Serious Cyber Exposures For the Energy Sector
The energy sector is especially vulnerable to cyberattacks. Hackers associated with Russian internet addresses have been scanning the networks of five U.S. energy companies in a possible prelude to hacking attempts, the FBI said in a March 18 advisory to U.S. businesses. The FBI’s notice was days before The White House publicly warned that Kremlin-linked hackers could target U.S. critical infrastructure as the Russian military continues to suffer heavy losses.
Adding to the recent headlines, on March 24th the Department of Justice unsealed two indictments charging four Russian nationals with crimes related to attempted hacks of critical infrastructure both abroad and within the United States.
One of the indictments accuses three Russian individuals of being part of the DragonFly group, also known as Energetic Bear and Crouching Yeti, which conducted a two-phased campaign targeting and compromising the computers of hundreds of entities related to the energy sector worldwide.
According to a few reports, DragonFly used more generally available malware and “living off the land” tools, such as administration tools like PowerShell, PsExec, and Bitsadmin, which may be part of a strategy to make attribution more difficult. The Phishery toolkit became available on Github in 2016, and a tool used by the group—Screenutil—also appears to use some code from CodeProject. Of note is that the attackers did not use any zero days. As with the group’s use of publicly available tools, this could be an attempt to thwart attribution deliberately, or it could indicate a lack of resources. Lastly, some code strings in the malware were in Russian. However, some were also in French, which indicates that one of these languages may be a false flag.
The second indictment alleges another Russian national was part of the Triton hacker group, helping the group carry out two separate emergency shutdowns at a Schneider Electric facility based in the Middle East.
The DOJ indictments accuse the suspects of targeting the global energy sector between 2012 and 2018. All four suspects worked for the Russian government. “In total, these hacking campaigns targeted thousands of computers, at hundreds of companies and organizations, in approximately 135 countries,” according to the DOJ.
Over the past few years, the energy sector has become an area of increased interest to threat actors. In 2015 and 2016 Ukraine experienced cyber-attacks linked to Russian actors, including one attack that took out the electricity for almost a quarter-million Ukrainians.
These attacks have led to increased calls for U.S. energy companies to improve their cybersecurity. Recently, there have been reports of attempted cybersecurity attacks on the electricity grids in Europe and companies that manage nuclear facilities in the U.S.
As the Russia/Ukraine conflict continues, the likelihood of Russian retaliation on U.S. critical infrastructure grows. As a company that has been monitoring the vulnerabilities and cybersecurity exposures across the energy sector for a decade, we dove into our data to provide important research findings that energy companies can use to get ahead of the threat.
Security Exposures Violating Cyber Best Practices in the Energy Sector
Threat actors are looking to cause panic and disrupt the economy through cyber-attacks on the energy sector. The energy sector has unique interdependencies between physical and cyber infrastructure that make these companies more vulnerable to exploitation. This can mean everything from billing fraud with wireless “smart meters” to the commandeering of operational technology systems to stop the generation, transmission, and distribution of energy.
It is more important than ever to be extra vigilant due to the additional cyber risks to energy sector organizations, such as open ports, vulnerable products, or risky services. In a recent report, LookingGlass highlighted five security exposures seen across the energy sector that could be leveraged for a Russian cyberattack. We call out two cybersecurity exposures here that are disturbing and should cause energy executives and the federal government concern:
- Default passwords for Telnet: Default passwords are a major attack vector. Not changing the default password for Telnet feels egregious, because it can give an attacker complete access to a machine and allow them to move freely throughout a network.
- Port 161 – SNMP: In 2018, CISA released an alert noting that Russian state-sponsored cyber actors were targeting network infrastructure devices with the Simple Network Management Protocol (SNMP). SNMP may be abused to gain unauthorized access to network devices and to provide network information for network mapping that could help with future exploitation. The newer SNMPv3 should be used because it can authenticate and encrypt payloads.
For the full set of exposures, download our Energy Sector Cyber Profile by filling out the form to the right. >>>
Additional Vulnerabilities in the Energy Sector
Along with security exposures for the sector, LookingGlass also identified the most prevalent verified vulnerabilities seen over the past 30 days. Over 70 percent of the sector’s reported vulnerabilities came from CVE-2015-0204, CVE-2015-4000, and CVE-2020-0796.
With more than 30 percent of the reported vulnerabilities, CVE-2015-0204, also known as FREAK (Factoring Attack on RSA-EXPORT Keys), is a flaw that forces secure connections to use weaker encryption. This allows attackers to use man-in-the-middle (MiTM) attacks to steal or manipulate data.
LookingGlass also saw CVE-2015-4000, a.k.a Logjam. It was reported in more than 24 percent of the sector. Similar to FREAK, CVE-2015-4000 allows MiTM attack against a server to downgrade TLS connections and cipher strength. As this attack results in being able to read encrypted traffic, exploitation of this vulnerability aligns with the kinds of attacks governments and organizations hostile to private communications are known to implement.
Furthermore, CVE-2020-0796 was also seen across the sector. This vulnerability has wide appeal to a variety of nation-state actors and cybercriminals alike as it is remotely exploitable, can spread without user interaction, and can be used to install code on victim machines. While this vulnerability generated the most activity on Chinese forums when it was publicly disclosed, Russian-speaking actors have shown interest in the vulnerability and sharing information on how to successfully exploit it.
Download the Sector Cyber Profile: Energy Report
For complete details and additional crosswalks between vulnerabilities, exposures, and Russian threat actors, download our Sector Cyber Profile: Energy by filling out the form to the right. >>>
The energy sector can use this information to better what’s happening across their sector to peer organizations and what areas they can focus on to improve their cybersecurity defenses.