It came like a bolt from the blue, though it was no surprise to those who had been paying attention.
In mid-March, the Department of Homeland Security reported that it, along with the FBI, had determined that “Russian government cyber actors” had launched “a multi-stage intrusion campaign” that targeted the networks of small commercial facilities in the energy and other critical infrastructure sectors.
During the attacks, which have been going on since at least March 2016, the malicious actors “staged malware, conducted spear-phishing, and gained remote access into energy sector networks.” After obtaining access, the Russians “conducted network reconnaissance, moved laterally and collected information pertaining to Industrial Control Systems” at unidentified power plants.
The attacks were not exactly surprising. In June, DHS and the FBI had reportedly “sent a joint alert to the energy sector stating that ‘advanced, persistent threat actors’ — a euphemism for sophisticated foreign hackers — were stealing network log-in and password information to gain a foothold in company networks,” as The Washington Post reports. At the time, the agencies did not name Russia as the source of the attacks.
As The New York Times notes, “The hackers never went so far as to sabotage or shut down the computer systems that guide the operations of the plants.” Now that the attacks are out in the open, and the U.S. government has squarely blamed Russia, what can utilities do to protect themselves?
DHS and the FBI recommend several detection and prevention measures aimed at blocking the specific spear-phishing, watering hole, web shell and remote access activities associated with the attacks. Their report also provides numerous general cybersecurity best practices for utilities to follow. In addition to specific steps IT security teams can take, the agencies note that affected organizations should “contact DHS or law enforcement immediately to report an intrusion and to request incident response resources or technical assistance.”
What Did Russians Do to Hack Utility Plants?
According to the DHS report, in the reconnaissance phase of the attack, the Russian threat actors “appear to have deliberately chosen the organizations they targeted, rather than pursuing them as targets of opportunity.” They then sought information on network and organizational design and control system capabilities within organizations.
“These tactics are commonly used to collect the information needed for targeted spear-phishing attempts,” DHS says. “In some cases, information posted to company websites, especially information that may appear to be innocuous, may contain operationally sensitive information.” The threat actors also attempted to remotely access infrastructure such as corporate web-based email and virtual private network (VPN) connections.
Throughout the spear-phishing campaign, the threat actors used email attachments that abused legitimate Microsoft Office functionality to retrieve a document from a remote server using the Server Message Block (SMB) protocol.
As part of the standard processes executed by Microsoft Word, DHS notes, this request authenticated the client to the server, sending the user’s credential hash (the Windows NTLM challenge-response) to the attacker’s server before the requested file was retrieved; the hash is exposed whether or not the file ever arrives. Once the attackers held a credential hash, they could “use password-cracking techniques to obtain the plaintext password.” With valid credentials in hand, they were able to masquerade as authorized users in environments that rely on single-factor authentication. A practical check here is whether the network perimeter allows outbound SMB (TCP port 445) at all: if it does not, a document’s request to an Internet-hosted server never reaches it.
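The retrieval described above is driven by a relationship entry inside the .docx package that points Word at an external location. The check below, written here as an added example rather than code from the article or from DHS, unpacks a .docx and lists every external relationship whose target is a UNC path or file:// URL, which is what would make Word authenticate to a remote SMB server on open. It assumes the document references the remote file as an attached template (the common form of this technique; the article does not say which Office feature was used), and the sample document it builds is constructed in memory with a documentation address (203.0.113.10) as a placeholder, not a file from the campaign.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# OOXML relationship namespace used by every .rels part in a .docx package.
RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)

# A target Word would fetch over SMB: a UNC path (\\host\share\file) or a file:// URL.
SMB_TARGET = re.compile(r"^(?:\\\\|file://)", re.IGNORECASE)


def find_external_smb_targets(docx_bytes):
    """Return (rels_part, rel_id, rel_type, target) for every relationship in the
    package that is marked External and points at an SMB-reachable location.
    Opening such a document makes Word authenticate to that host before it
    even knows whether the file exists, which is how the credential hash leaks."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                target = rel.get("Target", "")
                if rel.get("TargetMode") == "External" and SMB_TARGET.match(target):
                    rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                    hits.append((name, rel.get("Id"), rel_type, target))
    return hits


def build_sample_docx(template_target):
    """Constructed minimal .docx (not a file from the campaign) whose settings
    part references `template_target` as an attached template. Only the parts
    the scanner looks at are populated."""
    settings_rels = (
        f'<Relationships xmlns="{RELS_NS}">'
        f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
        f'Target="{template_target}" TargetMode="External"/>'
        "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/document.xml", "<document/>")  # body content is irrelevant here
        zf.writestr("word/settings.xml", "<settings/>")
        zf.writestr("word/_rels/settings.xml.rels", settings_rels)
    return buf.getvalue()


if __name__ == "__main__":
    # 203.0.113.10 is a documentation address standing in for the attacker's server.
    sample = build_sample_docx(r"\\203.0.113.10\share\Normal.dotm")
    for part, rel_id, rel_type, target in find_external_smb_targets(sample):
        print(f"{part}: {rel_id} ({rel_type}) -> {target}")
```

Run the scanner over attachments pulled from the mail gateway quarantine or from user mailboxes; a relationship of type attachedTemplate whose target is a UNC path or file:// URL has no legitimate reason to point outside the organization, and an HTTP template target deserves a look as well even though it does not carry the SMB credential exchange.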
DHS says the attackers also developed what are known as “watering holes,” in which attackers seek to compromise a specific group of users by infecting websites that members of the group are known to visit, as TechTarget notes. About half of the known watering holes in the attacks were trade publications and informational websites related to process control, industrial control systems or critical infrastructure.
The attackers also sent spear-phishing emails containing documents with shortened URLs that redirected users to websites where they were prompted for their email address and password. They then used the compromised credentials to access victims’ networks where multifactor authentication was not in use, according to DHS. “To maintain persistence, the threat actors created local administrator accounts within staging targets and placed malicious files within intended targets,” DHS says; in the agencies’ terminology, staging targets are the peripheral organizations, such as trusted third-party suppliers, whose networks the actors used as pivot points, and intended targets are the energy sector organizations themselves.
The threat actors usually created web shells on the intended targets’ publicly accessible email and web server, DHS says. A web shell, as DHS notes, is a script that can be uploaded to a web server to enable remote administration of the machine. The attackers used remote access services and infrastructure such as VPN, Remote Desktop Protocol and Outlook Web Access.
Once inside victims’ networks, the attackers conducted internal reconnaissance, accessed workstations and servers on the corporate network that held data output from control systems within energy generation facilities, accessed files pertaining to ICS or supervisory control and data acquisition (SCADA) systems, and targeted and copied profile and configuration information for accessing ICS systems on the network.
What Can Utilities Do to Protect Themselves?
For this specific attack, DHS recommends that users and administrators try to detect spear-phishing, watering hole, web shell and remote access activity by comparing all IP addresses and domain names listed in the indicators of compromise (IOC) packages against the logs they already have on hand, such as network intrusion detection system (IDS) or network intrusion prevention system (IPS) logs, web content filter logs, proxy server logs, DNS resolution logs and more.
To detect the presence of web shells on external-facing servers, utility IT leaders should compare the IP addresses, file names and file hashes listed in DHS’ IOC packages against application logs, IIS/Apache logs, the file system itself, IDS/IPS logs, PCAP repositories, firewall logs and reverse proxy logs.
To detect spear-phishing, utilities can search workstation file systems and network-based user directories for the attachment file names and hashes found in the IOC packages. Utilities can detect persistence in virtual desktop infrastructure environments by searching the file shares that hold user profiles for all “.lnk” (Windows shortcut) files, according to DHS.
Further, utilities can detect the evasion techniques used by the threat actors by identifying deleted logs, which can be done by reviewing last-seen entries and by searching the Windows System log for Event ID 104, the event Windows records when an event log is cleared.
IT administrators can detect persistence by reviewing all administrator accounts on systems to identify unauthorized accounts, especially those created recently.
Among other steps, IT admins can also detect the malicious use of legitimate credentials by reviewing all Remote Desktop and VPN sessions for any user whose credentials are suspected to be compromised and confirming each session with that user.
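The IOC comparison DHS describes is the same operation whatever the log source: pull the IP addresses, domains, file names and hashes out of the package and sweep them across proxy, IIS, DNS and firewall records, then hash files on the external-facing servers. The script below does that over constructed sample records, as an added example that is not code from the article or from DHS. The indicators it uses are placeholders (documentation IP ranges, a reserved .test domain, made-up file names and a hash derived from a constructed stand-in file), not the alert’s real IOCs, and the log lines are constructed in the shape of Squid, IIS W3C, BIND query and netfilter logs; the real IOC lists come from the agencies’ packages.

```python
import hashlib
import re
from collections import namedtuple

Hit = namedtuple("Hit", "source where kind indicator")

# Constructed placeholder indicators (documentation IP ranges, a reserved .test
# domain, made-up names). They are NOT the alert's IOCs; load those from the
# DHS/FBI IOC packages instead.
IOC_IPS = {"203.0.113.45", "198.51.100.7"}
IOC_DOMAINS = {"ics-trade-news.test"}
IOC_FILENAMES = {"agreement.docx", "cmd.aspx"}

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)
FILENAME = re.compile(r"[\w-]+\.(?:docx?|xlsx?|pdf|lnk|aspx?|php|jsp)\b", re.IGNORECASE)


def domain_matches(host, ioc_domains):
    """True when host is an IOC domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in ioc_domains)


def sweep_log(source, lines, ioc_ips=IOC_IPS, ioc_domains=IOC_DOMAINS,
              ioc_filenames=IOC_FILENAMES):
    """Scan text log lines of any format for IOC IPs, domains and file names.
    Deliberately format-agnostic so one pass covers proxy, IIS/Apache, DNS and
    firewall logs; the line number lets an analyst go back to the record."""
    hits = []
    for n, line in enumerate(lines, 1):
        for ip in sorted(set(IPV4.findall(line))):
            if ip in ioc_ips:
                hits.append(Hit(source, n, "ip", ip))
        for host in sorted(set(h.lower() for h in HOST.findall(line))):
            if domain_matches(host, ioc_domains):
                hits.append(Hit(source, n, "domain", host))
        for fname in sorted(set(f.lower() for f in FILENAME.findall(line))):
            if fname in ioc_filenames:
                hits.append(Hit(source, n, "filename", fname))
    return hits


def sweep_files(files, ioc_hashes):
    """files maps path -> content bytes (constructed in memory here; in practice
    walk the web root of each external-facing server). Flags files whose
    SHA-256 is in the IOC hash list, which catches a web shell even if renamed."""
    return [Hit("fs", path, "hash", hashlib.sha256(data).hexdigest())
            for path, data in files.items()
            if hashlib.sha256(data).hexdigest() in ioc_hashes]


# Constructed sample records (Squid native, IIS W3C, BIND query log, netfilter).
PROXY_LOG = [
    "1521109321.417    245 10.0.0.25 TCP_MISS/200 1432 GET http://ics-trade-news.test/news/ics.php - HIER_DIRECT/203.0.113.45 text/html",
    "1521109322.102     88 10.0.0.26 TCP_HIT/200 5120 GET http://intranet.corp.example/home - NONE/- text/html",
]
IIS_LOG = [
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status",
    "2018-03-15 10:22:01 10.0.0.5 POST /owa/auth/logon.aspx - 443 - 198.51.100.7 Mozilla/5.0 200",
    "2018-03-15 10:22:09 10.0.0.5 GET /aspnet_client/cmd.aspx - 443 - 198.51.100.7 Mozilla/5.0 200",
]
DNS_LOG = [
    "15-Mar-2018 10:21:59.812 client 10.0.0.25#51522: query: ics-trade-news.test IN A + (10.0.0.2)",
]
FIREWALL_LOG = [
    "Mar 15 10:22:05 fw1 kernel: ACCEPT IN=eth0 OUT= SRC=198.51.100.7 DST=10.0.0.5 PROTO=TCP SPT=40312 DPT=443",
]

# Constructed stand-in file; its hash plays the role of a hash from the IOC package.
SAMPLE_WEBSHELL = b"<%@ Page Language='C#' %><!-- constructed placeholder, not a real web shell -->"
SAMPLE_FILES = {
    "C:/inetpub/wwwroot/aspnet_client/cmd.aspx": SAMPLE_WEBSHELL,
    "C:/inetpub/wwwroot/index.html": b"<html><body>Utility portal</body></html>",
}
IOC_HASHES = {hashlib.sha256(SAMPLE_WEBSHELL).hexdigest()}


def run_sweep():
    """Run every sweep and return the hits keyed by log source."""
    return {
        "proxy": sweep_log("proxy", PROXY_LOG),
        "iis": sweep_log("iis", IIS_LOG),
        "dns": sweep_log("dns", DNS_LOG),
        "firewall": sweep_log("firewall", FIREWALL_LOG),
        "fs": sweep_files(SAMPLE_FILES, IOC_HASHES),
    }


if __name__ == "__main__":
    for source, hits in run_sweep().items():
        for hit in hits:
            print(f"{hit.source}:{hit.where}\t{hit.kind}\t{hit.indicator}")
```

A hit on an IOC IP or domain in the proxy or DNS log tells you a workstation reached one of the watering holes; the same client address in the IIS and firewall logs against OWA is the remote access activity the alert describes. Match domains by suffix rather than exact string, since the actors can add hostnames under a domain they control, and hash files rather than trusting names, since a web shell can be dropped under any file name.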
In general, DHS advises numerous IT security best practices that can help guard against these attacks. They include monitoring VPN logs for abnormal activity; deploying web and email filters on the network; segmenting critical networks and control systems from business systems and networks in accordance with industry best practices, with adequate logging and visibility at ingress and egress points; using PowerShell version 5 with enhanced logging enabled; establishing least-privilege controls; requiring multifactor authentication for all authentication; and completing independent security risk reviews.