Russian 'Trojan Horse' Bug Lurking in Vital US Computers Since 2011

I mentioned cyberwarfare a couple of days ago along with the article on Putin "not having a real clue" and "living for the minute".

Of course we all kind of pooh-pooh such statements coming from former soviet aids, but in reality, Putin might be driving the train be he ain't putting the fuel in the vehicle. That would be the Politburo of the old Soviet Union. Remember that those people are still there, many of them, at least the younger people who are now older.

I don't believe for a second Putin hasn't thought out the future, and he's saying nuclear war is inevitable. That's a blatant threat to the West. "YOu do something we don't like, we'll hit you with nukes".

People like Obama would be scared of this. Hell, most of Congress is terrified of it.

But a cyber attack, plus perhaps an emp event would smack America harder than a direct nuclear war if you ask me.

Cyberattack Pings Data Systems of At Least Four Gas Networks

April 4, 2018

At least four U.S. pipeline companies have seen their electronic systems for communicating with customers shut down over the last few days, with three confirming it resulted from a cyberattack.

On Tuesday, Oneok Inc., which operates natural gas pipelines in the Permian Basin in Texas and the Rocky Mountains region, said it disabled its system as a precaution after determining that a third-party provider was the “target of an apparent cyberattack."

A day earlier, Energy Transfer Partners LP, Boardwalk Pipeline Partners LP, and Chesapeake Utilities Corp.’s Eastern Shore Natural Gas reported communications breakdowns, with Eastern Shore saying its outage occurred on March 29. The Department of Homeland Security, which said Monday it was gathering information about the attacks, had no immediate comment Tuesday.

“We do not believe any customer data was compromised,” said the Latitude Technologies unit of Energy Services Group, which Energy Transfer and Eastern Shore both identified as their third-party provider. “We are investigating the re-establishment of this data,” Latitude said in a message to customers.

The company wasn’t ready to make a statement or discuss the details of the service disruption yet, Carla Roddy, marketing director at Energy Services Group, said in a brief interview at the company’s headquarters in Norwell, Massachusetts.

The attacks follow a U.S. government warning in March that Russian hackers are conducting an assault on the U.S. electric grid and other targets. Last month, Atlanta’s government was hobbled by a ransomware attack.

Computer to Computer

The electronic systems help pipeline customers communicate their needs with operators, using a computer-to-computer exchange of documents. Energy Transfer said the electronic data interchange system provided by Latitude was back up and working Monday night. The business wasn’t otherwise affected, spokeswoman Vicki Granado said in an email.

Eastern Shore Natural Gas’s Latitude system was restored on Monday as well, the company said in a notice to customers. In addition to providing EDI services, Latitude also hosts websites used by about 50 pipelines for posting notices to customers. At least some of the websites went down on March 29 and didn’t start returning until Monday, according to Dan Spangler, pipeline manager for data provider Genscape Inc. in Boulder, Colorado.

“Although all of the sites are back up now, many of them are still missing” data for March 30 and April 1, he said. “Other than Energy Transfer pipes and the pipelines hosted by Latitude, we haven’t seen any issues with gas data.”

The shutdowns are “not operationally serious in the sense that it’s stopping the natural gas from moving, but it is serious because it’s causing these companies to use workarounds for communication,” said Rae McQuade, president of the North American Energy Standards Board in Houston, which is responsible for developing industry standards.

“If somebody is running a business that has some kind of critical asset to it -- pipelines, energy, finance -- those networks are going to be targets; those networks have been targets,” said John Harbaugh, chief operating officer at R9B, a Colorado Springs, Colorado, cybersecurity solutions provider.

Many of the 3 million miles of pipelines that spread across America rely on third-party companies for their electronic communication systems, Andy Lee, senior partner at Jones Walker LLP in New Orleans, said by telephone Tuesday. In turn, they depend on those companies to provide security for those systems from attacks.

Latitude is “very well known in the industry,” the energy board’s McQuade said. “They have a lot of clients, they are very well respected.”

The systems are gaining attention from hackers because they’ve proven to be "low-hanging" fruit that creates an opportunity for ransomware or to sell the information on the dark web, Lee said.

Entry Points

While the EDI systems may be entry points for hackers, they are likely not the ultimate target, said Jim Guinn, managing director and global cybersecurity leader for energy, utilities, chemicals and mining at Accenture Plc, a technology consulting company.

“There is absolutely nothing of intrinsic value for someone to infiltrate the EDI other than to navigate a network to do something more malicious," Guinn said by telephone Tuesday. "All bad actors are looking for a way to get into the museum to go steal the Van Gogh painting."

He also said there is nothing inherently different about oil and gas EDI systems.

Not First Time

This isn’t the first time U.S. pipelines have been targeted. In 2012, a federal cyber response team said in a note that it had identified a number of “cyber intrusions” targeting natural gas pipeline sector companies. The group, the Industrial Control Systems Cyber Emergency Response Team, is a division of Homeland Security.

“It’s important to recognize that this does not appear to be an attack on an operational system,” said Cathy Landry, a spokeswoman for the Interstate Natural Gas Association of America. “An attack on a network certainly is inconvenient and can be costly, and something any company – whether a retailer, a bank or a media company -- wants to avoid, but there is no threat to public safety or to natural gas deliveries.”

She said she “cannot speak for any of the companies specifically about what may or may not have happened to their systems.”

These folks need to return to old school shit that wasn't hackable.

Yes, I'm talking about dial-up, point to point comms over POTS. There's simply no hacking that. Oh, someone may be able to listen in if they are exceptionally gifted, but they couldn't change anything.

Toss on some end-to-end encryption with one-time passwords for initiating comms and no one is touching that shit.

The internet is not secure so use something else.

If we were serious about utility cybersecurity, we'd have a version of the Defense Information System Network for utilities exclusively.

Only thing is, no telling how secure DISN really is if there's Chinese networking gear with backdoors installed on it.

Hmm... Krebs doesn't seem to have a precise answer as to the cause.

Who’s Behind Monday’s 14-State 911 Outage?

September 29, 2020

Emergency 911 systems were down for more than an hour on Monday in towns and cities across 14 U.S. states. The outages led many news outlets to speculate the problem was related to Microsoft‘s Azure web services platform, which also was struggling with a widespread outage at the time. However, multiple sources tell KrebsOnSecurity the 911 issues stemmed from some kind of technical snafu involving Intrado and Lumen, two companies that together handle 911 calls for a broad swath of the United States.

On the afternoon of Monday, Sept. 28, several states including Arizona, California, Colorado, Delaware, Florida, Illinois, Indiana, Minnesota, Nevada, North Carolina, North Dakota, Ohio, Pennsylvania and Washington reported 911 outages in various cities and localities.

Multiple news reports suggested the outages might have been related to an ongoing service disruption at Microsoft. But a spokesperson for the software giant told KrebsOnSecurity, “we’ve seen no indication that the multi-state 911 outage was a result of yesterday’s Azure service disruption.”

Inquiries made with emergency dispatch centers at several of the towns and cities hit by the 911 outage pointed to a different source: Omaha, Neb.-based Intrado — until last year known as West Safety Communications — a provider of 911 and emergency communications infrastructure, systems and services to telecommunications companies and public safety agencies throughout the country.

Intrado did not respond to multiple requests for comment. But according to officials in Henderson County, NC, which experienced its own 911 failures yesterday, Intrado said the outage was the result of a problem with an unspecified service provider.

“On September 28, 2020, at 4:30pm MT, our 911 Service Provider observed conditions internal to their network that resulted in impacts to 911 call delivery,” reads a statement Intrado provided to county officials. “The impact was mitigated, and service was restored and confirmed to be functional by 5:47PM MT. Our service provider is currently working to determine root cause.”

The service provider referenced in Intrado’s statement appears to be Lumen, a communications firm and 911 provider that until very recently was known as CenturyLink Inc. A look at the company’s status page indicates multiple Lumen systems experienced total or partial service disruptions on Monday, including its private and internal cloud networks and its control systems network.

In a statement provided to KrebsOnSecurity, Lumen blamed the issue on Intrado.

“At approximately 4:30 p.m. MT, some Lumen customers were affected by a vendor partner event that impacted 911 services in AZ, CO, NC, ND, MN, SD, and UT,” the statement reads. “Service was restored in less than an hour and all 911 traffic is routing properly at this time. The vendor partner is in the process of investigating the event.”

It may be no accident that both of these companies are now operating under new names, as this would hardly be the first time a problem between the two of them has disrupted 911 access for a large number of Americans.

In 2019, Intrado/West and CenturyLink agreed to pay $575,000 to settle an investigation by the Federal Communications Commission (FCC) into an Aug. 2018 outage that lasted 65 minutes. The FCC found that incident was the result of a West Safety technician bungling a configuration change to the company’s 911 routing network.

On April 6, 2014, some 11 million people across the United States were disconnected from 911 services for eight hours thanks to an “entirely preventable” software error tied to Intrado’s systems. The incident affected 81 call dispatch centers, rendering emergency services inoperable in all of Washington and parts of North Carolina, South Carolina, Pennsylvania, California, Minnesota and Florida.

According to a 2014 Washington Post story about a subsequent investigation and report released by the FCC, that issue involved a problem with the way Intrado’s automated system assigns a unique identifying code to each incoming call before passing it on to the appropriate “public safety answering point,” or PSAP.

“On April 9, the software responsible for assigning the codes maxed out at a pre-set limit,” The Post explained. “The counter literally stopped counting at 40 million calls. As a result, the routing system stopped accepting new calls, leading to a bottleneck and a series of cascading failures elsewhere in the 911 infrastructure.”

Compounding the length of the 2014 outage, the FCC found, was that the Intrado server responsible for categorizing and keeping track of service interruptions classified them as “low level” incidents that were never flagged for manual review by human beings.

The FCC ultimately fined Intrado and CenturyLink $17.4 million for the multi-state 2014 outage. An FCC spokesperson declined to comment on Monday’s outage, but said the agency was investigating the incident.

Which also, as Krebs mentions, happened at about the same time as there was a large disruption at Microsoft with Azure/Office 365.

Microsoft 365 Services Are Coming Back After Major Outage

September 28, 2020

Microsoft 365 was hit with a significant outage late Monday that affected users' access to multiple services, including Outlook.

By late evening, services appeared to be largely restored: Microsoft tweeted at 9:21 p.m. ET that "most users should be experiencing relief." The company added that it was "continuing to see significant improvement for affected services."

Earlier, the company indicated affected services included Outlook.com, Office.com, Power Platform, Dynamics365, and Microsoft Teams including Teams Live Event.

According to Down Detector, a website that tracks internet outages, users reported issues with logging in, server connection and Outlook. The downtime began around 5 pm ET for Office 365, according to the site.

Microsoft initially attributed the outage to a recent change to the platform, but later indicated it was "not observing an increase in successful connections after rolling back a recent change. We're working to evaluate additional mitigation solutions while we investigate the root cause."

A Microsoft spokesperson later told CNN Business that "at this time, we've seen no indication that this is the result of malicious activity."

And another at the same time as the others...

Major Hospital System Hit With Cyberattack, Potentially Largest In U.S. History

Computer systems for Universal Health Services, which has more than 400 locations, primarily in the U.S., began to fail over the weekend.

September 28, 2020

A major hospital chain has been hit by what appears to be one of the largest medical cyberattacks in United States history.

Computer systems for Universal Health Services, which has more than 400 locations, primarily in the U.S., began to fail over the weekend, and some hospitals have had to resort to filing patient information with pen and paper, according to multiple people familiar with the situation.

Universal Health Services did not immediately respond to requests for comment, but posted a statement to its website that its company-wide network “is currently offline, due to an IT security issue. One person familiar with the company’s response efforts who was not authorized to speak to the press said that the attack “looks and smells like ransomware.”

Ransomware is a type of malicious software that spreads across computer networks, encrypting files and demanding payment for a key to decrypt them. It’s become a common tactic for hackers, though attacks of this scale against medical facilities aren’t common. A patient died after a ransomware attack against a German hospital in early September required her to be moved to a different hospital, leading to speculation that it may be the first known death from ransomware.

Hackers seeking to deploy ransomware often wait until the weekend, when a company is likely to not have as many technical staff members present.

Two Universal Health Services nurses, who requested to not be named because they weren’t authorized by the company to speak with the media, said that the attack began over the weekend and had left medical staff to work with pen and paper.

One of the nurses, who works in a facility in North Dakota, said that computers slowed and then eventually simply would not turn on in the early hours of Sunday morning. “As of this a.m., all the computers are down completely,” the nurse said.

Another registered nurse at a facility in Arizona who worked this weekend said “the computer just started shutting down on its own.”

“Our medication system is all online, so that's been difficult,” the Arizona nurse said.

While many patient charts at that facility are on paper, medication information is maintained online, though it’s backed up at the end of each day, the nurse said.

“We had those up to date as of the 26th,” the person said.

“Now we had to hand-label every medication,” the nurse said. “It's all improv.”

Ransomware can devastate hospitals. In 2017, a ransomware strain called WannaCry, created by hackers working for the North Korean government, spread across the world and infected the U.K.'s National Health System even though it wasn't a direct target. The attack disrupted at least 80 medical facilities, though there were no publicly reported deaths associated with the incident.

Kenneth White, a computer security engineer with more than a decade of experience working with hospital networks, said that the delays caused by ransomware attacks can have dire consequences for patients.

“When nurses and physicians can't access labs, radiology or cardiology reports, that can dramatically slow down treatment, and in extreme cases, force re-routing for critical care to other treatment centers," he said. "When these systems go down, there is the very real possibility that people can die."