Russian Hackers Breach US Utility Networks via Trusted Vendors

GreenTech Media, IS Buzz, Journal of Cyber Policy, ECT News and the WSJ, July 24-25, 2018, with comments by Ray DeMeo.

Hackers accessed confidential information, including equipment in use and how utility networks are configured.

If this sounds familiar, it’s because it is. Russian hackers broke into the U.S. electric grid last year in a similar way, through the networks of key vendors that service power companies, Homeland Security officials said on Monday.

The Wall Street Journal was the first to report DHS officials’ statement that the hackers could have done even more, including causing blackouts, in their continuing efforts to gain access to U.S. electric utility control rooms.

Jonathan Homer, chief of industrial-control-system analysis for the Department of Homeland Security (DHS), said that attackers “got to the point where they could have thrown switches” and disrupted the grid.

The attacks surfaced in the spring of 2016 and continued throughout 2017. Officials believe the campaign is likely still ongoing.

Current defenses are not enough

While some in the security space feel reconnaissance was more the intention than imminent blackouts, many news reports over the last year have shown that critical infrastructure is at high risk from multiple attack sources. At the very least, this latest news is another wake-up call to ICS facilities that the threats are real. These continuing break-ins demonstrate that current security practices are not sufficient.

Ray DeMeo, co-founder and COO of Virsec, a San Jose, California-based provider of protection against memory-based cyberattacks, said that vendors need to do more to bridge a wide gap between IT and OT (information technology and operational technology, i.e., SCADA). He added that creating an “air gap,” a security measure employed to physically isolate one or more computers from unsecured networks such as the public Internet, provides insufficient protection for utilities.

“We are far too dependent on air-gapping as our primary defense, despite the fact that systems are increasingly connected,” said DeMeo. “We also need to change our defense strategy, away from conventional perimeter defense. These latest attacks have easily bypassed the perimeter — we need to focus on detecting and stopping attacks in progress.”

When asked about the severity of the threat utilities face from foreign hackers, he said that outcomes may vary depending on the motivation, but that recent attacks around the world have been significant. They include ransoming critical data, service disruptions, or serious damage to control systems and physical equipment.

He referenced the multiple attacks on Ukraine’s power grid, a recent cyberattack on a petrochemical company with a plant in Saudi Arabia, and an attack on a water treatment plant in the Middle East.

“The threat of disruption to our critical infrastructure is very real,” DeMeo said. “The outcomes may depend on the motivations of the hackers, but recent attacks have included ransoming critical data, service disruptions, or serious damage to control systems and physical equipment.”

DeMeo continued to say more needs to be done. “The government is raising awareness, but responses need to be more aggressive and coordinated. Defense strategies need to pivot away from sole focus on conventional perimeter defenses – the latest attacks have easily bypassed the perimeter. It’s crucial to detect and stop attacks in progress. There needs to be a shift from chasing endless elusive external threats, to directly protecting systems from attack in real time.”

Who are they and how’d they get in?

We’re not talking about just a few U.S. utilities. Hundreds were invaded. The threat actors are part of a group known as “Dragonfly” or “Energetic Bear,” supported by the Russian government. They used black-hat methods and tools such as phishing and spearphishing (phishing aimed at a smaller, targeted group of people). Despite widespread corporate training, phishing campaigns continue to be highly effective at stealing credentials from legitimate users, giving the thieves easy access that often doesn’t even set off alarm bells.

Mutual assured destruction

Since the Cold War, nation states, including the U.S., have spied on each other. Some assume hackers won’t cross beyond the line of spying, given that many countries have a posture of “mutual assured destruction.” But there is a point at which this thinking is naïve and overlooks real threats.

“It’s dangerous to assume that this fits the Cold War model of a balanced standoff because of ‘mutually assured destruction,’” Ray told TechNewsWorld (ECT News). “Many of these hacking groups have some nation-state sponsorship, but also pursue their own agendas. This is a very distributed threat, and relying on centralized control to keep things in check probably won’t w”

Utilities can be more aggressive in assessing vulnerabilities, updating systems, and adding new security strategies.

He continued, “They need to assume that hackers already have a footprint somewhere within their networks and bypassed their legacy perimeter defenses. The focus needs to shift from guarding the gate to proactively protecting critical applications and making sure they only do the right thing.”

Virsec has partnered with Raytheon to deliver cybersecurity products for critical infrastructure, including the grid.

Read full articles:

GreenTech Media: Russian Hackers Breach US Utility Networks via Trusted Vendors

IS Buzz: Russian Hackers Breach US Utility Networks

Journal of Cyber Policy: Russian Hackers Penetrated Networks of U.S. Electric Utilities

ECT News: Russian Hackers Have Invaded Hundreds of US Utilities: Report

The Wall Street Journal (requires sign-in): Russian Hackers Reach U.S. Utility Control Rooms, Homeland Security Officials Say