Skilled Hackers Gaining Access to U.S. Energy Systems
Cyberattacks targeting computer control operators at U.S. energy facilities have risen sharply over the past two years, as a sophisticated hacking group attempted to gain a foothold in networks that run the nation's critical infrastructure, a recent cybersecurity analysis shows.
A highly skilled and likely well-funded group of hackers has launched an ongoing campaign of online attacks against U.S. energy, nuclear, water, aviation and manufacturing operations since at least March 2016, primarily using spear-phishing emails and watering-hole attacks against administrators and engineers with access to industrial control systems, according to an analysis by iDefense, the cyber-threat intelligence division of Accenture Securities.
The nature of the attacks implies the group, which iDefense calls "Black Ghost Knifefish," has tried to figure out how to manipulate vital control systems and test the response of federal authorities if they were to launch an attack aimed at disrupting operations or damaging facilities, said Jim Guinn, global lead of Accenture's natural resources cybersecurity practice.
"They're gaining access to our systems," Guinn said. "They're able to test our response."
For the U.S. energy industry, vital assets include refineries, power plants, petrochemical facilities, pipelines and drilling rigs.
In private reports prepared for cybersecurity clients and shared with the Houston Chronicle, iDefense, which has tracked the sophisticated hacking group for about two years, said the online assaults against U.S. companies were almost certainly successful because operators lacked proper network segmentation and basic firewall implementation, among other common lapses.
The firm said the hacking group has gained access to U.S. systems with increasing frequency and is "very likely to continue" prying into operational networks. The hacking campaign, it said, is likely an attempt to establish a "backdoor" into industrial controls "with the intended goal of having the capability to disrupt, degrade or destroy the production of those" critical infrastructure and key resources assets, "at will."
iDefense hasn't said who it believes may be behind the attacks. But U.S. federal agencies last month said hackers backed by the Russian government have targeted U.S. energy and other industries in a new wave of attacks since March 2016. That report marked the first time U.S. agencies blamed the Kremlin for the attacks.
Last year, cybersecurity experts learned of two new families of malware targeting industrial control systems, in addition to the three others discovered in prior years. They identified two major attacks aimed at disrupting industrial operations and five separate threat actor groups -- findings that imply hacker groups targeting industrial controls are far more numerous than previously believed, cybersecurity firm Dragos said in a recent report.
"The number of adversaries targeting control systems and their investment in ICS-specific capabilities is only growing," Dragos said. "There are now five current active groups targeting ICS systems -- far more than our current biases with respect to the skill, dedication and resources required for ICS operations would have us believe possible."
Last year, Dragos estimated computer controls at industrial facilities, including in the oil business, get infected by non-targeted malware at least 3,000 times a year. It arrived at what it believes is a conservative estimate after studying 30,000 samples of infected control system files submitted over the past decade and a half to a publicly available database owned by Google.
"While any of these infections could cause issues in operational environments, none represented the type of disruption that would come from the latest generation of ransomware worms," the firm said.
© 2018 Houston Chronicle under contract with NewsEdge/Acquire Media. All rights reserved.