By: Morgan Chalfant – thehill.com – March 18, 2018
Trump administration officials on Thursday accused the Russian government of staging a multi-year cyberattack campaign against the energy grid and other elements of critical infrastructure in the United States.
The alert from the Department of Homeland Security and the FBI coincided with the administration’s decision to unveil new sanctions on Russia for 2016 election meddling and other cyber activities — developments that are sure to ramp up tensions between the U.S. and Moscow.
Here are five things to know about Russian cyberattacks against U.S. infrastructure.
A ‘multi-stage intrusion campaign’
Russian government hackers conducted a “multi-stage intrusion campaign” against U.S. energy infrastructure, according to the joint Homeland Security and FBI report.
The campaign, which dates back to at least March 2016, involved hackers targeting lower-level victims — networks belonging to small commercial facilities that had less security — in order to ultimately compromise their intended targets in the energy sector.
Officials said Russia targeted organizations across several sectors, including government, energy, nuclear, water, aviation and critical manufacturing. The victims were not named.
The hackers used spear-phishing emails — fraudulent messages that purport to come from a known sender and contain malicious links or documents. According to the alert, the hackers also in some cases leveraged their initial targets to develop “watering holes,” an attack method in which hackers infect a trusted domain that the ultimate victim will visit.
The attacks were tailored to target those in the industry. The spear-phishing messages, for instance, included references to industrial control equipment or malicious attachments that appeared to be policy documents or invitations.
“They’re trying to target the engineers and people working on those control systems, not just the public in general,” observed Sergio Caltagirone, director of threat intelligence at Dragos, an industrial network security firm.
The Russians accessed information on Industrial Control Systems
Once inside energy sector networks, the hackers moved laterally with the ultimate goal of collecting information on the industrial control systems (ICS) and supervisory control and data acquisition (SCADA) systems used at energy generation facilities.
These systems are used to operate critical facilities and make them run more efficiently. The files accessed by the Russians would provide information that could ultimately be used to stage destructive or disruptive attacks on energy systems, experts say.
“Getting into networks is the first step if you either want to carry out a destructive attack or be able to for a political decision,” said Ben Read, senior manager of cyber espionage analysis at cybersecurity firm FireEye. “That’s going to allow you to more effectively manipulate them.”
The alert shows that, in one case, hackers accessed a Human Machine Interface, which is used by an individual to control a large industrial control system.
Eric Chien, technical director at cybersecurity firm Symantec, observed that, based on the Homeland Security alert, the hackers could have shut off power if they wanted to — but didn’t.