A new report by security researchers is sending chills down the spines of power industry executives.
While investigating a power outage in Ukraine from last December, they found a new type of malware that appears to have been custom-made for infecting electric utilities. The malware, called CrashOverride, is fairly significant in the world of criminal hacking because its sole purpose is to sabotage a utility’s operations and trigger a power outage.
CrashOverride is just the latest example of a growing trend on the dark side of the Web.
For the past few years, cybercriminals have been more aggressive at trying to hijack a business’s data and operations. In the vast majority of these cases, they’ve done so for the express purpose of making money. Known as “cyber extortion,” these attacks have ranged from ransomware to distributed denial-of-service attacks, as well as other techniques such as the hijacking of the fifth season of Netflix’s Orange Is the New Black. Ransomware has proven to be one of the most insidious of these attacks, and it hit a new high (or low) in May 2017 with the WannaCry attack, which affected 230,000 computers worldwide, including a number of hospitals.
However, as bad as these attacks are, the one bright spot for victims has been that the criminals behind them are almost always financially motivated. As long as victims pay the ransom, the criminals usually stop their attacks. Doing so is simply good for business.
But what happens when hackers use these same cyber weapons and techniques without being motivated by money? What if their goal is instead to put a company out of business, disrupt a criminal investigation or shut down a critical service like the power or water supply?
What’s missing from the current discussion on cybercrime is how quickly and easily cyber extortion tools and tactics could be repurposed for cyber sabotage.
This has the potential to affect almost everyone, from everyday consumers who are increasingly reliant upon “Internet of Things” devices in their homes and cars to every conceivable type of business, critical infrastructure operator, law enforcement, government, you name it.
But, wait, isn’t this just Chicken Little the-sky-is-falling paranoia? How realistic is it that cyber sabotage attacks will actually happen?
Well, for one thing, they already are.
- The nation of Ukraine has now been hit twice by power outages caused by Russian hackers, once in December 2015 and again in December 2016.
- Sony Pictures was hit by North Korean hackers in 2014, who dumped its internal emails and infected it with “wiper” malware to destroy data.
- Iranian hackers have been having a field day too. In 2013, they targeted a New York dam and tried to remotely sabotage its sluice gate controls.
- Hackers, possibly affiliated with Anonymous, also hit automated tank gauges (ATGs) in 2015. ATGs are used to monitor fuel tank inventory levels, track deliveries and raise alarms that indicate problems with a tank, such as a fuel spill.
These are all examples of recent cyber sabotage incidents. So far, this tactic has been used primarily by state-sponsored hacking groups, but like all other hacking techniques and tools, it will gradually trickle down to lower-level criminal actors.
A few recent trends are leading us to this point.
First of all, digital crime is becoming increasingly organized, professionalized and weaponized. Nation-state hacking tools are now regularly finding their way into the black market. Crime-as-a-service is also a successful business model on the Dark Web, where experienced professionals sell their services to less qualified criminals, whether it’s malware, phishing kits, botnets, phone scams, crimeware kits, etc. At the same time, a variety of open source tools are now online which make it easier for hackers to do their jobs. Shodan, a search engine that indexes Internet-connected devices, including vulnerable critical infrastructure, is just one example of this.
Each year it's becoming easier and easier for an individual to launch a successful cyber attack without the requisite experience. The bar is being lowered across the board. Whether it’s a financial fraud ring or a car theft ring, terrorists or anarchists, all of these groups are now starting to harness the power of the Dark Web to achieve their goals.
Finally, as nation-states become more aggressive in cyberspace, they will continue to throw more fuel on the fire. Nation-state hacking is the tide that lifts all boats, because the tools drift down to the black market, and their tactics - as exposed by both researchers and the media - provide important lessons for criminals to learn from.
These trends are creating a perfect storm for cyber sabotage attacks in the years ahead.
For this reason, it is entirely conceivable that within the next few years we could see a terrorist group disrupt service at a US electric or water utility, or target oil and gas distribution systems. Sooner or later these attacks will have real-world consequences, from outages to something even worse. Today, a cyber attack is far easier and safer for criminals to carry out than a traditional physical attack.
This is something we all need to start planning for. Whether you are a consumer with ‘smart’ appliances, a business owner, government official, law enforcement officer or utility operator, cyber sabotage attacks are sure to pose a very real danger in the years ahead.