On March 24, 2022, the Department of Justice unsealed two indictments charging four Russian government
employees in two hacking campaigns that targeted critical
infrastructure in the energy sector. We cover these indictments in
depth here. Concurrently, the Cybersecurity and
Infrastructure Security Agency (CISA), the Federal Bureau of
Investigation (FBI), and the Department of Energy (DOE) jointly
published a Cybersecurity Advisory (CSA) relating to the hacks.
The CSA, titled "Tactics, Techniques, and
Procedures of Indicted State-Sponsored Russian Cyber Actors
Targeting the Energy Sector," details the campaigns conducted
by state-sponsored Russian actors, outlines the techniques,
tactics, and procedures used by the hackers, and provides a variety
of mitigation strategies for energy sector entities to protect
their own networks from similar attacks.
This CSA was released just days after the FBI issued an advisory to US businesses, warning
that hackers associated with Russian internet addresses had been
scanning the networks of five US-based energy sector companies,
potentially in preparation for future intrusion attempts, as well as a
warning from President Biden that
Russian-linked hackers may target US organizations as part of Russia's
continued attack against Ukraine and in light of the sanctions
imposed on Russia.
As pressure on Russia mounts, experts expect the energy sector
to remain particularly vulnerable to attack, and anticipate that the
US government will continue to urge business leaders to strengthen
cybersecurity to protect against such attacks.
Below, we summarize the key points in the CSA and highlight the
mitigation tactics that CISA, FBI, and DOE recommend in light of
these threats.
Techniques, Tactics, and Procedures of Hackers Targeting the Energy Sector
The CSA describes the technical details of both the Global
Energy Sector Intrusion Campaign and the compromise of a Middle
East-based energy sector organization.
The Global Energy Sector Intrusion Campaign took place from at
least 2011 through 2018. During this campaign, the Russian Federal Security
Service (FSB) conducted a multi-stage operation in which it gained remote
access to numerous US and international energy sector networks,
deployed malware that targeted industrial control systems
(ICS), and collected and exfiltrated enterprise and ICS-related
data. This campaign included the use of:
- Spear phishing emails (emails claiming to be from a known or
trusted sender to induce a targeted individual to reveal
confidential information);
- Watering hole tactics (infecting websites that actors in a
specific industry commonly visit to lure users to a malicious site,
infect the user's computer, and gain access to the network); and
- Supply chain attacks (when a cyber-threat actor infiltrates a
software vendor's network and employs malicious code to
compromise the software before it is sent to the customer).
Together, these three types of tactics were used to harvest
energy sector credentials, gain access to the networks, and collect
and exfiltrate information about the enterprise, ICS, and
operational technology (OT) environments.
These tactics highlight several common tools used by hackers to
access energy sector networks and disrupt or damage critical
infrastructure. The CSA then provides several recommendations to
prevent and mitigate future cyber-attacks.
Mitigation Recommendations
The CSA recommends a variety of mitigation measures that entities can
take in both the enterprise environment and the ICS environment. Three
key actions are highlighted at the top of the CSA as actions energy
sector entities should take today to protect their networks:
- Implement and ensure robust network segmentation between IT and
ICS networks;
- Enforce multifactor authentication (MFA) to authenticate to a
system; and
- Manage the creation, modification, and use of, as well as the
permissions associated with, privileged accounts.
The CSA also offers additional actions for entities looking to
impose further layers of protection.
The CSA also includes mitigation measures to harden ICS and OT
environments, including:
- Network segmentation mitigations, such as:
  - Implementing and ensuring robust network segmentation between
  IT and ICS networks;
  - Implementing a network topology for ICS that has multiple
  layers;
  - Using one-way communication diodes to prevent external access,
  whenever possible;
  - Setting up demilitarized zones (DMZs) to create a physical and
  logical subnetwork;
  - Employing reliable network security protocols and services
  where feasible;
  - Using virtual local area networks (VLANs) for additional
  network segmentation;
  - Implementing perimeter security between network segments;
  - Controlling traffic between network segments by using
  firewalls, intrusion detection systems (IDSs), and rules for
  filtering traffic on routers and switches;
  - Implementing network monitoring at key chokepoints;
  - Configuring an IDS to create alarms for any ICS traffic outside
  normal operations; and
  - Configuring security incident and event monitoring to monitor,
  analyze, and correlate event logs from across the ICS network to
  identify intrusion attempts.
- Employing ICS best practices, including:
  - Updating all software;
  - Testing all patches in out-of-band testing environments;
  - Implementing application allow listing on human machine
  interfaces and engineering workstations;
  - Hardening software configuration on field devices;
  - Replacing all end-of-life software and hardware devices;
  - Disabling unused ports and services on ICS devices;
  - Restricting and managing remote access software;
  - Configuring encryption and security for network protocols;
  - Disallowing vendors from connecting their devices to the ICS
  network;
  - Disallowing any devices that do not live solely in the ICS
  environment from communicating on the platform;
  - Maintaining an ICS asset inventory of all hardware, software,
  and supporting infrastructure technologies;
  - Maintaining robust host logging on critical devices within the
  ICS environment;
  - Ensuring robust physical security is in place; and
  - Regularly testing manual controls.
***
While cyber threats to this sector are nothing new, the mounting
pressure on Russia has already resulted in an increase in attacks,
and outdated cyber infrastructure continues to leave the energy
sector highly vulnerable. This CSA provides timely and useful
recommendations for how to mitigate these vulnerabilities, but
getting this infrastructure up to snuff in the face of increasingly
sophisticated hackers will be no easy task. As a result, the
industry should buckle up and get ready for a rocky road ahead.