Archer

Why security experts are taking note of string of cyber attacks on Japanese oil, gas and electric companies.

Maybe you clicked on a tainted e-mail back in 2011, a “video link” sent by a friend, or a message from “your bank” asking you to enter your password.

The bad guys wanted to steal your money, right? Or maybe, just maybe, you became part of a five-year cyber attack on Japanese targets that could eventually lead back home to the U.S.

The attackers tried to steal user IDs and passwords from Yahoo, Windows Live and other accounts to further their goals of hacking into Japanese critical infrastructure, like oil, gas and electric companies, said security company Cylance in its report on the attack, called Operation Dust Storm.

And they got in, Cylance said, first using unsophisticated methods, later developing tactics that were “undetected and highly effective,” the report said.

“The reason these are key targets is because if a country’s key resources that supply the fundamentals of economic and political stability are disrupted, significant harm can be done,” Cylance’s Greg Fitzgerald told Archer News.  

And cybersecurity experts say the Dust Storm attacks on Japanese critical infrastructure could also happen in the U.S.

“Nobody’s safe,” said Dewan Chowdhury with SCADA (supervisory control and data acquisition) security company MalCrawler.

What do the attackers want?

The attackers are not just run-of-the mill malicious hackers, Fitzgerald said, but instead appear to be a nation-state from Asia.

“The team has discovered that a significant entity has the funding, focus and sophistication to sustain a long term cyber attack on the critical infrastructure of Japan,” he said.

There are only two countries that could do that, Fitzgerald said—China and North Korea.

An enemy of Japan could be an enemy of the U.S. said Leonard Chamberlin with Archer Security Group.

“Not only is Japan one of our strongest allies, but we share common threat actors that would inflict harm upon our two countries,” said Chamberlin.

The attackers could soon use their tactics against the U.S. in the same way, he said.

“Japan is likely to see increased malicious attacks against critical infrastructure by those shared threat actors concurrently or possibly before the US would see those same threats,” he added.

What are they looking for?

Some big cyber attacks involve money, like the cyber campaign that drained $50 million from an airplane-parts maker in Austria.

If only money were the target in Operation Dust Storm. The motive may be far more sinister.

It is clear that the intent was espionage, said Fitzgerald.

Spying on infrastructure

Some cases of espionage involve stealing secrets about how to make product.

“The Chinese are notorious for stealing information to create their own versions of a given piece of equipment,” said Chamberlin.

But, he said, there is no confirmation that China is behind the attack.

And power companies don’t have that kind of intellectual property, Chowdhury told Archer News.

“The goal may be to simply map out the companies’ infrastructures in preparation for a future attack, much like the pattern we recently saw with the Ukrainian attack,” said Chamberlin.

Cyber attackers shut down power to 225,000 customers in Ukraine in December 2015, after spending months doing reconnaissance in the power companies’ computer systems.

Reasons to spy

The attackers may want to check to see how sophisticated a company’s system is, or may want to monitor a major change in capacity or some kind of ramp-up, Fitzgerald said.

They may want to spy on merger and acquisition data and the company’s financial forecast, suggested Chowdhury.

But another likely reason could be for attack, he added.

“If you want to collect information on how their industrial control systems work, or target their industrial control systems,” he said.

Industrial control systems are the computer-run systems that make factories, power plants, and other companies operate, performing tasks that humans used to perform in the past.

“The only reason you would be interested in this ‘top shelf’ data would be to attack it,” he said.

More defense

U.S. power companies should pay more attention to defending their industrial control systems, not just their IT systems, said Chowdhury.

“A lot of the focus for advanced threats are focused on IT,” he said. “Yet the most devastating impact is on industrial control systems.”

He said companies spend more money on IT defense.

“If you compare the amount of money spent to protect the industrial control side, it doesn’t match up. “As a power company, you should really be focused on protecting your industrial control side,” Chowdhury said.

Attackers often get in through e-mail, so IT defense is needed, cybersecurity experts say.

“But if they target the power generating facility or substation, that creates physical damage. And we have no idea how far that damage can go,” he said.

Making moves

The U.S. needs to work with Japan more to identify the attacks and how to defend against them, Chamberlin said.

“Unfortunately, opportunities to work with Japan have been ignored at top energy agencies. We should be actively working with Japan to jointly identify mitigation strategies,” he added.

The same kinds of attacks would have similar results in U.S. companies, said Chamberlin, especially if the companies utilized the same vendor equipment that was compromised.

Patching systems and vigilant monitoring may help, he said, but warned about relying completely on antivirus.

“It is important to note that antivirus vendors failed to detect the majority of the exploits. As such, any company that exclusively depends on antivirus would likely have been compromised. Antivirus is just one aspect of a complete defense-in-depth security posture,” said Chamberlin.

“Overall, U.S. companies are doing a good job compared to their counterparts across the globe,” said Chowdhury. “But they need to be more vigilant.”