Adversaries Most Likely Want to Acquire a “Red Button” Capability That Can be Used to Shut Down the Power Grid
Last October the United States Computer Emergency Readiness Team (US-CERT) published a technical alert (TA17-293A) on advanced persistent threat (APT) activity targeting energy and other critical infrastructure sectors. In March it was reissued as TA18-074A with new information uncovered since the original report, and there are some interesting revelations this time around.
Since the initial alert, the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI), working with U.S. and international partners, determined that the activity was not limited to reconnaissance: intrusions were already underway. The new report contains indicators of compromise (IOCs) and technical details on the tactics, techniques, and procedures (TTPs) the APT actors used on compromised victims' networks.
The boldest revelation is the decisive manner in which the unspecified “threat actors” are explicitly identified. There is no equivocation; what was once believed to be an amorphous “threat actor” has now been identified as the “Russian Government”.
Also eye opening is the update to the campaign timeline. In the original alert, the earliest detection of the threat was May 2017. It has since been amended to March 2016, which means the targeting of critical infrastructure began some 14 months earlier than previously thought. One thing that hasn't changed in the updated alert is that the campaign is "still ongoing," meaning targets are still vulnerable and at risk.
As for reconnaissance and weaponization, the original alert described the then unnamed "threat actor" as interested in websites and open source material pertaining to critical infrastructure, and stated that no compromise had been detected. The new alert withdraws that "no compromise" statement and gives a detailed description of how the Russian actors used malware to get into industrial control system (ICS) networks. The multi-stage intrusion, the persistence mechanisms and the backdoors it describes all point to the sophistication and intent of activity designed to gain a foothold in US critical infrastructure.
These attacks are not only deeper but also broader than originally thought. Because it is far easier to hack a trade magazine website than a critical infrastructure network, the report also notes the use of "watering hole" attacks, set up to compromise the machines of ICS personnel who visited popular industry news outlets. Once a victim's machine was compromised, the foothold could readily be turned into credential theft and account takeover.
The updated alert also reveals the effort put into exploitation. The October alert stated, "there is no indication that threat actors used Zero Day exploits to manipulate the sites." That statement has been removed from the March report. Its removal does not by itself confirm zero-day use, but it withdraws the earlier reassurance and is consistent with actors willing to invest heavily in exploitation to reach U.S. critical infrastructure. Also new, the update documents for the first time that the attackers attempted to cover their tracks, which makes it much harder to establish exactly which facilities were compromised.
One thing that remained static in both reports is the target of the attack: “…campaign has affected multiple organizations in the energy, nuclear, water, aviation, construction, and critical manufacturing sectors.”
As alarming as the revised alert is, perhaps most glaringly absent is a situational analysis of what the attackers did once they successfully gained access. The updated report only scratches the surface. Very few public technical reports, Stuxnet in 2010 being the best-known exception, have documented that last mile of malware inside ICS networks, and specifically the damage the attack caused.
What we can conclude from this new alert is that the Russians have been running a sustained cyber campaign against industrial infrastructure, since at least March 2016 according to the alert itself and very likely for longer. Most likely, they and others want to acquire a "Red Button" capability that can be used to shut down the power grid, or cause other infrastructure damage, at some point in the future. Such a capability can cause more damage and disruption than a traditional armed conflict, and in many cases organizations and nations are less prepared to deal with it.
What can we do? Implementing the recommendations in the reports is a good first step, but it is only the beginning. The same way we have locked down IT environments, it is crucial to be proactive and lock down OT environments. It is essential to deploy capabilities that can (a) detect threats in real time, (b) keep an accurate inventory of assets and (c) find vulnerabilities and exposures before they are used as a launching point for an attack.
Whether it is a power plant, refinery, manufacturing facility or wastewater treatment plant, once a supervisory control and data acquisition (SCADA) system or distributed control system (DCS) goes down, it's too late. Now is the time to prepare for this increasingly serious threat. Doing so will literally keep the lights on.
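To make the three capabilities concrete, here is an added example of the simplest possible passive OT monitor built on network flow records. It is illustration code written for this post, not part of the alert and not any vendor's product. It assumes a plant network of 10.20.0.0/16, a minimal "ts,src,dst,dport" flow format, and a constructed sample log in which the first window is treated as the known-good baseline. From that baseline it (b) learns which OT hosts exist and which services they answer on, then (a) raises alerts for an OT host talking to an external address (the pattern behind the credential-harvesting watering hole attacks in the alert), for a host that was never seen before, and for a known controller suddenly being offered a service such as RDP; finally it (c) reports OT hosts that already expose IT remote-access services, which are a common launching point.

```python
"""Passive OT monitoring over constructed flow records (example code for this
post; the network, the flow format and the sample data are all assumed)."""
import ipaddress
from dataclasses import dataclass

# Assumed plant (OT) range and the ranges that count as "inside the company".
OT_NET = ipaddress.ip_network("10.20.0.0/16")
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# ipaddress.is_private is deliberately not used: it also returns True for the
# documentation range 203.0.113.0/24 used in the sample, which would hide the alert.

# Well-known ICS and remote-access destination ports, used to label services.
PORT_LABELS = {502: "modbus/tcp", 102: "s7comm", 20000: "dnp3", 44818: "ethernet/ip",
               4840: "opc-ua", 445: "smb", 3389: "rdp", 22: "ssh", 80: "http", 443: "https"}
# IT remote-access services that an OT host should normally not be offering.
RISKY_SERVICES = {"rdp", "smb", "ssh"}


@dataclass(frozen=True)
class Flow:
    ts: int
    src: str
    dst: str
    dport: int


def parse_flows(text):
    """Parse 'ts,src,dst,dport' lines; '#' starts a comment."""
    flows = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ts, src, dst, dport = (field.strip() for field in line.split(","))
        flows.append(Flow(int(ts), src, dst, int(dport)))
    return flows


def in_ot(ip):
    return ipaddress.ip_address(ip) in OT_NET


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def service(dport):
    return PORT_LABELS.get(dport, f"tcp/{dport}")


def build_inventory(flows, baseline_end):
    """(b) Asset inventory learned from the baseline window: OT host -> services it answers on."""
    inv = {}
    for f in flows:
        if f.ts > baseline_end:
            continue
        if in_ot(f.src):
            inv.setdefault(f.src, set())          # a client is an asset even if it serves nothing
        if in_ot(f.dst):
            inv.setdefault(f.dst, set()).add(service(f.dport))
    return inv


def detect(flows, inventory, baseline_end):
    """(a) Alerts for post-baseline flows that deviate from the learned inventory."""
    alerts, seen_new = [], set()
    for f in sorted(flows, key=lambda x: x.ts):
        if f.ts <= baseline_end:
            continue
        if in_ot(f.src) and not is_internal(f.dst):
            alerts.append(("ot_to_external", f.src, f"{f.dst}:{service(f.dport)}"))
        for host in (f.src, f.dst):
            if in_ot(host) and host not in inventory and host not in seen_new:
                seen_new.add(host)
                peer = f.dst if host == f.src else f.src
                alerts.append(("new_asset", host, f"first seen talking to {peer}"))
        if in_ot(f.dst) and f.dst in inventory and service(f.dport) not in inventory[f.dst]:
            alerts.append(("new_service", f.dst, service(f.dport)))
    return alerts


def exposed_services(inventory):
    """(c) OT hosts already answering on IT remote-access services: findings to fix, not alerts."""
    return sorted((host, svc) for host, svcs in inventory.items()
                  for svc in svcs & RISKY_SERVICES)


# Constructed sample log; flows with ts <= 1999 form the baseline.
SAMPLE_FLOWS = """
1000,10.20.1.10,10.20.2.50,502     # HMI polls PLC-1 over Modbus/TCP
1001,10.20.1.10,10.20.2.51,502     # HMI polls PLC-2
1002,10.20.1.11,10.20.2.50,502     # engineering workstation -> PLC-1
1003,10.20.1.11,10.20.2.52,102     # engineering workstation -> S7 PLC
1004,10.20.1.10,10.20.3.5,443      # HMI -> historian web API
1005,10.20.1.11,10.20.3.5,3389     # RDP to the historian (legitimate, but an exposure)
2000,10.20.1.10,10.20.2.50,502     # normal polling continues
2001,10.20.1.11,203.0.113.7,445    # workstation reaches out to SMB on the internet
2002,10.20.1.99,10.20.2.50,502     # unknown host starts talking Modbus to PLC-1
2003,10.20.1.10,10.20.2.50,3389    # RDP attempt against a PLC that never offered it
"""
BASELINE_END = 1999


def run(text=SAMPLE_FLOWS, baseline_end=BASELINE_END):
    flows = parse_flows(text)
    inventory = build_inventory(flows, baseline_end)
    return inventory, detect(flows, inventory, baseline_end), exposed_services(inventory)


if __name__ == "__main__":
    inventory, alerts, findings = run()
    for host, svcs in sorted(inventory.items()):
        print(f"asset {host:12} services={sorted(svcs)}")
    for alert in alerts:
        print("ALERT", *alert)
    for host, svc in findings:
        print("EXPOSURE", host, svc)
```

On the sample data the monitor learns six assets, raises exactly one alert of each kind (the outbound SMB connection, the unknown host 10.20.1.99, and RDP offered to PLC-1), and reports the historian's RDP exposure. In a real deployment the baseline would come from weeks of passive captures on a span port, not from a few lines, and the alerts would feed the same SIEM the IT side already uses.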