White House breached: Russian hackers suspected

News by Tim Ring

Russian hackers are allegedly behind a breach at the US President's office, while Russia's BlackEnergy malware has been used to attack US SCADA system suppliers.

Russian cyber-attacks on the West have seemingly reached the highest level with ‘suspicious cyber activity’ being reported on a White House computer network.

Meanwhile, the Russian BlackEnergy malware – which has been plaguing victims including NATO, European governments and industrial companies – has been found attacking at least three US-based SCADA industrial control system suppliers.

The White House breach was revealed by Reuters and The Washington Post late yesterday. Reuters said that ‘suspicious cyber activity’ was spotted in recent weeks on an unclassified computer network used by employees of the Executive Office of the President (EOP).

According to The Washington Post, the hackers were thought to be working for the Russian Government and their breach resulted in service disruptions while cyber security teams worked to contain the intrusion.

But White House officials said the intruders did no damage and no classified network was hacked.

Reuters quoted an anonymous official as saying: “In the course of assessing recent threats we identified activity of concern on the unclassified EOP network. We took immediate measures to evaluate and mitigate the activity. Our actions are ongoing.”

According to the Post, the US was informed of the breach by an ally country. The FBI, Secret Service and National Security Agency are all investigating.

Meanwhile, on the same day, the US Government's ICS-CERT (Computer Emergency Response Team) revealed that users of industrial systems made by GE, Advantech and Siemens have all been infected by Russian BlackEnergy malware, in a campaign that stretches back at least three years and is ongoing.

The systems infected are the GE Cimplicity, Advantech/Broadwin WebAccess and Siemens WinCC. The CERT said: “It is currently unknown whether other vendors' products have also been targeted. ICS-CERT is working with the involved vendors to evaluate this activity and also notify their users of the linkages to this campaign.”

The CERT found no attempts to damage or disrupt the victims' industrial control processes, and has not been able to verify if the intruders moved beyond the compromised systems into the remainder of the underlying control system.

But it warns: “Typical malware deployments have included modules that search out any network-connected file shares and removable media for additional lateral movement within the affected environment.”

The CERT said the attacks are linked to the so-called ‘Sandworm’ BlackEnergy-based campaigns spotted earlier this month by Trend Micro and iSIGHT Partners, explaining: “Linkages in the shared command and control infrastructure between the campaigns suggest both are part of a broader campaign by the same threat actor.”

Like the CERT, Trend found the malware infecting users of GE's CIMPLICITY system. But that attack was carried out via a spear-phishing email that exploited CVE-2014-4114, a dangerous zero-day vulnerability in Microsoft Windows.

iSIGHT also identified attacks using BlackEnergy and the same zero-day bug. It also noted attacks from the same threat actor stretching back to 2009 against the North Atlantic Treaty Organisation (NATO) and several European industries and sectors.

SCADA systems are typically used to monitor and control large-scale industrial processes, including nuclear power plants, and the US CERT is calling on other SCADA users to check for breaches. “ICS-CERT strongly encourages asset owners and operators to look for signs of compromise within their control systems environments,” it said.

The agency has produced a signature for the YARA security tool to help users identify whether the malware is present on their systems, available at: https://ics-cert.us-cert.gov/sites/default/files/file_attach/ICS-ALERT-14-281-01.yara

Commenting on the SCADA attacks, TK Keanini, CTO at Lancope, warned that some users may not have the incident response processes needed to act on the CERT's alert.

He told SCMagazineUK.com via email: “Industrial control systems continue to be targeted, and these alerts are informative and actionable if the organisation receiving them has the appropriate incident response readiness. This is where the process may succeed or fail.

“Incident response readiness means that an alert like this containing indicators of compromise (IoCs) can be used immediately and an action plan around it can be executed without much disruption to the business.

“If you are reading this alert, and you have no way of leveraging the IoCs with the recommended tools or something similar, you may want to stop and examine your incident response readiness.”

David Harley, senior research fellow at ESET, which has previously investigated BlackEnergy, told SCMagazineUK.com: “BlackEnergy has been associated with bank fraud, spam campaigns and DDoS and targeted attacks - its technical sophistication and modular architecture make it suitable for a wide range of attacks.

“It's possible that this is a further case of a targeted attack. Where an ICS installation has a more-or-less direct connection to an internet-facing system, there is a clear risk that such an attack could be successful, and while the ICS-CERT alert includes a number of very relevant suggestions of how to mitigate potential attacks and recognise attack indicators, I'd also encourage sites that could be a target – and not just ICS sites – to instil in users awareness of the risk of targeted attacks and some hints on possible indicators of such an attack.”

Commenting on the White House breach, Chris Boyd, malware intelligence analyst at Malwarebytes, told journalists via email: “It's no surprise the White House has been targeted as it presents a very rich target. Whilst political tensions are often played out in public, it seems that highly specialist cyber-incursions have become a popular and lower-profile offensive tactic. Whilst this particular breach doesn't seem to have compromised any sensitive information, it is still a sign of how geopolitical tensions are expressed in the modern world.”

Boyd added: “It underlines the growing success of advanced attacks. Traditional security solutions are continually being left wanting as advanced exploits, social engineering and other complex attacks develop too fast.”

* US think tanks were among the victims of watering-hole attacks using the ScanBox key logger exploit kit, identified this week by PricewaterhouseCoopers researchers. The other victims of ScanBox – which steals information without needing to use malware – include members of the Uyghur population in China, the Japanese industrial sector and Korean hospitality firms.
