The Department of Homeland Security has issued an intelligence assessment regarding the likely impact of cyber attacks against the energy sector. The report notes:
“APT actors were responsible for at least 17 intrusions against the US energy sector in FY 2014, according to ICS-CERT incident report data—the last full year for which this data was available. Included in these intrusions are incidents of data theft from enterprise networks and accessing and maintaining presence on ICS. APT actors did not cause any damage or disruption in any of the 17 reported incidents, according to the same ICS-CERT incident report”
Of particular concern are Russian state-sponsored attacks against Industrial Control Systems (ICS) using the Havex malware. These attacks date back to 2011, and the malware's main function is to gather system information, though it can also run specialized plug-ins for additional capabilities. According to the assessment, APT actors were responsible for two confirmed intrusions against U.S. petroleum companies in 2014 and successfully exfiltrated data in at least one case.
Outside of the APT attacks, 63% of the other intrusions involved unattributed, low-level activity against enterprise networks. In one enterprise attack against a North Carolina fuel distribution company, attackers compromised payroll login credentials and stole $800k before the attack was identified.
One group of unknown attackers used the Bang malware to infect at least four U.S. electricity organizations, and the Cryptolocker ransomware was successfully used in attacks against three U.S. energy companies.
Despite the identified APT attacks, the Department of Homeland Security assesses that the risk of a damaging or disruptive attack against the U.S. energy sector is low.
“We assess the threat of a damaging or disruptive cyber attack against the US energy sector is low. We judge advanced persistent threat (APT) nation-state cyber actors are targeting US energy sector enterprise networks primarily to conduct cyber espionage. The APT activity directed against sector industrial control system (ICS) networks probably is focused on acquiring and maintaining persistent access to facilitate the introduction of malware, and likely is part of nation-state contingency planning that would only be implemented to conduct a damaging or disruptive attack in the event of hostilities with the United States.”