The recently updated report by the United States Computer Emergency Readiness Team (US CERT) uncovers new information and interesting revelations regarding the advanced persistent threat (APT) activity targeting energy and other critical infrastructure sectors. Here are some of the more interesting revelations and updates from the previous technical alert:
1. Tactics, techniques and procedures revealed
In the initial alert, the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) determined that the attacks were basic and not organized or advanced. The new report contains indicators of compromise (IOCs) and technical details showing that the activity was significantly more organized and sophisticated than originally believed.
2. It’s the Russians
The original report identified unspecified “threat actors”. The new report explicitly identifies the actors as the “Russian Government”.
3. Attacks started earlier than thought
Originally, the earliest detection was reported as May 2017; that date has now been amended to March 2016. This underscores that the threat and targeting of critical infrastructure began nearly 15 months earlier than previously thought. One thing that hasn’t changed in the updated alert is that the attack campaign is “still ongoing,” meaning targets are still vulnerable and at risk.
4. Clear and Present Danger
The new alert walks back its original statement that “no compromise” was detected and provides a very detailed description of how the Russians used malware to compromise industrial control system (ICS) networks. Moreover, the use of zero-day, APT and backdoor techniques all indicate the sophistication and intent of activity designed to take over US critical infrastructure.
Because it is far easier to hack into a trade magazine website than into a critical infrastructure network, the report also notes the use of “watering hole” attacks, architected to compromise machines belonging to ICS personnel who visited popular online news outlets. Once installed, this malware could easily be used for account takeovers.
As alarming as the revised alert is, perhaps most glaringly absent is a situational analysis of what the attackers did once they successfully gained access. The updated report only scratches the surface. To date, no detailed technical report – except for Stuxnet in 2010 – has been released detailing that last mile of malware inside of ICS networks, and specifically the damage caused by the attack.
What we can conclude from this new alert is that the Russians have been running a cyber campaign against industrial infrastructures for nearly a decade, one that can cause substantial damage, even greater than that of traditional armed conflict, and that organizations and nations are in many cases less prepared to deal with.
One thing that remained static in both reports is the target of the attack: “...campaign has affected multiple organizations in the energy, nuclear, water, aviation, construction, and critical manufacturing sectors.”
What can we do? Implementing the recommendations in the reports is a good first step, but that is only the beginning. The same way we have locked down IT environments, it is crucial to be proactive and lock down OT environments. It is essential to deploy capabilities that can (a) detect threats in real time, (b) track assets and (c) find vulnerabilities before they are used as a launching point for an attack.
Whether it is a power plant, refinery, manufacturing facility or wastewater treatment plant, once a supervisory control and data acquisition (SCADA) system or distributed control system (DCS) goes down, it’s too late. Now is the time to prepare for this increasingly serious threat. Doing so will literally keep the lights on.