By Grant Geyer | March 25, 2022 

Since Russia’s invasion of Ukraine began in late February, the threat of cyberattacks being conducted in parallel has loomed. While that front has yet to open, the U.S. Department of Justice and CISA this week became more vocal about sharing intelligence on Russian adversaries and warned of increased reconnaissance of U.S.-based critical infrastructure.

Yesterday, the drumbeat grew louder when DoJ unsealed indictments that revealed the names of four Russian government employees charged with attacks against global energy providers. Two of the individuals are accused of having developed the Triton malware, used in attacks in 2017, while the others are said to be members of an elite FSB hacking unit commonly known as Dragonfly or Energetic Bear, which developed the Havex backdoor. 

Triton is infamous for its targeting of industrial control systems (ICS)—one of a few malware strains purpose-built to disrupt automation processes and cause physical damage. Triton was used against unnamed foreign refineries and exploited Schneider Electric’s Triconex safety PLCs, a type of safety instrumented system (SIS). Operators would see normal behavior on their screens, while in the background Triton attempted to damage refinery operations. Only a safety failover at one compromised site, which triggered an emergency shutdown of the refinery, saved it from damage.

Havex, meanwhile, was used in attacks against the ICS supply chain. Providers’ customers who downloaded legitimate software updates were also installing Havex, giving the threat actors backdoor access to control systems. In later attacks, the threat actors used the watering hole technique, infecting websites frequented by ICS operators who would then be compromised by hidden scripts installing Havex. 

Raising Urgency for Asset Owners and Operators

While the U.S. government’s decision yesterday to name names may seem like old news, the benefit to industry lies more in raising urgency around Russian activities online than in bringing these individuals to justice. CISA and the FBI are urging critical infrastructure owners and operators to take these warnings seriously and understand that retaliation for heavy economic sanctions imposed by the U.S. on Russia may come in the form of cyberattacks.

In a companion advisory yesterday, CISA, the FBI, and the Department of Energy published an extensive list of tactics, techniques, and procedures (TTPs) associated with the aforementioned Russian state actors linked to Triton and Havex. The advisory also includes a lengthy list of recommended mitigations for both the enterprise and industrial control system environments. 

The enterprise controls are largely considered best practices and revolve around securing privileged access, credential management, and deploying multi-factor authentication. On the network, companies are urged to ensure patch levels are current and configurations secure. Networks should be segmented logically and physically to keep critical assets isolated. Network traffic should be filtered and monitored, and unnecessary remote access should be limited.

Within the ICS environment, some of the recommendations are longer-term undertakings. For example, replacing end-of-life software and hardware, while important, is expensive and challenging in the face of an immediate threat. Encrypting OT protocols also brings its own issues, especially for devices that aren’t robust enough to support encryption.

Network segmentation is also a top recommendation for the ICS environment, in particular for those crossover points between the IT and OT networks where a threat actor is likely to move laterally to disrupt automation processes. The alert also recommends tightening firewall and detection rules, which is likely to increase the volume of alerts related to traffic from industrial devices. 
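As an added illustration (not code from the original post or from the CISA advisory), the following check flags IT-to-OT crossover flows that reach common ICS protocol ports from sources outside an allowlist; the zone subnets, port table, allowlists and flow records are all constructed assumptions. Comparing a loose allowlist with a tightened one also shows the alert-volume effect the paragraph describes.

```python
from ipaddress import ip_address, ip_network

# Constructed zone definitions (assumptions for illustration only).
IT_ZONE = ip_network("10.10.0.0/16")        # enterprise network
OT_ZONE = ip_network("192.168.100.0/24")    # control-system network

# Destination ports of ICS protocols worth watching at the boundary (assumed set).
ICS_PORTS = {502: "modbus/tcp", 102: "s7comm", 20000: "dnp3",
             44818: "ethernet/ip", 1502: "tristation"}

# Constructed flow records: (src_ip, dst_ip, proto, dst_port)
FLOWS = [
    ("10.10.5.20",     "192.168.100.10", "tcp", 502),   # IT host -> PLC (Modbus)
    ("10.10.50.5",     "192.168.100.10", "tcp", 502),   # engineering workstation -> PLC
    ("10.10.50.5",     "192.168.100.30", "udp", 1502),  # engineering workstation -> SIS
    ("10.10.7.99",     "192.168.100.30", "udp", 1502),  # unexpected IT host -> SIS
    ("10.10.5.20",     "10.10.9.1",      "tcp", 445),   # IT-internal, not crossover
    ("192.168.100.10", "192.168.100.11", "tcp", 502),   # OT-internal, not crossover
    ("10.10.5.20",     "192.168.100.10", "tcp", 443),   # crossover, but not an ICS port
    ("10.10.50.77",    "192.168.100.10", "tcp", 502),   # other host in engineering /24
]

def crossover_alerts(flows, allowed_sources):
    """Return one alert per IT->OT flow to an ICS port whose source is not
    covered by any network in allowed_sources (a set of ip_network)."""
    alerts = []
    for src, dst, proto, dport in flows:
        s, d = ip_address(src), ip_address(dst)
        if not (s in IT_ZONE and d in OT_ZONE and dport in ICS_PORTS):
            continue                      # only IT->OT ICS traffic is in scope
        if any(s in net for net in allowed_sources):
            continue                      # permitted crossover, e.g. engineering access
        alerts.append({"src": src, "dst": dst, "proto": proto,
                       "dport": dport, "protocol": ICS_PORTS[dport]})
    return alerts

# Loose rule: the whole engineering /24 may reach OT. Tightened rule: one workstation.
LOOSE_ALLOWLIST = {ip_network("10.10.50.0/24")}
TIGHT_ALLOWLIST = {ip_network("10.10.50.5/32")}

if __name__ == "__main__":
    for name, allowlist in (("loose", LOOSE_ALLOWLIST), ("tight", TIGHT_ALLOWLIST)):
        hits = crossover_alerts(FLOWS, allowlist)
        print(f"{name} allowlist: {len(hits)} alert(s)")
        for a in hits:
            print(f"  {a['src']} -> {a['dst']}:{a['dport']} ({a['protocol']})")
```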

See Something, Say Something

Companies in the energy sector are being asked to be especially vigilant. Earlier this week, CISA and the FBI warned the sector about increased vulnerability scanning originating from Russia and said that five U.S. energy companies had been singled out by threat actors.

CISA Director Jen Easterly asked providers to have a low threshold for information sharing, and to report even mundane scanning to CISA or the FBI. The agencies are connecting the dots on any intelligence they receive, and all of it can create a clearer picture of targets and campaigns, Easterly said. 

In addition to the TTPs made available yesterday, the government has posted numerous resources on CISA’s Shields Up website, including a catalog of free tools that could be of particular use to smaller, lesser-resourced critical infrastructure providers, as well as CISA’s Known Exploited Vulnerabilities Catalog, which is useful for patch prioritization and vulnerability management. 

What’s clear is that the unsealed indictments indicate the Russians have been relentlessly active in conducting operations against the energy sector worldwide, even during relatively peaceful periods. With the war in Ukraine and economic sanctions taking effect against Russian interests, the government’s alarm bells about cyber-related retaliation are not hyperbolic.