Researcher: Power Grid Hackers Probably Attacked Typical PC Flaws

The hackers who reportedly planted malware on key parts of the U.S. electrical grid, perhaps with the intent to cripple the country’s power infrastructure, most likely gained access like any other cybercriminal — by exploiting a bug in software such as Windows or Office, a security researcher said today.

“Any computer connected to the Internet is potentially vulnerable,” said Roger Thompson, chief research officer at AVG Technologies USA Inc. “Getting to the actual infrastructure devices directly — that’s always possible, but a whole lot less likely. In any industry, critical or not, there are always plenty of PCs that have been compromised.”

According to a report earlier today in The Wall Street Journal, unnamed national security sources said that hackers from China, Russia and elsewhere have penetrated the U.S. power grid, extensively mapped it, and installed malicious tools that could be used to further attack not only the electrical infrastructure, but others as well, including water and sewage systems.

The discoveries were made by U.S. intelligence agencies, not the utilities’ security teams, the Journal said.

“I’m a bit bothered by all the anonymous sources [in the Journal story]: one unnamed source here and another unnamed source there,” said Thompson. “But I think there’s a high likelihood that it has a strong basis in fact. Any infrastructure device that’s connected to the Net is potentially hackable.”

It’s more likely, he added, that the power-grid hackers exploited the same kinds of vulnerabilities — but not the exact same bugs — that have plagued consumers and businesses that run Microsoft Corp.’s Windows and its Office application suite.

“I have no doubt that there’s been this kind of attack, or attempt to attack, for quite some time,” said Thompson, “perhaps using the same kind of Office zero days that have been coming out.” In security parlance, a “zero-day” exploit is one that leverages an unpatched vulnerability.

Vulnerabilities in Microsoft Office — typically file-format flaws that let attackers hijack PCs by duping users into opening a malformed Word, Excel or PowerPoint document — are often used in targeted attacks that focus on just one company or organization, or even on only a few top-level executives in that company. The hackers try to get control of a senior official’s machine because that’s where the most important and salable information is located.

Microsoft has released two security advisories in the past six weeks for unpatched Office vulnerabilities that are already being exploited in similar targeted attacks. Neither the Excel bug, which was revealed in late February, nor the more recent PowerPoint vulnerability has been patched by Microsoft.

“[The general antivirus industry] never ever get to see the best zero days,” Thompson continued. Although the community is well-known for sharing samples, there are always cases in which a victimized organization — a government agency, for example — refuses to share the attack code with others for analysis. “You’ll ask for a sample, and he’ll say, ‘Well … no, I’m not allowed’,” said Thompson.

Although information about Conficker, the 2008 worm that infected millions of PCs in 2009, was shared in the security community, Thompson cited it as the kind of malware that poses a threat to any Windows machine, no matter whether it’s in a home or running on the network of a major power company. “Conficker, for example, was primarily a business problem, not a consumer problem, because it spread so easily across network shares,” he said.

But there is a silver lining to the Journal report, Thompson argued. “I doubt that the problem is that serious,” he said. “Because the worst hack is the one you don’t discover. But even if it’s exaggerated, it behooves us all to be careful and thoughtful about our critical devices.”