DHS Report on Hacked Electric Utilities Highlights Supply Chain Fragility
The Department of Homeland Security confirmed this week that Russian hackers successfully infiltrated the control rooms of U.S. electrical utilities after compromising the networks of their corporate suppliers.
Russian hackers were able to infiltrate the control rooms of U.S. electrical utilities last year to steal confidential information, the U.S. Department of Homeland Security said this week.
Federal officials held an unclassified briefing Monday, according to the Wall Street Journal, in which it was disclosed that there were hundreds of victims. That runs counter to a statement previously issued in which the DHS said there were only a few dozen.
The attackers, working for the APT Dragonfly a/k/a Energetic Bear a/k/a Crouching Yeti, primarily used spear phishing and watering hole attacks to dupe employees at electric utilities into giving up their passwords.
The DHS issued a technical alert last fall around the group, essentially making it clear that the U.S. government was aware of victims in the energy sector. The alert said the group was also targeting government entities and organizations in the nuclear, water, aviation, and critical manufacturing sectors.
Monday's news follows up an alert that DHS' United States Computer Emergency Readiness Team (US-CERT) fired out in March, warning the Russian government was targeting organizations in those industries.
Specifics of the WSJ report, namely that attackers could have "thrown switches," disrupted power flows and caused blackouts, have been contested in the hours since its publication.
Robert M. Lee, an industrial control system (ICS) expert who founded Dragos Inc., tweeted early Tuesday that while the warnings are helpful, the wording in the articles hasn't been. According to Lee, phrases like throwing switches and noting it would cause blackouts "is in no way representative of what was seen in these intrusions."
So in short, please take cyber threats to industrial infrastructure serious. They are getting far more aggressive and numerous. But let’s not use word choices that mislead and hype up the issue. It’s bad enough without added fear.
— Robert M. Lee (@RobertMLee) July 24, 2018
Instead, the researcher says the attackers were taking screenshots of HMIs, or human-machine interfaces, central dashboards that allow managers to monitor operations, receive alerts, and resolve issues quickly.
In the WSJ article, according to Jonathan Homer, the department's chief of industrial control system analysis, the attacks took advantage of relationships utilities have with vendors who have special access to "update software, run diagnostics on equipment and perform other services that are needed to keep millions of pieces of gear in working order."
The inner workings of the campaign sound like the textbook definition of a supply chain attack, in which less-secure pieces of a supply network, usually vendors who lack the funds to spend on cybersecurity, are targeted. From there, once the attackers are in, they move laterally.
According to Homer, the attackers' activity mimicked that of "people who touch these systems on a daily basis," something that helped them evade detection.
The supply chain ecosystem has many challenges, namely the fact that it's so interconnected and can often lack transparency. Industries in which critical infrastructure is present, like manufacturers and electrical utilities, need to have a plan in place that guarantees the free flow of data while also putting protections in place to ensure that data is shared securely.
It's plausible that a combination of user activity monitoring and user and entity behavior analytics (UEBA) could have, and potentially still can, lessen the blow for these utilities.
The WSJ article claims the group took information on how utility networks were configured, what equipment was in use, and how it was controlled, in addition to familiarizing themselves with how the facilities work.
Having a data loss prevention solution implemented could have prevented the exfiltration of sensitive data, like schematics and processes, and prevented screenshots from being taken. Through user activity monitoring, an organization could determine whether a user has captured files, keystrokes, or carried out a smorgasbord of other malicious activities, and investigate further.
UEBA, an emerging technology, can be used to detect anomalous behavior or deviations from the norm. In this instance it's possible that by comparing and contrasting each user's activities, the organizations could have identified attackers masquerading as legitimate insiders before the damage was done.
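To make the UEBA idea above concrete, here is an added example (not from the article or from any vendor product) of a minimal baseline-and-deviation check: each account's normal hosts, actions and working hours are learned from a training window, and later events that break that pattern, such as a vendor service account reaching an HMI host for the first time, at night, to capture a screenshot, are flagged. The log records, field names and account names are constructed for illustration.

```python
# Added example: minimal UEBA-style baselining over constructed access logs.
from collections import defaultdict
from datetime import datetime

# Constructed sample records: (timestamp, user, host, action)
BASELINE_LOG = [
    ("2018-03-05T10:12:00", "vendor_svc", "eng-ws-01", "file_read"),
    ("2018-03-06T11:40:00", "vendor_svc", "eng-ws-01", "diag_run"),
    ("2018-03-07T09:05:00", "vendor_svc", "eng-ws-02", "diag_run"),
    ("2018-03-05T08:30:00", "operator1", "hmi-01", "hmi_view"),
    ("2018-03-06T14:15:00", "operator1", "hmi-01", "hmi_view"),
]
NEW_LOG = [
    ("2018-03-12T10:30:00", "vendor_svc", "eng-ws-01", "diag_run"),  # fits baseline
    ("2018-03-12T02:17:00", "vendor_svc", "hmi-01", "screenshot"),   # three deviations
    ("2018-03-12T15:00:00", "operator1", "hmi-01", "hmi_view"),      # fits baseline
]

def build_baseline(log):
    """Per-user profile: hosts touched, actions performed, and hours active."""
    profile = defaultdict(lambda: {"hosts": set(), "actions": set(), "hours": set()})
    for ts, user, host, action in log:
        p = profile[user]
        p["hosts"].add(host)
        p["actions"].add(action)
        p["hours"].add(datetime.fromisoformat(ts).hour)
    return profile

def score_events(log, profile, off_hours=range(0, 6)):
    """Return (event, reasons) for each event that deviates from its user's baseline."""
    alerts = []
    for ev in log:
        ts, user, host, action = ev
        hour = datetime.fromisoformat(ts).hour
        reasons = []
        p = profile.get(user)
        if p is None:
            reasons.append("unknown account")
        else:
            if host not in p["hosts"]:
                reasons.append(f"new host {host}")
            if action not in p["actions"]:
                reasons.append(f"new action {action}")
            if hour in off_hours and hour not in p["hours"]:
                reasons.append(f"off-hours activity ({hour:02d}:00)")
        if reasons:
            alerts.append((ev, reasons))
    return alerts

if __name__ == "__main__":
    for ev, why in score_events(NEW_LOG, build_baseline(BASELINE_LOG)):
        print(ev, "->", "; ".join(why))
```

A real deployment would learn the baseline over weeks of authentication, remote-access and endpoint telemetry rather than five records, but the shape of the check is the same: compare each account against its own history, not against a fixed rule.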