This post originally appeared on LinkedIn.
Yesterday’s unprecedented DHS/FBI announcement states that, since at least March 2016, “Russian government cyber actors — hereafter referred to as “threat actors”—targeted government entities and multiple U.S. critical infrastructure sectors, including the energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors.”
The attackers demonstrated sophistication by using a variety of techniques — from phishing to website ‘watering hole’ attacks — to steal credentials from control system engineers, and covered their tracks by deleting logs and other digital breadcrumbs that could reveal their presence.
Some of the techniques had previously been reported by Cisco Talos in July 2017. The Cisco team described “template injection” as a mechanism for silently harvesting credentials by attaching malicious documents that connect to an external SMB server controlled by the attacker. (Unlike common phishing attacks, the documents themselves do not contain malicious code.) And the documents were typically resumes purporting to be from control system engineers with experience in “Siemens, Rockwell, SCADA, HMI,” etc.
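A defender-side check for the template-injection documents described above, added here as an example that is not part of the original post or of Cisco Talos' tooling: it builds a constructed minimal .docx in memory and scans the package's relationship files for an attachedTemplate that Word would fetch from a remote UNC path or URL when the file is opened. The host address and file names are constructed placeholders.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# OOXML relationship type Word uses for an attached template.
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
RELS_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"

def external_templates(docx_bytes):
    """(rels_path, Target) for every attachedTemplate relationship whose
    TargetMode is External, i.e. resolved outside the document package."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(RELS_NS + "Relationship"):
                if (rel.get("Type") == ATTACHED_TEMPLATE
                        and rel.get("TargetMode", "").lower() == "external"):
                    hits.append((name, rel.get("Target", "")))
    return hits

def is_remote_target(target):
    """True for UNC paths and smb/http(s)/file URLs: anything that makes Word
    contact a server (and offer NTLM credentials over SMB) on open."""
    if target.startswith(("\\\\", "//")):
        return True
    return urlparse(target).scheme.lower() in {"smb", "http", "https", "file"}

def scan(docx_bytes):
    """Attached templates that would be fetched from a remote host."""
    return [(p, t) for p, t in external_templates(docx_bytes) if is_remote_target(t)]

def build_sample_docx(template_target):
    """Constructed minimal .docx (not a real document) with one external
    attachedTemplate relationship in word/_rels/settings.xml.rels."""
    rels = ('<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
            f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
            f'Target="{template_target}" TargetMode="External"/></Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()
```

Calling `scan(build_sample_docx(r"\\192.0.2.10\share\resume.dotm"))` (a constructed TEST-NET host) returns the one flagged relationship, while a document whose template is the local `Normal.dotm` returns nothing.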
And echoing Stuxnet (thank you Kim Zetter for the detailed explanations), the attackers manipulated LNK files, commonly known as Microsoft Windows shortcut files, to conduct malicious activities. (In this case, the attackers used LNK files to gather user credentials when the LNK file attempted to load its icon from a remote SMB server controlled by the attackers.)
The DHS/FBI report includes a reconstructed screenshot taken by the threat actors of a Human Machine Interface (HMI) in one of the energy generation facilities they compromised — indicating that they successfully pivoted from the IT network to the OT network. HMIs are used to monitor and control the actual physical processes in an industrial facility, like turbines and compressors.
Conclusions? As Thomas Rid, War Studies professor at King’s College, stated in Andy Greenberg’s eerily prescient article in WIRED about How An Entire Nation Became Russia’s Test Lab for Cyberwar, perhaps “They’re testing out red lines, what they can get away with. You push and see if you’re pushed back. If not, you try the next step.”