In December of 2010, long before news broke regarding the Chinese attacks on US critical infrastructure, I got a call from a utility customer that quite simply said, “We’ve been hacked and I don’t know how bad. Can you help?”
I was on a plane the next day and over the next seven weeks we tracked a hacker on their internal network. When we finally caught our hacker, the first thing that caught us by surprise was that he was on site. We always suspected a team of foreigners, hired to provide support for a Smart Grid development contract, and in fact we had already confiscated one of their laptops. Still, we couldn’t prove any of them were part of the attack.
What we really believed was the contractors were the conduit through which some rogue agent or agents were able to plant malware and compromise systems. Surely the guys on site would not be so bold as to be actively hacking. After all, my client had sophisticated intrusion detection and prevention systems in place. What wasn’t a surprise, and was always considered a possible motive, was that our hacker was stealing Smart Grid technology and sending it back to China. We expected as much.
A recent article in Bloomberg identified UglyGorilla as a Chinese hacker who infiltrated a major utility company in the Northeastern United States. As a result, he gained access to dozens of documents that describe the technical details of a major part of the United States’ critical infrastructure, namely the pipeline system.
Armed with this information, UglyGorilla now has the necessary information to exploit vulnerabilities within the industrial control systems that manage the transport of much of our nation’s oil and natural gas. If UglyGorilla was a lone actor, we could minimize the level of threat associated with this activity, but UglyGorilla is part of China’s state-sponsored hacking group known as Unit 61398, part of the People’s Liberation Army (PLA). In other words, China has not only stolen the technical details to build their own sophisticated pipeline systems, but they now have the information they need to create a catastrophic event in the United States without using bombs, bullets or troops.
Industrial control systems (ICSs) have historically been separated from other networks, particularly the Internet. But in recent history, ICSs have been increasingly integrated with administrative networks including the Internet.
For at least the last two years, Unit 61398 has been hacking utility companies including electric utilities, oil and gas companies, and even water systems. In fact, they primarily target industries that are identified as strategic to China’s economic growth. The immediate benefit to China is of an economic nature. Why spend money on research when it is so much cheaper to steal the technology from U.S. companies? Because of this, up until recently strategists believed China’s hacking activity was economically motivated.
Today, we have to question China’s motivation. Much of the technology is readily available all over the world. Why would they need to steal technical documents regarding building Smart Grid or pipeline operations?
In the months following my customer’s attack, I began to ask myself some basic tactical questions. How did we really catch this guy? How could my customer be prepared to catch him quicker? How could they have prevented this from happening in the first place? In other words, what were the lessons to be learned? Today I ask myself even more questions that are more strategic in nature. Let me summarize.
Tactical Lessons Learned
- Control of contractors and subcontractors is important
- Control of internal devices including desktops, notebooks, mobile devices, etc. is important
- Network monitoring is critical
- Establishing a perimeter may be impossible
- Never forget the attacker could be physically on your network
Strategic Questions
- What are the real risks?
- How can we protect our nation’s infrastructure?
- What fundamental changes will have the greatest positive impact on national security?
While it is probably safe to say that the attack we discovered in 2011 was motivated by economic gain, could Chinese hackers have unlocked, or have they already unlocked, the secrets to not only attack but defeat the U.S. in war without bombs, bullets and troops?
This is a guest post by David Thomason, President/Founder of Thomason Technologies, LLC.