Harm from Private Data Manipulation


Malicious Data Manipulation - Part One

Three instances of companies that have been harmed by malicious data manipulation include the Kemuri Water Company, Ukrenergo, and EnerVest. The details of each case are below.

KEMURI WATER COMPANY

  • In 2016, a "hacktivist" group linked to Syria hacked into an unnamed water utility's control system and "changed the levels of chemicals being used to treat water."
  • Verizon Security Solutions, which was brought in to investigate the breach, did not name the utility. As one account of its report put it, "Due to the sensitive nature of the breach, which gave the hackers access to the personal and financial records of over 2.5 million customers, Verizon is not releasing the name of the water company or the country it resides in, referring to the company by the fake moniker 'Kemuri Water Company' (KWC)."
  • Kemuri Water Company was tipped off to the hack by "unusual movements at valves and ducts", and called in Verizon Security Solutions to identify the problem.
  • The hack involved "SQL injection and phishing... and exposed KWC's aging AS/400-based operational control system because login credentials for the AS/400 were stored on the front-end web server."
  • Using the credentials they found on the web server, the hackers were able to "interface with the water district’s valve and flow control application, also running on the AS400 system."
  • Once they were in the system, the hackers "managed to manipulate the system to alter the amount of chemicals that went into the water supply and thus handicap water treatment and production capabilities so that the recovery time to replenish water supplies increased."
  • KWC was fortunate to have quickly identified the changes made to the chemicals and was able to reverse the damage, "largely minimizing the impact on customers."
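
KWC noticed the intrusion only because operators saw unusual valve and duct movements. The script below is an added example (not code from Verizon's report or from KWC) of the check a practitioner would want in place before that point: it scans a control-system write log and flags setpoint writes that fall outside a safe band, large single-step jumps, and writes issued from a host that should never be commanding the process, such as the web front end that held the AS/400 credentials in this case. The tag names, safe ranges, host names and log lines are constructed for the example.

```python
"""Flag suspicious setpoint writes in a water-treatment control log.

Added example; the log format, tags, ranges and hosts below are constructed
for illustration and are not taken from the KWC incident report.
"""
from dataclasses import dataclass

# Constructed safe operating bands per dosing tag (units illustrative).
SAFE_RANGES = {
    "CHLORINE_DOSE_MGL": (0.5, 4.0),
    "PH_SETPOINT": (6.5, 8.5),
    "FLOW_VALVE_PCT": (0.0, 100.0),
}

# Hosts permitted to issue writes (constructed). A web front end is not one.
ALLOWED_WRITERS = {"hmi-01", "hmi-02"}

# Largest single-step change an operator would normally make, as a fraction
# of the tag's safe band. Bigger jumps are worth a second look.
MAX_STEP_FRACTION = 0.25


@dataclass
class Finding:
    line: str
    reason: str


def parse_line(line):
    """Constructed log format: <timestamp> <tag> <old> <new> <source host>."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, tag, old, new, host = parts
    try:
        return ts, tag, float(old), float(new), host
    except ValueError:
        return None


def check_write(ts, tag, old, new, host):
    """Return the reasons this write looks suspicious (empty list if none)."""
    reasons = []
    if host not in ALLOWED_WRITERS:
        reasons.append(f"write from unexpected host {host}")
    band = SAFE_RANGES.get(tag)
    if band is None:
        reasons.append(f"write to unknown tag {tag}")
        return reasons
    lo, hi = band
    if not lo <= new <= hi:
        reasons.append(f"{tag}={new} outside safe range [{lo}, {hi}]")
    if abs(new - old) > MAX_STEP_FRACTION * (hi - lo):
        reasons.append(f"{tag} jumped {old}->{new} in one write")
    return reasons


def scan(lines):
    """Run every log line through the checks and collect findings."""
    findings = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            findings.append(Finding(line, "unparseable line"))
            continue
        for reason in check_write(*parsed):
            findings.append(Finding(line, reason))
    return findings


# Constructed sample log: two routine operator writes, then two writes that
# resemble the behaviour described above (large chemical change, odd source).
SAMPLE_LOG = [
    "2016-03-01T02:00:00 CHLORINE_DOSE_MGL 1.8 2.0 hmi-01",
    "2016-03-01T02:05:00 PH_SETPOINT 7.2 7.3 hmi-02",
    "2016-03-01T03:14:00 CHLORINE_DOSE_MGL 2.0 6.5 web-frontend",
    "2016-03-01T03:14:05 FLOW_VALVE_PCT 60.0 5.0 web-frontend",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"ALERT: {f.reason} :: {f.line}")
```

The two routine writes produce nothing; the two from `web-frontend` produce five findings between them (bad source twice, one out-of-range dose, two oversized jumps). Real deployments would take the safe bands from the process engineers rather than from a constant table, and the source check would key on the PLC's own connection log rather than a free-text field.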

UKRENERGO

  • In December 2016, Ukrenergo, a Ukrainian electric utility, had its computer systems infiltrated by malware known as Industroyer (also called Crash Override).
  • This attack represented only the second known case, after Stuxnet, of malicious code built specifically to "disrupt physical systems."
  • The malware was able to automate a mass power outage, which caused a blackout of "a portion of the Ukrainian capital equivalent to a fifth of its total power capacity." Tens of thousands of Ukrainians in Kiev lost power.
  • The blackout lasted only about an hour, but the event represented "a dangerous advancement in critical infrastructure hacking."
  • According to investigators, the malware included "swappable, plug-in components that could allow it to be adapted to different electric utilities, easily reused, or even launched simultaneously across multiple targets."
  • Crash Override differed from earlier grid attacks in that it was automated. It was "programmed to include the ability to 'speak' directly to grid equipment, sending commands in the obscure protocols those controls use to switch the flow of power on and off."
  • The most concerning aspect of Crash Override is that it is far more scalable than any previous infrastructure attack. What has traditionally required a team of about 20 people to pull off now requires far less human involvement.
  • Although it is unknown for sure how the malware was initially introduced to the Ukrenergo system, a similar attack in 2015 used targeted phishing emails and experts suspect "the hackers may have used the same technique a year later."
  • Crash Override's "swappable component design" means it could use any one of four grid protocols to communicate with equipment in different regions, including Europe and the United States.
  • A later analysis of Crash Override found that the malware "does manipulate data streams and data control, but it doesn't destroy things."
  • The attack was assessed to be a test for "refining attacks on critical infrastructure around the world."

ENERVEST

  • In 2012, Ricky Joe Mitchell, an employee at EnerVest, a company that "manages oil and gas exploration and production operations," learned he was going to be fired.
  • Mitchell remotely accessed EnerVest's computers and "reset the company's network servers to factory settings, essentially eliminating access to all of the company's data and applications for the eastern US operations."
  • In the process, Mitchell also deleted all of EnerVest's phone system accounts and accounting data.
  • Prior to losing access to the EnerVest facilities, Mitchell also entered the building after hours and "disconnected critical pieces of computer-network equipment and disabled the equipment's cooling system."
  • As a result, EnerVest was "unable to fully communicate or conduct business operations for nearly 30 days."
  • Moreover, EnerVest spent hundreds of thousands of dollars attempting to recover the historical data that Mitchell deleted from the system. Unfortunately, some data could not be restored at all.
  • Overall, the harm caused to EnerVest as a result of Mitchell's sabotage totaled over $1 million.
  • The prosecuting U.S. attorney named the company, its employees, and its customers as victims of the attack, stating, "In this day and age, that kind of attack is devastating. And this defendant didn’t just hurt EnerVest. He hurt his former co-workers, he hurt EnerVest’s customers, and, ultimately, he hurt consumers."
  • Mitchell received a four-year prison sentence for his actions and was ordered to "pay $428,000 in restitution to the company and pay a $100,000 fine."

RESEARCH STRATEGY

Although we were able to identify two cases of malicious data manipulation since 2015, the Kemuri Water Company and Ukrenergo, neither instance caused significant harm to the companies or to individuals. While the Ukrenergo case caused tens of thousands of electric customers to lose power for about an hour, the Kemuri Water Company was able to catch the data manipulation before any of its customers became ill. Due to the lack of significant harm in these two cases, we expanded our search beyond the five-year time frame and found an additional instance of data manipulation, in which EnerVest lost at least 30 days of production and over $1 million.

Malicious Data Manipulation - Part Two

Experts have identified several possible or probable scenarios in which malicious data manipulation could cause harm: a stock market scenario, a health record scenario, credit card micro payments, changed links on public websites, banking/wire transfer fraud, and a salami slicing attack combined with ransomware.

STOCK MARKET SCENARIO:

  • This scenario involves a compromise of the systems that feed the stock market.
  • Hypothetically, an attacker breaches the IT systems and databases responsible for updating a stock ticker.
  • He/she then manipulates the data to show a tech giant such as Apple, Microsoft, Google, or Amazon plunging.
  • This would cause immediate chaos and panic across the market and could trigger a frenzied sell-off.

HEALTH RECORD SCENARIO

  • Not every data manipulation attack is aimed at financial gain; some can result in direct personal harm.
  • Malicious insiders, who already have access to sensitive data, are commonly implicated in these types of attacks.
  • In this scenario, an attacker gains write access to hospital patients' health records and alters critical fields such as drug dosages and prescriptions. Because clinicians act on what the record says, such changes could lead to sickness or death.

CREDIT CARD MICRO PAYMENTS

  • In this scenario, malicious actors will charge unsuspecting accounts a small amount, disguised as something unnoticeable.
  • For example, an e-commerce vendor gets attacked with millions of card numbers being compromised. The attacker would then charge all those numbers with a small ($0.25) fee with the label "Service Charge."
  • The total payout would accrue over several months, with many of the affected users oblivious of these activities.
  • This type of attack involves compromising numerous cards or accounts.
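
The defining signal of the micro-charge scheme above is not the size of any one charge but its uniformity: a skimmer posts the same tiny amount under the same descriptor to a large number of distinct cards, whereas a genuine small-ticket merchant's amounts vary. The script below is an added example (not code from the page's sources) of a detection pass over a constructed transaction set that groups micro charges by descriptor and amount and alerts when one group spans many cards. The descriptor, card tokens, thresholds and amounts are assumptions made for the example.

```python
"""Detect a micro-charge skimming pattern in card transactions.

Added example; the transactions, descriptor and thresholds are constructed
and do not come from any real issuer or merchant data.
"""
from collections import defaultdict
from decimal import Decimal

SMALL_AMOUNT = Decimal("1.00")   # charges at or below this count as "micro"
MIN_CARDS = 50                   # distinct cards in one cluster before alerting


def find_micro_charge_clusters(transactions, small=SMALL_AMOUNT, min_cards=MIN_CARDS):
    """Group micro charges by (descriptor, exact amount) and return the
    clusters that touch at least `min_cards` distinct cards.

    transactions: iterable of (card_token, descriptor, amount_as_string).
    Returns {(descriptor, Decimal amount): set of card tokens}.
    """
    clusters = defaultdict(set)
    for card, descriptor, amount in transactions:
        amt = Decimal(amount)           # Decimal avoids float rounding surprises
        if amt <= small:
            clusters[(descriptor, amt)].add(card)
    return {key: cards for key, cards in clusters.items() if len(cards) >= min_cards}


def build_sample():
    """Constructed data: 300 cards with ordinary grocery purchases; 200 of
    them also carry a recurring $0.25 "Service Charge" for four months, and a
    legitimate parking merchant bills 120 cards for varying sub-dollar amounts."""
    txns = []
    for i in range(300):
        card = f"tok_{i:04d}"
        txns.append((card, "GROCERY MART", f"{20 + (i % 37)}.{i % 100:02d}"))
        if i % 3 != 0:
            for _month in range(4):
                txns.append((card, "Service Charge", "0.25"))
    for i in range(120):
        txns.append((f"tok_{i:04d}", "CITY PARKING", f"0.{50 + (i % 50):02d}"))
    return txns


if __name__ == "__main__":
    for (desc, amt), cards in find_micro_charge_clusters(build_sample()).items():
        print(f"{desc!r} at ${amt} hit {len(cards)} distinct cards "
              f"(${amt * len(cards)} per billing cycle)")
```

On the constructed data only the "Service Charge" cluster crosses the threshold; the parking merchant bills about as many cards but its amounts spread across fifty values, so no single (descriptor, amount) pair accumulates. In practice the threshold would be set relative to the merchant's normal card count and the window extended over months, since the scheme relies on the charges going unnoticed for a long time.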

CHANGED LINKS ON PUBLIC WEBSITES

  • In this scenario, an attacker overrides or changes links on a public website and then waits for users to click them.
  • Users visit a "tried and true" website only to find that the link they just clicked directed them to a malicious site.
  • At that point, the attacker could take a number of actions, such as harvesting login credentials, causing victims to download malware, or using ransomware to take over the victims' devices.
  • The attacker can also use the altered link to intercept interactions between a user and an otherwise-protected web service.
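
A site owner cannot see this tampering from the server logs, because the page still serves normally; what changes is where its links point. The script below is an added example (not code from the page's sources) of a baseline check for that: it extracts the anchors from a page, compares them with a previously recorded snapshot, and also flags any link whose host is not on an allowlist, which catches the look-alike domain case even when no baseline exists. The HTML, hostnames and allowlist are constructed for the example.

```python
"""Compare a page's outbound links against a recorded baseline.

Added example; the HTML snippets, hostnames and allowlist below are
constructed and do not describe any real site.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class LinkCollector(HTMLParser):
    """Collect (anchor text, absolute href) pairs from a page."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.links = []
        self._href = None   # href of the <a> currently open, else None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(),
                               urljoin(self.base_url, self._href)))
            self._href = None


def extract_links(html, base_url):
    """Return {anchor text: absolute url}. Keying on anchor text keeps the
    example short; a production baseline would key on position in the DOM."""
    parser = LinkCollector(base_url)
    parser.feed(html)
    return dict(parser.links)


def diff_links(baseline, current, allowed_hosts):
    """Return (kind, anchor text, url) findings: changed, added, removed links,
    and any link whose host is outside the allowlist."""
    findings = []
    for text, url in current.items():
        if text in baseline and baseline[text] != url:
            findings.append(("changed", text, url))
        elif text not in baseline:
            findings.append(("added", text, url))
        if (urlsplit(url).hostname or "") not in allowed_hosts:
            findings.append(("off-allowlist", text, url))
    for text in sorted(baseline.keys() - current.keys()):
        findings.append(("removed", text, baseline[text]))
    return findings


# Constructed snapshot of a trusted page, and the same page after an attacker
# repointed the sign-in link at a look-alike host.
BASE_URL = "https://bank.example/"
ALLOWED_HOSTS = {"bank.example", "login.bank.example"}
BASELINE_HTML = ('<a href="/accounts">Accounts</a> '
                 '<a href="https://login.bank.example/">Sign in</a>')
TAMPERED_HTML = ('<a href="/accounts">Accounts</a> '
                 '<a href="https://login-bank.example.net/">Sign in</a>')
BASELINE = extract_links(BASELINE_HTML, BASE_URL)

if __name__ == "__main__":
    for kind, text, url in diff_links(BASELINE, extract_links(TAMPERED_HTML, BASE_URL), ALLOWED_HOSTS):
        print(f"{kind:14s} {text!r} -> {url}")
```

Run against its own baseline the check is silent; against the tampered page it reports the "Sign in" link both as changed and as pointing off the allowlist. Scheduling this from a host that is not the web server itself matters, since an attacker who can edit the page can usually edit a checker living beside it.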

BANKING/WIRE TRANSFER FRAUD

  • In this scenario, an attacker compromises a customer's email server and intercepts and alters an email containing wire transfer instructions.
  • The altered instructions can cause a very large transfer to go to the wrong recipient.
  • The same technique applies to any bank transaction: by changing payment recipients or account owners in transit, an attacker can redirect both the destination and the amount of a payment.

SALAMI SLICING ATTACK WITH RANSOMWARE

  • "A salami slicing attack is one of the early integrity-related attacks where a seemingly insignificant number is changed on many transactions to create a large profit for a criminal."
  • Ransomware could be used to execute a similar attack, where a victim's data is altered by malware as it is held hostage by the attacker. When the attacker returns the data, the victim would not be able to verify its integrity because he/she does not have a copy of the original data.
  • For the attacker to collect the ransom, the ransomware need only make small changes to "some of the data, like in every spreadsheet on an endpoint, or in a vulnerable Redis database. However, this would also require the ransomware to change the data randomly, since the algorithms used to change the data could be reverse-engineered."
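
The weakness the salami-slicing-plus-ransomware scenario exploits is that the victim has nothing independent of the data to compare it against after it is returned. The script below is an added example (not code from the page's sources) of the countermeasure a practitioner would want: a keyed per-record digest (HMAC-SHA256) computed before any incident and stored where the malware cannot reach it, which afterwards identifies exactly which rows were altered, including one-cent changes spread thinly across a ledger. The same check applies to the health record scenario above, where the altered field would be a dosage rather than an amount. The ledger, key, and simulated tampering are constructed for the example.

```python
"""Out-of-band integrity manifest for tabular records.

Added example; the ledger, key and tampering routine are constructed.
HMAC rather than a plain hash so that an attacker who can rewrite the data
cannot simply recompute the digests to match.
"""
import hashlib
import hmac
import json

# Constructed demo key. In practice: generated once, kept off the endpoint.
MANIFEST_KEY = b"constructed-demo-key-do-not-reuse"


def canonical(record):
    """Stable serialisation so an unchanged row always digests identically."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def digest(record, key):
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def build_manifest(records, key=MANIFEST_KEY):
    """Map record id -> HMAC over the canonical row. Store this off-box."""
    return {r["id"]: digest(r, key) for r in records}


def verify(records, manifest, key=MANIFEST_KEY):
    """Return (altered_ids, missing_ids, unknown_ids) for `records` against
    the manifest. Altered rows are listed in the order they appear."""
    seen, altered, unknown = set(), [], []
    for r in records:
        rid = r["id"]
        seen.add(rid)
        expected = manifest.get(rid)
        if expected is None:
            unknown.append(rid)          # row the manifest never saw
            continue
        if not hmac.compare_digest(digest(r, key), expected):
            altered.append(rid)
    missing = sorted(set(manifest) - seen)
    return altered, missing, unknown


def make_ledger(n=1000):
    """Constructed payments ledger."""
    return [{"id": i, "payee": f"vendor-{i % 17}", "amount_cents": 10000 + i}
            for i in range(n)]


def salami_slice(records, cents=1, every=7):
    """Simulate the attack: shave `cents` off every `every`-th row, a change
    small enough to pass as rounding noise on any single record."""
    out = []
    for r in records:
        r = dict(r)
        if r["id"] % every == 0:
            r["amount_cents"] -= cents
        out.append(r)
    return out


if __name__ == "__main__":
    ledger = make_ledger()
    manifest = build_manifest(ledger)     # taken before the incident
    returned = salami_slice(ledger)       # what the attacker hands back
    altered, missing, unknown = verify(returned, manifest)
    print(f"{len(altered)} of {len(returned)} rows altered; first ids {altered[:5]}")
```

The comparison uses `hmac.compare_digest` so that a verifier exposed to an attacker does not leak digest prefixes through timing. The manifest only helps if it is genuinely out of band: a copy sitting on the same endpoint as the spreadsheets would be encrypted or rewritten along with them.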

RESEARCH STRATEGY

We started by looking for articles and interviews featuring cybersecurity experts and found many articles covering what a data manipulation attack is, the types of data manipulation attacks, and the results of such attacks, on outlets such as Threatpost and Gillware. These articles also present lists of hypothetical or possible data manipulation attack scenarios. To verify the credibility and reliability of the authors, we checked their profiles on platforms such as LinkedIn and on the "Our Team" pages of the publishers. All of the authors have experience in cybersecurity and hold reputable positions at their current companies.