The FBI and Department of Homeland Security issued a joint technical alert detailing Russian government hacking activity targeting U.S. critical infrastructure, and the Treasury Department levied sanctions on Russia for those attacks and interference in the 2016 presidential election.
The U.S. Department of the Treasury's Office of Foreign Assets Control's sanctions listed Russian government hacking efforts, including interference in the 2016 election, the NotPetya attacks and attacks targeting "the energy, nuclear, commercial facilities, water, aviation and critical manufacturing sectors."
"The administration is confronting and countering malign Russian cyber activity, including their attempted interference in U.S. elections, destructive cyberattacks and intrusions targeting critical infrastructure," Treasury Secretary Steven Mnuchin said in a public statement. "These targeted sanctions are a part of a broader effort to address the ongoing nefarious attacks emanating from Russia. Treasury intends to impose additional [Countering America's Adversaries Through Sanctions Act] sanctions, informed by our intelligence community, to hold Russian government officials and oligarchs accountable for their destabilizing activities by severing their access to the U.S. financial system."
A joint technical advisory from the FBI and Department of Homeland Security (DHS) included details and indicators of compromise of the attempted Russian government hacking of critical infrastructure systems and referenced the Dragonfly 2.0 investigation by Symantec from September 2017.
"DHS and FBI characterize this activity as a multi-stage intrusion campaign by Russian government cyber actors who targeted small commercial facilities' networks where they staged malware, conducted spear phishing, and gained remote access into energy sector networks. After obtaining access, the Russian government cyber actors conducted network reconnaissance, moved laterally, and collected information pertaining to industrial control systems (ICS)," the FBI and DHS wrote in the advisory. "This campaign comprises two distinct categories of victims: staging and intended targets. The initial victims are peripheral organizations such as trusted third-party suppliers with less secure networks ... The threat actors used the staging targets' networks as pivot points and malware repositories when targeting their final intended victims."
Phil Neray, vice president of industrial cybersecurity at CyberX, based in Framingham, Mass., said the alert and sanctions against the Russian government hacking attempts "validate what the ICS community has known for months."
"Russian cyberattackers have both the intent and the ability to successfully compromise our critical infrastructure networks, including in our nuclear facilities. The attackers demonstrated sophistication by using a variety of techniques to steal credentials from control system engineers -- from phishing to website 'watering hole' attacks -- and especially in the way they covered their tracks after intruding our networks, by deleting logs and other digital breadcrumbs that could reveal their presence," Neray told SearchSecurity. "It's easy to see how Russia could leverage these dangerous footholds to test our red lines and threaten us with sabotage in the event of escalating hostilities, such as new Russian incursions on former Soviet territories."
Ashton Mozano, CTO of Circadence, based in Boulder, Colo., said although ICS attacks have happened for over a decade, "the frequency and level of effort behind such attacks have significantly increased in the past few years, particularly after Stuxnet, Duqu, Flame and others entered the public lexicon."
"Despite the sophistication of many of these attacks, the initial attack vectors are fairly basic: They rely on social engineering via email phishing," Mozano told SearchSecurity. "With widespread and up-to-date training on cybersecurity hygiene, a vast majority of these attacks could be successfully thwarted for now, until the attackers develop more advanced means of initial entry into these target environments."
Nick Bilogorskiy, cybersecurity strategist at Juniper Networks, based in Sunnyvale, Calif., said the accusations regarding Russian government hacking and the resulting sanctions are especially significant, given the inherent difficulty in cyberattack attribution.
"Generally, cyberattacks are notoriously difficult to attribute because they often use proxies, third parties and fake artifacts in malware code to obfuscate their true origin. It is easier to understand who attacked you than it is to be able to prove it. So, officials have been reluctant in the past to call out such activity. In this case, the Department of Homeland Security and the FBI publicly condemned Russian government cyberactors, which to me means that they found significant evidence of Russian involvement," Bilogorskiy told SearchSecurity. "It is not publicly shared what this evidence is. At times in the past, the U.S. has learned about foreign spying through something the intelligence community calls fourth-party collection -- when our allies penetrate the attackers and 'watch over their shoulder' as the attacks are performed and gather evidence of the attacks, which they share with the U.S."