New Russian hacks raise alarms in US

[Boats]

New Russian hacks raise alarms in US
BY JACQUELINE THOMSEN - 10/26/18 06:02 PM EDT
RE: https://thehill.com/policy/technolog...e-alarms-in-us

Russian hackers have recently been linked to cyberattacks targeting critical infrastructure in other countries, raising concerns about the nation’s ability to target U.S. utilities.

Security firm FireEye this week said a Russian-linked research institute likely helped develop malicious software that was used to shut down a Saudi petrochemical plant last year. And research firm ESET said earlier this month that it uncovered a new hacking group, allegedly tied to Russia, that targeted companies in Ukraine and Poland.

Officials have been warning for months of a Russian campaign on the U.S. power grid. The new reports reveal the extent of the Moscow-tied hackers’ work, and the threat they pose to critical U.S. infrastructure.

Chris Krebs, the Department of Homeland Security’s (DHS) top cyber official, told The Hill this week that the department generally doesn’t comment on reports like the one released by FireEye, but that it does work closely with the Defense Department, U.S. Cyber Command and the National Security Agency (NSA) when determining the risks posed by different actors to U.S. critical infrastructure.

“We always work to update our understanding of what the risks are to critical infrastructure and how we deal with global geopolitics,” Krebs said. “Things that could tip the balance, create a more larger profile for a certain sector, in this case, perhaps, elections.”

“And those are parts of our conversations with NSA,” he added.

The New York Times reported this week that U.S. Cyber Command had begun its first overseas cyber operations to try to protect U.S. elections from foreign interference. Those operations involved contacting operatives behind Russian influence campaigns to let them know the U.S. was aware of their identities and presence, and that they could face sanctions or be indicted if they continued with the work.

However, the cyber agency was reportedly tempered in its response out of fears that Russia could retaliate with an attack on U.S. critical infrastructure.

Jeanette Manfra, undersecretary for cybersecurity and communications at DHS’s National Protection and Programs Directorate, said this week that the department works “very closely with DOD to make those assessments and ensure that options are taken with that perspective” of possible retaliation on U.S. systems.

DHS also announced earlier this year the creation of the National Risk Management Center, designed to protect critical assets like the power grid from both cyber and physical threats.

Officials earlier this year accused Russia of launching a years-long campaign on the U.S. energy grid and other aspects of critical infrastructure, and DHS said in July that Russian hackers were able to get into the control rooms of U.S. utilities.

While the most recently released research details Russia-tied activities in other nations, it lays the groundwork for the kinds of attacks the nation could carry out in the U.S.

The FireEye report found that the Russia-based lab known as Central Scientific Research Institute of Chemistry and Mechanics helped created the malware used by a hacking group against the Saudi plant last year.

It was one of the most direct attributions to a Kremlin-linked group in an attack on another country’s critical infrastructure.

And the ESET researchers revealed earlier this month that it had identified a new cyber espionage group that had targeted companies in Eastern Europe. The group, which they named GreyEnergy, was determined to be a successor to another group called BlackEnergy, which had attacked Ukraine’s critical infrastructure.

ESET did not identify a specific nation as being behind the new hacking group; but others, including the United Kingdom and firms like FireEye, have linked the cyberattacks on Ukraine to Moscow.

Experts have long pointed to Ukraine as a kind of testing ground for Russia, where the nation can see what kind of methods work best before targeting critical infrastructure in other countries.

Stephen Cobb, a senior security researcher at ESET, said GreyEnergy has displayed “serious capabilities,” notably because the team often keeps a low profile and is often undetected during its attacks.

He said that team, along with other actors tied to Russia, are creating a “fairly worrying picture of ongoing development of malicious code to target essential facilities, critical facilities, critical infrastructure.”

Kenneth Geers, a former U.S. cyber official currently with the Atlantic Council, said that it makes sense for a country like Russia to target adversaries like Ukraine “because it’s possible” and that it can hand them leverage if conflict breaks out between the two countries.

Geers said that an actor like Russia wouldn't necessarily have to launch an attack against another country's systems to make an impact. He said that, because of the amount of signaling that can take place in cyberspace, “the threat is worse than the execution.”

“You could plant something on the White House or in Pentagon or on Wall Street networks,” he said. “And then the fear is that you’re going to do something, and then you could coerce your adversary into political action just based on the fear that you’re going to do something.”

Lawmakers raised the alarm on the Russian activities after federal officials revealed the campaign directed toward utilities in the United States.

Energy Secretary Rick Perry testified before the Senate on the cyberattacks earlier this year, saying that the department is making “every effort to protect the electrical grid from those types of attacks.”

And this week, the Department of Energy awarded a grant to threat intelligence firm Drags to spearhead the creation of a program to identify and share information about threats to smaller energy providers. The program, known as Neighborhood Keeper, will also involve utility providers and federal agencies including Ameren, First Energy, Idaho National Laboratory, the North American Electric Reliability Corporation’s Electricity Information Sharing and Analysis Center and Southern Company, and other participants are expected to be added as it develops.

“Neighborhood Keeper represents an innovative and highly beneficial approach to providing security to smaller providers, as well as value to the entirety of the community, by sharing completely anonymized insights from threats detected in [operations technology and incident command system] networks,” Robert M. Lee, the CEO of Dragos, said in a release.

“Larger providers are coming together to ensure that we take care of all of our infrastructure, especially in smaller communities,” he added.

Cobb said that a country doesn’t necessarily have to target critical infrastructure in the U.S. itself to send a message to Americans about its capabilities, but rather can conduct the attacks in countries like Ukraine where they haven’t seen many consequences for their actions.

He added that U.S. utility companies have put in a great deal of effort of improving security for their systems in the past few years, but the fact that there is continued attempts to get into the power grid means that the country hasn’t done enough to keep actors like Russia out.

“I don’t think there’s any room for complacency, and there’s plenty of room for concern,” Cobb said.