Written by Teresa Polk, Attorney at Law, SMTD Law LLP

Foreign Intrusion is Happening

Russian infiltration of the U.S. national power grid is in the news again. On June 14, 2019, security firm Dragos reported that the hacker group Xenotime, behind previous intrusions into industrial facilities, has probed power grids in the U.S. and elsewhere. Xenotime is linked to the Russian government. In 2017, it created the Triton malware, called the “world’s most murderous malware.” In response, the U.S. has actually warned it will infiltrate the Russian power grid and prepare for a war of malware. Still, there is no confirmation that Xenotime has yet succeeded in infiltrating the U.S. power grid.

Construction Industry is a Target

Perhaps it is time for a reminder that we, in the construction industry, have been identified as targets in those efforts by way of email “phishing” schemes. Let’s review how these work and raise office awareness of how expert and subtle some of these schemes can be. They don’t just want our credit card numbers. They don’t just want money sent to a fake African prince. They want our government contractor clients’ contact information and details about their business, details that make a phishing email sent to those clients convincing enough to gain their trust. Ultimately, through those clients, they want to reach people in the U.S. Government and in the power companies who may be persuaded to download the malware into a computer system, giving nation-state hackers access to the power grid.

The Wall Street Journal reported on January 10, 2019, about the national security threat involving hacked email accounts within the construction industry. The article is titled “America’s Electric Grid Has a Vulnerable Back Door – and Russia Walked Through It,” by Rebecca Smith and Rob Barry.

The U.S. Government confirmed the Russian hacking campaign in March. On June 15, 2019, the U.S. confirmed it is stepping up its own digital infiltration of the Russian power grid in response to the Russian hacks.

The end game involves controlling utility services such as the power sources used to keep U.S. military bases operational when the civilian electrical supply is down. Threats to two dozen utilities have been thwarted to date. The scams are still ongoing. The WSJ quotes Robert P. Silvers of Homeland Security as saying, “What Russia has done is prepare the battlefield without pulling the trigger.”

Email Scams

The pattern to watch for is the kind of individualized email ostensibly from someone we know. Scammers may use personalized information from LinkedIn and other sources to make these emails appear legitimate. We respond asking if the message is really from our contact (“Just received this from your email”) and receive a confirming reply, ostensibly from that contact but sent from the same compromised account, saying “I did send it.” They are after the people you know, and the people they know, and ultimately the nation’s power grid. Kaspersky Labs defines such “Spear Phishing” as “an email or electronic communications scam targeted towards a specific individual, organization or business. Although often intended to steal data for malicious purposes, cyber-criminals may also intend to install malware on a targeted user’s computer.”

Are Security Programs Enough?

Various security features help, although none are sufficient to stop increasingly sophisticated efforts. As one example, both dropbox.com and Citrix ShareFile now allow users to set up two-factor authentication to protect documents stored on their sites. That requires a recipient of documents to actually log into the website with a password and then enter a code from their mobile phone app to gain access to the documents. If documents are instead accessible to anyone holding the emailed link, then even documents that are not attorney-client privileged give a potential hacker details about a client’s litigation matters that could be used to gain that client’s trust in a future scam email.

Security programs are not enough, as the increasingly sophisticated attacks get past them. Malwarebytes’ blog on May 28, 2019, recommended educating all employees to be aware that such attacks exist. “Be an example. . . Be clear. . . Be repetitive. . . Be positive.” “Make people feel like they matter in the information you share with them so that they can be better, smarter, and more confident in their choices when faced with something potentially malicious.”

Taking Precautions To Prevent An Attack

Here is an action plan:

  1. Establish firm-wide procedures (1) to spot spear phishing emails and (2) to confirm the authenticity of email links and requests for client information, whether or not that information is privileged. For example, set a firm policy to confirm by phone that a particular attorney sent a link, or that a particular person requested a client’s email address, rather than trusting a reply email that may be from a hacker.
  2. Identify key clients who may be high-risk targets (i.e., utility contractors, government contractors, subcontractors who provide substantial services to them, and material suppliers who provide materials used in major electrical systems). Ensure that those clients’ information and documents are given special attention.
  3. Confer with key personnel who should set the example for the remainder of the firm in following these procedures.
  4. Discuss clearly and often, with all employees, the importance of each person’s role in following these procedures. Keep in mind that a nation-state hacker may want your secretary’s computer in order to obtain a corporate CEO’s secretary’s email address (more than they want the CEO’s own email address), since they may think the CEO’s secretary is an easier target for malware. Spear phishing often targets lower-level employees, who need to understand their personal importance to national security.
  5. Do not share documents through insecure internet uploads. Consider which Dropbox-type services allow users to access documents only through a password-protected log-in with two-factor security (dropbox.com and Citrix ShareFile offer both). Citrix ShareFile also offers encryption. Avoid sharing documents by links that can be opened without a password by anyone who obtains access to the email.
  6. Discuss with your opposing counsel the importance of client security. Request that they set up two-factor authentication in the settings for any Dropbox-type website you use to send them documents.
  7. Discuss with your photocopy service the importance of secure handling of documents being Bates-numbered, scanned or copied. Ensure that the photocopy service does not upload documents to an insecure internet-based system in its office.
  8. Ensure that all of these people – clients, opposing counsel, attorneys, staff, and outside agents – have a positive view of their contribution to national security and the importance of their efforts.
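The first action item above asks staff to confirm the authenticity of email links and requests before acting on them, and the “Email Scams” section describes the pattern those checks are meant to catch. The script below is an added illustration written for this article, not something from the author or from any vendor named here, of the header and link checks a firm’s mail filter or help desk can automate before the mandatory phone call: a familiar display name paired with an address that is not the one on file, a Reply-To that would route a “did you send this?” reply to a different mailbox, an SPF/DKIM failure recorded by the receiving server, and document links that do not point at the firm’s approved sharing services. The contact list, domain names, message texts and the approved-host list are all constructed for the example; the hostnames your own Dropbox and ShareFile links use should be confirmed before adopting the list.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed address book: display name -> address on file.
# Hypothetical names and domains; substitute your own contact records.
KNOWN_CONTACTS = {
    "Jane Doe": "jane.doe@example-contractor.com",
}

# Hosts the firm has approved for document links. Assumption: these are the
# hostnames your Dropbox and ShareFile links actually use; verify them first.
APPROVED_LINK_HOSTS = {"www.dropbox.com", "dropbox.com", "sharefile.com"}

URL_RE = re.compile(r"https?://[^\s<>\"]+")


def triage_message(raw: str) -> list[str]:
    """Return human-readable reasons this message needs a phone call before
    anyone clicks a link or answers a request for client information.
    An empty list means nothing automatic was found, not that it is safe."""
    msg = message_from_string(raw)
    findings = []

    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))

    # 1. Familiar display name, unfamiliar address (lookalike-domain sender).
    on_file = KNOWN_CONTACTS.get(from_name)
    if on_file and on_file.lower() != from_addr.lower():
        findings.append(
            f"'{from_name}' is a known contact, but {from_addr} is not the "
            f"address on file ({on_file})")

    # 2. Reply-To points elsewhere, so a "did you send this?" reply would be
    #    answered by whoever controls that other mailbox.
    if reply_addr and reply_addr.lower() != from_addr.lower():
        findings.append(f"Reply-To {reply_addr} differs from From {from_addr}")

    # 3. The receiving server's own SPF/DKIM/DMARC verdict
    #    (Authentication-Results header, RFC 8601).
    auth = msg.get("Authentication-Results", "").lower()
    for method in ("spf", "dkim", "dmarc"):
        if f"{method}=fail" in auth:
            findings.append(f"{method.upper()} failed at the receiving server")

    # 4. Links whose host is not one of the approved sharing services.
    body = msg.get_payload() if not msg.is_multipart() else ""
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        if host not in APPROVED_LINK_HOSTS:
            findings.append(f"link to unapproved host {host}")

    return findings


# Constructed sample messages (no real people, domains or links).
LEGIT_MESSAGE = """From: Jane Doe <jane.doe@example-contractor.com>
To: staff@example-lawfirm.com
Subject: Change order documents
Authentication-Results: mx.example-lawfirm.com; spf=pass smtp.mailfrom=example-contractor.com; dkim=pass

The change order package is at https://www.dropbox.com/s/abc123/package.pdf
"""

SUSPICIOUS_MESSAGE = """From: Jane Doe <jane.doe@example-contractor-docs.com>
Reply-To: docs-team@example-mailer.net
To: staff@example-lawfirm.com
Subject: Change order documents
Authentication-Results: mx.example-lawfirm.com; spf=fail smtp.mailfrom=example-contractor-docs.com; dkim=none

Updated package here: https://example-contractor-docs.com/shared/package.pdf
Also, could you send me the project manager's direct email address?
"""

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT_MESSAGE), ("suspicious", SUSPICIOUS_MESSAGE)):
        reasons = triage_message(raw)
        print(f"{label}: {'no automatic findings' if not reasons else ''}")
        for reason in reasons:
            print(f"  - {reason}")
```

The checks are deliberately narrow. The scam described in the “Email Scams” section, where the confirming reply comes from the contact’s own hacked account, passes all four of them, because the headers and links are genuinely that contact’s. That is exactly why action item 1 requires confirmation by phone rather than by reply email; the script only screens out the cruder variants so that people spend their attention on the convincing ones.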