By Joseph Menn
SAN FRANCISCO (Reuters) - Hacking attacks that destroy rather than steal data or that manipulate equipment are far more prevalent than widely believed, according to a survey of critical infrastructure organizations throughout North and South America.
The poll by the Organization of American States, to be released on Tuesday, found that 40 percent of respondents had battled attempts to shut down their computer networks, 44 percent had dealt with bids to delete files and 54 percent had encountered “attempts to manipulate” their equipment through a control system.
Those figures, provided exclusively to Reuters ahead of the official release, are all the more remarkable because only 60 percent of the 575 respondents said they had detected any attempts to steal data, long considered the predominant hacking goal.
By far the best known destructive hacking attack on U.S. soil was the electronic assault last year on Sony Corp's Sony Pictures Entertainment, which wiped data from the Hollywood fixture’s machines and rendered some of its internal networks inoperable.
The outcry over that breach, joined by President Barack Obama, heightened the perception that such destruction was an unusual extreme, albeit one that has been anticipated for years.
Destruction of data presents little technical challenge compared with penetrating a network, so the infrequency of publicized incidents has often been ascribed to a lack of motive for attackers.
Now that hacking tools are being spread more widely, however, more criminals, activists, spies and business rivals are experimenting with such methods.
“Everyone got outraged over Sony, but far more vulnerable are these services we depend on day to day,” said Adam Blackwell, secretary of multidimensional security at the Washington, D.C.-based group of 35 nations.
The survey went to companies and agencies in crucial sectors as defined by the OAS members. Almost a third of the respondents were public entities, with communications, security and finance being the most heavily represented industries.
The questions did not delve into detail, leaving the amount of typical losses from breaches and the motivations of suspected attackers as matters for speculation. The survey-takers were not asked whether the attempted hacks succeeded, and some attacks could have been carried off without their knowledge.
The survey did allow anonymous participants to provide a narrative of key events if they chose, although those will not be published.
Blackwell said that one story of destruction involved a financial institution. Hackers stole money from accounts and then deleted records to make it difficult to reconstruct which customers were entitled to what funds.
“That was a really important component” of the attack, Blackwell said.
In another case, thieves manipulated equipment in order to divert resources from a company in the petroleum industry.
Blackwell said that flat security budgets and uneven government involvement could mean that criminal thefts of resources, such as power, could force blackouts or other safety threats.
At security company Trend Micro Inc. , which compiled the report for the OAS, vice president Tom Kellerman said additional destructive or physical attacks came from political activists and organized crime groups.
“We are facing a clear and present danger where we have non-state actors willing to destroy things,” he said. “This is going to be the year we suffer a catastrophe in the hemisphere, and when you will see kinetic response to a threat actor.”
So-called “ransomware,” which encrypts data files and demands payment be sent to remote hackers, could also have been interpreted as destructive, since it often leaves information unrecoverable.
A spokesman for the U.S. Department of Homeland Security, SY Lee, said the department did not keep statistics on how often critical U.S. institutions are attacked or see destructive software and would not “speculate” on whether 4 out of 10 seeing deletion attempts would be alarming.
U.S. political leaders cite attacks on critical infrastructure as one of their greatest fears, and concerns about protecting essential manufacturers and service providers drove a recent executive order and proposed legislation to encourage greater information-sharing about threats between the private sector and government.
Yet actual destructive attacks or manipulation of equipment are infrequently revealed. That is in part because breach-disclosure laws in more than 40 states center on the potential risks to consumers from the theft of personal information, as with hacks of retailers including Home Depot Inc and Target Corp.
Under Securities and Exchange Commission guidelines, publicly traded companies must disclose breaches with a potential material financial impact, but many corporations can argue that even deletion of internal databases, theft and manipulation of equipment are not material.
Much more is occurring at vital facilities behind the scenes, and that is borne out by the OAS report, said Chris Blask, who chairs the DHS-led Information Sharing and Analysis Center for cybersecurity issues with the industrial control systems that automate power, manufacturing and other processes.
“I don’t think the public has any appreciation for the scale of attacks against industrial systems,” Blask said. “This happens all the time.”
(Editing by Ken Wills)