The Hackers' Playbook

How an embarrassing breach became a master class in cybersecurity

(Image: power grid) A 2017 cyberattack on the power grid in the United States and abroad showed how eager hackers are to disrupt critical infrastructure.

On its face, the hack was so bad you’d think no one would even want to acknowledge it.

Criminals had slithered into computer networks across the energy industry, infiltrating some so deeply that experts believed they had the power to throw entire regions into darkness. The intrusion provided powerful evidence of the threat hackers pose to the industries that underpin modern life, including energy, finance, healthcare, manufacturing and transportation.

But the breach, first reported by the cybersecurity company Symantec in September 2017, also revealed much about the way these attacks work. So much, in fact, that the U.S. government turned it into a cautionary tale. In a 16-page report, a team of cyber specialists from the Department of Homeland Security and Federal Bureau of Investigation dissected the hackers’ tradecraft, hoping the information would help prevent similar attacks – and keep this one from getting any worse.

Experts say that kind of communication is crucial in an age when hackers, whether motivated by mischief or bent on waging full-on cyber warfare, are constantly finding ways to infiltrate, corrupt and weaponize whatever touches the internet – often bit by bit.

“It’s important to raise awareness,” said Mark Orlando, chief technology officer for cyber services at Raytheon. “These details, if taken by themselves, might not seem that impactful. When presented with the entire story, we can see it was part of a larger, sustained campaign, potentially causing a lot of damage.”

The potential for that damage is far-reaching, said Constance Douris, who studies cybersecurity for the Lexington Institute, a Washington, D.C. think tank that focuses on defense. She said hacking the power grid is essentially a newer way of attacking a traditional military target.

"Everyone understands cyber is important, but they don't quite understand why it needs to be protected," she said. "Hospitals, banks, pipelines, military bases – all of these cannot operate without electricity. Protecting the grid from cyberattacks should not be neglected by any means."

Here’s how the cyber experts broke down the hack – and how businesses can protect themselves.


One of the attackers' main strategies was to divide targets into two groups: intended targets, or the energy companies themselves; and staging targets – ancillary organizations like vendors, suppliers, even trade journals and industry websites.

Rather than going straight after the larger and better-protected big targets, the hackers instead wormed their way into the smaller and less secure companies' networks, then used that access to gather intelligence and set traps.

Smaller companies should take note, Orlando said: They are often a hacker's first stop on the way to a bigger target. He recommends monitoring computer networks for unusual activity, installing security patches regularly and developing a response plan to disclose breaches and limit damage.

“Really it just comes down to managing your systems and being as vigilant as you can,” he said.

The power-grid hackers knew they wanted to go after small companies. Now they just had to figure out precisely where to strike.

(Image: computer screens) Businesses should monitor their computer networks for signs of unusual activity – a common early indicator of a cyberattack.


Like the bank robbers of old, hackers start by researching their targets. That includes scouring the Internet to see how an organization works, identify its business partners and look for weak spots.

It's simple but effective, Orlando said. No sense in trying to steal something that's readily available, as long as you know where to look.

“Often, that gives you much richer information than technical activity,” Orlando said. “That’s far more efficient than trying to scan a network or doing the other things that might tip a network off that they’re being targeted.”

In the power company hack, for example, the attackers looked at one company’s human resources site and found a photo that seemed harmless but in reality contained extraordinarily valuable information: the manufacturer and model of a certain piece of control-systems equipment.

That, in turn, provided insight on how the plant runs. It also gave the attackers another potential staging target, and it helped them with another phase of the attack – "spearphishing," or the use of customized, highly deceptive emails designed to deliver malware.

The best defense, Orlando said, is for companies to be judicious about the level of detail they put out there – “a certain level of vagueness,” as he put it, “especially when you’re talking about certain parts of your infrastructure.”


Just like spies learn the customs and habits of the people they’re watching, hackers study their targets and find a way to use that information to their advantage.

In the report, the government said the attackers went after their big targets with several types of emails – resumés, curricula vitae, policy documents – and in each, they made reference to control systems. In other words, they were using the intel they collected from their surveillance to create a plausible, well-informed email likely to fool someone into opening the malware-laced attachment.

One of the ruses: an invitation to a New Year’s Eve party.

“Nothing is off the table,” Orlando said. “It doesn’t have to be related to a business, or a partner. There’s no specific look or feel or subjects of focus. Attackers can and do change them up to find something that’s successful.”


Spearphishing works – it’s one of the oldest tricks hackers have – but it’s far from the only way to get malware onto a machine. Another common method, called a watering-hole attack, plants malicious code in a place the targets trust, then waits for them to come pick it up.

In the energy-sector attack, the hackers used many of their staging targets to develop watering holes. About half were trade publications and informational websites that dealt with matters specific to the energy industry. The hackers corrupted those sites behind the scenes and "altered them to contain and reference malicious content," the government wrote, meaning those sites were serving up malware but giving the targets no reason to suspect anything was amiss.

“It’s a low-complexity, low-effort, high-yield attack,” Orlando said. “It allows you to cast a wide net. With relatively little effort, you can target lots and lots of users.”

The best defense, he said, is for a company to monitor its own networks for signs that a user may have unwittingly stumbled into a watering-hole attack.


Much of the malware in the energy-sector attack was designed to capture user credentials, or the digital identity of someone authorized to use a target network. With credentials, hackers no longer have to lie, fool or finagle their way to paydirt. They can simply find it and take it.

“If I’m able to harvest credentials from a supplier and gain access to my primary target, I don’t even have to use any kind of attack,” Orlando said. “If I can come into your environment using authorized credentials, detecting that just became exponentially more difficult.”

Credential harvesting includes usernames and passwords – usually stolen by tricking someone at a false login page for a familiar site – but it also includes less familiar digital loot such as hashes, the scrambled form of a password that a computer presents as a “secret handshake” whenever it authenticates to another machine on the network.

Here's how the hackers stole the hashes: their spearphishing emails contained documents that ordered the target's computer to retrieve data from a server – one the hackers either owned themselves or had commandeered – and the computer's attempt to authenticate to that server handed over the hash. Once the hackers had the target’s hash, they could apply password-cracking techniques to reveal the password in plain text. With that password, unless the network required multiple modes of authentication to sign on, such as a thumbprint or a code from a security token, the attackers were in.

That's one way to steal login information. Another method: to imitate the login page itself.

In a separate phishing campaign that focused on staging targets, the attackers planted a link that redirected users several times, ultimately landing on a page whose "username" and "password" fields fed credentials straight to them.
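Both of the credential-theft methods described above (a document that makes the victim's computer reach out to an outside server, and a link that bounces through several redirects before landing on a credential-capture page) leave traces in ordinary firewall and web-proxy logs. The Python script below is an added example written for this page; it is not code from the article, from Raytheon or from the government report. It runs over a few constructed log lines and flags two things: outbound SMB connections (port 445, assumed here to be the protocol behind the hash retrieval, which the article does not name) to addresses outside an assumed set of internal ranges, and redirect chains of two or more hops that end on a login page outside an assumed allowlist of the organization's own sign-on hosts. The log formats, addresses, usernames and hostnames are all invented.

```python
"""Flag outbound SMB to external hosts and multi-hop redirects to unknown login pages.

Added example for this page. Log formats, addresses and hostnames are constructed.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Assumed internal address ranges (RFC 1918); anything outside them counts as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SMB_PORT = 445

# Assumed allowlist of hosts where users legitimately enter credentials.
TRUSTED_LOGIN_HOSTS = {"sso.corp.example", "intranet.corp.example"}
LOGIN_PATH = re.compile(r"/(login|signin|sso|auth)\b", re.IGNORECASE)

# Constructed firewall log: "<timestamp> <src_ip> <dst_ip> <dst_port> <action>"
FIREWALL_LOG = """
2018-02-01T09:12:03 10.1.4.22 10.1.4.5 445 allow
2018-02-01T09:12:07 10.1.4.22 203.0.113.45 445 allow
2018-02-01T09:13:10 10.1.4.23 93.184.216.34 443 allow
"""

# Constructed proxy log: "<timestamp> <user> <requested_url> <status> <location_or_dash>"
PROXY_LOG = """
2018-02-01T10:01:01 jsmith http://trade-news.example/article/grid-upgrade 200 -
2018-02-01T10:01:05 jsmith http://trade-news.example/r/doc 302 http://short.example/x1
2018-02-01T10:01:06 jsmith http://short.example/x1 302 http://cdn-relay.example/go
2018-02-01T10:01:07 jsmith http://cdn-relay.example/go 302 http://portal-login.example/login
2018-02-01T10:01:08 jsmith http://portal-login.example/login 200 -
2018-02-01T10:05:00 akim http://intranet.corp.example/login 302 http://sso.corp.example/login
2018-02-01T10:05:01 akim http://sso.corp.example/login 200 -
"""


def is_internal(ip_text):
    """True when the address falls inside one of the assumed internal ranges."""
    addr = ipaddress.ip_address(ip_text)
    return any(addr in net for net in INTERNAL_NETS)


def find_external_smb(fw_text):
    """Return (src, dst) pairs for allowed SMB connections to external addresses.

    A workstation talking SMB to the internet is the trace a document that
    'retrieves data from a server' would leave: the client tries to authenticate
    to that server and presents its credential hash while doing so.
    """
    hits = []
    for line in fw_text.strip().splitlines():
        _ts, src, dst, port, action = line.split()
        if int(port) == SMB_PORT and action == "allow" and not is_internal(dst):
            hits.append((src, dst))
    return hits


def parse_proxy(proxy_text):
    """Turn the constructed proxy format into dicts; '-' means no Location header."""
    records = []
    for line in proxy_text.strip().splitlines():
        ts, user, url, status, location = line.split()
        records.append({"ts": ts, "user": user, "url": url, "status": int(status),
                        "location": None if location == "-" else location})
    return records


def host_of(url):
    return urlsplit(url).hostname or ""


def find_redirect_chains(proxy_text, trusted_hosts, min_hops=2):
    """Return chains of >= min_hops redirects that land on an untrusted login page.

    Per user, consecutive 3xx responses are joined into one chain; the first
    non-redirect response closes it, and the landing URL is checked against the
    allowlist and a login-looking path.
    """
    flagged = []
    open_chains = {}  # user -> list of URLs visited in the current redirect chain
    for rec in parse_proxy(proxy_text):
        user = rec["user"]
        if 300 <= rec["status"] < 400 and rec["location"]:
            chain = open_chains.setdefault(user, [])
            if not chain:
                chain.append(rec["url"])  # the link the user actually clicked
            chain.append(rec["location"])
            continue
        chain = open_chains.pop(user, [])
        if not chain:
            continue
        hops = len(chain) - 1
        landing = chain[-1]
        if hops >= min_hops and host_of(landing) not in trusted_hosts and LOGIN_PATH.search(landing):
            flagged.append({"user": user, "hops": hops, "chain": chain})
    return flagged


if __name__ == "__main__":
    for src, dst in find_external_smb(FIREWALL_LOG):
        print(f"external SMB: {src} -> {dst}")
    for hit in find_redirect_chains(PROXY_LOG, TRUSTED_LOGIN_HOSTS):
        print(f"{hit['user']}: {hit['hops']} redirects ending at {hit['chain'][-1]}")
```

On the sample data the script reports one workstation opening SMB to an outside address and one user whose click on a trade-site link was bounced three times before reaching an unrecognized login page; the internal single-hop redirect to the company's own sign-on host is left alone. In a real deployment the allowlist and address ranges would come from the organization's inventory, and a hit on either check would be a reason to pull the originating email or web page for inspection, not proof of compromise on its own.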


The attack, while successful, was also simple – built with tricks and techniques familiar to the Department of Homeland Security and FBI. But at least one element of the spearphishing campaign showed these hackers were innovating as well.

Rather than emailing attachments infected with malware, this time they did something likely to catch savvier targets off-guard. They sent a harmless document, but they made sure it didn't download properly. Then they programmed in a prompt for users to click if they were having trouble.

And that's where the malware lived.

“Attackers are getting savvier,” Orlando said. “It’s just evidence that these kinds of social engineering attacks have gotten a little more clever and a lot less obvious that there’s anything malicious going on.”

There are two main lessons from the power-grid hack, Orlando said. First, businesses should know that small hacking attempts like suspicious emails are often part of a larger campaign. Second, they should understand that truly cyber-secure businesses look beyond their own networks.

“Your network isn’t just your network. It’s your network, plus your trusted partners, plus your suppliers,” he said. “If you’re not mitigating risk across the entire ecosystem, you’re potentially missing a very large exposure to your business.”

Last Updated: 02/15/2018