By penetrating the networks of downline vendors, Russian hackers gained access to a reportedly secure, isolated network, allowing them to eventually reach the control rooms of US utilities, according to the Wall Street Journal.
The state-sponsored hacking group, which poses a serious threat to critical infrastructure, has been on the watch list of the Department of Homeland Security (DHS) since 2014. Using stolen credentials gained through spear-phishing emails and watering-hole attacks, the hackers's activity long went undetected, which allowed them to steal confidential information and “familiarize themselves with how the facilities were supposed to work,” WSJ reported.
The activity of the Russian hacking group took place in the summer of 2017, according to an email from DHS spokesperson Lesley Fulop. Additionally, Fulop wrote that DHS hosted a webinar on 23 July to share actionable information with its industry and government partners in an effort to help them protect their networks and improve the nation’s collective defense against cyber threats.
"While hundreds of energy and non-energy companies were targeted, the incident where they gained access to the industrial control system was a very small generation asset that would not have had any impact on the larger grid if taken offline," said Fulop. "Over the course of the past year as we continued to investigate the activity, we learned additional information which would be helpful to industry in defending against this threat. We will continue our strong public–private partnership and remain vigilant in defending critical infrastructure."
"Protecting our nation’s critical infrastructure is a shared responsibility between DHS and our public and private sector partners. Industry has invested significant resources in defending against nation state actors and this investment is working."
Part of that investment includes empowering service providers to identify weaknesses in third-party vendors, a critical security strategy intended to prevent these types of attacks. “If they beat you just once by finding a single exploitable weakness within a single vendor, supplier or contractor, the results can be catastrophic. Rather than reacting to breaches like this after they occur, utilities providers need to take a more proactive approach to managing third-party risk,” said Fred Kneip, CEO, CyberGRX.
“That means identifying third parties with weak security controls before they’re exploited, and working with them to mitigate the risk of attacks and breaches before they become a target for attackers.”
In order to defend against Russia and other nation-state attacks, the cybersecurity community and the US government need to act, said Steve Kahan, CMO, Thycotic. “The NIST framework presents IT security professionals with guidelines to improve critical infrastructure cybersecurity. However, to be truly effective, the NIST regulation must compel operators of essential services to deliver higher levels of cybersecurity and require that these essential services remain available during an attack.”