BreachExchange mailing list archives

A particularly destructive type of hacking is far more widespread than previously believed


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 7 Apr 2015 19:59:47 -0600

http://www.businessinsider.com.au/r-exclusive-destructive-hacking-attempts-target-critical-infrastructure-in-americas-survey-2015-4

Hacking attacks that destroy rather than steal data or that manipulate
equipment are far more prevalent than widely believed, according to a
survey of critical infrastructure organisations throughout North and South
America.

The poll by the Organisation of American States, to be released on Tuesday,
found that 40 per cent of respondents had battled attempts to shut down
their computer networks, 44 per cent had dealt with bids to delete files
and 54 per cent had encountered “attempts to manipulate” their equipment
through a control system.

Those figures, provided exclusively to Reuters ahead of the official
release, are all the more remarkable because only 60 per cent of the 575
respondents said they had detected any attempts to steal data, long
considered the predominant hacking goal.

By far the best known destructive hacking attack on U.S. soil was the
electronic assault last year on Sony Corp’s Sony Pictures Entertainment,
which wiped data from the Hollywood fixture’s machines and rendered some of
its internal networks inoperable.

The outcry over that breach, joined by President Barack Obama, heightened
the perception that such destruction was an unusual extreme, albeit one
that has been anticipated for years.

Destruction of data presents little technical challenge compared with
penetrating a network, so the infrequency of publicized incidents has often
been ascribed to a lack of motive for attackers.

Now that hacking tools are being spread more widely, however, more
criminals, activists, spies and business rivals are experimenting with such
methods.

“Everyone got outraged over Sony, but far more vulnerable are these
services we depend on day to day,” said Adam Blackwell, secretary of
multidimensional security at the Washington, D.C.-based group of 35 nations.

The survey went to companies and agencies in crucial sectors as defined by
the OAS members. Almost a third of the respondents were public entities,
with communications, security and finance being the most heavily
represented industries.

The questions did not delve into detail, leaving the amount of typical
losses from breaches and the motivations of suspected attackers as matters
for speculation. The survey-takers were not asked whether the attempted
hacks succeeded, and some attacks could have been carried off without their
knowledge.

The survey did allow anonymous participants to provide a narrative of key
events if they chose, although those will not be published.

Blackwell said that one story of destruction involved a financial
institution. Hackers stole money from accounts and then deleted records to
make it difficult to reconstruct which customers were entitled to what
funds.

“That was a really important component” of the attack, Blackwell said.

In another case, thieves manipulated equipment in order to divert resources
from a company in the petroleum industry.

Blackwell said that flat security budgets and uneven government involvement
could mean that criminal thefts of resources, such as power, could force
blackouts or other safety threats.

At security company Trend Micro Inc., which compiled the report for the
OAS, vice president Tom Kellerman said additional destructive or physical
attacks came from political activists and organised crime groups.

“We are facing a clear and present danger where we have non-state actors
willing to destroy things,” he said. “This is going to be the year we
suffer a catastrophe in the hemisphere, and when you will see kinetic
response to a threat actor.”

So-called “ransomware,” which encrypts data files and demands payment be
sent to remote hackers, could also have been interpreted as destructive,
since it often leaves information unrecoverable.

A spokesman for the U.S. Department of Homeland Security, SY Lee, said the
department did not keep statistics on how often critical U.S. institutions
are attacked or see destructive software and would not “speculate” on
whether 4 out of 10 seeing deletion attempts would be alarming.

U.S. political leaders cite attacks on critical infrastructure as one of
their greatest fears, and concerns about protecting essential manufacturers
and service providers drove a recent executive order and proposed
legislation to encourage greater information-sharing about threats between
the private sector and government.

Yet actual destructive attacks or manipulation of equipment are
infrequently revealed. That is in part because breach-disclosure laws in
more than 40 states center on the potential risks to consumers from the
theft of personal information, as with hacks of retailers including Home
Depot Inc and Target Corp.

Under Securities and Exchange Commission guidelines, publicly traded
companies must disclose breaches with a potential material financial
impact, but many corporations can argue that even deletion of internal
databases, theft and manipulation of equipment are not material.

Much more is occurring at vital facilities behind the scenes, and that is
borne out by the OAS report, said Chris Blask, who chairs the DHS-led
Information Sharing and Analysis Center for cybersecurity issues with the
industrial control systems that automate power, manufacturing and other
processes.

“I don’t think the public has any appreciation for the scale of attacks
against industrial systems,” Blask said. “This happens all the time.”
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
