Officials described an intricate effort to get into infrastructure provider networks by stealing credentials from known third-party suppliers and a government agency.
The Russian cyberattack that targeted hundreds of corporate and federal victims in a campaign to access energy critical infrastructure providers was, and is, backed by extensive legwork by human intruders, according to a top Department of Homeland Security analyst.
The attackers infiltrated the networks and control systems of "quite a number" of energy infrastructure providers last summer by leveraging the trusted electronic identities of victims targeted in a stealthy spearphishing and watering hole campaign between 2016 and 2017, according to Jonathan Homer, chief of industrial control system analysis at DHS.
DHS walked back published reports that the hackers were close to being able to actually take control of infrastructure targets.
In a webcast describing the tactics used, Homer described a patient, diligent set of human attackers willing to wait a year after compromising at least one vendor's network before using that foothold to begin working toward the vendor's primary critical infrastructure customer. Humans at keyboards were used, instead of relying on data scraping and other automated techniques.
The details come from the second DHS National Cybersecurity and Communications Integration Center webcast on "Russian Activity Against Critical Infrastructure" on July 25. The NCCIC is conducting four webcasts on the attacks, with the same content, to spread the word on the novel techniques used to gain operations-level access to critical infrastructure providers' industrial control systems.
Although the campaign has been attributed to the Russian-backed "Energetic Bear" groups, Homer declined to answer a question about the specific identity of the Russian group involved in the campaign during the July 25 webcast.
The attackers, said Homer, didn't come at infrastructure providers directly, but hijacked the electronic credentials of trusted organizations, such as vendors and even a government agency, to get into critical infrastructure networks, where they then stole the credentials of employees to move further into those networks.
Homer didn't name the government agency targeted with initial spearphishing emails. The identities leveraged by the attackers to get into the target critical infrastructure providers didn't really matter to the attackers, he said, only their pre-existing relationship with the infrastructure provider. The agency, he said, reported the questionable traffic to DHS, however.
Once the threat actors were in critical infrastructure networks, they needed to get up to speed on how the infrastructure worked. They targeted and stole the electronic credentials of technicians and operational personnel, as well as technical data and operational schematics of industrial processes.
They also leveraged online digital photos of seemingly benign corporate events, such as ribbon cuttings, or photos of executives, but only those photos that included actual industrial equipment or systems in the background, according to Homer.
Those infrastructure schematics and details from publicly available sources were critical for attackers to understand the intricacies of how to manipulate a particular system, since industrial control systems are highly individual and can vary tremendously from site to site.
Ultimately, said Homer, no infrastructure was actually manipulated in the campaign.
The campaign is apparently ongoing, since Homer warned his audience to let DHS know if they see similar tactics, such as remote Server Message Block (SMB) attacks or attempts to get into systems via virtual private networks.
He also advised companies to scrutinize the contacts on their trusted "whitelist" of acceptable traffic to limit any threat actor's access to credentials that are automatically accepted by networks.
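One of the tactics Homer asks organizations to watch for is remote SMB activity. An internal host opening an SMB connection (TCP 445 or 139) to an address outside the organization's own ranges is something a defender can detect directly from firewall or flow logs, and the same review also surfaces which internal hosts are talking to the same outside SMB endpoint. The following is an added example, not code from the article or from DHS; the log line format, the internal address ranges and the sample log lines are all constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample firewall log lines (not real data): timestamp, action,
# source -> destination:port, protocol. The format is an assumption.
SAMPLE_LOG = """\
2018-07-25T09:12:01Z ALLOW 10.20.5.14 -> 10.20.5.2:445 tcp
2018-07-25T09:12:07Z ALLOW 10.20.5.14 -> 203.0.113.77:445 tcp
2018-07-25T09:13:44Z ALLOW 10.20.7.9 -> 198.51.100.23:443 tcp
2018-07-25T09:15:02Z DENY 10.20.5.31 -> 203.0.113.77:445 tcp
2018-07-25T09:16:30Z ALLOW 10.20.9.3 -> 192.0.2.10:445 tcp
"""

LINE_RE = re.compile(r"^(\S+)\s+(ALLOW|DENY)\s+(\S+)\s+->\s+(\S+):(\d+)\s+(\w+)$")

# Ports used by SMB (445 direct, 139 over NetBIOS session service).
SMB_PORTS = {445, 139}

# Assumed internal address space; a real deployment would list the
# organization's actual routed prefixes rather than generic RFC 1918 blocks.
INTERNAL_NETS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that don't match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, action, src, dst, dport, proto = m.groups()
    return {"ts": ts, "action": action, "src": src, "dst": dst,
            "dport": int(dport), "proto": proto.lower()}


def is_internal(ip):
    """True if the address falls inside one of the configured internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_outbound_smb(log_text):
    """Return every TCP record where an internal host reached an external SMB port.

    Both allowed and denied connections are kept: a blocked attempt still
    tells the defender that something on the inside tried to reach SMB outside.
    """
    findings = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["proto"] != "tcp":
            continue
        if (rec["dport"] in SMB_PORTS
                and is_internal(rec["src"])
                and not is_internal(rec["dst"])):
            findings.append(rec)
    return findings


def summarize(findings):
    """Group findings by external destination: allowed/blocked counts and source hosts."""
    by_dst = defaultdict(lambda: {"allowed": 0, "blocked": 0, "sources": set()})
    for f in findings:
        entry = by_dst[f["dst"]]
        entry["allowed" if f["action"] == "ALLOW" else "blocked"] += 1
        entry["sources"].add(f["src"])
    return {
        dst: {"allowed": v["allowed"], "blocked": v["blocked"],
              "sources": sorted(v["sources"])}
        for dst, v in by_dst.items()
    }


if __name__ == "__main__":
    for dst, info in summarize(find_outbound_smb(SAMPLE_LOG)).items():
        print(f"{dst}: allowed={info['allowed']} blocked={info['blocked']} "
              f"from {', '.join(info['sources'])}")
```

Run against the constructed log, the internal-to-internal SMB line and the HTTPS line are ignored, and the three outbound SMB records collapse into two external destinations, one of which was reached by two different internal hosts. Egress rules that simply block outbound 445/139 remove the risk; where such traffic is still permitted, this summary is the kind of artifact Homer suggests reporting to DHS.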