About that "Russia hacked our power grid" thing
So a brand new ScaryRussia! came out today.
This time they hacked our power grid.
Russian hackers are conducting a broad assault on the U.S. electric grid, water processing plants, air transportation facilities and other targets in rolling attacks on some of the country’s most sensitive infrastructure, U.S. government officials said Thursday.
The announcement was the first official confirmation that Russian hackers have taken aim at facilities on which hundreds of millions of Americans depend for basic services. Bloomberg News reported in July that Russian hackers had breached more than a dozen power plants in seven states, an aggressive campaign that has since expanded to dozens of states, according to a person familiar with the investigation.
"Since at least March 2016, Russian government cyber actors" have targeted "government entities and multiple U.S. critical infrastructure sectors," including those of energy, nuclear, water and aviation, according to an alert issued Thursday by the Department of Homeland Security and Federal Bureau of Investigation.
Critical manufacturing sectors and commercial facilities also have been targeted by the ongoing "multi-stage intrusion campaign by Russian government cyber actors."
You see, I actually did something that they don't expect people to do - I looked at the report.
The first thing you'll notice from this report is the complete lack of any evidence that the Russian government, or even someone in Russia, had anything to do with this.
That doesn't mean that the evidence doesn't exist, but it does mean that we are supposed to trust them about this "sophisticated attack group".
And we all know that only a Putin Puppet wouldn't trust the FBI.
DHS analysis identified the threat actors accessing publicly available information hosted by organization-monitored networks during the reconnaissance phase. Based on forensic analysis, DHS assesses the threat actors sought information on network and organizational design and control system capabilities within organizations.
Well that certainly sounds sophisticated.
What exactly is involved in this "Stage 1: Reconnaissance"?
As an example, the threat actors downloaded a small photo from a publicly accessible human resources page. The image, when expanded, was a high-resolution photo that displayed control systems equipment models and status information in the background.
Oh, yes. Very sophisticated reconnaissance!
Who would have thought about looking at a public web site?
"Stage 2: Weaponization" is next. Sounds scary, doesn't it?
Throughout the spear-phishing campaign, the threat actors used email attachments to leverage legitimate Microsoft Office functions for retrieving a document from a remote server using the Server Message Block (SMB) protocol.
Seriously! Spear-phishing again?
And not even recent spear-phishing! Hackers stopped using loaded word documents a decade ago because commercial anti-virus software usually picked it up.
And what moron falls for that anymore?
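The SMB retrieval that quote describes is driven by the relationship entries inside an Office Open XML package: a `.rels` part can declare an external target, such as an attached template on a UNC path, that Word resolves when the file opens. As an added example for this post (not code from the DHS/FBI alert or from any vendor), the Python below scans a `.docx` for relationships that would make Office reach another host and classifies the attachment. The document it builds is a constructed test fixture with only the parts the scanner reads, and the host `203.0.113.5` is a documentation-range address.

```python
"""Scan an OOXML (.docx/.dotx) attachment for relationships that would make
Office open a network connection when the document loads.

Added example, not code from the DHS/FBI alert. build_sample_docx() is a
constructed fixture; 203.0.113.5 is a documentation-range address.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

PKG_RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_RELS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"

# Target spellings that resolve over SMB or the local file stack:
# UNC paths (\\host\share), their forward-slash form, file: and smb: URIs.
REMOTE_TARGET = re.compile(r"^(\\\\|//|file:|smb:)", re.IGNORECASE)


def find_remote_relationships(docx_bytes):
    """Return External-mode relationships whose Target is a UNC/SMB/file
    path, plus any external attached template regardless of scheme
    (templates normally resolve to a local path). Each finding records
    the .rels part, the short relationship type and the target string."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter("{%s}Relationship" % PKG_RELS_NS):
                if rel.get("TargetMode", "Internal") != "External":
                    continue  # internal parts live inside the zip; no network
                target = rel.get("Target", "")
                rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                if REMOTE_TARGET.match(target) or rel_type == "attachedTemplate":
                    findings.append({"part": name, "type": rel_type, "target": target})
    return findings


def classify_attachment(data):
    """'malformed' if the bytes are not a readable zip/XML package,
    'remote-reference' if any relationship reaches another host,
    otherwise 'clean'."""
    try:
        findings = find_remote_relationships(data)
    except (zipfile.BadZipFile, ET.ParseError):
        return "malformed"
    return "remote-reference" if findings else "clean"


def build_sample_docx(template_target=None):
    """Constructed fixture: the smallest package the scanner needs. With
    template_target set, word/_rels/settings.xml.rels declares an external
    attached template at that location."""
    rels = ['<?xml version="1.0" encoding="UTF-8" standalone="yes"?>',
            '<Relationships xmlns="%s">' % PKG_RELS_NS]
    if template_target is not None:
        rels.append('<Relationship Id="rId1" Type="%s/attachedTemplate" '
                    'Target="%s" TargetMode="External"/>' % (OFFICE_RELS, template_target))
    rels.append("</Relationships>")

    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("_rels/.rels", '<Relationships xmlns="%s"/>' % PKG_RELS_NS)
        zf.writestr("word/document.xml", "<document/>")  # placeholder body, not scanned
        zf.writestr("word/_rels/settings.xml.rels", "".join(rels))
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_docx(r"\\203.0.113.5\share\normal.dotm")
    print(classify_attachment(sample), find_remote_relationships(sample))
```

Wiring this into a mail gateway is a matter of feeding each Office attachment to `classify_attachment`; anything other than `clean` is worth quarantining, since a legitimate résumé has no reason to pull a template from another machine.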
"Stage 3: Delivery". This overly dramatic theme is getting tiresome.
Email messages included references to common industrial control equipment and protocols. The emails used malicious Microsoft Word attachments that appeared to be legitimate résumés or curricula vitae (CVs) for industrial control systems personnel, and invitations and policy documents to entice the user to open the attachment.
The obvious problem here is a lack of anti-virus software on email servers, and an idiotic staff.
"Stage 4: Exploitation". I'm starting to see a pattern.
Emails contained successive redirects to http://bit[.]ly/2m0x8IH link, which redirected to http://tinyurl[.]com/h3sdqck link, which redirected to the ultimate destination of http://imageliners[.]com/nitel. The imageliner[.]com website contained input fields for an email address and password mimicking a login page for a website.
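That chain (two URL shorteners in series, then a page collecting an email address and password) leaves a distinctive trail in web-proxy logs, because each hop is a separate request by the same client. As an added example that is not from the alert or this post, the Python below reconstructs per-client redirect chains from constructed proxy log lines and flags any chain that passes through two or more shortener domains before landing. The log format, the client addresses, the hosts and the shortener list are all assumptions made for the example.

```python
"""Reconstruct HTTP redirect chains from proxy logs and flag chains that
hop through several URL shorteners.

Added example; the log lines are constructed, the shortener list is an
assumption, and *.example hosts are reserved documentation names.
"""
import re
from urllib.parse import urlsplit

SHORTENERS = {"bit.ly", "tinyurl.com", "goo.gl", "t.co", "ow.ly"}

# Constructed log format: time client method url status location-or-dash
SAMPLE_LOG = """\
2018-03-15T14:02:11Z 10.20.0.44 GET http://bit.ly/EXAMPLE1 301 http://tinyurl.com/EXAMPLE2
2018-03-15T14:02:11Z 10.20.0.44 GET http://tinyurl.com/EXAMPLE2 301 http://login-portal.example/nitel
2018-03-15T14:02:12Z 10.20.0.44 GET http://login-portal.example/nitel 200 -
2018-03-15T14:05:40Z 10.20.0.51 GET http://bit.ly/EXAMPLE3 301 https://www.example.org/news
2018-03-15T14:05:40Z 10.20.0.51 GET https://www.example.org/news 200 -
2018-03-15T14:07:02Z 10.20.0.60 GET https://intranet.example/hr/photo.jpg 200 -
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\S+)$")


def parse_log(text):
    """Parse the constructed proxy format into dicts; skip unparseable lines."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, client, _method, url, status, location = m.groups()
        entries.append({"ts": ts, "client": client, "url": url,
                        "status": int(status),
                        "location": None if location == "-" else location})
    return entries


def host_of(url):
    return (urlsplit(url).hostname or "").lower()


def redirect_chains(entries):
    """Follow 3xx Location headers through the same client's later requests.
    A chain starts at a redirecting request that was not itself the target
    of an earlier redirect; it ends at a non-redirect or an unseen target."""
    by_key = {(e["client"], e["url"]): e for e in entries}
    targets = {(e["client"], e["location"]) for e in entries if e["location"]}
    chains = []
    for e in entries:
        if (e["client"], e["url"]) in targets:
            continue  # continuation of another chain, not a start
        if not (300 <= e["status"] < 400 and e["location"]):
            continue
        hops, seen, cur = [e["url"]], set(), e
        while cur and cur["location"] and 300 <= cur["status"] < 400:
            nxt = cur["location"]
            if nxt in seen:
                break  # redirect loop guard
            seen.add(nxt)
            hops.append(nxt)
            cur = by_key.get((cur["client"], nxt))  # None if never requested
        chains.append({"client": e["client"], "hops": hops})
    return chains


def flag_chains(chains, shorteners=SHORTENERS, min_shortener_hops=2):
    """Flag chains whose intermediate hops include >= min_shortener_hops
    shortener domains; record where the client finally landed."""
    flagged = []
    for c in chains:
        n_short = sum(1 for u in c["hops"][:-1] if host_of(u) in shorteners)
        if n_short >= min_shortener_hops:
            flagged.append({**c, "final_host": host_of(c["hops"][-1]),
                            "shortener_hops": n_short})
    return flagged


if __name__ == "__main__":
    for hit in flag_chains(redirect_chains(parse_log(SAMPLE_LOG))):
        print(hit["client"], "->", hit["final_host"], hit["hops"])
```

A single shortener hop is ordinary user traffic, which is why the threshold is two; the final host of a flagged chain is the value to compare against an allowlist or to feed into a takedown or block request.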
All this report is, is a "How to spear-phish" guide.
Interestingly, the report even tells you what files and registry keys to modify, and even the commands to use.
It's "how to hack for beginners".
Was this a wise thing to post on the internet?
This script contained hard-coded values for the group name “administrator” in Spanish, Italian, German, French, and English.
You know what's missing from this list? Russian.
the threat actors dropped and executed open source and free tools such as Hydra, SecretsDump, and CrackMapExec. The naming convention and download locations suggest that these files were downloaded directly from publicly available locations such as GitHub.
You know what that sounds like? Ordinary criminal hackers.
Literally everything about this hack is ordinary.
The only IP addresses listed in this report are:
220.127.116.11, and that's in Belgium.
18.104.22.168, which is in Germany.
22.214.171.124, in the Netherlands.
Now I'm not saying that there wasn't a hack.
There most likely was.
What I am saying is a) there is absolutely no evidence given that this originated from Russia, and b) this is such an ordinary hack that teenagers could do it.