There is currently no shortage of sophisticated and complex cyberattacks. They range from no-interaction threats targeting Android smartphone users, to 2FA bypass attacks that the National Cyber Security Centre in the U.K. is so concerned about that it has issued a global alert, to the use of high-tech blobs and data-theft tunnels in password-stealing campaigns. Why, then, have two major U.S. security agencies released a strongly worded warning urging organizations to react to a threat from what they refer to as unsophisticated hackers?
What Are Unsophisticated Hackers Anyway?
Actually, let’s start with a slightly different question, namely, what is a hacker? The quick and dirty answer is me, I’m a hacker. I have been since the late 1980s, in fact, and proudly remain one to this very day. That doesn’t make me a threat or a criminal, because hacking isn’t a crime. Criminal hacking is a crime, as if that really needs saying out loud. A hacker is just someone using their skills to find ways to do something that wasn’t the intention of the programmer, hardware engineer, whatever. I have found any number of ways into software and systems over the years that really shouldn’t have existed. Those doorways have then been closed as a result. I guess you could say I am a sophisticated hacker, as I am totally self-taught, rather than relying upon downloadable scripts that someone else has created. The description as it applies in the CISA and FBI alert, however, is a little more generous than that, I suspect. What is being talked about here are not unsophisticated hackers, but hackers using “basic and elementary intrusion techniques” in their attacks. That, to me, doesn’t equate to an unsophisticated hacker; it makes for a smart one. Why reinvent the wheel, especially when there’s a pile of them sitting just behind that open garage door?
Hackers Attack Energy And Transportation Systems Using Basic Techniques
The joint CISA and FBI advisory, titled Unsophisticated Cyber Actor(s) Targeting Operational Technology and published May 6, is all of a single, solitary paragraph in length.
“CISA is increasingly aware of unsophisticated cyber actor(s) targeting ICS/SCADA systems within U.S. critical Infrastructure sectors (Oil and Natural Gas), specifically in Energy and Transportation Systems,” it begins. It goes on to explain that while these attacks often simply exploit the presence of poor cyber hygiene and exposed assets, this can lead to “significant consequences such as defacement, configuration changes, operational disruptions and, in severe cases, physical damage.” As a result, CISA has said that it “strongly urges” anyone who meets the criteria of being a critical infrastructure asset owner or operator to review the detailed guidance it has released to reduce the intrusion risk.
The recommended mitigations include:
- Remove OT connections to the public internet.
- Change default passwords immediately and use strong, unique passwords.
- Secure remote access to OT networks.
- Apply principles of least privilege for specific assets and user roles.
- Disable dormant accounts.
- Segment IT and OT networks.
- Practice and maintain the ability to operate OT systems manually.
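As an added illustration, not part of the advisory or this article, the following Python checks a constructed OT asset record against those seven mitigations and lists each one the record fails; the record fields, the default-credential list and the dormancy and drill thresholds are assumptions, not values from CISA.

```python
from datetime import date, timedelta
from ipaddress import ip_address

# Constructed sample of vendor default logins (assumption, not from the advisory).
KNOWN_DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "1234"), ("root", "root")}
DORMANT_AFTER = timedelta(days=90)      # assumed policy thresholds
DRILL_INTERVAL = timedelta(days=365)
SECURE_REMOTE_ACCESS = {"none", "vpn_mfa_jumphost"}  # assumed acceptable methods

def audit_asset(asset: dict, today: date) -> list[str]:
    """Return one finding per CISA mitigation the asset record violates."""
    findings = []
    # 1. Remove OT connections to the public internet.
    if asset["internet_exposed"] or not ip_address(asset["mgmt_ip"]).is_private:
        findings.append("exposed to public internet")
    for user, acct in asset["accounts"].items():
        # 2. Change default passwords; use strong, unique passwords.
        if (user, acct["password"]) in KNOWN_DEFAULT_CREDENTIALS or len(acct["password"]) < 12:
            findings.append(f"default or weak password: {user}")
        # 4. Least privilege: admin rights only where the role needs them.
        if acct["role"] == "admin" and not acct["needs_admin"]:
            findings.append(f"excess privilege: {user}")
        # 5. Disable dormant accounts.
        if acct["enabled"] and today - acct["last_login"] > DORMANT_AFTER:
            findings.append(f"dormant account: {user}")
    # 3. Secure remote access to OT networks.
    if asset["remote_access"] not in SECURE_REMOTE_ACCESS:
        findings.append(f"insecure remote access: {asset['remote_access']}")
    # 6. Segment IT and OT networks.
    if asset["network_zone"] != "ot":
        findings.append("not in segmented OT zone")
    # 7. Practice and maintain the ability to operate manually.
    drill = asset["last_manual_drill"]
    if drill is None or today - drill > DRILL_INTERVAL:
        findings.append("manual-operation drill overdue")
    return findings

# Constructed sample PLC record with poor hygiene (not a real device).
SAMPLE_PLC = {
    "mgmt_ip": "203.0.113.10", "internet_exposed": True, "remote_access": "telnet",
    "network_zone": "corp", "last_manual_drill": None,
    "accounts": {
        "admin": {"password": "admin", "role": "admin", "needs_admin": True,
                  "enabled": True, "last_login": date(2025, 5, 1)},
        "vendor": {"password": "Tq9!vL2#pRz8wX", "role": "admin", "needs_admin": False,
                   "enabled": True, "last_login": date(2024, 11, 2)},
    },
}

if __name__ == "__main__":
    print(*audit_asset(SAMPLE_PLC, date(2025, 5, 6)), sep="\n")
```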
Now, those recommendations apply whether the hackers involved are sophisticated or not, so what are you waiting for?