Most cyber attacks on energy and utilities firms take place within enterprise IT networks rather than industrial control systems, new research has revealed.
In a new report, researchers at security vendor Vectra outline how hackers infiltrate systems and then move laterally across networks over a period of several months to gather intelligence and plan their attack.
Attackers tend to use malware and spear-phishing to steal admin credentials, before performing reconnaissance exercises and spreading across networks in search of sensitive data about industrial control systems, the research revealed.
“The covert abuse of administrative credentials provides attackers with unconstrained access to critical infrastructure systems and data,” said David Monahan, managing research director of security and risk management at Enterprise Management Associates. “This is one of the most crucial risk areas in the cyberattack lifecycle.”
During the “command-and-control phase”, 194 malicious external remote access behaviours were identified per 10,000 host devices and workloads. In the exfiltration phase, 293 data smuggler behaviours were detected per 10,000 host devices and workloads.
“When attackers move laterally inside a network, it exposes a larger attack surface that increases the risk of data acquisition and exfiltration,” said Brandon Kelley, CIO of American Municipal Power, a nonprofit electric-power generator utility. “It’s imperative to monitor all network traffic to detect these and other attacker behaviors early and consistently.”
In April, GCHQ confirmed that Russian state actors had been targeting engineering and industrial control systems since March 2017.
Speaking at a conference in Manchester shortly after the announcement, the former director of GCHQ, Robert Hannigan, warned that Russia’s intent had “clearly changed” in recent months.
Referring to the poisoning of Sergei and Yulia Skripal in Salisbury in March, Hannigan said that a country which is “prepared to use chemical weapons on the streets of a UK town may want to do reckless things in cyberspace”.