The Department of Homeland Security warned on June 25, 2018 that the Russian government likely has the ability to engage in disruptive and destructive attacks against U.S. critical infrastructure, including the electric power grid. The report, entitled “Russia Likely Capable of Disruptive or Destructive Cyber Attacks Against US Critical Infrastructure Networks,” draws parallels between the attacks in Ukraine and the potential targeting of U.S. infrastructure. The report states that:
“Russian Government cyber actors likely have the capability to conduct disruptive or destructive attacks against US critical infrastructure networks. We base our assessment on the ability of Russian Government cyber actors to access critical infrastructure networks, conduct network reconnaissance, extract data pertaining to industrial control systems (ICS), and exploit routers to conduct man-in-the-middle attacks. We further base this assessment on Moscow’s ability to conduct a range of disruptive and destructive cyber attacks, as likely demonstrated against Ukraine’s critical infrastructure. Our judgment is also supported by the assumption that the actors are capable of bypassing the security controls of US ICS networks in a similar manner to that in which they compromised critical infrastructure overseas.
Russian Government cyber actors in March 2016 obtained access to US critical infrastructure networks through a multi-stage intrusion campaign, compromising the infrastructure of peripheral organizations, such as trusted third-party suppliers, to reach intended targets, according to a March 2018 NCCIC joint technical alert that resulted from analytic efforts between DHS and FBI subject-matter experts. Once on the network, the Russian Government cyber actors conducted network reconnaissance, moved laterally through the network, and collected information pertaining to ICS, according to the same joint alert. On at least one occasion, the actors gained access to a human machine interface (HMI) via the corporate network; however, there is no indication they attempted to control the process, although they had access to do so, according to correspondence with DHS’s Hunt and Incident Response Team (HIRT) with direct knowledge of the event.
The US Government assessed cyber actors supported by the Russian Government since 2015 have exploited routers worldwide that the FBI has assessed with high confidence are being used to conduct man-in-the-middle attacks to support espionage, extract intellectual property, maintain persistent access to victim networks, and potentially lay the foundation for future offensive operations, according to an April 2018 NCCIC joint technical alert that is the result of analytic efforts between subject-matter experts from DHS, FBI, and the United Kingdom’s National Cyber Security Centre (NCSC). The compromise of a router between ICS sensors and controllers in a critical infrastructure sector could lead to the loss of service or physical destruction, according to the same joint technical alert.
Russian Government cyber actors in June 2017 used NotPetya ransomware to conduct a disruptive cyber attack predominantly against Ukraine’s financial sector, according to a White House press statement providing direct attribution of the attack and a cybersecurity firm with expertise in cyber threat analysis. NotPetya affected US state and local government agencies and global entities in the financial services, transportation, energy, and utilities industries, according to a separate report from the same cybersecurity firm. The same cybersecurity firm, which tracks the activity of Russian-affiliated cyber actors, assessed with low confidence that Russia in December 2015 launched the disruptive cyber attack against the Ukrainian electric grid. The attack compromised ICS that resulted in a power outage affecting 225,000 customers before power was restored, according to joint technical analysis from a cybersecurity firm with expertise in cybersecurity research and an information sharing and analysis center with in-depth knowledge of cyber threats to the electric industry and an NCCIC alert derived from technical subject-matter experts corroborating the compromise of ICS environments on the Ukrainian electric grid. Suspected Russian cyber actors in December 2016 directed an attack against Ukrainian electric infrastructure, disrupting power by maliciously operating circuit breakers, deleting ICS-specific configuration files, and wiping HMIs, according to separate joint technical analysis from the same cybersecurity research firm and information sharing and analysis center. The malware used in this attack was modular and could be modified to also be effective against the North American grid, according to a separate private cybersecurity firm with expertise in cyber threat analysis and an NCCIC alert derived from technical subject-matter experts corroborating the potential use of the malware against critical infrastructure.”