Energy & Critical Infrastructure Alert: Industrial Control System Data Stolen
The latest technical alert from the Department of Homeland Security (DHS) and Federal Bureau of Investigation (FBI) warns the energy and critical infrastructure sectors about a multi-stage intrusion campaign, reportedly conducted by Russian government threat actors.
The malware, spear phishing and remote access attacks affect U.S. government entities and organizations in the energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors.
After the threat actors obtained remote access to energy sector networks, they moved laterally to collect information about Industrial Control Systems (ICS), the computer systems used to operate critical infrastructure.
Much of the alert's description of the phishing attempts is the same as what I wrote about in New Office of Cybersecurity Proposed in Response to Attacks on U.S. Energy & Critical Infrastructure, based on information from Symantec’s research report.
How Attackers Gained Remote Access to Energy Networks
Compromised credentials were used to access networks where multi-factor authentication wasn't implemented. They also used scripts to create local admin accounts (disguised as backup accounts). Then they disabled the host-based firewall and opened up a port for RDP (Remote Desktop Protocol) access.
In addition to disabling perimeter-based controls once they gained access to networks with stolen passwords, the threat actors used virtual private network (VPN) software, like the free version of FortiClient, to connect to target networks. They also used free, open-source brute-force password-cracking tools to harvest even more credentials.
And, they manipulated Windows files to redirect user paths to their own remote server, leveraging the Server Message Block (SMB) authentication process to steal users' credentials.
The threat actors targeted workstations, servers and corporate networks with data output from control systems within energy generation facilities - they accessed ICS and supervisory control and data acquisition (SCADA) system files, and copied Virtual Network Connection (VNC) profile and configuration info on how to access ICS systems on the network, according to the alert.
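The account-creation, firewall-change and RDP steps described above leave a recognizable sequence in the Windows Security log. The following is an added example (not from the alert or from Duo) that correlates that sequence per host over constructed sample events; the hostnames, account names and timestamps are made up, while the event IDs are the standard Windows ones named in the comments.

```python
from datetime import datetime, timedelta

# Constructed sample Security-log events (not real data from the alert). Event IDs are the
# standard Windows IDs: 4720 = user account created, 4732 = member added to a local
# security-enabled group, 4946 = rule added to the Windows Firewall exception list.
SAMPLE_EVENTS = [
    {"host": "hmi-ws01", "time": "2018-03-15T02:10:00", "id": 4720, "account": "backup_svc"},
    {"host": "hmi-ws01", "time": "2018-03-15T02:11:30", "id": 4732, "account": "backup_svc",
     "group": "Administrators"},
    {"host": "hmi-ws01", "time": "2018-03-15T02:14:05", "id": 4946, "rule": "Remote Desktop",
     "port": 3389},
    # Benign provisioning: account created, never made admin, no firewall change.
    {"host": "eng-ws07", "time": "2018-03-15T09:00:00", "id": 4720, "account": "jdoe"},
    # Firewall rule with no preceding account creation on that host.
    {"host": "file-srv02", "time": "2018-03-15T09:30:00", "id": 4946, "rule": "File Sharing",
     "port": 445},
]

RDP_PORT = 3389


def _t(event):
    return datetime.fromisoformat(event["time"])


def find_persistence_chains(events, window_minutes=60):
    """Return one finding per host where a newly created local account is added to
    Administrators and an RDP firewall exception is opened, all within window_minutes
    of the account creation (the chain the alert describes)."""
    window = timedelta(minutes=window_minutes)
    by_host = {}
    for e in events:
        by_host.setdefault(e["host"], []).append(e)
    findings = []
    for host, evs in by_host.items():
        evs.sort(key=_t)
        for created in (e for e in evs if e["id"] == 4720):
            deadline = _t(created) + window
            later = [e for e in evs if _t(created) <= _t(e) <= deadline]
            made_admin = any(e["id"] == 4732 and e.get("group") == "Administrators"
                             and e.get("account") == created["account"] for e in later)
            rdp_opened = any(e["id"] == 4946 and e.get("port") == RDP_PORT for e in later)
            if made_admin and rdp_opened:
                findings.append({"host": host, "account": created["account"], "port": RDP_PORT})
    return findings


if __name__ == "__main__":
    for f in find_persistence_chains(SAMPLE_EVENTS):
        print(f"ALERT {f['host']}: new local admin '{f['account']}' plus RDP exception on {f['port']}")
```

In a real deployment the same correlation would run over events collected centrally, so that an attacker who also clears the local log cannot hide the chain.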
The Need for a Zero-Trust Security Model
The combination of stolen user credentials (identity) and easy bypassing or disabling of perimeter-based controls allowed these attackers to gain access (and maintain persistent access) into energy organizations' networks.
The alert contains a lengthy list of detection, prevention and mitigation strategies to take - including tips on log monitoring and what to look out for; which TCP ports to block; specifics around deploying web and email filters, and more.
But shifting the basis of your organization's policies and controls from network location and IP addresses to user identity and device health can also help. With the perimeter expanding outward to include identity, securing remote access to organizations' networks becomes more important than ever.
Ensuring a zero-trust environment means assuming that no traffic within an enterprise's network is any more trustworthy than traffic coming from outside the network. Insider risks, vulnerable endpoints, policy gaps and other potential threats require this type of zero-trust security model.
Download Moving Beyond the Perimeter: The Theory Behind Google’s BeyondCorp Security Model to learn more about the philosophy of the new framework.
And read Moving Beyond the Perimeter: How to Implement the BeyondCorp Security Model to learn how Duo Beyond can help you:
- Identify corporate vs. personal devices
- Deploy certificates easily
- Block untrusted endpoints
- Give users secure access to internal applications
In addition to gaining visibility and control over endpoints accessing your networks, you should also deploy technology to provide additional checks to verify your users’ identities (multi-factor authentication). The combination of both healthy endpoints and authenticated users can help prevent potential compromises and data leaks.