The US Department of Homeland Security (DHS) and the FBI are warning that Russian state-sponsored cyber-attackers are targeting critical infrastructure – and have been for quite some time.
The two agencies issued a joint alert saying that Russian government cyber-actors are actively targeting organizations in the US energy, nuclear, commercial facilities, water, aviation, government and critical manufacturing sectors. They characterized the activity as a "multi-stage intrusion campaign": the attackers first compromised peripheral organizations such as trusted third-party suppliers with less secure networks (the "staging targets"), using spear-phishing and watering-hole attacks, then pivoted from those footholds to gain remote access into energy-sector networks. Once inside, they conducted network reconnaissance, moved laterally and collected information about industrial control systems (ICS) across industries.
The ultimate goal extends beyond espionage: the alert describes the actors gaining access to the human-machine interfaces (HMIs) and other control platforms used to administer critical infrastructure.
“Yesterday's DHS/FBI alert validates what the ICS community has known for months: Russian cyber-attackers have both the intent and the ability to successfully compromise our critical infrastructure networks, including in our nuclear facilities,” said Phil Neray, vice president of industrial cybersecurity at CyberX, via email. “It's easy to see how Russia could leverage these dangerous footholds to test our red lines and threaten us with sabotage in the event of escalating hostilities, such as new Russian incursions on former Soviet territories."
The activity goes back to at least March 2016, the agencies said, noting that among the APT groups involved are the Dragonfly group, aka Energetic Bear.
The tactics indicate sophistication. “The threat actors appear to have deliberately chosen the organizations they targeted, rather than pursuing them as targets of opportunity,” the alert noted.
“The threat actors sought information on network and organizational design and control system capabilities within organizations," according to the alert. "These tactics are commonly used to collect the information needed for targeted spear-phishing attempts. In some cases, information posted to company websites, especially information that may appear to be innocuous, may contain operationally sensitive information. As an example, the threat actors downloaded a small photo from a publicly accessible human resources page. The image, when expanded, was a high-resolution photo that displayed control systems equipment models and status information in the background.”
Analysis further revealed that the threat actors used compromised staging targets to download the source code of several intended targets' websites, and that they attempted to remotely access infrastructure such as corporate web-based email and virtual private network (VPN) gateways. On the watering-hole front, roughly half of the compromised sites were trade publications and informational websites covering process control, ICS or critical infrastructure, into which the attackers injected code.
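A defensive counterpart to the two reconnaissance techniques described above, added here as an example and not part of the DHS/FBI alert or the original article: a short Python audit that (a) flags images a public page serves at many times the resolution it displays them at, as with the HR-page photo, and (b) diffs a trade site's script tags against a known-good baseline to catch injected watering-hole code. Everything in it is constructed: the sample pages, the generated PNGs, the dict-backed `fetch` function and the 4x size threshold are assumptions, and only PNG headers are parsed (a real audit would also handle JPEG and other formats).

```python
"""Audit a public page for (1) images far larger than they are displayed and
(2) <script> content absent from a known-good baseline. Offline demo on
constructed fixtures; not the alert's or the article's own tooling."""
import hashlib
import struct
import zlib
from html.parser import HTMLParser

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def png_dimensions(data):
    """(width, height) from the IHDR chunk, which a PNG must place first."""
    if len(data) < 24 or data[:8] != PNG_SIG or data[12:16] != b"IHDR":
        return None
    return struct.unpack(">II", data[16:24])


def _to_int(value):
    """Parse an HTML width/height attribute ('120', '120px'); None if absent."""
    try:
        return int(str(value).strip().rstrip("px"))
    except (TypeError, ValueError):
        return None


class PageCollector(HTMLParser):
    """Collect <img> tags with their rendered size, and every <script>."""

    def __init__(self):
        super().__init__()
        self.images = []    # (src, displayed_width, displayed_height)
        self.scripts = []   # external src, or "inline:<sha256 of body>"
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "img" and a.get("src"):
            self.images.append((a["src"], _to_int(a.get("width")), _to_int(a.get("height"))))
        elif tag == "script":
            if a.get("src"):
                self.scripts.append(a["src"])
            else:
                self._in_script, self._buf = True, []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            body = "".join(self._buf).strip().encode()
            self.scripts.append("inline:" + hashlib.sha256(body).hexdigest())


def oversized_images(html, fetch, ratio=4):
    """Images whose intrinsic size is >= ratio x the displayed width or height.
    fetch(src) returns the image bytes; in this demo it is a dict lookup."""
    p = PageCollector()
    p.feed(html)
    findings = []
    for src, w, h in p.images:
        dims = png_dimensions(fetch(src))
        if dims is None or w is None or h is None:
            continue                      # unknown format or no declared size
        if dims[0] >= ratio * w or dims[1] >= ratio * h:
            findings.append((src, (w, h), dims))
    return findings


def baseline_scripts(html):
    """Known-good set of script sources / inline hashes from a trusted copy."""
    p = PageCollector()
    p.feed(html)
    return set(p.scripts)


def unexpected_scripts(html, baseline):
    """Script references or inline-script hashes not in the baseline."""
    p = PageCollector()
    p.feed(html)
    return [s for s in p.scripts if s not in baseline]


# --- constructed fixtures (assumptions, not real sites) ---------------------
def _chunk(ctype, body):
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def make_png(width, height):
    """Valid all-black 8-bit greyscale PNG of the requested size."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)
    scanlines = b"\x00" * (height * (width + 1))   # filter byte + pixels per row
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(scanlines)) + _chunk(b"IEND", b"")


HR_PAGE = ('<html><body><h1>Our team</h1>'
           '<img src="/img/team.png" width="120" height="90">'   # thumbnail of a 4000x3000 photo
           '<img src="/img/logo.png" width="200" height="60">'
           '</body></html>')
HR_IMAGES = {"/img/team.png": make_png(4000, 3000), "/img/logo.png": make_png(200, 60)}

TRADE_PAGE_BASELINE = ('<html><head><script src="/js/site.js"></script>'
                       '<script>var page="home";</script></head><body>news</body></html>')
TRADE_PAGE_NOW = TRADE_PAGE_BASELINE.replace(
    "</head>", '<script>document.write("injected")</script></head>')   # simulated injection

if __name__ == "__main__":
    print(oversized_images(HR_PAGE, HR_IMAGES.__getitem__))
    print(unexpected_scripts(TRADE_PAGE_NOW, baseline_scripts(TRADE_PAGE_BASELINE)))
```

Run against a crawl of your own public pages, the first check lists every image an attacker could "expand" into something sensitive, and the second, run periodically against a stored baseline, surfaces the kind of injected script that turns a trade publication into a watering hole.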
"We've been tracking Energetic Bear for some time now,” said Yonathan Klijnsma, a threat researcher at digital threat management firm RiskIQ, via email. “As we reported in November, where we showed the entire chain of events for the attack against critical Turkish infrastructure, this group has been targeting individuals with ties to infrastructure companies around the globe with the goal of influencing areas of influence to the Russian Federation. Over the past few years, supply-chain attacks via watering-hole attacks are becoming more and more prevalent and are one of Energetic Bear's favorite tactics."