The Wall Street Journal published an explosive story about how state-sponsored Russian hackers used a variety of techniques and a spider web of compromised accounts to ultimately gain access to the control infrastructure that monitors and controls the flow of electricity in the US power grid.
While the attack was complex and well planned, the core strategy was simple: exploit the trust graph.
Instead of attacking the high-value target directly, you first get inside lower-value, less protected partners — and then use simple tactics like phishing, riding on existing trusted relationships, to compromise your final target.
In short, every business relationship is a potential vulnerability.
The story is as chilling as it is fascinating. It reads like a heist novel where multiple threads intersect into a cohesive attack conceived and executed by a skilled perpetrator. By the latest reckoning (and the dust is nowhere near settled), 60 utilities were targeted, about two dozen were breached, and the attackers reached industrial control systems in at least eight of those cases.
The attack unfolds over the course of several months and exposes how most organizations remain vulnerable to the most basic of hacks. It sounds a loud warning about the criticality of at least covering the most obvious areas of cybersecurity — things like using multi-factor authentication, raising awareness of security issues across your employee base, and yes, taking a strong and proactive stance towards the scourge of phishing attacks.
It’s 2019, we have self-driving cars and cotton sprouting on the Moon — we should be able to trust email, the most foundational part of organizational communication.
The attack appears to have been designed with the end-goal clearly in mind — gain access to the infrastructure that monitors and manages the power grid. Ultimately, the Russian hackers were able to gain access to jump boxes or jump servers, which are meant to isolate the actual electrical control infrastructure from the corporate networks of the electric utilities whose technicians need to access it. But the attack began about as far away from the utilities as you can imagine.
The story begins at a professional development website called Control Engineering, dedicated to helping people who work in that very specific technical niche access educational content, learn about employment opportunities, and stay up-to-date in their industry. Sometime before March 2017, the attackers were able to hack that website so that they could harvest credentials (passwords) from the people accessing that website.
Sometime later an employee from All-Ways Excavating accessed that site and the hackers were able to gain control of his email account. The details of how this happened aren’t revealed in the article but one of the banes of our industry is that users frequently use the same passwords across many or most, if not all, of the websites that they access.
In March the hackers used that compromised email to email All-Ways’ customers, herding them to another website, imageliners.com, designed to capture their passwords. One of the customer firms that fell victim to this phishing attack was based in Corvallis, Oregon and became a launchpad for the next phase of the attack. Two weeks later, a similar wave of emails from All-Ways was sent to Dan Kauffman Excavating. We’ll come back to Kauffman in a moment.
In June, the hackers went to town on the Corvallis company’s site, opening a hole in their firewall and granting themselves administrative privileges. They used that access to reconnoiter targets much closer to their desired prize, probing networks at utilities such as ReEnergy and Atlantic Power.
More critically, the attackers used this access to compromise another firm, DeVange Construction. From there they created a fake email account and, under that persona, engaged utilities under the guise of sending a resume to seek employment opportunities. The attachments contained malware that would send login credentials for the utilities back to the hackers. Specific utilities that were targeted in this wave included Dairyland Power and New York State Electric & Gas.
Back to Kauffman: by October, the attackers had compromised at least one email account there, and used it to email 2,300 contacts with a malware link designed to compromise passwords. They targeted utilities including PacifiCorp, Bonneville Power, and the Army Corps of Engineers.
From there, it was on to the jump boxes and access to the power grid.
In summary, the hackers started with a basic attack on an esoteric website and used that foothold to work their way to accessing our most critical infrastructure. They targeted low-sensitivity firms that had no reason to adopt DoD-grade security and exploited that soft underbelly to work their way to our critical infrastructure.
This was a highly orchestrated, multi-faceted, multi-tiered attack. Different companies were victimized in different ways. But the overarching pattern shows that email was the recurring attack vector.
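The recurring pattern in the story is a legitimately trusted partner account that suddenly behaves differently: it links to a domain the relationship has never used before, and it blasts far more recipients in a day than it ever has. The following is an added example, not code from the article or from Clearedin, of how a defender can model that as a simple sender trust graph over mail logs. The log lines, senders, domains and the baseline window and burst threshold are all constructed assumptions for illustration.

```python
from collections import defaultdict

# Constructed sample log (not real data): (day, sender, recipient, link_domains)
# Days 1-12 are ordinary traffic from a partner account; on day 20 the same
# account is in the attacker's hands and mails a credential-harvesting link
# to both its usual contacts and a much wider set of recipients.
SAMPLE_LOG = [
    (1,  "bob@allways.example", "pm@corvallis.example",  ["allways.example"]),
    (2,  "bob@allways.example", "ap@corvallis.example",  []),
    (4,  "bob@allways.example", "pm@corvallis.example",  ["allways.example", "docs.example"]),
    (6,  "bob@allways.example", "eng@kauffman.example",  ["allways.example"]),
    (9,  "bob@allways.example", "pm@corvallis.example",  []),
    (12, "bob@allways.example", "eng@kauffman.example",  ["docs.example"]),
    # Benign post-baseline message: known recipient, known domain, no alert.
    (16, "bob@allways.example", "pm@corvallis.example",  ["allways.example"]),
    # Compromised-account burst: unseen domain, and more recipients than usual.
    (20, "bob@allways.example", "pm@corvallis.example",  ["harvest-page.example"]),
    (20, "bob@allways.example", "eng@kauffman.example",  ["harvest-page.example"]),
    (20, "bob@allways.example", "ops@utility-a.example", ["harvest-page.example"]),
    (20, "bob@allways.example", "hr@utility-b.example",  ["harvest-page.example"]),
    (20, "bob@allways.example", "soc@utility-c.example", ["harvest-page.example"]),
]

BASELINE_DAYS = 14   # assumption: the first 14 days of history define "normal"
BURST_FACTOR = 3     # assumption: more than 3x the busiest baseline day is a burst


def build_baseline(log, baseline_days=BASELINE_DAYS):
    """Learn, per sender, the recipients and link domains it normally uses and
    the largest number of distinct recipients it mailed on any single day."""
    domains = defaultdict(set)                      # sender -> link domains seen
    partners = defaultdict(set)                     # sender -> recipients seen
    daily = defaultdict(lambda: defaultdict(set))   # sender -> day -> recipients
    for day, sender, recipient, links in log:
        if day > baseline_days:
            continue
        partners[sender].add(recipient)
        domains[sender].update(links)
        daily[sender][day].add(recipient)
    peak = {s: max(len(r) for r in days.values()) for s, days in daily.items()}
    return {"domains": domains, "partners": partners, "peak": peak,
            "baseline_days": baseline_days}


def score_messages(log, baseline):
    """Return one alert per post-baseline message that deviates from the
    sender's learned behaviour: a never-seen link domain, or a daily
    recipient count far above the sender's baseline peak."""
    alerts = []
    sent_today = defaultdict(lambda: defaultdict(set))  # sender -> day -> recipients
    for day, sender, recipient, links in log:
        if day <= baseline["baseline_days"]:
            continue
        reasons = []
        known_domains = baseline["domains"].get(sender, set())
        new_domains = sorted(d for d in links if d not in known_domains)
        if new_domains:
            reasons.append(f"link to domain(s) never seen from this sender: {new_domains}")
        if recipient not in baseline["partners"].get(sender, set()):
            reasons.append("recipient outside the sender's usual partners")
        sent_today[sender][day].add(recipient)
        count = len(sent_today[sender][day])
        peak = baseline["peak"].get(sender, 0)
        if count > BURST_FACTOR * peak:
            reasons.append(f"recipient burst: {count} distinct recipients today vs baseline peak {peak}")
        # A message that only hits a new recipient is normal business; alert
        # only when an unseen domain or a burst is involved.
        if any(r.startswith(("link to", "recipient burst")) for r in reasons):
            alerts.append({"day": day, "sender": sender,
                           "recipient": recipient, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    base = build_baseline(SAMPLE_LOG)
    for alert in score_messages(SAMPLE_LOG, base):
        print(alert["day"], alert["sender"], "->", alert["recipient"])
        for reason in alert["reasons"]:
            print("   ", reason)
```

The benign day-16 message produces nothing because it stays inside the learned relationship; every day-20 message is flagged for the unseen domain, and the last two also trip the burst rule. In practice the baseline would come from the mail gateway's logs rather than a literal, and the "unseen domain" signal is most valuable precisely when the sender is a long-standing partner, since that is the trust the attackers in the story leaned on.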
Here are several ways this attack could have been mitigated. There are too many cracks in the armor for any one-size-fits-all solution. To begin, everyone should not only implement a two-factor or multi-factor authentication (2FA/MFA) solution but choose one that actually does the job well. Uniken is one of my favorites, along with Cisco’s Duo Security, especially when used with a hardware key like a YubiKey.
At Clearedin, we have taken on the mission of building the business communications trust graph so you can take on the zero trust posture and stop most kinds of phishing attacks.
This story demonstrates that even the most innocuous of vulnerabilities and breaches can serve as a stepping stone to a devastating attack. It’s worth noting that CFE Media, which owns the Control Engineering website, also owns similar professional development sites called Oil & Gas Engineering and Plant Engineering, at least raising the possibility of similar highly orchestrated attacks against those critical industries as well.
The WSJ article closes with this ominous line:
Industry experts say Russian hackers likely remain inside some systems, undetected and awaiting further orders.
It’s high time to start covering your bases. Turn on MFA, scan your systems and endpoints for malware on an ongoing basis, and take a strong stance to protect yourself against phishing attacks.