US Department of Homeland Security issues report detailing Russian cyber attacks on critical control systems
20 March 2018
Alert (TA18-074A) from the Department of Homeland Security (DHS), issued on March 15, gives details of Russian Government cyber activity targeting energy and other critical infrastructure sectors in the USA. Analysis by DHS and the Federal Bureau of Investigation (FBI) resulted in the identification of distinct indicators and behaviors related to this activity.
The Alert overview is as follows:
This joint Technical Alert (TA) is the result of analytic efforts between the DHS and FBI. This alert provides information on Russian government actions targeting US Government entities as well as organizations in the energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors. It also contains indicators of compromise (IOCs) and technical details on the tactics, techniques, and procedures (TTPs) used by Russian government cyber actors on compromised victim networks. DHS and FBI produced this alert to educate network defenders to enhance their ability to identify and reduce exposure to malicious activity.
DHS and FBI characterize this activity as a multi-stage intrusion campaign by Russian government cyber actors who targeted small commercial facilities’ networks where they staged malware, conducted spear phishing, and gained remote access into energy sector networks. After obtaining access, the Russian government cyber actors conducted network reconnaissance, moved laterally, and collected information pertaining to Industrial Control Systems (ICS).
Targeting of ICS and SCADA Infrastructure
In multiple instances, the threat actors accessed workstations and servers on a corporate network that contained data output from control systems within energy generation facilities. The threat actors accessed files pertaining to ICS or supervisory control and data acquisition (SCADA) systems. Based on DHS analysis of existing compromises, these files were named containing ICS vendor names and ICS reference documents pertaining to the organization (e.g., “SCADA WIRING DIAGRAM.pdf” or “SCADA PANEL LAYOUTS.xlsx”).
The threat actors targeted and copied profile and configuration information for accessing ICS systems on the network. DHS observed the threat actors copying Virtual Network Connection (VNC) profiles that contained configuration information on accessing ICS systems. DHS was able to reconstruct screenshot fragments of a Human Machine Interface (HMI) that the threat actors accessed.
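The file-access pattern the alert describes above (ICS reference documents with SCADA/HMI terms in their names, plus copied VNC profiles) is something a defender can look for in file-audit logs. The following is an added example, not code from the alert or this article; the log format, account names, host names and engineering allowlist are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample file-audit events (not from the DHS alert), one per line:
# timestamp | account | host | action | path
SAMPLE_LOG = """\
2018-03-01T09:12:03 | eng.jsmith | ENG-WS01 | READ | \\\\fs01\\plant\\SCADA WIRING DIAGRAM.pdf
2018-03-01T22:41:17 | svc_backup | CORP-SRV07 | READ | \\\\fs01\\plant\\SCADA PANEL LAYOUTS.xlsx
2018-03-01T22:43:50 | svc_backup | CORP-SRV07 | COPY | C:\\Users\\operator\\hmi-plant1.vnc
2018-03-01T22:44:02 | svc_backup | CORP-SRV07 | READ | \\\\fs01\\hr\\holiday-list.docx
2018-03-02T08:05:11 | eng.jsmith | ENG-WS01 | COPY | C:\\Users\\jsmith\\Desktop\\hmi-login.vnc
"""

# File names of the kind the alert describes: ICS reference documents carrying
# SCADA/ICS/HMI terms, and VNC connection profiles (.vnc) used to reach HMIs.
ICS_DOC_RE = re.compile(r"\b(SCADA|ICS|HMI)\b", re.IGNORECASE)
VNC_PROFILE_RE = re.compile(r"\.vnc$", re.IGNORECASE)

def classify(path):
    """Map a file path to a detection category, or None if uninteresting."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    if VNC_PROFILE_RE.search(name):
        return "vnc_profile"
    if ICS_DOC_RE.search(name):
        return "ics_document"
    return None

def parse(line):
    """Split one 'ts | account | host | action | path' event into fields."""
    fields = [f.strip() for f in line.split("|", 4)]
    if len(fields) != 5:
        return None
    return dict(zip(("ts", "account", "host", "action", "path"), fields))

def find_suspects(log_text, engineering_accounts):
    """Return {account@host: sorted categories} for accounts outside the
    engineering allowlist that touched ICS documents or VNC profiles."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None or ev["account"] in engineering_accounts:
            continue
        cat = classify(ev["path"])
        if cat:
            hits[f"{ev['account']}@{ev['host']}"].add(cat)
    return {k: sorted(v) for k, v in hits.items()}

if __name__ == "__main__":
    for who, cats in find_suspects(SAMPLE_LOG, {"eng.jsmith"}).items():
        print(f"ALERT {who}: {', '.join(cats)}")
```

An account that hits both categories from one host (here the constructed backup service account) matches the reconnaissance-then-profile-collection sequence the alert describes and is worth a closer look.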
To see the whole Alert on the DHS website, click on the link below.