The vast majority of targeted computer attacks now start with a malicious e-mail sent to a company employee. Now evidence suggests that the same technique could be used to attack watersheds, power grids, oil refineries and nuclear plants.
Attackers increasingly use so-called spearphishing attacks, in which they send employees targeted e-mails â€" often from an e-mail address that matches the name of a colleague, supervisor or chief executiveâ€"that contains malicious code. One click is all it takes for an attacker to steal an employee’s administrative passwords, turn their machine into a recording device, and see everything they do.
Night Dragon, a series of computer attacks that hit oil, gas and chemical companies in the United States two years ago, used spearphishing. So did Shady Rat, another extensive digital espionage campaign discovered in 2011 that went after 70 government agencies, corporations and nonprofits in 14 countries. Spearphishing is so easy to deploy and effective that 91 ercent of targeted attacks start with malicious e-mails, according to TrendMicro, a computer security firm with headquarters in Tokyo.
But that same method could be used to harm utilities, power plants, gas pipelines and watersheds. In a presentation at the S4 computer security conference in Miami on Thursday, Tyler Klinger, a security researcher at Critical Intelligence, an open-source intelligence firm, demonstrated just how susceptible these systems are to spearphishing attacks.
Using Jigsaw, a Salesforce service that crowdsources contact information for sales teams, Mr. Klinger dug up the e-mail addresses for control room supervisors at power plants and the engineers that perform maintenance on oil pipelines. He was able to confirm those e-mail addresses using LinkedIn, and also see their contacts and those that had “endorsed†their work through the service.
Using that information, his team sent several targeted e-mails, ostensibly from colleagues and contacts, regarding job! opportunities or software training for Wonderware and Totalflow, software used in industrial control systems.
Mr. Klinger described the e-mails as “the trickle coming out of the dam before it breaks.â€
The hit rate was enough to make you shudder: Some 26 percent of employees who work closely with industrial control systems fell victim to the attack. Mr. Klinger did not disclose the names of the victims, but among their job titles were: a control room supervisor, a pipeline controller, an automation technician, a process controls engineer and a senior vice president for operations and maintenance.
The sample size of the study was not large â€" at one company of more than 300 people, Mr. Klinger’s team identified 23 employees who worked with industrial control systems; seven clicked the link. At another company with roughly 200 employees, they identified 49 employees who worked with critical systems. Eleven clicked the link.
But all it takes is one click for an attacker to getinside a system. In one case, Critical Intelligence could see an instant messaging exchange between two employees that discussed critical systems. And while it would be difficult for attackers to inflict catastrophic damage from one employee’s machine, a patient attacker would simply wait for that employee to connect his or her laptop to an electrical substation, or move around the network to an employee who connected to critical systems regularly.
“These are the people that have 24-7 access,†to control rooms, said Dale Peterson, the chief executive of Digital Bond, the security firm that presents the annual S4 conference. “This is about as real as it gets.â€
