Cyberattackers are increasingly targeting energy and utilities companies through their enterprise IT networks, according to a report released today by cybersecurity company Vectra.
Hackers have long been targeting energy and utility companies, with the goal of causing disruption to infrastructure. In extreme cases, critical infrastructure failure could result in a nuclear reactor meltdown.
The FBI, National Cybersecurity & Communications Integration Center (NCCIC) and the United States Department of Homeland Security (DHS) have noted that since at least March 2016 there has been a notable increase of energy and utilities cyberattacks from Russian operatives targeting US critical infrastructure sectors.
Between January and June 2018, Vectra’s Cognito cyberattack detection platform scanned the networks of over 250 companies that opted in for monitoring. They collected metadata from more than 4 million devices, data servers and enterprise environments.
When looking specifically at the enterprise networks of energy and utility companies, they detected 194 command-and-control attack behaviours against energy and utility companies for every 10,000 host devices – 25 more attack behaviours than the average across all industries.
Matt Walmsley, EMEA Director at Vectra, told Verdict that while most discussions around energy cybersecurity threats tend to focus on the catastrophic consequences of a breach, the latest research shows the important part that reconnaissance plays in such attacks.
"It’s here that well-resourced and motivated attackers, such as nation-states, will research and prepare themselves for taking down or disrupting critical services," he explained.
"The attackers’ pre-cursor behaviours can often look like legitimate actions that in many organisations would go undetected through a lack of resources such as time, people, and technical capability.
"Our analysis shows the propensity of these behaviours, and how AI can be used to identify, prioritise, and respond to them at a speed and scale beyond traditional manual threat hunting techniques.”
How hackers gain access to an energy and utilities company
In March this year, the DHS issued a government alert known as TA18-074A. It outlined how Russian cyberattackers are targeting energy and critical infrastructure sectors.
The alert explains that there are two types of target. The first is the intended target, in this case, the energy or critical infrastructure company. The other is a ‘staging’ target, which could be a third party supplier. These are used as a means to gain access to the intended target.
To gain access to either of these targets, cyberattackers use what’s known as a web shell, a computer script that enables remote access to a machine.
These are created on the intended target’s publicly accessible email and web servers and use tools such as VPNs, Remote Desktop Protocol (RPD) and Outlook Web Access (OWA) to gain external remote access.
Because organisations often legitimately use remote access, it is easier for cyberattackers to go unnoticed.
Once the threat actors have access, they browse the network in a type of reconnaissance mission. This is known as file-share enumeration and RDP recon.
Using information gained during reconnaissance, the cyberattackers move around the network laterally, using batch scripts to gain additional information from devices.
The Vectra report found that in “multiple instances, threat actors accessed workstations and servers on a corporate network that contained data output from the ICS inside energy generation facilities”.
From these workstations and servers, hackers glean files. During the extraction phase of the cyberattack lifecycle, Vectra detected 293 data smuggler behaviours per 10,000 host devices and workloads.
Energy and utilities cyberattacks are often difficult to detect
These attacks are often slow, taking place over many months, and are difficult to detect.
"The covert abuse of administrative credentials provides attackers with unconstrained access to critical infrastructure systems and data," said David Monahan, managing research director of security and risk management at Enterprise Management Associates. "This is one of the most crucial risk areas in the cyberattack lifecycle."
Elsewhere the report detected 314 lateral movement attack behaviours per 10,000 host devices and workloads.
"When attackers move laterally inside a network, it exposes a larger attack surface that increases the risk of data acquisition and exfiltration," said Branndon Kelley, CIO of American Municipal Power, a nonprofit electric-power generator utility that serves municipalities in nine states that own their own electric system.
"It's imperative to monitor all network traffic to detect these and other attacker behaviours early and consistently."