DHS Warns of Russian Hacking of Utility Networks

NEWS ANALYSIS: Utility company partners and suppliers used as pathways to break into supposedly secure networks affecting hundreds of victims.


The U.S. Department of Homeland Security has begun a series of briefings with executives of utility companies into the successful penetration of their supposedly secure networks by Russian hackers. The briefings, first reported by the Wall Street Journal, began in 2016 and continued into last year. DHS previously warned about the activities through an alert by US-CERT on March 15, which gave details about the attacks.

In the briefings, DHS said that the attacks affected hundreds of victims in what was a yearlong effort to penetrate and conduct surveillance and intelligence gathering. In the process, DHS said that the agency believes that the Russians are poised to conduct a limited or widespread attack against the U.S. critical infrastructure.

While it might be nice to assume that the affected utilities have taken action to clean up the problem, the reality is that they probably haven’t. Partly this is because many of them don’t even know they’ve been penetrated. According to DHS, the attackers used the credentials of people with legitimate access.

But the problem doesn’t stop there. Many, if not most, of the utility networks were considered secure because they were air-gapped. This means that they had no direct connection to the internet, and because of that their operators assumed that hackers couldn’t reach them.

No Amount of Human Vetting is Enough

The operators also considered themselves secure because their employees had their backgrounds carefully checked. Likewise, many thought they were secure because their partners and vendors had been carefully vetted.

One common factor about all of these assumptions is that they’re wrong. Air-gapped networks aren’t made secure just because they’re not connected to the internet. Checking a person’s background is no assurance that they’re not compromised, and vendors and business partners are a common pathway for attacks, no matter how carefully you assume otherwise.

Probably the most common danger is assuming air-gapped networks aren’t connected to the internet. In reality, a surprising number actually do have an internet connection that the IT staff misses or doesn’t realize poses a threat. They include dual-homed workstations, rogue WiFi routers, backup connections and legacy connections.

A dual-homed computer is one that has two or more network interfaces, each on a different network. This is surprisingly common with high-end workstations and almost a standard configuration for enterprise servers. All it takes is one network connection to the wrong switch or router to remove the air gap.

With rogue WiFi routers, the network connection takes place via radio rather than a network cable, but it’s still there. All it takes is a wireless access point on a network that’s connected to the internet to make the link. The same thing can happen if a computer with a WiFi network interface happens to be connected to a wired network that has an internet connection.

Legacy Connections Often Are Problematic

Backup connections are those where there’s a network connection that’s disabled but still exists physically. They usually exist as a path to the network in case the primary links go down. When a network is air-gapped, it’s not uncommon for those connections to remain, since they don’t show up on a network map because they aren’t active.

The same is true for legacy connections. It’s not uncommon for a connection to the outside world, such as a T1 line, to exist long after its primary function has been abandoned. It’s still there, but it’s not used. But a hacker can find it and use it, and you’ll never know unless you monitor your phone bills carefully.

But let’s say you’ve got a good air gap. There are still plenty of ways the Russians (or other bad guys) can get in. The one that DHS mentions is through vendors and partners. The risk here starts because your partners and vendors may not have the level of security that you do. They may be smaller companies that can’t afford a full time security staff, or they simply may not realize the threat they pose for you.

What happens is that the hackers target those other businesses and extract information that they can use either to break into your network, or, more likely, to use in a phishing attack. They can find out who works at your organization, what they do, their email addresses and phone numbers, and perhaps other important details.

Contractors Should Not Have Direct Access to the Network

They may also find direct access to your network, as happened with the infamous Target breach where an HVAC contractor was compromised, and the hackers used their credentials to attack Target. This same type of attack will work if you allow remote access to your network by someone at another company.

The Russian hackers described by DHS used all of those methods in their successful attacks. They were successful partly because of complacency and partly because of a lack of security awareness or capability.

It’s unclear what anyone can do about complacency; after all, those folks aren’t reading this, either. But there are solutions.

Finding unsuspected breaks in the air gap may be hard to do, but it’s possible if you look. This may require an audit and some detective work when it comes to finding legacy and backup connections, but a good network management system can find dual-homed computers and rogue routers.

Solving the risks of partners will require developing a real trust relationship, so that you can ask for help if you’re the small company that’s at risk of being the pathway for an attack. You also have to develop a level of trust if you’re the company that’s the target, because you may have to work closely with your vendors and partners to confirm that their security meets your requirements. More importantly , you may have to provide assistance to help them meet those requirements.

While you can make demands and set requirements for security practices, that doesn’t help you if the company you work with can’t or doesn’t know how to carry out those requirements. For your own protection, you may need to be actively involved in teaching them and supporting them in their effort to be more secure.

Wayne Rash

Wayne Rash

Wayne Rash is a freelance writer and editor with a 35 year history covering technology. He’s a frequent speaker on business, technology issues and enterprise computing. He covers Washington and...