US warns of Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure

Thursday, March 22, 2018

The U.S. Department of Homeland Security has warned that for at least two years, Russian government cyber actors have targeted government entities and multiple U.S. critical infrastructure sectors, including the energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors.

In a joint Technical Alert issued March 15, 2018 by the Department of Homeland Security's U.S. Computer Emergency Readiness Team (US-CERT) and the Federal Bureau of Investigation, the agencies warned of a "multi-stage intrusion campaign by Russian government cyber actors." The report follows an October 2017 alert by computer security firm Symantec of a re-emergence of a sophisticated cyber espionage group known as "Dragonfly."

According to the government agencies' report, the Russian cyber threat actors seem to have deliberately targeted specific organizations, as opposed to pursuing targets of opportunity. In an initial "staging" phase, the campaign used tools like malware, watering holes, and spear phishing to gain access to small commercial facilities' networks -- typically peripheral organizations like trusted third-party suppliers whose networks may be less secure. For example, the threat actors sent emails with malicious attachments appearing to be personnel resumes or contract documents. Clicking on links in the attachments exposed the victims to malware or data harvesting. In a subsequent phase, the threat actors made further use of the staging targets' networks as "pivot points and malware repositories" for use in targeting their final intended victims.

The report says that these Russian government cyber actors used the access they gained for network reconnaissance and for collecting information pertaining to Industrial Control Systems (ICS). It describes multiple instances of threat actors accessing workstations and servers on corporate networks that contained data output from control systems within energy generation facilities.

Cyber security is now a significant concern, both domestically and abroad. A February 2018 report by the U.S. intelligence community described the targeting of national security information and proprietary information from US companies and research institutions involved with defense, energy, finance, dual-use technology, and other areas as "a persistent threat to US interests." Last month, U.S. electric grid reliability regulators imposed a $2.7 million penalty on an unidentified utility for its violations of mandatory reliability standards in connection with a data security breach -- the largest fine to date associated with U.S. utility cybersecurity regulation. In that case, a third-party contractor hired by the utility allegedly copied protected data from the utility's network to the contractor's unsecured network -- where it was accessible online without the need to enter a user ID or password, and where it was in fact accessed by one or more unknown outside entities.

In 2014, reports emerged that Russian hackers had found flaws in solar panel monitoring software that, if left unfixed, could allow malicious actors to damage the electric grid. Foreign state-sponsored cyber attacks in 2016 and 2017 against Ukraine and Saudi Arabia targeted multiple sectors across critical infrastructure, government, and commercial networks, causing disruption to Ukrainian energy distribution networks.
