The cybersecurity company Symantec reported the attackers spent two years infiltrating, mapping out and possibly gaining control over power company systems, through a variety of techniques designed to trick people into activating malicious software.
The methods exploited what cybersecurity experts call the “insider threat,” a term for the various ways authorized users can let an attacker inside a network, either by mistake or malice.
“They’re basically playing on things that influence the weakest link inside your enterprise – people,” said Josh Douglas, chief strategy officer for Raytheon Cyber Services. “Their desires and their will, their social interaction, their reading habits, etcetera. The behavioral aspects of employees are a direct link to the weakness of the security of an organization.”
The methods were common and well-documented, suggesting the attackers focused less on technological sophistication and more on knowing what energy company employees were likely to do – a hacking principle known as “social engineering.”
For example, Symantec reported, the attackers:
- Disguised malware as an invitation to a New Year's Eve party – a method known as "spearphishing" – then followed up with messages containing "very specific content related to the energy sector";
- Planted malware on websites frequented by utility employees, a technique known as a "watering hole" attack;
- Hid malware inside what appeared to be a legitimate software update, or "Trojanization."
Symantec attributed the attack to a group known as Dragonfly 2.0, the same party responsible for a cyber-spying operation on energy companies uncovered in 2014. It did not speculate on the group’s origins, but did call it “an accomplished attack group” and said it used one piece of what appeared to be custom-built malware.
Just as the attackers used human behavior to build their offensive, companies can use it to design their defense, said Richard Ford, chief scientist for Forcepoint, a commercial cybersecurity company jointly owned by Raytheon.
For example, he said, the company found that while people going to a website commonly click out of pop-up security warnings, they respond better to an intermediary webpage that tells them clicking through might be a bad idea.
“By changing the context of the interaction, the overall click-through rate was dramatically lowered,” he said.
The trick, Ford said, is “to steer people, as opposed to direct them,” and close the same types of security gaps the power-grid hackers exploited.
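One way to build the kind of intermediary warning page Ford describes, as an added example that is not code from the article, Forcepoint or Raytheon: outbound links in mail or intranet HTML are rewritten to pass through a warning endpoint, and the endpoint only forwards to destinations it signed itself, so it cannot be abused as an open redirector. The endpoint URL, the trusted-domain list and the signing key below are assumed placeholder values.

```python
import hashlib
import hmac
import html
import re
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed values for this example: a hypothetical warning endpoint, the internal
# domains that should link straight through, and a placeholder signing key.
INTERSTITIAL = "https://warn.example.internal/confirm"
TRUSTED_DOMAINS = {"intranet.example.internal"}
SECRET = b"placeholder-demo-key-rotate-in-production"

HREF_RE = re.compile(r'href="([^"]*)"', re.IGNORECASE)


def sign(url: str) -> str:
    """HMAC over the destination so the endpoint only honours targets it issued."""
    return hmac.new(SECRET, url.encode("utf-8"), hashlib.sha256).hexdigest()


def needs_warning(url: str) -> bool:
    """Warn for external http(s) links; leave mailto:, relative and internal links alone."""
    parsed = urlparse(url)
    if parsed.scheme.lower() not in ("http", "https"):
        return False
    host = (parsed.hostname or "").lower()
    return host not in TRUSTED_DOMAINS


def to_interstitial(url: str) -> str:
    """Build the warning-page URL carrying the signed destination."""
    return INTERSTITIAL + "?" + urlencode({"target": url, "sig": sign(url)})


def rewrite_links(html_body: str) -> str:
    """Rewrite every external href in an HTML fragment to go via the warning page."""
    def repl(match: re.Match) -> str:
        url = html.unescape(match.group(1))
        if not needs_warning(url):
            return match.group(0)
        return 'href="%s"' % html.escape(to_interstitial(url), quote=True)
    return HREF_RE.sub(repl, html_body)


def resolve_target(query_string: str):
    """Warning-page side: return the destination only if its signature verifies
    and it is a plain http(s) URL; otherwise None (no open redirect)."""
    params = parse_qs(query_string)
    target = params.get("target", [None])[0]
    sig = params.get("sig", [None])[0]
    if not target or not sig:
        return None
    if not hmac.compare_digest(sig, sign(target)):
        return None
    if urlparse(target).scheme.lower() not in ("http", "https"):
        return None
    return target


# Constructed sample message body: one internal link, one external "party invite"
# link of the kind described in the article, and a mailto: link.
SAMPLE_HTML = (
    '<a href="https://intranet.example.internal/hr">HR portal</a> '
    '<a href="https://invite.example.com/party?id=1&amp;x=2">New Year\'s Eve party</a> '
    '<a href="mailto:it-helpdesk@example.internal">Help desk</a>'
)


if __name__ == "__main__":
    print(rewrite_links(SAMPLE_HTML))
    query = to_interstitial("https://invite.example.com/party?id=1&x=2").split("?", 1)[1]
    print("resolved:", resolve_target(query))
    print("tampered:", resolve_target(query.replace("invite", "evil")))
```

The signature is what makes the page safe to deploy: without it, anyone could craft `confirm?target=...` links that lend the warning page's own domain to a phishing destination, and the interstitial would make matters worse rather than better.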
“People are great. We’re awesome. And we’re also very focused on what we’re doing, and we don’t think about the consequences for that,” Ford said. “There’s no patch for people. At least, if there is, I’m not sure I want to install it.”
Josh Douglas is the chief strategy officer for Raytheon’s cyber services business. Richard Ford is the chief scientist for Forcepoint, a commercial cybersecurity company jointly owned by Raytheon.