How hackers are targeting the energy grid
- By Mark Rockwell
A top Department of Homeland Security analyst said the Russian cyberattack that has been targeting hundreds of corporate and federal victims in a campaign to access energy infrastructure in the U.S. is supported by an extensive network of human intruders.
The attackers infiltrated the networks and control systems of "quite a number" of energy providers last summer by using trusted electronic identities gathered during a stealthy spearphishing and watering-hole campaign from 2016 to 2017, said Jonathan Homer, chief of industrial control system analysis at DHS.
DHS later clarified that the hackers were not close to being able to take control of the energy infrastructure.
In a webcast describing the tactics used, Homer described a patient, diligent set of human attackers willing to wait a year before activating at least one compromised vendor's network and using it to work toward the primary target, the critical infrastructure company that vendor served. The intrusions were carried out by humans at keyboards rather than by data scraping and other automated techniques.
The details come from the second DHS National Cybersecurity and Communications Integration Center webcast on "Russian Activity Against Critical Infrastructure" on July 25. The NCCIC is conducting four webcasts on the attacks, with the same content, to spread the word on the novel techniques used to gain operations-level access to critical infrastructure providers' industrial control systems.
Although the campaign has been attributed to the Russian-backed "Energetic Bear" groups, Homer declined to answer a question about the specific identity of the Russian group involved in the campaign during the July 25 webcast.
The attackers, said Homer, didn't come at infrastructure providers directly, but hijacked electronic credentials of trusted organizations, such as vendors and even a government agency, to get into critical infrastructure networks where they then stole credentials of employees there to move further into that network.
Homer didn't name the government agency targeted with the initial spearphishing emails. Which identities the attackers used to get into the target critical infrastructure providers didn't really matter to them, he said; what mattered was the pre-existing relationship with the infrastructure provider. The agency, he said, did report the questionable traffic to DHS.
Once the threat actors were in critical infrastructure networks, they needed to get up to speed on how the infrastructure worked. They targeted and stole the electronic credentials of technicians and operational personnel, as well as technical data and operational schematics of industrial processes.
They also leveraged online digital photos of seemingly benign corporate events, such as ribbon cuttings, or photos of executives, but only those photos that included actual industrial equipment or systems in the background, according to Homer.
Those infrastructure schematics and details from publicly available sources were critical for attackers to understand the intricacies of how to manipulate a particular system, since industrial control systems are highly individual and can vary tremendously from site to site.
Ultimately, said Homer, no infrastructure was actually manipulated in the campaign.
The campaign is apparently ongoing, since Homer warned his audience to let DHS know if they see similar tactics, such as remote Server Message Block (SMB) attacks or attempts to get into the system via virtual private networks.
He also advised companies to scrutinize the contacts on their trusted "whitelist" of acceptable traffic, to limit any threat actor's access to credentials that networks accept automatically.
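The two tactics Homer asks operators to watch for, remote SMB attempts and VPN access through trusted third-party accounts, are both visible in ordinary perimeter logs. The script below is an added example written for this article, not DHS or NCCIC material: it parses a constructed firewall/VPN log format, flags outbound SMB (TCP 445) from internal hosts to addresses outside the organization's own ranges whether the firewall allowed or blocked the attempt, and lists every VPN login by an account on the vendor "whitelist" so it can be reviewed against expected maintenance windows. The log format, the address ranges in `INTERNAL_NETS`, and the account names in `TRUSTED_VENDOR_ACCOUNTS` are all assumptions made for the example.

```python
"""Flag two tactics from the DHS briefing in perimeter logs: outbound SMB to
external hosts, and VPN logins by trusted-vendor accounts. The log format,
address ranges and account names below are constructed for this example."""
import ipaddress
from dataclasses import dataclass
from typing import List

# Assumption: the organization's own address space (replace with real ranges).
# Explicit ranges are used instead of ipaddress.is_private so that the
# documentation prefixes in the sample log count as "external".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Assumption: the vendor/partner accounts on the VPN "whitelist".
TRUSTED_VENDOR_ACCOUNTS = {"vendor-hvac-svc", "vendor-scada-support"}

# Constructed sample log: ts action src dst proto dport user
SAMPLE_LOG = """\
2018-07-25T09:01:11Z ALLOW 10.20.4.15 10.20.4.2 TCP 445 -
2018-07-25T09:02:40Z ALLOW 10.20.4.15 203.0.113.77 TCP 445 -
2018-07-25T09:03:05Z DENY  10.20.4.16 198.51.100.9 TCP 445 -
2018-07-25T09:04:12Z ALLOW 10.20.4.17 10.20.9.1 TCP 443 -
2018-07-25T22:15:30Z ALLOW 192.0.2.44 10.20.1.1 VPN 1194 vendor-hvac-svc
2018-07-25T10:15:30Z ALLOW 192.0.2.45 10.20.1.1 VPN 1194 jsmith
"""


@dataclass
class Event:
    ts: str
    action: str
    src: str
    dst: str
    proto: str
    dport: int
    user: str


def parse_log(text: str) -> List[Event]:
    """Parse whitespace-separated lines; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 7:
            continue
        ts, action, src, dst, proto, dport, user = parts
        events.append(Event(ts, action, src, dst, proto, int(dport), user))
    return events


def is_external(addr: str) -> bool:
    """True when the address lies outside every configured internal range."""
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in INTERNAL_NETS)


def find_external_smb(events: List[Event]) -> List[Event]:
    """Internal host talking SMB to an external address. Legitimate file
    sharing almost never crosses the perimeter, so both ALLOW and DENY hits
    are returned: a blocked attempt still shows a host tried to reach out."""
    return [e for e in events
            if e.proto == "TCP" and e.dport == 445
            and not is_external(e.src) and is_external(e.dst)]


def find_vendor_vpn_logins(events: List[Event],
                           trusted=TRUSTED_VENDOR_ACCOUNTS) -> List[Event]:
    """Every VPN session by a whitelisted vendor account, for review against
    the vendor's expected maintenance schedule."""
    return [e for e in events if e.proto == "VPN" and e.user in trusted]


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for e in find_external_smb(evts):
        print(f"external SMB: {e.ts} {e.action} {e.src} -> {e.dst}")
    for e in find_vendor_vpn_logins(evts):
        print(f"vendor VPN login: {e.ts} {e.user} from {e.src}")
```

Run against the sample, the script reports two external SMB attempts (one allowed, one denied) and one vendor VPN login at 22:15, which is the kind of off-hours use of a trusted account worth confirming with the vendor.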