The US government has charged seven Iranian hackers working for computer companies associated with the Iranian government, including the Islamic Revolutionary Guard Corps, with coordinating an extensive campaign of cyberattacks targeting a small dam outside of New York City and dozens of US financial institutions. The attack has raised concerns over the vulnerability of US critical infrastructure to foreign attack.
Ahmad Fathi, 37; Hamid Firoozi, 34; Amin Shokohi, 25; Sadegh Ahmadzadegan, aka Nitrojen26, 23; Omid Ghaffarinia, aka PLuS, 25; Sina Keissar, 25; and Nader Saedi, aka Turk Server, 26, allegedly launched distributed denial of service (DDoS) attacks against at least 46 victims, primarily in the US financial sector, between late 2011 and mid-2013.
The attackers disabled or attempted to disable the victim corporations' servers to prevent them from doing business with their customers, including providing online banking services. According to the indictment, the victim institutions incurred tens of millions of dollars in remediation costs as a result of the attacks.
“In unsealing this indictment, DOJ is sending a powerful message: that we will not allow any individual, group, or nation to sabotage American financial institutions or undermine the integrity of fair competition in the operation of the free market,” said Attorney General Lynch.
In addition, Firoozi is charged with repeatedly obtaining unauthorized access to the Supervisory Control and Data Acquisition (SCADA) systems of the Bowman Avenue Dam, a small flood control structure located in Rye, New York, in August and September of 2013. This unauthorized access allowed him to obtain information regarding the status and operation of the dam, including information about the water levels, temperature, and status of the sluice gate, which is responsible for controlling water levels and flow rates.
Remediation for the Bowman Dam intrusion cost over $30,000.
“The infiltration of the Bowman Avenue dam represents a frightening new frontier in cybercrime,” said US Attorney Bharara. “These were no ordinary crimes, but calculated attacks by groups with ties to Iran’s Islamic Revolutionary Guard and designed specifically to harm America and its people. We now live in a world where devastating attacks on our financial system, our infrastructure and our way of life can be launched from anywhere in the world, with a click of a mouse.”
Bharara added, “Confronting these types of cyber-attacks cannot be the job of just law enforcement. The charges announced today should serve as a wake-up call for everyone responsible for the security of our financial markets and for guarding our infrastructure. Our future security depends on heeding this call.”
If convicted, all seven defendants face a maximum sentence of 10 years in prison for conspiracy to commit and aid and abet computer hacking. Firoozi faces an additional five years in prison for obtaining and aiding and abetting unauthorized access to a protected computer at the Bowman Dam.
Prior to the indictment of the seven hackers, Sen. Charles Schumer (D-NY) called the cyberattack a warning that nation-states are a clear and present danger to US critical infrastructure. Schumer said the Iranians were sending “a shot across our bow,” adding, “They were saying that we can damage, seriously damage, our critical infrastructure and put the lives and property of people at risk.”
Not the first time: Nation-state infiltration of US critical infrastructure
This is not the first time the US has discovered nation-state sponsored hackers rooting around in the systems that operate US critical infrastructure.
In May 2014, five Chinese military hackers were indicted for computer hacking, economic espionage and other cybercrimes directed at six American victims in the US nuclear power, metals and solar products industries. All five defendants were officers in Unit 61398 of the Third Department of the Chinese People’s Liberation Army.
The companies the five allegedly hacked include Westinghouse Electric Co.; US subsidiaries of SolarWorld AG; United States Steel Corp.; Allegheny Technologies Inc.; the United Steel, Paper and Forestry, Rubber, Manufacturing, Energy, Allied Industrial and Service Workers International Union; and Alcoa Inc.
“America’s adversaries including China, Iran and Russia are relentlessly attacking and probing our computer networks looking for ways to conduct cyber espionage and to disrupt and destroy our critical infrastructure including financial institutions, energy grids and transportation systems that keep our nation moving,” said House Committee on Homeland Security Chairman Michael McCaul (R-Texas), commenting on the indictment of the Chinese hackers.
China is not the only threat. In July 2014, the Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (DHS ICS-CERT) alerted critical infrastructure operators to a Russian hacking group known as “Energetic Bear,” or “Dragonfly,” behind a malware campaign targeting the energy sector in the United States and Europe with the capability to sabotage the power supply of the attacked countries.
The only logical reasons behind targeting the energy sector, according to Adam Kujawa, head of Malware Intelligence at anti-malware company Malwarebytes, are to keep an eye on developments made to the energy grid in order to “identify if the economy and ability of the country has risen to a dangerous level” or to gain control of the energy grid in the event of a physical attack where the ability to control the power supply would give the attackers an advantage over their adversaries.
“Energy is one of the most valued and often relied upon resources in our society today,” Kujawa said. “If you were to remove that aspect of our lives it would most certainly throw the country into complete chaos, something that an offensive force might want to do rather than try and fight the full force of a country.”
Then, in December 2014, California-based Cylance released a report revealing that Iranian hackers had penetrated the computer networks of government agencies and major critical infrastructure companies in the United States and 15 other countries in a campaign that could eventually cause physical damage.
Targets included some of the most sensitive critical infrastructure companies across the globe, spanning military, oil and gas, energy and utilities, transportation, hospitals, telecommunications, technology, education, aerospace, defense contractors, chemical companies and governments.
“With minimal separation between private companies and the Iranian government, their modus operandi seems clear: blur the line between legitimate engineering companies and state-sponsored cyber hacking teams to establish a foothold in the world’s critical infrastructure,” the report stated.
Furthermore, just months ago, the vulnerability of critical infrastructure worldwide came into question after Ukraine experienced a major power outage affecting 225,000 customers. The United States and Ukrainian governments have officially linked the outage to a sophisticated cyberattack.
The Ukrainian blackout has raised questions over whether a similar—or even worse—attack could happen here. The attack was limited in regional scope and outage duration, and it caused no damage to electrical equipment, leading to speculation that the event may have been conducted to “test the waters” or send a message.
Either way, the United States should be deeply concerned.
A sample of BlackEnergy malware was found on the compromised Ukrainian SCADA network. This same malware is already present in US industrial control systems. In November 2014, DHS ICS-CERT warned that a sophisticated malware campaign using a variant of the BlackEnergy malware had compromised numerous industrial control system environments.
The campaign has been ongoing since 2011, and while no attempt had been made to activate the malware to “damage, modify, or otherwise disrupt” the industrial control process, it has raised questions over the intention behind the placement of the malware in key US systems.
While the attack on Ukraine’s power grid did not directly impact the United States, the presence of BlackEnergy in our nation’s grid is cause for concern. Attacks in other parts of the world can create a ripple effect.
As Homeland Security Today recently reported, cybersecurity firm CrowdStrike in February released its 2015 Global Threat Report, which found that today’s threats are fueled by geopolitical and economic events around the world, and that those events can create a ripple effect.
George Kurtz, chief executive officer and co-founder of CrowdStrike, explained, “Distant geopolitical events occurring in disparate parts of the world are actually creating ripple effects that wash up on the doorstep of industries and companies thousands of miles away in the form of cyber threats. Businesses and organizations ignore these geopolitical developments at their own peril if they do not allocate adequate resources and build the capacity needed to protect their information and networks.”
Last year, CrowdStrike security researchers forecasted an uptick in nation-state cyberattacks. Adam Meyers, vice president of intelligence at CrowdStrike, explained in a blog post, “Western businesses and enterprises need to know that there are serious bad guys in North Korea, China, Iran, Russia and other countries working tirelessly on ways to get around our defenses to steal intellectual property, disrupt business and even destroy.”
Doug Wylie, CISSP, Vice President of Product Marketing and Strategy at NexDefense, told Homeland Security Today in an exclusive interview that the US indictment of the seven Iranian hackers is an effort to send a message to Iran—and to all nation-states conducting cyberattacks against the US—that we have the capability to evaluate these attacks and trace them back to the nefarious actors behind them.
“All critical infrastructure is being evaluated by a variety of adversaries,” Wylie said. “This is an indication of just how pervasive the challenges are for the services we depend on—whether it's water, power, transportation. Nation-states are knocking on our door, if you will, carrying out reconnaissance and trying to build a characterization of where all these critical assets are.”
Is there a clear and present danger to US critical infrastructure?
When examining threats to critical infrastructure, it is important to assess the means, motive, and opportunity, said Wylie. In the case of the attack on the Bowman Avenue Dam, there is not yet enough information publicly available to confirm the motivation behind that attack.
However, Wylie believes that certain indicators suggest the dam may simply have been happened upon during a financially motivated activity and then earmarked as something of interest for future activity.
“It is not surprising to me to see the financial side, but sticking the dam into the middle of this gives me the impression that this was an opportunity found as part of a financially motivated activity,” said Wylie. “What I mean by that is it is not unusual for any adversary to begin looking at the landscape and identifying items of interest.”
Understanding the motivation will be key to determining whether this event, among others, is a precursor to a much more damaging attack. Since critical infrastructure is the backbone of American society, such an attack could be catastrophic.
Consequently, the US needs to use every tool at its disposal to safeguard critical infrastructure. Private industry, which owns most critical infrastructure, and the government need to overcome the “head in the sand” mentality that governs the assessment of the vulnerability of the nation’s most critical assets.
Because the vast majority of our nation’s critical infrastructure is privately owned and operated, both the government and private sector have formed vital partnerships to fulfill our shared responsibility to prevent and reduce the risks of disruptions to critical infrastructure. Government and the private sector need to be working on solutions together rather than separately. Year after year, we are still asking the same questions, without solutions.
The private sector needs incentives to bring breaches to the surface. In many cases, companies are making the call to keep something internal because they do not want to face the business consequences.
“There has definitely been a long history of events that have affected critical infrastructure, but the private sector hasn’t been motivated to bring them to the surface because it affects their brand and reputation,” said Wylie.
Furthermore, everyone needs to understand they could be compromised, whether they are a small dam in New York or a high profile target.
“Even a small facility like this has a responsibility to have an understanding of what is happening to their business systems and to their critical operations, and that they can’t ignore these types of risks any more than the higher profile infrastructures,” Wylie said.
Other challenges include multi-vendor systems, in which different products from various companies are knitted together. The problem is that each company has a different conception of what security means to them. In addition, many of these infrastructures, particularly dams, use older systems that have not kept pace with modern technology, resulting in inherent weaknesses in these systems.
Finally, there is a limited pool of individuals with sufficient knowledge of industrial control systems, which can be very complex, who also have the IT knowledge necessary to secure them. It is critical that the nation begin to train this generation and the next generation of cybersecurity professionals to understand how these control systems work, so that they can develop effective solutions to secure them.
“As we look to the future, we need to develop—and there is evidence of this already—a more disciplined perspective of security for industrial controls,” said Wylie. “For those who are coming out of school or go back to school to expand their careers, there are avenues to build competence that can be widely applied. These are becoming, because of supply and demand, more highly compensated type roles, but are still in their infancy, since critical infrastructure is not the sexy industry of making consumer products, smart cars, iPhones, and whatnot.”
Wylie says a message that has not been widely delivered today is that we often treat an attack on critical infrastructure, such as this dam, as an isolated event. Leadership in government and private industry need to begin to raise awareness that the combination of losing more than one critical service could have a devastating impact on the economy, health, and safety of the nation. It is one thing to lose power—and another to lose water and power, a disruption that could unleash chaos and fear into society.
Wylie sums up the challenges facing critical infrastructure as follows: “The forces at work here are complexity, the volume of assets being connected, the age of the assets, the creativity used to take these assets and get them connected, and the challenges within industry to have the competence necessary to not only move the information but to actually secure the movement of the information.”
Though the challenges to securing critical infrastructure are significant, now is the time to work towards better solutions. The threat is real, and it's already here.