On December 30, 2016, the Washington Post broke the story: “Russian hackers penetrated U.S. electricity grid through a utility in Vermont, U.S. officials say”. There are numerous questions and concerns that arise from this incident. I will focus on the technical issues and leave political discussions to others.
I want to make clear the Russians did download malware onto the US electric grids starting at least in the 2014 time frame and even DHS acknowledged this in their June 2015 DHS ICS CERT Monitor: “Some asset owners may have missed the memo about disconnecting control system from the Internet. Our recent experience in responding to organizations compromised during the BlackEnergy malware campaign continues to bring to light this major cyber security issue—Internet connected industrial control systems get compromised. All infected victims of the BlackEnergy campaign had their control system directly facing the Internet without properly implemented security measures. The BlackEnergy campaign took advantage of Internet connected ICS by exploiting previously unknown vulnerabilities in those devices in order to download malware directly into the control environment. Once inside the network, the threat actors added remote access tools, along with other capabilities to steal credentials and collect data about the network. With this level of access, the threat actor would have the capability to manipulate the control system.” This should look familiar as this was the approach used by the Russians in the 2015 Ukrainian cyber attack.
Additionally, in 2015, NATO discussed Russian cyber threats against control systems in “Beyond ‘Cyber War’: Russia’s Use of Strategic Cyber Espionage and Information Operations in Ukraine” by Jen Weedon. According to Jen, “Is Russia preparing for future cyber attacks on Western critical infrastructure? This is difficult to prove, but the Sandworm group has reportedly targeted supervisory control and data acquisition (SCADA) equipment, which is used in industrial and critical infrastructure settings, with the BlackEnergy toolkit. The victims were production systems, not vendor-owned prototypes or systems that contained financial information, intellectual property, or political intelligence. Given the targets seemed to be production systems, there would likely be no benefit from an espionage perspective to infect these systems. Rather, the actors using the malware may have been looking for weaknesses to exploit in a future disruptive scenario. In addition, the use of a crimeware toolkit offers a degree of anonymity or plausible deniability for actors with more destructive purposes.”
Specific to the Washington Post story:
(1) There appears to be no validation of the specific malware on the infected laptop from Burlington Electric Department nor when it was infected. The infection could be the Russian-modified HMI downloaded in early 2014, Havex, BlackEnergy2, BlackEnergy3, or the Grizzly Steppe APT.
(2) The list of APTs that are related to Grizzly Steppe has not been substantiated.
(3) Was the infected laptop used, or could it have been used, for technician's work (e.g., calibration or setpoint changes of substation or power plant equipment), or was it only used by the IT department for localized, administrative work? According to the Burlington Electric Department, the infected laptop was not used for electric operations.
(4) DHS has not only refused to acknowledge, but has refuted, many critical infrastructure cyber-related incidents including the Curran-Gardner 'event' (November 2011 Illinois water hack originating from Russia) and took a significant amount of time to acknowledge the Iranian hack of the Rye, New York dam. This raises trust and validation issues not only with the federal government, but also with the accuracy of the articles reported by news media and their sources.
(5) For the list of APTs identified within the DHS Joint Analysis Report (JAR), there were no statements indicating how the malware (i.e., Havex, BlackEnergy 2, or BlackEnergy 3) from one incident could be related to another. There is not much detail in the JAR but the identification of APT 28/29 malware shows the linkages between the 2014, 2015 and 2016 US and Ukrainian grid attacks and the Russian government. Jen also discusses APT 28/29 in her 2015 NATO report mentioned above.
(6) Malware code often is shared and distributed on dark networks. However, how was this connection established? Were the conclusions based on network signatures observed, and if so, who observed them? Was there code analysis for any portion from the Grizzly Steppe APT?
If the malware on the infected laptop is BlackEnergy 2 or BlackEnergy 3 rather than the Grizzly Steppe APT, there are very significant problems. That is because the malware infections can be far more widespread throughout the US electric grid and far more long-lived. This means that detailed reconnaissance has been ongoing on US electric grids for a significant period of time.
Joe Weiss