On March 15, 2018, the United States Department of Homeland Security (DHS) and Federal Bureau of Investigation (FBI) released a joint alert formally accusing a foreign government of being responsible for an ongoing intrusion campaign targeting U.S. critical infrastructure. The alert elaborates on how government-sponsored hacking groups target U.S. Government entities as well as organizations in the energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors.
According to DHS and FBI, the activities can be characterized as multi-stage attacks in which the perpetrators first targeted the networks of small commercial facilities. Using spear phishing and malware, the threat actors gained remote access to energy sector networks. After obtaining access, the cyber actors conducted network reconnaissance, moved laterally, and collected information pertaining to Industrial Control Systems (ICS) and Supervisory Control And Data Acquisition (SCADA) systems.
This campaign started no later than March 2016 and comprises two distinct categories of victims: staging targets and intended targets. “The initial victims are peripheral organizations such as trusted third-party suppliers with less secure networks, referred to as ‘staging targets’ throughout this alert. The threat actors used the staging targets’ networks as pivot points and malware repositories when targeting their final intended victims.”
DHS and FBI repeatedly found evidence of the threat actors targeting ICS and SCADA infrastructure. The hackers stole wiring diagrams and the profile and configuration information needed to access the critical systems. They also accessed HMIs (Human Machine Interfaces) and used advanced techniques to stay hidden, including wiping traces of their malware tools and the associated logs from exploited systems.
The alert advises critical infrastructure owners on best practices and on how to determine whether they have been affected. Read the full alert here: https://www.us-cert.gov/ncas/alerts/TA18-074A.
Timely detection of ongoing hacking attempts is vital to securing ICS and SCADA systems. Continuous intrusion detection, such as that provided by Secure-NOK, gives situational awareness and can limit the attacker's success in gathering information, installing backdoors, and removing traces of their activity. In many cases, simple countermeasures such as two-factor authentication at critical endpoints, combined with continued close monitoring, are effective at reducing the risk of harmful consequences from an attack.