
Digital Guardian's Blog

DHS Report on Hacked Electric Utilities Highlights Supply Chain Fragility

by Chris Brook on Tuesday July 24, 2018


The Department of Homeland Security confirmed this week that Russian hackers successfully infiltrated the control rooms of U.S. electrical utilities after compromising the networks of their corporate suppliers.

Russian hackers were able to infiltrate the control rooms of U.S. electrical utilities last year to steal confidential information, the U.S. Department of Homeland Security said this week.

Federal officials held an unclassified briefing Monday, according to the Wall Street Journal, in which it was disclosed that there were hundreds of victims. That runs counter to a statement previously issued in which the DHS said there were only a few dozen.

The attackers, working for the APT Dragonfly, a/k/a Energetic Bear, a/k/a Crouching Yeti, primarily used spear phishing and watering hole attacks to dupe employees at electric utilities into giving up their passwords.

The DHS issued a technical alert last fall around the group, essentially making it clear that the U.S. government was aware of victims in the energy sector. The alert said the group was also targeting government entities and organizations in the nuclear, water, aviation, and critical manufacturing sectors.

Monday's news follows up an alert that DHS' United States Computer Emergency Readiness Team (US-CERT) fired out in March, warning that the Russian government was targeting organizations in those industries.

Specifics of the WSJ report, namely that attackers could have "thrown switches," disrupted power flows and caused blackouts, have been contested in the hours since its publication.

Robert M. Lee, an industrial control system (ICS) expert who founded Dragos Inc., tweeted early Tuesday that while the warnings are helpful, the wording in the articles hasn't been. According to Lee, phrases like throwing switches and noting it would cause blackouts "is in no way representative of what was seen in these intrusions."

Instead, the researcher says the attackers were taking screenshots of HMIs, or human-machine interfaces, the central dashboards that allow managers to monitor operations, receive alerts, and resolve issues quickly.

In the WSJ article, according to Jonathan Homer, the department's chief of industrial control system analysis, the attacks took advantage of relationships utilities have with vendors who have special access to "update software, run diagnostics on equipment and perform other services that are needed to keep millions of pieces of gear in working order."

The inner workings of the campaign sound like the textbook definition of a supply chain attack, in which less-secure pieces of a supply network, usually vendors who lack the funds to spend on cybersecurity, are targeted. From there, once the attackers are in, they move laterally.

According to Homer, the attackers' activity mimicked that of "people who touch these systems on a daily basis," something that helped them evade detection.

The supply chain ecosystem has many challenges, namely the fact that it’s so interconnected and can often lack transparency. Industries in which critical infrastructure is present, like manufacturers and electrical utilities, need to have a plan in place that can guarantee the free flow of data but not without protections in place to ensure that data is shared securely.

It's plausible that a combination of user activity monitoring and user and entity behavior analytics (UEBA) could have lessened the blow for these utilities, and potentially still can.

The WSJ article claims the group took information on how utility networks were configured, what equipment was in use, and how it was controlled, in addition to familiarizing themselves with how the facilities work.

Having a data loss prevention solution implemented could have prevented the exfiltration of sensitive data, like schematics and processes, and prevented screenshots from being taken. Through user activity monitoring, an organization could determine whether a user has captured files, keystrokes, or carried out a smorgasbord of other malicious activities - and investigate further.

UEBA, an emerging technology, can be used to detect anomalous behavior or deviations from the norm. In this instance it's possible that by comparing and contrasting each user's activities against their own history and against their peers, the organizations could have identified attackers masquerading as legitimate insiders before the damage was done.
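To make the user activity monitoring and UEBA idea from the two paragraphs above concrete, here is an added example (not code from the article or from Digital Guardian's products) that builds a per-user and per-role baseline from constructed vendor-account activity records and flags events that a masquerading attacker would produce: actions the account has never performed, actions no peer in the same role performs, and activity at unusual hours. All account names, hosts and log records are made up for the example.

```python
from collections import defaultdict

# Constructed baseline: normal activity of vendor service accounts with remote
# access to a utility's ICS network, plus a control-room operator.
# Record layout: (user, role, hour_of_day, action, target)
BASELINE = [
    ("vendor_a", "vendor", 10, "run_diagnostics", "relay-ctl-01"),
    ("vendor_a", "vendor", 14, "update_software", "relay-ctl-01"),
    ("vendor_a", "vendor", 11, "run_diagnostics", "relay-ctl-02"),
    ("vendor_b", "vendor", 9, "update_software", "rtu-07"),
    ("vendor_b", "vendor", 15, "run_diagnostics", "rtu-07"),
    ("operator_1", "operator", 8, "view_hmi", "hmi-substation-3"),
    ("operator_1", "operator", 16, "view_hmi", "hmi-substation-3"),
]

# Constructed events to score: two look like a compromised vendor account
# taking HMI screenshots and pulling network configuration.
NEW_EVENTS = [
    ("vendor_a", "vendor", 10, "run_diagnostics", "relay-ctl-01"),
    ("vendor_a", "vendor", 2, "screenshot", "hmi-substation-3"),
    ("vendor_b", "vendor", 9, "read_file", "network_config.xml"),
    ("operator_1", "operator", 8, "view_hmi", "hmi-substation-3"),
]

def build_profiles(events):
    """Learn which actions and hours are normal per user, and per role for peer comparison."""
    user_actions, user_hours, role_actions = defaultdict(set), defaultdict(set), defaultdict(set)
    for user, role, hour, action, _target in events:
        user_actions[user].add(action)
        user_hours[user].add(hour)
        role_actions[role].add(action)
    return user_actions, user_hours, role_actions

def score_event(event, profiles, hour_tolerance=2):
    """Return the list of reasons this event deviates from the user's and peers' baseline."""
    user_actions, user_hours, role_actions = profiles
    user, role, hour, action, _target = event
    reasons = []
    if action not in user_actions[user]:
        reasons.append("new action for user")
    if action not in role_actions[role]:
        reasons.append("action unseen across peer role")
    # Circular hour distance so 23:00 and 01:00 count as close.
    far = lambda h: min(abs(hour - h), 24 - abs(hour - h)) > hour_tolerance
    if user_hours[user] and all(far(h) for h in user_hours[user]):
        reasons.append("outside usual hours")
    return reasons

def flag_anomalies(baseline, new_events, threshold=2):
    """Flag events that accumulate at least `threshold` deviation reasons."""
    profiles = build_profiles(baseline)
    return [(ev[0], ev[3], ev[4], score_event(ev, profiles))
            for ev in new_events if len(score_event(ev, profiles)) >= threshold]
```

An attacker who restricts themselves to exactly the actions and hours the vendor account normally uses, as Homer describes, would not trip these rules, which is why such scoring is combined with data loss prevention controls on the files and screenshots themselves.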

Tags: Industry Insights, Manufacturing, Security News

Chris Brook

Chris Brook is the editor of Data Insider. He is a technology journalist with a decade of experience writing about information security, hackers, and privacy. Chris has attended many infosec conferences and has interviewed hackers and security researchers. Prior to joining Digital Guardian he helped launch Threatpost, an independent news site which is a leading source of information about IT and business security for hundreds of thousands of professionals worldwide.