Attackers of suspected Russian origin targeted facilities in December 2015. Those 23 December outages affected Ukraine's Prykarpattya Oblenergo and Kyivoblenergo utilities, cutting power to some 80,000 customers for six hours. Last month's attacks also used the BlackEnergy and KillDisk malware. Other hacks included highly convincing and successful phishing attacks against an unnamed Ukrainian bank, various remote exploitation, and denial-of-service attacks.

@Marmusha talks about the recent cyber-attack in Ukraine #S4x17 pic.twitter.com/wg6IUqn3Lz — Parnian (@Parnian_7) January 10, 2017

The phishing attack on 14 July last year used the ancient trick of malicious Word document macros but wrapped it in high levels of obfuscation and anti-forensics. Information Systems Security Partners head of research Oleksii Yasynskyi, who worked on dissecting the hacks, reckoned the attackers were a mix of groups specialising in different aspects of offensive security, from infrastructure to obfuscation and payload delivery. Phishing emails numbered in the thousands. The hackers kept up quiet observation for months whenever one payload succeeded in breaching one of the Ukrainian assets, Krotofil told Motherboard.

Yet the attackers' origin was not disclosed, if it is known; Kiev laid blame squarely on Russia for the similar 2015 utility hacking. Krotofil told Dark Reading that Ukraine's utilities may be seen as a test bed for attacks elsewhere, something she says is common with Russian hackers.

Alex Mathews, security evangelist lead with Russian SCADA and industrial control system outfit Positive Technologies, told El Reg that vulnerabilities in critical infrastructure are easy to find and difficult to get fixed. "It takes just two days to find a new SCADA flaw, yet almost a year to get it fixed," Mathews says. "The vulnerability of our critical infrastructure is evident.
"Those charged with protecting industrial control system and SCADA networks must acknowledge that they're exposed to cyber threats and take steps to reduce the risk." ®

Bootnote

While there are concerns that the attacks are a test bed for further control system hacking in other countries, compromising such infrastructure cannot be done by cookie-cutter hackers. Control systems are highly specialised, with proprietary and often undocumented protocols that are not ordinarily understood outside of specialist fields. Using Ukraine as a means to hack US energy companies, for example, is further troubled by the variance in security controls that may exist in front of and around control systems. ®
A December 2015 attack that caused 225,000 Ukrainians to lose electricity was the first known instance of someone using malware to generate a real-world power outage. Ukrainian officials have pinned the attack on the Russian government, a claim that's consistent with some evidence collected by private security firms. Now, researchers say a second power outage that struck Ukraine in mid-December was also the result of a computer intrusion and bears many of the same technical hallmarks as the first one.
It was part of a series of malicious hacks that have recently targeted key Ukrainian infrastructure, including the country's rail system server, several government ministries, and a national pension fund.
The attacks started on December 6 and lasted through December 20.
The December 17 power outage was the result of an attack at the Pivnichna substation outside Kiev that began shortly before midnight.
It lasted for about an hour.

Demonstration of capabilities

"The attack [was] not meant to have any lasting dramatic consequences," Marina Krotofil, a security researcher for Honeywell Industrial Cyber Security Labs, told Motherboard. "They could do many more things, but obviously they didn't have this as an intent.
It was more like a demonstration of capabilities." At the S4x17 Conference in Miami on Tuesday, Krotofil said last month's attacks used many of the same tools that were deployed in the year-earlier hack—including a framework known as BlackEnergy and disk-wiping malware called KillDisk.
The breaches stemmed from a massive spear phishing campaign that struck government organizations in July and allowed the attackers to conduct months of covert reconnaissance before finally striking last month.
The phishing e-mail came from a highly trusted individual and contained a macro attachment that infected people who allowed it to run.
The "dropper" malware, DarkReading reported, underwent 500 software builds over a two-week period, a testament to the rigor of the attackers' software development. In a pre-recorded video played at the conference, Oleksii Yasynskyi, head of research for Information Systems Security Partners in Ukraine, which has investigated the attacks, said the attackers belonged to several different groups that worked together.
Among other things, they gathered passwords for targeted servers and workstations and created custom malware for their targets. The attack on the Pivnichna transmission facility shut down the remote terminal units that control circuit breakers.
That hack was less severe than the one used in the 2015 attack, which rendered the devices inoperable and prevented engineers from remotely restoring power. Last month's hacking campaign also made use of denial-of-service attacks. It's still too early to definitively attribute the attacks to the Russian government, but it's also not possible to rule the possibility out. Last month's attack came around the same time that the US intelligence community blamed Russia for hacks against Democratic groups and individuals, attacks that were allegedly aimed at disrupting the 2016 US presidential election.
If Russia is in fact behind campaigns in both countries, the attacks signal Russia's growing willingness to use hacking to achieve geopolitical goals.
Even if Russia isn't involved, the events in Ukraine demonstrate that once-unprecedented attacks on power facilities and other critical infrastructure are quickly becoming the new normal.
That was different from" the 2015 attack that appeared to be more disjointed and disorganized, she said. A spear phish on July 14, 2016, kicked off the first phase of the attacks, aimed at a Ukrainian bank.
The attachment employed malicious macros that checked for sandboxes and hid its activity with obfuscation techniques.
The researchers did not confirm the initial attack vector for the electric grid, however. Via a translator, in a pre-recorded video shown during Krotofil's talk, Oleksii Yasynskyi - head of research for Information Systems Security Partners in Ukraine and a fellow investigator of the Ukraine attacks - said that the attackers were "several cybercriminal groups" working together. Yasynskyi said the groups employed legitimate IT administrative tools to evade detection as they gathered the necessary intelligence about the networks in the reconnaissance phase of the attacks. They gathered passwords for targeted servers and workstations, for instance, noted Yasynskyi, and they created custom malware for their targets. "The code was written by experts," he said.

Macro Got More Game

The attackers upped their malicious macro game significantly in the 2016 attacks in comparison to the 2015 attack.
Case in point: 69% of the code in their macro software was for obfuscation, 30% for duping forensic analysis, and only one percent of the code actually corresponded to the macro's ability to launch malware, according to Yasynskyi. "In essence, this macro is a sophisticated container for infiltrating and delivering malicious code for actual intrusion by the attackers," he said.

The attackers this time around also put extra effort into making malware analysis as onerous as possible. "It writes itself into certain parts of memory, like a puzzle," he said. "It unwraps only parts it needs at the time." "This only confirms the theory that this was executed by several teams: infrastructure, instruments to automate the analysis and penetration, and to deliver the malicious code," he said.

The dropper malware, a custom tool called Hancitor, had two different samples but some 500 software builds during a two-week period, demonstrating the level of software development by the attackers, Krotofil noted. The attackers also had obviously done their homework in order to wreak havoc on the power grid, such as learning the inner workings of the industrial processes there. "You can't simply get" that information or documents on the Net, Krotofil said.

Interestingly, while it took some four months to investigate the 2015 Ukraine power grid attack, it took Yasynskyi and the other investigators only two weeks to investigate the 2016 attacks.
They were able to detect the similar methods and tools in the second attacks based on the research from the previous attacks.

Michael Assante, SANS lead for ICS and SCADA security, in a presentation here today noted that the Ukraine attacks raise new issues for ICS/SCADA operators. "In the case of Ukraine, it opened up a lot of questions" after that 2015 attack about how to engage when such physically disruptive events hit, such as who should identify a cyberattack, how to respond, and what protocol to follow if the attack causes damage.

Kelly Jackson Higgins is Executive Editor at DarkReading.com.
Schmidt was arrested January 7, 2017 in Florida and is expected to be charged with conspiracy and fraud in the Volkswagen emissions scandal.
Schmidt was formerly a key emissions compliance manager for VW in the U.S.

On Saturday night, the FBI arrested Oliver Schmidt, a former emissions compliance executive for Volkswagen Group, as he waited to catch a plane back to Germany at Miami International Airport in Florida.
The arrest is a major setback for VW Group, which has thus far been able to shelter most of its high-level executives from individual prosecution by US authorities. In a Monday appearance in US District Court in Miami, a Justice Department lawyer said that an attorney for Schmidt “had alerted government lawyers that the executive would be in Florida for vacation,” according to the Wall Street Journal. Schmidt, 48, was charged with defrauding the United States, wire fraud, and violating the Clean Air Act. He allegedly played a central role in hiding from US regulators the fact that some 500,000 Volkswagen and Audi vehicles with 2.0L diesel engines sold in the US were equipped with various types of illegal software designed to help the cars pass their emissions tests in a lab and to kill the emissions control system on the cars when they were driving on the road under “real world” conditions. Schmidt allegedly knew of this illegal software since VW Group began using it in Audis in 2009, but the charges the US Government has lodged against him have focused on his involvement between April 2014 and when news of the scandal broke in September 2015.
As an emissions compliance executive for VW Group, Schmidt was based in Detroit, Mich. and was alerted when the International Council for Clean Transportation (ICCT) and West Virginia University produced a report finding that many VW Group diesels showed an alarming divergence from their reported emissions levels when tested in real world driving scenarios. According to the complaint against him (PDF), Schmidt allegedly wrote to other VW Group managers at the time, “It should first be decided whether we are honest.
If we are not honest, everything stays as it is.” For the next year, VW Group danced around regulators’ questions about the study from ICCT and West Virginia University, claiming that the issue could be solved through a minor, voluntary recall. Later in the year, Schmidt wrote an e-mail to the then-CEO of VW Group of America analyzing the “Possible Consequences/Risks” of fallout from the ICCT and West Virginia University Study.
Schmidt added that modifications to the software in Generation 1 and Generation 2 engines "can achieve reductions of NOx emissions under RDE [Real Driving Emissions], but not compliance with the limits." Even to this day, VW Group has only been able to certify a fix for Generation 3 vehicles—all 2015 models—that will bring the cars into compliance with federal emissions standards.

According to the complaint, in August 2015, just a month before the Environmental Protection Agency (EPA), Schmidt traveled to Michigan to meet with a member of the California Air Resources Board (CARB), which had been aggressive in pursuing VW Group's emissions discrepancies. "Schmidt offered technical reasons and excuses such as 'irregularities' or 'abnormalities' for the discrepancy without revealing the fundamental reason for the higher NOx measurements on the road: software intentionally installed in VW vehicles so the vehicles could detect and evade emissions testing."

The accusations in the complaint are bolstered by claims from two unnamed cooperating witnesses and James Liang, an engineer for Volkswagen who pleaded guilty to working on the diesel conspiracy in September. Liang has agreed to testify against VW Group to avoid prosecution in the US. Volkswagen has already settled two civil complaints over its illegal software in 2.0L and 3.0L diesel VWs, Audis, and Porsches.
The largest, concerning the 2.0L diesels, will set the company back $15 billion.
Earlier this month, the Wall Street Journal reported that Volkswagen and the Justice Department were considering another billion-dollar settlement based on a criminal investigation of the company.
Charges in that case have not been filed yet, however.
Among the 10 people targeted in the conspiracy were Brennan; then-Deputy FBI Director Mark Giuliano; National Intelligence Director James R.
Clapper; Greg Mecher, the husband of White House Communication Director Jen Psaki; and other government officials.
The group called itself Crackas with Attitude, and it was led by a co-conspirator going by the name of Cracka. "She talks mad shit abt snowden," Liverman said on December 10, 2015 in an online chat with Cracka, referring to a target who is believed to be Psaki, according to a statement of facts signed by Liverman and filed in US District Court for the Eastern District of Virginia. (The document refers to Mecher and Psaki as Victim 3 and the spouse of Victim 3 respectively.) "If you come across anything related to [Victim 3's spouse] let me know.
If you find her cell or home number omg gimme." Liverman went on to say he wanted to "phonebomb the shitt [sic] outta" Psaki. The statement of facts shows Liverman discussing other intrusions with Cracka.
After getting a cellphone number Cracka had unlawfully obtained from a breached online account belonging to Victim 2, Liverman dialed it to make sure it belonged to the government official, whose real-world identity couldn't be immediately confirmed by Ars. Liverman "then paid an online service to automatically dial Victim 2's phone number once an hour, for 30 days, and leave a threatening recorded message." "We will keep a close eye on your family" Liverman later sent text messages to the cellphone that read in part: "We will keep a close eye on your family, especially your son." The message included a photo of the son that had been unlawfully obtained from one of Victim 2's compromised accounts.
That same day, Liverman publicly posted the cellphone number to pseudonymous Facebook and Twitter accounts and wrote: "This line will be active for only 24hrs, so call/sms it if you want to talk to me ... i also accept sexy nudes lol." Two days later Liverman told Cracka: "if we could get [Victim 2] swatted that would be amazing." Swatting is the term for falsely reporting violent crimes in progress to emergency responders in an attempt to elicit a response from special weapons and tactics police officers. Cracka used Victim 2's official credentials to gain unauthorized access to the Law Enforcement Enterprise Portal, an online database that's supposed to be available only to law enforcement officials.
At Liverman's request, Cracka used his access to obtain a list of more than 80 police officers and law enforcement employees in the Miami area. On January 6, 2016, Liverman posted the list online. The group allegedly also published a 47-page security clearance questionnaire containing highly personal information, which Brennan completed to obtain his post.
Around the same time, the group published a separate spreadsheet containing the personal data of the 29,000 FBI and DHS employees.
A day later, a group member allegedly presented evidence showing it had hijacked accounts belonging to Clapper. According to an affidavit filed in September, the group didn't rely on computer hacking to break into restricted accounts.
Instead, members used social engineering in which they impersonated their targets and various IT support personnel purporting to help the victims. On October 11, 2015, one of the suspects allegedly accessed the account belonging to Brennan by posing as a technician from Verizon.
The suspect then tricked another Verizon employee into resetting the password for Brennan's Internet service. Prosecutors said the suspects went on to take over a Brennan AOL account. The group allegedly used similar techniques to access other accounts.
The affidavit said another group member appeared to gain access to a law enforcement database by calling an FBI help desk and asking that Giuliano's password be reset. Now, Liverman faces a maximum possible sentence of five years in prison at sentencing, which is scheduled for May 12. The statement of facts filed with Friday's guilty plea offers a window into the depravity and viciousness that motivates so many online intrusions.
The perpetrators often succeed not through any technical skill but rather by making fraudulent phone calls that carefully exploit weakness in various companies' customer support services.
It's not the first time social engineering has exacted such a high price, and sadly, it likely won't be the last.
According to the agreement, Liverman's actions were responsible for $95,000 in damages, out of $1.5 million in total damages caused by the CWA. According to the original affidavit in the case, the CWA attackers used anonymizing software and social media platforms to communicate with each other, as well as to obtain unlawful access to online accounts and harass their victims. The CWA attackers used social engineering techniques in order to exploit victims' accounts.
Among the exploits that were conducted was one in November 2015, when a member of the CWA was able to gain access to a victim's Comcast account. Using the victim's credentials, a member of the CWA was able to gain access to the victim's account for the Law Enforcement Enterprise Portal (LEEP).
A member of the CWA then released information from the LEEP system on more than 80 officers from several Miami-area law enforcement agencies.
The CWA also, according to the affidavit, made a false bomb threat to the Palm Beach County Sheriff's Office in West Palm Beach, Florida in January 2016.

As part of the statement of facts filed with the plea agreement, Liverman's role was identified as publicly posting online documents and personal information unlawfully obtained from a victim's personal account.
Additionally, Liverman sent threatening text messages to the same victim's cellphone.

Liverman will be sentenced on May 12 and faces up to five years in prison. His U.S. co-defendant, Andrew Otto Boggs, who is also from North Carolina, is expected to enter a guilty plea on January 10, according to the DoJ.

Liverman's legal defense was assisted by the Courage Foundation, which is a group that aims to help support the efforts of whistleblowers. "Nothing was really hacked in this case because important government officials and agencies left the door wide open," Courage attorney Tor Ekeland said in a statement. "One hopes that hostile nation state actors didn't walk through that open door before Justin (Livermore) did."

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com.
Monday's "temporary outage" leaves thousands of international travelers stranded.
A nationwide Customs and Border Protection system outage stranded thousands of travelers at airports on Monday.
Folks trying to enter the US via a handful of cities were met with long lines and excessive delays as customs officers manually processed international passengers.
Issues were reported in Atlanta, Ft. Lauderdale, Los Angeles, Miami, and Washington, D.C., as well as Baltimore, Boston, Newark, and San Francisco. All airports came back online Monday night, following what CBP called "a temporary outage" of its processing systems.
"US Customs and Border Protection is experiencing a temporary outage with its processing systems at various air ports of entry and taking immediate action to address the technology disruption," the agency said in a statement to ABC News.
"CBP officers continue to process international travelers using alternative procedures until systems are back online," it continued. "Travelers at some ports of entry are experiencing longer than usual wait times and CBP officers are working to process travelers as quickly as possible while maintaining the highest levels of security."
US Customs and Border Protection did not immediately respond to PCMag's request for comment. According to a tweet, however, there is no indication the disruption was malicious.
According to social media accounts, conditions at Miami International Airport were particularly harsh: an army of angry, hungry people crowded the hallways for three-plus hours as rising temperatures caused fainting and vomiting.
@cnnbrk please let US Customs know the Miami airport could use a little help. Thousands of us waiting in a "line". pic.twitter.com/VGLUOUiaoP— Garret Prather (@garretp) January 3, 2017
@wsvn immigration @ M.I.A. Hundreds waiting, system has been down for hours pic.twitter.com/kuyR9u7boO— Reza (@EGerami) January 3, 2017
Nightmare at the #Miami airport for all incoming int'l flights: all systems were down at immigration. Hours of wait #miamiairport pic.twitter.com/MOorFyfv9x— Sarah (@iLoveSassou) January 3, 2017
Similar scenes were depicted at Washington Dulles International Airport, where Twitter user Richard Walker documented "36 unusable passport express kiosks, 20 unused global entry" stalls, eight agents, and a one-hour wait.