Hundreds of U.S. utilities were penetrated by Russian hackers who could have disrupted the nation’s power grid.
The attacks were launched last year by threat actors belonging to a group known as “Dragonfly” or “Energetic Bear,” which is sponsored by the Russian government, The Wall Street Journal reported Monday.
The hackers used black-hat techniques such as phishing and watering-hole traps to obtain credentials from legitimate users, then leveraged those credentials to gain access to the utilities, the Journal noted, citing federal government officials.
“We’ve seen phishing and spearphishing used against energy and utility companies by foreign actors for more than a decade,” said Rohyt Belani, CEO of Cofense, a maker of antiphishing solutions, based in Leesburg, Virginia.
Phishing emails are used to trick targets into exposing their credentials or other sensitive information. Spearphishing does the same thing but is aimed at a narrower target audience.
“So this is a lot more of the same, although it seems to be happening at greater frequency,” Belani told TechNewsWorld.
“The underlying technique is still spearphishing,” he continued, “although the attackers are constantly modifying those techniques to get by the latest and greatest defense mechanisms.”
To Freak Out or Not
While these utility intruders could disrupt electrical power in the United States, Belani doesn’t think they will.
“I don’t think nations like Russia or China would go down that path given the potential ramifications,” he said, “but hacking like this gives those countries some levers to pull should tensions build.”
The cyberattacks on U.S. utilities should be a source of concern, but they aren’t “something to necessarily freak out about,” remarked Emily S. Miller, director of national security and critical infrastructure programs at Mocana, a San Francisco-based company that focuses on embedded system security for industrial control systems and the Internet of Things.
“The electric grid is highly resilient,” she told TechNewsWorld.
Resilient or not, the threat from these hackers to the grid appears to be very serious, maintained Barak Perelman, CEO of Indegy, a New York-based maker of security solutions for industrial systems.
“Russia has its finger on a big red button,” he told TechNewsWorld. “If someone decides it’s time to press that button, they can shut off significant portions of the U.S. power grid.”
Not Intended to Disrupt Power
The intrusions reported by the U.S. Department of Homeland Security (DHS) were not intended to disrupt power sources, noted Joe Slowik, an adversary hunter for Dragos, a maker of security software for the critical infrastructure community, based in Hanover, Maryland.
“Throughout, the adversaries in question limited operations to information gathering, network survey and reconnaissance,” he told TechNewsWorld.
“There is no evidence that the adversaries were in position or intended to cause a widespread disruption event,” Slowik said. “Furthermore, based on the tradecraft exhibited and methods observed, any such action would need to be ‘manual’ in nature, meaning even if this access was translated into an attack, it would scale poorly and result in limited utility impacts.”
All large nation-state adversaries have been hacking each other’s power grids as a matter of routine to preposition assets, said Ross Rustici, senior director of intelligence services for Cybereason, an endpoint protection, detection and response company based in Tel Aviv, Israel.
“There isn’t going to be any bolt-out-of-the-blue attack,” he told TechNewsWorld.
“The Russians aren’t scheming to disrupt the power grid tomorrow,” he continued, “but if tensions boil over, if there’s a direct conflict between us and them, this is absolutely a tool that Russia knows how to use and has demonstrated its willingness to use it in hybrid warfare in the Ukraine.”
Mutually Assured Destruction
It’s unusual for the DHS to call out a nation-state attacker by name, said Mocana’s Miller, who previously worked at DHS as chief of process management, measurement and exercise planning.
That suggests it had a high degree of certainty before fingering Russia.
DHS has not commented publicly on The Wall Street Journal’s report.
“Based on the level of detail presented in the Mueller indictments of July 13, I would be hard-pressed to doubt the intelligence and law enforcement communities,” Michael Magrath, director of global regulations and standards at OneSpan, told TechNewsWorld.
OneSpan, a provider of security, authentication, fraud prevention and e-signature services, is based in Chicago.
Although the U.S. doesn’t brag about it, there is a widespread assumption that it has hacked the critical infrastructure of nations that launched cyberattacks on America’s infrastructure. Some believe this sets up a mutual-destruction stalemate reminiscent of the Cold War. That may not be the case, however.
“It’s dangerous to assume that this fits the Cold War model of a balanced standoff because of ‘mutually assured destruction,’” said Ray DeMeo, COO of Virsec, a San Jose, California-based provider of protection against memory-based cyberattacks.
“Many of these hacking groups have some nation-state sponsorship, but also pursue their own agendas,” he told TechNewsWorld. “This is a very distributed threat, and relying on centralized control to keep things in check probably won’t work.”
What’s more, neither side is deterred by the mutual destruction they could wreak on each other, maintained Chris Stoneff, vice president of security solutions at Bomgar, a secure remote support and privileged access management company, based in Johns Creek, Georgia.
“Both sides feel they could withstand some kind of power disruption, at least long enough to launch other cyberattacks or create a military response if they so desire,” he told TechNewsWorld.
What Can Utilities Do?
Utilities can be more aggressive in assessing vulnerabilities, updating systems, and adding new security strategies, Virsec’s DeMeo said.
“They need to assume that hackers already have a footprint somewhere within their networks and bypassed their legacy perimeter defenses,” he explained. “The focus needs to shift from guarding the gate to proactively protecting critical applications and making sure they only do the right thing.”
Critical national infrastructure should not be directly reachable from the Internet, Bomgar’s Stoneff recommended.
A combination of rotating passwords and multifactor authentication also could help reduce the risks that these systems could be penetrated, he said.
“It may seem obvious, but greater diligence in educating staff and the public broadly about being vigilant regarding email, social media and the websites they visit and links they click has never been more important,” said Sigfus Magnusson, vice president for product management at Men & Mice, a Kopavogur, Iceland-based maker of DNS, DHCP and IP Address management software.
That is particularly true “for critical system administrators or those who may control automated systems,” he told TechNewsWorld.
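The credential-phishing technique described at the top of the article and the email vigilance Magnusson calls for here both come down to spotting a handful of indicators in a message before anyone clicks. The following is an added example, not code from the article or from any vendor quoted in it: a small heuristic checker that parses raw email headers and body and flags lookalike sender domains, Reply-To and Return-Path mismatches, failed SPF/DKIM/DMARC results, internal-sounding display names on external addresses, and credential-harvest language. The trusted-domain list, the confusable-character table, the thresholds and the two sample messages are all constructed assumptions for illustration.

```python
"""Heuristic phishing-indicator checks over raw RFC 5322 messages.

Added example, not the article's or any quoted vendor's code. The trusted
domains, confusable table, scoring threshold and sample messages below are
constructed assumptions.
"""
import re
from email import message_from_string
from email.utils import parseaddr

TRUSTED_DOMAINS = {"example-utility.com"}  # assumption: the utility's own domain(s)

# Digit/letter confusables commonly used in lookalike domains (assumption)
_CONFUSABLES = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "7": "t", "|": "l"})


def _domain(addr: str) -> str:
    """Return the lower-cased domain part of an address, or '' if none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _normalise(domain: str) -> str:
    """Fold confusable characters and the classic 'rn' -> 'm' trick."""
    return domain.lower().translate(_CONFUSABLES).replace("rn", "m")


def is_lookalike(domain: str) -> bool:
    """True if a non-trusted domain resembles or embeds a trusted one."""
    if not domain or domain in TRUSTED_DOMAINS:
        return False
    folded = _normalise(domain)
    return any(_normalise(t) in folded for t in TRUSTED_DOMAINS)


def analyse(raw: str) -> dict:
    """Parse one raw message and return indicator findings plus a verdict."""
    msg = message_from_string(raw)
    findings = []

    display, from_addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(from_addr)
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    auth = msg.get("Authentication-Results", "").lower()

    if is_lookalike(from_dom):
        findings.append(f"from-domain lookalike: {from_dom}")
    if reply_addr and _domain(reply_addr) != from_dom:
        findings.append(f"reply-to domain mismatch: {_domain(reply_addr)}")
    if return_path and _domain(return_path) != from_dom:
        findings.append(f"return-path domain mismatch: {_domain(return_path)}")
    for mech in ("spf", "dkim", "dmarc"):
        if re.search(rf"\b{mech}=(fail|softfail|none)\b", auth):
            findings.append(f"{mech} not passing")
    # Display name that claims an internal role while the address is external
    if from_dom not in TRUSTED_DOMAINS and re.search(
        r"\b(it|helpdesk|security|scada|admin)\b", display, re.I
    ):
        findings.append(f"internal-sounding display name from external domain: {display!r}")

    body = msg.get_payload(decode=True) or b""  # None for multipart; body checks then skip
    text = body.decode("utf-8", "replace").lower()
    if re.search(r"(verify|confirm|update) your (password|credentials|account)", text):
        findings.append("credential-harvest language in body")
    for host in re.findall(r"https?://([^/\s]+)", text):
        if is_lookalike(host):
            findings.append(f"lookalike link host: {host}")

    # Assumption: two or more independent indicators is enough to quarantine for review
    return {"findings": findings, "score": len(findings), "suspicious": len(findings) >= 2}


# Constructed sample messages (not real traffic)
SAMPLE_PHISH = """\
From: IT Helpdesk <helpdesk@examp1e-utility.com>
Reply-To: helpdesk@mail-collector.example.net
Return-Path: <bounce@mail-collector.example.net>
Authentication-Results: mx.example-utility.com; spf=fail smtp.mailfrom=mail-collector.example.net; dmarc=fail
Subject: Action required: SCADA VPN password expiry
Content-Type: text/plain; charset=utf-8

Your VPN token expires today. Please verify your credentials at
https://vpn.examp1e-utility.com/login within 2 hours.
"""

SAMPLE_LEGIT = """\
From: Grid Operations <ops@example-utility.com>
Return-Path: <ops@example-utility.com>
Authentication-Results: mx.example-utility.com; spf=pass smtp.mailfrom=example-utility.com; dkim=pass; dmarc=pass
Subject: Maintenance window Saturday
Content-Type: text/plain; charset=utf-8

Reminder: substation telemetry upgrade Saturday 02:00-04:00. No action needed.
"""

if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        result = analyse(sample)
        print(f"{label}: suspicious={result['suspicious']} score={result['score']}")
        for f in result["findings"]:
            print("  -", f)
```

Each check is deliberately weak on its own; the value is in requiring several independent indicators to agree, which is why the verdict is a count rather than any single match. In practice the Authentication-Results header should be trusted only when it was written by your own inbound gateway, and the trusted-domain and confusable lists would be fed from the organisation's real domain inventory.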
Still, it remains to be seen if the tough decisions needed to secure U.S. infrastructure will be made.
“It’s hard to imagine that we will be able to summon the courage to harden our critical infrastructure to anything like what it would take to stop the threat,” said Jeff Williams, CTO of Contrast Security, a maker of self-protecting software solutions, based in Los Altos, California.
“We built our defenses for lone script-kiddies looking to have some fun,” he told TechNewsWorld, “and we’re being targeted by highly trained state-sponsored attack forces.”