Global Weekly Executive Summary, 20 March 2018

DHS and FBI Alert Warns of Russian Government Cyberattacks Targeting Critical Infrastructure

On Thursday, March 15, 2018, The Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) released a joint Technical Alert warning about “Russian government actions targeting U.S. Government entities as well as organizations in the energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors.”

The DHS and FBI describe these cyberattacks as a “multi-state intrusion campaign by Russian government cyber actors” that has been in operation since at least March 2016. The Wall Street Journal quoted an unnamed senior national security advisor as stating that “The campaign is long-term and still ongoing.”   

The target of the attacks are described as “small commercial facilities’ networks” which were used as a platform from which to stage malware, conduct spearphishing attacks, “and gain remote access into energy sector networks.” Upon gaining access to these networks, the threat actors conducted network and host reconnaissance, moved laterally, and gathered more information on Industrial Control systems. The alert included indicators of compromise (IOC) and outlined tactics, techniques, and procedures (TTPs) used to target the victims.

The technical alert also references the Symantec report “Dragonfly: Western energy sector targeted by sophisticated attack group” from September 2017, a report detailing the activities related to a cyberespionage campaign  (also known as Energetic Bear) that has been in operation since at least 2011, originally targeting U.S. and Canadian defense and aviation companies before shifting focus to US and European energy firms in 2013.

An Associated Press article reported that the Nuclear Regulatory Commission issued a statement that “corporate networks at some of the 99 nuclear power plants licensed by the Nuclear Regulatory Commission were affected by the 2017 hack aimed at the energy grid and other infrastructure, but no safety, security or emergency preparedness functions were impacted.” The attacks “did not compromise operations at any of the nation’s power plants, federal regulators and the industry said…,” and “the Federal Energy Regulatory Commission also said the incident had no operational impacts on interstate transmission of electricity.”

The US-CERT Technical Alert is significant because it plainly and pointedly attributes these attacks to “Russian government actions targeting U.S. Government entities” and repeatedly states that the actions were perpetrated by “Russian government cyber actors.”

On the same day as the Technical Alert was released, the Trump administration and the U.S. Department of the Treasury announced economic sanctions against Russian entities and individuals in response to the 2016 U.S. election interference, the costly NotPetya global ransomware attacks, and the cyberattacks targeting US government entities and multiple US critical infrastructure sectors. A statement by Treasury Secretary Steven T. Mnuchin reads “The Administration is confronting and countering malign Russian cyber activity, including their attempted interference in U.S. elections, destructive cyber-attacks, and intrusions targeting critical infrastructure. These targeted sanctions are a part of a broader effort to address the ongoing nefarious attacks emanating from Russia.”  

Also on Thursday, the U.S., Britain, France, and Germany issued a joint statement denouncing Russia’s role in the nerve-gas poisoning attack of a former Russian spy and his daughter on British soil.

Sources:

US-CERT, Alert (TA18-074A), Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors

US Department of the Treasury, Actors for Interference with the 2016 U.S. Elections and Malicious Cyber-Attacks

Wall Street Journal, Trump Administration Sanctions Russia for Interference in U.S. Elections

Washington Post, Trump administration hits Russian spies, trolls with sanctions over U.S. election interference, cyberattacks

Associated Press, US says Russian hack did not compromise power grid, plants

Symantec, Dragonfly: Western energy sector targeted by sophisticated attack group

Symantec, Emerging Threat: Dragonfly / Energetic Bear – APT Group