The Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) took the unusual step Thursday of issuing an alert fingering the Russian government for targeting U.S. critical infrastructure with cyberattacks.
“The fact that the DHS and the FBI have attributed attempts to attack and compromise critical U.S. infrastructure to Russia is unprecedented and extraordinary,” said Amit Yoran, CEO at Tenable. “From my time as the founding director of the United States Computer Emergency Readiness Team (US-CERT) in the Department of Homeland Security, I have never seen anything like this. It’s a wake-up call for the industry and a reminder that we are still not doing the basics well and that our defense needs to constantly evolve and adapt.”
The alert details the Russian government’s actions in the DragonFly 2.0 campaign revealed last summer, in which hackers infiltrated energy facilities in North America and Europe and escalated its operations, possibly signaling a shift from intelligence gathering to industrial sabotage.
DHS and the FBI unveiled a “multi-stage intrusion campaign by Russian government cyber actors who targeted small commercial facilities’ networks where they staged malware, conducted spear phishing, and gained remote access into energy sector networks.” Once they obtained access, “the Russian government cyber actors conducted network reconnaissance, moved laterally, and collected information pertaining to Industrial Control Systems (ICS),” the alert said.
“This type of attack isn’t anything new, and the real story here is that the U.S. is choosing to acknowledge it (and in extreme detail),” said Bill Lummis, technical program manager at HackerOne. “It shows that while SCADA security can’t be neglected, the biggest risk to industrial infrastructure is through the conventional networks attached to them.”
Lummis called the indicators of compromise, or IOCs, provided in the US-CERT alert “an excellent starting point to determine if you were targeted by these same payloads,” but cautioned that “in the long term it’s important to remember that just because the target is infrastructure, it doesn’t mean that we have to forget everything we’ve learned about how to secure our assets,” including account audits, active detection and continuous security testing.
Naming Russia as culpable in the critical infrastructure attacks, coupled with sanctions imposed early Thursday on five Russian organizations and 19 individuals for interfering in the U.S. election and the NotPetya attack, mark a departure from the Trump administration’s reluctance to call out the Russian government over its malicious cyberactivities.