Hackers get closer to Die Hard 4.0 scenario
US Department of Homeland Security confirms breach of utility C&C
The US Department of Homeland Security yesterday confirmed that a cyber group managed to compromise the command-and-control systems of an unnamed public utility, Reuters reported.
The breach will reinforce the worst fears of security specialists such as Eugene Kaspersky, who has previously warned about real-world scenarios he compares to the plot of the movie Die Hard 4.0, where terrorists bring the US to its knees by compromising multiple C&C infrastructures.
Kaspersky's fears are echoed in the source of the disclosure: the recent US breach was revealed by a DHS sub-unit, the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), which specialises in exactly the kind of systems Kaspersky fears are at risk. In 2013 ICS-CERT investigated 256 logged attacks, the majority of them in the energy sector. The figure is almost double that of 2012, but the team says that no incident has yet caused significant disruption.
DHS said operations were also not affected by the latest infiltration. "While unauthorised access was identified, ICS-CERT was able to work with the affected entity to put in place mitigation strategies and ensure the security of their control systems before there was any impact to operations," Reuters quoted a DHS official as saying.
The agency said the intrusion was accomplished through brute-force password-cracking on an Internet portal that allowed utility employees to access the C&C suite. Brute-force tools typically start with a pre-compiled list of common, weak passwords, then try a dictionary of words; if neither works, they fall back to an exhaustive search of alpha-numeric combinations. It is not clear from DHS statements which of those stages was required to gain entry.
"In most cases, systems that are so antiquated to be susceptible to such brute forcing technologies would not have the detailed logging required to aid in an investigation like this," said Justin W. Clarke, a critical infrastructure security consultant with Cylance Inc. Because of such antiquation, Clarke said it was rare for breaches to be detected and that incident disclosures were even more rare.
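The two points above, that a brute-force attack produces a long run of failed logins before any success and that an investigation is only possible if the portal logs them, can be illustrated with a small detector. The following Python is an added example, not code from the article, DHS, ICS-CERT or Cylance; it parses constructed portal authentication log lines (the format, hostnames, usernames and addresses are all made up for the example) and flags any source/account pair whose failures within a time window reach a threshold, noting whether a successful login followed from the same source.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (hypothetical portal, users and addresses; not real data).
SAMPLE_LOG = """\
2014-05-20T02:14:01Z portal auth FAIL user=operator src=198.51.100.7
2014-05-20T02:14:03Z portal auth FAIL user=operator src=198.51.100.7
2014-05-20T02:14:04Z portal auth FAIL user=operator src=198.51.100.7
2014-05-20T02:14:06Z portal auth FAIL user=operator src=198.51.100.7
2014-05-20T02:14:07Z portal auth FAIL user=operator src=198.51.100.7
2014-05-20T02:14:09Z portal auth FAIL user=operator src=198.51.100.7
2014-05-20T02:14:10Z portal auth OK   user=operator src=198.51.100.7
2014-05-20T02:30:00Z portal auth FAIL user=jsmith src=203.0.113.9
2014-05-20T02:45:00Z portal auth OK   user=jsmith src=203.0.113.9
"""

# Assumed log line layout: "<ISO timestamp> portal auth <OK|FAIL> user=<name> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) portal auth (?P<result>OK|FAIL)\s+user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse(log_text):
    """Turn raw log text into (timestamp, result, user, src) tuples; skip unparseable lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["result"], m["user"], m["src"]))
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Sliding-window failure counter.

    Returns {(src, user): {"first_fail", "failures", "success_after"}} for every
    source/account pair that accumulates `threshold` failures inside `window`.
    `success_after` records the first successful login from that pair after the
    alert fired, which is the pattern an investigator would treat as a likely
    compromise rather than a mistyped password.
    """
    recent = defaultdict(deque)  # (src, user) -> timestamps of failures still in the window
    alerts = {}
    for ts, result, user, src in sorted(events):
        key = (src, user)
        if result == "FAIL":
            q = recent[key]
            q.append(ts)
            while q and ts - q[0] > window:  # drop failures older than the window
                q.popleft()
            if len(q) >= threshold:
                if key not in alerts:
                    alerts[key] = {"first_fail": q[0], "failures": len(q), "success_after": None}
                else:
                    alerts[key]["failures"] = max(alerts[key]["failures"], len(q))
        elif key in alerts and alerts[key]["success_after"] is None:
            alerts[key]["success_after"] = ts
    return alerts


if __name__ == "__main__":
    for (src, user), info in detect_bruteforce(parse(SAMPLE_LOG)).items():
        outcome = "then SUCCEEDED at %s" % info["success_after"] if info["success_after"] else "no success seen"
        print("ALERT %s -> %s: %d failures from %s, %s" % (src, user, info["failures"], info["first_fail"], outcome))
```

Run against the sample, only the operator account from 198.51.100.7 is flagged (six failures in nine seconds followed by a success); jsmith's single failure is below the threshold. The design choice worth noting is that the detector keys on the source/account pair and keeps a per-pair window, so a genuine user fumbling one password is not confused with a scripted attempt, and the success-after-burst flag is what turns a noisy counter into an investigation lead; none of that is possible on a portal that does not record failed logins at all, which is the gap Clarke describes.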