Any lingering notion that the Trump administration is in bed with the Russians was nuked this week as the administration leveled a series of accusations and sanctions against Vladimir Putin's regime. On Thursday, for the first time publicly, the U.S. blamed the Russian government for a years-long cyber attack campaign targeting the U.S. power grid.
The same day, the administration issued a technical security alert detailing the Russian government's efforts to break into the U.S. energy grid using state-employed hackers. The alert, the product of analysis by the Department of Homeland Security and the FBI, concluded that the Russian government conducted a "multi-stage intrusion campaign" targeting "U.S. Government entities as well as organizations in the energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors."
"DHS and FBI characterize this activity as a multi-stage intrusion campaign by Russian government cyber actors who targeted small commercial facilities’ networks where they staged malware, conducted spear phishing, and gained remote access into energy sector networks," the alert's overview reads. "After obtaining access, the Russian government cyber actors conducted network reconnaissance, moved laterally, and collected information pertaining to Industrial Control Systems (ICS)."
The administration says the attacks have been taking place since at least March 2016.
"This campaign comprises two distinct categories of victims: staging and intended targets," the alert explains. "The initial victims are peripheral organizations such as trusted third-party suppliers with less secure networks, referred to as 'staging targets' throughout this alert. The threat actors used the staging targets’ networks as pivot points and malware repositories when targeting their final intended victims. NCCIC and FBI judge the ultimate objective of the actors is to compromise organizational networks, also referred to as the 'intended target.'"
The alert lists the following methods employed by the cyber actors:
- spear-phishing emails (from compromised legitimate account),
- watering-hole domains,
- credential gathering,
- open-source and network reconnaissance,
- host-based exploitation, and
- targeting industrial control system (ICS) infrastructure.
The alert goes on to detail how the cyber actors used those methods against companies and gives examples of specific campaigns. It concludes with a list of best practices for defending against such campaigns. (Read the security alert here.)
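As an added illustration (not from the alert, the administration, or this article), the staging-target-to-intended-target pattern the alert describes can be turned into a simple detection over remote-access and session logs: flag third-party supplier accounts whose sessions reach the ICS network segment, or that touch an unusual number of internal hosts after logging in. The log format, account names, IP addresses and subnets below are all constructed for the example and stand in for whatever a utility's VPN, firewall and Windows event logs actually record.

```python
"""Flag third-party (staging-target) remote access that reaches ICS hosts.

Added example, not code from the DHS/FBI alert. The log format, account
names, host addresses and subnets are constructed for illustration.
"""
import ipaddress
from collections import defaultdict

# Constructed: remote-access accounts belonging to trusted third-party
# suppliers (the alert's "staging targets"), not to the utility's own staff.
THIRD_PARTY_ACCOUNTS = {"vendor-hvac-svc", "vendor-scada-support"}

# Constructed: address space of the ICS/OT network segment.
ICS_NETWORKS = [ipaddress.ip_network("10.50.0.0/16")]

# Constructed log lines: "<timestamp> <user> <src_ip> -> <dst_ip> <event>"
SAMPLE_LOG = """\
2018-03-10T02:11:05Z vendor-hvac-svc 198.51.100.7 -> 10.10.4.21 vpn_login
2018-03-10T02:12:40Z vendor-hvac-svc 10.10.4.21 -> 10.10.4.30 smb_session
2018-03-10T02:15:02Z vendor-hvac-svc 10.10.4.30 -> 10.50.1.15 rdp_session
2018-03-10T02:16:11Z vendor-hvac-svc 10.10.4.30 -> 10.50.1.16 rdp_session
2018-03-10T09:00:00Z jsmith 203.0.113.9 -> 10.10.4.21 vpn_login
2018-03-10T09:03:10Z jsmith 10.10.4.21 -> 10.10.7.8 smb_session
2018-03-11T14:22:31Z vendor-scada-support 198.51.100.8 -> 10.10.4.21 vpn_login
2018-03-11T14:25:00Z vendor-scada-support 10.10.4.21 -> 10.50.2.40 rdp_session
"""


def parse_line(line):
    """Parse one constructed log line into a dict; None for blank or malformed lines."""
    parts = line.split()
    if len(parts) != 6 or parts[3] != "->":
        return None
    ts, user, src, _, dst, event = parts
    return {"ts": ts, "user": user, "src": src, "dst": dst, "event": event}


def in_ics(addr, ics_networks):
    """True when the address falls inside any ICS/OT subnet."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in ics_networks)


def analyze(log_text, third_party_accounts, ics_networks, lateral_threshold=3):
    """Return per-account findings for third-party (staging-target) accounts.

    Two signals are raised:
      staging_to_ics    - a supplier account reached a host in the ICS segment
      lateral_movement  - a supplier account touched >= lateral_threshold
                          distinct internal hosts (pivoting after login)
    """
    touched = defaultdict(set)    # user -> destination hosts contacted
    ics_hosts = defaultdict(set)  # user -> destination hosts inside ICS
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["user"] not in third_party_accounts:
            continue
        touched[rec["user"]].add(rec["dst"])
        if in_ics(rec["dst"], ics_networks):
            ics_hosts[rec["user"]].add(rec["dst"])

    findings = {}
    for user in sorted(touched):
        flags = []
        if ics_hosts[user]:
            flags.append("staging_to_ics")
        if len(touched[user]) >= lateral_threshold:
            flags.append("lateral_movement")
        findings[user] = {
            "hosts_touched": len(touched[user]),
            "ics_hosts": sorted(ics_hosts[user]),
            "flags": flags,
        }
    return findings


if __name__ == "__main__":
    for user, info in analyze(SAMPLE_LOG, THIRD_PARTY_ACCOUNTS, ICS_NETWORKS).items():
        print(f"{user}: {info}")
```

The point of keying the rule on the account's trust category rather than on any malware indicator is that, in the campaign the alert describes, the supplier's access is legitimate; what is abnormal is where it goes. A vendor HVAC account has no business opening RDP sessions to the OT segment, so that reachability alone, observed on the utility's own logs, is the signal worth alerting on regardless of what the attacker used to obtain the credentials.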
In its coverage of the alert, Reuters underscores the historic nature of the accusation:
The decision by the United States to publicly attribute hacking attempts of American critical infrastructure was “unprecedented and extraordinary,” said Amit Yoran, a former U.S. official who founded DHS’s Computer Emergency Response Team.
“I have never seen anything like this,” said Yoran, now chief executive of the cyber firm Tenable. [...] U.S. officials have historically been reluctant to call out such activity in part because the United States also spies on infrastructure in other parts of the world.
This week, the Trump administration also slapped Russia with sanctions against a total of 19 Russians for their role in attempting to meddle with the 2016 election. "We're going to be tough on Russia until they decide to change their behavior," White House spokeswoman Sarah Huckabee Sanders told reporters Thursday.
The sanctions and alert came one day after U.S. Ambassador to the U.N. Nikki Haley slammed the Russians for a nerve agent attack against a former spy and warned that Russia might one day use chemical weapons against the U.S. "If we don't take immediate concrete measures to address this now, Salisbury will not be the last place we see chemical weapons used," Haley told the U.N. Security Council. "They could be used here in New York, or in cities of any country that sits on this Council. This is a defining moment."