The United States Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) have detected a coordinated effort by malicious actors to compromise the country’s critical infrastructure, including organizations in the government, aviation, power generation, energy and critical manufacturing sectors. These environments typically include Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) systems that control physical processes.
These attacks are ongoing.
The “ownership” of any one of these critical infrastructures by a malicious actor would cause significant economic and social distress to the United States. On October 20 and 21, 2017, DHS and the FBI jointly published Technical Alert TA17-293A, entitled “Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors”.
Let’s Look at These Attacks at a High Level
The attackers are carefully choosing high-value targets rather than scanning for targets of opportunity. They conduct open-source research on those targets, studying publicly available information that reveals business partners, employee data, infrastructure details and so on. All of this is useful for selecting targets and designing attacks.
The present attacks follow a pattern: compromise a weakly defended network, typically one operated by a supplier or contractor, that is connected to a more strongly defended critical infrastructure target. Once compromised, the partner or contractor network is used as a bridge into the critical infrastructure network, exploiting the trust relationship between the subcontractor or partner and the primary objective of the attack. The attackers are also manipulating “watering hole” domains, for example trade and informational websites related to industrial control, process control and critical infrastructure.
Targeted, critical-infrastructure-specific spear-phishing emails carry attachments that abuse Microsoft Office’s ability to load content from a remote location: the document references a file (for example, a template) on an SMB server under the attackers’ control. When the document is opened, Windows automatically attempts to authenticate to that server, and the attackers capture the resulting NTLM challenge/response exchange, from which the user’s password hash can be cracked offline or relayed. The SMB server may be owned by the malicious actors or may be a compromised machine belonging to the victim. The compromised watering-hole domains use the same SMB credential-harvesting technique.
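A defender’s first line of detection for the attachment technique above is to inspect the document itself before it reaches a user. The following is an added example, not code from the original post or from DHS/FBI: it unpacks a .docx (an OOXML zip) and looks for relationship entries with TargetMode="External" whose target is a UNC path or file:// URL, which is what makes Word fetch the resource on open and Windows authenticate to that host over SMB. The sample document is constructed inline as a fixture; the IP address is from the documentation range and is not a real indicator.

```python
"""Flag Office documents that reference a remote SMB/UNC resource.

Added example (not the post's or DHS/FBI's code). Parses the OOXML
relationship files inside a .docx: an attachedTemplate (or any other)
relationship with TargetMode="External" and a UNC or file:// target makes
Word fetch the resource on open, and Windows then authenticates to that host
over SMB, leaking the user's NTLM challenge/response. The sample document
below is constructed inline; 198.51.100.23 is a documentation-range address.
"""
import io
import re
import zipfile

# Every OOXML relationship file (root _rels/.rels, word/_rels/*.rels, ...).
RELS_PATTERN = re.compile(r"(^|/)_rels/[^/]*\.rels$")
# One <Relationship .../> element flagged as external, attributes in any order.
EXTERNAL_REL = re.compile(r'<Relationship\b[^>]*TargetMode="External"[^>]*>', re.I)
TARGET_ATTR = re.compile(r'Target="([^"]+)"', re.I)


def forces_smb_auth(target):
    """True for UNC paths (two leading backslashes) and file:// URLs, which
    make the client authenticate to the named host over SMB."""
    t = target.strip()
    return t.startswith("\\\\") or t.lower().startswith("file://")


def find_external_targets(docx_bytes):
    """Return (relationship_file, target) for every external relationship."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not RELS_PATTERN.search(name):
                continue
            xml = z.read(name).decode("utf-8", errors="replace")
            for rel in EXTERNAL_REL.findall(xml):
                m = TARGET_ATTR.search(rel)
                if m:
                    found.append((name, m.group(1)))
    return found


def classify(docx_bytes):
    """Split external targets into ordinary ones (https hyperlinks etc.) and
    SMB-forcing ones; the latter warrant blocking the attachment."""
    external = find_external_targets(docx_bytes)
    smb = [(path, t) for path, t in external if forces_smb_auth(t)]
    return {"external": external, "smb_forced_auth": smb}


def build_sample_docx(template_target):
    """Construct a minimal .docx (test fixture, not a real phishing sample)
    with an attached template pointing at template_target plus a benign
    https hyperlink, so the scanner has both cases to distinguish."""
    ns = "http://schemas.openxmlformats.org/package/2006/relationships"
    rel_type = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
    settings_rels = (
        f'<Relationships xmlns="{ns}">'
        f'<Relationship Id="rId1" Type="{rel_type}attachedTemplate" '
        f'Target="{template_target}" TargetMode="External"/>'
        "</Relationships>"
    )
    document_rels = (
        f'<Relationships xmlns="{ns}">'
        f'<Relationship Id="rId1" Type="{rel_type}hyperlink" '
        'Target="https://example.com/" TargetMode="External"/>'
        "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/settings.xml", "<w:settings/>")
        z.writestr("word/_rels/settings.xml.rels", settings_rels)
        z.writestr("word/_rels/document.xml.rels", document_rels)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_docx("file://198.51.100.23/share/template.dotm")
    for path, target in classify(sample)["smb_forced_auth"]:
        print(f"BLOCK: {path} -> {target}")
```

The same scan applies to .xlsx and .pptx packages, since they share the relationship-file layout; pairing it with an egress rule that blocks outbound TCP 445 at the perimeter covers the cases the scanner misses.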
Using the stolen credentials, the attackers access the victim network and:
- Download tools to establish presence, persistence and control
- Create new user accounts
- Attempt to escalate the privileges of those accounts
- Disable host-based firewalls
- Establish Remote Desktop Protocol (RDP) access
- Install VPN clients
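Each step in that list leaves a distinct trace in Windows event logs, and the sequence is far more telling than any single event. The following is an added example, not code from the original post or from DHS/FBI: it maps event records to stages (account created, added to an admin group, host firewall turned off, RDP enabled or used, service installed) and alerts on any host that shows several distinct stages inside one window. The event records are constructed samples, not real logs; the field names follow the Windows Security and System log schema, and the 24-hour window and three-stage threshold are assumptions to tune.

```python
"""Correlate Windows event records for the post-credential-theft sequence:
new account, admin group membership, firewall off, RDP on/used, new service.

Added example (not the post's or DHS/FBI's code). SAMPLE_EVENTS is a
constructed fixture; the window and threshold are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

ADMIN_GROUPS = {"Administrators", "Domain Admins", "Remote Desktop Users"}
FIREWALL_OFF = re.compile(r"netsh\s+advfirewall\s+set\s+\w+\s+state\s+off", re.I)
RDP_ENABLE = re.compile(r"fDenyTSConnections.*/d\s+0\b", re.I)


def stage_of(ev):
    """Map one event record to an attack stage, or None if uninteresting."""
    eid = ev.get("EventID")
    if eid == 4720:                       # a user account was created
        return "account_created"
    if eid in (4728, 4732) and ev.get("TargetUserName") in ADMIN_GROUPS:
        return "added_to_admin_group"     # member added to a privileged group
    if eid == 4688:                       # process creation with command line
        cmd = ev.get("CommandLine", "")
        if FIREWALL_OFF.search(cmd):
            return "host_firewall_disabled"
        if RDP_ENABLE.search(cmd):
            return "rdp_enabled"
        return None
    if eid == 4624 and ev.get("LogonType") == 10:
        return "rdp_logon"                # RemoteInteractive (RDP) logon
    if eid == 7045:                       # System log: a service was installed
        return "service_installed"
    return None


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def correlate(events, window=timedelta(hours=24), min_stages=3):
    """Return {host: sorted stages} for hosts that show at least min_stages
    distinct stages within any window-long span."""
    per_host = defaultdict(list)
    for ev in events:
        stage = stage_of(ev)
        if stage:
            per_host[ev["host"]].append((parse_ts(ev["ts"]), stage))
    alerts = {}
    for host, items in per_host.items():
        items.sort()
        for i, (t0, _) in enumerate(items):
            stages = {s for t, s in items[i:] if t - t0 <= window}
            if len(stages) >= min_stages:
                alerts[host] = sorted(stages)
                break
    return alerts


# Constructed sample (not real logs): one host walks through the whole
# sequence under a stolen account, another shows benign activity only.
SAMPLE_EVENTS = [
    {"ts": "2017-10-19T02:11:04Z", "host": "eng-ws07", "EventID": 4624,
     "LogonType": 10, "TargetUserName": "j.smith", "IpAddress": "10.10.9.3"},
    {"ts": "2017-10-19T02:13:40Z", "host": "eng-ws07", "EventID": 4720,
     "SubjectUserName": "j.smith", "TargetUserName": "svc_backup2"},
    {"ts": "2017-10-19T02:14:02Z", "host": "eng-ws07", "EventID": 4732,
     "SubjectUserName": "j.smith", "MemberName": "svc_backup2",
     "TargetUserName": "Administrators"},
    {"ts": "2017-10-19T02:20:15Z", "host": "eng-ws07", "EventID": 4688,
     "SubjectUserName": "j.smith",
     "CommandLine": "netsh advfirewall set allprofiles state off"},
    {"ts": "2017-10-19T02:21:00Z", "host": "eng-ws07", "EventID": 4688,
     "SubjectUserName": "j.smith",
     "CommandLine": 'reg add "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server" '
                    "/v fDenyTSConnections /t REG_DWORD /d 0 /f"},
    {"ts": "2017-10-19T02:35:48Z", "host": "eng-ws07", "EventID": 7045,
     "ServiceName": "VPN Helper", "ImagePath": "C:\\ProgramData\\vpn\\client.exe"},
    {"ts": "2017-10-19T09:00:00Z", "host": "hr-ws02", "EventID": 4688,
     "SubjectUserName": "a.lee", "CommandLine": "C:\\Windows\\System32\\notepad.exe"},
]

if __name__ == "__main__":
    for host, stages in correlate(SAMPLE_EVENTS).items():
        print(host, "->", ", ".join(stages))
```

Event 4688 only carries the command line if process-creation auditing with command-line logging is enabled, and 7045 lives in the System log rather than Security; both need to be forwarded to the collector for this correlation to work.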
As of this writing, no ICS/SCADA network is known to have been maliciously manipulated; the attackers appear still to be in the reconnaissance and analysis phase. For example, they have viewed files related to wiring diagrams, SCADA panel layouts and so on. That said, a foothold has been established within the target environments that could be leveraged for something far more sinister in the future.
Now that we’ve got a basic understanding of the attacks, let’s take a step back.
The Reality is That We’ve Seen This Movie Before
We observe that the current attacks are in many ways similar to those conducted against the Ukrainian power grid in late 2015. Open-source research, credential harvesting, study of the internal infrastructure, establishment of a persistent presence and installation of tools on the victim network were all carried out many months before the actual attack on the ICS infrastructure. This appears to be exactly what the malicious actors are now doing against United States targets, which is why early detection is so important and why these attacks are being taken so seriously.
In both the Ukrainian attacks and the current U.S. attacks, the “traditional” IT network was the initial vector. The IT network mattered for several reasons:
- The malicious operators harvested credentials from the IT network.
- The malicious operators conducted research on the infrastructure layout by accessing systems with the harvested credentials.
- In most cases, there are connections between the traditional IT network and the ICS network that can be leveraged through the use of harvested credentials.
- In the case of the Ukrainian attack, the harvested credentials allowed devastating access into the ICS network.
To accomplish these objectives, the malicious actors had to:
- Exploit vulnerabilities
- Exploit weak endpoint configurations
- Install malware
- Create new user accounts
The reality is that “owning” the IT network is an effective way to ultimately “own” the ICS network, because for critical infrastructure operators the two are tightly coupled.
For operators of critical infrastructure, both the traditional IT environment and the ICS environment must be continuously monitored not only for indicators of compromise but also for proper configuration, the presence of vulnerabilities, and changes of state to the endpoints.
Some recommendations include:
- Discover all assets, all the time, to understand and reduce the risk from “unknown unknowns”
- Continuously monitor devices for vulnerabilities
- Constantly search for the presence of unknown software or active unknown processes on endpoints
- Continuously monitor critical infrastructure devices for proper secure configuration and detect systems whose configuration has changed unexpectedly
- Monitor for changes in critical directories or executable files to detect malicious modifications
- Monitor for new user accounts on endpoints which may have been created by malicious actors
- Continuously monitor the ICS environment for vulnerabilities and unusual traffic patterns
- Detect, monitor and understand in detail the connections that exist between the IT network and the ICS network
- Detect, monitor and understand in detail the connections that exist between “trusted” third parties and the IT network
- Detect, monitor and understand any outside connections that may exist directly to the ICS network
- Insist that “trusted” third parties comply with minimum security standards
- Consider universal adoption of two-factor authentication
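The three “detect, monitor and understand the connections” recommendations come down to classifying every observed flow by the zone it leaves and the zone it enters, and treating anything that is not on an explicit allow-list as a finding. The following is an added example, not code from the original post or from Tenable, showing that classification over flow records. The zone address ranges, the IT-to-ICS allow-list and the flow records are all constructed assumptions; replace them with your own address plan and a real NetFlow/IPFIX or firewall-log export.

```python
"""Audit flow records for the paths the recommendations say to watch:
IT -> ICS, third party -> IT, outside -> ICS directly, and ICS hosts
initiating connections to the outside.

Added example (not the post's or Tenable's code). ZONES, ALLOWED_IT_TO_ICS
and SAMPLE_FLOWS are constructed assumptions.
"""
import ipaddress
from collections import Counter

ZONES = {
    "ICS": [ipaddress.ip_network("10.20.0.0/16")],
    "IT": [ipaddress.ip_network("10.10.0.0/16")],
    "VENDOR_VPN": [ipaddress.ip_network("172.16.50.0/24")],
}
# The only IT -> ICS conversations that are supposed to exist, as
# (src, dst, dport); here a historian pulling from an ICS database.
ALLOWED_IT_TO_ICS = {("10.10.5.20", "10.20.1.10", 1433)}
ICS_PROTOCOL_PORTS = {502: "Modbus/TCP", 20000: "DNP3",
                      44818: "EtherNet/IP", 102: "S7comm/ISO-TSAP"}


def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    for name, nets in ZONES.items():
        if any(addr in net for net in nets):
            return name
    return "EXTERNAL"  # anything outside the zoning model is treated as outside


def audit_flow(flow):
    """Return (severity, rule) for one flow, or None if it is expected."""
    src, dst, dport = flow["src"], flow["dst"], flow["dport"]
    sz, dz = zone_of(src), zone_of(dst)
    proto = ICS_PROTOCOL_PORTS.get(dport)
    if dz == "ICS":
        if sz == "EXTERNAL":
            return ("critical", "direct outside connection into ICS")
        if sz == "VENDOR_VPN":
            return ("critical", "third party connecting directly into ICS")
        if sz == "IT" and (src, dst, dport) not in ALLOWED_IT_TO_ICS:
            rule = "IT -> ICS path not on allow-list"
            return ("high", f"{rule} ({proto})" if proto else rule)
    if sz == "ICS" and dz == "EXTERNAL":
        return ("high", "ICS host initiating connection to outside")
    if sz == "VENDOR_VPN" and dz == "IT":
        return ("info", "third party -> IT connection (record for review)")
    return None


def audit_flows(flows):
    findings = []
    for flow in flows:
        f = audit_flow(flow)
        if f:
            findings.append({"severity": f[0], "rule": f[1], "flow": flow})
    return findings


def summarize(findings):
    """Count findings by severity."""
    return Counter(f["severity"] for f in findings)


# Constructed flow records (not real traffic).
SAMPLE_FLOWS = [
    {"src": "10.10.5.20", "dst": "10.20.1.10", "dport": 1433},    # allowed historian pull
    {"src": "10.10.7.44", "dst": "10.20.3.5", "dport": 502},      # workstation -> PLC, Modbus
    {"src": "172.16.50.12", "dst": "10.10.9.3", "dport": 3389},   # vendor VPN -> IT RDP
    {"src": "172.16.50.12", "dst": "10.20.3.5", "dport": 44818},  # vendor VPN -> ICS directly
    {"src": "203.0.113.9", "dst": "10.20.1.10", "dport": 3389},   # outside -> ICS RDP
    {"src": "10.20.1.10", "dst": "198.51.100.77", "dport": 443},  # ICS host calling out
    {"src": "10.10.1.1", "dst": "10.10.2.2", "dport": 445},       # IT internal, expected
]

if __name__ == "__main__":
    findings = audit_flows(SAMPLE_FLOWS)
    for f in findings:
        print(f["severity"].upper(), f["rule"], f["flow"])
    print(dict(summarize(findings)))
```

Running this once produces a list to review; running it continuously against passive network monitoring data turns the allow-list into a living inventory of the IT/ICS and third-party paths that actually exist, which is the point of the recommendations above.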
How Tenable Can Help
Tenable is uniquely positioned to help operators of critical infrastructure implement these recommendations and understand their Cyber Exposure. Nessus, the industry gold standard of vulnerability assessment and compliance auditing, serves as the foundational Tenable platform to help both IT Security and ICS Operations teams ensure they know what assets are on the network at any given time and continuously assess them for vulnerabilities. Nessus Network Monitor passively analyzes network traffic to provide continuous visibility into managed and unmanaged assets on the network, including IT, Operational Technology and IoT assets. Nessus Network Monitor includes capabilities for asset discovery and vulnerability identification on critical infrastructure and embedded systems, such as ICS and SCADA systems, which require a non-intrusive approach to vulnerability management.
Try Tenable.io Vulnerability Management, which includes Nessus Network Monitor, free for 60 days by requesting an evaluation.
Given that the threat is real and ongoing, there is now a sense of urgency for operators of critical infrastructure to be diligent in the configuration and monitoring of their IT and ICS environments.