Hackers are continuing to attempt to gain access to the networks of nuclear power companies and others involved with critical national infrastructure, raising concerns about cyber-espionage and sabotage.
A report compiled by the FBI and US Department of Homeland Security (DHS) has warned of an ongoing hacking campaign that has seen attackers infiltrate the networks of power companies and others to steal details of their control systems, including information from control systems within energy-generation facilities.
Hackers are targeting the systems of government agencies and companies working in energy, nuclear, water, aviation, and critical manufacturing sectors, according to the report.
While it has long been known that state-backed hackers are keen to access critical infrastructure, the report provides one of the most detailed looks at how state-backed hackers are attempting to gather data on critical national infrastructure through a sophisticated and multi-stage project.
It details how hackers work their way through the supply chain for these major companies, starting by attacking small companies with low security and small networks, which are then used as a stepping stone into the networks of “major, high value asset owners within the energy sector”.
DHS said these infiltration efforts are ongoing, and the attackers are “actively pursuing their ultimate objectives over a long-term campaign.” It said that in some cases the hackers have successfully managed to compromise their victims’ networks.
The energy sector has become an area of increased interest to cyber attackers recently, starting with the Ukrainian blackouts in 2015 and 2016, which were blamed on hackers, plus more recent reports of attempts to infiltrate the networks of power companies in Europe and the US.
While it did not speculate on the motives of the hackers behind this most recent campaign, the report warned: “Historically, cyber threat actors have targeted the energy sector with various results, ranging from cyber espionage to the ability to disrupt energy systems in the event of a hostile conflict. Historically, threat actors have also targeted other critical infrastructure sectors with similar campaigns.”
Researchers have long warned about increased activity from hackers – from many different countries – probing the systems and networks of their rivals for vulnerabilities that could be exploited at a later date, mapping out weaknesses that could be used in any potential future cyberwar conflict.
The attacks are made up of a number of stages. According to the analysis, published by the US computer emergency response team (CERT), the initial victims of the hacking campaign are suppliers with less secure networks.
DHS said the hackers appear to have deliberately chosen to target companies with an existing relationships with many of the actual intended targets, most likely discovering this through publicly available information.
The hackers are also looking for information about the network and organizational design, as well as control system capabilities, and often companies give away such sensitive information by mistake. In one instance, the hackers downloaded an apparently innocuous small photo from an publically accessible human resources page, CERT said.
“The image, when expanded, was a high-resolution photo that displayed control systems equipment models and status information in the background.”
After identifying targets the hackers then begin a spearphishing campaign to attempt to gain details of users, which could then be used to try to crack passwords the hackers could use to masquerade as authorized users.
The attackers use a slightly different spear-phishing email campaign against target networks, which included the subject line “AGREEMENT & Confidential”, and that contained a PDF document. A link in the PDF prompts the reader to click on a link should a download not automatically begin, however, doing so would actually download malware. All the emails referred to common industrial control systems, equipment or process control systems, reflecting the interests of the attackers.
The campaign also used the websites of trade publications and information websites as a way to leapfrog onto the networks of their final target, by altered them to contain malicious content.
Once inside the target network, the hackers searched for file servers belonging to their intended victim, looking for files about industrial control systems or Supervisory Control and Data Acquisition (SCADA) systems, such as files mentioning vendor names or reference documents with names like ‘SCADA Wiring Diagram’ or ‘SCADA panel layouts’.
It’s not entirely clear who is behind the attack. The analysis describes the hackers behind it as an ‘advanced persistent threat’ a phrase usually used to refer to cyber-attackers with state backing. The CERT alert also references work done by security company Symantec, which refers to the attackers are ‘Dragonfly’ – a group previously known as ‘Energetic Bear’. Symantec said the campaign bears the hallmarks of a state-sponsored operation, displaying a high degree of technical capability.
“The group is well resourced, with a range of malware tools at its disposal and is capable of launching attacks through multiple attack vectors while compromising numerous third party websites in the process. Its main motive appears to be cyber espionage, with potential for sabotage a definite secondary capability.”
The group has been blamed for attacks on the energy sector going back to at least 2011 according to Symantec. Energetic Bear is generally thought to be a Russian hacking group, but the security company also noted that while some code strings in the malware used by the group were in Russian, others were in French, “which indicates that one of these languages may be a false flag”.
More worryingly, the security company noted that sabotage attacks are typically preceded by an intelligence-gathering phase where attackers collect information about target networks and systems and acquire credentials that will be used in later campaigns. The firm warned that this new campaign could mean the attackers may be entering into a new phase, “with recent campaigns potentially providing them with access to operational systems, access that could be used for more disruptive purposes in future”.
Symantec’s earlier report said the “most concerning evidence of this” was the use of screen captures, apparently capturing data from operational systems. The CERT report goes into more detail, noting that: “In one instance, the threat actors accessed workstations and servers on a corporate network that contained data output from control systems within energy generation facilities,” and captured images from it. The CERT report also includes a number of recommendations for companies to implement to protect themselves from attack.