The Department of Homeland Security and FBI issued rare public alert warning owners of U.S. critical infrastructure to battle an ongoing campaign of cyber attacks against their information and control networks.
Energy and industrial firms were notified Friday and again Saturday that sophisticated hackers are attempting to penetrate industrial control systems used by the electrical and nuclear power industry, as well as water, aviation, and manufacturing sectors.
"DHS assesses this activity as a multi-stage intrusion campaign by threat actors targeting low security and small networks to gain access and move laterally to networks of major, high value asset owners within the energy sector," the notice said.
An analysis of malware used in the campaign and indicators of compromised networks reveals that "this campaign is still ongoing, and threat actors are actively pursuing their ultimate objectives over a long-term campaign," the alert said.
The hackers behind the cyber attacks were not identified by DHS or the FBI.
An FBI spokeswoman declined to comment.
DHS spokesman Scott McConnell said the joint alert "provides recommendations to prevent and mitigate malicious cyber activity targeting multiple sectors" while emphasizing the DHS commitment to remain vigilant against new threats.
"The Department of Homeland Security works with the public and private sectors to ensure the security and resilience of the nation's infrastructure from both physical and cyber risks," he said.
Private security specialists, however, said the cyber campaign against American infrastructure bore the hallmarks of Russian cyber-intrusion activities.
The detailed technical analysis of the cyber campaign highlights the growing danger of foreign states' efforts to map networks that control critical infrastructures in preparation for future operations that could shut down the electric grid and other infrastructures.
Adm. Mike Rogers, Cyber Command commander and director of the National Security Agency, told Congress in May he is concerned about foreign nations using attacks against critical infrastructures that run the electric grid, financial systems, communications networks, the transportation systems, and others.
"We assess that several countries, including Iran, have conducted disruptions or remote intrusions into critical infrastructure systems in the United States," Rogers said.
Rogers said that infiltrations can appear as preparation for future attacks intended to harm Americans.
Worst-case scenarios in a future cyber war include destruction of critical infrastructure that would be difficult to repair and cause mass casualties.
"The pace of international conflict and cyberspace threats has intensified over the past few years," Rogers told the Senate Armed Services Committee. "We face a growing variety of advanced threats from actors who are operating with ever more sophistication and precision."
A Pentagon report by the Defense Science Board warned that American infrastructure such as the electrical grid will remain vulnerable to cyber attacks from Russia and China for at least 10 years.
"A large-scale cyber attack on civilian critical infrastructure could cause chaos by disrupting the flow of electricity, money, communications, fuel, and water," the Pentagon board said. "Thus far, we have only seen the virtual tip of the cyber attack iceberg."
"Russia and China have both been part of the problem to date, and could take this threat to the next level by using cyber in sustained campaigns to undermine U.S. economic growth, financial services and systems, political institutions (e.g., elections), and social cohesion," the report noted.
In addition to Russia and China, North Korea has been engaged in targeting critical U.S. infrastructure.
"This is very aggressive activity," said Robert Lee, chief executive of cyber-security firm Dragos, told Reuters of the recent infrastructure campaign. Lee added that the report appeared to describe activities by hackers supporting Russian government interests.
The alert said the hackers have targeted both government and private sector entities since at least May, including companies involved in energy, water, aviation, nuclear, and critical manufacturing sectors.
In some cases the hackers have compromised networks used by the entities.
"Historically, cyber threat actors have targeted the energy sector with various results, ranging from cyber espionage to the ability to disrupt energy systems in the event of a hostile conflict," the notice from the DHS's U.S. Computer Emergency Readiness Team said.
"Historically, threat actors have also targeted other critical infrastructure sectors with similar campaigns."
The alert said the Symantec security firm has code-named the group behind the campaign that has targeted cyber attacks against North American and European energy companies Dragonfly 2.0.
"The Dragonfly group appears to be interested in both learning how energy facilities operate and also gaining access to operational systems themselves, to the extent that the group now potentially has the ability to sabotage or gain control of these systems should it decide to do so," Symantec said in a September report on the intrusion campaign.
According to DHS and the FBI, the hackers are using a two-pronged approach to penetrate critical infrastructure networks: staging operations and penetration of targets.
The hackers prepare for cyber attacks against bigger targets through networks that can be taken over and used as pivot points and malware repositories.
From these staging networks, cyber attacks are then carried out against intended targets.
Among the methods used are open-source reconnaissance, spear-phishing emails sent from compromised legitimate accounts, and watering-hole domains—websites that are set up to trick users into providing information used to penetrate target networks.
Other methods involve targeting of industrial control system (ICS) infrastructure.
"Email messages include references to common industrial control equipment and protocols," the alert said.
"The emails leveraged malicious Microsoft Word attachments that appear to be legitimate résumés or curricula vitae (CVs) for industrial control systems personnel, as well as invitations and policy documents that entice the user to open the attachment."
The DHS said the hackers' campaign "has affected multiple organizations in the energy, nuclear, water, aviation, construction, and critical manufacturing sectors."
Another cyber security firm, CrowdStrike, believes the attacks are the work of a Russian-affiliated group it calls Energetic Bear or Berserk Bear that have been implicated in cyber strikes on energy firms.
"We have not observed any destructive action by this actor," CrowdStrike Vice President Adam Meyers told Reuters.