25 tweets, 2 min read
Lots of buzz about Symantec's Dragonfly 2.0 so I'd like to add some first impression thoughts in this thread. (1/X)
The public links in the Symantec report of this activity to Dragonfly are a bit weak but Symantec has historically done awesome work
So there are likely non-public details helping the link. Malware or malware uniqueness though isn't enough.
However, Symantec has said over 100 sites have been compromised including many in the operational (ICS) networks which is concerning
Some of the reporting I saw though was about the ability to cause blackouts or take down portions of the grid - nothing here indicates that
The adversary is in operational networks, taking HMI screenshots, gathering data, etc. just like Dragonfly did in 2014. That part isn't new
All that information is exactly what you'd want to collect (and engineering documents which Symantec has said were stolen) to design attacks
But simply having access & being able to click on an HMI isn't enough. You'd have to design a new capability (e.g. CRASHOVERRIDE) or go manual
Manual meaning target lots of locations at once and the adversaries put people on keyboards clicking on HMIs (e.g. Ukraine 2015)
The problem is that's highly ineffective. And while a Ukraine 2015-style attack could work in the US in distribution, it'd be more difficult
The impact would also likely not be as big - even in Ukraine it was only 6 hours. It would likely elicit a very strong govt response tho
In short it really doesn't make a lot of sense (though we can't discount it because we don't know for sure what makes sense to the adversary)
But regardless it wouldn't cause blackouts. Also it's FAR more difficult to do in U.S. transmission, which is where you'd impact more places
I mean look at the linemen and others keeping lights on and restoring power after Harvey. With HMI access alone you'd be far less impactful
In short: Symantec has made a very important find. And an increased targeting of energy infrastructure in US & other countries is concerning
And we need to do more about it especially politically. The fact that Ukraine 2015 & CRASHOVERRIDE went unanswered even in condemnation
and now increased targeting that reaches the ICS networks exists in the US. Simply put people shouldn't be scared but the govt needs to act
Energy companies are doing a lot of hard work. Our infrastructure is pretty awesome. But it is a targeted threat that needs to be countered
And it's not about downplaying, it's about being nuanced. We should be concerned. But the public shouldn't be afraid.
Any team inside ICS networks they weren't invited to is wrong. NSA, SVR, 8200, PLA, it doesn't matter.
Civilian infrastructure should be off limits to everyone. Even being inside them introduces risk unintentionally.
And nations around the world really need to take that stance. No it won't prevent assholes from existing but an official stance gives options
And we don't want to try setting precedent and figuring out what to do WHEN a major attack has just occurred
But in the meantime let's not pretend threats with access equate to intention or capability to cause blackouts. But thx to Symantec. Good work
Thread by Robert M. Lee