Cyber ‘Intrusion Campaigns’ Increasingly Target Utilities

Cyberattacks increasingly target and succeed inside energy and utility companies’ IT networks, rather than their critical infrastructure, according to a new report from cybersecurity firm Vectra.

In the past, the energy and utility industry’s cyber efforts have focused on preventing disruption of power availability via industrial control networks.

But the Department of Homeland Security issued a technical alert in March warning the industry of a “multi-stage intrusion campaign” originating in Russia targeting IT networks in the U.S. energy sector.

“I don’t think [utilities] have watched enough for this,” Chris Morales, head of security analytics at Vectra, told Route Fifty. “They need to monitor actual IT networks a lot closer.”

While no major U.S. city has seen its energy grid taken down with malware, Russia successfully committed the first such attack on Ukraine in 2015.

That event coupled with the reports from DHS and the private sector indicating critical infrastructure is a target has seen utilities increase their cyber investments, said Branndon Kelly, chief information officer for American Municipal Power, Inc. The nonprofit utility serves cities across nine states that own their electric system and includes Vectra’s Cognito threat-detection platform in its security posture.

Vectra identified seven behaviors that comprise a complete attack, using Cognito to monitor the network traffic and collect metadata from more than 250 energy and utility companies between January and June.

Hackers begin by staging malware and spear-phishing to steal administrative credentials needed to access critical servers.

“Employees are absolutely the first line of defense,” Kelly said. “We can spend a lot of money, and the simplest thing can make that investment worthless.”

Emails are sent to staff until someone gives up enough information for the hacker to create a login.

Then begins the command-and-control stage, where attackers use remote access services like Fortinet VPN, remote desktop protocol or Outlook Web Access to install tools on existing systems to carry out operations. During this stage of attack, 194 malicious external remote access behaviors were detected per 10,000 host devices and workloads, according to Vectra’s report.

Once inside, hackers build a list of host users to map the environment. They conduct reconnaissance looking for remote desktops they can log in to.

Next comes the lateral movement stage of the attack, where attackers use the credentials they’ve obtained to access servers and workstations containing critical data. A total of 314 lateral movement attack behaviors were detected per 10,000 host devices and workloads, during this stage.

The final stage is exfiltration, where file servers—often Windows file servers—with information on industrial control systems like architectural blueprints are collected and sent off to the nation-state or other bad actor committing the attack. Cognito detected 293 data smuggler behaviors per 10,000 host devices and workloads, during this stage.

“Every one of these is an indicator of an attack if you’re watching for it,” Morales said. “All combined is a strong indicator of an attack if you’re watching for it.”

But tight budgets limit what utilities can spend on cyber defense.

Morales recommends utilities rethink policies like the actions they permit over remote VPN access—tightening controls to safeguard against attacks.

Utilities should also invest in machine-learning software that can see every device on the network in real time and run network behavior analytics to monitor for suspicious behavior, Morales added.

AMP added Vectra to look for suspicious behavior during the lateral movement stage of an intrusion campaign.

“Primarily, we got it to monitor east-west traffic—things that are moving within the network like an internal threat,” Kelly said. “Maybe someone has gotten past the perimeter network, laid dormant, and is now moving across networks.”