20 March 2018

Russians Targeting the “Achilles Heel” of Critical Infrastructure


The Trump administration has accused Russia of a coordinated “multi-stage intrusion campaign” to hack into critical U.S. infrastructure networks and conduct “network reconnaissance” while attempting to delete evidence of their intrusions. Homeland Security officials say they have helped the affected companies remove the Russian hackers from their compromised networks, but the Russians keep trying to hack into these critical systems.

In parallel, the Treasury Department announced a new series of sanctions on companies and individuals including Russian intelligence chiefs who were already sanctioned in December 2016 by the Obama administration. The sanctions also included employees of the Russian Internet Research Agency for involvement in the campaign to influence the 2016 U.S. presidential election. Others included Russian intelligence officers who were indicted in March 2017 for their involvement in the Yahoo breach beginning in January 2014.

The new sanctions also referenced the June 2017 NotPetya cyberattack that locked the computers of major shipping company Maersk and other critical industries around the globe. The White House formally attributed NotPetya to Russia’s Main Intelligence Directorate (GRU) in February 2018, calling it the “most destructive and costly cyberattack in history.”

We spoke to former NSA officials Rhea Siers and Chris Inglis, and James Lewis, Senior Vice President of CSIS, to break down the threat posed by these attacks—and the U.S. response. Their answers are adapted for print below.

What I found noteworthy in the DHS notice was that this is not an opportunistic foray on the part of the Russians. They seem to be intent on getting into the critical infrastructure; they didn’t simply get there because they’ve taken a shotgun approach.

Also, classic computer network reconnaissance here is to find the weak flank, and use that then as a foothold to then get yourself into, by moving laterally, those things that are more significant, and to the degree that all of these systems have supply chains and are increasingly connected to the digital infrastructure, that’s a risk area for us that we should be concerned about. The DHS notice is properly flagging that there’s a set of practices to try to create mitigations for that.

Typically, there are three segments of the network that are attributable to critical infrastructure. One might be the administrative component, where they essentially set up new accounts, bill accounts, place orders to the generation or distribution of whatever that service might be. Second is where the coordination or the distribution of whatever service is provided takes place, and the third would be the actual generation of that service. So, in the electrical sector, you’ve got a front office, a distribution apparatus, and you’ve got the actual power generation.

In the case of the Ukrainian attack in December 2015, the Russians originally got into the administrative component, the front office. They then moved laterally into the distribution component, but there’s no evidence that they got into the generation component.

In this case, it’s not clear what they got into, but my assessment is it’s very likely they got into the administrative, possibly the distribution components, much like their experience in December 2015. It’s more worrisome if an actor gets into the generation components, but those tend to be harder to get to and better protected.

Do the Russians’ prior experiences in Ukraine and elsewhere, and toolsets like CrashOverride, translate to greater efficiency in their penetrations of U.S. systems?

Of course. One, experience and muscle memory matter. This is the same crowd, and so if they’ve done it before, this becomes for them a much more straightforward proposition every time. Two, to the degree that they’ve automated this or created a tool suite that allows them to do this with greater efficiency, that ups the possibility that they might then find that weak flank or get into something because they’re spreading their net wider and wider.

Is the idea to essentially to gain a foothold in these systems to exploit in case of crisis, or is it to message that the U.S.’s critical infrastructure is at risk?

It’s hard to say with certainty, but what I read out of the DHS note is that it’s a pretty broad effort to get into a number of critical infrastructures: energy; nuclear; commercial facilities; water; aviation; critical manufacturing—there’s almost nothing off the list. So the Russians are doing a fairly broad penetration.

They also took some efforts to remove their tracks by removing items in the registry or by establishing secondary accounts by which they might remove evidence of the primary accounts. That shows that this is not, in my view, likely just a messaging campaign. I think it’s more than that.

There’s a foreign intelligence motivation to simply understand how America uses its critical infrastructure. That therefore leads me to the more dangerous possibility, which is that this is an attempt to understand U.S. critical infrastructure such that if they ever wanted to, they might then hold that at risk. There’s no evidence that they have attempted to hold critical infrastructure at risk at the moment, but it nonetheless is a latent possibility, and we shouldn’t discount it.

How significant is not only the attribution of these efforts, but also the sanctions that followed on some of these groups—or at least some of the FSB and GRU officials?

I think it is significant from two counts. One, it begins to connect the dots on who is engaged in this, not simply what they’re engaged in. The willingness of the United States government to name names is important, and the idea that this was a coordinated release by the U.S. government—with DHS releasing detailed information about the technical underpinnings—that then enables a much broader slot of private sector entities to participate in the further reconnaissance and intelligence gathering on this, which might then enable us to find all the places where the Russians have inserted themselves, and in so doing root it back out again.

At the same time, you’ve got [Secretary of the Treasury] Steven Mnuchin and other parts of the government announcing these sanctions. It’s a clearly coordinated and synchronized action, and therefore not simply a message to the Russian government, but also a message to the private sector that the U.S. government intends to stand in and provide material assistance to the private sector’s defense of itself.

Do you have any thoughts on the political dynamics with the Trump administration and Russia, and how in the past they might have been hesitant to attribute certain malicious activity to Russia?

I would just say that the accusations against Russia are that they’re playing in a number of different things, and there’s been concern that this administration has not been willing or able to say much about the Russian involvement in the election system, but clearly in this case there’s been no reticence whatsoever to call out the Russians’ engagement in intrusions into U.S. critical infrastructure of other sorts.

I thought it was noteworthy that in the press release, they also took pains to identify Russia once again as the perpetrator of the NotPetya attacks, which unleashed last summer and had billions of dollars of impact on the larger global infrastructure. That’s an important designation, and Russia increasingly should be held to account for that.

There is no question that the Russian cyber activity as reported Thursday, but observed for years, should be interpreted both as preparation of the battlefield and as a message to the U.S. of Russia’s cyber capabilities, and possible use of kinetic cyber activity in response to a U..S action such as, for example, a strike against Syrian leader Bashar Assad.

The key concept to understand here is that the Russians don’t believe a deterrence protocol exists in the cyber realm as it does in strategic arms. Although both the U.S. and Russia are clearly superpowers in the cyber context, the Russians consider the U.S. (and the West more broadly) as disproportionately vulnerable to cyber threat compared to Russia.

In short, we can hurt them in cyber but they can cripple us. Hence we have no deterrence against them and we should thus not be surprised at Russia’s use of a tool where they feel they have a comparative advantage and do not feel deterred and when it suits their interest, they use the tool as in the December 2015 attack on the Ukrainian power grid.

Moreover, the Russian cyber recce (reconnaissance) referenced yesterday has been going on for years, with special emphasis on probing of targets in the U.S. financial sector. Their thinking being if you want to hurt the U.S., go after economic targets—frankly, our greatest strength and biggest vulnerability.

Obviously the action by the Trump administration is an important step in both acknowledging the threat of Russian cyber capability and increasing public awareness of the risk. While some might believe the U.S. response is inadequate, perhaps it is a significant first step in the building of a deterrence regime. But it is only a first step. Russia will not be deterred by half measures.

Why might network reconnaissance of industrial systems be alarming, but not necessarily suggest imminent disruption of those systems?

Reconnaissance of Industrial Control Systems (ICS) has to occur before any successful attack can be launched; In fact, this is a pattern we have seen for years from the Russians, and others, such as the Iranians. In fact, DHS and the FBI have been consistently issuing alerts to energy and utilities companies, warning them of their vulnerabilities. For example, in 2014 DHS warned about the presence of Black Energy malware in U.S. systems – the same malware that had a role in the disruption to electric power in the Ukraine, cutting off electricity to 700,000 across a fairly large area.

The activity described in the US-Cert alert depicts an adversary probing for vulnerabilities and preparing to use them, including advancing malware, if and when they deem it advantageous. This is not new – it continues a pattern of activity, but the alert provides additional details and direct attribution to Russia. People often refer to Ukraine as a test bed for Russian cyberattacks against critical infrastructure.

What attacks have you seen there that you think could be used here in the U.S.?

The Sandworm attacks (Sandworm is often associated with Russia) using Black Energy against the Ukrainian power grid could also be deployed against U.S. targets. However, many experts believe that the malware alone cannot take down the utilities and that other methods must also be deployed to cause widespread damage. One has to assume that while these attacks might not be successful against a range of targets across the U.S., they could cause enough disruption to precipitate economic damage and endanger the civilian population.

What is Russia getting at by probing these systems? Is it a form of preparing the battlespace should a geopolitical crisis arise or more of a messaging technique against the U.S.?

Both. To prepare the battle space, they need to know the critical systems and be able to explore their potential vulnerabilities. Note that the reports discuss the targeting of small commercial facilities, often seen as the “Achilles heel” of U.S. critical infrastructure. Sometimes these smaller companies simply do not have the resources to mount a dynamic cyber defense.

Further, there is so much open-source information available about these companies that targeting becomes considerably less challenging. Of course, the Russians are known for clearly sending messages through their cyber activity — not always covering up all their fingerprints—to let us know they’ve visited us. Perhaps Russia also thinks this is one way to engage in cyber deterrence.

How significant is it that the Trump administration has attributed this activity to the government of Russia?

Given this administration’s somewhat limited record in attributing any negative activity to Russia, this is an important development. It demonstrates that despite the ambiguity towards Russian President Vladimir Putin at the top, the U.S. government is continuing its intelligence collection and its assistance to these smaller companies to ramp up their defenses.

Perhaps the U.S. is ready to pursue its own deterrence against Russian probes and attacks, including economic sanctions. But to ensure the success of U.S. deterrence, we need to see a more consistent effort that comes from the top. This alert and sanctions are a helpful and pragmatic step forward, but they need to be part of a consistent and clear policy.

In the Cold War, Russia and the U.S. floated reconnaissance satellites over each other to identify targets for attack. This cyber reconnaissance is the same thing. It identifies targets and sends a threatening message. It’s a more subdued form of the actions against the Ukrainian power facilities, which were temporary in their effect, reversible and a signal to the Ukrainians intended to put pressure on them. The U.S. is different, in that one nuclear power does not actually damage another nuclear power’s critical infrastructure – the risk is just too great. The Russians will only pull the trigger if they want a war. But people are willing to play a game of chicken to see who backs down first. The Russians do reconnaissance as a warning (and to prepare the battlefield), and we out them as a warning. It’s not war, at least old-style war, but it is conflict.

No comments: