Iranian Cyber-Attackers Target US Energy Companies
Cyber-attackers backed by the Iranian government have breached and infiltrated several US-based energy companies in an ongoing campaign, according to the Wall Street Journal.
Iranian cyber-attackers launched a series of infiltration and surveillance missions against energy companies in the United States, and successfully accessed control-system software they could have used to manipulate oil or gas pipelines, the Wall Street Journal reported Thursday. The attackers have collected information on the control systems and “acquired the means” to disrupt or destroy these systems in the future, current and former officials said, according to the report.
They got “far enough to worry people,” a former official told the Journal.
The attackers appear to be focusing on oil and gas companies, but it’s not clear at this point which companies have been infiltrated, or how many. The Journal also did not say how long these campaigns have been in progress.
But the U.S. has “technical evidence” directly linking the hacking of energy companies to Iran, the Journal reported.
Adversaries Other Than China
It’s no surprise that attacks against critical infrastructure have been escalating, Ken Silva, senior vice president of cybersecurity at ManTech International told SecurityWatch. The stakes are much higher, and attack methods are evolving rapidly, he said.
“Nation-state attackers in China, Iran, Russia and South American countries are becoming more brazen and their attacks more complex, involving elaborate plans to steal intellectual property and money,” Silva said.
Unlike the recent reports of attackers from China targeting US companies to steal intellectual property, the Iranians appear to be more interested in disrupting operations and outright sabotage. “Unlike many other nation-sponsored attacks, the purpose is disruption versus IP theft or espionage,” Darien Kindlund, manager of threat intelligence from FireEye, told SecurityWatch.
“To single out the Chinese when it comes to nation-sponsored attacks is a mistake,” Kindlund said, noting that attacks originating from the Middle East are generally “noteworthy for their sophisticated methods of infection and evasion.”
Iranian Response: Not Us
“Although Iran has been repeatedly the target of state-sponsored cyberattacks, attempting to target Iran’s civilian nuclear facilities, power grids, oil terminals and other industrial sectors, Iran has not ever retaliated against those illegal cyberattacks,” Alireza Miryousefi, Iran’s spokesman at the United Nations, told the Journal. “We categorically reject these baseless allegations used only to divert attentions,” he said.
Cyber security was an “international issue” that needed the “collective efforts” of all the countries to reach comprehensive international agreement similar to the ones currently in place for nuclear, biologic and chemical weapons, said Miryousefi, according to Iranian online news site Payanz.
Defending Critical Infrastructure
Most people don’t realize just how interconnected industrial control systems such as those used to control oil and gas pipelines are interconnected with the Internet, said Tom Cross, director of security research at Lancope. The systems are also highly vulnerable because security flaws are unlikely to be fixed right away. The systems aren’t designed to be patched or restarted after installing a patch.
Cyber-security experts have sounded the alarm for years, and President Obama’s executive order on cyber security is a step in the right direction, said Chris Petersen, CTO of LogRhythm. “However, as today’s reports tell, we may be running short on time,” Petersen said.
There is a “fine line” between regulation and voluntary standards, said Lila Kee, GlobalSign’s chief product and marketing officer. Regulations cannot be so rigid that it can’t evolve with the threats, and voluntary standards can’t be so lax that they are worthless. Kee believes an industry-government model where standards “are developed by those who understand the exact challenges of this industry” is more likely to be accepted by individual companies, she said.