Dragonfly Wants To Punch Our Lights Out? Round One

Somebody wants to punch our lights out – literally turn off the electric power grid. Who would want to do this?  Who has the capability?  Is it the Russians, who have already demonstrated this attack two years ago in the Ukraine?  Or the North Koreans, who have both motive and the cyber army to carry it off? Cybersecurity firm Symantec has attributed this attack to a group they have identified as the Dragonfly Group.

On October 20, I read an alert (TA17-293A) from US-CERT, the Department of Homeland Security, and the FBI that detailed an ongoing advanced persistent threat targeting the US electric grid and other infrastructure in the energy, nuclear, aviation, water, and critical manufacturing sectors. This alert is chilling.

The biggest problem we face as cybersecurity professionals is often a failure to believe that we are a target, or to believe that our highly secured network could still be vulnerable. The reason for this is that cybersecurity professionals are usually not trained to think like an attacker. In industry parlance, a typical security professional is a member of the “blue team.” The blue team plays defense. These people usually come up through network engineering, audit, compliance, or governance. They are bound by a set of rules, and usually play by the rules. Generally, they like the rules. They tend to think and act in accordance with the rules, and therefore are predictable. On the other hand, cyber-criminals, hacktivists, and nation-state attackers do not play by the rules. They are unpredictable. Attackers play offense.

The cybersecurity professionals who play offense are members of the “red team.” I am on a red team. As a red team member, I spend most of my time learning about the tactics, techniques, and procedures that attackers use to gain access to the networks and servers they have targeted. Then I use that knowledge to test the defenses of a client company.

A couple of weeks ago I attended the ISSA International Conference in San Diego. I had the honor of being one of the presenters this year. This is one of the bigger cybersecurity conferences, a gathering of cybersecurity professionals from all over the United States and the world. I met a woman from the security team at Xcel Energy, and happened to ask if she had read Ted Koppel’s book “Lights Out.” She was put off by the question, and told me that there are security systems in place to defend the electric grid from attack.

After reading this alert, I think her confidence is misplaced. This particular threat is targeting critical infrastructure industries, but it would not take much editing to use this exploit against other important sectors such as government, health care, or financial targets. It is time to check what you believe about your company’s security posture. Do you think your defenses are good enough? You might be wrong.

On Friday we will explore this exploit in more detail.


About the Author:

Cybersecurity analyst, pen-tester, trainer, and speaker. Serving small business owners in the St Paul, Minneapolis, and western Wisconsin area since 2001. Cybersecurity and hacking have been a passion of mine since I entered the computer and networking business in 2000. I hold several cybersecurity certifications including Certified Information Systems Security Professional (CISSP), Certified Advanced Security Practitioner (CASP), and Certified Ethical Hacker (CEH). Other computer industry certifications include A+, Network+ and Microsoft Certified System Engineer (MCSE). As Cybersecurity Analyst at The WyzCo Group, I help our clients experience high levels of security on their computers, networks, and websites. In addition to consulting on security products and services, we also conduct security audits, vulnerability assessments and full penetration tests. We also work with companies and organizations that need to certify compliance with regulations such as PCI-DSS (credit card processing), HIPAA/HITECH (medical records), and GLBA. We also provide Cybersecurity Awareness Training for clients and their employees. I am a frequent speaker at cybersecurity conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference, the (ISC)2 World Congress, and the ISSA International Conference, and at many local community organizations, Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2008.