective control over the sea and airspace throughout the South China Sea.”

The report was released one week after Fox News reported that China had deployed an advanced surface-to-air missile system as well as a radar system on Woody Island, part of the Paracel Island chain located north of the Spratlys.

The release of the report also coincides with the first day of a three-day visit to the U.S. by Chinese Foreign Minister Wang Yi, during which the issue of competing South China Sea claims is expected to be discussed, as well as North Korea’s latest nuclear test.