As we are close to finishing off the first month of 2020 (it is so hard to believe that the time has gone by so quickly), the Cyber Threat Landscape so far, has been about the same as it was back in late 2019.  Of course, this is just my opinion. 

I scour the news headlines on a daily basis, and probably some of the biggest headlines that were happening dealt with the crisis in the Middle East, and how Iran could launch a new campaign of Cyberwarfare against the United States.

There have been some different news headlines, for instance just this past week, the big story was all about how a Saudi Prince broke into Jeff Bezos’ smartphone device.  But so far this month, it hasn’t been all bad news, believe it or not, there was some good news as well. 

This included a number of Cybersecurity firms receiving investor money in order to fuel their growth, and there are more colleges and universities across the United States that are now offering degree programs exclusively in Cybersecurity.

But, there one theme that keeps coming up the front, and that is the potential attack for an attack on Critical Infrastructure here in the United States.  This actually has happened in Baltimore and in different regions in Texas late last year, but the real fear now is that is that the magnitude of this could increase by multiple factors. 

But the reports that are coming out now pinpoint one area of US Critical Infrastructure that is at grave risk:  the national power grid.  This is according to the latest market research report that was conducted by an organization known as Dragos, Inc.  More details on this can be seen at this link, and you can also download the entire document here as well:

This report is entitled the “January 2020 North American Electric Cyber Threat Perspective”, and in it, seven knowns Cyberattack groups were tracked, and include the following:

*PARISITE;

*XENOTIME;

*DYMALLOY;

*ALLANITE;

*MAGNALLIUM;

*RASPITE;

*COVELLITE.

It is important to note that while these Cyberattacks have been target different kinds and types of victims, they are notoriously known for their attempts to literally hijack the national power grid of any country, especially here in the United States.  Out of the above-mentioned list, the two that have been the most active starting late last year and going into 2020 have been PARISITE and MAGNALLIUM.

The attack vehicles used by PARISITE include targeting and taking complete control over the unknown vulnerabilities from with the Virtual Private Network (VPN) infrastructure of the major electrical companies. 

The vehicles used by MAGNALLIUM utilize password spraying campaigns, but these are targeted more towards the oil and gas companies in the United States as well. 

In this report, MAGNALLIUM has been mostly for the Cyberattacks that have occurred after the rising tensions between the United States and Iran started to escalate quickly just this past month.  Dragos, Inc. fully expects that this trend will continue, and will only further increase in both scale and magnitude. 

Another mentioned Cyberattack group, XENOTIME, is also expected to emerge as a powerful nation state threat actor, but rather than targeting the power grids, their emphasis will be more upon the supply and distribution chains here in the United States.  This will include all modes of transportation which are rail, water and air transports. 

The modes of transportation (such as the airplanes, freight trains, and cargo ships) won’t be the actual targets themselves, but rather, it will be the Industrial Control Systems (ICS) hardware and software packages that run them.

Keep in mind that these systems are very much legacy based ones.  They were probably built and installed in the late 70’s to early 80’s, when even the term “Cyberthreat” was not even heard of during that time.

Rather, most of the security concerns were around Physical Access Control and making sure that only authorized individuals had access to these specific systems.  Because of this, adding any layers of Cybersecurity protection can be considered a close to impossible task, because of interoperability issues. In order to truly make these ICS’s hardened from any sort of Cyberattack, the existing systems will have to be ripped out and new ones put in place.

This scenario is guaranteed to never happen, based from a benefit-risk standpoint.  This is why they are so prone to a Cyberattack, because of these ICS’s have many unknown vulnerabilities and weaknesses that have not even been discovered yet. 

Also, it would be very difficult for a Penetration Test or Threat Hunting exercise to unearth them, because they are all hardware based.  They hardly have any digital assets associated with them.

But it is also important to note that another favorite vehicle that is favored by these Cyberattack groups to disrupt the United States power supply system is that of the traditional Phishing Email (yep, the oldie but the still the 800 pound gorilla) using a tactic specifically as “Spear phishing”. 

In these specific instances, the major electrical power companies received deceptive Emails claiming to be from both  licensing and certification bodies from the United States Federal Government. 

Of course, these Emails contained either a malicious link or an infected attachment which contained the malware known as the “LookBack”.  But, the report from Dragos did detail six major of vulnerable points where these above mentioned Cyberattacks could be aimed at, and these include the following:

*Third-party and original equipment manufacturer (OEM) compromises;

*Systematic attack on electricity generation;

*OT communications gateways;

*Adversary access through cellular or satellite connections.

My Thoughts On This

One of the saving graces so far that the United States national power grid from not being impacted on a large scale yet is that despite its old age and legacy systems that are used to support it, the system is actually quite complex.  It is not as simple as finding one weak spot.  There are many vulnerable areas that the Cyberattacker has to look out for, which will of course take a lot of time to discover.

But the real fear is that once a majority of these have been located, it is then just a matter of a short period of time where a piece of nefarious malware can be deployed into them, which will then result in a both cataclysmic and cascading failure of our electrical power supply. 

But as I have mentioned before on many occasions in my blogs, the Cyberattacker of today is very patient and extremely deliberate in what they do.

They are in no rush whatsoever, and in fact even if takes these Cyberattack groups even a couple of years to find all of these unknown weak spots, in my opinion, that is fine by them.  So far, we have time on our side, but if it is not used wisely, we will lose out in the end, and in a big very horrific way. 

Right now, even just losing a few hours of electrical power can cause some serious disruptions in a large city, such as right here in Chicago. 

Now, can you imagine fi we lost weeks or even months of electricity?  We may never even recover.  The human and financial toll would be just too much too bear.  But also keep in mind that losing electricity is just one aspect-just about everything we depend upon today in our daily lives depends upon a consistent flow of it.  In this regard, electricity is just like water. 

We cannot go for more than two or three days without it.

Also, the report claimed that another catalyst fueling these groups motivations to shut down the United States power supply is the upcoming Presidential Election.  Heck if you can cease this to happen, our whole Federal Government would then literally cease to exist. 

Did our forefathers who wrote the Constitution hundreds of years not only ensure our freedoms but to ensure continuity of our government ever think of this scenario?

Probably not.