April 08, 2009, 4:38 PM — The hackers who reportedly planted malware on key parts of the U.S. electrical grid, perhaps with the intent to cripple the country's power infrastructure, most likely gained access like any other cybercriminal -- by exploiting a bug in software such as Windows or Office, a security researcher said Wednesday.
"Any computer connected to the Internet is potentially vulnerable," said Roger Thompson, the chief research officer of AVG Technologies. "Getting to the actual infrastructure devices directly, that's always possible, but a whole lot less likely. In any industry, critical or not, there are always plenty of PCs that have been compromised."
According to a report earlier Wednesday in The Wall Street Journal, unnamed national security sources say that hackers from China, Russia and elsewhere have penetrated the U.S. power grid, extensively mapped it and installed malicious tools that could be used to further attack not only the electrical infrastructure, but others as well, including water and sewage systems.
The discoveries were made by U.S. intelligence agencies, not the utilities' security teams, The Wall Street Journal said.
"I'm a bit bothered by all the anonymous sources [in the The Wall Street Journal story], one unnamed source here and another unnamed source there," said Thompson. "But I think there's a high likelihood that it has a strong basis in fact. Any infrastructure device that's connected to the Net is potentially hackable."
It's more likely, he added, that the power grid hackers exploited the same kinds of vulnerabilities -- but not the exact same bugs -- that have plagued consumers and businesses who run Microsoft Corp.'s Windows and its Office application suite.
"I have no doubt that there's been this kind of attack, or attempt to attack, for quite some time," said Thompson, "perhaps using the same kind of Office zero-days that have been coming out." In security parlance, a "zero-day" exploit is one that leverages an unpatched vulnerability Vulnerabilities in Microsoft's Office -- typically file format flaws that let attackers hijack a PC by duping users into opening a malformed Word, Excel or PowerPoint document -- are often used in targeted attacks that focus on just one company or organization, or even on only a few top-level executives in that company. The hackers' rationale: Get control of a senior official's machine because that's where the most important, and salable, information is located.
Microsoft has released two security advisories in the last six weeks for unpatched Office vulnerabilities that are already being exploited in similar targeted attacks. Neither the Excel bug, which was revealed in late February, or the more recent PowerPoint vulnerability, have been patched by Microsoft.
"[The general anti-virus industry] never ever get to see the best zero-days," Thompson continued. Although the community is well-known for sharing samples, there are always cases where a victimized organization -- a government agency, for example -- refuses to share the attack code with others for analysis. "You'll ask for a sample, and he'll say, 'Well ... no, I'm not allowed'," said Thompson.
Although information about Conficker, the 2008 worm that infected millions of PCs in 2009, was shared in the security community, Thompson cited it as an example of the kind of malware that poses a threat to any Windows machine, no matter whether it's in a home or running on the network of a major power utility. "Conficker, for example, was primarily a business problem, not a consumer problem, because it spread so easily across network shares," he said.
But there is a silver lining to the The Wall Street Journal report, Thompson argued. "I doubt that the problem is that serious," he said. "Because the worst hack is the one you don't discover. But even if it's exaggerated, it behooves us all to be careful and thoughtful about our critical devices."