On March 24, 2022, the Department of Justice unsealed two indictments charging four Russian government employees in two hacking campaigns that targeted critical infrastructure in the energy sector. We cover these indictments in depth here. Concurrently, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Energy (DOE) jointly published a Cybersecurity Advisory (CSA) relating to the hacks.
The CSA, titled “Tactics, Techniques, and Procedures of Indicted State-Sponsored Russian Cyber Actors Targeting the Energy Sector,” details the campaigns conducted by state-sponsored Russian actors, outlines the techniques, tactics, and procedures used by the hackers, and provides a variety of mitigation strategies for energy sector entities to protect their own networks from similar attacks.
This CSA was released just days after the FBI issued an advisory to US businesses warning that hackers associated with Russian internet addresses had been scanning the networks of five US-based energy sector companies, potentially in preparation for attempts to breach their defenses, and after a warning from President Biden that Russian-linked hackers may target US organizations as part of Russia's continued attack against Ukraine and in light of the sanctions imposed on Russia.
As pressure on Russia mounts, experts expect the energy sector to remain particularly vulnerable to attack—and anticipate that the US government will continue to urge business leaders to strengthen cybersecurity to protect against such attacks.
Below, we summarize the key points in the CSA and highlight the mitigation tactics that CISA, FBI, and DOE recommend in light of these threats.
Techniques, Tactics, and Procedures of Hackers Targeting the Energy Sector
The CSA describes the technical details of both the Global Energy Sector Intrusion Campaign and the compromise of a Middle East-based energy sector organization.
The Global Energy Sector Intrusion Campaign took place from at least 2011 through 2018. In it, the Russian Federal Security Service (FSB) conducted a multi-stage campaign that gained remote access to numerous US and international energy sector networks, deployed malware that attacked industrial control systems (ICS), and collected and exfiltrated enterprise and ICS-related data. This campaign included the use of:
- Spear phishing emails (emails claiming to be from a known or trusted sender to induce a targeted individual to reveal confidential information);
- Watering hole tactics (infecting websites that actors in a specific industry commonly visit to lure users to a malicious site, infect the user’s computer, and gain access to the network); and
- Supply chain attacks (when a cyber-threat actor infiltrates a software vendor’s network and employs malicious code to compromise the software before it is sent to the customer).
Together, these three types of tactics were used to harvest energy sector credentials, gain access to the networks, and collect and exfiltrate information about the enterprise, ICS, and operational technology (OT) environments.
These tactics highlight several common tools hackers use to access energy sector networks and disrupt or damage critical infrastructure. The CSA then provides several recommendations to prevent and mitigate future cyber-attacks.
The CSA recommends a variety of mitigation measures entities can take in both their enterprise and ICS environments. Three key actions are highlighted at the top of the CSA as actions energy sector entities should take today to protect their networks:
- Implement and ensure robust network segmentation between IT and ICS networks;
- Enforce multifactor authentication (MFA) for authentication to systems; and
- Manage the creation, modification, and use, as well as the permissions associated with, privileged accounts.
The CSA also offers additional actions for entities looking to impose further layers of protection.
The CSA also includes mitigation measures to harden ICS and OT environments, including:
- Network segmentation mitigations, such as:
  - Implementing and ensuring robust network segmentation between IT and ICS networks;
  - Implementing a network topology for ICS that has multiple layers;
  - Using one-way communication diodes to prevent external access, whenever possible;
  - Setting up demilitarized zones (DMZs) to create a physical and logical subnetwork;
  - Employing reliable network security protocols and services where feasible;
  - Using virtual local area networks (VLANs) for additional network segmentation;
  - Implementing perimeter security between network segments;
  - Controlling traffic between network segments by using firewalls, intrusion detection systems (IDSs), and rules for filtering traffic on routers and switches;
  - Implementing network monitoring at key chokepoints;
  - Configuring an IDS to create alarms for any ICS traffic outside normal operations; and
  - Configuring security incident and event monitoring to monitor, analyze, and correlate event logs from across the ICS network to identify intrusion attempts.
- Employing ICS best practices, including:
  - Updating all software;
  - Testing all patches in out-of-band testing environments;
  - Implementing application allowlisting on human-machine interfaces and engineering workstations;
  - Hardening software configuration on field devices;
  - Replacing all end-of-life software and hardware devices;
  - Disabling unused ports and services on ICS devices;
  - Restricting and managing remote access software;
  - Configuring encryption and security for network protocols;
  - Disallowing vendors from connecting their devices to the ICS network;
  - Disallowing any device that does not reside solely in the ICS environment from communicating on that network;
  - Maintaining an ICS asset inventory of all hardware, software, and supporting infrastructure technologies;
  - Maintaining robust host logging on critical devices within the ICS environment;
  - Ensuring robust physical security is in place; and
  - Regularly testing manual controls.
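Two of the monitoring items above (alarming on ICS traffic outside normal operations, and monitoring at the chokepoints between IT and ICS segments) can be illustrated with a small flow checker. This is an added example, not code from the CSA or from this post; the subnets, the ICS baseline, and the flow records are constructed for illustration.

```python
"""Chokepoint monitor: flag IT<->ICS traffic that bypasses the DMZ and ICS
conversations that are not in the known-good baseline. All addresses, the
baseline, and the flow records below are constructed, not real data."""
import ipaddress
from typing import Iterable, List, Optional

IT_NET = ipaddress.ip_network("10.10.0.0/16")        # constructed enterprise IT range
DMZ_NET = ipaddress.ip_network("10.20.0.0/24")       # constructed IT/ICS DMZ
ICS_NET = ipaddress.ip_network("192.168.100.0/24")   # constructed ICS range

# Expected ICS conversations: (src, dst, proto, dport). Anything else alarms.
ICS_BASELINE = {
    ("192.168.100.10", "192.168.100.50", "tcp", 502),   # HMI -> PLC, Modbus/TCP
    ("10.20.0.5", "192.168.100.20", "tcp", 4840),       # DMZ historian -> OPC UA server
}

def parse_flow(line: str) -> dict:
    """Parse one constructed flow record of the form '<src> <dst> <proto> <dport>'."""
    src, dst, proto, dport = line.split()
    return {"src": src, "dst": dst, "proto": proto.lower(), "dport": int(dport)}

def classify(flow: dict) -> Optional[str]:
    """Return an alert string if the flow violates policy, else None."""
    src = ipaddress.ip_address(flow["src"])
    dst = ipaddress.ip_address(flow["dst"])
    if src in ICS_NET or dst in ICS_NET:
        # Direct IT<->ICS traffic should never exist; everything must transit the DMZ.
        if src in IT_NET or dst in IT_NET:
            return f"SEGMENTATION: direct IT<->ICS flow {flow['src']}->{flow['dst']}:{flow['dport']}"
        key = (flow["src"], flow["dst"], flow["proto"], flow["dport"])
        if key not in ICS_BASELINE:
            return f"ANOMALY: ICS flow outside baseline {flow['src']}->{flow['dst']}:{flow['dport']}/{flow['proto']}"
    return None  # IT-only traffic or a baselined ICS conversation

def scan(lines: Iterable[str]) -> List[str]:
    """Run every non-empty flow record through classify() and collect the alerts."""
    return [a for a in (classify(parse_flow(l)) for l in lines if l.strip()) if a]

SAMPLE_FLOWS = """\
192.168.100.10 192.168.100.50 tcp 502
10.10.4.7 192.168.100.50 tcp 502
10.20.0.5 192.168.100.20 tcp 4840
192.168.100.50 192.168.100.60 tcp 502
10.10.4.7 10.10.9.1 tcp 443
"""

if __name__ == "__main__":
    for alert in scan(SAMPLE_FLOWS.splitlines()):
        print(alert)
```

In a real deployment the baseline would be learned from a period of known-good operation and the records would come from the firewall or span port at the segment boundary; the logic is the same.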
While cyber threats to this sector are nothing new, the mounting pressure on Russia has already resulted in an increase in attacks, and outdated cyber infrastructure continues to leave the energy sector highly vulnerable. This CSA provides timely and useful recommendations for how to mitigate these vulnerabilities, but getting this infrastructure up to snuff in the face of increasingly sophisticated hackers will be no easy task. As a result, the industry should buckle up and get ready for a rocky road ahead.