,

inching toward cyberwar with Russia

Has Russia hacked the U.S. energy grid? This could be bigger than Stuxnet, the cyberattack that damaged uranium-enriching centrifuges in Iran back in 2010 – and demonstrated, to the public at least, that cyberattacks could do more than erase hard drives and steal peoples’ banking passwords.

For the first time, the United States has officially accused Russia of breaking into critical infrastructure. That’s not only a shocking admission of vulnerability, but also pointing the finger at a specific country.

While there may be geopolitical reasons for the timing of the accusation, let’s look at what’s going on from the tech perspective. On March 15, the U.S. Computer Emergency Response Team (US-CERT) put out an alert entitled, “Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors.” It’s not blaming hackers, or hackers based in Russia, it’s blaming the Russian government.

The danger couldn’t be clearer. “Since at least March 2016, Russian government cyber actors—hereafter referred to as “threat actors”—targeted government entities and multiple U.S. critical infrastructure sectors, including the energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors.”

The Targets: System Controllers

What were the attackers doing? Reconnaissance, looking for information on the critical controller in the energy facilities, also known as SCADA systems. The US-CERT alert explains,

In multiple instances, the threat actors accessed workstations and servers on a corporate network that contained data output from control systems within energy generation facilities. The threat actors accessed files pertaining to ICS or supervisory control and data acquisition (SCADA) systems. Based on DHS analysis of existing compromises, these files were named containing ICS vendor names and ICS reference documents pertaining to the organization (e.g., “SCADA WIRING DIAGRAM.pdf” or “SCADA PANEL LAYOUTS.xlsx”)

The threat actors targeted and copied profile and configuration information for accessing ICS systems on the network. DHS observed the threat actors copying Virtual Network Connection (VNC) profiles that contained configuration information on accessing ICS systems.

The Attack Vendor: User Accounts

How did the attackers manage to get into these energy systems? First, they carefully chose which companies or facilities to target, says US-CERT: “The threat actors appear to have deliberately chosen the organizations they targeted, rather than pursuing them as targets of opportunity.” The attackers then using spear phishing (custom-crafted malicious emails) and watering holes (hacks into trusted websites that employees of those energy sites would visit). For example, says the report,

One of the threat actors’ primary uses for staging targets was to develop watering holes. Threat actors compromised the infrastructure of trusted organizations to reach intended targets. Approximately half of the known watering holes are trade publications and informational websites related to process control, ICS, or critical infrastructure. Although these watering holes may host legitimate content developed by reputable organizations, the threat actors altered websites to contain and reference malicious content.

These hacks into user accounts were delivered via malicious .docx files that energy employees opened – and which captured user credentials. The attackers then used those credentials to get into the energy systems, create new accounts, and begin their work. The US CERT reports that the attackers weren’t able to get into systems that require multi-function authentication, by the way.

A History of Targeting Energy

We don’t know what Russia was doing, or why – assuming that it was Russia, of course. Dustin Volz and Timothy Gardner, writing for Bloomberg, say,

It was not clear what Russia’s motive was. Many cyber security experts and former U.S. officials say such behavior is generally espionage-oriented with the potential, if needed, for sabotage.

Russia has shown a willingness to leverage access into energy networks for damaging effect in the past. Kremlin-linked hackers were widely blamed for two attacks on the Ukrainian energy grid in 2015 and 2016, that caused temporary blackouts for hundreds of thousands of customers and were considered first-of-their-kind assaults.

As political issues escalate between Russia and the West, these types of reports and unanswered questions are indeed troubling.