A huge story about Russian hacking got lost amid all the Trump administration staffing drama and Stormy Daniels news over the past week: On March 15, the US government released a report describing a massive Russian hacking campaign to infiltrate America’s “critical infrastructure” — things like power plants, nuclear generators, and water facilities.
The joint report from the FBI and Department of Homeland Security claims that Russian hackers gained access to computers across the targeted industries and collected sensitive data including passwords, logins, and information about energy generation. While the report doesn’t specify any identifiable sabotage, the intrusion could set up future attacks that do more than just record observations.
The day after the report was released, Energy Secretary Rick Perry told lawmakers at an appropriations hearing that cyberattacks are “literally happening hundreds of thousands of times a day,” and warned that the Department of Energy needs an “office of cybersecurity and emergency response” in order to be prepared for threats like this in the future.
This report is a big deal: It’s the first time the US government has publicly blamed Russia’s government for attacks on energy infrastructure. Explicitly pinning the attack on the Kremlin means that rather than targeting the hackers as individuals, the United States can now respond against Russia as a whole.
By tying the attacks to Russian intelligence agencies, the US government can then sanction high-level members of those agencies for the actions of their subordinates. This makes further hacking operations a lot riskier for not just the hackers themselves but also their bosses and the government that authorized them. It’s a first step toward establishing deterrence in cyberspace.
The Russian hackers used decades-old tactics to gain access
The report says that Russia targeted “Energy and Other Critical Infrastructure Sectors,” an unhelpfully large category. But these weren’t actually the first targets.
To gain access to the power plant computers and internal networks, the hackers first attacked smaller, less secure companies — like ones that make parts for generators or sell software that power plant companies use, for instance.
The Russian hackers then repeated some of those same techniques again to gain access to the primary targets.
One way they did that was to send emails from a compromised account that the receiver trusted and had interacted with before, to get the person receiving the email to reveal confidential information. This is known as “spearphishing.” For example, if the email looks like it’s coming from Bob from marketing, then Alice will be more likely to open it, even if the email was actually sent by Eve from Russia.
Another method they used was “waterholing.” The hackers altered websites that people in the energy industry regularly visit, so that those websites could collect information, like logins and passwords, and relay them back to the hackers.
Some targeted users were induced to “download enticing word documents,” as the report phrases it, about control process systems (the industrial control software that monitors and runs plant equipment, essentially). But those documents turned out to be more malicious than enticing. By opening them, the targets ran programs that gave hackers access to their computers.
After acquiring the logins needed to fool the computers into letting the attackers in, the intruders set up local administrator accounts (the kind with permissions to do things like install programs) and used them to place more malware in the networks. The code they used also contained steps to cover the intruders’ tracks, like automatically logging out of the administrator accounts every eight hours.
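One defender-side illustration of the account-creation step described above (an added example, not code from the article or the DHS-FBI report): a small detector that walks constructed Windows-style security log lines and flags an account that is created and then added to the local Administrators group on the same host within a short window. The JSON log shape, hostnames and account names are assumptions; the event IDs 4720 and 4732 are the real Windows Security Log identifiers.

```python
import json
from datetime import datetime, timedelta

# Constructed sample log lines (assumed shape, not from the report). Each is a
# simplified JSON export of a Windows Security event: 4720 = user account
# created, 4732 = member added to a security-enabled local group.
SAMPLE_LOG = [
    '{"ts": "2018-03-10T02:13:05", "host": "HMI-WS01", "id": 4720, "actor": "j.smith", "target": "svc_backup"}',
    '{"ts": "2018-03-10T02:13:40", "host": "HMI-WS01", "id": 4732, "actor": "j.smith", "target": "svc_backup", "group": "Administrators"}',
    '{"ts": "2018-03-10T09:00:00", "host": "ENG-WS07", "id": 4720, "actor": "helpdesk", "target": "contractor1"}',
    '{"ts": "2018-03-10T09:05:00", "host": "ENG-WS07", "id": 4732, "actor": "helpdesk", "target": "contractor1", "group": "Remote Desktop Users"}',
    '{"ts": "2018-03-10T15:30:00", "host": "ENG-WS07", "id": 4732, "actor": "helpdesk", "target": "contractor1", "group": "Administrators"}',
]

def parse_log(lines):
    """Parse JSON log lines into dicts with a datetime timestamp, sorted by time.
    Malformed lines are skipped so one bad record cannot crash the detector."""
    events = []
    for line in lines:
        try:
            ev = json.loads(line)
            ev["ts"] = datetime.fromisoformat(ev["ts"])
        except (ValueError, KeyError, TypeError):
            continue
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])

def find_new_local_admins(events, window=timedelta(hours=1)):
    """Flag accounts created (4720) and then added to the local Administrators
    group (4732) on the same host within `window`.
    Returns (host, account, actor, seconds_between) tuples, in time order."""
    created = {}  # (host, account) -> (created_at, creating actor)
    hits = []
    for ev in events:
        key = (ev["host"], ev["target"])
        if ev["id"] == 4720:
            created[key] = (ev["ts"], ev["actor"])
        elif ev["id"] == 4732 and ev.get("group") == "Administrators" and key in created:
            delta = ev["ts"] - created[key][0]
            if timedelta(0) <= delta <= window:
                hits.append((ev["host"], ev["target"], ev["actor"], int(delta.total_seconds())))
    return hits

if __name__ == "__main__":
    for hit in find_new_local_admins(parse_log(SAMPLE_LOG)):
        print("ALERT: new local admin on %s: %s (added by %s, %ds after creation)" % hit)
```

Widening the window trades fewer missed cases for more noise from legitimate provisioning, so tune it to how your helpdesk actually works.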
“The bad news is this attack used a lot of the old methods to get in,” says Bob Gourley, founder and chief technology officer of the tech consultancy firm Crucial Point and author of the book The Cyber Threat.
“Trickery, getting people to click on links, the other kind of social engineering, phishing to get a foothold somewhere, this was the same kind of basic attack pattern that’s been going on for a decade now,” Gourley says. “It was just better resourced and better targeted, and they had more focused intelligence.”
The attacks were all about scouting, not sabotage
Once inside the computers of a primary target, like a power company, the attackers primarily set up programs that collected information. These programs captured screenshots, recorded details about the computer, and saved information about user accounts on that computer.
The report doesn’t say that the attackers were able to control how power plants generated power. Instead of messing up power generation, the intruders watched and recorded information from computers that received the data from the energy generation systems.
Essentially, this attack provided Russia a peek into how US power plants work and report data. That peek turned into a prolonged observation.
The DHS and FBI report is cagey about the impact, simply stating that the campaign “affected multiple organizations in the energy, nuclear, water, aviation, construction, and critical manufacturing sectors.”
But how did it affect them? We don’t really know. The report doesn’t name any companies, and they’re allowed to remain anonymous in public releases about the attacks — that way, the companies can share and access reports of hacking with others, without fear that public knowledge of the attacks will panic investors or customers.
Nothing in the report speaks to the sabotage or damaging of any equipment. But if intruders were able to get into computers the same way they did for this scouting mission, and to modify code on the targeted computers as easily as they did, then there’s no reason they couldn’t stage another attack.
The report also notes that the hackers tried to mask evidence of their intrusion on the way out, and advises the targeted companies to take precautions in case any malicious code was left behind.
Are we sure it was Russia, and what was its goal?
The DHS and FBI are characterizing it as a Russian attack, noting that this was a multiyear campaign started in March 2016 by Russian government “cyber actors.”
An October 2017 report on the attack, published by Symantec and cited in the government report, notes that “some code strings in the malware were in Russian. However, some were also in French, which indicates that one of these languages may be a false flag.”
When the US Treasury Department issued new sanctions against several Russian individuals and organizations on March 15, it named these cyberattacks as one of the reasons for doing so. The Treasury Department statement specifically names and sanctions individuals involved with Russia’s Internet Research Agency and the GRU, Russia’s military intelligence branch, though it declines to specifically link any of the individuals named to this latest hacking campaign.
Former intelligence officials and analysts interviewed by the Cipher Brief regarding the report all reached a similar conclusion: The intrusion looks like a scouting mission, which tells us a lot about what kind of information was gathered, and not a whole lot about what Russia intends to do with all that information.
Chris Inglis, former deputy director of the National Security Agency, put it most succinctly: “[T]his is not an opportunistic foray on the part of the Russians. They seem to be intent on getting into the critical infrastructure; they didn’t simply get there because they’ve taken a shotgun approach.”
As for what Russia intends to do once inside that critical infrastructure, that’s much harder to say.
What can the United States do?
The DHS-FBI report includes suggestions, like specific code for targeted companies to run to root out some problems and step-by-step guidelines for how to find and eliminate malware.
Beyond that, there’s a list of cybersecurity tips and common sense advice, like setting limits on the functions a regular user can access on a computer, leaving other functions to secure administrator accounts. That would minimize the damage an intruder could do by compromising a normal user.
The report also includes tips like “Establish a password policy to require complex passwords for all users.” (Just what everyone wants — yet another complex password involving letters, numbers, and symbols that you have to change every month.) Annoying as they may be, there’s a reason that complex passwords are such a common recommendation after cyberattacks: Not everyone uses them yet, and setting your password as “password” still lets attackers in the front door.
To protect against attacks like this in the future, Gourley, the Crucial Point founder and chief technology officer, recommends that companies adopt multifactor authentication to mitigate the harm from stolen logins and passwords. That means that instead of just using a password to get into a system, a user also has to type in an additional code that they receive via text message or plug an ID card into a card reader hooked up to the computer.
Every additional means of verifying that a user is who they say they are makes it harder for an attacker to replicate all the credentials required and log in to the network.
Welcome to the new era of cyberwar
The biggest problem is that countries the world over are rapidly learning just how much vital or even lucrative information they can obtain from hacking, and are constantly figuring out new ways to circumvent security measures they encounter.
Sanctioning officials involved in authorizing attacks certainly punishes those involved. But it’s worth noting that more than a third of the individuals named in these latest sanctions had already been sanctioned by the US — and that apparently didn’t stop them from carrying out these new attacks. Which means that the deterrence or retaliatory effect of sanctions alone may not be as great as perhaps desired.
But cyberattacks like these fall in the gray area between network security, espionage, and crime, making it harder to figure out how to respond in a way that actually makes a real difference. Intrusions like these still fall short of sabotage or war, but that doesn’t mean we have to like them.
Kelsey Atherton is a defense technology journalist based in Albuquerque, New Mexico. Find him on Twitter @athertonkd.