The Department of Homeland Security and the FBI accused Russian hackers on Thursday of waging coordinated cyberattacks against the U.S. energy sector and other elements of critical infrastructure since at least March 2016.
Federal officials say that the Russian government conducted a “multi-stage intrusion campaign” that involved using malware and spearphishing attacks to compromise networks of small commercial facilities and gain remote access to U.S. energy sector networks.
From there, the hackers were able to move laterally into other networks and collect information related to industrial control systems (ICS), the computer systems used to operate critical infrastructure.
The agencies released a joint alert on the intrusion campaign shortly after the Trump administration imposed new sanctions on Russia for its malign cyber activity, including last year’s global “NotPetya” malware attack and its interference in the 2016 presidential election.
The alert describes a broad Russian intrusion campaign targeting U.S. critical infrastructure, including organizations involved in the energy, nuclear, water, aviation and critical manufacturing sectors.
It references research released in September by cybersecurity firm Symantec that detailed new activity tied to the “Dragonfly” cyber espionage group, which targeted energy sector organizations in the U.S., Turkey and Switzerland. The group, also commonly known as “Energetic Bear,” has been linked by some security companies to the Russian government.
Homeland Security and the FBI released a technical alert on the new Dragonfly campaign last October but did not attribute the activity to the Russian government.
According to Homeland Security and the FBI, Russian hackers deliberately targeted and compromised networks of “staging” targets to gain access to their ultimate victims, higher-level networks containing data related to control systems.
“The initial victims are peripheral organizations such as trusted third-party suppliers with less secure networks, referred to as ‘staging targets,’” the alert says. “The threat actors used the staging targets’ networks as pivot points and malware repositories when targeting their final intended victims.”
Russian hackers “in multiple instances” gained access to networks containing data output from energy generation facilities, according to the analysis.
“The threat actors accessed files pertaining to ICS or supervisory control and data acquisition (SCADA) systems. Based on DHS analysis of existing compromises, these files were named containing ICS vendor names and ICS reference documents pertaining to the organization,” the alert says.
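The alert’s description of staging targets pivoting into networks that hold ICS vendor documents suggests one concrete hunt: look for reads of ICS/SCADA reference material coming from third-party network ranges or from accounts that have no engineering role. The script below is an added illustration written for this page, not code from DHS, the FBI or the alert. The log format, the file-server records, the keyword list, the vendor address range and the account names are all constructed for the example and would need to be replaced with a site’s own values.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed file-server audit records (not real data). Record format assumed:
# "<timestamp> <source-ip> <account> <op> "<path>""
SAMPLE_LOG = r"""
2018-03-01T09:12:03Z 10.10.5.21 eng.smith READ "\\fs01\eng\VendorA\substation_rtu_config.pdf"
2018-03-01T09:15:44Z 10.10.5.21 eng.smith READ "\\fs01\eng\quarterly_report.xlsx"
2018-03-01T22:41:09Z 10.200.7.14 svc.vendor READ "\\fs01\eng\VendorA\substation_rtu_config.pdf"
2018-03-01T22:41:31Z 10.200.7.14 svc.vendor READ "\\fs01\eng\SCADA\network_diagram.vsdx"
2018-03-01T22:42:02Z 10.200.7.14 svc.vendor LIST "\\fs01\eng\HMI"
2018-03-02T03:05:17Z 10.10.8.9 helpdesk.bob READ "\\fs01\eng\ICS_reference_VendorB.docx"
2018-03-02T10:00:00Z 10.10.5.30 eng.lee READ "\\fs01\eng\SCADA\alarm_list.csv"
"""

# Hypothetical keyword list: generic ICS terms plus the vendor names deployed on site.
ICS_KEYWORDS = ("scada", "ics", "hmi", "plc", "rtu", "historian", "vendora", "vendorb")

# Hypothetical address space used by supplier VPN / remote-support hosts
# (the "staging target" side of the pivot).
THIRD_PARTY_NETS = [ipaddress.ip_network("10.200.0.0/16")]

# Hypothetical set of accounts expected to read engineering documents.
ENGINEERING_ACCOUNTS = {"eng.smith", "eng.lee"}

LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<user>\S+) (?P<op>READ|WRITE|LIST) "(?P<path>[^"]+)"$'
)


def parse_line(line):
    """Return the record as a dict, or None for lines that do not match the format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_ics_document(path):
    """True if any path component or filename token is an ICS keyword or vendor name."""
    tokens = re.split(r"[\\/._\- ]+", path.lower())
    return any(tok in ICS_KEYWORDS for tok in tokens)


def from_third_party(src):
    """True if the source address falls inside a third-party/vendor range."""
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(ip in net for net in THIRD_PARTY_NETS)


def hunt(log_text):
    """Flag ICS document access from vendor ranges or non-engineering accounts."""
    findings = []
    for line in log_text.strip().splitlines():
        rec = parse_line(line)
        if rec is None or not is_ics_document(rec["path"]):
            continue
        reasons = []
        if from_third_party(rec["src"]):
            reasons.append("source in third-party/vendor range")
        if rec["user"] not in ENGINEERING_ACCOUNTS:
            reasons.append("account outside engineering group")
        if reasons:
            findings.append({**rec, "reasons": reasons})
    return findings


def pivot_summary(findings):
    """Distinct ICS documents touched per (source, account).

    A foothold sweeping many vendor documents is a stronger signal than a single read.
    """
    docs = defaultdict(set)
    for f in findings:
        docs[(f["src"], f["user"])].add(f["path"])
    return {key: len(paths) for key, paths in docs.items()}


if __name__ == "__main__":
    hits = hunt(SAMPLE_LOG)
    for h in hits:
        print(h["ts"], h["src"], h["user"], h["op"], h["path"], "|", "; ".join(h["reasons"]))
    for (src, user), n in pivot_summary(hits).items():
        print(f"{src} {user}: {n} distinct ICS documents")
```

On the constructed sample, the supplier-range host reading three different vendor documents overnight stands out from the engineer who opened one of the same files during working hours; the helpdesk account is flagged on the weaker signal of being outside the engineering group. In practice the keyword match should be tuned against the document names actually present on the share, since the alert notes that the files of interest were named after ICS vendors and reference documents specific to each organization.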
The new revelations come one day after lawmakers on Capitol Hill expressed concerns over threats to the U.S. energy grid during a congressional hearing focused on how to shore up energy infrastructure cybersecurity.
Worries about threats to energy assets have run high in the wake of separate cyberattacks on Ukraine’s power grid in 2015 and 2016, in both of which Moscow is suspected.
At that hearing, Undersecretary of Energy Mark Menezes warned of “constant” efforts to penetrate the Department of Energy and the grid.
“Our systems are constantly being attacked, constantly,” said Menezes. “Not only the DOE system, but also the energy system.”
“Those that want to penetrate our system try all segments,” Menezes said. “In that respect, we’re all vulnerable.”
The Trump administration on Thursday unveiled economic sanctions on 19 Russian individuals and five entities for destabilizing cyber activity. Some of the targets of sanctions are connected to the Russian troll farm known as the Internet Research Agency and have already been indicted by special counsel Robert Mueller in his investigation into Russian interference in the election.
The sanctions also aim to penalize the Russian military for the global “NotPetya” malware attack last June, for which the United States and Great Britain blamed Moscow in February.
“The administration is confronting and countering malign Russian cyber activity, including their attempted interference in U.S. elections, destructive cyber-attacks, and intrusions targeting critical infrastructure,” Treasury Secretary Steven Mnuchin said.
“These targeted sanctions are a part of a broader effort to address the ongoing nefarious attacks emanating from Russia.”