EXECUTIVE SUMMARY:

The energy sector has a target on its back. Data reveals that 77% of assets within the energy sector retain porous Information Technology (IT) or Operational Technology (OT) boundaries, making them uniquely vulnerable to cyber threats.

Amidst rising geopolitical tensions, cyber attacks against critical infrastructure groups are liable to increase. The recent discovery of a new cyber espionage campaign targeting American, Canadian and Japanese energy companies brings this into sharp relief. Here’s what happened recently…

Recent energy grid attacks

Evidence indicates that the North Korean state-sponsored hacking group known as Lazarus targeted unnamed energy providers between February and July of this year. Lazarus leveraged a Log4j vulnerability (Log4Shell) to compromise certain types of servers. The hackers then used that foothold to establish a presence on victims’ networks, deploy malware, and gain continuous network access.

“In most instances, the attackers instrumented the reverse shell to create their own user accounts on the endpoints they had initial access to,” wrote cyber security researchers.

Lazarus attack group

The Lazarus group is known for its use of wide-ranging tactics, techniques and procedures. The group appears to maintain subgroups, which are allegedly responsible for recent attacks like H0ly Gh0st. Lazarus is also believed to be responsible for the infamous 2017 WannaCry attack, which encrypted over 200,000 devices and caused roughly $4 billion in global damages.

Many Lazarus intrusions target critical infrastructure with the intention of establishing long-term access to networks. This enables the hackers to exfiltrate data, harvest credentials, explore intellectual property and otherwise pursue nefarious activities.

In June, a blockchain analytics company suggested that Lazarus may be responsible for a $100M theft from the cryptocurrency firm known as Harmony. Since then, analysts have connected the group to Axie Infinity’s $600M hack.

Attacker objectives

As the cryptocurrency company hacks make clear, Lazarus is financially motivated. However, the group is also driven by efforts to support North Korean state-backed objectives, including military R&D and evasion of international sanctions. In the past, stolen cryptocurrency and stolen intellectual property have been used to support the country’s nuclear weapons program.

To compromise targets, Lazarus leveraged two known strains of malware, VSingle and YamaBot. Attackers also deployed a previously unknown remote access trojan that is now known as MagicRAT.

Energy sector security

Nations around the world are investing in infrastructure development and security in order to increase resilience, provide appropriate levels of mitigation, and respond proactively and efficiently in the face of cyber threats.

Last month, the US Department of Energy allocated an additional $45 million to protect the grid from cyber attacks. In the UK, the National Security and Investment Act recently emerged to provide new legislative powers that allow for stronger scrutiny of foreign investments, ensuring stronger national critical infrastructure security.

Actionable steps now

Recent attacks on energy sector entities reinforce the need for hyper vigilance and expanded security investment among government and critical infrastructure groups. Energy sector organizations can take a variety of steps to protect networks. For simple and straightforward starting points, look no further than the following:

  • Implement multi-factor authentication for remote access to systems within the OT network.
  • Scan for use of open source tools that have been used to target industrial entities (SSH.NET, MASSCAN and Impacket).
  • Review architecture to assess routing protocols between OT and external networks.
  • Leverage a Crown Jewel Analysis (CJA) model to identify risks.
  • Ensure that threat intelligence information is available to information security teams.

Checking off these initial starting-point steps from a list of security activities can help provide everyone with greater confidence in an energy network’s security strategy and action plan. For more information about how to secure energy infrastructure, please see CyberTalk.org’s past coverage.
