American energy infrastructure at risk from hackers in China and elsewhere
The New York Times’ front-page scoop this morning outlines an understood-but-not-well-articulated threat: hackers supported by the Chinese military, targeting American companies and infrastructure. The article provides a good overview of how a security firm, Mandiant, uncovered the hacking system — down to the building from which it likely operates — but the report from Mandiant itself [PDF] provides much more detail.
What jumped out at us were the targets. While Mandiant doesn’t identify specific companies (many are the firm’s clients), it does provide a matrix of targeted industries by year. One of the first compromised, in 2006, was transportation. Energy companies have been accessed multiple times between 2009 and 2012. As the hackers grow more sophisticated, the focus on infrastructure has increased. From the Times:
While [a unit of hackers] has drained terabytes of data from companies like Coca-Cola, increasingly its focus is on companies involved in the critical infrastructure of the United States — its electrical power grid, gas lines and waterworks. According to the security researchers, one target was a company with remote access to more than 60 percent of oil and gas pipelines in North America.
The Financial Times reported on an attempt to hack natural gas pipelines last May.
A sophisticated cyberattack intended to gain access to US natural gas pipelines has been under way for several months, the Department of Homeland Security has warned, raising fresh concerns about the possibility that vital infrastructure could be vulnerable to computer hackers. …
There was no information about the source or motive for the attack, but industry experts suggested two possibilities: an attempt to gain control of gas pipelines in order to disrupt supplies or an attempt to access information about flows to use in commodities trading.
The original tip-off came from companies that had noticed fake emails sent to staff. The attack uses what is known in computer security jargon as “spear-phishing”: using Facebook or other sources to gather information about a company’s employees, then attempting to trick them into revealing information or clicking on infected links by sending convincing emails purportedly from colleagues.
This is precisely the technique outlined by Mandiant in its report.
In 2009, the Wall Street Journal reported on attempts to access the nation’s electrical grid — a timeline that corresponds with Mandiant’s matrix. The Journal notes that the attacks originate in China and other countries, like Russia. This may be an artifact of how the Chinese hackers route attacks through other countries — a video created by Mandiant shows how this works — but it also reinforces that China isn’t the only country seeking access to American infrastructure.
Last week, President Obama signed an executive order targeting cybercrime, increasing the government’s ability to respond to threats. Some threats, anyway. MIT Technology Review is skeptical it will do much to prevent infrastructure attacks:
The executive order — announced during Obama’s State of the Union address — won’t force companies to introduce measures that would protect infrastructure like the power grid. Ravi Sandhu, executive director at the Institute for Cyber Security at the University of Texas at San Antonio, says this seriously limits its value. “This sounds like a strategy of: ‘Let’s keep trying the same thing again, and maybe this time it will succeed,’ or perhaps kick the can down the road so it becomes someone else’s problem,” he says. “I don’t see much chance of meaningful success. Cybersecurity of critical infrastructure should be a high priority for all nations.”
Drawing attention to the threat to our infrastructure is critical, but it’s not clear what else can be done. Networking our electrical and energy systems is a key step toward building smarter systems that can reduce the amount of fossil fuels we use. Unfortunately, networking those systems also makes them more vulnerable to intrusion. How we balance safety with sharing will be determined — hopefully on our terms, not on the hackers’.