Imagine one of your employees clicked on an email link that let attackers into your network. Imagine that you couldn’t produce energy, have lost control of your systems, and were sitting at the mercy of a ransom-seeking hacker or foreign nation-state intent on exercising political leverage. What to do…
“Espionage and sabotage attacks against Critical National Infrastructure (CNI) organizations have increased over the years, and I don’t think we have seen it all yet,” says Sami Ruohonen, Labs Threat Researcher at Finnish cyber security company F-Secure.
Various adversaries are always trying to get into critical infrastructure company networks. Each attacker has their own motivations, techniques and tradecraft. Infrastructure companies are mainly at risk from criminal profiteers or nation-states with geopolitical motives.
Cyber criminals have got hold of sophisticated tools after the Shadow Brokers and Vault7 data breaches. They’ve also changed their way of operating. Money laundering techniques have changed considerably too, fueling ever-increasing ransomware demands.
Nation-state capabilities are now more accessible to other hacking groups, giving them capabilities similar to those of nation-state sponsored Advanced Persistent Threat (APT) groups.
CryptoLocker, active around 2013, was one of the most ‘lucrative’ ransomware campaigns. Over 250,000 computers were infected in the last four months of that year. Those who spread it netted over USD 3M before the Gameover ZeuS botnet, used for its distribution, was taken down.
Its success spawned a number of next-generation variants such as CryptoWall and TeslaCrypt. LockerGoga, one of the most recent ransomware campaigns, encrypted everything after infecting Norsk Hydro’s systems. The international Norwegian aluminum producer’s renewable energy arm wasn’t hit, however.
APT groups themselves continue trying to get into and stay in CNI networks for espionage opportunities so they can exercise political leverage as needed. Nation-state hackers are very professional and will hack a company even if it takes years, new research by F-Secure and Countercept shows.
Nine different threats facing the energy industry stand out:
- Operation Sharpshooter (Lazarus Group)
- GreyEnergy (the successor to the BlackEnergy group)
- BlackEnergy 1, 2 and 3 Malware
- Industroyer Malware – also known as CrashOverride
- Dragonfly/Dragonfly 2.0
- Havex Malware
- ICS side-channel attack
- TRITON/TRISIS Malware
“The State of the Station: A report on attackers in the energy industry” also highlights that APTs research their targets properly. Attackers have more time than the defenders and will take months to plan their attack, identifying which employees fall for social engineering and testing whether known software security holes have been patched.
People are the weakest link in production, and company employees seem to be APT groups’ preferred target, with malware coming via malicious links in phishing emails (called ‘spear phishing’) instead of traditional e-mail attachments.
Users were lured either into downloading malware or into entering credentials on login pages built for phishing. Attackers then moved on to the production network, and from there to the ICS network. Another notable trend last year was e-mail based malware arriving on smartphones, giving attackers access to a company’s internal networks or sensitive data via people’s mobile devices.
“Critical Infrastructure, due to its nature, is an interesting target for a foreign nation-state, even during peacetime,” Sami explains.
Many systems were built decades ago pre-Stuxnet, and before a 24/7 internet connection was usual. Cyber security wasn’t a realistic threat when these were manufactured, either. Old computer protocols and systems never had those built-in security controls that we take for granted today.
It is not a question of if, but when a network will be hacked. Energy industry firms are fighting an unseen and stealthy enemy with wide-ranging objectives deploying unseen tactics, techniques, and procedures (TTPs).
Organizations aren’t powerless, however, and have a choice of counter-measures. These include VUCA – an acronym coined by the U.S. Army to describe the volatility, uncertainty, complexity, and ambiguity of the post-Cold War era.
In brief, the VUCA framework for energy industry firms means looking at which external factors affect the risks to an organization, who might target it, why, and how, and identifying which crucial IT assets need a security strategy to protect them.
F-Secure’s Sami Ruohonen also advises energy sector companies to review the standard of their cyber security, and implement the latest technologies such as an endpoint detection and response (EDR) solution.
This is for organizations that don’t want to hire fully qualified cybersecurity teams. It is also a quick way “to tremendously increase capabilities to detect and respond to advanced threats and targeted attacks which might bypass traditional endpoint solutions,” he says.
“Managed EDR solutions can provide monitoring, alerting, and response to cover the needs 24/7. This means organizations’ IT teams can operate during business hours to review the detections while a specialized cybersecurity team takes care of the rest,” concludes Sami.