The Department of Homeland Security and the Federal Bureau of Investigation recently issued a joint statement concerning the increased danger posed to infrastructure sectors by a malicious "multi-stage intrusion campaign." According to the report, the targets that this campaign is homing in on include "government entities and organizations in the energy, nuclear, water, aviation, and critical manufacturing sectors."
As alluded to in the report, these intrusion campaigns tend to follow a specific pattern.
Hackers look for weak points within the broader infrastructure of a given industry, typically a small office or branch, or even a third-party contractor with temporary access to official systems. Once the hackers are in, they can move laterally into other, more sensitive areas which, if disrupted, can have serious effects on vital utilities.
DHS stated that, based on analysis of malware already identified on government computers, it is confident that this campaign is still ongoing, using classic methods such as spear-phishing and watering-hole domains to gain illicit access.
The delivery of this report raises a couple of important points:
First, these industries are being targeted not just because of their high value, but also because of their vulnerability. Ironically, vital industry has been shown over the past several months to be highly susceptible to cyber attack. The WannaCry attacks in May, for instance, demonstrated how National Health Service (NHS) hospitals in the UK were easy targets for hackers. In the United States, the Industrial Control System modules of the HAVEX trojan, discovered three years ago, were a major catalyst for the national discussion on critical infrastructure vulnerability.
There are many factors that have led to this phenomenon. The most likely are cost and the organizational challenges inherent in any large governmental organization. Using WannaCry as an example, a group like the NHS that runs on a system designed to minimize costs is likely to have cybersecurity at the bottom of its list of budgetary priorities. Implementing best practices and training workers to interact with cybersecurity programs while maintaining efficiency in the workplace is often a daunting challenge for government agencies, organizations often so large and complex that they are already on the verge of collapsing under their own bureaucratic weight.
One can only hope that with this series of attacks on public utilities and services, and the investigations they spur, IT security will become a major priority for critical infrastructure.
The second point for consideration is who exactly is behind this "campaign" that federal agencies claim to have detected. The possible identity of the culprits is not discussed in the recently released report, so one can only turn to the list of usual suspects.
What is interesting to note is that the FBI and DHS delivered this report shortly after threat indicators of cyber attacks from Iran began to emerge. Iran has shown itself capable of sophisticated cyber attacks in the past, and has demonstrated this again recently in a highly publicized attack against UK Parliament members.
Iran also has a history of hitting American targets, including critical infrastructure, as in the case of the Rye Dam hack in 2013. Could this report be the first solid sign of the Iranian cyber threat re-emerging?
Speculation aside, there will almost certainly be follow-ups from the intelligence community regarding the discovery and subsequent development of this threat. Hopefully, this will give us a better idea of who is behind the hacking campaign, and what can be done to address it.