Cyberattacks and threats against critical infrastructure industries have been on the rise, but up to now we've only been able to speculate on who the actors are, or what their motives may be. This all changed recently when the U.S. government released an important cybersecurity alert confirming Russian government cyberattacks are targeting energy and other critical infrastructure sectors in the United States.
In a rare move, the U.S. Computer Emergency Readiness Team (US-CERT) alert confirms the threat actor and their strategic intent. It also provides descriptions of each stage of the attack, detailed indicators of compromise (IOCs), and a long list of detection and prevention measures.
This US-CERT alert is a milestone. It makes it perfectly clear that the U.S. infrastructure and critical manufacturing sectors, and likely the same sectors in other countries, are under high vulnerability for Russian attacks. Here we will examine what critical infrastructure organizations should learn from this incident and offer clear steps on how they can protect themselves moving forward.
Understanding This Multi-Stage Campaign
It's known that nation-state threat actors have been infecting and doing reconnaissance on systems such as the power grid for a number of years. US-CERT issued an alert on this last October. There have been threats against U.S. critical infrastructure, especially in the energy sector, for almost two decades. It's become clear in recent years, however, that the frequency and sophistication of these attacks has been increasing.
In this case, The US-CERT alert characterizes this attack as a multi-stage cyber intrusion campaign where Russian cyber actors conducted spear phishing to gain remote access into targeted industrial networks. After obtaining access, the threat vectors conducted network reconnaissance, moved laterally and collected information pertaining to Industrial Control Systems (ICS).
Let's break this down. Russian attackers started by infecting staging targets, which are peripheral organizations, such as trusted third-party suppliers. Attackers used a multitude of tactics involving information relevant to industrial control professionals for initial infection, including:
- Altering trade publication websites, indicating inadequate security practices
- Sending emails containing resumes for ICS personnel as infected Microsoft Word attachments
- Analyzing publicly available photos that inadvertently contained information about industrial systems
The credentials of staging targets' staff were in turn used to send spear phishing emails to the staff of the intended targets. They received malicious .docx files, which communicated with a command and control (C2) server to steal their credentials.
The credentials of the intended targets were used to access victim's networks. From there, the malware established multiple local administrator accounts, each with a specific purpose. The goals ranged from creation of additional accounts to clean-up activity.
Next, tools were downloaded from a remote server, which manipulated Microsoft Window's shortcut files and registries to gather and store user credentials. They also used the infrastructure of staging targets to connect to intended targets using the stolen credentials and remote access services. From there, the threat actors performed ICS reconnaissance and conducted activity to hide their tracks, such as clearing logs and removing malware applications, registry keys and screen captures.
What to Do Now: Increasing Human and System Defenses
Whenever the government puts out a warning like the alert it issued last week, organizations must take notice and prioritize increasing cybersecurity defenses. Action should be taken immediately to increase both human and system defenses.
On the human side, security teams should communicate the seriousness of the situation to the staff. Everyone within the organization should be on guard for suspicious emails, activities or people at the facilities. The security team should direct workers to change their passwords – especially passwords related to critical systems and administrator passwords. And if it's not in place already, two-factor authentication should be implemented wherever possible. The organization should review its incident response and outage plans, and key staff should be in standby emergency mode.
On the system side, the security team should review all administrator accounts, and identify and disable those that are unauthorized. Make sure that physical defenses are high. If there are hardware keys to prevent programming of ICS, they should be checked and not left in program mode (as was the case in the Triton attack). Prioritize checking networks for anomalous behavior and IOCs. Fortunately, there is technology available for passive network monitoring that can be rapidly deployed and that can automatically and quickly check for IOCs. Once IOCs are identified and eradicated from networks, the security team should harden firewall rules, restricting both inbound and outbound communication between networks and segments within the industrial networks.
Not only will it happen again, but it's likely the next attack is already underway and we just haven't heard about it yet. Cyber threats to national critical infrastructure is a reality that most likely will never go away. With more unprotected devices making their way into operational networks, and with ransomware, hacktivism and nation-state attacks on the rise, owners of critical infrastructure can no longer afford to play Russian roulette when it comes to ICS security. They must take steps to reduce risk and improve resilience.