Max Sheridan —
About three months before the Colonial Pipeline hack paralyzed the Eastern Seaboard, an operator on the morning shift at the Oldsmar Water Treatment Plant in Florida noticed his mouse cursor was moving by itself. This is what he told local police hours later. He didn’t pay it any mind at the time. His boss routinely used TeamViewer, the plant’s remote-access software, to check on things when he wasn’t physically at the plant.
With Killware, cybercriminals now have the tools to end lives.
When his cursor malfunctioned again a little while later, it was obvious that this was no remote check-up. This time the cursor was moving with purpose, clicking on controls and changing settings. In another few seconds, whoever had hijacked Oldsmar’s operational technology (OT) had also reprogrammed the levels of sodium hydroxide in the city’s water supply.
FYI: The Oldsmar Water hack wasn’t the first case where a bad actor gained access to a city’s critical infrastructure. Back in 2001, in Maroochy, Australia, a deranged IT consultant looking for payback hacked into the municipality’s sewage treatment network, flooding local rivers with millions of gallons of toxic waste.
You may know sodium hydroxide by its household name, lye. In small doses lye can help control PH levels in water — small doses being 100 parts per million. The hacker who broke into Oldsmar’s OT had ramped the levels up to 11,100 parts per million, enough to sear flesh.
“This Is Dangerous Stuff”
In its official statement, the City of Oldsmar claimed that even if the plant hadn’t caught the hack in real time, it would have taken over a day for the city’s water supply to reach toxic levels. In between the breach and a full-blown public emergency, they say, someone at the plant would have noticed, and stopped it.
The Oldsmar hacker was never caught, by the way. Media scrutiny of the “killware” attack fizzled out in about a week.
But the fact is, we don’t know what would have happened if that plant operator hadn’t been watching his screen when the hackers struck, especially since the fail-safe mechanisms the city claimed would have saved the day were part of the operational technology they’d hijacked.
As Pinellas County sheriff Bob Gualtieri warned reporters at a press conference the day the attack went public: “This is dangerous stuff.”
Indeed, it is.
A Closer Look: Operational technology (OT) falls under the general umbrella of cyber-physical systems (CPSs), which use computer algorithms to run and monitor physical systems. Our critical national infrastructure relies on OT to keep our power grids, transportation systems, and water supplies running.
The Backdoor That Shouldn’t Have Been There
The Colonial Pipeline ransomware hack and the Oldsmar killware hack have one thing in common, and it’s the part of the story that usually gets lost in the hype surrounding payouts and data breaches. It’s also the part that should be worrying us most of all.
Darkside ransomware hackers wormed into Colonial Pipeline’s network via a virtual private network (VPN) account employees used to access the company’s network remotely. Once inside, they attacked the computerized equipment that controlled the pipeline. In other words, they attacked Colonial Pipeline’s OT.
They also stole about 100 gigs of data off CP’s network, the official ransom. Colonial Pipeline did end up paying to rescue their sensitive data, but that wasn’t their primary concern at the time. With their OT hijacked, CP executives realized that physical infrastructure, and possibly lives, were in jeopardy.
If this sounds eerily like the Oldsmar Water Hack, that’s because it is similar. FBI forensics experts believe that the bad actors who tried to dump enough sodium hydroxide into Oldsmar’s water supply to wipe out the whole city gained entry to the plant’s operational technology — its physical systems — through software it accessed via the internet.
Did You Know: The COVID-19 pandemic has left many organizations underfunded and understaffed, exposing our already vulnerable critical instructure to serious attack, as witnessed this year with the rash of ugly PYSA ransomware hacks. These attacks targeted U.S. hospitals, school systems, and universities.
This should not have been possible. IT networks and OT networks should never intersect. Critically, you shouldn’t be able to access an OT network via the internet, as both the Oldsmar Water Plant and Colonial Pipeline hackers did.
When this happens, you’re not looking at a ransomware scenario anymore. You’re looking at a “Die Hard” scenario. Which is what Oldsmar really was. It was just sheer luck that Oldsmar had its John McClane, the plant operator who caught the breach. We may not be so lucky the next time around.
Hacking Into the Internet of Things
In “No Time to Die,” the latest Bond film, the Specter crime syndicate designs a strain of plague-carrying nanobots to eliminate its enemies upon contact. Specter is using OT the way it should be used. Their bots are self-contained. They can’t be reprogrammed from afar.
If Specter had designed technology they could communicate with and control via the internet, MI6 could have hacked their system and told the bots to do something nice to their targets instead – like make a cup of tea.
FYI: In 2015, six years before Oldsmar and the Colonial Pipeline attack, the Russian hacker collective Sandworm left 250,000 Ukrainians without power after they hacked into the Ukraine power grid and crippled it via remote-access software.
This is what the Internet of Things (IoT) is today, cyber physical systems we monitor and control via devices connected to networks. From the point of view of a hacker, there is no difference between the internet-dependent OT at Oldsmar and our smart home security cameras, thermostats, lights, appliances, and exercise machines. They are equally vulnerable.
We already know how REvil’s Ransomware as a Service works. Forget gas and water shortages for just a second and try to imagine a near future where cybercriminals lease out the malware to hobble our home security systems, leaving our physical houses wide open to burglary. Or our wearables. Or our cars.
The Light at the End of the Virtual Private Tunnel
Cybercrime has reached grim new benchmarks this year, but it also looks like world governments have begun to read the writing on the wall.
In mid-October, the first Congress on Ransomware met via Zoom (30 countries minus Russia.) Big tech has also put skin in the game. Google, for instance, has pledged a hearty $10 billion to help get our critical infrastructure up to speed, detangling our vulnerable legacy systems (OT) from the hackable networks (IT) that make us sitting ducks.
A Closer Look: In a so-called reverse hack, the U.S. government managed to reclaim $6 million from the REvil hacking gang, about half what the cybercriminals stole from meat processing giant JBS in May.
Elsewhere in Silicon Valley, the cyber insurance start-up, Coalition, is on a mission to change the whole conversation around cybersecurity. Less focus on bulletproofing networks and more on anticipating vulnerabilities, they argue.
From the point of view of hindsight — 37 percent of companies around the world fell victim to ransomware attacks in 20211 — Coalition’s proposal makes a lot of sense. It also offers real hope that, if businesses and governments do get their acts together, a potentially catastrophic breach like Oldsmar will remain an outlier
The post Move Over Ransomware. Killware Is Here. appeared first on SafeHome.org.