Russian Government Sponsored Hacking Groups Target US Critical Infrastructure
The US Computer Emergency Readiness Team (US CERT) released an alert today that reveals a lot about the future path of cybersecurity, especially as it relates to cyberwarfare and nation-state-sponsored attacks on critical infrastructure. In Alert (TA18-074A), “Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors”, US CERT lays out the many ways Russian “government actors” have recently targeted US critical infrastructure, from US government entities to key industries such as the “energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors.”
The announcement is particularly noteworthy because it attributes the activity to the Russian government by name, outlines the sophisticated, multi-stage attacks on US critical infrastructure and manufacturing sectors, and highlights how the attackers first compromise suppliers and support organizations (the alert's “staging targets”) to gather information about, and harvest credentials for, the final ICS operators (the “intended targets”). DHS used the Lockheed-Martin Cyber Kill Chain model to “analyze, discuss, and dissect malicious cyber activity. Phases of the model include reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on the objective.”
Nation states like Russia are funding highly capable hacker groups that can mount sophisticated, multi-stage campaigns: reconnaissance, spear phishing, watering-hole attacks on websites the targets are known to visit, remote network access using harvested credentials, malware staging on compromised third parties, and ultimately access to industrial control systems (ICS) and supervisory control and data acquisition (SCADA) systems.
These attacks have been documented over the past few years. US CERT cites Symantec's reporting on the group it calls Dragonfly, which has carried out a series of intrusions into the energy sector, including US nuclear assets. (The 2015 and 2016 attacks on the Ukrainian power grid are attributed to a different Russian-linked group, not to Dragonfly.) These groups appear to be interested in learning how ICS and SCADA infrastructure operates and in establishing footholds in specific systems that could be used for future disruption of operations.
Reconnaissance is a big part of these attacks, both during the staging phase and after the attackers have penetrated the ICS networks. Once inside the plant or control-system network, attackers conduct network reconnaissance, moving laterally through the environment and collecting information on configurations and other aspects of the system.
The US CERT alert details how these attacks are conducted and includes indicator-of-compromise (IOC) files, in STIX and CSV form, that can be loaded into monitoring tools, along with guidance on mitigating potential attacks. ARC recommends that its clients in the US subscribe to these alerts and avail themselves of the IOC files and mitigation resources included.
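As an added example of putting an IOC file to work (this is not code from the US CERT alert or from ARC), the following Python matcher loads an indicator list and scans log lines for hits. The CSV layout (type,indicator), the indicator values and the log lines are all constructed for illustration; the real TA18-074A files have their own layout and values, and you would load those instead. Published indicators are often “defanged” (hxxp, [.]), so the matcher refangs them before comparing, and it uses boundary checks so that a domain or hash does not match inside an unrelated longer string.

```python
import csv
import io
import re

# Constructed IOC list in the type,indicator CSV layout this example assumes.
# The values are placeholders for illustration, not indicators from TA18-074A.
IOC_CSV = """type,indicator
domain,bad-actor[.]example
ipv4,203.0.113.45
url,hxxp://bad-actor[.]example/login.php
md5,0123456789abcdef0123456789abcdef
"""

# Constructed proxy, DNS and endpoint log lines for the scan.
SAMPLE_LOGS = [
    "2018-03-15T10:02:11Z proxy src=10.0.0.7 dst=203.0.113.45 url=http://bad-actor.example/login.php",
    "2018-03-15T10:02:12Z dns client=10.0.0.7 query=update.vendor.example",
    "2018-03-15T10:05:44Z edr host=hmi-ws01 file=C:\\Users\\eng\\x.exe md5=0123456789ABCDEF0123456789ABCDEF",
    "2018-03-15T10:06:00Z dns client=10.0.0.9 query=BAD-ACTOR.example",
]


def refang(value: str) -> str:
    """Undo common defanging so a published indicator compares against real log values."""
    v = value.strip().lower()
    v = v.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")
    # hxxp:// and hxxps:// are the usual ways a URL scheme is neutralised in reports
    v = re.sub(r"^hxxps?://", lambda m: m.group(0).replace("hxx", "htt"), v)
    return v


def load_iocs(csv_text: str) -> dict:
    """Parse type,indicator rows into {type: set(indicators)}, refanged and lower-cased."""
    iocs = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        iocs.setdefault(row["type"].strip().lower(), set()).add(refang(row["indicator"]))
    return iocs


def _pattern(ioc_type: str, indicator: str) -> re.Pattern:
    """Build a boundary-aware regex for one indicator.

    Domains may be preceded by '.' so subdomains of a listed domain also hit,
    but not by a letter or '-' (so 'notbad-actor.example' does not match).
    """
    esc = re.escape(indicator)
    if ioc_type == "domain":
        return re.compile(r"(?<![\w-])" + esc + r"(?![\w-])")
    if ioc_type == "ipv4":
        return re.compile(r"(?<![\d.])" + esc + r"(?![\d.])")
    if ioc_type in ("md5", "sha1", "sha256"):
        return re.compile(r"(?<![0-9a-f])" + esc + r"(?![0-9a-f])")
    return re.compile(esc)  # url and any other type: literal substring


def scan_logs(lines, iocs) -> list:
    """Return (line_index, ioc_type, indicator) for every indicator found in a line."""
    patterns = [(t, ind, _pattern(t, ind)) for t, inds in iocs.items() for ind in sorted(inds)]
    hits = []
    for idx, line in enumerate(lines):
        lowered = line.lower()  # hashes and hostnames are case-insensitive in practice
        for ioc_type, ind, pat in patterns:
            if pat.search(lowered):
                hits.append((idx, ioc_type, ind))
    return hits


if __name__ == "__main__":
    for idx, ioc_type, ind in scan_logs(SAMPLE_LOGS, load_iocs(IOC_CSV)):
        print(f"line {idx}: {ioc_type} {ind}")
```

Treat a hit as a lead, not a verdict: file hashes change with every rebuild and infrastructure is rotated, so the TTP descriptions in the alert body (credential harvesting via staging targets, reconnaissance inside the control network) are the more durable detection input, and the STIX file is the better choice when the indicators are being fed into a platform rather than a script.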