For the first time on record, the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) publicly blamed Russia for attempting to hack U.S. energy infrastructure.

On 15 March, DHS and FBI published a joint Technical Alert (TA) via the United States Computer Emergency Readiness Team (US-CERT). In it, officials say Russian government digital actors are targeting American energy organizations along with government entities and other critical infrastructure sectors.

As revealed by the TA, Russia is approaching its hacking attacks against U.S. targets in stages:

This campaign comprises two distinct categories of victims: staging and intended targets. The initial victims are peripheral organizations such as trusted third-party suppliers with less secure networks, referred to as “staging targets” throughout this alert. The threat actors used the staging targets’ networks as pivot points and malware repositories when targeting their final intended victims. NCCIC and FBI judge the ultimate objective of the actors is to compromise organizational networks, also referred to as the “intended target.”

The campaigns begin with Russian actors conducting reconnaissance of staging targets that at some point maintained relationships with their intended targets. Using the information they acquire, the individuals launch spear-phishing attacks against the staging targets, compromise their web-based infrastructure with malicious content, and develop watering holes to infect their intended target. Once inside their intended target’s network, they create web shells on the entity’s email and web servers and conduct reconnaissance against ICS and supervisory control and data acquisition (SCADA) systems.

Russian black-hat hackers then create other accounts inside the intended target’s network to help remove signs of the intrusion.

Amit Yoran, a former U.S. official who founded US-CERT, told The New York Times that (Read more…)