- The U.S. Department of Homeland Security and the Federal Bureau of Investigation last week issued a joint warning that described an "advanced persistent threat" targeting government entities and organizations in a wide range of sectors, including energy, nuclear, aviation and critical manufacturing.
- In September, security firm Symantec warned that a group of hackers known as Dragonfly 2.0 had targeted the power sector in Europe and the United States, potentially gaining operational access.
- DOE and FBI said their technical alert aimed to provide "additional information about this ongoing campaign," and to educate network defenders to identify and reduce exposure to hacking attempts.
For at least five months now, federal officials have been monitoring attempts to hack critical systems in the United States and elsewhere — some of which have been at least partially successful, DOE and FBI said.
"Threat actors have targeted government entities and the energy, water, aviation, nuclear and critical manufacturing sectors, and, in some cases, have leveraged their capabilities to compromise victims’ networks," the alert said. "Historically, cyber threat actors have targeted the energy sector with various results, ranging from cyber espionage to the ability to disrupt energy systems in the event of a hostile conflict."
The agencies warned that hackers are using a variety of techniques and tactics, including: open-source reconnaissance; spear-phishing emails (from compromised legitimate accounts); watering-hole domains; host-based exploitation; industrial control system infrastructure targeting and ongoing credential gathering.
Despite the good intentions of federal officials, some experts say the warning is insufficient.
Satya Gupta, founder and CTO of Virsec Systems, said in a statement that while the DHS warnings "are warranted, their specific security recommendations are inadequate. The security mindset of watching for anomalies at the perimeter often becomes the equivalent of closing the barn door after the horses have bolted."
Perimeters are inevitably porous, Gupta said. "Our security focus needs to shift from the network perimeter to the applications themselves," he added. "By closely monitoring application flows, processes and memory, you can spot unusual behavior at the source and take action faster and more surgically, before damage occurs or spreads."
Earlier this month, cybersecurity firm FireEye confirmed that it detected and stopped spear phishing emails sent to United States power companies by "known cyber actors likely affiliated with the North Korean government" in September.
President Donald Trump has named cybersecurity a priority, issuing an executive order outlining a series of actions for federal agencies to strengthen protections for national cybersecurity, federal IT networks and critical infrastructure, including the power grid. GridEx IV, a biennial exercise designed to simulate a cyber and physical attack on electric and other critical infrastructures across North America, will launch next month.