The CyberWire Daily Podcast 2.9.21
Ep 1266 | 2.9.21

Almost too much lye in the water, down Florida-way. BlackTech’s new malware strain. Huawei says it’s OK if the White House calls.

Transcript

Dave Bittner: A Florida water treatment plant sustains a cyberattack. The hack was successful; the sabotage wasn't. A new malware strain is associated with Chinese intelligence services. Ben Yelin tracks a surveillance plane whose funding has fallen. Our guest is Colonel Stephen Hamilton from the Army Cyber Institute at West Point. And Huawei's CEO says, sure, he'd take a call from President Biden.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, February 9, 2021. 

Dave Bittner: Late yesterday, the sheriff of Pinellas County, Florida, said that his office was investigating an attempt on Friday to alter chemicals introduced into the city of Oldsmar's water supply. An unknown party had remotely accessed the water utility's control systems and directed that the amount of sodium hydroxide be increased by a factor of 100, from the safe intended concentration of 100 parts per million to a dangerous 11,100 parts per million. A treatment plant operator noticed the change and immediately corrected it. The Tampa Bay Times says authorities have some leads, but that no arrests have been made. 

Dave Bittner: Sodium hydroxide, familiarly known as lye or caustic soda, is a strong base that's the principal ingredient in many paint-stripping and drain-opening products and, less scarily, in many soaps. It's used in small quantities to regulate the acidity of drinking water. And in even smaller quantities, it's used in cooking - curing olives, preparing lutefisk, baking German pretzels and so on. But it's a highly caustic and dangerous chemical in high concentrations, and so this is a serious attack that could have had lethal consequences. 

Dave Bittner: Pinellas County officials stressed that there was no danger, that it would have taken 24 to 36 hours before the sodium hydroxide concentration reached dangerous levels. But the incident is nonetheless a frightening one. 

Dave Bittner: Despite a fair amount of tweeting and woofing about acts of war and so on, there's been no attribution of the attack. The operator who stopped the attack noticed something was amiss when his mouse cursor began moving. 

Dave Bittner: Jorge Orchilles tweeted a lesson from the world of penetration testing - quote, "The easiest way to get caught as a red-teamer is to move someone's mouse. Nothing freaks people out more than their mouse moving when they aren't touching it. It's a psychological thing," end quote. Kevin Collier thinks this suggests that the attacker is probably more skid than mastermind, tweeting, quote, "We know almost nothing about who they are, but here's a strong indication this wasn't a masterminded plan," end quote. That's not necessarily reassuring, he added - quote, "Is it comforting to know this probably wasn't some Russian master plan to poison some Floridians? Or more disturbing, to think this is how close an amateur could get," end quote. 

Dave Bittner: It is, however, important to emphasize that nothing is publicly known so far about who may have attempted the attack. It's also worth remembering that the simplicity of an attack, its ease of execution, says little more than that there's a broad range of threat actors who could have accomplished it. In this case, that ranges from a failed-to-launch skid in the parents' basement all the way to a nation-state's espionage or military services, from a knucklehead down the block doing something for the lulz up to one of Huggy Bear's cunning brood. 

Dave Bittner: The attacker is believed to have obtained access to the water treatment plant's TeamViewer software, WIRED reports, adding that the city disabled TeamViewer shortly after it noticed the attack. TeamViewer is also relatively easy to use, and it can be accessed with stolen credentials. And some have seen this as another indication that the attack was not a sophisticated one. 

Dave Bittner: Bryson Bort, founder and CEO of SCYTHE, commented in an email that, quote, "TeamViewer is a common remote desktop protocol solution in ICS, and the water attack was most likely simple access with stolen credentials. Using the software means everything is visible to the user - hence the operator saw the mouse move and settings changed. Who and why is still the question," end quote. 

Dave Bittner: What have other control system attacks looked like? Last spring, Israeli authorities warned that Iranian operators made an attempt on water treatment and wastewater facilities in two rural districts in Israel. They weren't fully successful. The Council on Foreign Relations has a summary of that incident on its site. There was another incident in which the controls of a small flood-control dam in Rye, New York, were remotely accessed. In 2013, the Bowmen Street Dam's controls were accessed. The US would ultimately indict an Iranian cyber operator for that action. 

Dave Bittner: Many have commented that leaving the supervisory controls of a water treatment system open to remote access is extraordinarily risky - see, for example, comments to that effect by TechCrunch's Zack Whittaker. Such systems had long been relatively immune to cyberattack because their age and the legacy control systems they employed effectively air-gapped them. 

Dave Bittner: Austin Berglas is former head of FBI New York cyber and currently global head of professional services at BlueVoyant. He offered some perspective - quote, "digitization and IoT expansion have allowed for previously isolated infrastructure to be remotely accessed. For example, water and utilities need to balance security while allowing operators the ability to remotely access treatment plant SCADA systems from phones, work and computers in order to react to alarms and respond to incidents without having to be physically on site," end quote. 

Dave Bittner: As was the case with the Florida incident, no real harm was done by the Bowmen Street Dam hack. Berglas thinks it likely that the attack on the small sluice gate in Rye just afforded "a proving ground to test capabilities and techniques." And again, when asked about possible attribution of the Oldsmar attack, he sensibly said, simply, "Too early to tell." 

Dave Bittner: Dragos CEO Robert M. Lee also cautioned against both premature speculation about attribution and thinking that a challenge like this could be addressed with any single, simple solution. It's a systemic problem with many interdependent aspects - quote, "hiring, workforce development, culture shifts, working within national priorities and regulations, state and local regulations, resourcing other areas that are organizational challenges, modernizing infrastructure beyond cyber and so on - there's not one easy answer, tech or not," end quote. 

Dave Bittner: It's troubling, for example, to think that, in this case, the safety of a water supply depended upon one watch-stander happening to notice that something was briefly unusual on his screen. Dragos has published a set of considerations and recommendations other utilities might well consider, a sensible mix of suggestions for blocking remote access and improving user training. 

Dave Bittner: Palo Alto Networks' Unit 42 published this morning an account of a polymorphic malicious shellcode they're calling BendyBear. They associate the code with the activities of BlackTech, a threat actor widely believed to be run by Chinese intelligence services. BendyBear has some similarities with the WaterBear family of malware, in use since 2009. 

Dave Bittner: Huawei CEO Ren Zhengfei has said, CNBC reports, that he would welcome a phone call from U.S. President Biden - one sovereign to another. And just as it is with handshakes, the junior sovereign would call upon the senior sovereign. They could talk about international cooperation and mutually beneficial development and stuff. 

Dave Bittner: The Army Cyber Institute at West Point, the ACI, was created to provide the U.S. Army with research on cyber-related challenges and to provide a mechanism for collaboration between the government's military branches and the private sector. To learn more about their mission, I checked in with ACI's chief of staff and technical director, Colonel Stephen Hamilton. 

Stephen Hamilton: It was started at West Point in 2012. And the idea was - it was before we had the cyber branch. We were - the Army was trying to get its handle around how to employ cyber. And the institute was stood up here by - I believe it was General Odierno when he was the chief of staff of the Army. And the idea was to harness some of the intellectual power and capital at West Point to be able to put toward this difficult problem that a lot of Army leaders just didn't have awareness of and didn't understand because we were still trying to figure it out. 

Stephen Hamilton: So it was created in 2012 with a small team. It was kind of born out of the electrical engineering and computer science department, which used to be - have this organization called the ITOC, the Information Technology and Operations Center. So it was born out of that. That's where some of the personnel came from. And we've slowly built it up over the years, and it's become its own standalone entity outside of a department. We do have a few personnel that teach within the departments at West Point, but we're a standalone organization that reports directly to the superintendent. So we don't fall under the dean's office. 

Dave Bittner: And what role does it play now in terms of the interaction with the cadets and the staff there at West Point? What is the Army Cyber Institute's place there? 

Stephen Hamilton: So we have - we're kind of multifaceted. So with regards to West Point, as I said, we do teach. And we also sponsor various projects. We sometimes work with capstone projects that the cadets work on. 

Stephen Hamilton: But in the big Army scheme, if you look at the cyber organizations, there's Army Cyber Command, which is the cyber force that we have. Then we also have the Army Cyber Center of Excellence, which is our - the training piece, so the initial training that cyber operators get when they come into the Army or when they get commissioned from here from - even from West Point. So once they get the training, then they go into Army Cyber Command from there. 

Stephen Hamilton: We fall outside of both of those organizations. And the idea is that while CCOE is actually doing the training and the - cyber is actually conducting operations, we're outside of both of those realms so that we can kind of look ahead and figure out what are strategic problems, what are things that need to be solved that just can't be solved by somebody who's - if you were to say in the fight. 

Stephen Hamilton: So you think of the cyber operators, they're doing the day-to-day mission. We're not conducting cyber operations from here. Instead, we're looking out, like, what are the things that we need to be researching and informing the Army on to better enable us to be prepared in the future? 

Dave Bittner: For folks who want to learn more about what you're up to - I'm thinking of some of our listeners who may be parts of other organizations, academic institutions or otherwise - what's the best way for them to reach out? 

Stephen Hamilton: If they go to our website, that would be one way. And they could reach out on there, which is cyber.army.mil. And we have a pretty good PAO presence. Our PAO is really good about getting us on social media. So I think we have a Facebook and a Twitter account as well. They could follow us there and get information. But, yeah, we definitely welcome industry partners if they have any interest in working with us. In fact, yesterday we just had a call with FireEye to discuss opportunities to partner with them. 

Stephen Hamilton: So, yeah, we're actively looking at, you know, just trying to figure out what is the latest, what's the things we need to be letting the future leaders know - which is our cadets here - and then what is it that we need to be talking to the Army directly about? So we can filter all that out and get people connected the right way, so we can advance our mission. 

Dave Bittner: That's Colonel Stephen Hamilton from the Army Cyber Institute at West Point. 

Dave Bittner: And joining me once again is Ben Yelin. He's from the University of Maryland Center for Health and Homeland Security, also my co-host over on the "Caveat" podcast. Hello, Ben. 

Ben Yelin: Hello, Dave. 

Dave Bittner: You and I have been, I would say, perhaps obsessively tracking this whole story about the surveillance plane that flies over Baltimore... 

Ben Yelin: Yes, obsessively, definitely. 

Dave Bittner: ...The Cessna eye in the sky and what that could mean to privacy and surveillance and all those things. Interesting article here from The Baltimore Sun. It's titled "Texas Philanthropists Say They're Backing Out Of Financing Surveillance Plane Technology That Flew Over Baltimore." What's going on here, Ben? 

Ben Yelin: Yeah, so I think this might be the coda, the endnote to the era of the surveillance Cessna in Baltimore City. So the first thing that happened was that the new mayor of Baltimore, Brandon Scott, has always been opposed to this program. He was when he was president of the Baltimore City Council. So he decided to discontinue this program after its two trial runs, saying, you know, not only was this program - did this program potentially produce constitutional concerns, but also, most crimes of Baltimore happen at night, when these planes are not flying above the city. 

Ben Yelin: What this article gets at is the philanthropists from Texas who funded this surveillance system, this network, are backing out of financing this type of technology. And this presents some problems. 

Ben Yelin: These philanthropists were named Laura and John Arnold. They are billionaires. They had set up Arnold Ventures in Texas to help support these programs. And even though this surveillance program is being discontinued in Baltimore City, the founder of this program, a former military guy named Ross McNutt, is trying to introduce it in other high-crime cities across the country, including St. Louis, Mo. And even though St. Louis was about to vote on whether to adopt, at least for a trial run, the surveillance system, Arnold Ventures has now pulled the rug out in terms of monetary support. So Mr. McNutt is going to have to look elsewhere - perhaps other venture capitalists, billionaires with a lot of money who are willing to fund this program. 

Ben Yelin: But this potentially, in my view, could be the death knell for the aerial surveillance system. It certainly already has been in Baltimore, and it'll be interesting to see if it is across the country as well. 

Dave Bittner: Yeah. It's interesting. They did an audit of this system. It was an audit from the Policing Project of New York University. So they did an independent audit, and one of the things they note in this article is the audit also found police relied on supplemental reports to justify following suspects beyond the point of an initial crime. It said that police used the planes to track suspects long after the initial crime, sometimes for multiple days, which was not approved by the initial agreement. So it's kind of that thing you and I talk about when it comes to the slippery slope of surveillance... 

Ben Yelin: Yes. 

Dave Bittner: ...Where if you give someone a tool that enables them to do something... 

Ben Yelin: They're going to do it. 

Dave Bittner: ...And you agree upon - well, you agree upon a set of guidelines - guardrails, if you will. So often is the case that they press against those guardrails or step right over them. 

Ben Yelin: Yeah, absolutely. And you know, this is certainly something that's foreseeable. Obviously, law enforcement is going to benefit from this technology. But if it exists and if there isn't proper oversight and if the court system moves slowly as it relates to particular cases, then it certainly is ripe for misuse or potentially abuse. So that's why you just have to be very careful before you're willing as any jurisdiction to employ this type of tool because, you know, there's always going to be that potential that it's going to be used beyond the original scope of authorization. 

Dave Bittner: What do you think about the process here - I mean, the outcome that - somebody had an idea. They got someone to fund that idea. The idea was tried. It turned out to not be successful. The people who it was supposed to benefit have said, we're not really interested in that. The funding gets pulled. I mean, did things play out in the way that they're supposed to? 

Ben Yelin: In some ways, yes. You know, this was adopted through a democratic process, at least in Baltimore City. I mean, it was a decision that was made by elected leaders. So it's not like Mr. McNutt just started flying the plane himself. 

Dave Bittner: (Laughter) Right. Right. Right. 

Ben Yelin: You know, there is something that maybe rubs me the wrong way about billionaires that are not from the jurisdiction funding a project, you know, where a city can potentially spy on its citizens. I don't know if that's a flaw in the process or just sort of something that instinctively makes me a little bit skeptical, if that makes sense. 

Dave Bittner: Yeah. Yeah. Yeah, absolutely. All right, well, if you're interested, the article is over in The Baltimore Sun, written by Emily Opilo. It's "Texas Philanthropists Say They're Backing Out of Financing Surveillance Plane Technology That Flew Over Baltimore." Ben Yelin, thanks for joining us. 

Ben Yelin: Thank you. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Keep your head in the clouds and your feet on the ground. Listen for us on your Alexa smart speaker, too. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.