Malicious Data Manipulation - Part One
Three instances of companies that have been harmed by malicious data manipulation include the Kemuri Water Company, Ukrenergo, and EnerVest. The details of each case are below.
KEMURI WATER COMPANY
- In 2016, a "hacktivist" group linked to Syria hacked into an anonymous water treatment plant's utility control system and "changed the levels of chemicals being used to treat water."
- Verizon Security Solutions, the company charged with finding a solution to the data breach, stated, "Due to the sensitive nature of the breach, which gave the hackers access to the personal and financial records of over 2.5 million customers, Verizon is not releasing the name of the water company or the country it resides in, referring to the company by the fake moniker ‘Kemuri Water Company’ (KWC)."
- Kemuri Water Company was tipped off to the hack by "unusual movements at valves and ducts", and called in Verizon Security Solutions to identify the problem.
- The hack involved "SQL injection and phishing... and exposed KWC's aging AS/400-based operational control system because login credentials for the AS/400 were stored on the front-end web server."
- Using the credentials they found on the web server, the hackers were able to "interface with the water district’s valve and flow control application, also running on the AS400 system."
- Once they were in the system, the hackers "managed to manipulate the system to alter the amount of chemicals that went into the water supply and thus handicap water treatment and production capabilities so that the recovery time to replenish water supplies increased."
- KWC was fortunate to have quickly identified the changes made to the chemicals and was able to reverse the damage, "largely minimizing the impact on customers."
UKRENERGO
- In late 2016, Ukrenergo, a Ukrainian electric utility company, had its computer systems infiltrated by malware known as either "Industroyer" or "Crash Override."
- This attack represented only the second known case of malicious code built specifically to "disrupt physical systems."
- The malware was able to automate a mass power outage, which caused a blackout of "a portion of the Ukrainian capital equivalent to a fifth of its total power capacity." Tens of thousands of Ukrainians in Kiev lost power.
- The blackout lasted only about an hour, but the event represented "a dangerous advancement in critical infrastructure hacking."
- According to investigators, the malware included "swappable, plug-in components that could allow it to be adapted to different electric utilities, easily reused, or even launched simultaneously across multiple targets."
- Crash Override differed from previous attacks in that it was fully automated. It was "programmed to include the ability to 'speak' directly to grid equipment, sending commands in the obscure protocols those controls use to switch the flow of power on and off."
- The most frightening part of Crash Override is that it is far more scalable than any previous infrastructure attack attempt. What has traditionally required about 20 people to pull off now requires far less human involvement.
- Although it is unknown for sure how the malware was initially introduced to the Ukrenergo system, a similar attack in 2015 used targeted phishing emails and experts suspect "the hackers may have used the same technique a year later."
- Crash Override had a "swappable component design," which means it could have used any one of four protocols to communicate with grid systems in different countries, including Europe and the United States.
- A later analysis of Crash Override found that the malware "does manipulate data streams and data control, but it doesn’t destroy things."
- The attack was deemed to be a test for "refining attacks on critical infrastructure around the world."
ENERVEST
- In 2012, Ricky Joe Mitchell, an employee at EnerVest, a company that "manages oil and gas exploration and production operations," learned he was going to be fired.
- Mitchell remotely accessed EnerVest's computers and "reset the company's network servers to factory settings, essentially eliminating access to all of the company's data and applications for the eastern US operations."
- In the process, Mitchell also deleted all of EnerVest's phone system accounts and accounting data.
- Prior to losing access to the EnerVest facilities, Mitchell also entered the building after hours and "disconnected critical pieces of computer-network equipment and disabled the equipment's cooling system."
- As a result, EnerVest was "unable to fully communicate or conduct business operations for nearly 30 days."
- Moreover, EnerVest spent hundreds of thousands of dollars attempting to recover the historical data that Mitchell deleted from the system. Unfortunately, some data could not be restored at all.
- Overall, the harm caused to EnerVest as a result of Mitchell's sabotage totaled over $1 million.
- The prosecuting U.S. attorney named the company, its employees, and its customers as victims of the attack, stating, "In this day and age, that kind of attack is devastating. And this defendant didn’t just hurt EnerVest. He hurt his former co-workers, he hurt EnerVest’s customers, and, ultimately, he hurt consumers."
- Mitchell received a four-year prison sentence for his actions and was ordered to "pay $428,000 in restitution to the company and pay a $100,000 fine."
Although we were able to identify two cases of malicious data manipulation since 2015 with the Kemuri Water Company and Ukrenergo, neither of those instances caused significant harm to either the companies or individuals. While the Ukrenergo case caused tens of thousands of electric customers to lose power for about an hour, the Kemuri Water Company was able to catch the data manipulation before any of their customers became ill. Due to the lack of significant harm from these two situations, we expanded our search beyond the five-year time frame to find an additional instance of data manipulation that resulted in EnerVest losing at least 30 days of production and over $1 million.