How hackers got into the energy grid
Using trusted third-party identities compromised in spearphishing and watering hole campaigns, the attackers accessed networks and control systems of "quite a number" of energy infrastructure providers last summer.
The recent Russian cyberattack targeting energy critical infrastructure providers was supported by an extensive network of human intruders, a top Department of Homeland Security analyst said.
The attackers got access to networks and control systems of "quite a number" of energy infrastructure providers last summer by using the trusted identities of third-party organizations compromised in spearphishing and watering hole campaigns over 2016 and 2017, according to Jonathan Homer, chief of industrial control system analysis at DHS.
Homer described how human attackers waited a year before activating at least one compromised vendor's network, from which they worked their way to the critical infrastructure company that was their ultimate target. The intruders relied on humans at keyboards rather than on data scraping and other automated techniques.
The details come from the second DHS National Cybersecurity and Communications Integration Center webcast on "Russian Activity Against Critical Infrastructure" on July 25. The NCCIC is conducting four webcasts on the attacks, with the same content, to spread the word on the novel techniques used to gain operations-level access to critical infrastructure providers' industrial control systems.
Although the campaign has been attributed to the Russian-backed "Energetic Bear" group, Homer declined during the July 25 webcast to answer a question about the specific identity of the Russian group involved.
The attackers, said Homer, didn't go after infrastructure providers directly. Instead, they hijacked the electronic credentials of trusted organizations, such as vendors and even a government agency, to get into critical infrastructure networks, where they then stole the credentials of employees to move further into those networks.
Homer didn't name the government agency targeted with the initial spearphishing emails. The identities the attackers leveraged to get into the target critical infrastructure providers didn't really matter to them, he said; what mattered was the pre-existing relationship with the infrastructure provider. The agency, however, did report the questionable traffic to DHS.
Once the threat actors were in critical infrastructure networks, they needed to get up to speed on how the infrastructure worked. They targeted and stole the electronic credentials of technicians and operational personnel, as well as technical data and operational schematics of industrial processes.
They also leveraged online digital photos of seemingly benign corporate events, such as ribbon cuttings, or photos of executives, but only those photos that included actual industrial equipment or systems in the background, according to Homer.
Those infrastructure schematics and details from publicly available sources were critical for attackers to understand the intricacies of how to manipulate a particular system, since industrial control systems are highly individual and can vary tremendously from site to site.
Ultimately, said Homer, no infrastructure was actually manipulated in the campaign.
The campaign is apparently ongoing, since Homer warned his audience to let DHS know if they see similar tactics, such as remote Server Message Block (SMB) attacks or attempts to get into systems over virtual private network (VPN) connections.
He also advised companies to scrutinize the contacts on their trusted "whitelist" of acceptable traffic, to limit any threat actor's access to credentials that networks accept automatically.
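The two indicators Homer asks operators to watch for, remote SMB sessions and VPN logins by trusted third-party accounts, can be checked with a small log-scanning rule set. The following is an added example written for this page, not code from DHS, NCCIC or the article; the log format, the vendor account names and the address ranges are all constructed placeholders, and the allowlist of "where each trusted account normally connects from" is the kind of review of whitelisted contacts the advice above calls for.

```python
"""Added detection example (not from the DHS webcast or the article).

Flags two indicators over constructed log lines:
  * SMB (TCP 445) sessions whose source is outside the internal address
    space -- a remote SMB attempt against an infrastructure network;
  * successful VPN logins by a trusted third-party (vendor/agency) account
    from a source network that account is not expected to use.
"""
import ipaddress
import re
from collections import namedtuple

# Constructed allowlist: trusted third-party accounts and the networks each
# is expected to connect from. Real deployments derive this from the
# vendor onboarding record; these are placeholder values.
VENDOR_ALLOWLIST = {
    "vendor-ics-support": [ipaddress.ip_network("203.0.113.0/24")],
    "agency-liaison": [ipaddress.ip_network("198.51.100.0/24")],
}

# Internal (RFC 1918) space; SMB originating anywhere else is suspect.
INTERNAL = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed log line shapes (assumed format, not a real product's syntax).
FW_RE = re.compile(r"FW src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
                   r"dport=(?P<dport>\d+) action=(?P<action>\w+)")
VPN_RE = re.compile(r"VPN user=(?P<user>[\w-]+) src=(?P<src>[\d.]+) "
                    r"result=(?P<result>\w+)")

Alert = namedtuple("Alert", "rule detail")


def is_internal(ip):
    """True if the address lies in the internal (RFC 1918) ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)


def check_line(line):
    """Return an Alert for a suspicious line, or None if it is benign."""
    m = FW_RE.search(line)
    if m:
        # Flag both allowed and denied external SMB: a denied attempt is
        # still the "remote SMB" probing Homer asked operators to report.
        if m["dport"] == "445" and not is_internal(m["src"]):
            return Alert("remote-smb",
                         f"SMB from external {m['src']} to {m['dst']} "
                         f"({m['action']})")
        return None
    m = VPN_RE.search(line)
    if m and m["result"] == "success":
        user = m["user"]
        src = ipaddress.ip_address(m["src"])
        # Only trusted third-party accounts are held to the allowlist here;
        # an account that is on the whitelist but connects from elsewhere
        # is exactly the hijacked-trusted-identity case.
        if user in VENDOR_ALLOWLIST and not any(
                src in net for net in VENDOR_ALLOWLIST[user]):
            return Alert("vendor-vpn-offnet",
                         f"trusted account {user} logged in from {src}")
    return None


def scan(lines):
    """Run every line through the rules and return the alerts raised."""
    return [a for a in (check_line(line) for line in lines) if a]


# Constructed sample log lines (timestamps and addresses are placeholders).
SAMPLE_LOGS = [
    "2018-07-01T02:13:44Z FW src=10.20.30.40 dst=10.20.30.41 dport=445 action=allow",
    "2018-07-01T02:14:01Z FW src=192.0.2.55 dst=10.20.30.41 dport=445 action=allow",
    "2018-07-01T02:14:05Z FW src=192.0.2.55 dst=10.20.30.42 dport=445 action=deny",
    "2018-07-01T02:15:00Z FW src=192.0.2.55 dst=10.20.30.43 dport=443 action=allow",
    "2018-07-01T03:00:12Z VPN user=vendor-ics-support src=203.0.113.17 result=success",
    "2018-07-01T03:05:30Z VPN user=vendor-ics-support src=192.0.2.99 result=success",
    "2018-07-01T03:05:45Z VPN user=agency-liaison src=192.0.2.99 result=failure",
    "2018-07-01T03:06:00Z VPN user=jdoe src=192.0.2.99 result=success",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOGS):
        print(f"[{alert.rule}] {alert.detail}")
```

Run on the sample above, the scan raises two `remote-smb` alerts for the external 192.0.2.55 source and one `vendor-vpn-offnet` alert for the vendor account connecting from outside its expected network; internal SMB, a non-SMB port, a failed login and an ordinary employee's VPN session are left alone. The point of the allowlist check is that a whitelisted identity is not trusted unconditionally: the credential and the path it arrives by are checked together.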
This article was first posted to FCW, a sibling site to GCN.