Black Hat: Govt. ICS Attacks

Thursday, August 7, 2014 @ 05:08 PM gHale


By Gregory Hale
Government sponsored malware attacks, once thought of as science fiction, are real and they are hitting industries, like the manufacturing industry, across the world.

Unlike the nuclear arms race, the cyber arms race has a bunch of governmental contestants, but no one really knows their strengths.


“Cyber warfare is not detectable, unlike nuclear warfare, which is. If you look at the changes in the threat landscape, the cyber arms race does not allow for (who has what technology),” said Mikko Hyppönen, chief research officer for F-Secure, during his talk Wednesday at Black Hat USA 2014 in Las Vegas. “Yes, the U.S. has capabilities, but what about the other countries? Government actively using malware is only about 10 years old. If you talked about that back then, it would sound like science fiction, but it is true.”

Hyppönen went into a bit of a history lesson on government sponsored malware attacks, but he also talked about the advantages governments get out of using malware.

Some of those benefits:
• Law enforcement
• Espionage
• Surveillance
• Sabotage
• Warfare

Russians ended up linked to some big malware attacks like CosmicDuke and Havex, Hyppönen said. Havex is interesting because it appears to be doing reconnaissance work in the industrial control industry.

“Havex is scanning ICS gear,” he said. “It doesn’t do anything, so we don’t actually know what it is doing. We think it could be fingerprinting; it is unclear, but it is interesting.”

What is also interesting, Hyppönen said, is its method of distribution. “To distribute the malware, they hacked four ICS vendors and infected them.” So, when their customers downloaded software from the vendors, they were then infected.

When you talk about government sponsored malware, one of the first major attacks was Stuxnet, which ISSSource reported was a joint project between the U.S. and Israel to damage Iran’s nuclear program by bringing down centrifuges at Iran’s Natanz facility.

Now that the Stuxnet code is out and available on various web sites, you would think there would be more attacks.

“We expected more copy cats of Stuxnet, but we haven’t seen it yet,” Hyppönen said. “We are surprised and that is good news.”

One of the more amusing fallouts from Stuxnet came a couple of years later, when Hyppönen received an email out of the blue from a worker at the Iranian atomic program, but not at Natanz. The email said: “There was also some music playing randomly on several of the workstations during the middle of the night with the volume maxed out. I believe it was the American band AC/DC, Thunderstruck. It was all very strange and happened very quickly. The attackers also managed to gain root access to the machine they entered from and removed all the logs.”


While Hyppönen said he was unable to confirm the note, he said this is one of the things governments try to do: make the victim country’s leaders lose faith in their engineers. They want to raise doubts. Once there is a lack of confidence, that hurts the country.

“When I joined this company in 1991,” Hyppönen said, “I didn’t expect it to come to this, but that is what has happened.”



4 Responses to “Black Hat: Govt. ICS Attacks”

  1. […] At the same time, in recent years the sophistication of malware has grown. One of the reasons is that nation states have become cyber attackers. They devote considerable resources to finding and breaking through weak points in the defensive lines […]

  2. […] level of sophistication. One of the reasons this is happening lies in the phenomenon of nation states becoming the new ‘attackers’. These states invest enormous resources in finding and exploiting weaknesses in the defense systems of both […]

  3. […] years reached a new level of sophistication. One of the reasons for this is the emergence of nation states as cyber attackers. They pour enormous resources into finding and exploiting vulnerabilities in the […]

  4. […] At the same time, malware has become ever more sophisticated. One reason for this is that nation states have started carrying out attacks. States spend vast resources on finding the weaknesses of individuals and companies […]

