According to a Reuters article today, code associated with the recent Russian campaign called Grizzly Steppe was found on a laptop at Burlington Electric Department in Vermont, USA. Details remain vague at this time, but the company issued a statement on its home page noting that the laptop containing the indicators of compromise (IOCs) associated with the Grizzly Steppe campaign was not connected to its industrial control systems (ICS).
Grizzly Steppe is the Russian cyber campaign, attributed by the U.S. Government to Russian Intelligence Services (RIS), that was active during the recent U.S. presidential elections and targeted other public and private sectors, including critical infrastructure entities. The association between Grizzly Steppe and Burlington Electric was made public Thursday evening with a warning to power companies by the National Cybersecurity and Communications Center (NCIC) within the U.S. Department of Homeland Security.
It is still too early to draw specific conclusions from this recent announcement, but Claroty Research will continue to monitor events and follow up this blog with new details and “lessons learned”.
It is unknown whether the malware found on the Burlington Electric Department laptop was associated with a recent RIS cyber operation or whether it may be a remnant of prior campaigns conducted by associated Russian threat actor groups – see reports about Sandworm Team and on the targeted attack on the Ukrainian Power Authority. It is also unclear whether the malware found was designed to target the ICS network specifically. However, in either case, Claroty Research believes organizations with critical ICS infrastructure will remain a target. Whether adversaries are simply seeking intelligence about the ICS networks for future use, or “prepping the battlefield” by inserting malware that will give them a foothold to launch future attacks, is to be determined.
The status quo for industrial networks is that they are not effectively segmented, are built with technology and network protocols that were not designed with security in mind, and are unmonitored from a cyber security perspective. So, the current situation, with rogue actors targeting organizations that rely on industrial control systems, is a bit like shady folks being arrested near a schoolyard with limited fence lines and no video cameras – you know that if they get into the schoolyard, bad things are going to happen. The fact that they are active nearby is important.
Thus, one immediate takeaway for executives and network defenders at companies with critical ICS assets is to remain vigilant. As we noted in a recent predictions blog (see below), Claroty believes that attacks on ICS networks will continue in 2017 and beyond. Given the particularly vulnerable state of many industrial control system networks and the disparity between the relatively good level of protection and detection capabilities within traditional IT networks and the more vulnerable posture and lack of visibility into many ICS environments, the chance of a compromise going undetected remains elevated.
3. ICS attacks are coming–Mr. Robot and traditional IT security tools may be to blame
The "red lines" that conventional wisdom taught us would prevent disruptive or destructive attacks in critical infrastructure are dimming. With the Ukraine incident and the fact that no apparent repercussions followed, rogue nations and those embroiled in geopolitical conflicts will be more emboldened to use cyber-attacks against critical infrastructure. One or more state-level actors may use an ICS network attack as an instrument of foreign policy, to shake up or destabilize another country or region. Global terrorist organizations have also discussed these types of attacks, and these rogue groups can purchase skills, tools and infrastructure to launch their own efforts. Thus, we believe it is likely that another ICS-related incident will occur in the coming year.
Further, we believe rogue nations will continue “prepping the battlefield” – using reconnaissance techniques and APTs to map critical infrastructure and infiltrate industrial networks with malware that can be activated later. Also, as we have seen in the popular and not altogether unrealistic TV show Mr. Robot, building automation, HVAC and data center infrastructure can be used as attack vectors, either taking down buildings and data centers, or serving as attack vectors into IT networks–Domo Arigato Mr. Roboto.