Cybercriminals Have Already Broken Into US Energy Companies

Cooling towers from the Limerick Generating Station, a nuclear power plant in Pottstown, Pennsylvania, seen from a nearby neighborhood on March 25, 2011. Limerick consists of two boiling water reactors designed by General Electric and is located on the Schuylkill River. STAN HONDA/AFP/Getty Images

Two statements of fact stand out in Symantec’s new report on intrusions into U.S. and European energy companies. First, the adversaries have been campaigning to access these critical infrastructure systems since at least 2015. Second, the attackers did not use any zero day vulnerabilities to get in.

A zero day is a vulnerability that has been discovered but not yet disclosed or patched, making it highly unlikely that anyone is watching for breaches using that particular vulnerability.

“The energy sector in Europe and North America is being targeted by a new wave of cyber attacks that could provide attackers with the means to severely disrupt affected operations,” Symantec begins its report by writing.

The company does not reveal which facilities were compromised in the breaches it found, nor how many different companies the attackers were able to access. It does say that it has worked with each to clear out malware and deploy countermeasures against the breaches. It has also updated its software to aid in automated detection of similar attacks.

In June, Wired published a sweeping report on attacks on Ukraine’s power grid. Those attacks were seen as part of the larger hostilities between Russia and Ukraine, but also potentially as a dress rehearsal for attacks that could be conducted in other parts of the world, such as against Russia’s main adversary over the last century, the United States.

That report warned that the U.S. grid might be somewhat more vulnerable than Ukraine’s. On the one hand, power infrastructure here has stronger digital defenses than similar systems in Ukraine. On the other hand, because engineers here have become so reliant on automation, they might not be as well versed in switching to manual controls when and if that becomes necessary.

In Ukraine, when cybercriminals shut down a power plant remotely, local engineers were able to restore power in a few hours by switching the automation off and running it by hand.

In these large scale systems, the stakes can be considerably higher than simply switching lights on or off. In 2007, one of the Department of Energy’s national laboratories demonstrated how an entirely digital attack against a generator could actually destroy the device, by sending instructions in sequences that cause the machine to break down in a violent fashion.

Stuxnet, a cyberweapon believed to have been developed by the U.S. and/or Israel, is known to have destroyed nuclear centrifuges in Iran by causing them to spin so fast that they fell apart.

Symantec declined to attribute the attack to a specific nation-state, only stating that the exploit appeared to be an updated version of one observed by the company in 2014, which it attributed to a group it calls “Dragonfly.” Some aspects of the code and malware files included words in French and Russian.

Symantec’s report only describes breaches. It does not describe any evidence of actual attacks against these facilities. It appears that the cybercriminals have simply accessed the systems, built multiple backdoors to ensure continued access, and conducted intelligence gathering to prepare for an eventual operation.

In at least one case, attackers got deep enough inside a system that they were able to take screen captures of its administrative controls. This behavior suggests a disciplined organization looking at long-term strategic gains over short-term objectives.

Symantec found evidence of multiple attack vectors used to secure credentials of staff at these facilities.

One was a simple phishing attack. Staff were sent emails with invitations to a New Year’s Eve party, but the link led to a compromised site.

Another was a watering hole attack. In this kind of attack, criminals look for websites that many people in a targeted group visit. These secondary sites may be less well defended than the targeted group itself, so by compromising one of them, attackers may be able to deliver malware to a targeted machine when its user visits.

Symantec observes that the attackers used a combination of known strategies to get access to these critical infrastructure facilities, which could be an indication that the group does not have rich resources. For example, the attackers never used a zero day, which is the most advanced weapon cybercriminals have. Zero days quickly lose value after they have been used, because impacted companies report the new vulnerability and patches are issued to secure the weakness.

The fact that the hackers never used a zero day may be a sign of incredible resources, as well. It shows an organization with the depth and the patience to slowly and methodically probe vulnerabilities without burning its most valuable assets. The fact that the attackers never appeared to have exploited their access to extort impacted companies further supports this conclusion.

In its best practices, Symantec advises management running critical infrastructure to require staff to use two-factor authentication. By requiring two keys to access systems, it doesn’t matter if an attacker somehow manages to steal a target’s password, because the password alone is not enough to get in. The second key is usually something that changes, such as a code sent over SMS or generated by an app, or something physical, such as a YubiKey.

It’s more than a little alarming that U.S. facilities needed this reminder.