After what initially appeared to be reluctance on the part of the US White House to condemn Russia over the use of a nerve agent in the UK, the US, France, Germany and the United Kingdom issued a joint statement yesterday, joined by Australia today, condemning Russia's actions, and the US has now upped the ante, disclosing details of Russian cyber-attacks on Western critical infrastructure.
"The fact that the DHS and the FBI have attributed attempts to attack and compromise critical US infrastructure to Russia is unprecedented and extraordinary,” said Amit Yoran, CEO at Tenable. “From my time as the founding director of the United States Computer Emergency Readiness Team (US-CERT) in the Department of Homeland Security, I have never seen anything like this. It's a wake-up call for the industry and a reminder that we are still not doing the basics well and that our defence needs to constantly evolve and adapt."
The alert details the Russian government's actions in the DragonFly 2.0 campaign revealed last summer, in which hackers infiltrated energy facilities in North America and Europe and escalated their operations, possibly signalling a shift from intelligence gathering to industrial sabotage.
DHS and the FBI unveiled a "multi-stage intrusion campaign by Russian government cyber actors who targeted small commercial facilities' networks where they staged malware, conducted spear phishing, and gained remote access into energy sector networks." Once they obtained access, "the Russian government cyber-actors conducted network reconnaissance, moved laterally, and collected information pertaining to Industrial Control Systems (ICS)," the alert said.
"This type of attack isn't anything new, and the real story here is that the US is choosing to acknowledge it (and in extreme detail),” said Bill Lummis, technical programme manager at HackerOne. “It shows that while SCADA security can't be neglected, the biggest risk to industrial infrastructure is through the conventional networks attached to them.”
Lummis called the indicators of compromise, or IOCs, provided in the US-CERT alert "an excellent starting point to determine if you were targeted by these same payloads," but cautioned that "in the long term it's important to remember that just because the target is infrastructure, it doesn't mean that we have to forget everything we've learned about how to secure our assets," including account audits, active detection and continuous security testing.
Naming Russia as culpable in the critical infrastructure attacks, coupled with sanctions imposed early Thursday on five Russian organisations and 19 individuals for interfering in the US election and for the NotPetya attack, marks a departure from the Trump administration's reluctance to call out the Russian government over its malicious cyber-activities.
In an email to SC Media UK, Edgard Capdevielle, president and CEO of Nozomi Networks, commented: "Today the US-CERT issued an alert that confirms and provides advice for protection against Russian government 'threat actors' targeting energy and other critical infrastructure sectors in the United States. According to the alert, since at least March 2016, Russian government threat actors targeted government entities and multiple U.S. critical infrastructure sectors, including the energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors.
"The Department of Homeland Security and the FBI characterise this activity as a multi-stage cyber-intrusion campaign by Russian government cyber-actors who targeted small commercial facilities' networks where they staged malware, conducted spear phishing, and gained remote access into energy sector networks. After obtaining access, the Russian government cyber-actors conducted network reconnaissance, moved laterally, and collected information pertaining to Industrial Control Systems (ICS)
"This alert makes it even more imperative for industrial operators to focus on .their cyber -resiliency measures. Real-time monitoring of ICS systems for anomalous behaviour that provides early warning of activities indicating the presence of an advanced attack is vital to understanding what is happening, the impact and how to mitigate the threat. Such activity could include unusual network connections, unusual communication messages, new or unusual commands from new sources, or new network flows. Furthermore, the presence of known indicators of compromise should be immediately identified by ICS monitoring solutions, giving operators a clear warning to take action on malware in their systems."