The Russian government is behind an ongoing and deliberate cyber hacking campaign against the energy sector in the U.S. but so far attempts to access critical network systems have failed, senior national security officials said on March 15.
The Trump administration’s attribution of the cyber-attacks against the energy grid was part of a larger announcement by the Treasury Department about new sanctions on organizations and individuals in Russia.
The new sanctions are just some of the “means” the U.S. is using to “fight back,” but it’s “not the end of our ongoing campaign to instruct Mr. Putin to change his behavior,” another senior national security official said, referring to Russian President Vladimir Putin. The officials spoke with reporters during a teleconferenced background call to discuss the sanctions and the hacking of the energy grid.
The second official said that “Russia’s behavior, or lack thereof, on the world stage is continuing to trouble us and we are continuing to press back in meaningful ways.”
The administration officials, and the Treasury Department, cited a number of activities by Russia that triggered the additional sanctions being imposed on government organizations and individuals. In February, the White House blamed the Russian military for the NotPetya cyber-attack in summer 2017 that infected computers worldwide, and one administration official said on the background call that the new sanctions are in part a response to that event.
“This cyber-attack was the most destructive and costly cyber-attack in history,” the Treasury Department said.
The department also said it is keeping pressure on Russia due to its occupation of Crimea, interference in elections, including in the U.S., ongoing corruption, and the recent nerve-agent attack in London in an attempt to murder two British citizens.
Regarding the threats to the U.S. energy grid, a senior national security official said in cases where victims and targets of the Russian hacking were identified, “We were able to identify where they were located within those business systems and remove them from those systems.”
The Department of Homeland Security and FBI on March 15 issued a joint Technical Alert about the Russian government hacking efforts. The alert says that Russia is targeting “U.S. Government entities as well as organizations in the energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors.”
A senior official said that, in addition to laying out the tactics, techniques and procedures of the Russian government hackers, the alert is aimed at further sharing information about the ongoing hacking to help identify other potential targets and victims.
The joint technical alert was published on the website of the DHS U.S. Computer Emergency Readiness Team, the department’s arm that helps protect federal civilian networks from cyber-attacks, responds to cyber incidents, and shares actionable information with the federal, state, local, tribal and territorial governments, the private sector, owners and operators of critical infrastructure, and international partners.
The alert cites a Sept. 2017 report by the software security firm Symantec [SYMC] on the Dragonfly cyber espionage group that has targeted the energy sector in Europe and North America, beginning in December 2015 and picking up in 2017 with a second iteration of their malware. For the government’s analysis of the Russian cyber intrusions, the alert says the DHS used a cyber kill chain model developed by Lockheed Martin [LMT].
The alert also says the hacking tactics included spearphishing emails, watering-hole domains, credential gathering, open-source and network reconnaissance, host-based exploitation, and the targeting of industrial control systems.
One official outlined two important aspects to the alert. The first is “that the cyber actors are using a multi-stage attack campaign with staging and intended targets involved and the campaign is long-term and ongoing. Second, after obtaining access, these actors conducted network reconnaissance, moved laterally and collected information pertaining to industrial control systems, the systems that run our factories and our grid.”
Another official said the government’s response to the hacking of the energy sector has been strong.
“The FBI has worked with DHS to respond in a robust and coordinated way to these threats,” the official said. “The efforts to respond to the threat represent one of the largest government cyber responses to this cyber threat that we’ve seen to date.”
The Trump administration has been developing a strategy for deterring cyber-attacks but the White House has yet to publish a specific deterrence doctrine. Tom Bossert, the assistant to the president for Homeland Security and Counterterrorism, in 2017 said that deterrence will likely focus on traditional means rather than the use of offensive cyber capabilities.
Traditional means would include sanctions. The new sanctions block property and related interests that are “subject to U.S. jurisdiction” and prohibit U.S. persons from engaging with the affected entities and individuals.
The entities being sanctioned include the Russia-based Internet Research Agency LLC, which interfered with the U.S. presidential election in 2016, Russia’s Federal Security Service intelligence organization, and the country’s Main Intelligence Directorate, which is a military intelligence organization. The two intelligence organizations and some individuals have previously been sanctioned.
Rep. James Langevin (D-R.I.), who maintains a strong focus on cyber security issues in Congress, said in a statement that the new sanctions will be ineffective.
“Relisting Russian intelligence agencies already sanctioned under different authority will not deter them,” Langevin said.
Rep. Ed Royce (R-Calif.), chairman of the House Foreign Affairs Committee, released a statement lauding the new sanctions, but said “more must be done.” He said the committee will continue to push to “counter Russian aggression.”