inside-the-nsa

Public Intelligence – Nation-State Cyber Actors Focused on “Maintaining Persistent Access” to U.S. Energy Infrastructure

Damaging cyber attacks against the U.S. energy infrastructure do not currently pose a significant threat according to an intelligence assessment released by the Department of Homeland Security and Industrial Control Systems Computer Emergency Response Team (ICS-CERT) in January.  While cyber actors backed by a number of nation-states are actively “targeting US energy sector enterprise networks,” these activities are focused primarily on supporting cyber espionage activities to acquire and maintain “persistent access to facilitate the introduction of malware” in the event of “hostilities with the United States.”

The restricted DHS assessment titled “Damaging Cyber Attacks Possible but Not Likely Against the US Energy Sector” was obtained by Public Intelligence and reveals that at least seventeen intrusions against the U.S. energy sector were traced back to APT actors in FY 2014.  The attacks never resulted in damage or disruption, but were instead focused on “data theft from enterprise networks” and “accessing and maintaining presence on ICS” networks and systems.  One example cited in the assessment is a piece of malware called Havex that was “likely developed by Russian state-sponsored cyber actors.”  The existence of the malware was first disclosed in a June 2014 blog post by Finnish security firm F-Secure which described how the remote access tool (RAT) was being used as part of an industrial espionage campaign.  DHS states that this campaign dates back to 2011 and that while the “main function is to gather information,” Havex can also run “specialized plug-ins for additional capabilities.”

The assessment also mentions an attack on the Ukrainian energy sector in December 2015 that resulted in at least 80,000 customers losing power for up to six hours.  At the time the assessment was written, ICS-CERT stated that they were “unable to confirm” the event was triggered by cyber means, but that a sample of the malware provided by the Ukranian Government had the capability to “enable remote access and delete computer content, including system drives.”  While DHS does not attribute the attack to any specific cyber actor, the assessment states that the attack is “consistent with our understanding of Moscow’s capability and intent, including observations of cyber operations during regional tensions.”

A month after the DHS assessment was published, ICS-CERT released an alert describing the attack in much greater detail and relaying the findings of a team that included representatives of the U.S. Computer Emergency Readiness Team (US-CERT), Department of Energy, FBI and North American Electric Reliability Corporation.  The alert increased the number of those affected by the attack to more than 225,000 customers, noting that the attack was “reportedly synchronized and coordinated, probably following extensive reconnaissance of the victim networks.”  The attackers reportedly “acquired legitimate credentials and leveraged valid remote access pathways” to cause 50 regional substations to experience “malicious remote operation of their breakers conducted by multiple external humans.”

ICS-CERT also released a restricted version of the alert marked For Official Use Only that included non-public details and analysis of the vulnerabilities exposed by the attack.  An updated version of the restricted alert from March was also obtained by Public Intelligence and states that “critical infrastructure [industrial control system or ICS] networks, across multiple sectors, are vulnerable to similar attacks.” ICS-CERT argues that the “incident highlights the urgent need for critical infrastructure owners and operators across all sectors to implement enhanced cyber measures that reduce risks” that could result from the use of a number of different techniques that were employed by the attackers, including:

• Theft of legitimate user credentials to enable access masquerading as approved users,
• Leveraging legitimate remote access pathways (VPNs),
• The remote operation of human-machine interface (HMI) via company installed remote access software (such as RDP, TeamViewer or rlogin)
• The use of destructive malware such as KillDisk to disable industrial control systems (ICSs) and corporate network systems
• Firmware overwrites that disable/destroy field equipment
• Unauthorized scheduled disconnects of uninterruptable power supplies (UPS) to devices to deny their availability
• The delivery of malware via spear-phishing emails and the use of malicious Microsoft Office attachments
• Use of Telephone Denial of Service (TDoS) to disrupt operations and restoration.

During the attacks, “remote human operators” accessed the workstations of dispatchers at the facilities using legitimately installed tools for remote access.  They used this access to trip the breakers, change the passwords for key systems, corrupt firmware of serial-to-ethernet converters used for substation communication and leverage backup battery systems to trigger shutdowns of connected servers and devices.  In one instance, the attackers used an uninterruptible power supply (UPS) to target an internal telecommunications server which cut off “all internal communications with regional offices and distribution substations.”

Despite the risks demonstrated in the Ukrainian attack, the DHS assessment from January tries to downplay the threat posed by state actors, noting that 63 percent of malicious cyber activity in FY 2014 was “unattributed, low-level activity” related to cybercrime using methods such as ransomware and denial-of-service attacks.  The assessment’s authors also include a section criticizing the media’s over-hyping of cyber attacks and cyber warfare as leading to “misperceptions about the cyber threat to the US energy sector.”  The term “cyber attack” is often used by the media and private sector to refer to incidents and activities that are not necessarily intended to “cause denial, disruption, destruction, or other negative effects” which would better be described as “cyber espionage, and even low-level, untargeted incidents of cybercrime.”  The assessment even speculates that overuse of the term could lead to “alarm fatigue” which could lead to less reporting of incidents and longer response times.