US-CERT: hackers are targeting our critical infrastructure

The US Department of Homeland Security (DHS) doesn’t often go public with warnings about cyber threats to the energy grid and other critical infrastructure. But it did last week.

US-CERT (US Computer Emergency Readiness Team), which operates under DHS, and the FBI issued an “alert” last Friday titled “Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors,” focused on what it said were “APT actions targeting government entities and organizations in the energy, nuclear, water, aviation, and critical manufacturing sectors.”

Which, in general, sounds like very old news. There have been warnings about such threats – espionage plus potential and actual cyberattacks – on US critical infrastructure, especially in the energy sector, for going on two decades. Among the examples:

DHS’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) reported in 2013 that there were a third more cyber incidents (111) reported by the energy sector in just the six-month reporting period ending that May than in the previous 12 months (81).

About a year later, ICS-CERT said it had received reports of 245 ICS incidents in 2014, more than half of which were APTs.

And USA Today reported in September 2014 that cyber attackers had successfully breached the US Department of Energy (DoE) 159 times between October 2010 and October 2014.

So, what’s different? Why issue an alert now?

DHS isn’t saying. Spokesman Scott McConnell declined to comment on the information in the alert, but told Reuters last week that the alert provided, “recommendations to prevent and mitigate malicious cyber activity targeting multiple sectors and reiterated our commitment to remain vigilant for new threats.”

Joseph Weiss, managing partner at Applied Control Systems and an industrial control systems (ICS) expert (speaking from the ICS Security Conference in Atlanta), is a bit mystified as well. “When it comes to APTs and ICS, I’m really lost about what is new here – at least when it comes to what’s in the report,” he said. “If there’s something that’s really interesting, it’s not in there.”

But Robert M. Lee, CEO of Dragos and a former US Air Force cyber warfare operations officer, said while the types of threats and the tactics, techniques and procedures (TTPs) being used – spear-phishing emails, watering-hole domains, credential gathering, open-source reconnaissance – are long established, what is different is the level of activity.

“The level of aggression has changed,” he said. “It’s not usual to have this many adversaries being this active. The amount of threat data we’re seeing is novel.”

But this, he added, shouldn’t lead to overstating the immediate threat. “None of this is going to take out the power,” he said, calling the US grid, “very robust and resilient. These adversaries are not in position to create significant disruption. But they are looking to steal data that could be used to build that kind of capability.”

The alert didn’t name suspected attackers or victims, and Lee wouldn’t get specific on attribution either, but did say that among the attackers being tracked are, “a group active in benefiting Russia and another active in benefiting North Korea.”

Both nation states would be obvious suspects – the New York Times recently reported that North Korea now has an “army” of more than 6,000 hackers focused on espionage, sabotage and money.

According to the alert, the spike in threat activity has been going on at least since May 2017, and focuses on two categories of victims: staging and intended targets.

The initial victims are peripheral organizations such as trusted third-party suppliers with less secure networks. The initial victims are referred to as “staging targets” throughout this alert. The threat actor uses the staging targets’ networks as pivot points and malware repositories when targeting their final intended victims.

It said the threat actors also “appear to have deliberately chosen the organizations they targeted, rather than pursuing them as targets of opportunity.”

And once they had successfully penetrated staging targets, they turned them into “command and control points” to connect to their intended targets.

Upon gaining access to intended victims, the threat actors conducted reconnaissance operations within the network. (They) viewed files pertaining to ICS or Supervisory Control and Data Acquisition (SCADA) systems.

Dale Peterson, founder of Digital Bond and S4 Events, said while he thought the alert generally had, “good, basic IT and ICS security information,” he had a problem with the lack of specifics surrounding the ICS and SCADA information. “Were the threat actors searching for the ICS information on file servers or did they stumble across it?” he wrote in a post on LinkedIn.

Read as written it appears that the threat actors found a file server, looked through the folders and files, and came across some files with ICS. They then chose to view and exfiltrate those files. Was this a high percentage of what was exfiltrated? Or was it one of a large number of files that was Hoovered from one or more compromised file servers?

Whatever the overall merits of the alert, it did come with offers of assistance. It included a list of indicators of compromise (IOCs) they found, and recommended that network administrators, “review the IP addresses, domain names, file hashes, network signatures, and YARA rules provided and add the IPs to their watchlist to determine whether malicious activity has been observed.”

It also urged organizations that found any of those IOCs in their networks to report it to DHS and to contact the National Cybersecurity and Communications Integration Center (NCCIC) for help with incident response.
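
One way to run the watchlist review the alert recommends, shown as an added example that is not code from the alert, DHS or this article: a sweep of log lines for IP, domain and file-hash indicators. Every indicator, hostname and log line below is constructed for illustration (documentation IP ranges and a reserved TLD), and the supplier-style domain stands in for a compromised staging target.

```python
import ipaddress
import re

# Constructed placeholder indicators (documentation IP ranges, reserved TLD),
# not values taken from the DHS alert.
IOC_NETS = [ipaddress.ip_network(n) for n in ("192.0.2.44/32", "198.51.100.0/28")]
IOC_DOMAINS = {"updates.supplier-portal.example"}
IOC_SHA256 = {"ab" * 32}

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b")
HASH_RE = re.compile(r"\b[a-f0-9]{64}\b")

def refang(text):
    """Lowercase and undo common defanging (hxxp, [.]) before matching."""
    return text.lower().replace("[.]", ".").replace("hxxp", "http")

def match_line(line):
    """Return sorted (type, value) pairs for every watchlist hit in one log line."""
    text = refang(line)
    hits = set()
    for tok in IP_RE.findall(text):
        try:
            addr = ipaddress.ip_address(tok)
        except ValueError:  # looks like an IP but is not one, e.g. 999.1.1.1
            continue
        if any(addr in net for net in IOC_NETS):
            hits.add(("ip", tok))
    for host in HOST_RE.findall(text):
        # Match the listed domain and its subdomains, not look-alike names.
        if any(host == d or host.endswith("." + d) for d in IOC_DOMAINS):
            hits.add(("domain", host))
    hits.update(("sha256", h) for h in HASH_RE.findall(text) if h in IOC_SHA256)
    return sorted(hits)

def sweep(lines):
    """Map 1-based line number to its hits, keeping only lines that matched."""
    hits = {n: match_line(line) for n, line in enumerate(lines, 1)}
    return {n: h for n, h in hits.items() if h}

# Constructed sample log lines (proxy, DNS and endpoint records).
SAMPLE_LOG = [
    "2017-10-23T08:14:02Z proxy src=10.20.1.15 dst=198.51.100.7 url=hxxp://cdn.updates.supplier-portal[.]example/a.dat",
    "2017-10-23T08:15:40Z dns src=10.20.1.22 query=notupdates.supplier-portal.example",
    "2017-10-23T08:17:11Z edr host=ENG-WS-04 file=svc.exe sha256=" + "AB" * 32,
    "2017-10-23T08:19:30Z proxy src=10.20.1.15 dst=198.51.100.200 url=http://intranet.example/",
]
```

Because the alert describes staging targets as trusted third-party suppliers, a hit on a familiar supplier hostname is a reason to investigate rather than a false positive to dismiss.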

And that last offer, while it sounds helpful, remains a tricky proposition. Lee is one of many experts who say that, “government, writ large, has a fanaticism around information sharing that isn’t good. Trying to pressure companies into giving up information at no benefit to them is absurd.”

Indeed, retired NCCIC director Lawrence Zelvin told Federal News Radio in 2013 that some ICS operators are loath to share information with the government or even one another.

There seems to be a misperception out there that everybody’s going to share. No, they’re not. They’re just not, because in some cases this is their business, in other cases this is about their reputation, and in some cases they’re worried about government regulation. These are valid fears, and we have to understand that.