Public utilities remain in the bullseye for cyberattackers. This past week, the Delta-Montrose Electric Association (DMEA) disclosed that it had discovered an internal network breach on November 7, 2021. Earlier this year the rural Alabama electric cooperative, Wiregrass Electric Cooperative, also experienced a ransomware attack. This is part of an ongoing wave of attacks upon public utilities, and it is one that will likely continue to increase over time.
What we’ve seen over time is a dangerous convergence and alignment of threat actors against our public utilities. These are clearly high value targets both for organized crime (financial extortion) and nation-states that seek to promote their policies through the threats they can successfully leverage against public utilities.
Some of the attacks have been highly dangerous. In 2015 we witnessed a nation-state sponsored cyberattack that brought down the power for hundreds of thousands of homes in Ukraine. These are the very real threats faced by public utilities today. Many nation-state threat actors have likely stockpiled carefully acquired zero-days to launch future attacks against public utility infrastructure.
The DMEA Electric Association Ransomware Attack
Just this past month, DMEA discovered a targeted effort to access portions of its internal network system by an unauthorized third party. As a result, DMEA lost 90% of internal network functions, and a good portion of their data, such as saved documents, spreadsheets, and forms, was corrupted. It also impacted DMEA phones and emails.
Fortunately, the DMEA power grid and fiber network remained unaffected by the incident. Some news sources have noted that the attack seems to have been caused by file-oriented ransomware, although no specific ransomware family has been named just yet. If it was ransomware, the motivation was clearly financial, which points to organized crime rather than a nation-state.
DMEA has a good response playbook in place, and they have benefited from this preparation. DMEA immediately engaged cybersecurity experts and brought in the relevant government resources to help investigate the scope of the incident and better understand the impact on DMEA and its membership. That investigation is still ongoing at this time.
Restoring networks and normal operations will take DMEA time. DMEA estimated that member payments can resume during the first week or so of December, including payments via SmartHub and payment kiosks. They also expect to resume member billing in roughly the same timeframe. DMEA suspended all penalty fees and disconnections for non-payment through January 31, 2022.
The Rural Alabama Electric Wiregrass Electric Cooperative Ransomware Attack
Earlier this year the Wiregrass Electric Cooperative was recovering from a ransomware attack that required both member account information and payment systems to be taken offline for maintenance. During this maintenance period, the disconnection of prepaid accounts that reached a zero balance was suspended. Remediation required a detailed review of every server, every laptop, and every computer.
The Convergence of Attacks on Public Utilities – A Walk Through Time
Let’s go to ground zero to get a sense of where we are headed. History perhaps shines a light on the blueprint for the future. Back in March 2007 the U.S. Department of Energy sponsored a test called the Aurora Generator Test. The purpose of the test was to demonstrate how a carefully targeted cyberattack could physically destroy components within the electric grid. A video of the test, obtained under the Freedom of Information Act by a major news service, was subsequently posted on YouTube.
A 27-ton, 2.25-megawatt power generator was set up within a test chamber at the Idaho National Laboratory. To start the test, one technician entered 21 lines of malicious code via a digital relay. The code, in turn, opened a circuit breaker in the generator’s protection system and then rapidly closed it, creating a non-recoverable synchronization fault. Initially, you can see parts come loose and fly off the generator.
In the video you can see the shaking as housings crack, and the unit belches smoke, bursts into flames, and then ceases to function. The Aurora test was an early proof point for what the Government expected to see in the future as the internet developed, and as current and future adversaries emerged. Well, it is here now. No one should be surprised.
Many of the techniques that would be used today rest on the same principles. Stuxnet evolved these further, though not in the service of an attack on a public utility; instead it targeted thousands of Iranian centrifuges within a highly protected underground complex.
As time passed, utilities continued to remain in the spotlight. In 2017 threat actors stepped up again. Rather shamelessly, a new threat actor, Xenotime, seems to have specialized in the compromise of industrial safety systems.
Xenotime, as some of us may recall, is the threat actor behind the 2017 Trisis/Triton malware attacks and likely the cause of others. In 2017 Xenotime rose to visibility when Dragos and FireEye jointly published details of the Trisis/Triton attack, in which the attackers targeted Schneider Electric’s Triconex safety instrumented system. The malware caused multiple industrial systems in a Middle Eastern facility, believed to be in Saudi Arabia, to shut down.
Xenotime appeared to target the Triconex industrial safety technology made by Schneider Electric SE in what seems to have been a state sponsored attack. The computer security company Symantec claimed that the malware, known as “Triton”, exploited a vulnerability in computers running the Microsoft Windows operating system.
Let’s be crystal clear. The goal of an industrial safety system is to provide safety. This is done by providing error-free, fault-tolerant control of industrial systems, usually through fully redundant command and control modules. Simply put, Xenotime’s targets are centered on the compromise of safety systems, which implies that significant damage and the loss of human life were considered as goals or as likely fallout of the attack. Safety systems are there to protect people; compromising them is designed to potentially hurt people. When these systems are compromised, the resulting failure can lead to widespread destruction, explosions, and other hazards depending on the infrastructure being controlled.
Every day and every month threat actors, some nation-state supported, continue to align their time and resources against public utilities around the world. The sophistication and capability of these threats, whether driven by ransomware, or by sophisticated software designed to compromise the process control infrastructure common to many utilities, continue to increase.
DNS is an Essential Part of Your Defense
It’s tough out there now.
You need a full security stack for your clouds, your on-premises resources, your IoT and related process control components, and your remote workers – a critical part of this stack is DNS security.
DNS is in the kill chain in the great majority of attacks. Sooner or later, malware must reach back to its command and control infrastructure, and DNS is used as a covert communication channel for this purpose. In some cases, attackers use malicious domains and IP addresses that already have a reputation and may be identified by threat intelligence. In many other cases the behavior of DNS queries, viewed in context, provides the critical clues you need to identify and stop the attack.
DNS is ubiquitous and frequently used as an attacker technique for malware infiltration and data exfiltration. Standard security controls and technologies such as next-gen firewalls, IPS, and gateways generally do not inspect DNS to detect malicious communications. Much of the time they are unable to prevent specific attacks such as DNS data exfiltration. Most importantly, they are not able to detect the subtleties of newly created malicious addresses and domains.
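As an added example (not Infoblox or BloxOne code, and not part of the original post), the following Python sketches the kind of in-context DNS query analysis the two paragraphs above describe: it aggregates queries per base domain and flags a domain only when at least two independent indicators of encoded-payload traffic line up (subdomains that never repeat, high character entropy, unusually long labels, a TXT-heavy mix). The log format, the sample lines, the two-label base-domain split and every threshold are constructed assumptions for this example.

```python
"""Heuristic DNS exfiltration / tunnelling detector over query-log lines.

Added example for this post, not Infoblox or BloxOne code. The log format
("<timestamp> <client> <qtype> <qname>") and all thresholds are constructed.
"""
import math
from collections import Counter, defaultdict

# Constructed sample: ordinary lookups, a domain with short distinct subdomains
# (benign), and one whose subdomains are long, unrepeated and high-entropy.
SAMPLE_LOG = """\
2021-11-07T10:00:01Z 10.0.0.5 A www.example.com
2021-11-07T10:00:02Z 10.0.0.5 A cdn.example.com
2021-11-07T10:00:03Z 10.0.0.7 AAAA mail.example.org
2021-11-07T10:00:04Z 10.0.0.5 A www.example.com
2021-11-07T10:00:04Z 10.0.0.7 A a1.photos.example
2021-11-07T10:00:04Z 10.0.0.7 A a2.photos.example
2021-11-07T10:00:05Z 10.0.0.7 A a3.photos.example
2021-11-07T10:00:05Z 10.0.0.7 A a4.photos.example
2021-11-07T10:00:05Z 10.0.0.7 A a5.photos.example
2021-11-07T10:00:05Z 10.0.0.9 TXT x7k2mq9ap3vz8rt4ln6wb0ycd5hs.tunnel-test.invalid
2021-11-07T10:00:05Z 10.0.0.9 TXT q4n8vb1zx6kp3lm0rt9ws2yc7ad5.tunnel-test.invalid
2021-11-07T10:00:06Z 10.0.0.9 TXT m3z9rk6tp1xv5nq2bl8wy4sc0hd7.tunnel-test.invalid
2021-11-07T10:00:06Z 10.0.0.9 TXT v8p2lt5kq9zm3xn6rb1wy0ac4sd7.tunnel-test.invalid
2021-11-07T10:00:07Z 10.0.0.9 TXT k6x1qn9tv3mz7pl2rb5wy8sc0ad4.tunnel-test.invalid
2021-11-07T10:00:07Z 10.0.0.9 TXT z2t7kq4xm9vn1pl6rb3wy5sc8hd0.tunnel-test.invalid
2021-11-07T10:00:08Z 10.0.0.7 A login.example.net
"""

# Illustrative starting points; baseline them against your own resolver traffic.
THRESHOLDS = {
    "min_unique_subdomains": 5,  # enough distinct labels to judge a pattern
    "min_unique_ratio": 0.8,     # subdomains that almost never repeat
    "min_mean_entropy": 3.5,     # bits/char; "www" is 0.0, "login" about 2.3
    "min_label_len": 25,         # encoded chunks push labels toward the 63 limit
    "min_txt_ratio": 0.5,        # TXT responses carry the most bytes back down
    "min_reasons": 2,            # two independent indicators before alerting
}

def shannon_entropy(text):
    """Bits of entropy per character (0.0 for an empty string)."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())

def parse_line(line):
    """Split one constructed-format line into its four fields."""
    ts, client, qtype, qname = line.split()
    return {"ts": ts, "client": client, "qtype": qtype.upper(),
            "qname": qname.lower().rstrip(".")}

def split_name(qname):
    """Return (subdomain, base_domain). Simplification: base = last two labels;
    production code should consult the Public Suffix List (e.g. co.uk)."""
    labels = qname.split(".")
    if len(labels) <= 2:
        return "", qname
    return ".".join(labels[:-2]), ".".join(labels[-2:])

def profile_domains(lines):
    """Aggregate per-base-domain features over all query lines."""
    stats = defaultdict(lambda: {"queries": 0, "txt": 0, "max_label": 0,
                                 "entropy_sum": 0.0, "subdomains": set(),
                                 "clients": set()})
    for line in filter(None, (l.strip() for l in lines)):
        q = parse_line(line)
        sub, base = split_name(q["qname"])
        s = stats[base]
        s["queries"] += 1
        s["clients"].add(q["client"])
        s["txt"] += int(q["qtype"] == "TXT")
        if sub:
            s["subdomains"].add(sub)
            s["entropy_sum"] += shannon_entropy(sub.replace(".", ""))
            s["max_label"] = max(s["max_label"], *(len(l) for l in sub.split(".")))
    return stats

def score_domain(s, t=THRESHOLDS):
    """Turn one domain's features into a verdict plus the reasons behind it."""
    n_sub = len(s["subdomains"])
    mean_entropy = s["entropy_sum"] / n_sub if n_sub else 0.0
    reasons = []
    if n_sub >= t["min_unique_subdomains"] and n_sub / s["queries"] >= t["min_unique_ratio"]:
        reasons.append("subdomains rarely repeat")
    if mean_entropy >= t["min_mean_entropy"]:
        reasons.append("high-entropy subdomains")
    if s["max_label"] >= t["min_label_len"]:
        reasons.append("unusually long label")
    if s["txt"] / s["queries"] >= t["min_txt_ratio"]:
        reasons.append("mostly TXT queries")
    return {"flagged": len(reasons) >= t["min_reasons"], "reasons": reasons,
            "queries": s["queries"], "unique_subdomains": n_sub,
            "mean_entropy": round(mean_entropy, 2), "clients": sorted(s["clients"])}

def detect(lines, t=THRESHOLDS):
    """Run the heuristics over log lines and return {base_domain: verdict}."""
    return {b: score_domain(s, t) for b, s in profile_domains(lines).items()}
```

Running `detect(SAMPLE_LOG.splitlines())` flags only `tunnel-test.invalid` (all four indicators fire, from a single client, 10.0.0.9), while `photos.example` trips just the "subdomains rarely repeat" indicator and stays below the two-reason bar. That second case is the point of requiring independent indicators: CDNs, telemetry and tracking domains legitimately generate many distinct subdomains, and a detector that alerts on volume alone buries the analyst in false positives. In production the per-domain profile would be kept over a sliding window and compared against a learned baseline rather than fixed thresholds.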
Infoblox BloxOne Threat Defense gives public utilities’ information technology and security teams the ability to leverage DNS to improve their security posture. DNS security provides the highest visibility into malicious activity so that cyberattackers can be detected and shut down early in the kill chain of events.
Rewards for Justice Reporting
The problem is well understood, and the Feds have stepped up to help the State and local governments that often control these public utilities. At this time, the U.S. Department of State’s Rewards for Justice (RFJ) program offers a reward of up to $10 million for reports of foreign government malicious activity against U.S. critical infrastructure including many types of public utilities. See the RFJ website for more information on how this can work.