The Hackers' Playbook
Power grid breaches offer critical lessons for cyber defenders
On its face, the hack was so bad you'd think no one would even want to acknowledge it.
Russian operatives had slithered so deep into the control systems of U.S. utilities that "they could have thrown switches," a Department of Homeland Security official later told The Wall Street Journal.
But rather than downplay the breach, the U.S. government did the opposite. A team of specialists from the Department of Homeland Security and the Federal Bureau of Investigation dissected the whole thing, then published their findings. The idea was that exposing the tradecraft of the hacking group, known both as Dragonfly and Energetic Bear, would help defend against potentially catastrophic attacks in the future.
"When you take out the grid, you cripple society," said Paul F. Steidler, a senior fellow at the Lexington Institute who specializes in energy. "Factories don’t work. Streetlights don't work. Transportation is very difficult. Water and sewer systems are impacted. It's a great way to cause a large amount of chaos in a very efficient manner.”
Here’s how the experts broke down the campaign – and advice on how businesses can protect themselves.
DIVIDE AND CONQUER
The attackers started by splitting targets into two groups: intended targets, or the energy companies themselves; and staging targets – ancillary organizations like vendors, suppliers, even trade journals and industry websites.
Rather than going straight after the larger and better-protected big targets, the hackers instead wormed their way into the smaller, less secure companies' networks, then used that access to gather intelligence and set traps.
That's common, said Mark Orlando, chief technology officer for cyber services at Raytheon. He recommends monitoring computer networks for unusual activity, installing security patches regularly and developing a response plan to disclose breaches and limit damage.
“Really it just comes down to managing your systems and being as vigilant as you can,” he said.
The vastness of the energy industry makes it especially vulnerable, Steidler said.
"It's a big, big chain, and there's just inherently a lot of entry points," he said.
EYES ON THE TARGET
Like the bank robbers of old, hackers start by researching their targets. That includes scouring the Internet to see how an organization works, identify its business partners and look for weak spots.
It's simple, it's effective, and it helps attackers stay under the radar, Orlando said.
“Often, that gives you much richer information than technical activity,” he said. “That’s far more efficient than trying to scan a network or doing the other things that might tip a network off that they’re being targeted.”
In the power company hack, for example, one target company's human resources website showed a photo that gave attackers a valuable piece of information: the manufacturer and model of a certain piece of control-systems equipment. That gave away insight on how the plant runs, it gave the attackers another target to go after, and it helped them with another phase of the attack – "spearphishing," or the use of manipulative emails to load malware onto a network.
The best defense, Orlando said, is for companies to limit the level of detail they publish about themselves – “a certain level of vagueness,” as he put it, “especially when you’re talking about certain parts of your infrastructure.”
THE ART OF ESPIONAGE
Just as spies learn the customs and habits of the people they’re watching, hackers study their targets and find ways to exploit patterns of behavior.
In their report, the government said the attackers went after their big targets with several types of emails – resumés, curricula vitae, policy documents – and in each, they made reference to control systems. In other words, they were using the intel they collected from their surveillance to create a plausible, well-informed email likely to fool someone into opening the malware-laced attachment.
One of the ruses: An invitation to a New Year’s Eve party.
“Nothing is off the table,” Orlando said. “It doesn’t have to be related to a business, or a partner. There’s no specific look or feel or subjects of focus. Attackers can and do change them up to find something that’s successful.”
POISONING THE WELL
Spearphishing works – it’s one of the oldest tricks hackers have – but it’s far from the only way to get malware onto a machine. Another common method, called a watering-hole attack, plants malicious code on a site the targets trust, then waits for them to come pick it up.
In attacks on the energy sector, the hackers used many of their staging targets to develop watering holes. About half were trade publications and websites that focused on the energy industry. The hackers corrupted those sites behind the scenes and "altered them to contain and reference malicious content," the government wrote, meaning those sites were serving up malware but giving the targets no reason to suspect anything was amiss.
“It’s a low-complexity, low-effort, high-yield attack,” Orlando said. “It allows you to cast a wide net. With relatively little effort, you can target lots and lots of users.”
The best defense, he said, is for a company to monitor its own networks for signs that a user may have unwittingly stumbled into a watering-hole attack.
ATTACKING FROM WITHIN
Much malware is designed to capture user credentials, the digital identity of someone authorized to use a network. With credentials, hackers no longer have to lie, fool or finagle their way to what they want. They can simply find it and take it.
“If I’m able to harvest credentials from a supplier and gain access to my primary target, I don’t even have to use any kind of attack,” Orlando said. “If I can come into your environment using authorized credentials, detecting that just became exponentially more difficult.”
Credential harvesting includes usernames and passwords – often stolen by creating fake login pages for familiar sites – but it also includes less familiar digital loot such as hashes, or the “secret handshakes” that networks perform whenever one attempts a transaction with another.
Here's how hackers steal hashes: their spearphishing emails contain documents that order the target's computer to retrieve data from a server – one the hackers either own themselves, or commandeer. Once the hackers have the target’s hash, they can apply techniques to reveal the password in plain text. Sometimes that password is all they need; that's why security experts recommend setting network to require secondary means of authentication, such as a thumbprint or a code from a security token.
That's one way to steal login information. Another method: To imitate the login page itself.
In a separate phishing campaign that focused on staging targets, the attackers planted a link that redirected users several times, ultimately landing on a page whose "username" and "password" fields fed credentials straight to them.
A NEW TWIST
At least one element of the spearphishing campaign in the earlier breach showed these hackers were innovating as well.
Rather than emailing attachments infected with malware, they did something likely to catch savvier targets off-guard. They sent a completely harmless document but made sure it didn't download properly. Then they programmed in a prompt for users to click if they were having trouble with the attachment.
And that's where the malware lived.
“Attackers are getting savvier,” Orlando said. “It’s just evidence that these kinds of social engineering attacks have gotten a little more clever and a lot less obvious that there’s anything malicious going on.”
There are two main lessons from the power-grid hack, Orlando said. First, he said, businesses should know that small hacking attempts like suspicious emails are often part of a larger campaign. Also, he said, they should understand that truly cyber-secure businesses look beyond their own networks.
“Your network isn’t just your network. It’s your network, plus your trusted partners, plus your suppliers,” he said. “If you’re not mitigating risk across the entire ecosystem, you’re potentially missing a very large exposure to your business.”