“This type of organized cyberattack is usually conducted before a military action.”
Those are the alarming words of Sensato CEO and cybersecurity expert John Gomez, who was talking about the ongoing Russian attack on U.S. critical infrastructure. Gomez had recently been briefed by the U.S. Department of Homeland Security (DHS) about the attack.
His words echoed those of Director of National Intelligence Dan Coats, who told the Hudson Institute in Washington, D.C., “The digital infrastructure that serves this country is literally under attack.”
Sensato conducted its own investigation, ultimately verifying the disturbing state of affairs.
What makes this attack especially hair-raising is the fact that it’s so simple, and yet it has been incredibly effective at breaching hundreds of organizations in the electric, nuclear, aviation, manufacturing, government, and other critical infrastructure sectors.
And it was achieved by using social engineering and open source intelligence to compromise partner and supplier systems. Once the attackers were inside those networks, they simply generated phishing emails from those trusted businesses, bypassing traditional security controls and systems.
A Familiar Tactic; An Unknown Goal
Despite the fact that this attack has been underway for at least 18 months, no information has been exfiltrated; no systems have been damaged or destroyed; no ransom has been demanded.
Sound familiar? It should. Orangeworm similarly infiltrated hundreds of healthcare organizations via vulnerabilities in medical devices.
And, like Orangeworm, this attack hasn’t yet revealed its ultimate goal. For over a year, attackers have had access to turn off firewalls, grant administrative privileges, manipulate ports and networks, enable concurrent systems, add terminal server configurations, map networks, locate jump machines that create bridges to segregated networks, archive data, catalogue IP addresses, and create blueprints of entire systems.
“Usually you see this type of reconnaissance as a precursor to a military attack or another type of warfare, perhaps economic,” says Gomez. “They’ve been inside our critical infrastructure systems long enough to know how to shut them down and create a serious crisis.”
Was Ukraine the Blueprint?
As Russia has waged a relentless invasion of Ukraine, military assaults have been coordinated with cyber assaults aimed at destabilizing the country. Before Russia forcibly annexed Crimea in 2014, Russia tampered with the Central Election Commission. After the annexation, Russian cyber attackers hobbled three Ukraine utilities in the middle of winter. In 2016, they took out another utility in Kiev. The cyber assault on Ukraine has been unrelenting, systematically undermining the energy, transportation, military, finance, media, and political sectors.
The DHS didn’t go so far as to speculate about what the Russian attack on U.S. infrastructure means, but the alarm bells are loud enough to have not only the DHS issuing warnings, but also the FBI and other governmental agencies.
One of the cybersecurity best practices Sensato always recommends is a risk assessment and security certification of all suppliers and partners, and this Russian infiltration perfectly illustrates why this is so important.
However, Sensato’s experts know that this is one area where most organizations fall short, and understandably so: a typical hospital, for example, has between 700 and 1,500 vendors.
Architect for Defense
That’s why Sensato also recommends architecting networks for defense. That means limiting which application executables may run, blocking access to noncritical websites, disabling local admin access, limiting single sign-on, instituting two-factor and multi-factor authentication, rethinking fault tolerance, locking down jump machines, segmenting sensitive data and systems, installing a honeypot, and educating every person who has access to your network.
“One of the most helpful ways we’ve found to keep users from clicking on links in phishing emails is just showing them how they can become human firewalls for your company,” says Gomez. “Just a lunch-and-learn with a phishing simulation is all it takes to get people thinking more critically when they’re responding to their email.”
Tried-and-True: The Honeypot
Another gold standard is the honeypot, because your best chance for stopping an attack is during the intel-gathering stage. As Gomez notes, the Russian attackers started to inventory systems once they were inside – which means they started to ping and Nmap (network map) the environment. A honeypot solution like Sensato’s Nightingale would have detected that activity.
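The inventorying described above (one source sweeping port after port on hosts it has no business touching) is what a honeypot is positioned to catch. The following is an added illustration, not code from Sensato or the Nightingale product: a minimal TCP decoy listener that records every connection, and a detector that flags any source touching several distinct decoy ports inside a short sliding window. The thresholds, port numbers and sample addresses are assumptions constructed for the example.

```python
import socket
from collections import defaultdict
from datetime import datetime, timedelta

# Thresholds are assumptions for this example; tune them for your network.
SCAN_PORTS = 5                        # distinct ports from one source ...
SCAN_WINDOW = timedelta(seconds=60)   # ... inside this sliding window

def detect_scans(events, min_ports=SCAN_PORTS, window=SCAN_WINDOW):
    """Map src_ip -> every port it touched, for sources that hit at least
    min_ports distinct decoy ports within any span of `window`."""
    by_src = defaultdict(list)
    for ts, src, port in events:          # events: (timestamp, src_ip, port)
        by_src[src].append((ts, port))
    flagged = {}
    for src, hits in by_src.items():
        hits.sort()                       # oldest first
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:  # drop old hits
                start += 1
            ports = {p for _, p in hits[start:end + 1]}
            if len(ports) >= min_ports:
                flagged[src] = sorted({p for _, p in hits})
                break
    return flagged

def honeypot_listener(port, events, host="0.0.0.0"):
    """Accept TCP connections on a port nothing legitimate uses, append
    (time, source, port) to `events`, serve nothing. One per decoy port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen()
    while True:
        conn, (src, _) = srv.accept()
        events.append((datetime.now(), src, port))
        conn.close()

def sample_events():
    """Constructed sample: 10.0.0.7 sweeps six ports in six seconds, 10.0.0.20
    opens one SSH session, 10.0.0.9 spreads five ports over forty minutes."""
    t0 = datetime(2018, 4, 1, 9, 0, 0)
    ev = [(t0 + timedelta(seconds=i), "10.0.0.7", p)
          for i, p in enumerate((21, 22, 80, 443, 445, 3389))]
    ev.append((t0, "10.0.0.20", 22))
    ev += [(t0 + timedelta(minutes=10 * i), "10.0.0.9", p)
           for i, p in enumerate((135, 139, 445, 3389, 5900))]
    return ev
```

With the default 60-second window only the fast sweep is flagged; widening the window to tens of minutes also catches the slow, spread-out probing, which is the trade-off to weigh when tuning the detector against a patient adversary.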
“Attackers repeat themselves, so we know that they’ll continue using these same tactics that have been so successful,” says Gerry Blass, CEO of compliance management solutions provider ComplyAssistant and chair of the New Jersey Healthcare Information and Management Systems Society Privacy, Security, and Compliance Committee. “Turn their tactics against them with a honeypot, which allows you to not only detect the breach but also to gather information about the attack so you can fine-tune your response to it.”