The kill chain, the phishing attack and the broken trust graph
The Wall Street Journal published an explosive story about how state-sponsored Russian hackers used a variety of techniques and a spider web of compromised accounts to ultimately gain access to the control infrastructure that monitors and controls the flow of electricity in the US power grid.
While the attack was complex and well planned, the core strategy was simple: exploit the trust graph.
Instead of attacking the high-value target directly, you first get inside lower value, less protected partners — and then use simple tactics like phishing, using existing trusted relationships to compromise your final target.
In short, every business relationship is a potential vulnerability.
The story is as chilling as it is fascinating. It reads like a heist novel where multiple threads intersect into a cohesive attack conceived and executed by a skilled perpetrator. By the latest reckoning (and the dust is nowhere near settled), 60 utilities were targeted, about two dozen were breached, and the attackers reached industrial control systems in at least eight of those cases.
The attack unfolds over the course of several months and exposes how most organizations remain vulnerable to the most basic of hacks and sounds a loud warning about the criticality of at least covering the most obvious areas of cybersecurity — things like using multi-factor authentication, raising awareness of security issues through your employee base, and yes, taking a strong and proactive stance towards the scourge of phishing attacks.
It’s 2019, we have self-driving cars and cotton sprouting on the Moon — we should be able to trust email, the most foundational part of organizational communication.
Anatomy of the Hack: What Happened?
The attack appears to have been designed with the end-goal clearly in mind — gain access to the infrastructure that monitors and manages the power grid. Ultimately, the Russian hackers were able to gain access to jump boxes or jump servers, which are meant to isolate the actual electrical control infrastructure from the corporate networks of the electric utilities whose technicians need to access it. But the attack began about as far away from the utilities as you can imagine.
The story begins at a professional development website called Control Engineering, dedicated to helping people who work in that very specific technical niche access educational content, learn about employment opportunities, and stay up-to-date in their industry. Sometime before March 2017, the attackers were able to hack that website so that they could harvest credentials (passwords) from the people accessing that website.
Sometime later an employee from All-Ways Excavating accessed that site and the hackers were able to gain control of his email account. The details of how this happened aren’t revealed in the article but one of the banes of our industry is that users frequently use the same passwords across many or most, if not all, of the websites that they access.
In March the hackers used that compromised email to email All-Ways’ customers, herding them to another website, imageliners.com, designed to capture their passwords. One of the customer firms that fell victim to this phishing attack was based in Corvallis, Oregon and became a launchpad for the next phase of the attack. Two weeks later, a similar wave of emails from All-Ways was sent to Dan Kauffman Excavating. We’ll come back to Kauffman in a moment.
In June, the hackers went to town on the Corvallis company’s site, opening a hole in their firewall and granting themselves administrative privileges. They used that access to reconnoiter targets much closer to their desired prize, probing networks at utilities such as ReEnergy and Atlantic Power.
More critically, the attackers used this access to compromise another firm, DeVange Construction. They used this access to create a fake email account and used that persona to engage utilities under the guise of sending a resume to seek employment opportunities. The attachments contained malware that would send login credentials for the utilities back to the hackers. Specific utilities that were targeted in this wave included Dairyland Power and New York State Electric & Gas.
Back to Kauffman — By October, the attackers had compromised at least one email account there, and used it to email 2,300 contacts with a malware link designed to compromise passwords. They targeted utilities including PacifiCorp, Bonneville Power, and the Army Corps of Engineers.
From there, it was on to the jump boxes and access to the power grid.
In summary, the hackers started with a basic attack on an esoteric website and used that foothold to work their way to accessing our most critical infrastructure. They targeted low-sensitivity firms that had no reason to adopt DoD-grade security and exploited that soft underbelly to work their way to our critical infrastructure.
Phishing Played a Pivotal Role
This was a highly orchestrated, multi-faceted, multi-tiered attack. Different companies were victimized in different ways. But the overarching pattern shows that email was the recurring attack vector.
- All-Ways had a compromised email account blast out phishing emails to their customers
- A second wave of emails from All-Ways compromised Kauffmann Excavating
- Kauffmann themselves fell victim to a phishing attack from All-Ways
- The DeVange address was used to directly phish utilities
- Finally, the Kauffman address was also used to phish their utility customers
What Can You Do
Here are several ways this attack could have been mitigated. There are too many cracks in the armor for any one-size fits all solution. To begin, everyone should not only implement a two or multi factor authentication 2FA/MFA solution but choose one that actually does the job well. Uniken is one of my favorites along with Cisco’s Duo Security espeically when used with a hardware key like Yubikey.
- Zero Trust Communications: You can no longer trust all communications — emails, invoices, files — coming from your business partners. You must take on a zero trust posture with each communication, and test it against historically accurate master data. This is why Clearedin is building the Trust Graph.
- Don’t become a PhishBot — All-Ways and DeVange got compromised and allowed themselves to send phishing emails. Business Email Compromise is as much an outbound problem as an inbound one. Use a solution like Clearedin that flags when your account has been botted.
- Stranger Danger — Find a phishing solution that will catch phish from accounts that have been “botted”. Are they filtering out the white noise while still seeing that, for example, the geo-path for a particular email from a trusted sender doesn’t smell right.
- Raise Awareness, the right way — Had everyone at All-Ways and DeVange and all the other infected firms been properly educated about phishing attacks, this all may have been preventable. But education only works in the teachable moment. Find a provider that can actually educate your users without making it seem like training.
At Clearedin, we have taken on the mission of building the business communications trust graph so you can take on the zero trust posture and stop most kinds of phishing attacks.
Just the Beginning: More Attacks Possible
This story demonstrates that even the most innocuous of vulnerabilities and breaches can serve as a stepping stone to a devastating attack. It’s worth noting that CFE Media, which owns the Control Engineering website, also owns similar professional development sites called Oil & Gas Engineering and Plant Engineering, at least raising the possibility of similar highly orchestrated attacks against those critical industries as well.
The WSJ article closes with this ominous line:
Industry experts say Russian hackers likely remain inside some systems, undetected and awaiting further orders.
It’s high time to start covering your bases. Turn on MFA, scan your systems and endpoints for malware on an ongoing basis, and take a strong stance to protect yourself against phishing attacks.