Critical Infrastructure Targeted
It would be must-see TV if it wasn’t happening in real-life – or if your TV could even be turned on. It’s a hack of the U.S. power grid. Intruders have gained hands-on control of critical infrastructure electrical operations along the East Coast and have induced a blackout from Boston to Washington D.C. The skilled folks in incident response jump into action, but a great deal of damage has already been done. Countless businesses have been disrupted costing the country billions of dollars with the flip of a switch. Could this happen? Yes. In fact, attacks like this are already happening. A recent joint report from the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI), points to hackers targeting government entities and the energy, water, aviation, nuclear, and critical manufacturing sectors.
The alert, released on October 20th, focuses on sophisticated threat actors, known as advanced persistent threats (APTs) specifically targeting the energy, nuclear, water, aviation, and critical manufacturing sectors through the use of multi-stage attacks. Bottom line, there is evidence of attackers targeting this sector via trusted third party suppliers with less secure networks as a way into high-value critical infrastructure targets. In essence, attackers are using these networks as a stepping-stone to more valuable Industrial Control System targets.
The DHS/FBI report, which highlighted specific activity since May 2017, noted the typical structure (commonly referred to as the cyber kill chain) of the type of attacks being used to target this sector:
- Open source reconnaissance. First, attackers do extensive research using open source information, such as company websites, to help create tailored and believable spear-phishing and other campaigns.
- Spear-phishing emails. Armed with information about their targets, the threat actors send out electronic communications scams targeted towards a specific individual, organization or business. The goal is generally to steal data, credentials, or access. In this case, threat actors used email with the subject line “AGREEMENT & Confidential”, and which contained a generic PDF document, titled “document.pdf”. The threat actors then likely used password-cracking techniques to obtain the plaintext password. Once actors obtain valid credentials, they are able to masquerade as authorized users with file access.
- Watering-hole attack. Another vector the threat actor has used involves hijacking a legitimate site and altering its content so that users, in this case, users from a target organization, are unaware that the site has been compromised. Approximately half of the known watering holes are trade publications and informational websites related to process control, ICS, or critical infrastructure.
- Host-based exploitation. Either of the above attack delivery methods allows the attackers to exploit the victims who click on the malicious email or website, redirecting them to sites that steal their credentials. The end result provides the threat actors access to their victims’ networks and essentially hijack them. In one example, after gaining remote access to the network of an intended victim, the threat actor carried out a number of nefarious actions.
- Installation. Once in the ICS networks, the threat actors are now able to install and execute malicious tools in the victims’ networks.
While the process of how a threat actor gets in is important for the technical team, the broader concepts of how this encapsulates cyber risk should be reviewed and discussed in boardrooms around the country. Leadership needs to be able to understand the external threats, the vulnerabilities in their own systems, as well as the mitigations available. What are the top five things critical infrastructure leadership should do right now?
- Ensure that the security teams are looking for these types of attacks and sharing information with DHS. Information is power and in this particular case the more we can share about the details of attacks the better we can prepare.
- Get trained. Learn about cybersecurity as an enterprise risk to your organization.
- Understand that there are choices and investment to make in managing your cyber risk – accept, avoid, mitigate, or transfer risk.
- Conduct an annual tabletop exercise to ensure you have the people, processes, and technology to effectively manage a crisis.
- Ensure your entire company is trained and cyber aware – and of course lead from the top.
Is your executive leadership cyber literate and prepared to handle a breach? Don’t just play an expert on TV, be well informed in real life. Contact us to learn more about our Cyber Resolve Board and Executive training programs.