IT attacks on companies are piling up and experts say the automotive industry, a prime target for hackers, isn't properly prepared. The damage cyber attacks can do is often substantial and the methods of the attackers are becoming more and more perfidious. Stuxnet was just the beginning.
A steel plant in Germany suffered the fate that experts were warning about after the sophisticated attack on Iranian centrifuges. It became the victim of a targeted IT attack that led to physical damage to the facility. It came in the wake of Stuxnet, becoming the second confirmed case of its kind. With spear phishing (targeted phishing) and clever social engineering, the attackers gained access to the steel plant’s office network. From there, they worked their way into the production network. After malfunctions in the control components piled up, a blast furnace could not be shut down in a controlled manner. The result was massive damage to the facility.
A recent status report of Germany’s Federal Agency for the Security of Information Technology rates the attackers’ technical capacity as “very advanced.” Their know-how is not limited to classic IT security but extends to a detailed expert knowledge of industrial controls and production processes.
Experts call such attacks advanced persistent threats (APTs). They involve a systematic network attack in which the perpetrators proceed purposefully and make a major effort to penetrate more deeply into the victim’s IT infrastructure after the intrusion. The goal is to steal sensitive information by spying or cause damage in other ways.
Like an arms race, the attackers up the ante when defensive measures are taken. Experts have identified an increase in APTs over the last two years. The reason could be the increase in networking and the new vulnerable surfaces accompanying the trend. “Many companies only identify an APT by chance,” said Timo Kob, management board member of the Alliance for Security in the Economy (ASW) and the information security consultancy HiSolutions. “So the first attack often dates back months. The damage starts out small and keeps getting larger.”
Over time, the perpetrators can secure administrative rights and backdoors. On average it takes 243 days for such cyber attacks to be discovered. Governments and military organizations may have been the source of the attacks at the outset, but you don’t need to be an IT specialist to carry them out today. On the dark net, you can download special search engines to rent contract hackers. “There is still no remedy for APTs,” said Sandro Gaycken, a researcher at Berlin’s European School of Management and Technology for Cyber Espionage and War. “The only precaution is to take business-critical data and processes off the network.” The major offensive against the Bundestag, Germany’s lower house of parliament, recently showed how hard it is to stop the outflow of data even after an intrusion has been discovered.
Another case shows the perpetrators’ professionalism and the magnitude of the effort they put into their attacks. First, the attackers reconnoitered how the target company was structured, who was responsible for what, and what its IP addresses were. Then they created a fake landing page with a slightly altered address. The marketing manager received an email asking him to approve the online posting of images from the summer festival. But when he clicked on the link, the website did not open. He called the fake hotline listed on the page and asked for technical help. The hotline contact asked for his dial-in information. With this information, the perpetrators were able to install malware in the system.
Email is back
Emails are a classic gateway. The addresses are collected from social networks ahead of time. Then the message is tailored and the recipient is misled into clicking on the prepared link or opening the attached file. Or the email is camouflaged as an internal communication and asks the recipient to enter data or to register.
“I’ve noted the return of email as a means of attack. In a second step, the hackers take advantage of weak points in the system software to create very extensive authorizations for themselves,” said Michael George, the author of “Geh@ckt – How Attacks from the Net Threaten Us All” and director of the Cyber Alliance Center of the Bavarian State Office for the Protection of the Constitution. The agency is unique in Germany as a contact entity for businesses. It also offers consulting for automotive companies.
The manipulation of data-packet routing is another popular weapon in the attackers’ arsenal. Falsified routing information can send a packet to the wrong destination or through networks where it can be altered or intercepted. Email can be diverted in the same way. DNS spoofing, by contrast, attacks the Domain Name System (DNS): it falsifies the mapping between a domain name and its associated IP address, so that data traffic is invisibly diverted to another computer for attack or eavesdropping. This technique is part of the tool kit of the NSA’s Quantum program, though far less powerful attackers use it as well.
“Ten percent of DNS clients send inquiries to servers abroad, although they should be sent to servers in Germany,” said Haya Shulman, department manager for cyber security analysis at Germany’s Fraunhofer Institute for Secure Information Technology. And Gaycken notes that the NSA and its techniques, which have been known since 2013, provide other pointers for hackers. “The NSA tactics are used to exploit weak points in the security plan, for example,” he said.
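As an added illustration of the DNS spoofing described above (example code written for this page, not from the article or the organizations quoted): a minimal builder for DNS query and response messages and the resolver-side consistency check that rejects an answer whose source address, transaction ID or question section does not match the outstanding query, which is what a client relies on to discard forged responses injected from off-path. All names, addresses and resolver IPs are constructed sample values.

```python
import struct

def encode_name(name):
    """Encode a dotted hostname in DNS label format (length-prefixed labels, zero terminator)."""
    out = b"".join(bytes([len(label)]) + label.encode() for label in name.rstrip(".").split("."))
    return out + b"\x00"

def build_query(txid, name, qtype=1):
    """12-byte header (flags 0x0100 = recursion desired, one question) followed by the question."""
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", qtype, 1)

def build_response(txid, name, ip, qtype=1):
    """Response with flags 0x8180 (QR + RD + RA), one question and one A record (TTL 300)."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    rdata = bytes(int(octet) for octet in ip.split("."))
    # 0xc00c is a compression pointer back to the name at offset 12 (the question name)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", qtype, 1, 300, 4) + rdata
    return header + question + answer

def check_response(query, response, expected_resolver, actual_source):
    """Return the reasons a response must be rejected; an empty list means it passed every check."""
    reasons = []
    if actual_source != expected_resolver:
        reasons.append("source mismatch")        # answer came from a host we never asked
    qid = struct.unpack("!H", query[:2])[0]
    rid, flags, qdcount = struct.unpack("!HHH", response[:6])
    if rid != qid:
        reasons.append("txid mismatch")          # does not match the outstanding query
    if not flags & 0x8000:
        reasons.append("not a response")         # QR bit clear: this is a query, not an answer
    if qdcount != 1 or response[12:len(query)] != query[12:]:
        reasons.append("question mismatch")      # answer is for a different name/type
    return reasons

def skip_name(msg, off):
    """Advance past a DNS name starting at off, handling compression pointers."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += length + 1

def answer_ips(response):
    """Extract the IPv4 addresses from the answer section of a response that passed check_response."""
    _, _, qdcount, ancount = struct.unpack("!HHHH", response[:8])
    off = 12
    for _ in range(qdcount):
        off = skip_name(response, off) + 4
    ips = []
    for _ in range(ancount):
        off = skip_name(response, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", response[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in response[off:off + 4]))
        off += rdlen
    return ips
```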
A recent study by Germany’s high-tech association Bitkom shows how serious the attacks are. It says half of all companies in Germany have fallen victim to digital economic espionage, sabotage or data theft in the last two years. Based on the association’s conservative assessments, the damage to the German economy amounts to 51 billion euros a year. The main factors are declines in revenue due to plagiarism and the loss of competitive advantages, patent infringement, the theft of devices, and expenditures due to the breakdown of IT systems and the disruption of processes.
Car industry targeted
The most endangered economic sector is the auto industry with 68 percent of its companies affected. The most frequent crime is the theft of IT and communication devices. “The motive is often unknown, so we have included it in the statistics,” said Bitkom spokesman Maurice Shahd. “In China in particular, devices are often stolen during business trips.” The auto industry is affected in multiple ways. The number of exposed surfaces will increase even more with the growth of connectivity. One real danger is the siphoning-off and modification of design data. “I think the issue of sabotage via things like networked, autonomous driving, the smart home, smart cities, smart grids and e-health is becoming increasingly important,” George, the Bavarian cyber security specialist, warns. “Damage to IT security can then result in fatal accidents.”
Experts say the car industry is poorly positioned for present risks. “German auto companies are not in the vanguard of IT security,” said Arne Schoenbohm, president of the Cyber Security Council of Germany. “The plans for it are not in the best state. Daimler, BMW and VW don’t know how to deal with cyber security. How often are employees trained? That is trivial. So far there has been little undertaken at VW. The understanding is just now developing.”
The situation at suppliers is considered to be even worse than at the automakers. After inquiries, automakers and suppliers declined to comment to automotiveIT on this sensitive issue. The classic categories of offenders are current and former employees, competitors, business partners, hackers, organized crime and foreign intelligence services. For the company, however, the identity of the perpetrator is secondary.
In any case, the attackers can no longer be classified according to their tools. “An intelligence service can even be the organization behind garden-variety methods,” George said. “They are also trying to conserve resources in their work and use simple, inexpensive measures.” The backers are mostly hard to identify, as many countries work with criminals and a professional market for cyber mercenaries has developed. Russia and China are especially active in economic espionage. Said Schoenbohm: “The NSA has also become a source of concern to automakers in light of their factories in the US.” Experts now consider an earlier goal to be out of date: totally sealing off company networks against intrusion. Today the issues largely involve discovering a cunning intrusion as soon as possible, analyzing the path of the intruder and blocking it off against further data theft or acts of sabotage. But experience shows that this is anything but easy.
-By Ulrich Hottelet
-Illustrations: Sabina Vogel Photos: Deutscher Bundestag/Simone M. Neumann, iStockphoto/Jacob Ammentorp Lund, 77studio
(This story was previously published in automotiveIT magazine. To receive a complimentary subscription, please go to: www.automotiveIT.com/subscribe)