The Russian DragonFly APT group, which last year broke into air-gapped networks run by US electric utilities in a likely ongoing campaign that victimised hundreds, accessed the providers' control rooms where they could have caused blackouts and other damage.
The group, which also goes by Energetic Bear, used phishing and waterhole attacks to gain access to supplier networks, steal credentials and then access the utilities, the Wall Street Journal cited Department of Homeland Security (DHS) as confirming.
"Hackers, including state-sponsored Russian hackers, exploit the weakest link in the security chain – the people. This was noted in great detail in the Mueller Investigation's indictments against 12 Russian nationals on 13 July where they spearfished unsuspecting users to steal passwords to gain access to the Clinton Campaign and DNC systems," said Michael Magrath, director, global regulations and standards at OneSpan, Inc. "Do we really expect Russian hackers to exclude critical infrastructure?"
His colleague, David P. Vergara, head of security product marketing OneSpan, agreed. This is "big game hunting" for cyber-criminals. The motivation may pivot between political and monetisation, but the impact to the target is the same, terror through vulnerability and exposure," he said. "It's not difficult to extrapolate the outcome when an entire power grid goes offline during peak hours and the attack follows the weakest link, unsophisticated utility vendors or third parties."
The hackers were "very successful" in penetrating "completely through to the utility control rooms where they had the ability to disrupt power flows," said Pravin Kothari, CEO of CipherCloud.
The big questions remain open. We still don't know how many of these utilities, if any, were nuclear powered but the implications obvious," he said. "If they had the ability to "throw switches" per an official at DHS, exactly how could they disrupt the operation of nuclear power plants and what risks did this present? How long were they inside the networks of any nuclear-powered plants?"
The US may be in the midst of a Cyber Cold War, where all sides may be tamping back on the destruction that "they are truly capable of," said Nozomi Networks Founder Andrea Carcano, who found it telling that the hackers didn't compel blackouts. That "makes us question if the attackers intentionally only went so far," said Carcano.
"Attacks on the grid will be difficult to control and will undoubtedly lead to lots of collateral damage," which when "combined with the risk of retaliation, may be keeping attackers at bay," he said. "It is reminiscent of the mutually assured destruction model of the Cold War when restraint was used on all sides."
"The fact that the DHS and the FBI have attributed attempts to attack and compromise critical US infrastructure to Russia is unprecedented and extraordinary," Amit Yoran, CEO at Tenable, said at the time. "From my time as the founding director of the United States Computer Emergency Readiness Team (US-CERT) in the Department of Homeland Security, I have never seen anything like this. It's a wake-up call for the industry and a reminder that we are still not doing the basics well and that our defence needs to constantly evolve and adapt."
The alert detailed the Russian government's actions in the DragonFly 2.0 campaign revealed last summer, in which hackers infiltrated energy facilities in North America and Europe and escalated its operations, possibly signaling a shift from intelligence gathering to industrial sabotage.
Director of National Intelligence (DNI) Dan Coats recently warned of Russia's "ongoing, pervasive efforts to undermine our democracy," noting that the "lights are blinking red again" as they did prior to 9/11, cautioning that critical infrastructure was at risk.
The WSJ revelations come after a tumultuous week for the Trump administration during which the president expressed both support for the intelligence community's findings that Russia President Vladimir Putin ordered interference in the US presidential election and confidence that Russia was no longer a threat to the US after his summit with Putin in Helsinki.
"Any company that interacts with thousands of third parties is in a race with hackers, whether they know it or not – and that certainly applies to utilities," said Fred Kneip, CEO at CyberGRX, with organisation needing to identify vulnerabilities in their ecosystems before the attackers do.
"If they beat you just once by finding a single exploitable weakness within a single vendor, supplier or contractor, the results can be catastrophic," said Kneip, calling on utilities to "take a more proactive approach to managing third-party risk, including "identifying third parties with weak security controls before they're exploited, and working with them to mitigate the risk of attacks and breaches before they become a target for attackers."
While the Journal report said DHS is trying to determine if Russian hackers have learned how to defeat multifactor authentication, Magrath said MFA is not "‘one size fits all" there are numerous approaches and technologies available," such as biometrics and adaptive authentication, "with varying degrees of security and usability."
Steve Kahan, CMO at Thycotic, said it's time for the US to take its head out of the sand and "defend against Russian attacks." The DragonFly campaign "puts the pressure on the cyber-security community and the US government to act on this issue and defend against attacks on American soil," said Kahan.
Securing the nation's infrastructure requires collaboration between the public and private sectors. "Unlike other countries, in the US the private sector owns and operates a vast majority of the nation's critical infrastructure," said Magrath. "NIST's Framework for Improving Critical Infrastructure Cybersecurity (CSF) is voluntary consisting of standards, guidelines, and best practices to manage cyber-security-related risk."
Version 1.1 of the framework includes a "recommendation for a risk-based approach to identity proofing and authentication," he said. "With lives at risk coupled with the repeated successful attacks, it is negligent if a facility relies on easily compromised passwords to gain entry."
The warning lights are indeed blinking red, "and an attack against the grid is no longer ‘if', but ‘when,'" said David Ginsburg, vice president of marketing at Cavirin. "We've got to take this seriously, and ensure that every vendor who touches our critical infrastructure – power, water, transportation, etc. – is ensuring their cyber-posture by adopting best practices such as those outlined in the NIST CSF."
But if the NIST regulation is to be effective, it "must compel operators of essential services to deliver higher levels of cyber-security and require that these essential services remain available during an attack," said Kahan.
And, unfortunately, Ginsburg said, "there is no effective oversight," something that "must change."
"Moving forward, security teams need full knowledge of connected and interconnected assets, configurations, and the integrity of communications to successfully protect critical infrastructure," said Chris Morales, head of security analytics at Vectra, adding that industrial critical infrastructure was once "thought to be impervious to cyber-attacks" because its computers didn't link to the internet and remained separate from corporate networks, neither of which necessarily hold true today.
"Many ICS are now interconnected with enterprise IT or external networks and are becoming increasingly attractive targets for attackers," said Steve Durbin, managing director of the Information Security Forum (ISF).
"In today's modern, interconnected world, the potential impact of inadequately securing ICS can be catastrophic, with lives at stake, costs extensive and corporate reputation on the line," said Durbin. "As a result, senior business managers and boards are encountering growing pressure to improve and maintain the security of their organisation's ICS environments."
Magrath said that "given the potential catastrophic harm that could be carried out by a hacker on a power plant or water supply, critical infrastructure facilities should patch all software, encrypt all data and deploy the latest identity management and authentication technologies."
Durbin called for organisations to "immediately implement a tailored, collaborative and risk-based approach," including "a practical and structured method for enabling actions that deliver advantages over adversaries and competitors alike."
Tim Helming, director of product management at DomainTools commented: "The goals of nation-state actors are various, but in the case of Russian cyber actions against the United States, it is known that among their chief aims is to destabilise American institutions and to sow uncertainty and fear. With the recent reports of Russian adversaries gaining access to electric utilities in the United States last spring, we could be seeing the leading edge of what most security practitioners have predicted for years--that the next attack on our nation will be one of cyber, rather than kinetic, warfare. However, it is important to note some subtleties in the reporting--it is far from certain that these attacks have resulted in the actual ability to achieve a destructive attack. (There may be hundreds of *victims* but it's not clear that they breached hundreds of control centers; also, the screenshots that the attackers showed do not necessarily prove that they are able to seize actual control.)"