Security

December 22, 2009 9:40 AM PST

Report: FBI investigating Citibank cyberattack

by Lance Whitney

Citigroup denies it, but its Citibank unit was reportedly robbed of tens of millions of dollars, the victim of a cyberattack by members of a Russian criminal gang, says Tuesday's Wall Street Journal (subscription required).

The attack was discovered this past summer, says the Journal, but investigators for the FBI and National Security Agency believe it could have happened months or a year prior. The two agencies have reportedly shared information with the Department of Homeland Security and Citigroup to defend against the attack. The investigation is supposedly ongoing, with no word on whether or not any of the stolen money has been found.

Investigators initially became suspicious after spotting traffic coming from IP addresses once used by the Russian Business Network, a Russian gang of cybercriminals who went off the radar back in 2007, notes the Journal. But reports have surfaced that members of the gang have since regrouped to launch a wave of new attacks.

One of the tools allegedly used by the hackers to break into Citibank was Black Energy, says the Journal, a $40 piece of software that launches Distributed Denial of Service (DDoS) attacks to prevent access to a specific Web site. Designed by a Russian hacker, Black Energy is commonly sold on certain Russian language forums. But Black Energy is now being sold as part of a $700 kit called the YES Exploit System. The kit includes other crimeware that steals bank account credentials, making it an especially dangerous threat to firms like Citibank.

But Citigroup denies that such an attack ever took place. In a prepared statement e-mailed to CNET, Citigroup said: "Allegations of a breach of Citi systems and associated losses are false. Denial-of-service attacks are directed against companies around the world. While there have been attempts to interfere with the availability of our systems, none of these have resulted in any breaches, compromise of customer information, or losses to Citi."

A company spokesperson further denied any involvement from the FBI. "We had no breach of the system and there were no losses, no customer losses, no bank losses," said Joe Petro, managing director of Citigroup's Security and Investigative services. "Any allegation that the FBI is working a case at Citigroup involving tens of millions of losses is just not true."

Phone calls to the FBI and NSA were not returned.

October 28, 2009 11:16 AM PDT

Survey: Few companies addressing cyberterrorism

by Lance Whitney

Cyberterrorism is on the rise around the world. But only one-third of companies are tackling it in their disaster recovery plans, says a survey released Tuesday by data center association AFCOM.

Although the majority (60.9 percent) of companies questioned see cyberterrorism as a threat to be addressed, "AFCOM's 2009/2010 Data Center Trends" survey found that only 24.8 percent have adopted it in their policies and procedures manuals. Further, only 19.7 percent provide cyberterrorism training to their employees.

Around 82 percent do run background checks on new hires. But that still leaves almost 20 percent of all data centers that don't perform security checks on new employees, including those working directly with personal, financial, and even military records, noted AFCOM.

Cyberattacks have made the headlines over the past few years as they've become more widespread.

Last summer, Georgia suffered a series of cyberattacks as several key Web sites went down for more than a week. The small nation blamed forces within Russia for the attacks.

This past July, the U.S. and South Korea were hit with denial-of-service attacks, preventing people from accessing several government Web sites.

The U.S. power grid has been especially vulnerable as utility companies rely more on network-based smart-grid technology to manage it. A Wall Street Journal report said spies from Russia and China have already hacked into the grid, leaving behind traces of their activity.

In an interview with "60 Minutes" in April, Defense Secretary Robert Gates said that the U.S. is "under cyberattack virtually all the time, every day."

Beyond the AFCOM survey, other reports have also noted flaws among organizations in their approach toward cyberterrorism.

A recent report by the SANS Institute found that companies have misplaced priorities in determining where and how to shore up their defenses against cyberattacks.

AFCOM noted that over the past five years, 63 percent of all its data center members have seen a dramatic rise in the amount of information they need to store and protect. The report urges data center managers to include cyberterrorism in their disaster recovery and security plans.

To compile its report, AFCOM surveyed 436 of its member data center sites across 27 countries. Approximately 83 percent of the respondents were in the U.S., with the rest overseas. Private industry made up 84.5 percent of those surveyed, with government agencies comprising 8.1 percent, and universities 7.4 percent. The survey also included questions on green technology, cloud computing, and virtualization.

September 15, 2009 6:37 AM PDT

Cyberdefenses are misdirected, report says

by Manek Dubash

Organizations are finding it difficult to prioritize defense strategies against cyberattacks because most of them do not have an Internet-wide view of the attacks, according to a report from SANS Institute, the security training organization.

As a result, two security risks--Web applications and phishing--carry the greatest potential for damage, even though users instead tend to concentrate on less-critical risks.

The report, published by security training organization SANS Institute, amalgamates global data from security attacks on computers from March to August.

It identifies two main defense priorities for enterprise users. The first is targeted e-mail attacks, or spear phishing, that exploit client-side vulnerabilities in programs such as Adobe Systems' PDF Reader and Flash, Apple's QuickTime, and Microsoft's Office. These applications are described as the "primary initial infection vector used to compromise computers that have Internet access" and are the result of attackers taking advantage of "programming errors that are not being picked up by common vulnerability scanners."

The second priority is vulnerable sites. More than 60 percent of attacks are against Web applications and "convert trusted Web sites into malicious Web sites serving content that contains client-side exploits" by exploiting the most common vulnerabilities such as SQL injection and cross-site scripting flaws, in both open-source and custom-built applications. Such vulnerabilities make up more than 80 percent of attack opportunities.

A further finding is that applications are now more vulnerable and see more exploitation attacks than operating systems. There were no new major operating system worms seen in the wild during the reporting period.

Additionally, the report found there has been a "significant increase" over the past three years in the number of people discovering zero-day vulnerabilities: flaws that become known to attackers before they are discovered by security researchers, opening the chance of an attack against which no preparation has been made.

"This report is different from anything we have done before," a SANS spokesman said, "because it reflects massive amounts of data on the actual attacks (millions of them) and on the speed with which the underlying vulnerabilities are being patched (actual data from thousands of companies)."

The report's sources include attack data from 6,000 organizations, compiled by security hardware vendor TippingPoint; vulnerability data from 9 million computers, compiled by security software vendor Qualys; and additional analysis and tutorial material from the Internet Storm Center and SANS faculty members.

Manek Dubash of ZDNet UK reported from London.

April 10, 2009 4:00 AM PDT

Just how vulnerable is the electrical grid?

by Elinor Mills

Smarter is not always better--at least when it comes to utilities.

More than a decade after initial reports said critical infrastructure in the U.S. is vulnerable to cyberattack, the situation has only worsened as utilities move their control systems closer to the Internet and install smart-grid technology, according to security experts.

Questions about the security of infrastructure in the United States arose this week following a Wall Street Journal report that said the nation's electricity grid has been compromised by foreign hackers. And several experts said in interviews this week that some energy systems have, in fact, gotten less secure as they have modernized. The Supervisory Control and Data Acquisition (SCADA) control systems used by the energy industry used to be segregated from public networks. But they have increasingly become more dependent on Internet protocol-based systems, the experts said. At the same time, their security precautions are inefficient, they said.

"The end result is that, as part of our modernization, we've made ourselves more vulnerable," said James Lewis, a senior fellow at the nonprofit Center for Strategic and International Studies (CSIS).

"Plant control networks (and their programmable logic controllers) should be disconnected from the Internet," said Peter "Mudge" Zatko, technical director of the national intelligence research unit at BBN Technologies. "These are the things lifting and lowering the plutonium rods into the water to make steam... It's on the Internet. This is terrifying."

Myriad operational problems
For many utility workers, it's easier to log onto the Internet from home when they get called at night. But if those home computers are infected with spyware, they can be used by attackers to get into the control systems, which are supposed to be separated from the Internet.

And there are other problems that are more deeply embedded in the day-to-day operations of a utility's business. Network control software that utilities buy from outside vendors often includes the ability to run Web servers and enable remote access and wireless access. Then there are configuration problems, such as routers and other systems that use default passwords, or worse, don't use passwords at all, according to Zatko and others who have tested the systems.


"It's out of ease-of-use and the fact that there weren't strong restrictions (the electric utilities were deregulated to a large extent) that the networks are a mess in a lot of places," Zatko said. Often, "the systems themselves aren't robust because they were designed to be on networks that weren't talking to the public Internet."

Many warnings have been sounded over the years. In 1999, Zatko compiled a list of about 30 utilities whose plant control networks could be accessed remotely, and he says many of them still have the same problems today. In 2004, Gartner did a report concluding that the use of IP networks for critical infrastructure could serve as bait for cyberattackers.

"It's painfully easy to exploit" the control systems, said Frank Heidt, chief executive of professional security services company Leviathan Security. "Energy management systems really can't be connected to the Internet. It's going to be painful for some companies, but they're going to have to change this."

Last year, a security expert at the RSA conference detailed how easy it is to break into power plants by downloading malware to employee computers through a socially engineered e-mail that directs them to a malicious server. Meanwhile, Core Security found a hole in the Suitelink software that is used to automate operations at power stations, oil refineries, and production lines.

Lewis of the CSIS acknowledged that using the Internet opens utilities up to cyberattack risks, but said there are "sound economic reasons" for them doing so.

"Most of the critical infrastructure on the Internet is there for legitimate business purposes," agreed John Bumgarner, a research director at the nonprofit U.S. Cyber Consequences Unit.

Security company Industrial Defender has done more than 100 threat assessments over the past seven years, primarily in utility infrastructure, and identified 34,000 vulnerabilities, said company CEO Brian Ahern.

For the most part, utilities--among the most conservative businesses in spending on technology--don't do basic security monitoring of their power generation and distribution equipment, he said.

"You can't protect when you don't know what's happening. I think that less than five percent of utilities have a good sense of critical threats," he said.

Utilities "are sacrificing security for convenience and cost savings," said Richard Forno, a principal at KRvW, an information security consulting firm in Washington, D.C. "We've allowed the situation to get worse, and it will be harder to get away from these networks touching the public Net now that we are 10 years, 15 years into the process."

Smart grids: Efficient but insecure
IP networks aren't the only problem. The use of smart-grid technology, which consists of networked meters designed for adjusting electricity flows and monitoring everything from power plants to individual appliances in homes, is also putting critical systems at risk, experts said.

Critical infrastructure insiders in the U.S. and Canada surveyed last year said the energy sector was the industry most vulnerable to cyberattack. The survey cited many contributing factors: an increase in the number of access points through the use of sensors, smart meters, and third-party contractors with remote access capability; use of more IP-based networks; integration between corporate and operational networks; reliance on standard or commodity IT platforms such as Microsoft Windows; and lack of attention to security by network automation and control system vendors. The biggest bottleneck to improving critical infrastructure security is cost, followed by apathy, they said.


In March, IOActive, which provides application and smart-grid security services, said it had verified "significant" and "inherent" security flaws with multiple smart-grid platforms and found them susceptible to common security vulnerabilities such as protocol tampering, buffer overflows, persistent and non-persistent rootkits, and code propagation.

"These vulnerabilities could result in attacks to the smart-grid platform causing utilities to lose momentary system control of their advanced metering infrastructure smart meter devices to unauthorized third parties," the company said in a release (PDF). "This would expose utility companies to possible fraud, extortion attempts, lawsuits, or widespread system interruption."

More than 2 million smart meters are in use in the U.S. today, and an estimated 73 utilities have ordered 17 million additional smart meters, according to IOActive. The Obama administration's proposed 2010 budget has earmarked $4.5 billion for smart-grid technologies in the electricity infrastructure.

"The plan now would be to put in largely unsecured networks for smart grid," said Lewis of CSIS. "Hopefully they'll fix it."

The worst case scenario is that a person would gain access to and control of one smart meter, then use it to control other networked smart meters to disrupt the grid, said Ahern of Industrial Defender.

Standards for securing smart-grid technologies are still being finalized, but Ahern thinks that government-led efforts to modernize the grid should focus more on designing security in right at the beginning.

"We've got to take a step back from the hurry-up approach with the smart grid," he said. "There needs to be a balanced approach between investing in (smart grid) deployments and building security deeply into it."

The vulnerability of the critical infrastructure isn't news, so why the Wall Street Journal report, with its unnamed sources, now?

The story is likely linked to turf battles within the federal government over which agency will oversee the cybersecurity policies, and get the funding for it, several of the security experts suggested. For instance, the Department of Homeland Security has been criticized for not doing enough on cybersecurity, while the director of Homeland Security's National Cybersecurity Center resigned recently, accusing the NSA of trying to wrest control.

The Obama administration in December ordered officials to do a 60-day review on the Department of Homeland Security's cybersecurity efforts, and that report is due to be released next week.

Meanwhile, the administration's proposed 2010 budget includes $355 million to support the base operations of the National Cyber Security Division and the efforts of the Comprehensive National Cybersecurity Initiative.

"We're right at the point where they're naming new cybersecurity czars and there's a grab for funding between the Air Force, Navy, NSA, and others that want the cybersecurity budget," said Zatko. "There are a lot of renewed efforts in this particular field, and it's a field that's in a fair amount of disarray."

While experts discuss cybersecurity threats, physical attacks on infrastructure are taking place. AT&T said Thursday that vandals were to blame for that day's massive phone and Internet outage in Silicon Valley.

(CNET News' Martin LaMonica contributed to this report.)

April 7, 2009 4:08 PM PDT

Pentagon spends over $100 million on cyberattack cleanup

by Elinor Mills

The Pentagon spent more than $100 million in the past six months cleaning up after Internet attacks and network issues, military leaders said on Tuesday.

"The important thing is that we recognize that we are under assault from the least sophisticated--what I would say the bored teenager--all the way up to the sophisticated nation-state, with some petty criminal elements sandwiched in between," Air Force Gen. Kevin Chilton, head of U.S. Strategic Command, told reporters at a cyberspace conference in Omaha, Neb., as reported by CBS News.

Neither he nor Army Brigadier Gen. John Davis, deputy commander for network operations, would say how much of the estimated $100 million was spent cleaning up from viruses compared with outside attacks and inadvertent security problems due to U.S. Department of Defense employees. However, they did say that spending money to shore up the networks to prevent attacks and breaches would be better than paying to clean up after an incident.

The Defense Department was forced to take up to 1,500 computers offline last year because of a cyberattack, and it banned the use of external removable storage devices because of their ability to spread viruses.

The news comes amid internal government squabbles over which department would be best to manage the nation's cybersecurity programs and in the middle of a cybersecurity review ordered by President Obama.

Last week, legislation was introduced that would create a cybersecurity adviser who reports directly to the president and who would have the authority to disconnect federal or critical infrastructure networks from the Internet if they were deemed to be at risk of attack.

November 11, 2008 3:15 PM PST

Energy industry at risk of cyberattack, survey says

by Elinor Mills

Asked which industry is the biggest target for cyberattack, critical infrastructure insiders in the U.S., Canada, and Europe point to the energy sector.

The energy industry also is the most vulnerable to cyberattacks and would have the most detrimental breach, while the financial sector is the best prepared in the case of a cyberattack, according to the survey sponsored by security firm Secure Computing. All other industries were deemed to be "not prepared" by greater than 50 percent of the respondents.

Survey participants from the U.S. and Canada were also asked how soon major exploits of critical infrastructure were likely to occur and more than half said they had already begun. Another 14 percent predicted that a major exploit was likely in the next 12 months. Only 2 percent said there would never be a severe exploit, according to the research released Monday.

Concerns about cyberattacks on the energy sector spurred U.S. lawmakers to consider legislation to broaden federal authority over electric companies in September.

Contributing to the increased vulnerability in the energy industry are: an increase in the number of access points through the use of sensors, smart meters, and third-party contractors with remote access capability; use of more IP-based networks; integration between corporate and operational networks; reliance on standard or commodity IT platforms such as Microsoft Windows; and lack of attention to security by network automation and control system vendors, according to a white paper on the research written by Energy Insights.

The biggest bottleneck to improving the security of critical infrastructure is cost, followed by apathy. Government bureaucracy and internal issues were tied for third place.

Nearly 200 industry leaders from the critical infrastructure industries completed the survey at industry events in August and September.

Security experts have discussed how easy it would be to break into a power plant. Cybersecurity worries prompted U.S. lawmakers in September to consider legislation to broaden federal authority over electric companies.

This chart shows how prepared respondents said specific industries are or aren't for cyberattack.

(Credit: Secure Computing)

August 13, 2008 3:04 PM PDT

Daily Debrief: Online attack, retaliation in Russia-Georgia conflict

by Kara Tsuboi

In Wednesday's edition of the Daily Debrief, CNET security expert Robert Vamosi and I discuss the latest exchange of cyberattacks between warring countries Russia and Georgia. It's been concluded that the initial attacks on the Georgian president's Web site were not the work of another government or sanctioned agency, but rather, amateurs whose country of origin is still unknown. Regardless, the Web site of a Russian newspaper has since come under attack in retaliation, most likely at the hands of the Georgians.

As Vamosi points out, there've been a handful of such attacks over the last decade: during the Kosovo conflict in the late '90s, between Russia and other former Soviet nations, and even during the 2002 Winter Olympics. Vamosi is also quick to mention that the United States, among other countries, is starting to develop contingency plans if a cyberattack were to happen on our soil, or rather, on any U.S. domains.

August 11, 2008 12:00 PM PDT

Georgia accuses Russia of coordinated cyberattack

by Tom Espiner

The Georgian embassy in the U.K. has accused forces within Russia of launching a coordinated cyberattack against Georgian Web sites, to coincide with military operations in the breakaway region of South Ossetia.

Speaking to ZDNet UK on Monday, a Georgian embassy spokesperson said that Web sites had been unavailable over the weekend, claiming this was due to Russian denial-of-service attacks.

"All Georgian Web sites have been blocked," said the spokesperson. "Georgia is working on redirecting Web traffic."

At the time of writing, the Web site for the Ministry of Defense of Georgia was unavailable for viewing from the U.K. The Web sites for both the Georgian presidential office and the Ministry of Foreign Affairs of Georgia were available, but the spokesperson said this was due to Georgian redirection work.

"They are new (Web sites)," said the spokesperson. "It was impossible two days ago (to access them)."

However, the spokesperson acknowledged that, as yet, Georgia could not confirm that Russia had been responsible, as the causes were still "under investigation." But the spokesperson asked: "Who else might it be, though?"

In 2007, disruptions of Internet service in Estonia--like Georgia, formerly a political division of the Russia-dominated Soviet Union--prompted talk of those events as possibly the first-ever cyberwar. The exact nature of the disruptions, and who might be to blame, proved hard to pin down.

The Russian embassy in London said it had no information regarding cyberattacks against Georgia, but insisted there had been no military attack against Georgia. "I'd like to draw attention to a misunderstanding," said a Russian embassy spokesperson. "There is no Russian (military) attack. There is peace enforcement in South Ossetia."

According to a post on the Web site of the president of Poland, Lech Kaczynski, the Russian government blocked Georgian Web sites to coincide with "military aggression."

"Along with military aggression, the Russian Federation is blocking Georgian internet portals," read a statement on the Polish presidential Web site. "On request of the president of Georgia, the president of the Republic of Poland has provided the Web site of the president of Poland for dissemination of information."

One of the statements made by the Georgian government on the Polish presidential Web site accused the Russians of bombing the port of Poti on the Black Sea, "far from South Ossetia," and of sending warships into the area.

"(Poti) serves as a vital energy-transit route to Europe," read the statement. "Over the past 48 hours, Russian forces have killed over 100 Georgian civilians and soldiers, after targeting residential complexes in Georgia, as well as airports, bases, and other vital infrastructure."

A "full cybersiege"?
The RBN Web site, which normally attempts to track the activities of the criminal Russian Business Network, kept a running commentary of technical developments over the weekend.

On Saturday, the RBN blog, which is run by security researcher Jart Armin, claimed there was a "full cyber-siege" of Georgia. The RBN blog post claimed that the Russia-based servers AS12389 Rostelecom, AS8342 Rtcomm, and AS8359 Comstar were controlling all traffic to Georgia's key servers.

According to the blog, German hackers managed to route traffic directly to Georgia through Deutsche Telekom's AS3320 DTAG server for "a few hours" on Saturday, but this traffic was intercepted and rerouted through AS8359 Comstar, which is located in Moscow.

The RBN Web site also warned users not to trust any Web sites that appeared to be maintained by the Georgian government but did not have any statements about the weekend's hostilities, as these had likely been intercepted and altered.

Security organization the Shadowserver Foundation reported in an update to an earlier blog post that it was also seeing cyberattacks directed against ".ge" sites, with the Georgian Web sites being hit with HTTP floods. Shadowserver reported that the command-and-control server being used to launch the attacks was located in Turkey.

In July, Shadowserver security volunteer Steven Adair reported that the president of Georgia's Web site had suffered a denial-of-service attack following a buildup of hostilities between Russia and Georgia over South Ossetia.

Tom Espiner of ZDNet UK reported from London.

Background information provided by CNET's Rob Vamosi
