The US energy industry is constantly under cyber attacks

Data related to the number of incidents occurred to national infrastructure confirms that the US Government energy industry is constantly under attack.

The US Government is aware that nation’s energy grid is constantly under attack by state-sponsored hackers and cyber criminals. Recently The Department of Homeland Security (DHS) revealed that Russian hackers have infiltrated several critical infrastructure in the United States confirming that foreign entities are continuously probing US networks for cyber espionage and sabotage purposes.

In the fiscal year 2014, according to data provided by the Computer Emergency Readiness Team there were 79 hacking incidents at energy companies, meanwhile the incidents observed in the previous year were 145. Do not be fooled by the numbers, unfortunately, many of the attacks are difficult to detect and often ATP groups are able to operate in the shadows for years before being discovered. Between April 2013 and 2014, threat actors hit 37% of energy companies, according the results of a survey by ThreatTrack Security, making energy sector one of the most critical industries under cyber security perspective.

“The survey found that 35% of respondents reported endpoints on their network had been infected by malware that evaded their defenses during the last 12 months. Moreover, 58% of respondents cited the complexity of malware as the most difficult aspect of defending their organization.” reports the survey, highlighting the difficulties of tracking the threats due to their level of sophistication. “Respondents within the energy sector (37%) reported a 6% higher rate of infection than their financial services counterparts.”

 

Security experts at FireEye firm have identified nearly 50 strain of malware that specifically target energy companies in 2013, the company in the sector were mainly targeted by spyware and RATs, the FireEye annual report shows that the most common vertical targets of Dark Comet operations in 2013 were financial services, energy/utilities, and education.

In July 2014 researchers at FireEye detected a new variant of Havex RAT that was specifically designed to scans SCADA network via Object linking and embedding for Process Control (OPC), control systems hit by the malware are vital components in any industrial process including energy.

In June 2014 experts at F-Secure discovered instances of the Havex malware used to target Industrial Control Systems (ICS) in surgical attacks implementing “watering-hole attack” scheme which involved ICS vendor site as intermediary target.  It has been estimated that the number of compromised energy companies in the US and Europe is nearly 1000, an impressive number that gives us an idea of the impact of the Havex operation.

A few weeks ago, the US-CERT issued an Alert (ICS-ALERT-14-281-01A) related to an ongoing sophisticated Malware campaign compromising ICS systems with BlackEnergy malware.

The BlackEnergy malware was authored by a Russian hacker and originally used for DDoS attacks, bank frauds and spam distribution, but the new strain of malware was used in targeted attacks on government entities and private companies across a range of industries.

According to the report proposed by experts at ESET, the new strain of malware has been found targeting more than 100 government and industry organizations in Poland and the Ukraine, but the cases are not isolated, other attacks based on BlackEnergy hit a target in Brussels, Belgium, as reported by F-Secure.

In a recent interview released to Bloomberg I commented the fact that these attacks apparently haven’t caused any damage.

“Whatever they were up to, the cyber-infiltrators didn’t use the digital weapons they’d planted to do any damage.” “This suggests that attackers are collecting detailed information on systems and processes running the vital infrastructure of the U.S.…to coordinate further attacks,” says Pierluigi Paganini, a security analyst who publishes the blog SecurityAffairs. The DHS conjectured that attackers planted the threat to deter a future U.S. attack. (RememberStuxnet?)” states Katie Benner on BloomberView.

Energy industry, ana many other industries, resulted particularly vulnerable to cyber attacks due to the lack of security by design for the majority of the equipment and machineries they use. Several Industrial Control Systems were designed to operate stand alone, without having security in mind and in a scenario completely different from actual in which the threats are completely changed.

The fear of possible major attacks against the energy industry was also highlighted recently by NSA director Admiral Mike Rogers during the power grid security conference in San Antonio, Texas in October.

“Power… is one of the segments that concerns me the most,” he said, according to a transcript obtained by CNNMoney, explaining that energy and power infrastructure were not designed to be resilient to today cyber attacks.

The US Government started an awareness campaign that is involving the authorities, including DHS and FBI, and national energy providers and utility companies, the intent is discuss of the threats and improve security of the infrastructure with a series of specific countermeasures.

Pierluigi Paganini

(Security Affairs –  Energy industry, US Government)