Don’t Be A Victim

Matt Wolf
Antonym Research Team
Sep 10, 2019

The mission of Antonym and our HashRegistry is to ensure data integrity for our users. We live in a world reliant on data, electronic records, and access. I can show you how easy it is to keep these things safe from manipulation.

As an example, here are three instances of companies that have been harmed by malicious data manipulation — the Kemuri Water Company, Ukrenergo, and EnerVest. The details of each case are below:

KEMURI WATER COMPANY

  • In 2016, a “hacktivist” group linked to Syria hacked into an anonymous water treatment plant’s utility control system and “changed the levels of chemicals being used to treat water.”
  • Verizon Security Solutions, the company charged with finding a solution to the data breach, stated, “Due to the sensitive nature of the breach, which gave the hackers access to the personal and financial records of over 2.5 million customers, Verizon is not releasing the name of the water company or the country it resides in, referring to the company by the fake moniker ‘Kemuri Water Company’ (KWC).”
  • Kemuri Water Company was tipped off to the hack by “unusual movements at valves and ducts”, and called in Verizon Security Solutions to identify the problem.
  • The hack involved “SQL injection and phishing… and exposed KWC’s aging AS/400-based operational control system because login credentials for the AS/400 were stored on the front-end web server.”
  • Using the credentials they found on the web server, the hackers were able to “interface with the water district’s valve and flow control application, also running on the AS400 system.”
  • Once they were in the system, the hackers “managed to manipulate the system to alter the amount of chemicals that went into the water supply and thus handicap water treatment and production capabilities so that the recovery time to replenish water supplies increased.”
  • KWC was fortunate to have quickly identified the changes made to the chemicals and was able to reverse the damage, “largely minimizing the impact on customers.”

UKRENERGO

  • In late 2016, Ukrenergo, a Ukrainian electric utility company, had its computer systems infiltrated by malware known as either “Industroyer” or “Crash Override.”
  • This attack represented just the second-known case of malicious code that was built specifically to “disrupt physical systems.”
  • The malware was able to automate a mass power outage, which caused a blackout of “a portion of the Ukrainian capital equivalent to a fifth of its total power capacity.” Tens of thousands of Ukrainians in Kiev lost power.
  • The blackout lasted only about an hour, but the event represented “a dangerous advancement in critical infrastructure hacking.”
  • According to investigators, the malware included “swappable, plug-in components that could allow it to be adapted to different electric utilities, easily reused, or even launched simultaneously across multiple targets.”
  • Crash Override was uniquely different from previous attacks in that it was fully automated. It was “programmed to include the ability to ‘speak’ directly to grid equipment, sending commands in the obscure protocols those controls use to switch the flow of power on and off.”
  • The most frightening part of Crash Override is that it is much more scalable than any previous infrastructure attack attempt. What has traditionally required about 20 people to pull off now requires far less human involvement.
  • Although it is unknown for sure how the malware was initially introduced to the Ukrenergo system, a similar attack in 2015 used targeted phishing emails and experts suspect “the hackers may have used the same technique a year later.”
  • Crash Override had a “swappable component design,” which means it could have used any one of four protocols to communicate with grid systems in different countries, including Europe and the United States.
  • A later analysis of Crash Override found that the malware “does manipulate data streams and data control, but it doesn’t destroy things.”
  • The attack was deemed to be a test for “refining attacks on critical infrastructure around the world.”

ENERVEST

  • In 2012, Ricky Joe Mitchell, an employee at EnerVest, a company that “manages oil and gas exploration and production operations,” learned he was going to be fired.
  • Mitchell remotely accessed EnerVest’s computers and “reset the company’s network servers to factory settings, essentially eliminating access to all of the company’s data and applications for the eastern US operations.”
  • In the process, Mitchell also deleted all of EnerVest’s phone system accounts and accounting data.
  • Prior to losing access to the EnerVest facilities, Mitchell also entered the building after hours and “disconnected critical pieces of computer-network equipment and disabled the equipment’s cooling system.”
  • As a result, EnerVest was “unable to fully communicate or conduct business operations for nearly 30 days.”
  • Moreover, EnerVest spent hundreds of thousands of dollars attempting to recover the historical data that Mitchell deleted from the system. Unfortunately, some data could not be restored at all.
  • Overall, the harm caused to EnerVest as a result of Mitchell’s sabotage totaled over $1 million.
  • The prosecuting U.S. attorney named the company, its employees, and its customers as victims of the attack, stating, “In this day and age, that kind of attack is devastating. And this defendant didn’t just hurt EnerVest. He hurt his former co-workers, he hurt EnerVest’s customers, and, ultimately, he hurt consumers.”
  • Mitchell received a four-year prison sentence for his actions and was ordered to “pay $428,000 in restitution to the company and pay a $100,000 fine.”

If you are a company, government, or organization of any kind that has data of consequence on your hands, do not put the people you serve at risk. Harden your system security by installing a provable data integrity check. This can be done by securing “Metadata Hash Values” with a third party.

NOTE: This should be done in addition to your current cyber-security practice.

Hash Values DO NOT, AT ALL, NO MATTER WHAT ANYONE TELLS YOU (Seriously, they are lying, #DYOR) CONTAIN ANY OF YOUR BUSINESS DATA! In fact, the best place to put a metadata hash value is a public blockchain (Ethereum, Bitcoin, etc.). This way you have the most immutable record of that hash.

That being said, sometimes a public-only blockchain solution is not right for the job. Just as you would never whittle a toothpick with a chainsaw, storing every hash value on Ethereum can be overkill. In other cases a private/public solution may be the right fit. In others, a totally private ledger and database solution works great. Either way, we don’t care which you pick, but you should have those hashes logged and accessible (for validation) with a third party.

Why do I need to store hashes with a third party like Antonym or public blockchain?

It serves the same function as registering your website with a certificate authority. You get an SSL certificate so that someone can’t pretend to be your website and steal from your customers. This is the same strategy you should be applying to all of your critical data, at scale. Store a record of your data (a hash) with a data registry (blockchain). When you need to validate it, you just check it against the HashRegistry. Voila! Data Integrity.
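The register-then-validate flow described above, as an added example that is not code from the article or from Antonym’s HashRegistry product: a record is canonicalized and hashed locally, only the SHA-256 digest is handed to an append-only registry (an in-memory stand-in here, assumed for illustration), and validation later recomputes the digest and compares it with what the registry holds. The record contents and the `HashRegistry` class are constructed for this example.

```python
import hashlib
import hmac
import json

# Constructed sample record (not from the article): a stand-in for the kind of
# operational metadata whose silent alteration the article warns about.
ORIGINAL_RECORD = {
    "asset": "dosing-pump-3",
    "parameter": "chlorine_ppm_setpoint",
    "value": 1.2,
    "updated": "2019-09-10T12:00:00Z",
}


def canonicalize(record: dict) -> bytes:
    """Serialize a record deterministically. Key order, whitespace and number
    formatting all change a digest, so they are pinned down here before hashing;
    two dicts with the same content always produce the same bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=True).encode("utf-8")


def metadata_hash(record: dict) -> str:
    """Hex SHA-256 digest of the canonical record. Only this digest leaves the
    organization; the record itself stays in-house."""
    return hashlib.sha256(canonicalize(record)).hexdigest()


class HashRegistry:
    """Append-only, in-memory stand-in (hypothetical, for this example) for a
    third-party registry or public ledger. It stores digests, never records,
    and hands back a receipt that the owner keeps alongside the record."""

    def __init__(self):
        self._log = []  # entries are never updated or deleted, only appended

    def register(self, digest: str) -> int:
        self._log.append(digest)
        return len(self._log) - 1  # receipt: position in the append-only log

    def lookup(self, receipt: int) -> str:
        return self._log[receipt]


def verify(record: dict, receipt: int, registry: HashRegistry) -> bool:
    """Recompute the digest from the local copy of the record and compare it with
    what the independent registry holds for that receipt. Any change to the
    record, however small, yields a different digest and a False result.
    compare_digest avoids leaking the mismatch position through timing."""
    try:
        expected = registry.lookup(receipt)
    except IndexError:
        return False  # unknown receipt: nothing to validate against
    return hmac.compare_digest(metadata_hash(record), expected)


def demo() -> tuple:
    """Register the record, then validate an intact copy and a tampered copy."""
    registry = HashRegistry()
    receipt = registry.register(metadata_hash(ORIGINAL_RECORD))

    # Same content, different key order: canonicalization must make this verify.
    reordered = dict(reversed(list(ORIGINAL_RECORD.items())))
    # A single changed field: the altered setpoint the article's scenarios describe.
    tampered = dict(ORIGINAL_RECORD, value=12.0)

    return (verify(reordered, receipt, registry),
            verify(tampered, receipt, registry))


if __name__ == "__main__":
    intact_ok, tampered_ok = demo()
    print("intact record validates:", intact_ok)
    print("tampered record validates:", tampered_ok)
```

Two design points worth noting. The receipt ties validation to the digest registered at a known point in time, so someone who later gains write access to the registry can only append new entries, not rewrite the one the receipt refers to. And while a digest does not contain the record, a record with very few plausible values (a setpoint that is one of a handful of numbers, say) can be matched by hashing each candidate and comparing; where that matters, hash the record together with a secret salt or use an HMAC before registering, which is a choice this example leaves to the reader.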
