U.S. warns of Russian cyber intrusions of critical infrastructure

CISOs at critical infrastructure organizations in Canada are eying an alert issued by the U.S. Computer Emergency Readiness Team (US-CERT) that the Russian government has been targeting  American government entities as well as organizations in the energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors for at least the past two years.

The allegations, made Thursday, said the Department of Homeland Security (DHS) and the FBI “characterize this activity as a multi-stage intrusion campaign by Russian government cyber actors who targeted small commercial facilities’ networks where they staged malware, conducted spear phishing, and gained remote access into energy sector networks. After obtaining access, the Russian government cyber actors conducted network reconnaissance, moved laterally, and collected information pertaining to Industrial Control Systems (ICS).”

Toronto Hydro CIO Robert Wong said the utility is aware of the alert that was issued yesterday. “So far, we have not detected any of the indicators of compromise listed in the document.” The Canadian Cyber Incident Response Cente and the Canadian Security Establishment (CSE), which is responsible for securing federal networks, warned the Canadian electricity sector last December of possible state-sponsored actors targeting critical infrastructure here, he added.

The threat actors appear to have chosen targets deliberately, the US-CERT alert says, and not by chance. The attacks appear to be aimed at gathering network intelligence.

The alert reads like a CISO’s nightmare — and, arguably, a blueprint for what to look for in a sophisticated attack.

The document includes a lengthy list of indicators of compromise, including Microsoft Word documents that would be attached to email for stealing credentials which may or may not have been protected by hashing.  Some of these messages were framed as what looked like legitimate résumés  for industrial control systems personnel, and invitations and policy documents to entice the user to open the attachment.

It concludes with 28 recommendations for securing networks against this campaign.

Techniques include using spear-phishing emails from compromised legitimate accounts, compromising web sites of trade publications and partners (so-called watering-hole domain attacks) to spread malware to targets, credential gathering, open-source and network reconnaissance,host-based exploitation, and targeting industrial control system (ICS) infrastructure.

And no, some target networks — including third parties — weren’t protected with multi-factor authentication. So it may come as no surprise that where possible the actors created local administrator accounts they could control.

In multiple instances, says the alert, new accounts were created to clean up their activities.  “The accounts created were used to clear the following Windows event logs: System, Security, Terminal Services, Remote Services, and Audit. The threat actors also removed applications they installed while they were in the network along with any logs produced.”

The two agencies recommend that network administrators review the IP addresses, domain names, file hashes, and YARA and Snort signatures provided and add the IPs to their watch list to determine whether malicious activity is occurring within their organization. Reviewing network perimeter netflow will help determine whether a network has experienced suspicious activity, they say. Network defenders and malware analysts should use the YARA and Snort signatures provided in the associated YARA and .txt file to identify malicious activity.

The alert also warns how seemingly innocent marketing materials can be used by threat actors. The investigation found the threat actors downloaded a small photo from a publicly accessible human resources page of an unidentified company. “The image, when expanded, was a high-resolution photo that displayed control systems equipment models and status information in the background.”

Some of the campaign was revealed by Symatec last September, which said North American and European energy sectors were being targeted by a group it dubbed Dragonfly.

The details in the alert aren’t a surprise, said Rick Kaun, vice-president of solutions at Calgary-based Verve Industrial Protection. Operational and industrial control systems “are not immune due to obscurity or air gaps,” he said in an interview this morning. “The only surprise for me is that we have yet another (attack). What remains to be seen is whether this is the one that finally pushes people to action … We still struggle to help clients figure out that you need to build a program over time to pay dividends. To wait until something happens is way too late.

While there have been a number of well-reported attacks on industrial control systems (ICS), there’s still a “huge amount of work to be done” securing critical infrastructure, he said.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com

Featured Articles

Empowering the hybrid workforce: how technology can build a better employee experience

Across the country, employees from organizations of all sizes expect flexibility...

What’s behind the best customer experience: How to make it real for your business

The best customer experience – the kind that builds businesses and...

Overcoming the obstacles to optimized operations

Network-driven optimization is a top priority for many Canadian business leaders...

Thriving amid Canada’s tech talent shortage

With today’s tight labour market, rising customer demands, fast-evolving cyber threats...

Staying protected and compliant in an evolving IT landscape

Canadian businesses have changed remarkably and quickly over the last few...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now