Profile picture
Robert M. Lee @RobertMLee
, 14 tweets, 3 min read Read on Twitter
Thread: It’s easy to understand why people come to the conclusion that Russia and China have “implants” to cause blackouts buried throughout our grid. It’s not true though. A few thoughts...
First, if you read the articles and click through to the stories they cite. The claim is actually never supported. Specifically this notion that there are hundreds of utilities with malware waiting to br activated to cause blackouts. Legitimately isn’t even sourced
So the burden of proof is entirely on the authors. The rest of us don’t have to disprove anything - the claim isn’t supported. Unfortunately, hype spirals and spreads quickly. So let’s diagnose a few key points.
First, the articles cite various intelligence officials (anonymously) noting concern. And public DHS comments noting concern. This isn’t mapped to the claim but I’ll denote that their concern is real (they see threats) but uninformed (they aren’t operating in the utilities)
Or said more simply. USG folks get all the fear because they see national level threats all the time, but they don’t see the day-to-day work by infrastructure operators who defend and understand the resiliency. So the fear is unchecked and is often over hyped.
Second, it’s reasonable for people to be concerned because the number and aggressivensss of the threats is increasing. But “placing digital implants to activate to cause blackouts” isn’t how it actually works. The “implant” is the first stage, to then get access, to learn, etc.
We’ve seen this in every cyber intrusion against electric companies. Even in the attacks of 2015 and 2016 on Ukraine’s grid. It wasn’t widescale prolonged blackouts and it’s wasn’t some long left implant. It was human operations enabled by malware. It was after lots of learning
The ability to reliably scale attacks is very difficult. The US electric grids as an example are so complex and heterogenous that the idea of having a single piece of malware or even a handful that could be reliably used to achieve the effect is out of touch with reality.
There would have to be a significant amount of tailoring done per site targeted. Not a trivial amount. And the adversary couldn’t be positive it’d even work at scale.
Third, the idea that malware is laying around to be activated for a blackout (opposed to espionage which does occur) is ridiculous. The risk to the adversary of any 1 site finding the malware risks their entire operation across everyone. So deploying too far in advance is risky
Fourth, there are truly only a small handful of people that have done incident response and hunting at more than 1-2 infrastructure companies. So these insights are rare which allows the hype to go unchecked
As an example, and this isn’t meant as a pitch but as an explanation of size and scope, thr @DragosInc team has the largest most experienced ICS specific incident response team in the US (could be more but at least the US).
I.e. we have more ICS specific incident responders than the US’ DHS. The people in the Intelligence Community aren’t doing response. So, speaking from experience, our insight at Dragos > USG’s on what happens from threats in the utilities themselves.
I say this only to then say that if the Dragos team is going “no that’s not how these attacks work” and “no we’ve never found this mythical implanted blackout malware in apparently hundreds of utilities that defies logic, operations, and physics in its use” then the article is BS
Missing some Tweet in this thread?
You can try to force a refresh.

Like this thread? Get email updates or save it to PDF!

Subscribe to Robert M. Lee
Profile picture

Get real-time email alerts when new unrolls are available from this author!

This content may be removed anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

More from @RobertMLee see all

Profile picture
Thread: the same Bloomberg journalists that covered the Super Micro story have covered technical stories that I’ve been involved in calling out before. I have nothing to add on the Super Micro story but here’s my experience with the journalists (1/x)
There are likely other examples but the first time I remember reading anything from these journalists was the Chattanooga APT story where a cybersecurity company pitched them “ICS honeypots” (opening ICS ports shouldn’t be considered ICS honeypots) and connections to them.
The story can be found here bloomberg.com/news/2014-09-3… and essentially (before its correction) was extremely hyped up and biased while pushing you could do attribution based off IP addresses alone. If positioned Chattanooga as a hub of cyber attacks on ICS
Read 16 tweets
Profile picture
The warnings of the threats are extremely important as they are becoming more frequent. But much of the language in these articles is not helpful and often misleading
As an example this article, and many like it, use subtle word choices like noting that penetrating the control centers was “easy” and that it was “hundreds of victims” but not necessarily hundreds of control centers which is what they’re referring to when discussing “black outs”
Then there’s the almost mocking note that supposedly these networks were supposed to be air gapped; except no one serious in the discussion considers control centers for electric grid functionality air gapped. It’s subtle but positions that this is a shock but it’s not
Read 8 tweets
Profile picture
In plain English what does the XENOTIME (actors behind TRISIS/TRITON) info we released mean, why’d we release it, and what are the implications? Here’s a thread with my thoughts.
We didn’t release much new actually it’s just the new material is significant. The XENOTIME blog largely documents their behavior as it related to TRISIS. The new info is that the team is active in multiple locations and has moved beyond just targeting one vendor’s safety systems
That “is active” and “beyond one vendor” language should bother everyone. It means the adversary is, predictably, continuing to evolve and target safety systems outside just the Middle East and if you have any safety system you should consider the risk.
Read 8 tweets

Related threads

Profile picture
#THREAD

Yesterday's indictment is a major signal that we're nearing the end of the #TrumpRussia prologue.

I interviewed @Mimirocah1 about the story which she said indicates that "prosecutors are putting the pieces together."

I agree.

Here's my $0.02.

washingtonpress.com/2019/01/08/a-m…
Why is Natalia Veselnitskaya's link to the Kremlin so important?

1 - SDNY provides Mueller with apolitical evidence sent from the target that predates all investigations.
2 - Proves Don Jr. met a Kremlin Agent
3 - Burns the Russian prosecution against @Billbrowder

2/
Natalia Veselnitskaya had been working on the Prevezon case for years, but in 2014 she involved herself drafting of the official response to the DoJ's invocation of a treaty for legal assistance.

She sent the evidence that she worked with the Kremlin to SDNY prosecutors.

3/
Read 15 tweets
Profile picture
THREAD.
Ok so let's start analyzing a bit what could happen tomorrow. All the docs, images and videos are previously published by #GiletsJaunes protesters in #France (#Paris, #Nice and other cities).
One of the first things I noticed is that many #GiletsJaunes will be in #Paris tomorrow to protest #Macron's presidency.
People here have different political opinions and sometimes they started arguing on Telegram channels. Sometimes they even threaten each other.
Despite small quarrels between few members, #GiletsJaunes' admins are pretty organized (or at least they look so). Some useful maps and schemes are shared with members.
1st pic: how to avoid policemen and why a militant must not talk with them.
2nd pic: metro stations in #Paris.
Read 68 tweets
Profile picture
#Russia is absolutely violating the #INFTreaty. If @RusEmbUSA is counting on the @StateDept to not provide evidence on this one, I bet they’re going to be very disappointed. But the real issue is #China… who isn’t a party to the treaty & who must be included in any new one.
… moreover, #Putin is a bonafide expert on missiles (& on #MissileDefense). If you speak Russian, this video shows him demonstrating his expert-level knowledge of these systems, particularly on #Romania’s #NATO Missile Defense System, a #Bush/#Obama plan.
… the truth is that #Russia’s flagrant violations of the #INFTreaty are a response to our #MissileDefense plans… which of course will only make use pursue such defenses even faster, & so on. Here’s another video where he threatens “retaliation.”
Read 4 tweets
Profile picture
🎃EpicFail🎃

📌Stone claims he was "in touch" with J-Ass b/4 the Podesta GRU hacked emails were released via Wikileaks

SCO Alerts FBI Of Scheme To Pay Women To Accuse Mueller Of Misconduct

MAGA Trolls' Efforts to Take Down Mueller Flame Out in Hilarious & Spectacular Fashion:
🎃EpicFail🎃

📌10/3/16: Stone Says He’s Been “Assured” Through An Assange Intermediary (“Back Channel Credico”) That “The Mother Lode Is Coming”

📌10/3/16: Roger Stone Promises That WikiLeaks Release Will “Roil The Waters” And “Change The Whole Complexion Of The Race”
🎃EpicFail3🎃

📌8/9/16: Roger Stone Confirms That He's In Comms With Wikileaks J-Ass.

📌@StateDept’s Global Engagement Center has obligated $40 million to support initiatives that counter disinfo spread by foreign countries abroad, including #Russia, #Iran, and #China.🤗
Read 84 tweets
Profile picture
#Thread: Rough translation on Rajini's recent statement on RMM activities.

I'd like to clarify the false rumors stating RMM works are happening without my permission. All activities regarding RMM are happening with my knowledge & permission.

#RajinikanthPoliticalRevolution
Already by last year May month, I said that "I won't allow people near me who have thoughts of getting posts & earning money when I enter politics. So, those people stay away right now."

#RajinikanthPoliticalRevolution #Thread #Rajinikanth
Didn't say it for word-sake. We are entering politics to bring out a new political culture for a good political change. If we've to do politics like others, why should we enter politics?

#RajinikanthPoliticalRevolution #Thread #Rajinikanth
Read 15 tweets
Profile picture
THREAD on #Russia's stance in Eastern #Ghouta:
1.#Putin convened a National Security Council meeting today to discuss the situatiion,;directed all RUS agencies involved in #Syria abide by the 2401 #UNSC Resolution, emphasized "terrorists [in the area] continue their provocations"
2. Despite the UN vote #Moscow stands firm in its position:Western media campaign around East #Ghouta is "crocodile tears","they been silent on militants shelling of #Damascus for 2 years now that #SAA,RU go after militants (yes,not only HTS)everyone suddenly cares for civilians"
3.Yet the scale of humanitarian tragedy demanded urgent action.The decision to let civilians out seen as temporary fix since many radicals will flee along w/ them, amass in other parts of town,thus humanitarian tragedies where radical shild w/ civilians doomed to repeat
Read 8 tweets

Trending hashtags

#universal #Assad #Washington #MagnitskyAct #Schumer #WakeUp #Manorama #Iran #Christianity #Senate #FinancialCrash #SAA #safe #Russia #socialist #JIM #HR #quiet #FP #dream #clergy #EXITPolls #nwo #Erickson #SaudiLobby

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just three indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member and get exclusive features!

Premium member ($3.00/month or $30.00/year)

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!