In a joint alert from the FBI and DHS, the Trump administration has for the first time formally accused the Russian government of a “multi-stage intrusion campaign” targeting the U.S. energy grid. The alert provides some specifics about an emerging threat: intrusions that could translate into practical chaos for a country in the crosshairs of such an attack.
The alert elaborates on “Russian government actions targeting U.S. Government entities as well as organizations in the energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors.” That target list is consistent with suspected Russian operations such as last year’s NotPetya outbreak, which disrupted industrial firms, and earlier attacks on energy systems in Ukraine. The joint FBI and DHS report links to Symantec research from October 2017 that detailed efforts by a “sophisticated attack group,” tracked by Symantec as Dragonfly, which “[appeared] to be interested in both learning how energy facilities operate and also gaining access to operational systems themselves.”
The alert makes clear that Russian reconnaissance of critical infrastructure networks was paired with an effort to reach the systems that actually control them:
“DHS and FBI characterize this activity as a multi-stage intrusion campaign by Russian government cyber actors who targeted small commercial facilities’ networks where they staged malware, conducted spear phishing, and gained remote access into energy sector networks. After obtaining access, the Russian government cyber actors conducted network reconnaissance, moved laterally, and collected information pertaining to Industrial Control Systems (ICS).”
To carry out their aims, the attackers employed a blend of technical attacks, social engineering and basic online sleuthing. In one instance, the report describes how the hackers downloaded a small image displayed on a target’s public human resources page. The page showed it at thumbnail size, but the file itself was full resolution: enlarged, it turned out to be a “high-resolution photo that displayed control systems equipment models and status information in the background.” That is a considerable oversight, and evidence of just how unevenly basic operational security precautions are implemented in the energy sector.
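The oversight above is easy to audit for: compare the pixel size of each image a public page serves with the size at which the page displays it. The script below is an added example and is not code from the alert or from Symantec; the HTML, the image headers and all helper names are constructed for illustration.

```python
"""Audit sketch (added example, not from the DHS/FBI alert): flag images on a
public page whose stored pixel size far exceeds the size at which the page
shows them, i.e. 'thumbnails' that are really full-resolution photos.
The HTML and image bytes below are constructed; helper names are assumptions."""
import struct
from html.parser import HTMLParser


class ImgCollector(HTMLParser):
    """Collect <img> tags with the width/height the page asks the browser to use."""
    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = dict(attrs)
        try:
            w, h = int(a.get("width") or 0), int(a.get("height") or 0)
        except ValueError:          # e.g. width="50%": size unknown
            w = h = 0
        self.images.append((a.get("src", ""), w, h))


def image_dimensions(data):
    """Read (width, height) from a PNG IHDR chunk or a JPEG SOF0/1/2 marker."""
    if not data:
        return None
    if data[:8] == b"\x89PNG\r\n\x1a\n" and data[12:16] == b"IHDR":
        return struct.unpack(">II", data[16:24])
    if data[:2] == b"\xff\xd8":     # JPEG: walk segments until a SOF marker
        i = 2
        while i + 9 <= len(data) and data[i] == 0xFF:
            marker = data[i + 1]
            if marker in (0xC0, 0xC1, 0xC2):
                h, w = struct.unpack(">HH", data[i + 5:i + 9])
                return (w, h)
            i += 2 + struct.unpack(">H", data[i + 2:i + 4])[0]
    return None


def find_oversized(html, fetch, ratio=4.0):
    """Return (src, displayed, intrinsic) for images stored far larger than shown."""
    p = ImgCollector()
    p.feed(html)
    findings = []
    for src, w, h in p.images:
        dims = image_dimensions(fetch(src))
        if not dims or not (w and h):
            continue                # nothing to compare against
        iw, ih = dims
        if iw >= ratio * w or ih >= ratio * h:
            findings.append((src, (w, h), (iw, ih)))
    return findings


# --- constructed sample data (stands in for fetching the real page) -----
def png_header(w, h):
    """Minimal PNG signature + IHDR; the CRC is left zeroed (enough to parse)."""
    return (b"\x89PNG\r\n\x1a\n" + struct.pack(">I", 13) + b"IHDR"
            + struct.pack(">II", w, h) + b"\x08\x02\x00\x00\x00" + b"\0\0\0\0")


def jpeg_header(w, h):
    """SOI, an APP0 segment, then a SOF0 segment carrying height and width."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00" + b"\0" * 9
    sof0 = (b"\xff\xc0" + struct.pack(">H", 17) + b"\x08"
            + struct.pack(">HH", h, w) + b"\x03" + b"\0" * 9)
    return b"\xff\xd8" + app0 + sof0


SAMPLE_HTML = """
<div class="team">
  <img src="team.jpg" width="120" height="80" alt="Operations team">
  <img src="logo.png" width="100" height="100" alt="Logo">
  <img src="banner.png" width="50%" alt="Banner">
</div>
"""
SAMPLE_IMAGES = {
    "team.jpg": jpeg_header(4000, 2667),   # shown as a thumbnail, stored full-res
    "logo.png": png_header(100, 100),
    "banner.png": png_header(1600, 400),
}

if __name__ == "__main__":
    for src, shown, real in find_oversized(SAMPLE_HTML, SAMPLE_IMAGES.get):
        print(f"{src}: displayed at {shown}, stored at {real}")
```

In practice `fetch` would be an HTTP client returning the image bytes; the ratio threshold is a judgment call, and anything flagged should be resized server-side rather than merely displayed smaller, since the browser downloads the full file either way.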
In the initial-access stage, the alert states, the threat actors sent spear-phishing email from a previously compromised legitimate account and set up watering-hole domains, among other methods. After getting in, they made organized efforts to cover their tracks, deleting logs and removing the applications they had installed, including the FortiClient VPN software.
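That cleanup behavior is itself detectable if the host logs are also forwarded off the box before they are cleared. The script below is an added example, not code from the alert: it scans constructed Windows event log lines for log clearing and for removal of a remote-access client, and flags a host where both happen within an hour. The key=value log layout, the host names and the watchlist beyond FortiClient are assumptions; the event IDs are standard Windows ones.

```python
"""Detection sketch (added example, not from the DHS/FBI alert): flag hosts
where log clearing and removal of remote-access software occur close
together, the cleanup pattern the alert describes. The log lines are
constructed and their key=value layout is an assumption; event IDs are
standard Windows IDs (1102 audit log cleared, 104 system log cleared,
4688 process creation, 1034/11724 Windows Installer product removal)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Products whose removal on an endpoint deserves a look. FortiClient is named
# in the alert; the other entries are assumptions for illustration.
WATCHLIST = ("forticlient", "anyconnect", "globalprotect")

LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) channel=(?P<chan>\S+) "
                     r"id=(?P<id>\d+) (?P<rest>.*)$")


def parse_event(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "host": m["host"], "chan": m["chan"], "id": int(m["id"]),
            "msg": m["rest"]}


def indicator(ev):
    """Map one event to a cleanup indicator name, or None if it is not one."""
    msg = ev["msg"].lower()
    if ev["chan"] == "Security" and ev["id"] == 1102:
        return "audit_log_cleared"
    if ev["chan"] == "System" and ev["id"] == 104:
        return "system_log_cleared"
    # 4688 only carries the command line if command-line auditing is enabled.
    if ev["chan"] == "Security" and ev["id"] == 4688 \
            and "wevtutil" in msg and " cl " in msg:
        return "log_clear_command"
    if ev["chan"] == "Application" and ev["id"] in (1034, 11724) \
            and any(p in msg for p in WATCHLIST):
        return "remote_access_client_removed"
    return None


def detect_cleanup(lines, window=timedelta(minutes=60)):
    """Return (host, first_ts, indicators) for hosts with >= 2 distinct
    cleanup indicators inside the window. A lone log clear is not enough:
    administrators do that legitimately."""
    by_host = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        name = indicator(ev)
        if name:
            by_host[ev["host"]].append((ev["ts"], name))
    findings = []
    for host, hits in by_host.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            names = {n for t, n in hits[i:] if t - t0 <= window}
            if len(names) >= 2:
                findings.append((host, t0, tuple(sorted(names))))
                break               # one finding per host is enough
    return findings


# Constructed sample: WS01 shows the full pattern, WS02 removes an unrelated
# product, WS03 has a single log clear with nothing else around it.
SAMPLE_LOG = [
    "2018-03-01T02:10:31Z host=WS01 channel=Security id=4688 user=svc-backup cmdline=wevtutil.exe cl Security",
    "2018-03-01T02:10:32Z host=WS01 channel=Security id=1102 user=svc-backup msg=The audit log was cleared.",
    "2018-03-01T02:14:07Z host=WS01 channel=Application id=11724 msg=Product: FortiClient -- Removal completed successfully.",
    "2018-03-01T09:15:00Z host=WS02 channel=Application id=11724 msg=Product: Notepad++ -- Removal completed successfully.",
    "2018-03-01T11:00:00Z host=WS03 channel=Security id=1102 user=admin msg=The audit log was cleared.",
    "this line is not an event and is ignored",
]

if __name__ == "__main__":
    for host, ts, names in detect_cleanup(SAMPLE_LOG):
        print(f"{host} at {ts.isoformat()}: {', '.join(names)}")
```

The rule is deliberately a correlation rather than a single-event alert: a cleared log on its own is routine, a removed VPN client on its own is routine, but the two together on one host within an hour are worth an analyst's time. It only works if the events reach a collector before the local log is wiped, which is the real takeaway from the alert's description of the cleanup.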
More technical detail, including indicators of compromise and detection guidance, is available in the alert itself (TA18-074A) on the US-CERT website.