It made the headlines in early January: Russia is targeting U.S. nuclear scientists and research facilities. That is hardly a news flash, given that Russia’s (and the USSR’s) history of targeting U.S. nuclear technologies dates back more than 75 years, but the tools used in the latest foray remind us of the need to pay more attention to our cybersecurity hygiene.
The recent attack, which was brought to our attention via Reuters, highlighted how the Russian hacking group known as Cold River targeted three of the United States’ national labs: Brookhaven (BNL), Argonne (ANL) and Lawrence Livermore (LLNL).
What Cybersecurity Hygiene?
The methodology was not particularly sophisticated: a targeted phishing email combined with a pre-prepared landing page made to look like the respective laboratory’s own login page. When a target clicked through, they arrived at that fake ‘login page,’ and it was there that staff at the various labs would be fleeced of their login credentials.
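As an added illustration (not code from the article, the labs or any named vendor), here is the kind of check a mail gateway or awareness team can run over URLs in inbound mail to flag lookalike lab login pages of the sort described above. It assumes the labs’ registrable domains are bnl.gov, anl.gov and llnl.gov; the sample URLs in the test are constructed.

```python
from urllib.parse import urlsplit

# Assumed registrable domains of the three labs named in the article.
REAL_DOMAINS = ("bnl.gov", "anl.gov", "llnl.gov")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Last two labels; adequate for .gov, a real deployment would use the PSL."""
    return ".".join(host.split(".")[-2:])


def classify(url: str) -> str:
    """Return 'legitimate', 'lookalike', 'unknown' or 'invalid' for one URL."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if not host:
        return "invalid"
    if registrable(host) in REAL_DOMAINS:
        return "legitimate"  # any true subdomain of a lab domain
    # 1. a real lab domain used as a *subdomain* of some other domain
    if any(host.startswith(d + ".") or ("." + d + ".") in host for d in REAL_DOMAINS):
        return "lookalike"
    # 2. lab domain with the dot turned into a dash, e.g. llnl-gov-login.example
    if any(d.replace(".", "-") in host for d in REAL_DOMAINS):
        return "lookalike"
    # 3. punycode label: possible homoglyph of a lab name
    if any(label.startswith("xn--") for label in host.split(".")):
        return "lookalike"
    # 4. one-character typosquat of the registrable domain (review, not block)
    if any(edit_distance(registrable(host), d) <= 1 for d in REAL_DOMAINS):
        return "lookalike"
    return "unknown"
```

A "lookalike" verdict is a trigger for human review or a quarantine rule, not proof of an attack; the distance check in particular will also flag unrelated but similarly named .gov hosts.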
Crowdstrike’s Adam Meyers, senior vice president of intelligence, told Reuters that “[Cold River] is one of the most important hacking groups you’ve never heard of. They are involved in directly supporting Kremlin information operations.”
Itay Glick, VP of products at OPSWAT, an entity focused on protecting critical infrastructure, said “The Cold River campaign against U.S. nuclear facilities was likely cyberespionage, as it directly correlates with geopolitical conflicts—as are other activities by this group.”
Glick told Security Boulevard that cyberespionage was the most likely motivation because, he said, “There is no evidence of actual breach, but according to resources, domain links and the attacker—also sometimes referred to as Callisto—showed ties to the Russian government and the use of spear phishing campaigns against the U.S. government and defense targets. Targeting research could make for a good supply chain attack—reaching from a research scientist to the army or other defense facilities, for example, via email attacks.”
As noted, the Cold River phishing operation required their target to click through to a landing page prepared for their arrival. This begs the question: What sort of cybersecurity awareness program is in place within the Department of Energy, the entity which has oversight of the national laboratories?
“We may not know what the actual security awareness training details and tools of the DOE Cybersecurity Awareness and Training (CSAT), National Training Center, or other programs are, but we hope that the DOE and other critical infrastructure invest in adequate training for all personnel—not just for those dealing with IT but also for those who run the operational technology and industrial control systems,” Glick said.
It would appear a return to basics may be in order within the DOE and its various entities, including LLNL, ANL and BNL, on cybersecurity hygiene 101: think before you click. Similarly, when the dust has settled, the DOE would do well to share how the spear phishing emails were able to bypass the security controls in place and land in the targets’ email inboxes without detection.