The Cybersecurity and Infrastructure Security Agency (CISA), the FBI and the Department of Energy (DOE) released a joint advisory in late March (Alert AA22-083A) that details intrusion campaigns conducted by state-sponsored Russian cyber actors against U.S. energy sector organizations.
In tandem with the advisory, the U.S. State Department announced a reward of up to $10 million for anyone who can supply information on any person “who is acting at the direction or under the control of a foreign government” and “participates in malicious cyber activities against U.S. critical infrastructure”.
Phishing and supply chain attacks led to major intrusions
CISA reports that hacking arms of the Russian Federal Security Service (FSB) and Russian Federation Central Scientific Research Institute of Chemistry and Mechanics conducted intrusion campaigns against several international and U.S. energy sector organizations (including oil refineries, nuclear facilities, and energy companies) between 2011 and 2018.
In one example (Havex malware), hackers sent spear phishing emails, redirecting targets to compromised websites (a watering hole attack) to download malicious versions of legitimate software updates. Once these software updates containing malware were installed, attackers gained remote access in target organizations and deployed malware to collect information and exfiltrate data such as system information, lists of files and installed programs, email address books and virtual private network (VPN) configuration files from compromised networks.
Cyberattacks against the U.S. energy sector were conducted in stages. The first stage involved targeting third-party supply chain organizations such as vendors, integrators and suppliers. Once supply chains were infiltrated, attackers conducted sophisticated spear phishing and watering hole attacks to harvest credentials. After credentials were obtained, attackers conducted extensive network reconnaissance and discovery, moved laterally, gained persistence and collected information pertaining to industrial control systems (ICS) from the compromised enterprise and possibly other information related to OT environments. It’s believed that the exfiltrated data included critical pieces of information such as vendor information, reference documents, ICS architecture and layout diagrams.
Guidance to protect energy sector networks
In the wake of the current Ukraine-Russia crisis, CISA alerted global energy organizations to immediately take precautions to help prevent compromise, including some of the following best practices:
- User training: Train users to be aware of potential manipulation attempts by adversaries. Security awareness training reduces the risk of phishing, social engineering and other techniques that involve unauthorized access to systems. Trained users can act as an additional layer of defense by detecting and alerting security teams of suspicious activity and catching a cyberattack in its early stages.
- Network segmentation between IT and ICS environments: Robust network segmentation limits the ability of attackers to move laterally into ICS environments if the IT network is compromised. Apply network segmentation (using VLANs) to portions of the network that depend on one another by function. Security teams should also implement perimeter controls between these segments so that attackers cannot move laterally. Organizations should use one-way communication diodes to prevent external access, set up demilitarized zones (DMZs) to create physical and logical subnetworks that act as an intermediary for connected security devices, and employ reliable network security protocols and services where feasible.
- Privileged account management: Energy organizations should pay extra attention to user accounts that hold elevated permissions, such as access to restricted areas of a system or the ability to execute highly privileged tasks. To protect privileged accounts, train account owners on security best practices and password management, enforce MFA, and monitor all such accounts, and every action taken with them, closely to detect any suspicious activity. Along with securing and training privileged users, organizations should pay particular attention to deciding who receives privileged access and what they include in the incident response plan.
- Risk assessment strategy: Organizations should have a robust risk assessment strategy under which they perform regular audits, scan systems, monitor permissions and check configurations to identify potential weaknesses, vulnerabilities and loopholes. Organizations should perform regular software patching and updates to ensure all systems are running up-to-date versions. From an ICS perspective, organizations should use a risk-based approach to determine which ICS networks, assets and zones must participate in the patch management program. CISA also recommends that ICS patches be tested in out-of-band testing environments before they are implemented in production areas. End-of-life hardware and software should be replaced, and all retired ports and services on ICS devices should be disabled.
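One way to turn the segmentation guidance above into a check a security team can run is to audit exported flow records against the intended zone policy: IT reaches ICS only through a DMZ jump host, and ICS data leaves only over a one-way historian path. The script below is an added example and is not code from the advisory or from this article's author; the zone address ranges, the jump host, the historian hosts and ports, and the sample flow lines are all constructed assumptions for the demonstration.

```python
"""Audit flow records against an IT / DMZ / ICS segmentation policy.

Zone layout, hosts, ports and the sample flows are constructed for this
example; a real deployment takes them from its network design documents.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network

ZONES: dict[str, IPv4Network] = {
    "IT": ip_network("10.10.0.0/16"),     # corporate network (assumed)
    "DMZ": ip_network("10.20.0.0/24"),    # intermediary zone between IT and ICS (assumed)
    "OT": ip_network("10.30.0.0/16"),     # ICS network (assumed)
}
JUMP_HOST = ip_address("10.20.0.5")             # only DMZ host permitted to reach OT (assumed)
OT_HISTORIAN = ip_address("10.30.1.10")         # OT side of the one-way data path (assumed)
IT_HISTORIAN_MIRROR = ip_address("10.10.5.20")  # IT side of the one-way data path (assumed)
JUMP_PORTS = {22, 3389}                         # admin protocols allowed via the jump host
HISTORIAN_PORT = 5432                           # replication port across the diode (assumed)


@dataclass(frozen=True)
class Flow:
    ts: str
    src: IPv4Address
    dst: IPv4Address
    dport: int
    proto: str


def zone_of(addr: IPv4Address) -> str:
    """Map an address to its zone name, or EXTERNAL if it matches no zone."""
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "EXTERNAL"


def evaluate(flow: Flow) -> tuple[bool, str]:
    """Return (allowed, reason) for one flow under the segmentation policy."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    pair = (src_zone, dst_zone)
    if src_zone == dst_zone:
        return True, "intra-zone"
    # Permitted cross-zone paths: IT -> jump host -> OT, and OT historian -> IT mirror.
    if pair == ("IT", "DMZ") and flow.dst == JUMP_HOST and flow.dport in JUMP_PORTS:
        return True, "IT to DMZ jump host"
    if pair == ("DMZ", "OT") and flow.src == JUMP_HOST and flow.dport in JUMP_PORTS:
        return True, "jump host to OT"
    if (pair == ("OT", "IT") and flow.src == OT_HISTORIAN
            and flow.dst == IT_HISTORIAN_MIRROR and flow.dport == HISTORIAN_PORT):
        return True, "historian replication over one-way path"
    # Everything else touching the OT boundary is a violation worth investigating.
    if pair == ("IT", "OT"):
        return False, "direct IT to OT crossing bypasses the DMZ"
    if pair == ("OT", "IT"):
        return False, "OT to IT traffic outside the one-way historian path"
    if pair == ("DMZ", "OT"):
        return False, "DMZ to OT only permitted from the jump host on admin ports"
    if "OT" in pair:
        return False, f"{src_zone} to {dst_zone} not permitted"
    return True, f"{src_zone} to {dst_zone} outside ICS scope"


def parse_flows(text: str) -> list[Flow]:
    """Parse 'timestamp,src,dst,dport,proto' lines (a NetFlow-style CSV export)."""
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst, dport, proto = line.split(",")
        flows.append(Flow(ts, ip_address(src), ip_address(dst), int(dport), proto))
    return flows


def audit(text: str) -> list[tuple[str, str, str, int, str]]:
    """Return one (ts, src, dst, dport, reason) tuple per policy violation."""
    violations = []
    for f in parse_flows(text):
        allowed, reason = evaluate(f)
        if not allowed:
            violations.append((f.ts, str(f.src), str(f.dst), f.dport, reason))
    return violations


# Constructed sample export: two legitimate admin hops, one historian replication,
# and four boundary violations (direct IT->OT Modbus, OT->IT SMB, OT egress to
# the internet, and an unapproved DMZ host reaching OT).
SAMPLE_FLOWS = """\
2022-03-24T10:01:02Z,10.10.3.4,10.20.0.5,3389,tcp
2022-03-24T10:01:30Z,10.20.0.5,10.30.2.7,22,tcp
2022-03-24T10:02:11Z,10.10.3.4,10.30.2.7,502,tcp
2022-03-24T10:03:00Z,10.30.1.10,10.10.5.20,5432,tcp
2022-03-24T10:03:45Z,10.30.2.7,10.10.3.4,445,tcp
2022-03-24T10:04:10Z,10.30.2.7,203.0.113.9,443,tcp
2022-03-24T10:05:00Z,10.20.0.9,10.30.2.7,22,tcp
"""

if __name__ == "__main__":
    for ts, src, dst, dport, reason in audit(SAMPLE_FLOWS):
        print(f"{ts} {src} -> {dst}:{dport}  VIOLATION: {reason}")
```

Running the script against the sample export reports the four boundary crossings and stays silent on the jump-host and historian paths; in practice the same policy function is fed from the firewall or flow collector on a schedule, and any hit is evidence that the segmentation assumed in the network design is not what the network is actually doing.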
Industrial control systems are complex, and these best practices are not all-inclusive. As more and more ICS environments that were historically isolated or air-gapped connect to the internet, the threat from cyberattacks will only intensify. Moving forward, security teams need to combine defense-in-depth technologies, best practices and user awareness to reduce the risks associated with internet-exposed critical infrastructure.
When an organization experiences a cyber incident, it should immediately report it to CISA’s operations center at [email protected] or (888) 282-0870 and to the FBI’s CyWatch at (855) 292-3937 or [email protected].
Stu Sjouwerman, founder and CEO, KnowBe4