For the first time, Norwegian companies are being targeted by a new kind of computer attack, aimed at control systems for critical infrastructure such as water, oil and gas supply. The attacks were first discovered in Germany and Belarus in June. Since then, at least 6,000 infected computers have been confirmed.
“A malicious foreign power – given €86 million, 750 people and two years to prepare – could launch a devastating cyber attack on the EU.”
This summer the Norwegian National Security Authority (NSM) discovered, for the first time, targeted computer attacks directed against the internal process and control systems that ensure the supply of electricity and water. Similar attacks were discovered in Germany and Belarus. The EU’s cyber-security unit, ENISA, will carry out the first ever pan-European cyber security exercise in late October or early November.
According to the Norwegian newspaper Aftenposten, the National Security Authority confirms that Norwegian companies have been attacked, but will not say which.
“It’s the first time we see these Trojans, specifically designed to take control of the process and control systems. We know that other companies are affected, besides the Norwegians,” Christophe Birkeland at the NSM says.
“Malicious software that comes into these systems steals business-critical information and, in the worst cases, destroys or takes over control of the systems. We know Norwegian companies have gotten this Trojan into some of their systems,” he says.
NSM emphasizes that no injuries have been reported at the moment.
However, NSM is now sending out a new warning about what it perceives as a serious threat to a number of critical actors in Norwegian society:
* Government and the national institutions.
* Power producers and suppliers.
* The oil companies.
* Water supply and treatment plants.
* Transport companies.
Going For The Most Advanced
In the operational center of Hafslund in Oslo, computers provide electric power for about 1.4 million people in the area.
The Hafslund central is one of the world’s most advanced power systems.
“We have also experienced attempts to hack into our office support systems. We are fully focused on this, and it is a very familiar problem,” information officer, Morten Schau, at Hafslund says.
Behind the seemingly innocent file name “%System%\drivers\mrxnet” is the malicious and highly sophisticated computer virus “Stuxnet,” which has been a hot topic among computer security experts this summer.
The attacks may have been going on for many months before they were discovered in Germany and Belarus in June.
One of the Trojan’s many technical features is that it hides itself very well. Since June, at least 6,000 computers have been confirmed infected by “Stuxnet”.
The cyber criminals have exploited vulnerabilities in Windows, but only in early August did Microsoft release a security update that plugged the hole.
Siemens System Infected
The attack has been directed towards a management system supplied by Siemens – Simatic WinCC.
In Norway, the system is in use in at least 200 oil companies, power suppliers, and metal and food industries.
Siemens admits that 12 companies have been affected, but stresses that these are not its Norwegian customers.
“Those customers who were infected were quickly helped, and the problem is now fixed,” information officer Christian Jahr at Siemens says.
“What happened was that an employee has used a USB stick outside the office, or in other private places. This became infected with the virus, which is activated when used on a PC with WinCC installed. This goes to show that you have to be awake and updated to ensure the best security facilities possible,” Jahr says.
Who’s Fighting Who?
No one knows who is behind the attacks, or what country they come from.
Worldwide, companies in Indonesia, India, Iran and the US are being hit the hardest.
There are also several different theories about what the goal is:
* Industrial Espionage.
* Sabotage attempts.
According to the experts, the most important way for companies to protect themselves is to build an absolutely watertight bulkhead between the data networks used to control machines and the computer systems used for communication with the outside world.
One must also prevent careless use of memory sticks and other USB devices.
Previously, the police, governments, health institutions, banks and industrial companies have all been hit by computer criminals.
Able To Crash The Whole EU
A malicious foreign power – given €86 million, 750 people and two years to prepare – could launch a devastating cyber attack on the EU, a US security expert says.
Charlie Miller, a mathematician who served for five years at the US National Security Agency stress-testing foreign targets’ computer systems and designing “network intrusion detection tools,” calculated the EU scenario on the basis of a more detailed study of US vulnerability.
This is how it can be done:
Got 100 Million Dollars?
The assault would begin with a member of staff at, say, the London Stock Exchange or the French electricity grid operator, RTE, opening a PDF attachment in an email which looks as if it had been sent by a colleague.
The PDF would contain software enabling a hacker on a different continent to silently take over his computer.
Over time, the hacker would monitor the employee’s keystrokes, sniff out passwords, and use the information to take over computers higher up the command chain, eventually putting him in a position to switch off the target’s firewalls, leaving it open to DOS (Denial of Service) attacks, and to install RATs (Remote Administration Tools), which control its hardware.
Around 18 to 21 months down the line, with enough targets compromised, the assault could take place, EUobserver.com writes.
The EU 27 countries would wake up to find electricity power stations shut down; communication by phone and Internet disabled; air, rail and road transport impossible; stock exchanges and day-to-day bank transactions frozen.
Crucial data in governments and financial institutions would be scrambled, and military units at home and abroad would be cut off from central command or sent fake orders.
Normal life could be restarted in a few days’ time. But the damage done to administrative capacity, consumer confidence and the economy by loss of vital data would last for years.
Mr Miller says the bulk of the money – €83 million ($105 million) – would be used to pay an army of 750 hackers, with just €3 million spent on hardware: a testing lab with 50 computers, another two computers per hacker, and assorted smart-phones and network equipment.
* 100 million dollars is just small change for some of our current dictators and drug barons.
* You can win 100 million dollars in one single game of poker in Las Vegas.
* You can earn 100 million dollars in one year as a commodities trader at Citigroup.
* 100 million dollars is what Tiger Woods paid for his divorce settlement.
Money won’t be a problem, but organizing the right people for the operation might be.
Army Of Hackers
An elite corps would consist of 20 world class experts whose main job would be to find “0-day exploits” – previously undetected security gaps in popular software such as Windows, Java or Adobe.
The experts would each have to be paid a small fortune: over €200,000 ($250,000) a year.
Or extorted, Dr. Miller adds.
Another 40 people, drawn from the enemy country’s secret services or recruited inside EU member states, would get inside “air-gapped” facilities – the most secure targets, such as military command structures or air traffic control bodies, which are physically cut off from the Internet in order to prevent cyber attacks.
When the time came, the agents would un-airgap targets by connecting them to the Internet via 3G modems and satellite phones.
The rest of the cyber army, 690 people, mostly computer science graduates and post-graduates from inside the hostile state, would use the 0-day exploits to take over target networks.
They would also collect, maintain, create and test “bots” – software which secretly uses computers in ordinary people’s homes to run automated tasks, such as DOS attacks, which bombard target systems with overwhelming amounts of data.
The final assault would require 500 million bots in diverse locations, according to the calculations.
Dr. Miller, who currently works for the Baltimore-based US company Independent Security Evaluators, admits that internet scare stories like this help his firm to get business.
But he also underlines that classic intelligence gathering is the best line of defense, rather than hiring IT experts.
“It’s really hard to defend against an attack that’s well equipped and carried out by smart people. But you do have years to detect it before it happens. If you have an elaborate intelligence gathering network you could detect it, not technically because you can see it, but because you have human intel,” he says.
“If you want to spend your money well, spend it on your intelligence services.”
EU’s First Cyber War Exercise
The threat of cyber war against EU targets became clear on 27 April 2007 when hackers crashed Estonian online news agencies with DOS attacks in the middle of an Estonia-Russia political dispute.
The assault gathered pace over the next three weeks disrupting online banking services and government communications.
Three and a half years down the line there is no hard evidence linking the attack to a foreign power, although activists in the pro-Kremlin youth group, Nashi, claim to have taken part.
“If these cyber attacks were used to test the Estonian cyber defense capabilities, much more sophisticated attacks could possibly follow, based on the knowledge acquired during the attacks,” a report on the 2007 events by the Estonian government’s Computer Emergency Response Team says.
NATO and EU countries are now putting more resources than ever into joint cyber-security projects.
ENISA spokesman, Ulf Bergstrom, says the exercise will look at disrupting normal internet operations in the EU’s internal market and the way EU member states’ authorities co-operate across the union’s internal borders.
Mr Bergstrom notes that ENISA’s initial mandate, which covers security of e-commerce, online banking and mobile phones, is being expanded to cover cyber criminality.
“We have been given political signals, for example by information society commissioner Neelie Kroes, to work more closely with agencies like Europol and Interpol,” he says.
“Cyber security is vital for the economy of Europe, to protect the businesses and operations of ordinary citizens. This is the digital society that we take for granted, like water out of the tap, which we need to defend.”