Trump administration officials on Thursday accused the Russian government of staging a multi-year cyberattack campaign against the energy grid and other elements of critical infrastructure in the United States.
The alert from the Department of Homeland Security and the FBI coincided with the administration’s decision to unveil new sanctions on Russia for 2016 election meddling and other cyber activities — developments that are sure to ramp up tensions between the U.S. and Moscow.
Here are five things to know about Russian cyberattacks against U.S. infrastructure.
A ‘multi-stage intrusion campaign’
Russian government hackers conducted a “multi-stage intrusion campaign” against U.S. energy infrastructure, according to the joint Homeland Security and FBI report.
The campaign, which dates back to at least March 2016, involved hackers targeting lower-level victims — networks belonging to small commercial facilities that had less security — in order to ultimately compromise their intended targets in the energy sector.
Officials said Russia targeted organizations across several sectors, including government, energy, nuclear, water, aviation and critical manufacturing. The victims were not named.
The hackers used spear-phishing emails — fraudulent messages that purport to come from a known sender and contain malicious links or documents. According to the alert, the hackers also in some cases leveraged their initial targets to develop “watering holes,” an attack method in which hackers infect a trusted domain that the ultimate victim will visit.
The attacks were tailored to target those in the industry. The spear-phishing messages, for instance, included references to industrial control equipment or malicious attachments that appeared to be policy documents or invitations.
“They’re trying to target the engineers and people working on those control systems, not just the public in general,” observed Sergio Caltagirone, director of threat intelligence at Dragos, an industrial network security firm.
The Russians accessed information on Industrial Control Systems
Once inside energy sector networks, the hackers moved laterally, ultimately gaining information on industrial control systems and on supervisory control and data acquisition system output from energy generation facilities.
These systems are used to operate critical facilities and make them run more efficiently. The files accessed by the Russians would provide information that could ultimately be used to stage destructive or disruptive attacks on energy systems, experts say.
“Getting into networks is the first step if you either want to carry out a destructive attack or be able to for a political decision,” said Ben Read, senior manager of cyber espionage analysis at cybersecurity firm FireEye. “That’s going to allow you to more effectively manipulate them.”
The alert shows that, in one case, hackers accessed a Human Machine Interface, which is used by an individual to control a large industrial control system.
Eric Chien, technical director at cybersecurity firm Symantec, observed that, based on the Homeland Security alert, the hackers could have shut off power if they wanted to — but didn’t.
“They were on machines that were on the operational network that had the control panel not only monitoring but also control for systems that were generating power, generating electricity,” said Chien. “They could have shut off the power.”
A U.S. official told reporters Thursday that the hackers have been kicked out of networks belonging to the victims and targets they identified.
The security community warned about this activity last year
The alert released Thursday contains information about a cyber campaign that security researchers have been tracking for several months.
Symantec released a report last September detailing a cyberattack campaign against the energy sector in Europe and North America tied to the “Dragonfly” cyber espionage group, also known as “Energetic Bear,” which some security firms say is connected to the Russian government.
Symantec’s report described a broader campaign dating back to late 2015 in which hackers targeted organizations located in the U.S., Turkey and Switzerland, with some minimal activity in other countries.
“They were much more aggressive, and we saw them on the operational side,” said Chien. Symantec has tracked the group’s activity back to 2011.
Researchers at FireEye have been tracking the activity for at least a year, according to Read.
“[It] didn’t just target the United States, we saw targeting of Middle Eastern countries, Turkey, Israel, Ireland,” said Read. “This was a global campaign in a way that is interesting.”
Homeland Security blaming Russia for the attacks is significant
The Homeland Security alert contained little new information for the security community, aside from some details about how the hackers moved through energy sector networks.
But the alert does attribute the cyberattacks to the Russian government — a rare declaration for the U.S. government.
“It’s highly unusual — not unprecedented — but highly unusual when the government provides the type of attack attribution like they have in this alert,” said Amit Yoran, CEO of Tenable and the founding director of Homeland Security’s Computer Emergency Readiness Team.
“Usually that’s a strong signaling statement between governments when that happens.”
The attribution, coupled with the sanctions announced on Thursday, is likely to ratchet up tensions with Moscow, already running high over the situation in Ukraine and Moscow’s alleged poisoning of an ex-spy in Britain.
This is the second time this year that the U.S. has blamed Russia for a cyberattack. Last month, the Trump administration accused Moscow of launching last June’s global “NotPetya” malware attack, labeling it the “most destructive and costly cyber-attack in history.”
The Trump administration has appeared increasingly willing to call out foreign governments publicly for malicious cyber activity. In December, officials blamed North Korea for the May 2017 “WannaCry” cyberattack.
Cyber threats to energy grid and infrastructure run high
The latest revelation is a reminder that hackers are targeting critical infrastructure, with the potential for staging destructive attacks.
Foreign hackers have previously launched cyberattacks against critical infrastructure. The Justice Department indicted seven Iranian hackers in 2016 for conducting distributed denial of service attacks against the U.S. financial system and trying to shut down a New York dam.
Energy sector attacks have attracted increasing attention in the United States, particularly in Washington, following the successful cyber sabotage of Ukraine’s power grid in 2015 and 2016, believed to have been carried out by Russia.
Under Secretary of Energy Mark Menezes warned lawmakers this week that U.S. energy systems are “constantly being attacked.”
Those in the security community say critical infrastructure operators — most of which are private sector companies — need to adjust their risk management approach to account for the threat from persistent nation-state hackers who are constantly adjusting and evolving their tactics.
“We’ve seen Russia use these types of critical infrastructure exploits previously and cause outage. I’m not saying that’s the ultimate objective here, but it’s certainly in the U.S. interest that we are in control of our critical infrastructure,” said Yoran. “This is cause for concern.”