A US-CERT warning about Russian government activity targeting energy companies and other organizations has elevated concerns about the vulnerability of U.S. critical infrastructure sectors to damaging cyber attacks.
Many see the alert as validating, at the highest level, longstanding suspicions that nation state actors have access to critical industrial control systems and networks, and confirming the tactics, techniques and procedures (TTPs) they employ to get there.
“The fact that the U.S. government is joining the security community and now naming the Russian government responsible is remarkable,” said Nick Bilogorskiy, cybersecurity strategist at Juniper Networks.
In the past, US-CERT has mentioned Russian hacker activity such as Grizzly Steppe but has stopped short of attributing it directly to the government. “This looks like a change of policy to me,” Bilogorskiy said.
The US-CERT advisory comes less than three months after FireEye and other security vendors warned of an intrusion into a critical infrastructure facility in the Middle East that triggered an accidental shutdown of the operational network. The sophistication of that attack, and the potential for catastrophic consequences had it been fully successful, has already unsettled organizations in critical infrastructure sectors considerably.
“With [the US-CERT] news, every critical infrastructure related company will be asking themselves the question, ‘Are we next? Are malicious entities already in our networks?’” Bilogorskiy said. “Companies will face increased pressure both internally from their boards and externally from their customers to show the extra security steps they are taking.”
According to US-CERT, Russian government actors have been targeting organizations in the government, energy, nuclear, water, aviation and other critical sectors in a sophisticated multistage intrusion campaign since at least March 2016.
The campaign, investigated by the FBI and the U.S. Department of Homeland Security, involves two separate categories of victims—staging targets and intended targets.
The staging targets are typically trusted third-party suppliers and partners with relatively insecure networks, selected because of their pre-existing relationships with the intended targets. The threat actors have been using these third-party networks to host malware and, eventually, to pivot into the networks of their intended critical infrastructure targets.
In many incidents that the FBI and DHS investigated, the threat actors compromised the networks of trusted third parties—including suppliers and media sites—to develop watering holes that were then used to drop malware on the intended target.
Once they have gained access to an intended victim, the threat actors have conducted reconnaissance operations, collected network- and system-related data and mapped the network. “In multiple instances, the threat actors accessed workstations and servers on a corporate network that contained data output from control systems within energy generation facilities,” the US-CERT advisory noted.
The investigations show that the Russian government-backed attackers accessed data and files—including wiring diagrams and panel layouts—pertaining to industrial control systems and supervisory control and data acquisition (SCADA) systems at several energy companies.
The actual TTPs the attackers use to break into systems include a familiar combination of social engineering and phishing attacks, watering-hole domains, credential harvesting, open-source and network reconnaissance, and APT malware. There is little in the DHS advisory to suggest any new or particularly sophisticated capability, and at least some of the details in the report are based on a months-old Symantec advisory.
The alert matters because it validates what the ICS community has known for months, said Phil Neray, vice president of industrial cybersecurity at CyberX. “[The alert] is a big deal because it confirms the presence of Russian government threat actors in U.S. critical infrastructure networks, including in nuclear facilities,” he added, noting it should go a long way in raising awareness with critical infrastructure management teams. “They can no longer assume they’re protected by outdated notions like air-gapping and perimeter firewalls.”
The types of attacks described in the DHS/FBI alert are themselves hardly new or surprising to security experts, said Ray DeMeo, co-founder and chief operating officer at Virsec. Organizations in critical sectors should in fact expect nation state actors to probe for and exploit weaknesses on their networks.
The advisory still deserves attention because US-CERT is a fairly independent organization that is fact-driven rather than politically biased or motivated. “They post alerts based on specific evidence of breaches,” DeMeo said.
The US-CERT advisory gives organizations information they can use to defend themselves. While it will not deter further attacks, the advisory does call out specific groups and locations that companies can build specific detection rules around, he said. From that standpoint, the forensics in the DHS/FBI alert should give organizations a modest short-term advantage.
However, significant gaps remain in industrial control system cyber security. “The majority of infrastructure was designed a generation ago without modern security in mind, often built with the concept of isolation,” DeMeo said. “Isolation is an outdated idea that is rarely effective anymore. You’re only a USB stick away from an attack.”