The real threat of unconventional cyberattacks
![Image Europol Head of Operations discusses [dismantling of LockBit]](https://incyber.org//wp-content/uploads/2023/12/incyber-news-water-cybersecurite-cybersecurity-885x690.jpg)
Hackers and other cybercriminals are constantly looking for new ways to breach the security infrastructure of corporations and organizations and attack their networks, especially power and utility companies and other critical networks. In order to do so, new approaches rely on electromagnetic waves or scout targets by measuring energy consumption. However, a number of other ways to hack networks also pose a great threat, including to civilians. Overview of these unconventional cyberattacks.
Due to its now highly digital nature, the energy sector is the world’s third most popular target for cybercriminals. According to investigations, Russian hackers have already targeted Ukrainian electric utilities. US and Israeli hackers used similar methods to carry out a cyberattack on an Iranian nuclear powerplant in 2009 (at least according to rumors).
US authorities are already focused on hacking tools that allow attackers to gain full access to the computer systems of utilities and other critical infrastructure networks. The big problem with these tools is that they can be used by inexperienced hackers, who thus benefit from the experience and knowledge of professional hackers.
Furthermore, such tools can also be used for terrorist attacks, including by states that do not shy away from relying on such methods. Security firms describe this as an « exceptionally rare and dangerous cyberattack opportunity. » The tools pose « the greatest threat to Ukraine, NATO member states and other states actively responding to Russia’s invasion of Ukraine, » Dragos and Mandiant analysts added.
But there are also other attack vectors. In a 2017 AI-based vishing attack, hackers impersonated a CEO’s voice to request a fraudulent transfer of a quarter million dollars. Authorities never found the cybercriminals. Experts believe AI deepfake attacks of this type will increase in the future. Users do not expect such attacks and, in many cases, security infrastructure is ill-equipped to deal with them. Authorities are often unable to trace the attacks and catch the culprits. And if the latter are state-sponsored players, it is almost impossible to bring them to justice.
Electromagnetic attacks are a very real danger
Attacks against companies and organizations can occur in a number of unconventional ways and, among other things, can lead to high-risk and protracted power outages. The Department of Energy, the FBI, the National Security Agency, and the Cybersecurity and Infrastructure Security Agency in the U.S. take the matter seriously and have issued a warning to this effect.
Electromagnetic pulses (EMPs) can quickly cripple critical infrastructure. Carried out with enough precision, such attacks could impact entire nations, and even the EU. In 2015-2016, an attack by Russian hackers on Ukraine’s power network was fortunately prevented. If such an attack were to succeed, however, the power network of the entire community of nations would be affected. In early January, 2021, Austria’s power grid experienced a severe drop in frequency as a result of a powerplant failure in Romania. Sensitive systems and machines are the first to shut down when this happens.
A power blackout lasting several days would have serious consequences on any country’s economy, which is why state-funded hacker groups focus on critical infrastructure. In February 2022, a hacker group attacked Vodafone in Portugal. The result was the failure of the wireless network, but also of many emergency numbers. Furthermore, such attacks can quickly affect other 5G connected infrastructure.
In 2019, attackers in Paris hacked gas station pumps and stole 120,000 liters of fuel. The hack was successful, not thanks to a fault injection attack, but rather to gas station managers forgetting to change the default “0000” password of their pumps. Hackers will exploit any vulnerability companies give them. And it is easy to see how gasoline pump hacks could quickly produce catastrophic situations and lead to widespread panic.
Electromagnetic pulses take advantage of security features and facilitate malware infiltration
At the REcon computer security conference, researchers presented new ways in which processors can be compromised using electromagnetic pulses.
Secure Boot can be activated on any processor via an EMP. From there, it is easy to introduce malware into the device. Such « fault injection attacks » cause disruptions to various security features, which in turn can be exploited by hacking tools. This type of attack can be carried out from start to finish without leaving a trace, as no mechanical handling of the targeted devices is required. Firewalls and other security solutions do not provide any protection in this case.
Fault injection attacks: the Internet-of-Things is Vulnerable to EMPs
Smaller devices in particular, such as those in the IoT realm, are vulnerable to such attacks because they are often not confined to a secure server room but out in the world. Nevertheless, these devices are also embedded in infrastructure and therefore represent a target for hackers. Statistics suggest that over 75 billion IoT devices will be in use by 2025. Fault injection attacks also impact secure boot of IoT devices. Incidentally, other devices can be attacked through this method, as we show in the following section.
Hackers can also compromise mobile networks
The Red Balloon company specializes in the security of IoT devices and has successfully tampered with the flash memory of VoIP phones using fault injection attacks. These attacks allowed researchers to execute commands on phones that could cripple entire networks. EMP pulses were also used in this case, affecting the phone’s processor in such a way that security features were undermined.
As part of the attack, researchers were able to load and execute their own code in a secure part of the processor. EMP components can be obtained at low cost to build devices for cyberattacks. And the EMPs are easily triggered, by holding a hand over a phone, for example. The attacks are therefore very easy to carry out and can only be prevented if devices are properly protected. But this is only possible if users are aware of these attacks and take the proper precautions.
Stealing data from a casino by hacking a smart fish tank
The examples and possibilities mentioned so far show that hackers are very resourceful and constantly coming up with new ways to penetrate networks. Ever-expanding networks only add to the problem. If IoT devices are not protected from all threats, hackers can exploit breaches. In 2017, hackers in the United States exploited a casino aquarium’s IoT sensors, thus gaining access to the casino’s network. From there, the attackers quickly discovered more gaps and ultimately stole a considerable amount of data. In Auburn Hills, Michigan, USA, two unknown perpetrators accessed a huge digital billboard at night and were able to manipulate its display. The same thing happened in Jakarta. In both cases the billboards were not properly protected.
Attacks of this sort can potentially pose a threat to the population. In 2019, emergency warning sirens in Dallas (USA) were hacked and triggered, which caused widespread panic. The attackers were never caught.