March 26, 2018//Ellen Neveux
Exploiting the lack of secure remote access between US energy providers and their smaller third-party partners, Russian state actors breached the American power grid.
In an Alert, the US Computer Emergency Readiness Team (US-CERT) bluntly outlined the “multi-stage intrusion campaign” by Russian actors that has been ongoing for at least two years. Infrastructure targets included:
The well-organized campaign used the weak cybersecurity practices of third-party providers to gain access to its “intended targets.” According to the Alert, the Russian actors used these third-party vendors “as pivot points and malware repositories when targeting their final intended victims.”
Use of third-party vendors no surprise to cybersecurity experts
Using vulnerable third-party vendors to gain access to enterprise networks is a common, opportunistic exploit. In this campaign, Russian actors chose their targets, rather than surveying for weak security links. By purposefully selecting third-parties operating without secure remote access, actors downloaded website source code from institutional targets, harvested credentials, and gained remote access to industry virtual private networks (VPNs) and web-based email.
By breaching third-party vendors, and using information publicly available on the websites of targets, Russian operatives were able to gain organizational information on networks, control systems, and HR. As noted in the CERT Alert, this type of information is “commonly” used to carry out focused spear-phishing activities.
In addition to third-party vendors, the hackers breached trade publications and legitimate information websites to create watering hole domains for referral to malicious content.
Once inside the system of intended targets, actors created multiple accounts to obtain and manipulate information, plant codes, and download tools through VPN, Outlook Web Access, and RDP.
In the energy industry, Russian operatives gained access to workstations and servers containing sensitive schematics used in critical industrial control systems. The Department of Homeland Security was able to digitally recreate a screenshot taken during the operation.
When exiting systems, Russian actors took efforts to delete applications they used, erase their tracks and clear event logs relating to remote services, audit, and much more.
As of yet, there has been no known federal response to this complex and insidious cyber attack. By itself, the US-CERT Alert took unusual action by identifying Russia as the perpetrator. This quiet cyber war on the US likely continues today.
The Alert provides a considerable list of recommended measures to protect against intrusions. Many of these best practices are readily available through the use of a secure remote access platform, like SecureLink.
While sophisticated, organized, and deliberate, the Russian actors who conducted this successful campaign used easily available tools and the sloppy security of third-party vendors to maliciously infiltrate critical US infrastructure. It is an old story, but instead of brand liability and exposed consumer data, the infrastructure of this country could be irreparably damaged in a progressive or all-out cyber attack.
The technology to prevent cyber assault through a secure remote access platform already exists. Take advantage of the safety and security offered by SecureLink. Find out about our secure third-party remote access solution today.
Our sole focus is secure third-party remote access. For highly regulated enterprise organizations, SecureLink Enterprise has pioneered a secure remote access platform. SecureLink for enterprise allows an organization to identify, control, and audit third-party vendors. For vendors, SecureLink is the gold standard remote access support platform because it is easy, efficient, and ensures compliance and reduces liability when supporting customers.