U.S. warns public about attacks on energy, industrial firms

(Reuters) – The U.S. government issued a rare public warning that sophisticated hackers are targeting energy and industrial firms, the latest sign that cyber attacks present an increasing threat to the power industry and other public infrastructure.

The Department of Homeland Security and Federal Bureau of Investigation warned in a report distributed by email late on Friday that the nuclear, energy, aviation, water and critical manufacturing industries have been targeted along with government entities in attacks dating back to at least May.

U.S. Department of Homeland Security emblem is pictured at the National Cybersecurity & Communications Integration Center (NCCIC)

The agencies warned that hackers had succeeded in compromising some targeted networks, but did not identify specific victims or describe any cases of sabotage.

The objective of the attackers is to compromise organizational networks with malicious emails and tainted websites to obtain credentials for accessing computer networks of their targets, the report said.

U.S. authorities have been monitoring the activity for months, which they initially detailed in a confidential June report first reported by Reuters. That document, which was privately distributed to firms at risk of attacks, described a narrower set of activity focusing on the nuclear, energy and critical manufacturing sectors.

Department of Homeland Security spokesman Scott McConnell declined to elaborate on the information in the report or say what prompted the government to go public with the information at this time.

“The technical alert provides recommendations to prevent and mitigate malicious cyber activity targeting multiple sectors and reiterated our commitment to remain vigilant for new threats,” he said.

The FBI declined to comment on the report, which security researchers said described an escalation in targeting of infrastructure in Europe and the United States that had been described in recent reports from private firms, including Symantec Corp.

“This is very aggressive activity,” said Robert Lee, an expert in securing industrial networks.

Lee, chief executive of cyber-security firm Dragos, said the report appears to describe hackers working in the interests of the Russian government, though he declined to elaborate. Dragos is also monitoring other groups targeting infrastructure that appear to be aligned with China, Iran and North Korea, he said.

The hacking described in the government report is unlikely to result in dramatic attacks in the near term, Lee said, but he added that it is still troubling: “We don’t want our adversaries learning enough to be able to do things that are disruptive later.”

The report said that hackers have succeeded in infiltrating some targets, including at least one energy generator, and conducting reconnaissance on their networks. It was accompanied by six technical documents describing malware used in the attacks.

Homeland Security “has confidence that this campaign is still ongoing and threat actors are actively pursuing their objectives over a long-term campaign,” the report said.

The report said the attacker was the same as one described by Symantec in a September report that warned advanced hackers had penetrated the systems controlling operations of some U.S. and European energy companies.

Symantec researcher Vikram Thakur said in an email that much of the contents of Friday’s report were previously known within the security community.

Cyber-security firm CrowdStrike said the technical indicators described in the report suggested the attacks were the work of a hacking group it calls Berserk Bear, which is affiliated with the Russian Federation and has targeted the energy, financial and transportation industries.

“We have not observed any destructive action by this actor,” CrowdStrike Vice President Adam Meyers said in an email.

By: Jim Finkle in Toronto; Additional reporting by Gary McWilliams in Houston; Editing by Nick Zieminski and James Dalgleish

Source: https://www.reuters.com/article/us-usa-cyber-energy/u-s-warns-public-about-attacks-on-energy-industrial-firms-idUSKBN1CQ0IN

Top Priorities of the Intelligence Community’s New CIO

The intelligence community is getting a new, permanent CIO. On Aug. 18, the White House announced that President Donald Trump would nominate John Sherman to be CIO in the Office of the Director of National Intelligence (ODNI).

Aerial View- CIA head quarters at Langley, VA


As The Wall Street Journal notes, Sherman replaces Raymond Cook, who left the post in January after holding the position for two years under former President Barack Obama. Then, Jennifer Kron took over the CIO role on an interim basis. However, she just formally left ODNI to go on detail with the National Geospatial-Intelligence Agency (NGA) in Australia, where she will work with the Australian government to set up a new office of national intelligence and improve information sharing, Federal News Radio reports.

If Sherman gets confirmed by the Senate, as expected, he will have a lot on his plate, including managing the IC Information Technology Enterprise (ICITE). ICITE is a platform of nine shared services, from security to networking, email and virtual desktops, all delivered via a private cloud.

Sherman knows his way around the intelligence community — he’s a 20-year veteran of the IC. He currently serves as the deputy director of the CIA’s Open Source Enterprise, where he has been involved in incorporating open-source intelligence and capabilities into ICITE. Sherman previously served in senior executive positions at NGA.

Here are what will likely be Sherman’s top IT priorities.

Expand the Use and Capabilities of ICITE

At the top of the priority list is ICITE, which ODNI started in 2012. As Federal News Radio notes, ICITE’s goal is “standardizing the IT infrastructure for all 17 intelligence agencies at the [Top Secret / Sensitive Compartmented Information] level to improve efficiency, information sharing and cybersecurity.”

Sherman is already deeply familiar with ICITE, given his work at the CIA. Intelligence agencies have made progress on moving away from siloed IT environments, and it will be Sherman’s job to help shepherd that process along.

However, moving from legacy infrastructure to a new cloud and cross-IT environment will take years, as FedTech recently reported. Staffers are not required to use ICITE, though Kron told FedTech IC employees may be unknowingly using aspects of it, such as its identification and authentication services. Instead, the IC is migrating its legacy systems during normal refresh cycles.

Still, there are clear signs of movement toward a more shared IT operating environment. For example, the National Security Agency offers a government-provided cloud, or GovCloud, Nextgov notes. Additionally, the publication notes, the Defense Intelligence Agency and NGA are partnering to provide a desktop environment service to the IC, which tens of thousands of users have joined over the last few years, as Federal News Radio reports.

ICITE may also become more broadly accessible. In August, Kron said the IC is working on a “multi-fabric initiative” to identify which services can be made unclassified, FCW reports.

Sherman will need to keep the momentum moving forward on streamlining the IC’s technology environments.

What’s Next for Intelligence Community R&D?

As FCW reports, the IC’s CIO also “has procurement authority across intelligence agencies when it comes to enterprise architecture, and is authorized to weigh in on IT procurement of all types while having a voice in R&D efforts to make sure they align with the overall goals of the intelligence community.”

The Trump administration has signaled that increased physical and cybersecurity are among its tech R&D priorities, a directive that will likely impact the intelligence community.

“Agencies should invest in R&D to increase the security and resilience of the Nation’s critical infrastructure from both physical threats and cyber-attacks, which have increased rapidly in number and complexity in recent years,” according to an Aug. 17 memorandum from Mick Mulvaney, director of the Office of Management and Budget, and Michael Kratsios, deputy assistant to the president in the Office of Science and Technology Policy.

Source: https://fedtechmagazine.com/article/2017/09/here-are-top-priorities-intelligence-community-s-new-cio

By: Phil Goldstein

U.S. energy grid intrusion is a warning, says former NSA official

Power Grid (Photo: Getty Images)


SAN FRANCISCO — Over the last nine months, dozens of U.S. power companies were compromised by an organized hacking group to the extent that some of them could have sabotaged and shut down production and distribution, according to Symantec, a cybersecurity company that discovered the attack.

In some cases, this involved access to details about how the company operated, engineering plans and equipment, in some cases even down to the level of controlling valves, pipes or conveyer belts, said Vikram Thakur, principal research manager at Symantec, which discovered the intrusions and first published information about them in a blog posting Wednesday.

The level of access could have led to “pretty strong impacts,” said Thakur. “It could have taken out the business for a period of a day or two or maybe a month,” he said.

The core focus seems to have been companies that focus on power generation, transmission and distribution, Symantec said.

These attacks come as no surprise to anyone who’s worked in intelligence, said Joel Brenner. He was head of U.S. counterintelligence under the Director of National Intelligence from 2006 to 2008 and then Inspector General of the National Security Agency from 2009 – 2010. He is now a senior research fellow at the Massachusetts Institute of Technology.

The aim is to make clear to the United States that its systems are vulnerable and thus make the president think twice before engaging in any kind of military action, with the looming threat of darkened cities a possibility, he said.

“I think preparation for a potential attack is what we’re seeing. And whoever’s doing this, presumably the Russians, want us to know. People in the intelligence business always say that when the Russians are found, it’s because they want to be found.”

There are already examples of power companies being attacked by hackers and the lights going out. In 2015 and 2016 hackers disrupted Ukraine’s power grid, causing blackouts that hit more than 200,000 people. The Ukrainian government has blamed Russian-supported hackers for the attacks.

Why things didn’t go that far in this case is unknown, though Symantec believes it might have been a “proof of concept” attack, simply to prove to whatever government or organization was sponsoring the attackers that they had the capability.

“This confirms, again, that advanced adversaries are targeting and gaining access to the world’s critical infrastructure” said Galina Antova, co-founder, Claroty, a company that provides security for industrial control networks.

“This gives bad actors the ability to harm our systems and possibly people when they choose — as a political statement, during the next conflict, before or during a war,” she said.

The Department of Homeland Security said it was aware of the Symantec report and was reviewing it.

“At this time there is no indication of a threat to public safety. We continue to coordinate with government and private sector partners to look into this activity,” the agency said in a statement.

The North American Electric Reliability Corporation is aware of the threat and is sharing information with industry and government partners, said Bill Lawrence, director of NERC’s Electricity Information Sharing and Analysis Center.

“At this time, there are no impacts on the operation or reliability of the bulk power system in North America. NERC continues to monitor potential cyber security risks to reliability and share information with security stakeholders on emerging and evolving threats,” he said.


The ongoing attack appears to be the work of a group that Symantec and others first reported was targeting the energy sector beginning in 2011. Symantec dubbed it Dragonfly. CrowdStrike, which reported on the group in 2014, called it Energetic Bear and suggested it might have links to Russia.

Once the report went public in 2014, the group went dark. Then it appeared again in 2015, focused on Turkish energy companies that it continued to infiltrate through 2016, Thakur said.

Beginning in January, the attackers turned their attention to the United States and Switzerland. The initial attacks came through simple email phishing campaigns that got them into company networks, Symantec researchers found.

That led to two years of research and the discovery that Dragonfly 2.0 had penetrated “dozens” of companies.

“It’s still an ongoing campaign,” Thakur said.

Symantec shared information about the attackers with the companies and others who might have been impacted, but did not release their names in its public blog. Thakur said he has personally called between 50 and 75 energy companies in the past few months to warn them.

Thakur believes that energy-related companies have also been probed by the Dragonfly group, including companies that do commodity trading, finance organizations and investment groups.

The hackers appear to have made a concerted effort to make it difficult to identify them by using only open source and readily-available malware that wouldn’t pinpoint their location.

Critical infrastructure is being targeted with complex, well-resourced cyber attacks, said Josh Douglas, chief strategy officer for cyber services at Raytheon, a major U.S. defense contractor and industrial corporation.

The attributes of the Dragonfly attack are similar to those perpetrated by nation-states with deep pockets and long-term goals.

“They have invested strongly in their capabilities — some of which we have yet to see — and that we may not yet know the full extent of this attack,” said Douglas.


Source: https://www.usatoday.com/story/tech/news/2017/09/06/dozens-power-companies-breached-hackers-cybersecurity-researcher-says/638503001/