December 14, 2020

Article: Hackers Penetrate SIEA in Phishing Attack

Published in the World Journal

The public image of hacking created by Hollywood is a black-clad twenty-something typing furiously as they evade government or corporate security.  The more accurate picture would be that of someone engaged in hunting or fishing, patiently awaiting their prey to make a mistake that they can exploit.

Hacking is such a well-established practice that corporate security and intelligence professionals have created a taxonomy of the strategies used by hackers.  Distributed Denial-of-Service attacks (DDoS attacks) overwhelm the servers of a website, causing the site to crash.  Protesters, such as Anonymous, use DDoS attacks to bring down the websites of what they believe are bad actors.  Cracking - using key-loggers or decryption tools to learn a user's password and gain access to a system - is less common.  This sophisticated tactic is the realm of organizations like the US National Security Agency (NSA) or the United Kingdom's Government Communications Headquarters (GCHQ).  The exploitation of missing security patches - those annoying operating system updates that you are supposed to download each month - is another tactic for gaining a back door into a company's internal network.  Social engineering is the con artistry of hacking, using persuasion to encourage people to give up information that a hacker can use to penetrate a corporate network or a corporate facility.  Lastly, phishing and spear-phishing are tactics used to encourage a particular employee of a target company to open a malware-laden file sent to them via email or social media.  All of these tactics are used by hackers to obtain information to sell to others, to obtain payment data or cryptocurrency directly from their target, to surveil the target, or to sabotage the target.

Conversely, those who fight hackers - cybersecurity professionals and counterintelligence agents - work to train a company's employees on what not to do.  The hope is that this training might prevent successful attacks in the future.  For example, cybersecurity professionals may require employees to undertake annual training on avoiding phishing attacks, or require employees to keep their computers up to date so that missing security patches cannot be exploited.  Cybersecurity professionals may also attempt to break into or penetrate their own facilities or networks as a form of "pen testing" (penetration testing) to identify security weaknesses that their employers can mitigate.  Lastly, cybersecurity professionals may engage in the post-mortem side of cybersecurity: figuring out what happened during a hacking attack, who carried out the attack, what information was compromised, and what sort of damage was caused.

On December 9, 2020, San Isabel Electric Association (SIEA) fell victim to a phishing attack.  One of its employees opened a malware-laden attachment to an email, allowing a hacker or group of hackers to penetrate SIEA's network.  SIEA's public affairs representative, Paris Elliott, reported the hack to SIEA customers via email.  Elliott noted that she did not believe that the hackers who targeted SIEA obtained customer payment data. However, Elliott said she was not involved in the investigation into the breach.  SIEA did not identify what data was transmitted to hackers or whether the hackers were attempting to sabotage SIEA's electrical management systems.  Elliott explained that SIEA provided its employees with intensive cybersecurity training because it is part of the energy sector, which the US Department of Homeland Security considers critical infrastructure.

Hackers inject malware and viruses into targeted systems by installing harmful applications on a computer or a server.  Sometimes hackers use digital means, like phishing, to get the malware onto the system.  Sometimes they merely scatter USB drives on company property in the hope that an employee will plug one into their work computer.  Once on a network, hackers can then target systems for information gathering, ransom, sabotage, surveillance, or theft of resources, whether traditional currency or cryptocurrency.

In 2017, cyberterrorists targeted another energy company.  These terrorists, apparently backed by the Islamic Republic of Iran, were responsible for what would become the largest hacking attack in history.  Petrochemical giant Saudi Aramco, owned by the Saudi Royal Family, had partnered with US chemical giant Dow Chemical to operate a chemical plant on the western edge of the Kingdom of Saudi Arabia.  Hackers broke into this chemical plant and disabled safety mechanisms in an attempt to cause the plant to explode and release deadly hydrogen sulfide gas into the facility.  Hundreds would have died had the hack not been discovered in time.  Saudi Aramco's subsidiary that operated the chemical plant utilized US cybersecurity firm FireEye to respond to this hack.

In the past four years, Colorado businesses and government agencies have been the target of multiple large-scale hacking attempts by Russia's military intelligence organization, known in the West as the GRU (formally the Main Directorate of the General Staff of the Armed Forces of the Russian Federation).  During the run-up to the 2016 presidential election, the GRU targeted Colorado voting data systems.  On October 15, 2020, the National Security Division of the Department of Justice unsealed an indictment against multiple members of the GRU who had targeted Colorado, the nation of Georgia, and the 2018 Olympic Winter Games.  Additional allegations and named defendants in this criminal case are sealed and considered classified.

Elliott explained that she did not know if the hackers who targeted SIEA represented a nation-state or private criminal actors.  She also explained that she did not know which systems were targeted by the phishing attack.  Elliott declined to name the employee who opened the phishing email.

Just one day before the SIEA hack, cybersecurity firm FireEye - the same firm that helped Saudi Aramco respond to the 2017 chemical plant hack - revealed that it had been the target of a GRU hacking attempt.  Multiple US federal agencies were also targeted.

On December 14, 2020, SIEA revealed that it had begun working with a federal law enforcement agency to investigate its phishing attack.  It remains to be seen who is responsible for the SIEA hack, what their intended goals were, and what type of malware or virus was utilized in the phishing attack.  Elliott stated that SIEA will begin training its employees on lessons learned from this attack.