US-CERT- AA22-083A: Tactics, Techniques, and Procedures of Indicted State-Sponsored Russian Cyber Actors Targeting the Energy Sector

Started by Netwörkheäd, March 24, 2022, 06:18:41 PM


Original release date: March 24, 2022

Summary

Actions to Take Today to Protect Energy Sector Networks:

• Implement and ensure robust network segmentation between IT and ICS networks.

• Enforce MFA to authenticate to a system.

• Manage the creation of, modification of, use of—and permissions associated with—privileged accounts.



This joint Cybersecurity Advisory (CSA)—coauthored by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Energy (DOE)—provides information on multiple intrusion campaigns that state-sponsored Russian cyber actors conducted from 2011 to 2018 against U.S. and international Energy Sector organizations. CISA, the FBI, and DOE responded to these campaigns with appropriate action in and around the time that they occurred. CISA, the FBI, and DOE are sharing this information in order to highlight historical tactics, techniques, and procedures (TTPs) used by adversaries to target U.S. and international Energy Sector organizations.



On March 24, 2022, the U.S. Department of Justice unsealed indictments of three Russian Federal Security Service (FSB) officers and a Russian Federation Central Scientific Research Institute of Chemistry and Mechanics (TsNIIKhM) employee for their involvement in the following intrusion campaigns against U.S. and international oil refineries, nuclear facilities, and energy companies [1].




       
  • Global Energy Sector Intrusion Campaign, 2011 to 2018: the FSB conducted a multi-stage campaign in which they gained remote access to U.S. and international Energy Sector networks, deployed ICS-focused malware, and collected and exfiltrated enterprise and ICS-related data.
    • One of the indicted FSB officers was involved in campaign activity that involved deploying Havex malware to victim networks.
    • The other two indicted FSB officers were involved in activity targeting U.S. Energy Sector networks from 2016 through 2018.
  • Compromise of Middle East-based Energy Sector organization with TRITON Malware, 2017: Russian cyber actors with ties to the TsNIIKhM gained access to and leveraged TRITON (also known as HatMan) malware to manipulate a foreign oil refinery's ICS controllers. TRITON was designed specifically to target Schneider Electric's Triconex Tricon safety systems and is capable of disrupting them. Schneider Electric has issued a patch that mitigates the attack vector TRITON used; network defenders should install the patch and still remain vigilant against these threat actors' other TTPs.
    • The indicted TsNIIKhM cyber actor is charged with attempting to access U.S. protected computer networks and to cause damage to an energy facility.
    • The indicted TsNIIKhM cyber actor was a co-conspirator in the deployment of the TRITON malware in 2017.

       



This CSA provides the TTPs used by indicted FSB and TsNIIKhM actors in cyber operations against the global Energy Sector. Specifically, this advisory maps TTPs used in the global Energy Sector campaign and the compromise of the Middle East-based Energy Sector organization to the MITRE ATT&CK for Enterprise (https://attack.mitre.org/versions/v10/matrices/enterprise/) and ATT&CK for ICS (https://collaborate.mitre.org/attackics/index.php/Main_Page) frameworks.



CISA, the FBI, and DOE assess that state-sponsored Russian cyber operations continue to pose a threat to U.S. Energy Sector networks. CISA, the FBI, and DOE urge the Energy Sector and other critical infrastructure organizations to apply the recommendations listed in the Mitigations section of this advisory and Appendix A to reduce the risk of compromise. 



For more information on Russian state-sponsored malicious cyber activity, see CISA's Russia Cyber Threat Overview and Advisories webpage (https://www.cisa.gov/uscert/russia). For more information on the threat of Russian state-sponsored malicious cyber actors to U.S. critical infrastructure as well as additional mitigation recommendations, see joint CSA Understanding and Mitigating Russian State-Sponsored Cyber Threats to U.S. Critical Infrastructure (https://www.cisa.gov/uscert/ncas/alerts/aa22-011a) and CISA's Shields Up Technical Guidance webpage (https://www.cisa.gov/uscert/shields-technical-guidance).



Rewards for Justice Program



If you have information on state-sponsored Russian cyber operations targeting U.S. critical infrastructure, contact the Department of State's (DOS) Rewards for Justice program. You may be eligible for a reward of up to $10 million, which DOS is offering for information leading to the identification or location of any person who, while acting under the direction or control of a foreign government, participates in malicious cyber activity against U.S. critical infrastructure in violation of the Computer Fraud and Abuse Act (CFAA). Contact +1-202-702-7843 on WhatsApp, Signal, or Telegram, or send information via the Rewards for Justice secure Tor-based tips line located on the Dark Web. For more details refer to rewardsforjustice.net (https://rewardsforjustice.net/rewards/foreign-malicious-cyber-activity-against-u-s-critical-infrastructure/).



Click here for a PDF version of this report: https://us-cert.cisa.gov/sites/default/files/publications/AA22-083A_TTPs_of_Indicted_State-Sponsored_Russian_Cyber_Actors_Targeting_the_Energy_Sector.pdf


Technical Details

Note: This advisory uses the MITRE ATT&CK® for Enterprise framework, version 10, and the ATT&CK for ICS framework. See the ATT&CK for Enterprise (https://attack.mitre.org/versions/v10/matrices/enterprise/) and ATT&CK for ICS (https://collaborate.mitre.org/attackics/index.php/Main_Page) frameworks for all referenced threat actor tactics and techniques.



Global Energy Sector Intrusion Campaign, 2011 to 2018



From at least 2011 through 2018, the FSB (whose activity is tracked by industry under the names Berserk Bear, Energetic Bear, TeamSpy, Dragonfly, Havex, Crouching Yeti, and Koala) conducted an intrusion campaign against international and U.S. Energy Sector organizations. The threat actor gained remote access to compromised Energy Sector networks, deployed malware designed to collect ICS-related information, and exfiltrated enterprise and ICS data.



Beginning in 2013 and continuing through 2014, the threat actor leveraged Havex malware on Energy Sector networks. The threat actor gained access to these victim networks via spearphishing emails, redirects to compromised websites, and trojanized versions of legitimate software updates hosted on multiple ICS vendor websites. The trojanized updates installed Havex on the systems of users who downloaded them, so a victim could be infected by doing nothing more than applying a vendor update from the vendor's own site.



Havex is a remote access Trojan (RAT) that communicates with a command and control (C2) server. The C2 server deploys payloads that enumerate all discovered network resources and use the Open Platform Communications (OPC) standard to gather information about connected control system devices and resources within the network. Havex allowed the actor to install additional malware and extract data, including system information, lists of files and installed programs, e-mail address books, and virtual private network (VPN) configuration files. The Havex OPC payload can cause common OPC platforms to crash, which could cause a denial-of-service condition on applications that rely on OPC communications. Note: for additional information on Havex, see CISA ICS Advisory ICSA-14-178-01, ICS Focused Malware (https://us-cert.cisa.gov/ics/advisories/ICSA-14-178-01), and CISA ICS Alert ICS-ALERT-14-176-02A, ICS Focused Malware (Update A) (https://us-cert.cisa.gov/ics/alerts/ICS-ALERT-14-176-02A).
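The OPC enumeration described above has a network signature a defender can look for: a single workstation opening DCOM sessions (TCP/135, the RPC endpoint mapper that classic OPC DA servers are located through) to many hosts in a short burst, which is not how a legitimate HMI or historian behaves. The following is an added example, not code from the advisory or from any referenced CISA product: a small fan-out detector over constructed flow records. The record layout, the 60-second window and the threshold of five distinct targets are assumptions to tune against your own baseline.

```python
"""Added example: flag hosts that fan out to many DCOM/OPC DA endpoints,
the network pattern produced by Havex's OPC scanning module.
All flow records below are constructed; the field layout is an assumption."""
from collections import defaultdict

# Constructed sample flows: "epoch_seconds,src_ip,dst_ip,dst_port"
# 10.1.20.15 sweeps six hosts on TCP/135 within a few seconds (Havex-like);
# 10.1.30.7 touches two hosts minutes apart (normal OPC client behaviour).
SAMPLE_FLOWS = """\
1700000000,10.1.20.15,10.2.0.11,135
1700000001,10.1.20.15,10.2.0.12,135
1700000002,10.1.20.15,10.2.0.13,135
1700000003,10.1.20.15,10.2.0.14,135
1700000004,10.1.20.15,10.2.0.15,135
1700000005,10.1.20.15,10.2.0.16,135
1700000010,10.1.20.15,10.2.0.11,49152
1700000020,10.1.30.7,10.2.0.11,135
1700000300,10.1.30.7,10.2.0.12,135
1700000900,10.1.20.15,10.2.0.50,135
"""

DCOM_PORT = 135          # RPC endpoint mapper; OPC DA sessions are brokered here
WINDOW_SECONDS = 60      # assumption: enumeration shows up as a burst
FANOUT_THRESHOLD = 5     # assumption: >= 5 distinct targets in one window


def parse_flows(text):
    """Parse the constructed CSV flow lines into (ts, src, dst, dport) tuples."""
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst, dport = line.split(",")
        flows.append((int(ts), src, dst, int(dport)))
    return flows


def opc_fanout_alerts(flows, window=WINDOW_SECONDS, threshold=FANOUT_THRESHOLD):
    """Return {src: set_of_targets} for every source that contacts at least
    `threshold` distinct hosts on DCOM_PORT inside some `window`-second span.
    Only the first qualifying window per source is reported."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in sorted(flows):      # sorted => per-source lists are time-ordered
        if dport == DCOM_PORT:
            by_src[src].append((ts, dst))

    alerts = {}
    for src, events in by_src.items():
        for i, (start, _) in enumerate(events):
            targets = {dst for ts, dst in events[i:] if ts - start <= window}
            if len(targets) >= threshold:
                alerts[src] = targets
                break
    return alerts


if __name__ == "__main__":
    for src, targets in opc_fanout_alerts(parse_flows(SAMPLE_FLOWS)).items():
        print(f"possible OPC enumeration from {src}: {len(targets)} hosts on TCP/{DCOM_PORT}")
```

Feeding real NetFlow or Zeek `conn.log` records into `parse_flows` is the only change needed to run this against production data; the alert is a lead for the host-level checks the advisory lists (installed programs, VPN configuration files pulled from the host), not a verdict on its own.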



Beginning in 2016, the threat actor began widely targeting U.S. Energy Sector networks. The actor conducted these attacks in two stages: first targeting third-party commercial organizations (such as vendors, integrators, and suppliers) and then targeting Energy Sector organizations. The threat actor used the compromised third-party infrastructure to conduct spearphishing, watering hole, and supply chain attacks to harvest Energy Sector credentials and to pivot to Energy Sector enterprise networks. After obtaining access to the U.S. Energy Sector networks, the actor conducted network discovery, moved laterally, gained persistence, then collected and exfiltrated information pertaining to ICS from the enterprise, and possibly operational technology (OT), environments. Exfiltrated information included: vendor information, reference documents, ICS architecture, and layout diagrams.



For more detailed information on FSB targeting of U.S. Energy Sector networks, see CISA Alert TA18-074A, Russian Government Cyber Activity Targeting Energy Sector and Other Critical Infrastructure Sectors (https://us-cert.cisa.gov/ncas/alerts/TA18-074A).



Refer to Appendix A for TTPs of Havex malware and TTPs used by the actor in the 2016 to 2018 targeting of U.S. Energy Sector networks, as well as associated mitigations.



Compromise of Middle East-based Energy Sector Organization with TRITON Malware, 2017



In 2017, Russian cyber actors with ties to TsNIIKhM gained access to and manipulated a foreign oil refinery's safety devices. TsNIIKhM actors used TRITON malware on the ICS controllers, which resulted in the refinery shutting down for several days. 



TRITON is a custom-built, sophisticated, multi-stage malware affecting Schneider Electric's Triconex Tricon, a safety programmable logic controller (PLC) (also referred to as a safety instrumented system [SIS]), which monitors industrial processes to prevent hazardous conditions. TRITON is capable of directly interacting with, remotely controlling, and compromising these safety systems. Because these systems are used in a large number of environments, the capacity to disable, inhibit, or modify the ability of a process to fail safely could result in physical consequences. Note: for additional information on affected products, see CISA ICS Advisory ICSA-18-107-02, Schneider Electric Triconex Tricon (Update B) (https://us-cert.cisa.gov/ics/advisories/ICSA-18-107-02).



TRITON malware affects Triconex Tricon PLCs by modifying in-memory firmware to add additional programming. The extra functionality allows an attacker to read/modify memory contents and execute custom code, disabling the safety system. 



TRITON malware has multiple components, including a custom Python script, four Python modules, and malicious shellcode that contains an injector and a payload. For detailed information on TRITON's components, refer to CISA Malware Analysis Report (MAR) MAR-17-352-01, HatMan: Safety System Targeted Malware (Update B) (https://us-cert.cisa.gov/ics/MAR-17-352-01-HatMan-Safety-System-Targeted-Malware-Update-B).



Note: the indicted TsNIIKhM cyber actor was also involved in activity targeting U.S. Energy Sector companies in 2018, and other TsNIIKhM-associated actors have targeted a U.S.-based company's facilities in an attempt to access the company's OT systems. To date, CISA, FBI, and DOE have no information to indicate these actors have intentionally disrupted any U.S. Energy Sector infrastructure. 



Refer to Appendix A for TTPs used by TRITON as well as associated mitigations. 


Mitigations

Enterprise Environment



CISA, the FBI, and DOE recommend Energy Sector and other critical infrastructure organizations implement the following mitigations to harden their corporate enterprise network. These mitigations are tailored to combat multiple enterprise techniques observed in these campaigns (refer to Appendix A for observed TTPs and additional mitigations).



Privileged Account Management 



       
  • Manage the creation of, modification of, use of—and permissions associated with—privileged accounts, including SYSTEM and root.



Password Policies



       
  • Set and enforce secure password policies for accounts.



Disable or Remove Features or Programs



       
  • Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.



Audit 



       
  • Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc., to identify potential weaknesses.



Operating System Configuration 



       
  • Make configuration changes to the operating system, or to a common feature of it, that harden the system against the techniques observed in these campaigns.



Multifactor Authentication



       
  • Enforce multifactor authentication (MFA) by requiring users to provide two or more pieces of information (such as username and password plus a token, e.g., a physical smart card or token generator) to authenticate to a system.



Filter Network Traffic    



       
  • Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.



Network Segmentation



       
  • Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a demilitarized zone (DMZ) to contain any internet-facing services that should not be exposed from the internal network.



Limit Access to Resources over the Network



       
  • Prevent access to file shares, remote access to systems, and unnecessary services. Mechanisms to limit access may include use of network concentrators, Remote Desktop Protocol (RDP) gateways, etc.



Execution Prevention



       
  • Block execution of code on a system through application control, and/or script blocking.



Industrial Control System Environment



CISA, the FBI, and DOE recommend Energy Sector and other critical infrastructure organizations implement the following mitigations to harden their ICS/OT environment.



Network Segmentation



       
  • Implement and ensure robust network segmentation between IT and ICS networks to limit the ability of cyber threat actors to move laterally to ICS networks if the IT network is compromised.
    • Implement a network topology for ICS that has multiple layers, with the most critical communications occurring in the most secure and reliable layer. For more information refer to National Institute of Standards and Technology Special Publication 800-82: Guide to Industrial Control Systems (ICS) Security (https://csrc.nist.gov/publications/detail/sp/800-82/rev-2/final). Further segmentation should be applied to portions of the network that are reliant on one another by functionality. Figure 5 on page 26 of the CISA ICS Defense in Depth Strategy document (https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf) describes this architecture.
    • Use one-way communication diodes to prevent external access, whenever possible.
    • Set up DMZs to create a physical and logical subnetwork that acts as an intermediary for connected security devices to avoid exposure.
    • Employ reliable network security protocols and services where feasible.
  • Consider using virtual local area networks (VLANs) for additional network segmentation, for example, by placing all printers in separate, dedicated VLANs and restricting users' direct printer access. This same principle can be applied to segmentation of portions of the process for which devices are used. As an example, systems that are only involved in the creation of one component within an assembly line that is not directly related to another component can be on separate VLANs, which allows for identification of any unexpected communication, as well as segmentation against potential risk exposure on a larger scale.
  • Implement perimeter security between network segments to limit the ability of cyber threat actors to move laterally.
    • Control traffic between network segments by using firewalls, intrusion detection systems (IDSs), and rules for filtering traffic on routers and switches.
    • Implement network monitoring at key chokepoints—including egress points to the internet, between network segments, and core switch locations—and at key assets or services (e.g., remote access services).
    • Configure an IDS to create alarms for any ICS traffic outside normal operations (after establishing a baseline of normal operations and network traffic).
    • Configure security information and event management (SIEM) tooling to monitor, analyze, and correlate event logs from across the ICS network to identify intrusion attempts.
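The "baseline, then alarm on anything outside it" bullet above is exactly the control that would have surfaced the TRITON intrusion described earlier: the malware had to reach the Tricon over its engineering protocol, TriStation (UDP/1502 in public analyses of the malware), from a host that was not the sanctioned engineering workstation. The following is an added example, not code from the advisory or from any IDS product, showing that rule in its simplest form. The controller and workstation addresses, the baseline set, and the four-field flow layout are constructed.

```python
"""Added example: baseline-then-alert check for engineering-protocol traffic
reaching safety controllers. TriStation runs over UDP/1502 (taken from public
analysis of TRITON); every address and flow below is constructed."""

TRISTATION_PORT = 1502

# Constructed: the safety controllers (SIS) in this cell.
SIS_CONTROLLERS = {"10.9.1.10", "10.9.1.11"}

# Constructed baseline flows "src_ip,dst_ip,dst_port,proto" captured during a
# period of known-good operations: one engineering workstation (10.9.0.5)
# talks TriStation, one HMI (10.9.0.20) polls Modbus/TCP (502).
BASELINE = """\
10.9.0.5,10.9.1.10,1502,udp
10.9.0.5,10.9.1.11,1502,udp
10.9.0.20,10.9.1.10,502,tcp
"""

# Constructed observed flows to evaluate. Two unexpected hosts, one of them
# from the IT range, speak TriStation to a controller; the HMI polls a second
# controller it had never polled before.
OBSERVED = """\
10.9.0.5,10.9.1.10,1502,udp
10.9.0.20,10.9.1.10,502,tcp
10.9.0.88,10.9.1.10,1502,udp
10.1.20.15,10.9.1.11,1502,udp
10.9.0.20,10.9.1.11,502,tcp
"""


def parse(text):
    """Parse constructed CSV flow lines into a set of (src, dst, dport, proto)."""
    out = set()
    for line in text.strip().splitlines():
        src, dst, dport, proto = line.split(",")
        out.add((src, dst, int(dport), proto))
    return out


def evaluate(observed, baseline, sis=SIS_CONTROLLERS):
    """Classify observed flows against the baseline.

    Returns a list of (kind, flow) findings:
      'sis-engineering' - TriStation traffic to a safety controller from a
                          source that never did so in the baseline (the path
                          TRITON needed; treat as highest severity)
      'new'             - any other flow to a safety controller not in baseline
    Flows present in the baseline produce no finding."""
    findings = []
    for flow in sorted(observed):
        src, dst, dport, proto = flow
        if flow in baseline:
            continue
        if dst in sis and dport == TRISTATION_PORT and proto == "udp":
            findings.append(("sis-engineering", flow))
        elif dst in sis:
            findings.append(("new", flow))
    return findings


if __name__ == "__main__":
    for kind, (src, dst, dport, proto) in evaluate(parse(OBSERVED), parse(BASELINE)):
        print(f"[{kind}] {src} -> {dst} {proto}/{dport}")
```

A static firewall rule permitting only the engineering workstation to reach UDP/1502 on the SIS is the preventive counterpart; the alarm still earns its keep when that rule is missing, mis-ordered, or bypassed by a host that is itself on the allowed side of the boundary.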

       



ICS Best Practices



       
  • Update all software. Use a risk-based assessment strategy to determine which ICS networks, assets, and zones should participate in the patch management program. 

  •    
  • Test all patches in out-of-band testing environments before implementation into production environments.

  •    
  • Implement application allow listing on human machine interfaces and engineering workstations.

  •    
  • Harden software configuration on field devices, including tablets and smartphones.

  •    
  • Replace all end-of-life software and hardware devices.

  •    
  • Disable unused ports and services on ICS devices (after testing to ensure this will not affect ICS operation).

  •    
  • Restrict and manage remote access software. Enforce MFA for remote access to ICS networks.

  •    
  • Configure encryption and security for network protocols within the ICS environment.

  •    
  • Do not allow vendors to connect their devices to the ICS network. Use of a compromised device could introduce malware. 

  •    
  • Disallow any devices that do not live solely on the ICS environment from communicating on the platform. 'Transient devices' provide risk exposure to the ICS environment from malicious activity in the IT or other environments to which they connect.

  •    
  • Maintain an ICS asset inventory of all hardware, software, and supporting infrastructure technologies. 

  •    
  • Maintain robust host logging on critical devices within the ICS environment, such as jump boxes, domain controllers, repository servers, etc. These logs should be aggregated into a centralized log server for review. 

  •    
  • Ensure robust physical security is in place to prevent unauthorized personnel from accessing controlled spaces that house ICS equipment.

  •    
  • Regularly test manual controls so that critical functions can be kept running if ICS/OT networks need to be taken offline.



Contact Information



All organizations should report incidents and anomalous activity to CISA 24/7 Operations Center at report@cisa.gov or (888) 282-0870 and/or to the FBI via your local FBI field office (https://www.fbi.gov/contact-us/field-offices) or the FBI's 24/7 CyWatch at (855) 292-3937 or CyWatch@fbi.gov.



References



[1] https://www.justice.gov/opa/pr/four-russian-government-employees-charged-two-historical-hacking-campaigns-targeting-critical

[2] https://collaborate.mitre.org/attackics/index.php/Software/S0003
