The recent Australian census has focussed a spotlight on the problems cyber attacks can cause for both governments and businesses in our increasingly online world. As well as causing disruptions, they reduce the public's faith in internet-based services.
Unfortunately it's not just data gathering exercises such as the census that are at risk. Everything from water and power plants to financial platforms and communication networks are tempting targets for criminals looking to cause widespread damage and disruption.
Attention is now focusing on the steps that can be taken to reduce the likelihood and impact of such attacks. How can core infrastructure that serves cities, regions or even the globe be protected from cyber criminals?
To understand what can be done to protect important assets, it's worth examining two recent high-profile attacks. Although different in terms of targets and objectives, they demonstrate what's required to prevent future similar incidents:
Example 1: Blackout in Ukraine
In late 2015, the entire western region of Ukraine experienced a massive electricity blackout. An estimated 225,000 residents were left in the dark, and sub-station control systems were overwritten making restoration by power companies difficult. This event was the first time in history a cyber attack had been proven to bring down an electrical system and disrupt the lives of citizens.
The attack began with a spear phishing campaign in which the criminals disguised themselves as legitimate system vendors and members the government. Three staff within the target utility companies believed the emails were legitimate and opened attached documents which contained a malicious macro. This caused malware to be installed on their machines.
The malware established a connection with its command and control server and deployed a secondary piece of malware known as KillDisk. KillDisk was capable of overwriting files on infected systems and rendering each system unbootable.
The attackers then stole credentials and used them to move laterally through the IT environment, staying under the radar of intrusion detection systems. They discovered electric breakers could be accessed over an internal VPN.
When the attack was launched, the criminals took control of workstations in the control room and remotely disabled them so system operators could not intervene. They then disconnected systems, opened breakers, and shut down electricity at 30 substations. They also disabled backup power supplies to two of the three energy distribution centres.
As the power went out throughout the area, the system operators were left helpless, with no ability to take back control of their machines and stop the attack.
Example 2: Financial attack in Bangladesh
In May, 2015, cyber criminals stole $US81 million from the Rizal Commercial Banking Corporation (RCBC) in Bangladesh. The money was sent through fake bank accounts and laundered through casinos in the Philippines.
The attack began with either a spear phishing drive-by-download attack which allowed the criminals to harvest credentials from infected systems and use them to move laterally throughout the bank's IT network. They eventually gained access to machines connected to the SWIFT inter-bank platform that allows secure transfers of money between banks around the globe. The attackers ordered a total of 35 transfers worth $951 million.
The orders were flagged during processing by the US Federal reserve, however the first four - worth
$81 million - had already been sent to fake bank accounts at RCBC in the Philippines. The bulk of that money is still missing.
The role of privilege
In both these attacks the role of privilege was shown to be particularly important. In the Ukraine incident, attackers were able to guess and capture administrative credentials from infected endpoints and use them to move laterally throughout the environment. This enabled persistent, privileged access to the network, and eventually allowed the attackers to VPN into control systems and shut down the power.
In the Bangladesh bank heist, the attackers captured administrative credentials from infected machines and used them to move laterally until they reached the SWIFT-connected systems. Because passwords being used were static and there was no second-factor authentication, the attackers were able to gain persistent, privileged access.
In both examples, taking a different approach to security could have helped prevent the damage and losses that occurred.
The Bangladesh Bank could have dramatically reduced its attack surface by eliminating unnecessary privileges. As a best practice, standard business users should never have full local administration. Without local admin rights, it would have been much more difficult for the attackers to break in, move throughout the network and install monitoring software.
Privileged account credentials should also be secure. This includes domain admin credentials, privileged SSH keys and any other credential that provides access to sensitive accounts or systems.
Highly sensitive systems should also be segmented from the rest of the IT network. Many utilities separate and 'air gap' their control systems and banks take a similar approach with their SWIFT-connected systems.
Organisations should also establish a single, highly controlled point of access into their sensitive systems. By forcing all users through this single point and closing all other routes, they can significantly reduce the attack surface and have granular control over who is able to access what systems.
While it's almost impossible to make large and complex infrastructures completely secure, following these techniques can go a long way towards reaching that goal. Cyber attacks of this nature are likely to continue to increase, making a focus on proper IT security ever more important.