On Oct. 20, the U.S. Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) issued a joint warning of “advanced persistent threat actions targeting government entities and organizations in the energy, nuclear, water, aviation, and critical manufacturing sectors.” In short, not only is energy infrastructure in the United States vulnerable to a potential cyberattack; these systems have likely already been accessed.
According to the warning, “threat actors” have been actively targeting these government entities and manufacturing sectors since at least May 2017. Threat actors have targeted the energy sector before, sometimes for the purpose of mere espionage, other times seeking the ability to attack or disrupt these energy systems.
The agencies cite a specific report released by Symantec in September, which indicated that an attack group by the name of Dragonfly has been actively targeting the energy sectors in Europe and North America.
“The Dragonfly group appears to be interested in both learning how energy facilities operate and also gaining access to operational systems themselves, to the extent that the group now potentially has the ability to sabotage or gain control of these systems should it decide to do so,” according to the Symantec report.
The DHS and FBI say hackers often find a way in through peripheral organizations that might have less secure networks than the final, intended target. These attackers use the following tactics, techniques and procedures: open-source reconnaissance, spear-phishing emails, watering hole domains, host-based exploitation, industrial control system infrastructure targeting and ongoing credential gathering. Further technical details on these techniques can be found in the warning itself.
The DHS and FBI also provide a series of indicators of compromise (IOC) packages for network users and administrators looking to monitor their own security. The packages list various IP addresses that administrators can add to a “watch list.” Anyone who notices the use of these techniques, which indicates compromised security, should contact the DHS or law enforcement immediately.
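As an added example that is not part of the article or of the DHS/FBI IOC package, the following Python script shows what an administrator's “watch list” check looks like in practice: it parses a list of indicator addresses (single hosts or CIDR blocks), scans log lines for any address that falls inside one of them, and summarizes how many hits each indicator produced. Every address and log line below is constructed sample data drawn from the RFC 5737 documentation ranges; the real indicators come only from the advisory's IOC package, and the log format (one event per line, key=value fields) is an assumption.

```python
"""Watch-list matcher for IOC IP addresses (added example, constructed data).

The WATCH_LIST and SAMPLE_LOGS values are placeholders using RFC 5737
documentation addresses; substitute the advisory's IOC package and your own
proxy or firewall logs for a real check.
"""
import ipaddress
import re

# Constructed watch list: single hosts and a CIDR block, as an IOC package
# might supply them. Not real indicators.
WATCH_LIST = [
    "192.0.2.10",
    "192.0.2.11",
    "198.51.100.0/24",
]

# Constructed sample log lines in a simple proxy/firewall key=value style.
SAMPLE_LOGS = [
    "2017-10-21T08:12:03Z proxy user=jdoe dst=192.0.2.10 host=cdn-update.example method=GET",
    "2017-10-21T08:12:05Z proxy user=jdoe dst=203.0.113.7 host=intranet.example method=GET",
    "2017-10-21T08:13:44Z fw action=allow src=10.0.5.21 dst=198.51.100.42 dport=445",
    "2017-10-21T08:15:01Z fw action=allow src=10.0.5.22 dst=10.0.0.5 dport=443",
    "2017-10-21T09:00:17Z proxy user=asmith dst=192.0.2.11 host=docs-portal.example method=POST",
]

# Candidate dotted quads; validity is checked with ipaddress afterwards.
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def load_watch_list(entries):
    """Parse watch-list entries (single IPs or CIDR blocks) into networks.

    Blank lines and '#' comments are ignored, and malformed entries are
    skipped with a note rather than aborting the whole scan, because IOC
    lists are frequently hand-maintained.
    """
    networks = []
    for entry in entries:
        entry = entry.strip()
        if not entry or entry.startswith("#"):
            continue
        try:
            networks.append((entry, ipaddress.ip_network(entry, strict=False)))
        except ValueError:
            print(f"skipping malformed watch-list entry: {entry!r}")
    return networks


def scan_logs(lines, watch_list):
    """Return one hit per (line number, address, indicator) found in the logs."""
    networks = load_watch_list(watch_list)
    hits = []
    for lineno, line in enumerate(lines, start=1):
        seen = set()  # avoid duplicate hits if an address repeats on one line
        for token in IPV4_RE.findall(line):
            try:
                addr = ipaddress.ip_address(token)
            except ValueError:
                continue  # e.g. "999.1.2.3" matches the regex but is not an address
            for entry, net in networks:
                if addr in net and (token, entry) not in seen:
                    seen.add((token, entry))
                    hits.append({"line": lineno, "ip": token, "indicator": entry, "text": line})
    return hits


def summarize(hits):
    """Count hits per indicator so an analyst sees which IOCs are actually active."""
    counts = {}
    for hit in hits:
        counts[hit["indicator"]] = counts.get(hit["indicator"], 0) + 1
    return counts


if __name__ == "__main__":
    results = scan_logs(SAMPLE_LOGS, WATCH_LIST)
    for hit in results:
        print(f"line {hit['line']}: {hit['ip']} matched {hit['indicator']}: {hit['text']}")
    print("per-indicator counts:", summarize(results))
```

Matching on parsed addresses rather than on raw substrings matters for two reasons: a CIDR indicator such as `198.51.100.0/24` cannot be matched by string comparison at all, and a naive substring search for `192.0.2.1` would also fire on `192.0.2.10` and `192.0.2.11`, producing false positives that waste analyst time. Internal addresses in the sample (the `10.x` sources) never match, which is the expected behaviour when the watch list contains only external indicators.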
Cybersecurity has been a hot topic in recent months, and there is little to suggest these attacks are going to taper off. In October, cybersecurity company FireEye said it stopped a series of spear-phishing emails sent to U.S. power companies that likely originated in North Korea, though it claimed the emails were merely “early stage reconnaissance.” Either way, the threat is ongoing, and the DHS and FBI are urging network users and administrators to remain vigilant.