Terrorism and the Electric Power Delivery System

Electrical grid is said to be vulnerable to terrorist attack. I can agree that electrical power distribution network would be quite vulnerable if someone tries to sabotage it and knows what to do. I know this because I design software and hardware for control systems for electrical companies.

Some days ago I saw in Finnish television an interesting documentary Suomi polvilleen 15 minuutissa (viewable on Yle Areena at least for Finnish people still for few weeks). It says that in Finland there has been debate on how many weeks the army could protect the country against potential attacks. The document says that the country could collapse in 15 minutes if some outside attacker or a small terrorist group would attack to certain key point in power network. Practically nothing would work anymore without power and it will take quite bit of time to get replacement parts for some key component. There are not too many spare parts and it it take months or a year to build a new big high voltage distribution transformer.

This vulnerability would hold to practically all developed countries. I have understood that Finnish electrical power distribution network would be in pretty good condition compared to electrical power networks on some other countries. I think that in many countries could quite easily cause huge problems by damaging some key points on power distribution network. Those attacks could be either cyber-attacks or attacks or damaging physical infrastructure.

s_080220133187

In USA there has been lots of talk lately about electrical grid vulnerability to terrorist attack. There are warnings like this: Cyber-terrorists could target the U.S. electrical grid and throw the nation into chaos. And there is indeed some truth on those because this critical infrastructure is vital to a country’s economy and security, not a new target for terrorist groups (there have been documented incidents since the 1970s), inherently vulnerable (economical and practical reasons) and extremely hard to protect well. The electric power delivery system that carries electricity from large central generators to customers could be severely damaged by a small number of well-informed attackers. The system is inherently vulnerable because transmission lines may span hundreds of miles. Electrical infrastructure is not necessarily a new target for terrorist groups- there have been documented incidents since the 1970s.

New York Times writes that Terrorists could black out large segments of the United States for weeks or months by attacking the power grid and damaging hard-to-replace components that are crucial to making it work. By blowing up substations or transmission lines with explosives or by firing projectiles at them from a distance, the report said, terrorists could cause cascading failures and damage parts that would take months to repair or replace.

Remember the fact that causing large scale problems for long time is usually hard. In Debunking Theories of a Terrorist Power Grab article a Penn State power-system expert cites laws of physics to pull the plug on worries that a terrorist attack on a minor substation could bring down the entire U.S. electric grid. The most vulnerable points are the ones that have the most energy flowing through them — like huge power stations or highly connected transformers. Those are the ones that should be well protected well and there should not be too much worrying on protecting smaller transformers.

Here are few links to articles for more information:

There is also a free book Terrorism and the Electric Power Delivery System on-line covering those topics. Check it out if you want to learn more. It gives you much more background than those articles.

512 Comments

  1. Tomi Engdahl says:

    India Claims It Foiled Chinese Cyberattack on Disputed Border
    https://www.securityweek.com/india-claims-it-foiled-chinese-cyberattack-disputed-border

    India on Thursday claimed it foiled an attempted cyber-attack by Chinese hackers targeting its power distribution system near a disputed frontier where the two countries are engaged in a military stand-off.

    Ties between the world’s two most populous nations are at a low ebb after a deadly skirmish in the Himalayan region of Ladakh that left at least 20 Indian and four Chinese soldiers dead in 2020.

    “Two attempts by Chinese hackers were made to target electricity distribution centres near Ladakh but were not successful,” power minister R.K. Singh told reporters in New Delhi.

    Singh added that India had deployed “defence systems” to counter such attacks.

    New Delhi’s claim came a day after US-based intelligence firm Recorded Future said suspected Chinese hackers had made at least seven attempts to target Indian power infrastructure in recent months.

    The attacks targeted infrastructure “responsible for carrying out real-time operations for grid control and electricity dispatch”, the group reported.

    “This targeting has been geographically concentrated… in north India, in proximity to the disputed India-China border in Ladakh.”

    Reply
  2. Tomi Engdahl says:

    Ukrainalaisviranomaiset: Venäjä yritti katkaista maasta sähköt massiivisella kyberiskulla https://www.is.fi/digitoday/art-2000008748186.html

    Reply
  3. Tomi Engdahl says:

    Sandworm hackers fail to take down Ukrainian energy provider
    https://www.bleepingcomputer.com/news/security/sandworm-hackers-fail-to-take-down-ukrainian-energy-provider/

    The Russian state-sponsored hacking group known as Sandworm tried on Friday to take down a large Ukrainian energy provider by disconnecting its electrical substations with a new variant of the Industroyer malware for industrial control systems (ICS) and a new version of the CaddyWiper data destruction malware.

    The threat actor used a version of the Industroyer ICS malware customized for the target high-voltage electrical substations and then tried to erase the traces of the attack by executing CaddyWiper and other data-wiping malware families tracked as Orcshred, Soloshred, and Awfulshred for Linux and Solaris systems.

    In an announcement today, CERT-UA notes that the threat actor’s goal was “decommissioning of several infrastructural elements.”

    The ICS malware used in the attack is now tracked as Industroyer2 and ESET assesses “whith high confidence” that it was built using the source code of Industroyer used in 2016 to cut the power in Ukraine and attributed to the state-sponsored Russian hacking group Sandworm.

    CERT-UA says that “the implementation of [Sandworm's] malicious plan has so far been prevented” while ESET notes in a technical report on the malware used in this attack that “Sandworm attackers made an attempt to deploy the Industroyer2 malware against high-voltage electrical substations in Ukraine.”

    ESET researchers say that Industroyer2 is highly configurable and comes with hardcoded detailed configuration, which requires it to be recompiled for each new victim environment.

    Reply
  4. Tomi Engdahl says:

    Ukrainalaisviranomaiset: Venäjä yritti katkaista maasta sähköt massiivisella kyberiskulla https://www.is.fi/digitoday/art-2000008748186.html
    Venäjä yritti katkaista sähköt noin kahdelta miljoonalta ukrainalaiselta kyberoperaatiossa, jonka oli määrä toteutua perjantai-iltana 8. huhtikuuta.
    Järjestelmiin istutettu kyberase neutraloitiin torstaina 7.4. Sen oli määrä aktivoitua seuraavana päivänä eli perjantai-iltana 8.4. viikonloppuvapaiden alkaessa. Onnistuessaan hyökkäys olisi pimentänyt sähköt noin kahdelta miljoonalta ukrainalaiselta.
    Ukrainalaisten mukaan kyberaseen oli määrä aiheuttaa fyysistä tuhoa. Sen tarkoitus oli tuhota sekä Windows-työsemia että sähköverkon laitteita. Se olisi aktivoituessaan saattanut työntekijät hengenvaaraan.
    Nimen Industroyer2 saanut viritetty kyberase oli räätälöity lähettämään ohjauskomentoja korkeajänniteverkon syöttöasemiin, jotka oli kartoitettu ja yksilöity etukäteen.
    Zhoran mukaan haittaohjelma joulukuussa 2016 nähdyn, Industroyeriksi nimetyn kyberaseen merkittävästi kehittyneempi versio. Joulukuussa 2016 tapahtuneessa kyberhyökkäyksessä pimennettiin viides Kiovasta tunnin ajaksi.
    Maailmanlaajuisesti on ihmetelty, miksi Venäjä ei ole kyennyt tehokkaampiin iskuihin Ukrainan infrastruktuuria vastaan. Apulaisministeri Safarovin mukaan syy on suurilta osin siinä, että järeät ja monimutkaiset kyberoperaatiot ovat edellyttävät paljon valmisteluja ja vievät aikaa.
    Lisäksi Ulkraina on saanut paljon apua kyberpuolustukseensa ulkomailta. Zhora kiitti nimeltä Microsoftia ja tietoturvayhtiö Esetiä, jotka olivat mukana vastaoperaatiossa.
    – Venäläisiä hakkereita on yliarvioitu. Heillä on silti paljon potentiaalia, Zhora sanoi.

    Translation:
    Russia tried to cut off electricity to about two million Ukrainians in a cyber operation scheduled to take place on Friday night, April 8th.
    The cyberase implanted in the systems was neutralized on Thursday 7.4. It was due to be activated the next day, Friday night 8.4. at the start of the weekend holidays. If successful, the attack would have blackouted some two million Ukrainians.
    According to Ukrainians, cyber weapons were to be physically destroyed. Its purpose was to destroy both Windows workstations and networked devices. It would have put workers at risk of death if activated.
    Named Industroyer2, the tuned cyberase was customized to send control commands to high-voltage network input stations that had been mapped and identified in advance.
    According to Zhora, the malware is a significantly more advanced version of the cyber weapon seen in December 2016, called Industroyer. In a cyber attack in December 2016, the Fifth of Kiev was blacked out for an hour.
    Globally, it has been wondered why Russia has not been able to make more effective attacks on Ukraine’s infrastructure. According to Deputy Minister Safarov, the reason is largely that robust and complex cyber operations are time-consuming and time-consuming.
    In addition, Ukraine has received a lot of help in its cyber defense from abroad. Zhora thanked Microsoft and security company Eset for their involvement in the counter-operation.
    - Russian hackers have been overestimated. They still have a lot of potential, Zhora said.

    More:

    Sandworm hackers fail to take down Ukrainian energy provider
    https://www.bleepingcomputer.com/news/security/sandworm-hackers-fail-to-take-down-ukrainian-energy-provider/
    The Russian state-sponsored hacking group known as Sandworm tried on Friday to take down a large Ukrainian energy provider by disconnecting its electrical substations with a new variant of the Industroyer malware for industrial control systems (ICS) and a new version of the CaddyWiper data destruction malware.
    The threat actor used a version of the Industroyer ICS malware customized for the target high-voltage electrical substations and then tried to erase the traces of the attack by executing CaddyWiper and other data-wiping malware families tracked as Orcshred, Soloshred, and Awfulshred for Linux and Solaris systems.
    In an announcement today, CERT-UA notes that the threat actor’s goal was “decommissioning of several infrastructural elements.”
    The ICS malware used in the attack is now tracked as Industroyer2 and ESET assesses “whith high confidence” that it was built using the source code of Industroyer used in 2016 to cut the power in Ukraine and attributed to the state-sponsored Russian hacking group Sandworm.
    CERT-UA says that “the implementation of [Sandworm's] malicious plan has so far been prevented” while ESET notes in a technical report on the malware used in this attack that “Sandworm attackers made an attempt to deploy the Industroyer2 malware against high-voltage electrical substations in Ukraine.”
    ESET researchers say that Industroyer2 is highly configurable and comes with hardcoded detailed configuration, which requires it to be recompiled for each new victim environment.

    Reply
  5. Tomi Engdahl says:

    Sandworm rolls out Industroyer2 malware against Ukraine
    A second generation of the Sandworm-linked Industroyer malware has been identified by ESET researchers and Ukraine’s national CERT
    https://www.computerweekly.com/news/252515855/Sandworm-rolls-out-Industroyer2-malware-against-Ukraine

    A new variant of the Industroyer malware, used to great effect against the Ukrainian energy sector by Russia’s Sandworm or Voodoo Bear advanced persistent threat (APT) group in 2016, has been identified by researchers from ESET, working in tandem with Ukraine’s national Computer Emergency Response Team, CERT-UA.

    Predictably dubbed Industroyer2, it was used in an attempted cyber attack on a Ukraine-based energy company on the evening of Friday 8 April 2022. The attack used an ICS-capable malware and disk wipers against Windows, Linux and Solaris operating systems at the target’s high-voltage electrical substations.

    The Industroyer2 malware was compiled on 23 March, suggesting the attack had been planned for some time, and the initial compromise took place in February according to CERT-UA.

    Sandworm also used a number of other destructive malwares in its attack, including the recently identified CaddyWiper, Orcshred, Soloshred and Awfulshred.

    “Ukraine is once again at the centre of cyber attacks targeting their critical infrastructure,” said ESET’s research team in a disclosure notice. “This new Industroyer campaign follows multiple waves of wipers that have been targeting various sectors in Ukraine. ESET researchers will continue to monitor the threat landscape in order to better protect organisations from these types of destructive attacks.”

    ESET said it had been unable to establish how the victim was compromised, nor how Sandworm, which is part of the Russian GRU intelligence service’s Main Centre for Special Technologies, or GTsST, moved laterally from the victim’s IT network to the separate ICS network.

    Industroyer2: Industroyer reloaded
    This ICS-capable malware targets a Ukrainian energy company
    https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/

    Key points:

    ESET researchers collaborated with CERT-UA to analyze the attack against the Ukrainian energy company
    The destructive actions were scheduled for 2022-04-08 but artifacts suggest that the attack had been planned for at least two weeks
    The attack used ICS-capable malware and regular disk wipers for Windows, Linux and Solaris operating systems
    We assess with high confidence that the attackers used a new version of the Industroyer malware, which was used in 2016 to cut power in Ukraine
    We assess with high confidence that the APT group Sandworm is responsible for this new attack

    In this case, the Sandworm attackers made an attempt to deploy the Industroyer2 malware against high-voltage electrical substations in Ukraine.

    In addition to Industroyer2, Sandworm used several destructive malware families including CaddyWiper, ORCSHRED, SOLOSHRED and AWFULSHRED. We first discovered CaddyWiper on 2022-03-14 when it was used against a Ukrainian bank – see our Twitter thread about CaddyWiper. A variant of CaddyWiper was used again on 2022-04-08 14:58 against the Ukrainian energy provider previously mentioned.

    At this point, we don’t know how attackers compromised the initial victim nor how they moved from the IT network to the Industrial Control System (ICS) network.

    Reply
  6. Tomi Engdahl says:

    Energy Provider in Ukraine Targeted With Industroyer2 ICS Malware
    https://www.securityweek.com/energy-provider-ukraine-targeted-industroyer2-ics-malware

    An energy provider in Ukraine was recently targeted with a new piece of malware designed to cause damage by manipulating industrial control systems (ICS).

    The attack, which targeted high-voltage electrical substations and reportedly failed, has been analyzed by Ukraine’s Computer Emergency Response Team (CERT-UA), cybersecurity firm ESET, and Microsoft.

    The operation has been linked to Sandworm, a threat group believed to operate on behalf of Russia’s GRU military intelligence agency.

    According to ESET, the attack, whose likely goal was to carry out destructive actions in the targeted energy facility and cause power outages on April 8, involved the deployment of several pieces of malware, in both the ICS network and systems running Solaris and Linux.

    Sandworm rolls out Industroyer2 malware against Ukraine
    https://www.computerweekly.com/news/252515855/Sandworm-rolls-out-Industroyer2-malware-against-Ukraine

    A second generation of the Sandworm-linked Industroyer malware has been identified by ESET researchers and Ukraine’s national CERT

    A new variant of the Industroyer malware, used to great effect against the Ukrainian energy sector by Russia’s Sandworm or Voodoo Bear advanced persistent threat (APT) group in 2016, has been identified by researchers from ESET, working in tandem with Ukraine’s national Computer Emergency Response Team, CERT-UA.

    Predictably dubbed Industroyer2, it was used in an attempted cyber attack on a Ukraine-based energy company on the evening of Friday 8 April 2022. The attack used an ICS-capable malware and disk wipers against Windows, Linux and Solaris operating systems at the target’s high-voltage electrical substations.

    The Industroyer2 malware was compiled on 23 March, suggesting the attack had been planned for some time, and the initial compromise took place in February according to CERT-UA.

    Sandworm also used a number of other destructive malwares in its attack, including the recently identified CaddyWiper, Orcshred, Soloshred and Awfulshred.

    Reply
  7. Tomi Engdahl says:

    Industroyer2: The Worst Sequel
    https://medium.com/@RoseSecurity/industroyer2-the-worst-sequel-9103a8998ee9

    Background:

    Industroyer, also referred to as Crashoverride, is a malware framework considered to have been used in the cyberattack on Ukraine’s power grid on December 17, 2016. The attack cut a fifth of Kiev, the capital, off power for one hour and is considered to have been a large-scale test. The Kiev incident was the second cyberattack on Ukraine’s power grid in two years. The first attack occurred on December 23, 2015. Industroyer is the first ever known malware specifically designed to attack electrical grids.
    The Sequel:

    On April 12, 2022, ESET researchers collaborated with CERT-UA analysts to dissect malware targeting the Ukrainian energy sector. CERT-UA, the Governmental Computer Emergency Response Team of Ukraine, said the attack used Industroyer to target “several infrastructural elements” including high-voltage electrical substations, computers at the facility, network equipment and server equipment running Linux operating systems.

    Industroyer2 was deployed as a single Windows executable named 108_100.exe and executed using a scheduled task on 2022–04–08 at 16:10:00 UTC. It was compiled on 2022–03–23, according to the PE timestamp, suggesting that attackers had planned their attack for more than two weeks. Industroyer2 only implements the IEC-104 (aka IEC 60870–5–104) protocol to communicate with industrial equipment. This includes protection relays, used in electrical substations. This is a slight change from the 2016 Industroyer variant that is a fully-modular platform with payloads for multiple ICS protocols. Industroyer2 is highly configurable. It contains a detailed configuration hardcoded in its body, driving the malware actions. This is different from Industroyer, stores configuration in a separate .INI file. Thus, attackers need to recompile Industroyer2 for each new victim or environment. However, given that the Industroyer* malware family has only been deployed twice, with a five year gap between each version, this is probably not a limitation for Sandworm operators. The configuration contains values that are used during communication via IEC-104 protocol, such as ASDU (Application Service Data Unit) address, Information Object Addresses (IOA), timeouts, etc.

    Before connecting to the targeted devices, the malware terminates a legitimate process that is used in standard daily operations.

    Reply
  8. Tomi Engdahl says:

    Ukraine energy grid hit by Russian Indestroyer2 malware
    The 2016 malware known as “Indestroyer” has resurfaced in a new series of targeted attacks against industrial controller hardware at a Ukraine power company.
    https://www.techtarget.com/searchsecurity/news/252515899/Ukraine-energy-grid-hit-by-Russian-Indestroyer2-malware

    A notorious piece of malware has been rehashed as an agent of cyberwar in Russia’s invasion of Ukraine.

    Security researchers working with the Ukraine government say that a new variant of the “Indestroyer” malware has been detected in power stations in the Ukraine and is likely being used by the Russian government to sabotage industrial controller systems (ICS). Industroyer was first detected in 2016 cyber attacks against Ukraine’s power grid, which substantial blackouts in the country.

    Researchers with threat detection vendor ESET reported Tuesday that Russian attackers have been targeting energy plants in Ukraine with the aim of shutting down critical infrastructure. The Industroyer2 malware targets the controller hardware that manages the flow of water, use of cleaning agents, and other embedded machines that keep water systems running efficiently.

    Reply
  9. Tomi Engdahl says:

    Ukraine Says Potent Russian Hack Against Power Grid Thwarted
    https://www.securityweek.com/ukraine-says-potent-russian-hack-against-power-grid-thwarted

    Russian military hackers attempted to knock out power to millions of Ukrainians last week in a long-planned attack but were foiled, Ukrainian government officials said Tuesday.

    At one targeted high-voltage power station, the hackers succeeded in penetrating and disrupting part of the industrial control system, but people defending the station were able to prevent electrical outages, the Ukrainians said.

    “The threat was serious, but it was prevented in a timely manner,” a top Ukrainian cybersecurity official, Victor Zhora, told reporters through an interpreter. “It looks that we were very lucky.”

    Reply
  10. Tomi Engdahl says:

    Industroyer2: Industroyer reloaded
    https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/
    The blogpost presents the analysis of a cyberattack against a Ukrainian energy provider..
    Also https://www.wired.com/story/sandworm-russia-ukraine-blackout-gru/

    Reply
  11. Tomi Engdahl says:

    Watch hackers break into the US power grid
    https://m.youtube.com/watch?v=pL9q2lOZ1Fw

    A power company in the Midwest hired a group of white hat hackers known as RedTeam Security to test its defenses. We followed them around for 3 days, as they attempted to break into buildings and hack into its network, with the goal of gaining full access. And it was all much easier than you might think. Based on our experiences, it would seem that power companies need to step up their game in the fight against cyber attackers or it could be “lights out.”

    Reply
  12. Tomi Engdahl says:

    Advanced hackers have shown they can take control of an array of devices that help run power stations and manufacturing plants, the U.S. government said in an alert on Wednesday, warning of the potential for cyber spies to harm critical infrastructure.

    U.S. says advanced hackers have shown ability to hijack critical infrastructure
    https://www.reuters.com/technology/us-says-advanced-hackers-have-demonstrated-ability-hijack-multiple-industrial-2022-04-13/

    Advanced hackers have shown they can take control of an array of devices that help run power stations and manufacturing plants, the U.S. government said in an alert on Wednesday, warning of the potential for cyber spies to harm critical infrastructure.

    The U.S. Cybersecurity and Infrastructure Security Agency and other government agencies issued a joint advisory saying the hackers’ malicious software could affect a type of device called programmable logic controllers made by Schneider Electric (SCHN.PA) and OMRON Corp (6645.T).

    Alert (AA22-103A)
    APT Cyber Tools Targeting ICS/SCADA Devices
    https://www.cisa.gov/uscert/ncas/alerts/aa22-103a

    The Department of Energy (DOE), the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Federal Bureau of Investigation (FBI) are releasing this joint Cybersecurity Advisory (CSA) to warn that certain advanced persistent threat (APT) actors have exhibited the capability to gain full system access to multiple industrial control system (ICS)/supervisory control and data acquisition (SCADA) devices, including:

    Schneider Electric programmable logic controllers (PLCs),
    OMRON Sysmac NEX PLCs, and
    Open Platform Communications Unified Architecture (OPC UA) servers.
    The APT actors have developed custom-made tools for targeting ICS/SCADA devices. The tools enable them to scan for, compromise, and control affected devices once they have established initial access to the operational technology (OT) network. Additionally, the actors can compromise Windows-based engineering workstations, which may be present in information technology (IT) or OT environments, using an exploit that compromises an ASRock motherboard driver with known vulnerabilities. By compromising and maintaining full system access to ICS/SCADA devices, APT actors could elevate privileges, move laterally within an OT environment, and disrupt critical devices or functions.

    Technical Details
    APT actors have developed custom-made tools that, once they have established initial access in an OT network, enables them to scan for, compromise, and control certain ICS/SCADA devices, including the following:

    Schneider Electric MODICON and MODICON Nano PLCs, including (but may not be limited to) TM251, TM241, M258, M238, LMC058, and LMC078;
    OMRON Sysmac NJ and NX PLCs, including (but may not be limited to) NEX NX1P2, NX-SL3300, NX-ECC203, NJ501-1300, S8VK, and R88D-1SN10F-ECT; and
    OPC Unified Architecture (OPC UA) servers.
    The APT actors’ tools have a modular architecture and enable cyber actors to conduct highly automated exploits against targeted devices. The tools have a virtual console with a command interface that mirrors the interface of the targeted ICS/SCADA device. Modules interact with targeted devices, enabling operations by lower-skilled cyber actors to emulate higher-skilled actor capabilities.

    The APT actors can leverage the modules to scan for targeted devices, conduct reconnaissance on device details, upload malicious configuration/code to the targeted device, back up or restore device contents, and modify device parameters.

    APT Tool for OPC UA
    The APT actors’ tool for OPC UA has modules with basic functionality to identify OPC UA servers and to connect to an OPC UA server using default or previously compromised credentials. The client can read the OPC UA structure from the server and potentially write tag values available via OPC UA.

    DOE, CISA, NSA, and the FBI recommend all organizations with ICS/SCADA devices implement the following proactive mitigations:

    Isolate ICS/SCADA systems and networks from corporate and internet networks using strong perimeter controls, and limit any communications entering or leaving ICS/SCADA perimeters.
    Enforce multifactor authentication for all remote access to ICS networks and devices whenever possible.
    Have a cyber incident response plan, and exercise it regularly with stakeholders in IT, cybersecurity, and operations.
    Change all passwords to ICS/SCADA devices and systems on a consistent schedule, especially all default passwords, to device-unique strong passwords to mitigate password brute force attacks and to give defender monitoring systems opportunities to detect common attacks.
    Maintain known-good offline backups for faster recovery upon a disruptive attack, and conduct hashing and integrity checks on firmware and controller configuration files to ensure validity of those backups.
    Limit ICS/SCADA systems’ network connections to only specifically allowed management and engineering workstations.
    Robustly protect management systems by configuring Device Guard, Credential Guard, and Hypervisor Code Integrity (HVCI). Install Endpoint Detection and Response (EDR) solutions on these subnets and ensure strong anti-virus file reputation settings are configured.
    Implement robust log collection and retention from ICS/SCADA systems and management subnets.
    Leverage a continuous OT monitoring solution to alert on malicious indicators and behaviors, watching internal systems and communications for known hostile actions and lateral movement. For enhanced network visibility to potentially identify abnormal traffic, consider using CISA’s open-source Industrial Control Systems Network Protocol Parsers (ICSNPP).
    Ensure all applications are only installed when necessary for operation.
    Enforce principle of least privilege. Only use admin accounts when required for tasks, such as installing software updates.
    Investigate symptoms of a denial of service or connection severing, which exhibit as delays in communications processing, loss of function requiring a reboot, and delayed actions to operator comments as signs of potential malicious activity.
    Monitor systems for loading of unusual drivers, especially for ASRock driver if no ASRock driver is normally used on the system.

    Reply
  13. Tomi Engdahl says:

    US agencies warn of custom-made hacking tools targeting energy sector systems
    https://therecord.media/us-agencies-warn-of-custom-made-hacking-tools-targeting-energy-sector-systems/

    Several advanced persistent threat (APT) actors have created custom-made tools designed to breach IT equipment used in critical infrastructure facilities, according to a new advisory from multiple US agencies.

    In an alert released on Wednesday, the Department of Energy (DOE), the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Federal Bureau of Investigation (FBI) warned critical infrastructure operators of potential attacks targeting multiple industrial control systems (ICS) and supervisory control and data acquisition (SCADA) devices.

    The alert says the tools used in the attacks were designed specifically for Schneider Electric programmable logic controllers (PLCs), OMRON Sysmac NEX PLCs, and Open Platform Communications Unified Architecture (OPC UA) servers.

    Eric Byres, chief technology officer of ICS cybersecurity software firm aDolus Technology, told The Record that Schneider Electric MODICON PLCs and OPC Unified Architecture (OPC UA) servers are incredibly common and are used widely within many major industrial facilities across the US.

    “The tools enable them to scan for, compromise, and control affected devices once they have established initial access to the operational technology (OT) network. Additionally, the actors can compromise Windows-based engineering workstations, which may be present in information technology (IT) or OT environments, using an exploit that compromises an ASRock motherboard driver with known vulnerabilities,” the alert explained.

    “By compromising and maintaining full system access to ICS/SCADA devices, APT actors could elevate privileges, move laterally within an OT environment, and disrupt critical devices or functions.”

    Reply
  14. Tomi Engdahl says:

    Chinese Hacker Groups Continue to Target Indian Power Grid Assets
    https://thehackernews.com/2022/04/chinese-hacker-groups-continue-to.html

    Reply
  15. Tomi Engdahl says:

    Suomen kantaverkon tietoturvan kestävyyttä “koputellaan” jatkuvasti koko maan pimentäminen on psykologisestikin tehokas kyberuhka
    https://yle.fi/uutiset/3-12400753
    Suomen sähkönsiirron perusrunko, kantaverkko, kiinnostaa.
    Käyttötoiminnan johtaja Reima Päivinen Fingridistä puhuu palomuurin “koputteluista”, joita on edelleen jatkuvasti. Ne ovat jo kauan olleet arkipäivää. Mitään suurta ja massiivista ei kuitenkaan ole tullut, hän kertoo. Tämän hetken maailmantilanne ei myöskään ole lisännyt ainakaan vielä kantaverkkoon kohdistuvia verkkohyökkäyksiä.

    Reply
  16. Tomi Engdahl says:

    Economic Warfare: Attacks on Critical Infrastructure Part of Geopolitical Conflict
    https://www.securityweek.com/economic-warfare-attacks-critical-infrastructure-part-geopolitical-conflict

    We’ve known for years that since at least March of 2016, Russian government threat actors have been targeting multiple U.S. critical infrastructure sectors including the energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors. The Department of Homeland Security (DHS), the Federal Bureau of Investigations (FBI), and other agencies have acknowledged this for quite some time in many of their technical alerts and statements.

    In the intervening years, with the acceleration of digital transformation, cyber criminals and nation-state actors have increasingly set their sights on these sectors. The convergence of physical and digital assets brings competitive advantage but also inevitable risks. Attacks against hospitals, oil pipelines, food supply chains, and other critical infrastructure, have brought into sharp focus the vulnerability of cyber-physical systems (CPS) and the impact on lives and livelihoods when they are disrupted. Now, overwhelming signs indicate critical infrastructure companies are in the bullseye of geopolitical conflict.

    In early April, high-voltage electrical substations operated by an energy provider in Ukraine were targeted with Industroyer2 malware, with the intent of causing damage by manipulating industrial control systems (ICS). And on April 13, 2022, the Department of Energy (DOE), the Cybersecurity and Infrastructure Security Agency (CISA), the NSA, and the FBI warned that threat actors have developed custom-made tools to target ICS and supervisory control and data acquisition (SCADA) devices.

    Reply
  17. Tomi Engdahl says:

    Alert (AA22-110A) – Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure https://www.cisa.gov/uscert/ncas/alerts/aa22-110a
    he cybersecurity authorities of the United States, Australia, Canada, New Zealand, and the United Kingdom are releasing this joint Cybersecurity Advisory (CSA). The intent of this joint CSA is to warn organizations that Russias invasion of Ukraine could expose organizations both within and beyond the region to increased malicious cyber activity . This activity may occur as a response to the unprecedented economic costs imposed on Russia as well as materiel support provided by the United States and U.S. allies and partners.
    Evolving intelligence indicates that the Russian government is exploring options for potential cyberattacks (see the March 21, 2022, Statement by U.S. President Biden for more information).

    Reply
  18. Tomi Engdahl says:

    Economic Warfare: Attacks on Critical Infrastructure Part of Geopolitical Conflict
    https://www.securityweek.com/economic-warfare-attacks-critical-infrastructure-part-geopolitical-conflict

    We’ve known for years that since at least March of 2016, Russian government threat actors have been targeting multiple U.S. critical infrastructure sectors including the energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors. The Department of Homeland Security (DHS), the Federal Bureau of Investigations (FBI), and other agencies have acknowledged this for quite some time in many of their technical alerts and statements.

    In the intervening years, with the acceleration of digital transformation, cyber criminals and nation-state actors have increasingly set their sights on these sectors. The convergence of physical and digital assets brings competitive advantage but also inevitable risks. Attacks against hospitals, oil pipelines, food supply chains, and other critical infrastructure, have brought into sharp focus the vulnerability of cyber-physical systems (CPS) and the impact on lives and livelihoods when they are disrupted. Now, overwhelming signs indicate critical infrastructure companies are in the bullseye of geopolitical conflict.

    In early April, high-voltage electrical substations operated by an energy provider in Ukraine were targeted with Industroyer2 malware, with the intent of causing damage by manipulating industrial control systems (ICS). And on April 13, 2022, the Department of Energy (DOE), the Cybersecurity and Infrastructure Security Agency (CISA), the NSA, and the FBI warned that threat actors have developed custom-made tools to target ICS and supervisory control and data acquisition (SCADA) devices.

    Since the beginning of the year, we’ve seen a steady drumbeat of alerts and new resources available for critical infrastructure organizations. A joint Cybersecurity Advisory, authored by the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the FBI, released in January, 2022, details tactics, techniques, and procedures associated with a number of Russian state actors. Given these threat actors’ demonstrated capabilities and activities, it comes as no surprise that CISA is stepping in and speaking directly to operators of critical infrastructure networks, giving them specific indicators of compromise to look out for and any unexplained equipment behavior.

    Reply
  19. Tomi Engdahl says:

    Critical infrastructure: Under cyberattack for longer than you might think https://www.welivesecurity.com/2022/04/21/critical-infrastructure-cyberattack-longer-think/
    Lessons from history and recent attacks on critical infrastructure throw into sharp relief the need to better safeguard our essential systems and services

    Reply
  20. Tomi Engdahl says:

    These hackers showed just how easy it is to target critical infrastructure
    Two Dutch researchers have won a major hacking championship by hitting the software that runs the world’s power grids, gas pipelines, and more. It was their easiest challenge yet.
    https://www.technologyreview.com/2022/04/21/1050815/hackers-target-critical-infrastructure-pwn2own/

    Reply
  21. Tomi Engdahl says:

    It’s Pretty Easy to Hack the Program That Runs Our Power Grids, It Turns Out
    Getting inside a program that runs most of the world’s industrial control systems? The easiest thing you’ll do all weekend, two white hat hackers said.
    https://gizmodo.com/hackers-breach-power-grid-opc-ua-pwn2own-2022-1848825967

    Reply
  22. Tomi Engdahl says:

    Catherine Stupp / Wall Street Journal:
    Hackers have attacked three German wind energy companies since Russia’s war in Ukraine, shutting down 2K+ turbines’ remote control systems for a day, and more

    European Wind-Energy Sector Hit in Wave of Hacks
    https://www.wsj.com/articles/european-wind-energy-sector-hit-in-wave-of-hacks-11650879000?mod=djemalertNEWS

    Three Germany-based wind-energy companies have been the targets of cyberattacks since Russia’s invasion of Ukraine; hacks come as governments move to transition away from Russian fuel

    Cyberattacks on three European wind-energy companies since the start of the war in Ukraine have raised alarm that hackers sympathetic to Russia are trying to cause mayhem in a sector set to benefit from efforts to lessen reliance on Russian oil and gas.

    The companies attacked haven’t publicly attributed the hacks to a particular criminal group or country and Russia has consistently denied that it launches cyberattacks.

    But the timing of the attacks suggests potential links to supporters of Russia’s invasion of Ukraine, said Christoph Zipf, a spokesman for WindEurope, a Brussels-based industry group.

    Serious cyberattacks on industrial equipment aren’t common and take significant knowledge to prepare, according to security experts.

    The three companies targeted in the attacks are all based in Germany. Deutsche Windtechnik AG, which specializes in the maintenance of wind turbines, was hacked in April. Remote-control systems for about 2,000 wind turbines in Germany were down for about a day after the attack, the company said.

    Turbine maker Nordex SE said it discovered a security incident March 31 that forced it to shut its information-technology systems. Conti, a ransomware group that has declared support for the Russian government, said this month that it was responsible for the attack.

    Enercon GmbH, also a turbine maker, said it was “collateral damage” in an attack on a satellite company in February that happened “at almost exactly the same time that Russian troops invaded Ukraine.” The attack knocked out remote control of 5,800 of Enercon’s wind turbines, though they continued to operate on auto mode.

    “We need high IT security standards” because the growing renewable-energy sector will become a bigger target for hackers, said Matthias Brandt, director of Deutsche Windtechnik, which has around 2,000 employees. “The crisis in Russia and Ukraine shows us that renewables are replacing oil and gas in the future,” he said.

    The European Union started reducing Russian energy imports this month as member countries considered alternatives such as nuclear power, or speeded up plans to move to renewable energy after years of relying on Russian oil and gas.

    Germany, Europe’s biggest economy, has rejected EU-wide sanctions on Russian fuel, arguing such a move would damage the German economy. The country moved up its plan to reach nearly 100% renewable energy electricity by 2035 and wean itself off Russian oil and coal imports this year. Still, a German official said in late March that Russia accounted for 40% of the country’s natural-gas imports, down from 55% four weeks earlier but still substantially above the EU average.

    Cybersecurity experts working with Deutsche Windtechnik are investigating whether the ransomware attack used Conti malware

    U.S. utilities aiming to provide alternative energy to Europe have also been targets

    Mr. Guinn said that at one U.S.-based liquefied-natural-gas company he has worked with, scanning by outside groups for cybersecurity flaws has tripled over the past month,

    A hacker who manages to infect the industrial equipment that controls wind turbines could manipulate the machines’ brakes to stop power production, said Trond Solbert, managing director for cybersecurity at Norwegian risk-management company DNV GL. That could disrupt services to customers and revenue for producers, Mr. Solbert said. A simpler strike on local internet-connected services could interfere with the remote monitoring systems of wind farms, he added.

    The attack on Deutsche Windtechnik hit internal IT systems, not the industrial systems that control its turbines, Mr. Brandt said.

    As European countries transition away from Russian energy, key alternative sources will be wind farms in Germany and the North Sea, said Mr. Guinn of Accenture. Hackers that have pledged to attack opponents of Russian interests are taking aim at companies working with those alternatives, he said. “This is a bit of a long game. This is a chess match—this isn’t smash and grab,” he added.

    Reply
  23. Tomi Engdahl says:

    It’s Pretty Easy to Hack the Program That Runs Our Power Grids, It Turns Out
    https://gizmodo.com/hackers-breach-power-grid-opc-ua-pwn2own-2022-1848825967

    Getting inside a program that runs most of the world’s industrial control systems? The easiest thing you’ll do all weekend, two white hat hackers said.

    Dutch security researchers Daan Keuper and Thijs Alkemade said that breaking into OPC UA, an open source communications protocol used by a majority of the world’s industrial control systems, was the “easiest” thing they’d hacked at the conference so far, MIT Technology Review originally reported. “In industrial control systems, there is still so much low-hanging fruit,” Keuper told MIT. “The security is lagging behind badly.” Comforting news!

    Reply
  24. Tomi Engdahl says:

    Science, Space, Health & Robotics
    Giant VR-operated humanoid robot used to fix power lines in Japan
    The West Japan Rail Company has developed a large, crane-mounted, VR-piloted Gundam-style robot for maintenance along train lines.

    Read more: https://www.tweaktown.com/news/85921/giant-vr-operated-humanoid-robot-used-to-fix-power-lines-in-japan/index.html

    Reply
  25. Tomi Engdahl says:

    T&T: Venäjältä tehty kyberhyökkäyksiä Suomen sähköjärjestelmään
    Vakavissaan tehtyjä hyökkäyksiä maailmalta tulee noin viikoittain, uutisoi Tekniikka&Talous.
    https://www.iltalehti.fi/kotimaa/a/d06a525e-9e3d-400f-b470-93f02d0af868
    Tekniikka&Talous-lehden mukaan Suomen sähkön kantaverkkoyhtiö Fingridin tietojärjestelmiin kohdistuu useita kymmeniä kyberhyökkäyksiä päivässä
    Asian vahvistaa T&T:lle yhtiön ict-johtaja Kari Suominen. Ylivoimaisesti suurin osa hyökkäyksistä on kuitenkin varsin arkipäiväisiä kalasteluyrityksiä.
    Selkeästi kohdennettuja, tosissaan tehtyjä hyökkäyksiä Fingridin tietoverkkoa kohtaan sattuu lehden mukaan viikkotasolla.
    Hyökkäyksistä osa tulee suurvalloista päin, mutta osa tulee jostakin muualta. Suominen mainitsee Tekniikka&Talouden haastattelussa valtioista Kiinan, Venäjän, Yhdysvallat ja Intian.
    Tekniikka&Talouden mukaan sekä arkipäiväiset että vakavammat hyökkäykset Fingridiä kohtaan ovat luonteeltaan lähes yksinomaan tunkeutumisyrityksiä, eli tietojen hankkimiseen tai järjestelmään sisään pääsyyn tähtääviä. Järjestelmän lamauttamiseen tähtääviä palvelunestohyökkäyksiä sattuu hyvin vähän.

    Venäjältä tehty kyberhyökkäyksiä Suomen sähköjärjestelmään
    Tuomas Kangasniemi17.5.2022 10:04|päivitetty17.5.2022 12:37TietoturvaSähköEnergia
    https://www.tekniikkatalous.fi/uutiset/venajalta-tehty-kyberhyokkayksia-suomen-sahkojarjestelmaan/b97ed96b-fd7c-4788-a7a2-f9277dcce3ca
    Vakavissaan tehtyjä hyökkäyksiä maailmalta tulee noin viikoittain. Kulloinenkin maantieteellinen suunta on helppo nähdä, mutta millainen toimija on asialla, on vaikeaa tai mahdotonta arvioida.
    Suomen sähkön kantaverkkoyhtiö Fingridin tietojärjestelmiin kohdistuu useita kymmeniä kyberhyökkäyksiä päivässä, kertoo yhtiön ict-johtaja Kari Suominen. Ylivoimaisesti suurin osa niistä on kuitenkin varsin arkipäiväisiä kalasteluyrityksiä.

    Reply
  26. Tomi Engdahl says:

    UK updates strategy to harden nuclear sector from cyberattacks https://therecord.media/uk-updates-strategy-to-harden-nuclear-sector-from-cyberattacks/
    The UK on Friday released new plans to address the cyber risks to the country’s civil nuclear sector as the government helps orchestrate a shift towards net-zero carbon emissions. The strategy outlines four key objectives for the sector to meet by 2026 including; prioritizing cybersecurity management through outcome-focused regulation, proactively acting to mitigate cyber threats, minimizing recovery time by responding cohesively to cyber incidents, and collaborating within the sector to advance cyber skills and a positive security climate.

    Reply
  27. Tomi Engdahl says:

    Loppuuko Suomesta sähkö ensi talvena? Todennäköisesti ei, mutta sähkösauna ja sähköautoilu voivat olla kovilla pakkasilla pannassa
    Venäjän hyökkäyssota saattaa näkyä ensi talvena suomalaisten sähkölaskussa. Kansaa myös saatetaan kehottaa välttämään sähkön tuhlaamista paukkupakkasilla.
    https://www.iltalehti.fi/kotimaa/a/43a0ebbb-ad27-4919-9acc-d4b6a310cda8

    Reply
  28. Tomi Engdahl says:

    Tuore selvitys: Suurin osa suomalaisyrityksistä ei pystyisi toimimaan kuin päivän, jos sähkönjakelu keskeytyisi
    Sähkönjakelun keskeytyminen on yrityksille suurin uhka, kertoo Keskuskauppakamarin selvitys.
    https://www.iltalehti.fi/kotimaa/a/888973e7-b711-4520-b398-cca756fb05d1

    Keskuskauppakamarin ja Huoltovarmuuskeskuksen tiistaina julkaistun selvityksen mukaan kaksi kolmasosaa vastaajayrityksistä ei kestäisi kuin yhden päivän, jos sähkönjakelu Suomeen keskeytyisi.

    Selvityksen mukaan sähkökatkoksen sattuessa puolet vastaajayrityksistä ei kykenisi jatkamaan tai siirtämään toimintaansa toiseen paikkaan.

    Yhden päivän sähkökatkoksen kestäisi lähes viidesosa vastaajayrityksistä, eli yhden päivän jälkeen kaksi kolmasosaa yrityksistä ei kykenisi lainkaan jatkamaan toimintaansa.

    Yritysten toiminta vaikeutuisi myös digitaalisten palveluiden estyessä. Selvityksen tuloksista ilmenee, että yhden päivän katkon jälkeen reilusti yli kolmasosa yrityksistä ei kykenisi toimimaan.

    Selvityksen mukaan suuriin yrityksiin kohdistuneen hybridivaikuttamisen todennäköisyys on kasvanut.

    Lähes puolet suurista yrityksistä arvioivat vaikuttamisen todennäköisyyden olevan vähintään melko todennäköistä.

    Hybridivaikuttamisen vakavimmat seuraukset yrityksille olisivat selvityksen mukaan luottamuksellisten tuotetietojen tai muun yritystiedon menettäminen, luotettavan liikekumppanin aseman menettäminen tai olemassa olevien asiakassuhteiden menetykset. Myös tulevien liiketoimintamahdollisuuksien menettäminen ja taloudelliset menetykset nousivat selvityksessä esiin.

    Reply
  29. Tomi Engdahl says:

    Industroyer: A cyberweapon that brought down a power grid https://www.welivesecurity.com/2022/06/13/industroyer-cyber-weapon-brought-down-power-grid/
    Five years ago, ESET researchers released their analysis of the first ever malware that was designed specifically to attack power grids

    Reply
  30. Tomi Engdahl says:

    White Papers
    Cyber Safe Green Energy
    https://www.txone.com/white-papers/cyber-safe-green-energy/?utm_source=SecurityWeek&utm_medium=newsletter&utm_campaign=GEnergy_WP&utm_content=300_200gif

    In our new white paper “Cyber Safe Green Energy”, we share experience from collaborating with industry leaders in green energy to secure work sites with the OT zero trust approach.

    Prevent cyber incidents that could interfere with power delivery, destroy property, or even endanger human lives
    Streamline oversight and compliance with regulations
    Neutralize insider threat and prevent supply chain attacks

    https://media.txone.com/prod/uploads/2022/05/Cyber-Safe-Green-Energy-TXOne-WP-202205_22050914485.pdf

    Reply
  31. Tomi Engdahl says:

    Texas’ power grid operator, ERCOT, is paying businesses that eat up lots of energy to shut down — which includes the state’s crypto mining companies.

    Texas’ power-grid operator is asking crypto miners to power down as the state’s electricity system grapples with sky-high temperatures
    https://www.businessinsider.com/texas-power-grid-operator-crypto-miners-shut-down-2022-7?utm_source=facebook.com&utm_medium=social&utm_campaign=sf-bi-main&r=US&IR=T

    Texas’ power-grid operator is paying big businesses that use a lot of power to power down.
    That includes crypto-mining companies that flocked to the state for its cheap energy and vast land.
    Texas has had historic three-digit temperatures as a sweltering summer grips the state.

    Texas’ power-grid operator is telling big businesses to power down as historic sky-high temperatures descend upon the Lone Star State.

    Among those major operations are crypto-mining companies, which flocked to Texas for its inexpensive electricity and wide, open spaces necessary for setting up shop.

    The Electric Reliability Council of Texas on Monday urged residents and businesses to conserve energy in the hottest hours of the day, between 2 and 8 p.m.

    Reply
  32. Tomi Engdahl says:

    Smart thermostats inadvertently strain electric power grids https://news.cornell.edu/stories/2022/07/smart-thermostats-inadvertently-strain-electric-power-grids
    The smart thermostats are saving homeowners money, but they are also initiating peak demand throughout the network at a bad time of day, according to Cornell engineers in a forthcoming paper in Applied Energy (September 2022.).
    https://www.sciencedirect.com/science/article/abs/pii/S0306261922007243

    Reply
  33. Tomi Engdahl says:

    Phishy calls and emails play on energy cost increase fears https://blog.malwarebytes.com/cybercrime/2022/08/phishy-calls-and-emails-play-on-energy-cost-increase-fears/
    Gas and electricity price concerns are rife at the moment, with spiralling costs and bigger increases waiting down the line. Sadly this makes the subject valuable material for fraudsters, playing into peoples fears with a dash of social engineering to make them worse off than they were previously. Warnings abound of several energy / cost of living-themed scams doing the rounds. Shall we take a look?

    Reply
  34. Tomi Engdahl says:

    Massive power outage hitting downtown Toronto causing major disruptions
    https://toronto.ctvnews.ca/massive-power-outage-hitting-downtown-toronto-causing-major-disruptions-1.6023350

    A massive power outage is currently affecting the downtown core in Toronto and officials say it may have been caused by a large crane that struck a high-voltage transmission line in the city’s Port Lands neighbourhood.

    Several blocks in the area of Yonge and Dundas streets, including Yonge-Dundas Square itself, lost power just after 12:30 p.m. on Thursday.

    Reply
  35. Tomi Engdahl says:

    Ranskan ydinvoiman musta vuosi
    Maan ydinreaktoreista noin puolet on pois käytöstä. Ranskalaisten murheenkryyni ensi talvena on sähkö, kun saksalaisilla se on kaasu.
    https://suomenkuvalehti.fi/ulkomaat/energiakriisi-yllatti-ranskan-se-mita-saksassa-tapahtuu-kaasulle-tapahtuu-ranskassa-nyt-sahkolle/?shared=1230457-1d1e3f8d-4&utm_medium=Social&utm_source=Facebook#Echobox=1661150198

    Reply
  36. Tomi Engdahl says:

    Lähde:
    “Around 22,000 households in Colorado lost the ability to control their thermostats after the power company seized control of them during a heatwave.

    After temperatures soared past 90 F degrees (+32 C), residents were left confused when they tried to adjust their air conditioning and found locked controls displaying a message that said “energy emergency.””

    https://summit.news/2022/09/01/power-company-seizes-control-of-thermostats-in-colorado/

    Reply
  37. Tomi Engdahl says:

    Colorado utility company locks 22,000 thermostats in 90 degree weather due to ‘energy emergency’
    The Colorado customers ‘chose to be part of’ the program that locked their thermostats, the company said
    https://www.foxbusiness.com/politics/colorado-utility-company-locks-22000-thermostats-in-90-degree-weather-due-energy-emergency

    Reply
  38. Tomi Engdahl says:

    Iranians Hacked A Domestic Violence Shelter And U.S. Power Companies In Ransomware Rampage, DOJ Says https://www.forbes.com/sites/thomasbrewster/2022/09/14/fbi-iran-ransomware-hacks-the-planet/
    The Justice Department announced charges on Tuesday against three Iranian nationals who, between October 2020 and 2022, allegedly hacked into hundreds of organizations across multiple countries, including the U.S., the U.K. and Russia. According to the DOJ, the hackers broke into computers and used Microsoft’s BitLocker security tool, which secures files, to lock up victims’ data. They then allegedly stole data and sent ransom demands, some of which were printed out using office printers. The victims were broad, from small businesses and utilities companies to local government agencies and nonprofits, including a domestic violence shelter in Pennsylvania. The Alert:
    https://www.cisa.gov/uscert/ncas/alerts/aa22-257a

    Reply
  39. Tomi Engdahl says:

    Nixu Threat Intelligence Bulletin: Russian hackers targeting the energy sector in the Baltic Sea region | Nixu Cybersecurity.
    https://www.nixu.com/blog/nixu-threat-intelligence-bulletin-russian-hackers-targeting-energy-sector-baltic-sea-region

    Location: Ukraine, Poland, and the Baltic states.
    Risk: Energy supply disruptions

    Link: https://www.securityweek.com/ukraine-says-russia-planning-massive-cyberattacks-critical-infrastructure
    Link: https://twitter.com/JarnoLim/status/1571891842437840899

    We assess with moderate confidence that it is likely that Russian hackers will attempt to increase their activity against the energy sector – particularly during the winter period and also elsewhere in Europe beyond Ukraine, Poland, and the Baltic countries. Such activity is propelled by Moscow’s attempt to break European resolve to back up Ukraine while at the same time attempting to strengthen its positions on the ground in Ukraine with the ongoing mobilization.

    Reply
  40. Tomi Engdahl says:

    Tällaisia kohteita venäläiset ovat hankkineet Suomesta – Pekka Toverilta kylmäävä arvio https://www.is.fi/kotimaa/art-2000009109233.html

    Venäjän sabotaasi-iskujen uhka suomalaista energiainfrastruktuuria kohtaan on kasvanut merkittävästi. Näin arvioivat Ilta-Sanomien haastattelemat asiantuntijat ja poliitikot.

    - Venäläiset ovat usein pyrkineet hankkimaan rakennuksia nimenomaan strategisesti tärkeiltä paikoilta. Niissä heillä on ollut myös vakoilu- ja tiedustelutoimintaa.

    – Venäläiset saattavat hyödyntää Suomessa omistamiaan kiinteistöjä mahdollisia sabotaasi-iskujaan varten. Nord Stream -putkien räjäytykset olivat varoittava esimerkki, niiden kohdalla Ilkka Remeksen romaanitkin kalpenevat, Niinistö, Kannuksen nykyinen kaupunginjohtaja, sanoo nyt.

    Eduskunnan puolustusvaliokunnan puheenjohtaja Jussi Halla-aho (ps) painottaa IS:lle, ettei energiakohteiden valvontaa saa millään aukottomaksi.

    – Olemme nyt tilanteessa, josta oli selkeitä ennusmerkkejä näkyvissä jo kymmenen vuotta sitten. Silloin riskipuheita ei uskottu. Suomessa oltiin liian sinisilmäisiä, Halla-aho summaa.

    Reply
  41. Tomi Engdahl says:

    Putin: Venäjä iski Ukrainan energia­infrastruktuuriin – lisäsi kylmäävän uhkauksen https://www.is.fi/ulkomaat/art-2000009092587.html

    Reply
  42. Tomi Engdahl says:

    Brittiläinen tiedustelu­johtaja Guardianille: venäläisten varusteet loppumassa https://www.is.fi/ulkomaat/art-2000009092587.html

    Venäjä vahvistaa hyökänneensä Ukrainan energiainfrastruktuuriin
    Venäjä on kohdistanut iskujaan Ukrainan sotilas- ja energialaitoksiin tiistaina, kertoo Venäjän puolustusministeriö. Asiasta uutisoi CNN.

    - Tänään Venäjän asevoimat jatkaa massiivista hyökkäystään laukaisemalla pitkän kantaman ilmassa ja merellä käytettäviä aseita Ukrainan sotilas- ja energialaitoksiin, puolustusministeriö kertoi Telegram-julkaisussa.

    Lvivin alueellisen sotilashallinnon päällikkö Maksim Kozytski sanoi, että Lvivin alueella tehtiin kolme iskua kahteen energialaitokseen

    Reply

Leave a Reply to Tomi Engdahl Cancel reply

Your email address will not be published. Required fields are marked *

*

*