A report from the U.S. Computer Emergency Readiness Team (US-CERT) provides a detailed look at how alleged Russian attackers planned and executed a long-term cyber-attack against unprepared energy installations.
The attacks started by compromising a partner and then using the partner’s IT systems to stage an attack on the ultimate targets, the power-generation stations.
“DHS and FBI characterize this activity as a multi-stage intrusion campaign by Russian government cyber actors who targeted small commercial facilities’ networks where they staged malware, conducted spear phishing, and gained remote access into energy sector networks,” the report explains.
The US-CERT report said that once the hackers gained access, “the Russian government cyber actors conducted network reconnaissance, moved laterally, and collected information pertaining to Industrial Control Systems (ICS).”
The report includes a step-by-step description of the hackers’ activities, including the specific methods, the specific IP addresses of their servers and repositories and complete indicators of compromise (IOC) details.
As is the case with many state-sponsored attacks, the alleged Russian hackers started with a poorly defended contractor to gain access to the ultimate target’s network. They used phishing emails from legitimate accounts, loaded malware and credential-gathering exploits on watering-hole domains, and examined information in the public domain that would reveal important details about the target.
For example, in one case, a member of a target organization’s staff was pictured at work on the company human resources page. A close look at the background of the photo revealed information on the industrial control system in use, as well as an image of a computer screen that revealed the specific control software in use, including its revision level.
Other information used by the hackers included publicly available email addresses and the names of senior staff members. This information was used to create credible phishing emails.
Once inside the partner’s system, the hackers set it up as a staging area for the attack on the ultimate target. The steps included creating repositories for software, creating fake accounts, and conducting surveillance.
Once the hackers gained access to their ultimate target, the goal in this case was to conduct surveillance so that they could gather information on the software in use, the credentials being used, and the control processes being used. This information was exfiltrated to remote servers using the SMB protocol. Once the surveillance was complete, the hackers launched a series of processes designed to cover their tracks.
Unfortunately, it probably wasn’t as much of a challenge as it should have been to break into the control systems described by US-CERT. “These networks are insecure by design,” said Phil Neray, vice president of industrial cyber-security at CyberX. “They’ve relied on outdated notions like air-gapping. We’ve found that in a lot of air gapped networks, there are connections to the internet.”
Much of the problem is also due to obsolete equipment and unsupported operating systems. “Organizations are reticent to change existing systems because they perform their original functions reliably,” explained Ray DeMeo, co-founder and COO of Virsec. But the conditions around them have changed, and they’re remaining unprotected.
The result is that the systems can’t be patched and run applications that may not work properly if the operating system is updated. DeMeo suggested that industrial systems be patterned after the security in the financial industry. “Wall Street wouldn’t survive if they didn’t have the security they do,” he said.
Neray suggested that ICS networks adopt practices such as continuous monitoring of activities on the network, including workstation activities such as creating users, changing permissions or changing the registry, all of which were common activities conducted by the hackers.
DeMeo also suggested that a long-term fix would be to include security readiness as part of an organization’s annual audit and to disclose it to stockholders. He also suggested that insurance premiums be tied to security readiness. Those actions would encourage companies to make themselves more secure because it would affect their bottom line.
On a more immediate basis, US-CERT included a list of best practices at the end of its report, along with a detailed list of detection and prevention measures. Those best practices include:
- Blocking all versions of the SMB protocol, as well as TCP ports 139 and 445 and UDP port 137.
- Blocking the Web-based Distributed Authoring and Versioning (WebDAV) protocol on border gateway devices.
- Monitoring VPNs for abnormal activity.
- Segmenting critical networks and systems from business systems.
- Using only PowerShell v5 with advanced logging.
- Blocking external access for admin accounts.
- Implementing two-factor authentication.
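Two of the points above, and the SMB exfiltration and workstation-monitoring observations earlier in the article, can be turned into a small detection check. The following is an added example, not code from the US-CERT report or from CyberX or Virsec: it scans constructed firewall and Windows Security log lines, flags SMB/NetBIOS flows (TCP 139/445, UDP 137) that leave an assumed internal address space, and flags the user-creation, group-change and registry-change events that Neray says should be monitored. The log formats, the internal ranges and the event-ID mapping are assumptions for the demonstration.

```python
import ipaddress

# Constructed sample log lines for this demonstration; not data from the US-CERT report.
FIREWALL_LOG = """\
2018-03-15T10:02:11 ALLOW TCP 10.20.1.15:49812 -> 203.0.113.7:445
2018-03-15T10:02:15 ALLOW TCP 10.20.1.15:49813 -> 10.20.5.2:445
2018-03-15T10:03:40 ALLOW UDP 10.20.1.15:137 -> 198.51.100.9:137
2018-03-15T10:04:02 ALLOW TCP 10.20.1.15:49901 -> 93.184.216.34:443
"""
WINDOWS_EVENTS = """\
2018-03-15T10:05:00 EventID=4720 Subject=ICS\\svc_backup Target=ICS\\support
2018-03-15T10:05:03 EventID=4732 Subject=ICS\\svc_backup Target=Administrators
2018-03-15T10:06:10 EventID=4657 Subject=ICS\\svc_backup Object=HKLM\\SYSTEM\\CurrentControlSet\\Services\\Updater
2018-03-15T10:07:00 EventID=4624 Subject=ICS\\operator
"""

# SMB/NetBIOS ports named in the US-CERT best practices.
SMB_PORTS = {("TCP", 139), ("TCP", 445), ("UDP", 137)}
# Address space treated as "inside" (site-specific assumption); anything else is an external destination.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Windows Security event IDs matching the workstation activities Neray lists (assumed mapping).
WATCHED_EVENTS = {4720: "user account created",
                  4732: "member added to local group",
                  4657: "registry value modified"}

def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def flag_smb_egress(log):
    """Return (src, dst, port) for SMB/NetBIOS flows that leave the internal address space."""
    hits = []
    for line in log.splitlines():
        _ts, _action, proto, src, _arrow, dst = line.split()
        src_ip = src.rsplit(":", 1)[0]
        dst_ip, dst_port = dst.rsplit(":", 1)
        if (proto, int(dst_port)) in SMB_PORTS and is_external(dst_ip):
            hits.append((src_ip, dst_ip, int(dst_port)))
    return hits

def flag_host_changes(events):
    """Return (event_id, subject, description) for the watched workstation activities."""
    hits = []
    for line in events.splitlines():
        fields = dict(tok.split("=", 1) for tok in line.split()[1:])
        event_id = int(fields["EventID"])
        if event_id in WATCHED_EVENTS:
            hits.append((event_id, fields["Subject"], WATCHED_EVENTS[event_id]))
    return hits
```

Running `flag_smb_egress(FIREWALL_LOG)` on the sample reports the two flows to external addresses on ports 445 and 137 and ignores the internal SMB flow and the HTTPS connection; `flag_host_changes(WINDOWS_EVENTS)` reports the account creation, group change and registry modification but not the ordinary logon.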
US-CERT also included a complete set of YARA rules for use with that open-source malware pattern-matching utility, along with instructions on using YARA for malware detection.
“You should assume that you’re being targeted if you have something of value,” DeMeo said. “You have to assume that they’re already in your system. The question is how do you get them out?”
The answer is that you will need to hire an industrial security firm to find out what the hackers have done, and find ways to remove them and their back doors from your systems.
Then Neray said you need to make sure your new systems don’t have the same problems by specifying systems that can be updated and software that’s not tied to a specific configuration of Windows or another operating system.
“Three out of four industrial sites are running unsupported versions of Windows,” Neray said. Clearly that has to change.