A cyber-attack cripples a power grid, leaving an entire town in the dark, and a jammed home security system stops detecting intruders. What do these seemingly unrelated events have in common? Surprise! It's inadequately trained staff.
First Published 15th January 2016 | Latest Refresh 6th May 2021
5 min read | Reflare Research Team
Power generation in Ukraine has, let's say, a history.
Today, the need for practical cyber security training has never been more critical. In fact, 'inadequately trained staff' is often the organisation’s weakest link for allowing cybercriminals to wreak havoc on business-critical networks and systems.
Whether they are developers, administrators or otherwise, your team can unintentionally assist hackers in their nefarious intentions. Here we look at two major security breaches where a simple lack of security awareness among staff brought down not just a major player in broadband, but almost an entire country.
On one chilly December afternoon, over 200,000 people in Ukraine lost electricity for several hours after hackers breached the country’s Prykarpattyaoblenergo power grid using a type of social engineering attack called spear phishing.
Spear phishing targets phishing emails at specific key personnel within an organisation to obtain highly sensitive credentials and data. Social engineering is an attack vector of choice for cybercriminals. It's completely user-driven, which makes it efficient, quick and low-risk. The process involves building trust with potential victims and then persuading them to perform actions they normally wouldn't.
One such action can be an employee simply clicking on a malicious link or downloading an attachment from an email that appears to come from a legitimate source. In the case of the Prykarpattyaoblenergo utility, hackers were able to breach Ukraine's critical power supply using malware called 'BlackEnergy' delivered in a malicious Microsoft Word file.
"This is the first case in Ukraine where the hacker attack resulted in a power outage", Sergey Golovan, a spokesman for Ukraine's state security service, said at a news conference. Not only was Sergey correct in saying it was the first time in Ukraine that a power grid had been taken out by a cyber-attack, it was also the first time in the world. Ukrainian accusations pointed toward Russian hackers as the culprits, but there was little evidence to support this at the time. The hack garnered so much global attention that NATO saw fit to release a short video profiling what happened.
In October 2020, a federal grand jury in Pittsburgh, Pennsylvania indicted six Russian GRU officers in connection with the 'worldwide deployment of destructive malware and other disruptive actions in cyberspace', which included the Ukraine blackout. It is also worth noting that this is the same group charged with the NotPetya ransomware attack, spear phishing around the 2017 French elections and, among other things, conducting the odd Novichok poisoning in the United Kingdom.
This breach brings to light the importance for workers in major infrastructures such as power, sewage, water, and food production to be on alert for potential risks. Hackers no longer target just individuals but also government entities and critical networks. These structures were built decades ago, and older systems are sometimes vulnerable to various attacks if not patched properly.
For critical infrastructure that possesses ageing technologies operated by lackadaisical staff, it is no longer a question of “if” their systems will get hacked, but of when, and by whom.
Engineers at Comcast Corp. (Nasdaq: CMCSA, CMCSK) have learnt the importance of thinking like a hacker the hard way. Engineers do not often think of security risks when designing systems, which is a critical mistake made all too often in software development. Such is the case with Comcast’s Xfinity Home Security systems. IoT has become increasingly targeted by hackers since security is not often integrated into its software.
A motion sensor unable to sense motion might be problematic.
Xfinity's security system monitors the home for intruders using Wi-Fi connectivity. However, jamming the wireless signal that carries sensor data back to the central hub was found to produce a false negative: the system reported the home as secure even while an intruder was present.
Instead of treating a loss of sensor communication as a condition that warrants an alert, the Xfinity system treats it as 'all clear'. This goes against the basic fail-secure principle and against designing a system with security in mind. Consequently, the use of Xfinity Home Security could leave the home vulnerable to a thief with $20 worth of jamming equipment.
The irony of a security system engineer designing a security system without security is not lost on this writer.
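The design flaw described above comes down to one decision in the hub: what state to assume when a sensor goes silent. The following added example (not Comcast's or Xfinity's code; every name, the heartbeat interval, the supervision timeout and the event stream are constructed for illustration) shows the weak fail-open logic beside a fail-secure version in which silence beyond a supervision window is itself an alarm condition. The constructed event stream stops at t=10, standing in for a link that is lost from that point on, so neither the later heartbeats nor the door-open report ever reach the hub.

```python
"""Sensor-supervision logic for a home alarm hub: fail-open versus fail-secure.

Added illustration, not Comcast/Xfinity code. All names, intervals and the
event stream below are constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Hypothetical radio parameters, not the real product's.
HEARTBEAT_INTERVAL = 5.0                      # seconds between sensor check-ins
SUPERVISION_TIMEOUT = 3 * HEARTBEAT_INTERVAL  # three missed check-ins = link lost

# Constructed event stream as received by the hub: (time_s, sensor_id, message).
# "hb" is a periodic supervision heartbeat, "open" means the contact opened.
# The link is lost after t=10: the heartbeats at t=15, 20, ... and the
# "open" report at t=20 never arrive, so nothing after t=10 is in the list.
RECEIVED_EVENTS: List[Tuple[float, str, str]] = [
    (0.0, "front_door", "hb"),
    (5.0, "front_door", "hb"),
    (10.0, "front_door", "hb"),
]


@dataclass
class Hub:
    """Tracks the last time each enrolled sensor was heard from."""
    enrolled: List[str]
    last_seen: Dict[str, float] = field(default_factory=dict)
    tripped: bool = False

    def ingest(self, time_s: float, sensor: str, message: str) -> None:
        self.last_seen[sensor] = time_s
        if message == "open":
            self.tripped = True

    def status(self, now: float) -> str:
        raise NotImplementedError


class FailOpenHub(Hub):
    """Weak logic: 'secure' unless a contact explicitly reported 'open'.
    Silence is indistinguishable from an untouched door."""

    def status(self, now: float) -> str:
        return "alarm: contact opened" if self.tripped else "secure"


class FailSecureHub(Hub):
    """Hardened logic: silence beyond the supervision window is an alarm
    condition, because a jammed or dead sensor cannot report an intrusion."""

    def status(self, now: float) -> str:
        if self.tripped:
            return "alarm: contact opened"
        for sensor in self.enrolled:
            last = self.last_seen.get(sensor)
            if last is None or now - last > SUPERVISION_TIMEOUT:
                return f"alarm: supervision lost on {sensor}"
        return "secure"


def run(hub_class, events: List[Tuple[float, str, str]], now: float) -> str:
    """Feed every event received up to 'now' into a fresh hub and report its status."""
    hub = hub_class(enrolled=["front_door"])
    for time_s, sensor, message in events:
        if time_s <= now:
            hub.ingest(time_s, sensor, message)
    return hub.status(now)


if __name__ == "__main__":
    for t in (12.0, 30.0):
        print(f"t={t:>4}: fail-open={run(FailOpenHub, RECEIVED_EVENTS, t)!r}  "
              f"fail-secure={run(FailSecureHub, RECEIVED_EVENTS, t)!r}")
```

At t=12 both hubs report "secure", since the last heartbeat is only two seconds old. At t=30 the fail-open hub still reports "secure" even though the sensor has been unreachable for twenty seconds, while the fail-secure hub raises a supervision alarm. The supervision window is the tuning knob: short enough to catch a jammed link quickly, long enough to tolerate the occasional dropped packet.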
After the fact, Comcast did issue a voluntary product recall on the Xfinity Home to fix this "glitch", but not before receiving negative press for putting their customers at risk and having their ability to design secure products called into question.
The breach brings to light the importance of security as part of development and engineering for IoT systems, which remain problematic. The Xfinity system is just one of several IoT products that have been shown to be vulnerable to hackers. Until IoT designers think like hackers, these systems will continue to expose severe flaws.
As you have read in this research brief, both of these vulnerabilities could easily have been avoided had it not been for the complacency of individual staff members who simply did not have security front of mind. The challenge now is to identify other vulnerabilities and take preventative action before they become problematic. To stay up to date with the latest information on similar events and learn how to mitigate specific IT security risks before they land in your lap, read more of our research briefs on related topics.