Last October, the United States Computer Emergency Readiness Team issued an alert describing how unidentified threat actors were carrying out a cyber attack campaign against energy and other critical infrastructures. The advisory described the activity as a multi-stage intrusion that targeted low-security and small networks operated by third-party suppliers before moving laterally to infrastructure networks of high value within the specified business sectors.
Fast forward to last month, and the same federal investigators issued an updated alert about this campaign with new and much more explicit, alarming detail on what had occurred. First, the attackers are acknowledged to be “Russian government cyber actors.” The update revised the original timeline, stating activity had been underway since March 2016 and possibly earlier; the first report started the timeline at May 2017. The attack methodology was also much more sophisticated than first acknowledged.
While the updated alert provides far more insight than the one issued last October, there are a few elements of missing information that are worthy of further exploration.
It’s Much Worse Than Expected
How long has the cyber campaign actually been going on? It appears the Russians have been targeting western industrial infrastructures for nearly a decade.
It’s obvious the Russian cyber attackers aren’t planning to stop their activities anytime soon. In fact, they are creating administrative accounts, establishing staging networks from which to launch targeted attacks, and establishing persistence with backdoors.
What is the impact of the attacks to date? The US CERT report mentions the “campaign has affected multiple organizations in the energy, nuclear, water, aviation, construction, and critical manufacturing sectors.” The unanswered question, however, is what did the attackers do once those networks were compromised? To date, no detailed technical report has been released that provides specifics about malware activity inside ICS networks, and specifically what the resulting damage was on these facilities.
What Can We Expect Next?
What are the Russians trying to accomplish with these attacks? In all probability, they are looking to acquire a “red button” capability that can shut down parts of the power grid or other critical infrastructure in the U.S. It could be used at some point in the future as leverage in diplomatic negotiations, to support a physical war, or demonstrate Russia’s military might.
The Russian government is not the only nation state targeting the U.S. power grid and critical infrastructures. According to the Idaho National Laboratory (INL) report Cyber Threat and Vulnerability Analysis of the U.S. Electric Sector, “threat actors on multiple fronts continue to seek to exploit cyber vulnerabilities in the U.S. electrical grid.” The report says China and Iran, in addition to Russia, as well as non-state actors including foreign terrorist and hacktivist groups, pose varying threats to the power grid. What’s more, North Korea has demonstrated both an interest and the ability to cause damage to the U.S. through cyber attacks.
Political tensions are rising around the world. Nation-states have developed cyber capabilities capable of compromising critical infrastructures, including energy, utilities, manufacturing and other industrial sectors. It’s not hard to imagine a day when countries attack each other by sabotaging industrial installations to cause physical and environmental damage. In fact, it already happened in 2015 and 2016, when Russian cyber attackers shut down parts of the power grid in Ukraine.
We have made significant investments to protect our IT systems from cyber threats. The same can’t be said for our critical infrastructure and industrial facilities. The CERT Alert should be a wake-up call. Things have to change. Fortunately, the technology to protect critical infrastructures exists today.
The views expressed here are the writer’s and are not necessarily endorsed by Homeland Security Today, which welcomes a broad range of viewpoints in support of securing our homeland. To submit a piece for consideration, email HSTodayMag@gtscoalition.com. Our editorial guidelines can be found here.