The United States has not been hit by a paralyzing cyberattack on critical infrastructure like the one that sidelined Ukraine in 2015. That attack disabled Ukraine's power grid, leaving more than 700,000 people in the dark.
But the enterprise IT networks inside energy and utilities networks have been infiltrated for years. Based on an analysis by the U.S. Department of Homeland Security (DHS) and FBI, these networks have been compromised since at least March 2016 by nation-state actors who perform reconnaissance activities looking industrial control system (ICS) designs and blueprints to steal.
There is a difference between attacks that probe enterprise IT networks for information and access to critical infrastructure versus attacks against the ICS on which the critical infrastructure operates. The two are interconnected, but the targeted assets are different.
NIST published an abstract topology of the electric-grid energy delivery system, which shows how the power system (primary equipment) interconnects with IT systems (information management). The topology highlights the growing importance and scale of enterprise IT networks within energy and utilities as the industry pivots toward two-way communication within the smart grid, including the use of IT devices and communication that combine IoT networks with ICS networks.
Inside these information management networks, cybercriminals for years have been testing and mapping-out attacks against energy and utilities networks. These slow, quiet reconnaissance missions involve observing operator behaviors and building a unique plan of attack. The attack that shut down Ukraine’s power grid in 2015 was reportedly planned many months in advance by skilled and sophisticated cybercriminals.
This underscores the importance of identifying hidden attackers inside enterprise IT networks before they cause damage to the ICS and steal information related to the critical infrastructure. The Vectra 2018 Spotlight Report on Energy and Utilities focuses on the unique threat behaviors used in the latest attack campaigns to steal vital ICS information.
These and other key findings underscore the importance of detecting hidden threat behaviors inside enterprise IT networks before cyberattackers have a chance to spy, spread and steal. These threat behaviors reveal that carefully orchestrated attack campaigns occur over many months.
When attackers move laterally inside a network, it exposes a larger attack surface that increases the risk of data acquisition and exfiltration. It’s imperative to monitor all network traffic to detect these and other attacker behaviors early and consistently.
Remote attackers typically gain a foothold in energy and utilities networks by staging malware and spear-phishing to steal administrative credentials. Once inside, they use administrative connections and protocols to perform reconnaissance and spread laterally in search of confidential data about industrial control systems.
The covert abuse of administrative credentials provides attackers with unconstrained access to critical infrastructure systems and data. This is one of the most crucial risk areas in the cyberattack lifecycle.
Other key findings in the 2018 Spotlight Report on Energy and Utilities include:
- During the command-and-control phase of attack, 194 external remote access behaviors were detected per 10,000 host devices and workloads.
- 314 suspicious remote execution behaviors were detected per 10,000 host devices and workloads.
- In the exfiltration phase of the cyberattack lifecycle, 293 data smuggler behaviors were detected per 10,000 host devices and workloads.
It is also important to note that the attackers covered their tracks to defeat log-based alerting systems. Accounts and applications used in the attacks were removed and deleted.
For example, VPN clients installed at commercial facilities were deleted along with the logs that were produced from its use. It was only through an extensive forensic analysis that the DHS was able to determine that the threat actors were able to remove evidence after the attacks already succeeded.
Lesson learned: Detect the first signs of a cyberattack as it happens, not after the damage is done.