More stories

    The race towards renewable energy is creating new cybersecurity risks

    The renewable energy industry is becoming more important as countries attempt to move away from fossil fuels, but the continued growth of the sector must be managed with cybersecurity in mind, or there’s the danger that vulnerabilities in everything from power plants down to smart meters could leave energy providers and their customers open to risk.

    The energy industry is already a high-profile target for hackers, including those looking to deploy espionage campaigns, ransomware and even attacks with the intent to sabotage systems to cut off power – and the rapid transition towards renewable energy could lead to additional avenues for cyber criminals to exploit.

    A new report by defence and security think tank the Royal United Services Institute (RUSI) has outlined some of the top cyber risks during the transition towards renewable energy from fossil fuels.

    “Renewables offer huge opportunities for the UK to become more self-sufficient in energy production whilst mitigating effects of climate change. This transition has to be taken with cybersecurity in mind, cognisant of future cyber threats to society due to the massive digitalisation of the sector,” said Sneha Dawda, research fellow in cybersecurity at RUSI.

    One of the main targets for cyber attackers is the supervisory control and data acquisition (SCADA) systems responsible for managing industrial networks. There are two key security issues in SCADA systems – the first is that many of these networks are old, sometimes to the extent that they can’t receive security updates, which means that if they’re linked to internet-facing areas of the network, they can potentially be infiltrated by cyber criminals.

    SCADA systems’ security can also be threatened if there’s a remote element to access, via cloud services and VPNs. Newer systems can lean heavily on remote access, but if secure login credentials or patch management aren’t looked after properly, this can provide another avenue for cyberattacks, particularly if automated systems that might not be closely monitored are involved.

    Some of the most common cybersecurity advice is to patch systems with security updates to protect against attacks. But the reality is that for many energy providers, the network is based on legacy systems – and in many cases, updating or replacing those systems could potentially affect services or involve rebuilding them completely.

    According to the RUSI paper, another of the key concerns facing the renewable energy sector is cybersecurity risk in the supply chain. “If one vendor within the supply chain is compromised, this can have widespread consequences for all connected organisations,” the report warns, citing the likes of the Kaseya and SolarWinds attacks as examples of how cyber attackers can cause massive disruption through the software supply chain. In order to combat this, some of those consulted by researchers suggest that energy providers should take a more careful approach with supply chains, asking questions of suppliers and even helping them improve their security in some cases.

    But it isn’t just energy providers themselves that could be affected directly by cybersecurity vulnerabilities – products and devices used in homes and businesses are also potentially at risk. One threat that the report warns about is lithium-ion batteries, which use a battery management system (BMS) to monitor safety and reliability – and can be connected to networks. The paper warns that weaknesses in encryption, authorisation and remote access into these connected devices could be exploited by attackers.

    What’s more, these aren’t the only connected devices that potentially contain cybersecurity risks that need to be examined. The paper suggests that home car chargers are “a unique point of intrusion because they serve a very specific purpose”. Home chargers are becoming more common as hybrid and electric vehicles increase in popularity – but there are already examples of connected chargers being found to have firmware vulnerabilities that attackers can exploit, either to gain access to networks or to rope the devices into a botnet. “While these vulnerabilities have been patched, they provide good examples of how this technology is lacking in industry standards,” says the paper.

    The final cybersecurity risk relating to renewable energy examined by the paper is IoT devices in smart homes and buildings. Energy companies are increasingly encouraging customers to install smart meters and other sensors. However, smart meters and IoT devices can be vulnerable to cyberattacks, providing cyber criminals with a route into networks and the ability to build botnets. It can also be difficult for users to patch IoT devices – if they can be patched at all.

    The paper suggests initiatives like the UK government’s ‘Secure by Design’ legislation could help improve the cybersecurity situation – and concludes that further research into risk-mitigation strategies and policy-focused recommendations is required.

    SnatchCrypto campaign plants backdoors in crypto startups, DeFi, blockchain networks

    A new campaign focused on emptying the cryptocurrency wallets of organizations in the financial and crypto spaces has been revealed by researchers. 

    Dubbed SnatchCrypto, Kaspersky researchers said on Thursday that the campaign is the work of BlueNoroff, an advanced persistent threat (APT) group suspected of being connected to the larger Lazarus APT. Lazarus is a North Korean hacking unit tied to cyberattacks against banks and financial services. The APT specializes in SWIFT-based intrusions in countries including Vietnam, Bangladesh and Taiwan. Alongside Cobalt and FIN7, Blueliv recently branded the group as one of the top threats faced by FinTech firms today.

    “The group [BlueNoroff] seems to work more like a unit within a larger formation of Lazarus attackers, with the ability to tap into its vast resources: be it malware implants, exploits, or infrastructure,” the researchers say.

    According to Kaspersky, BlueNoroff has conducted a series of attacks against both small and medium-sized companies tied to cryptocurrency, virtual assets, the blockchain, smart contracts, decentralized finance (DeFi), and FinTech in general. BlueNoroff focuses on building — and abusing — trust to infiltrate company networks. Whether this is business communication and chats or wider social engineering techniques, the APT spends a lot of time and effort learning about its victims. As of November 2021, Kaspersky says the group has been “stalking and studying” cryptocurrency startups. BlueNoroff aims to create ‘maps’ of current topics of interest in the target organization and then uses this information as a springboard to launch social engineering attacks that appear to be legitimate and trustworthy.

    “BlueNoroff compromises companies through precise identification of the necessary people and the topics they are discussing at a given time,” the researchers note. “A document sent from one colleague to another on a topic, which is currently being discussed, is unlikely to trigger any suspicion.” For example, an email may be sent that pretends to be a shared document hosted on Google Drive from a ‘colleague’ to an employee of a startup. In a sample obtained by Kaspersky, a notification was sent at the time the trap document was opened.  In another example, an email was pushed as a forward that appears to have been sent by a colleague — potentially increasing trust as the message looked as though it had already been checked.

    The APT also impersonates legitimate companies in phishing emails, including Coinsquad, Emurgo, Youbi Capital, and Sinovation Ventures. CVE-2017-0199, a remote code execution (RCE) flaw, is used to trigger a remote script linked to the malicious documents. The exploit will fetch a payload from a URL embedded in these files, and a remote template is also pulled. When they combine, base64-encoded binary objects and a VBA macro become available, then used to spawn a process for privilege escalation before the main payload is executed on a target system.

    “Interestingly, BlueNoroff shows improved opsec at this stage,” Kaspersky says. “The VBA macro does a cleanup by removing the binary objects and the reference to the remote template from the original document and saving it to the same file. This essentially de-weaponizes the document leaving investigators scratching their head during analysis.”

    Other infection chains observed include the use of zipped Windows shortcut files or malicious Word documents that are used to fetch secondary-stage payloads. At this point, a PowerShell agent is used to deploy a backdoor. The malware is able to remotely connect to its operator’s command-and-control (C2) server, manipulate processes and the registry, execute commands, and steal data stored by the Chrome browser, PuTTY, and WinSCP. In addition, a secondary backdoor, keylogger, and screenshot taker may also be launched on the machine.

    The final payload is a custom backdoor that has only been seen in attacks conducted by BlueNoroff. This malware will collect system data and configuration related to cryptocurrency software and will attempt to interject between transactions stemming from hardware wallets. Of particular note is when victims use browser extensions to manage their crypto. The MetaMask extension, for example, will be tampered with to monitor transactions and allow the attackers to choose the right moment to strike.

    The researchers explained how these attacks take place: “When the compromised user transfers funds to another account, the transaction is signed on the hardware wallet. However, given that the action was initiated by the user at the very right moment, the user doesn’t suspect anything fishy is going on and confirms the transaction on the secure device without paying attention to the transaction details. The user doesn’t get too worried when the size of the payment he/she inputs is low and the mistake feels insignificant. However, the attackers modify not only the recipient address, but also push the amount of currency to the limit, essentially draining the account in one move.”

    Victims have been traced to Russia, Poland, the US, Hong Kong, Singapore, China, and other countries.

    North Korean hackers stole a record-breaking amount of cryptocurrency last year

    Hackers from North Korea stole nearly $400 million worth of cryptocurrency in 2021 through at least seven attacks, and most of it was Ether (ETH) rather than Bitcoin, according to blockchain analysis firm Chainalysis. 2021 was a record year for North Korea’s military hackers, the most notorious of which is Lazarus, the group behind the destructive wiper attack on Sony Pictures Entertainment in 2014, WannaCry ransomware in 2017, multiple banks via the SWIFT banking system, and numerous cryptocurrency exchanges.

    Also known as APT 38, the group has focused on cryptocurrency theft as a prime vehicle for raising revenue for the country and evading US and UN economic sanctions. A UN panel of experts in 2018 concluded that its cryptocurrency hacks contribute to North Korea’s ballistic missile programs.

    The group employs common tactics used by other nation-state hacking groups and cybercriminals, including social engineering, phishing and software exploits. “From 2020 to 2021, the number of North Korean-linked hacks jumped from four to seven, and the value extracted from these hacks grew by 40%,” Chainalysis said in its report. Attacks from North Korean hackers in 2021 mostly targeted investment firms and centralized cryptocurrency exchanges, according to Chainalysis. The groups used social engineering to move funds from targets’ wallets to addresses controlled by North Korean accounts. The funds were then laundered and cashed out.

    Last year, 68% of the funds that North Korean hackers stole were Ether, which replaced Bitcoin as the primary cryptocurrency. Bitcoin, however, still plays a key role in laundering stolen Ether via decentralized exchanges before it is mixed into new wallets and then cashed out. Cryptocurrency mixer or ‘tumbler’ software breaks down a user’s funds into small sums and blends them with other transactions in micro-transactions before sending an equivalent value to a new address. The US filed its first money laundering charges against a US Bitcoin mixing service in 2020.

    “DPRK is a systematic money launderer, and their use of multiple mixers … is a calculated attempt to obscure the origins of their ill-gotten cryptocurrencies while offramping into fiat,” the report notes.

    North Korea also has about $170 million in cryptocurrency holdings from 49 attacks that have yet to be laundered through mixers. Of that, $55 million came from attacks carried out in 2016 while $35 million came from attacks in 2020 and 2021. Chainalysis notes that $97 million stolen from cryptocurrency wallets managed by Japanese cryptocurrency exchange Liquid.com in August was moved to addresses controlled by a party working on behalf of DPRK, resulting in $91.35 million being laundered.

    North Korea’s hacks on cryptocurrency exchanges are well documented by the US Cybersecurity and Infrastructure Security Agency (CISA). The US government’s umbrella term for the country’s hacking is HIDDEN COBRA. A February 2021 report from CISA details the work of North Korean hackers in connection with the AppleJeus malware that targeted Windows and Mac systems worldwide by posing as a legitimate cryptocurrency trading platform.

    A 'massive' hacking attack has hit government websites in Ukraine

    A ‘massive’ cyberattack has taken down several government websites in Ukraine, including those of the Ukrainian Foreign Ministry and the Ministry of Education and Science. A statement by Ukrainian police says cyber attackers left “provocative messages” on the main pages of government websites, which have been taken offline – but no personal data has been altered or stolen.

    The country’s cyber-police department is working with the State Special Communications Service and Ukraine’s security service to investigate the attacks. As of Friday morning, some of the websites have been restored, while others remain offline.

    “As a result of a massive cyber attack, the websites of the Ministry of Foreign Affairs and a number of other government agencies are temporarily down. Our specialists have already started restoring the work of IT systems, and the cyberpolice has opened an investigation,” Oleg Nikolenko, spokesperson for Ukraine’s Foreign Ministry, said on Twitter.

    Websites affected by the attack include those of the Ukrainian cabinet, a number of ministries and the state services website, which stores electronic passports and vaccination certificates.

    Josep Borrell, high representative of the EU for foreign affairs and security policy, said the European Union is mobilising “all its resources” to aid Ukraine following the cyberattack.

    “This deserves the strongest condemnation,” he told reporters, according to Bloomberg, adding: “Of course I cannot point at anyone as I have no evidence, but we can imagine.”

    Currently, nobody has explicitly claimed responsibility for the attack or made concrete accusations over where it originated. However, it came just hours after the EU renewed economic sanctions on Russia by a further six months. Russia has previously been accused of conducting a number of different cyberattacks against Ukraine, including one that disrupted energy supplies, causing power cuts in December 2015.

    Singapore busts network hawking contraband e-vaporisers via Telegram

    Singapore has uncovered a distribution network hawking e-vaporisers and other related components via Telegram. The messaging app was tapped to advertise and supply the contraband items to “a large number of people” in chat groups.

    The network was busted following a 24-hour operation conducted on January 6, which uncovered the illegal activities of a distributor and peddlers, said Singapore’s Health Sciences Authority (HSA) in a statement Friday. The industry regulator said the items had an estimated street value of almost SG$200,000 ($148,596).

    Adding that two male and one female subjects were assisting in its investigation, HSA said: “They had used Telegram to illegally advertise and supply such prohibited items to a large number of people in these chatgroups.

    “E-vaporiser smugglers and peddlers are using anonymous messaging applications, such as Wechat and Telegram, in a bid to conduct their illegal activities clandestinely. HSA had been closely monitoring the e-vaporiser distribution networks on platforms such as Telegram, which are used to sell the prohibited items,” it added.

    Singapore’s Tobacco (Control of Advertisements and Sale) Act prohibits the import, distribution, sale, or offer for sale of imitation tobacco products, which include e-vaporisers, shisha tobacco, and smokeless tobacco. Violators face a fine of up to SG$10,000, or imprisonment of up to six months, or both for the first offence, and a fine of up to SG$20,000, or imprisonment of up to 12 months, or both for the second or subsequent offence. The law also prohibits the purchase, use, and possession of such products. Violators face a fine of up to SG$2,000.

    HSA last October seized a record of more than SG$2 million worth of e-vaporisers and related components.

    January 6 House Committee subpoenas Google, Facebook, Twitter and Reddit

    The House Select Committee investigating the January 6th terror attack on the US Capitol has issued four subpoenas to Google, Facebook, Twitter and Reddit as it seeks more information about the incident. Chairman Bennie Thompson said in a statement that the subpoenas were issued due to “inadequate responses to prior requests for information.” The subpoenas relate to “the spread of misinformation, efforts to overturn the 2020 election, domestic violent extremism, and foreign influence in the 2020 election.”

    “Two key questions for the Select Committee are how the spread of misinformation and violent extremism contributed to the violent attack on our democracy, and what steps—if any—social media companies took to prevent their platforms from being breeding grounds for radicalizing people to violence,” Thompson said. “It’s disappointing that after months of engagement, we still do not have the documents and information necessary to answer those basic questions. The Select Committee is working to get answers for the American people and help ensure nothing like January 6th ever happens again. We cannot allow our important work to be delayed any further.”

    In a letter to Alphabet CEO Sundar Pichai, Thompson said YouTube was a “platform for significant communications by its users that were relevant to the planning and execution of January 6th attack on the United States Capitol, including livestreams of the attack as it was taking place.” The letter notes that former Trump administration official Steve Bannon live-streamed his podcast on YouTube in the days before and after January 6, and that live-streams of the attack appeared on YouTube as it was taking place.

    “The Select Committee believes Alphabet has significant undisclosed information that is critical to its investigation, concerning how Alphabet developed, implemented, and reviewed its content moderation, algorithmic promotion, demonetization, and other policies that may have affected the January 6, 2021 events,” Thompson wrote. “For example, Alphabet has not produced any documents that fully explain non-public moderation discussions and policies that led to President Trump’s suspension or that explain whether or why the platform did or did not act regarding President Trump’s account in advance of January 6th. Additionally, Alphabet has not produced documents relating to YouTube’s policy decisions that may have had an impact on the planning, coordinating, and execution of January 6th Attack on the U.S. Capitol.”

    In a statement to ZDNet, Google said it has “been actively cooperating with the Select Committee since they started their investigation, responding substantively to their requests for documents, and are committed to working with Congress through this process.”

    “We have strict policies prohibiting content that incites violence or undermines trust in elections across YouTube and Google’s products, and we enforced these policies in the run-up to January 6 and continue to do so today. We remain vigilant and are committed to protecting our platforms from abuse,” a Google spokesperson said.

    Thompson’s letters to the CEOs of Facebook parent company Meta, Reddit and Twitter similarly criticize the companies for failing to adequately respond to questions from Congress about their role in facilitating the attack last year. Meta did not respond to ZDNet’s requests for comment. A Twitter spokesperson declined to comment. A Reddit spokesperson said, “We received the subpoena and will continue to work with the committee on their requests.”

    Thompson said a number of Meta’s platforms were used “to share messages of hatred, violence, and incitement; to spread misinformation, disinformation, and conspiracy theories around the election; and to coordinate or attempt to coordinate the Stop the Steal movement.”

    “Public accounts about Facebook’s Civic Integrity Team indicate that Facebook has documents that are critical to the Select Committee’s investigation,” Thompson said, among a host of other charges about Facebook’s role in the attack on Congress.

    Reddit was slammed by the Select Committee for hosting the “r/The_Donald” ‘subreddit’ community that eventually moved to the website TheDonald.win in 2020. The website “hosted significant discussion and planning related to the January 6th attack,” according to Thompson.

    Twitter was also accused of allowing users to plan and execute the assault on the Capitol. Thompson said Twitter “was reportedly warned about potential violence being planned on the site in advance of January 6th.”

    “Twitter users also engaged in communications amplifying allegations of election fraud, including by the former President himself,” Thompson said. “Twitter’s former CEO Jack Dorsey acknowledged last year that Twitter bore some responsibility for the violence that occurred on January 6th.”

    Thompson said Twitter has refused to produce documents related to the warnings it got about the potential attack and would not commit to a timeline for complying with the Select Committee’s request for a variety of documents related to the 2020 election. “Finally, Twitter has failed to produce any documents that fully explain either its decision to suspend President Trump’s account on January 8, 2021, or any other decisions the company made regarding President Trump’s account relating to the events of January 6th,” Thompson said.

    New York Power Authority to beef up cybersecurity with new IronNet, AWS deal

    The New York Power Authority (NYPA) announced a new deal with cybersecurity firm IronNet and Amazon Web Services that will help the country’s largest state public power organization bolster its cybersecurity defenses. Victor Costanza, deputy CISO at the NYPA, said the rise in sophisticated cyber attacks prompted them to help municipal utilities implement a strong security program that can detect and mitigate attacks in real time.

    “With the technologies provided by IronNet and AWS, the IT and power infrastructures in NYPA’s supply chain ecosystem can collect and share anonymized cyber threat information so we can defend our enterprise networks collectively, raising the security posture of all of us throughout the state,” Costanza said.

    The deal comes two days after the Cybersecurity and Infrastructure Security Agency (CISA) released an alert detailing a variety of tactics used by Russian state-sponsored groups to attack local and tribal governments across the US between September 2020 and December 2020. CISA also specifically cited previously reported attacks by Russian groups on critical infrastructure in Ukraine. A US Homeland Security report from 2016 said 225,000 customers were left without power two days before Christmas because of the Russian attack on three regional electric power distribution companies.

    Bill Welch, co-CEO of IronNet, said that in the same way utilities band together to provide mutual aid after damaging weather events, NYPA is making collaborative responses to cyber attacks possible. “We are proud to work with NYPA to enable all public utility stakeholders to adopt a proactive defense against any cyber adversary with an eye on the grid—from criminal groups to nation-states,” Welch said.

    NYPA will be adopting IronNet’s Collective Defense solution, which is supported by AWS. The tool will allow municipal utilities in New York and their partners “to create a dynamic, radar-like view of the attack landscape that provides visibility into a wider and deeper range of threats across the state’s entire power grid.” IronNet and AWS ran a pilot program with five NYPA municipalities before the deal was signed and decided to expand it due to its success.

    “Powered by a network detection and response system that tracks network anomalies with behavioral analytics, NYPA’s key supply chain partners can use IronNet’s Collective Defense platform to collaborate in real time to better detect and defend against attacks. This approach further enhances the resilience of New York’s grid amidst the escalating prevalence of attacks on US critical infrastructure,” IronNet explained in a statement. “Defenders of the state’s IT and power infrastructure will receive alerts on anomalous network behaviors correlated with other Collective Defense participants from the U.S. energy sector at large. In the event of a coordinated attack, the community also benefits from expert guidance from the top cybersecurity professionals of IronNet’s Security Operations Center.”

    Cyberattack shuts down Albuquerque schools; county copes with ransomware incident

    School officials in Albuquerque, New Mexico have cancelled classes for Thursday and Friday due to a cyberattack. The shutdown took place just days after a ransomware attack hit government services across Bernalillo County.

    In a statement posted to the Albuquerque Public Schools (APS) website, officials said schools will remain closed “as the district continues to investigate a cyberattack that compromised the student information system used to take attendance, contact families in emergencies, and assure that students are picked up from school by authorized adults.” On Wednesday, the school said it was working with cybersecurity experts to get systems back up and running before Friday. The school amended its statement on Thursday.

    Athletic activities and other extracurricular activities will continue, but school meals will not be served while the schools are closed. For those in need of meals while the schools are shut down, officials suggested the Roadrunner Food Bank Food Assistance Line for help. They also suggested parents turn to the Boys & Girls Clubs of Central New Mexico, which will be providing free all-day programming for youth aged 5-18 while the school deals with the cyberattack.

    APS Superintendent Scott Elder told the Albuquerque Journal that teachers discovered the attack on Wednesday morning after they tried to log into the student information system and were unable to gain access to the site. “APS is working with local and national law enforcement as well as teams of cyber specialists to as quickly as possible limit our exposure to this attack, to protect all systems in our network, and ensure a safe environment to return to school and business as usual,” Elder said.

    APS spokeswoman Monica Armenta said the district does have cyber insurance. Multiple government services across Bernalillo County — which covers the state’s most populous cities of Albuquerque, Los Ranchos, and Tijeras — have been dealing with a ransomware attack that started between midnight and 5:30 a.m. on January 5.

    County officials have taken the affected systems offline and cut network connections, and most county buildings are closed to the public. Emergency services are still available and 911 is still operating, but a Sheriff’s Office customer service window was closed. Visitation at the Metropolitan Detention Center has been postponed indefinitely, but all community centers are still open. Many other government services are still available over the phone and in person. County officials said in a statement that the attack knocked out the Clerk’s Office, limiting access to marriage licenses, real estate transactions, and voter registrations. “The public is being asked to understand the gravity of this ransomware issue and that, at this time, county services are still limited,” officials said.

    FBI spokesman Frank Fisher told the Albuquerque Journal that even though the school outages were taking place at the same time as the other issues, the cyberattack on APS was not tied to the ransomware attack on Bernalillo County.

    On Wednesday, reports emerged that the Metropolitan Detention Center went into lockdown after the attack. A public defender filed a lawsuit revealing that the ransomware attack knocked out the jail’s internet, data management servers, and security camera networks. The lawyer said inmates’ rights had been violated because video-based court hearings were cancelled and people could only contact their lawyers through pay phones.
