Critical infrastructure: Under cyberattack for longer than you might think
Lessons from history and recent attacks on critical infrastructure throw into sharp relief the need to better safeguard our essential systems and services
Just days ago, Ukraine’s power grid came under attack as the Sandworm group attempted to deploy a piece of malware called Industroyer2 against the operations of an energy supplier in the country. Industroyer2, uncovered during a response effort involving ESET and CERT-UA, is a new variant of sophisticated malware called Industroyer that turned the lights off in parts of Kyiv in December 2016
Additionally, in December 2015, BlackEnergy operators interrupted power supplies for hundreds of thousands of people in Ukraine’s Ivano-Frankivsk region for several hours after sabotaging the systems of several electricity distribution companies.
The incidents were a rude awakening for anyone who thought these kinds of events were science fiction. And yet, none marked the first time that a piece of malware has been used in an attack on critical infrastructure.
Back in June 2010, Iran’s nuclear fuel enrichment facility in Natanz was hit by Stuxnet, sophisticated malware that destroyed numerous centrifuges, slashing Iran’s capacity to produce enriched uranium as a result. Stuxnet is today known as the first discovered malware targeting industrial systems and the malware behind the first cyberattack on modern-day critical infrastructure.
These attacks collectively remind us of the risks faced by various types of critical infrastructure. Indeed, history, shows that in a way, this goes back to times long before the advent of modern digital computers.
Cyberattacks on critical infrastructure – a threat going back 200 years?
By the end of the 18th century, French emperor Napoleon Bonaparte built a communication network to provide his army with a fast and reliable system for the transmission of secret intelligence. The optical telegraph system, baptized a “semaphore”, was invented by French engineer Claude Chappe and allowed for encrypted optical communications that were decipherable only with a secret codebook that select tower officers possessed.
The system relied on a network of towers built on high hills 16 kilometers apart. On the top of each tower would stand two mechanical wooden arms that moved just like a puppet’s arms and were controlled by an officer equipped with a telescope. The message encoded by the position of the arms was copied from tower to tower until reaching its destination.
And just like that, the French government could make a message fly over long distances at speeds much faster than any horseback messenger. When reaching the last tower, an officer would translate the symbols to French using the codebook.
This was a true revolution at the time – Napoleon’s army now had a secret and exclusive line of communication. Or so it thought. Some years later, the first long-distance communications network also became one of the first critical infrastructure systems to be hacked. In 1834, two brothers, François and Joseph Blanc, committed what’s often called the first wire fraud, or even the first cyberattack.
The brothers traded government bonds on the Bordeaux stock market, which used the Paris stock market as an indicator for the ups and downs of its rates. However, this information travelled by horse, taking up to five days to reach France’s southwest. If only we knew what was going on at the Paris Exchange before everyone else, they probably thought.
The semaphore presented the perfect solution, and the trick was simple: a routine message incorporating a special symbol created by the Blancs would be delivered by an accomplice in the Paris tower until it reached them. This tiny code was made to appear as an innocent error and, as set by the semaphore protocol, such errors were only to be checked for and removed by tower managers stationed in a few posts in big cities. On the way to Bordeaux, the tower in Tours had one of these managers, so François and Joseph bribed him not to correct their signal.
Meanwhile, one last accomplice in Bordeaux would be watching the tower to detect those errors and deliver them to the Blancs. François and Joseph managed to get the inside scoop on the latest data from the Paris stock exchange without being noticed for a long time. They took advantage of an expensive government-funded network for their personal gain, making big profits and disrupting the communications of the French army in the process.
Within two years, they made so much money that people started doubting their luck. In the end, the fraud ended up being discovered.
These days, attackers can carry out their attacks in new and more insidious ways.
Disrupting parliaments, banks and research institutes – and raising fuel prices
History can teach us a lot, but perhaps above all it’s that history repeats itself – or at least that it rhymes. At present, cyberattacks strike thousands of small private businesses, individuals, and big public and governmental organizations.
According to a 2021 study by Claroty that surveyed 1,000 IT and OT security professionals working in critical infrastructure in the US, the UK, Germany, France, and Australia, 65% indicated concern over attacks on critical infrastructure. Ninety percent of them reported having experienced an attack in 2021.
While the Blanc brothers’ telecom fraud didn’t affect the population at large, the attacks on the electrical power grid in Ukraine did impact hundreds of thousands of people. The risk of these direct effects is becoming increasingly acute.
Estonia: The first time the network of an entire country faced a cyberattack
On the morning of April 27th 2007, like domino pieces Estonia’s government communications, banks, phone operators, media websites, ATM machines, and the website of Parliament, along with many other online services simply shut down. Everyone felt the endless brunt of the attack that lasted 22 days.
The digitally advanced country saw its cyberspace under attack. Already by 2007, Estonia was one of the most digitalized countries in the world. People used their phones to pay for parking, government services were online, even the voting system was online, and there was Wi-Fi everywhere! But in the blink of an eye, the Baltic country went from an online dreamland to digital havoc.
Attackers used several well-known tactics, from ping floods, a type of denial-of-service (DoS) attack, to malformed web queries and email spam, most of them originating from outside Estonia. Such a vast and constant activity only met a few protective layers, certainly less than what could have been implemented. The ordeal should have become an archetype, one that should have alerted other countries to their own security vulnerabilities.
There were no immediate solutions available and essentially the attacks lasted for as long as the attackers wanted. But since most of them were perpetrated from abroad, both public and private organizations started blocking all foreign traffic to their websites in a bid to gain time to identify and filter out the malicious sources of traffic with the help of internet service providers around the world.
The subsequent criminal investigation, unsurprisingly, came to only few conclusions due to the lack of legal mechanisms and an impossibility to track down concrete addresses and people. Dmitri Galuškevitš, a 20-year-old Estonian university student, was the only attacker identified as he acted from within Estonia. Galuškevitš used his PC to attack the website of the Estonian Prime Minister’s party, the Estonian Reform Party, and was ordered to pay a fine of 17,500 krooni (approx. US$700 USD at the time).
COVID-19: A race for information
Nothing united the world as much as the need to develop a COVID-19 vaccine. The approaches to this task, however, were different. Many labs all over the world started a marathon to claim the first and safest jab. On April 23rd 2020, the World Health Organization reported a “fivefold increase in cyber-attacks” on its staff, hoping this report would serve as an alert for the months ahead.
Just a few days later, the UK’s National Cyber Security Centre (NCSC) warned that the country’s universities and laboratories conducting research into COVID-19 were suffering multiple hacking attempts, including attacks by other countries looking to collect data related to the development of vaccines.
A few months after, on December 9th, the EU’s health regulator, the European Medicines Agency (EMA), revealed it had suffered a cyberattack. On the same day, BioNTech confirmed that some documents stored on EMA’s servers for the approval of its vaccine had been “unlawfully accessed”. According to EMA’s follow-up on December 22nd 2020, the hackers exclusively targeted COVID-19 information by breaching one undisclosed IT application. The data stolen was then leaked on January 13th 2021.
The case was investigated by the CERT-EU together with the Dutch police. However, the conclusions were never officially disclosed. According to the Dutch newspaper deVolkskrant, the attackers gained access to EMA’s systems after stealing a token used to set up multi-factor authentication for new employees. The publication also reveals that people close to the case believe the incident was a matter of nation-state espionage targeting the EU’s COVID-19 strategy.
Losing control of fuel supplies
On May 7th 2021, the DarkSide ransomware gang attacked Colonial Pipeline, exploiting multiple vulnerabilities and compromised passwords. That’s all it took for the group to take down the operations of the largest pipeline system of fuel distribution in the US over a period of five days. This was the first time in the company’s history spanning 57 years and required direct intervention by the White House.
This ransomware attack had major consequences, forcing several large gas station chains to close due to fuel shortages. Fuel prices in the US soared to highs not seen since 2014.
If initially the scale of the attack made all efforts focus on the investigation of possible state-sponsored hacking, it turned out instead that it was motivated by moneymaking. DarkSide acknowledged being responsible for the attack, but denied having any political motivation: “Our goal is to make money and not creating problems for society”, it said. The group, however, is known to provide ransomware as a service to affiliates, and received a US$4.4 million ransom payment, half of which was later recovered by the FBI.
Cyberattacks are here to stay
The incredible power that allows us all to instantly connect comes at a price. More connectivity also means more vulnerabilities, more attacks, and more sophisticated strategies. Such increased interconnectivity between the digital and real worlds puts pressure on the public and private infrastructure sectors to adopt new safety routines.
While in recent years, there has been significant security effort by the operators of critical infrastructure entities, the services often remain ripe targets for cyberattacks, further highlighting the need to better shield society’s essential services from harm.