Russia compromised core router in US energy attacks

The US last week accused Russia of carrying out a two-year cyber attack campaign on US power suppliers and other critical infrastructure, and now researchers say they have identified one of the key tools used, which should raise alarms for governments and businesses.

The US condemnation of Russia coincided with a New York Times report that a petrochemical company with a plant in Saudi Arabia was hit by a new kind of cyber assault in August 2017 that was not designed to destroy data or shut down the plant, but to sabotage the firm’s operations and trigger an explosion, which was avoided only because of an error in the attack code.

Research by security firm Cylance shows that the use of a compromised core router was one of the tools used in the cyber attack campaign against the US.

In the wake of news of the attacks against US critical infrastructure providers, including energy, nuclear, water, aviation and manufacturing firms, the same sectors in the UK have been placed on alert by the National Cyber Security Centre (NCSC).

UK electricity, gas and water firms, nuclear power plants, government departments and the NHS have all been warned to prepare for a state-sponsored cyber attack that could cause disruptions, according to The Times, amid heightened political tensions with Russia over the nerve gas poisoning in Salisbury.

According to the Cylance researchers, the discovery of Russia’s use of a compromised core router is significant because such compromises are considerably harder to detect, analyse, patch and remediate than compromises of PCs.

The Russian group believed to be responsible for the recently-reported series of attacks on US infrastructure has been under investigation since 2013 by various security researchers and, as a result, the group is known by various names, including Dragonfly, Energetic Bear, Crouching Yeti and Group 24.

Since 2015, the group has been linked to various attacks on energy companies in several countries, including Ireland, Turkey, Kazakhstan, Vietnam and the US.

According to the Cylance researchers, a near-end-of-life core Cisco router relied upon by one of Vietnam’s largest oil rig manufacturers was compromised by the threat group to harvest credentials that were later used to attempt to penetrate a handful of energy companies in the UK around March of 2017.

In mid-July 2017, the UK was identified as one of several countries targeted by cyber attackers seeking to compromise industrial control systems (ICS), according to a leaked document from the NCSC.

The document contained an alert aimed at the UK’s energy sector warning of “connections from multiple UK IP addresses to infrastructure associated with advanced state-sponsored hostile threat actors, who are known to target the energy and manufacturing sectors” which “likely” resulted in compromise, beginning in early June 2017.

The NCSC document warned that the infrastructure in targeted organisations was connecting to a set of malicious IP addresses using the SMB (server message block) data transfer protocol and HTTP (hypertext transfer protocol) as part of attempts by attackers to capture usernames and passwords.

The Cylance researchers said use of compromised routing infrastructure for collection or command and control purposes is not new, but its detection is relatively rare.

“That is because the compromise of a router very likely implicates the router’s firmware and there simply aren’t as many tools available to the forensic investigator to investigate them,” they wrote in a blog post. “Analysis is further challenged by the lack of system logs.”

The researchers said the fact that the threat actor is using this type of infrastructure is a “serious and worrisome discovery” because, once exploited, vulnerabilities in core infrastructure such as routers are not easily closed or remediated.

“While the end goals of these campaigns can only be speculated upon, their very existence across an array of power companies in several countries should be of great concern to governments, the companies themselves, and all those who rely on their critical services,” they said.

Mat Clothier, CEO, CTO and founder of UK technology company Cloudhouse, said the attacks on US infrastructure highlight the challenge of securing IT operations in this sector because of the amount of legacy IT software within it.

“This makes it a slow-moving, easy target,” he said. “No matter how advanced cyber security becomes, it will be of little benefit to those running their IT operations on legacy platforms that no longer receive the latest security patches and updates.”

According to Clothier, Cloudhouse is among the technology companies, including Airbus and Honeywell, that are working with utility providers, public sector bodies and private organisations to improve their cyber defences.