Hackers Increasingly Probe North American Power GridBut Electric Sector, Driven by Regulators, Has Been Adapting, Experts Say
Hackers have been demonstrating fresh interest in the North American electric sector's network and computer infrastructure, security researchers warn. But experts also say that the sector is increasingly well-prepared to identify and repel attackers, and that launching disruptive or destructive attacks remains a difficult, laborious, time-consuming and geopolitically dangerous process for nation-state hackers.
See Also: Threat Briefing: Ransomware
The potential threat posed by attackers, however, continues to increase, based on increasing reconnaissance of electric sector networks, says industrial cybersecurity firm Dragos. It notes that 11 of the approximately 30 hacking groups that it tracks, which target critical infrastructure sectors and industrial control systems, now appear to have at least some focus on the electric sector in North America.
Such groups include Xenotime, which originally targeted oil and gas companies, including launching Trisis - aka Triton - malware against an undisclosed oil and gas firm in Saudi Arabia, before expanding its focus to targets in the U.S. as well as across Europe, Australia, and the Middle East. "This group also compromised several ICS vendors and manufacturers, providing a potential supply chain threat," Dragos says in a new report focused on the threats currently facing the North American electric sector (see: Xenotime Group Sets Sights on Electrical Power Plants).
Another group now focusing on the North American electricity generation sector is Magnallium, which since 2013 has been tied to attacks against energy and aerospace firms, Dragos says. "This activity group expansion and shift to the electric sector coincided with increasing political and military tensions in Gulf Coast countries."
Dragos says it prepared the report prior to U.S. President Donald Trump last week ordering the killing of Major General Qasem Soleimani, an Iranian military leader. The fallout from the incident led the White House to warn U.S. organizations to beware of Iranian reprisals, including cyberattacks (see: Analysis: Threat Posed by Pro-Iranian Hackers).
'The Sky is Not Necessarily Falling'
The imperative for electricity providers, as well as the broader critical national infrastructure, including any organization that operates ICS or supervisory control and data acquisition systems, remains the same, experts say: Be prepared.
"It's important to understand that the sky is not necessarily falling with regard to the power grid," says Bernie Cowens, who until recently served as the CISO for Pacific Gas and Electric Company, the nation's largest electric utility.
"It's easy to get the impression that people who operate the grid and are responsible for it are asleep at the wheel somehow, and there could be nothing further from the truth," Cowens, who's now the CSO of startup Utility Technology Solutions, tells Information Security Media Group. "There's an incredible amount of awareness, a lot of work and a lot of dedicated people who are focused on that problem every day."
"There's an incredible amount of awareness, a lot of work and a lot of dedicated people who are focused on that problem every day."
Dragos, in its report, also calls out the industry's overall good level of preparation. "The electric sector, as a whole, has been working for over a decade to address cyber threats through board level decisions, preparedness exercises like GridEx, the NERC CIP standards, and direct investment in ICS-specific security technologies," the company says. "However, adversaries will continue to evolve and the industry must be ready to adapt."
Ongoing Mandate: Don't Freak Out, Do Prepare
All power grid operators must ensure they have defenses in place against the latest types of online attacks - including the latest malware, not least because wiper and blended attacks have previously been leveled at utilities, as Robert M. Lee, CEO of Dragos, has previously told ISMG.
For example, the 2017 Industroyer - aka CrashOverride - attacks against utilities in Ukraine disrupted systems and demonstrated "the adversary’s intent and ability to target protection and safety operations to cause prolonged outages, equipment destruction, and human health and safety concerns," Dragos says.
Thankfully, however, from a technical standpoint, hacking power providers remains difficult (see: Power Grid Malware: Don't Freak Out, But Do Prepare).
To date, ICS environments have been relatively immune to online attacks because every environment is unique, meaning that attackers bent on crashing a local power grid or some other environment would need time, money and patience to study the network and determine how to disrupt it, Sergio Caltagirone, director of threat intelligence and analytics at Dragos, has told ISMG (see: How Triton Malware Targets Industrial Control Systems).
"Adversaries will continue to evolve and the industry must be ready to adapt."
That still holds true for organizations in North America, Dragos says in its new report. But that could change..
"Historically, adversaries have demonstrated the capabilities to significantly disrupt electric operations in large-scale cyber events through specialized malware and deep knowledge of targets’ operations environments," Dragos says in its report. "Although North America has not experienced similar attacks, ICS-targeting adversaries exhibit the interest and ability to target such networks with activities that could facilitate such attacks."
Know Your Charming Kittens
Dragos does not link any of the attack groups it follow to a specific nation-state and does not publish deep-dive details on malware or attack techniques "except in extraordinary circumstances in order to limit trade craft proliferation." But the groups it follows have been tied to Russia, North Korea and Iran.
Security experts say defenders are often well served by putting a name to the groups targeting their sector as part of ensuring they know how their industry and peers are being targeted (see: Ransomware School: Learn Lessons From How Others Fail).
"We all know that Iran has many APT groups, and that there is much more to watching for such activity then patching your systems and telling your users to be aware," says Gary Warner, director of research in computer forensics at the University of Alabama in Birmingham, in a blog post.
With all the talk about a possible #Iran #hardrevenge hack against US targets, I thought it would be useful to pull together a one-stop shop of #Iranian #APT #hacker groups that your team might want to look at as they do their risk re-assessment: https://t.co/upUDXLgY42— GarWarner (@GarWarner) January 10, 2020
"A large organization will want to know more about the behaviors of documented Iranian APT groups," he says. "Often these insights include known malware families used by the actor, or what sectors or countries this threat group historically has attacked."
As starting points, Warner recommends an "APT Groups and Operations" online spreadsheet maintained by Florian Roth (@Cyb3rops) as well as ThaiCERT's "amazing" Threat Actor Encyclopedia, which runs to 275 pages.
Warner notes, however, that attacker groups labeled by FireEye as "APT33, 34, 35, and 39 are all Iranian."
CrowdStrike nomenclature for these groups uses animals - as in bears for Russian, or kittens, as in Persian cats, for Iran. Iranian groups include Charming Kitten or Imperial Kitten, aka APT35; Flying Kitten or Rocket Kitten, or what other security firms call ClearSky, although that appears to overlap with Slayer Kitten and Copy Kittens; and Flash Kitten, aka Leafminer, or what Dragos calls Raspite.
"A large organization will want to know more about the behaviors of documented Iranian APT groups."
Roth, in his guide, cautions that "attribution is a very complex issue" and various security firms referring to various attack groups too often rely on "a single incident analysis," and thus may not provide a reliable big-picture view (see: Russian Hackers Co-Opted Iranian APT Group's Infrastructure).
"Groups often change their toolsets or exchange them with other groups," he says. "However, we decided that even an uncertain mapping is better than no mapping at all."