Understanding Russian Hacking Tactics to Power Up Security in the Energy Sector

By Chip Epps, VP of Product Marketing, OPSWAT

Every critical infrastructure sector depends on energy to operate, yet the energy industry reports one of the highest rates of cyber incidents. Operational Technology (OT) is often the target of cybercriminals given that it controls the critical physical processes within industrial facilities, and gaining control of it can cause catastrophic damage. Coupled with the critical nature of these environments is the vulnerability of aged legacy systems that operate on air-gapped and isolated OT networks which require physical access to manage and deploy system updates.

Recent news coverage on the indictment of Russian spies for conducting a global hacking campaign that targeted hundreds of energy organizations has intensified the ongoing conversation about the security of critical infrastructure, especially since one of the targets of this campaign hit close to home at a nuclear facility in Kansas. While the indictment was retroactive to the activities that occurred between 2012 and 2018, the six-year hacking campaign serves as a great case study for industry leaders in the energy sector to understand the attack vectors and learn how to prevent threats to OT in the future.

A Watering Hole of Tactics

The first tactic used by the Russian hackers is known as a “watering hole attack,” or a “drive-by attack.” This type of attack lures victims to a website that looks similar to known vendors’ websites, but it is actually spoofed and contains malicious files through application updates. A layered approach is important for threat mitigation for this type of attack, and there are many best practices that energy organizations should adopt.

The first step would be to implement Remote Browser Isolation (RBI) solutions to prevent malware from being delivered to the user’s endpoint. Additionally, scanning all files that are downloaded to both the IT and OT networks within the organization, and then using either static scanning for known malware, or sandbox dynamic analysis which can detect malicious behavior in unknown files, are effective ways to stay ahead of threats. Organizations can also introduce URL/domain reputation and sandboxing capabilities to detect network communications to known bad hosts as part of the behavior analysis.

Further, proper network architecture and complying with NERC and NRC requirements can help prevent the propagation of threats from entering the OT domain. Safeguarding the OT network also entails network segmentation using unidirectional gateways and a protocol break to ensure OT assets are protected from outside threats.

While the above prevention protocols are best practices, hackers may still find their way into networks, so it’s important to deploy intrusion prevention systems right before critical assets, such as PLCs, RTUs and other industrial appliances.

Finally, an organization can deploy automated workflows to scan for malicious links and file scanning to prevent human error.

A Chain of Attacks

As we’ve seen with SolarWinds and Log4j compromises, software supply chain attacks are another common tactic used by cybercriminals and one that has been leveraged by the Russian espionage groups. In this case, the hackers worked to hide malware in software updates used by systems that control the equipment in power plants.

To mitigate this common type of attack, organizations should adopt a zero-trust philosophy and consider software updates from third-party vendors to be suspect and thoroughly inspected until considered safe. This entails disabling automatic software updates in OT networks, validating all updates in a test environment prior to delivery in production, checking software against known malware and vulnerabilities and running them through dynamic analysis, and inspecting the software component’s country of origin for compliance.

As U.S. legislation and global conversations on contingency planning for attacks on critical infrastructure evolve—and as these types of cyber incidents increasingly play out— the security of the energy sector should be at the top of everyone’s mind and mitigation list.

About the Author

Chip Epps is the VP of Product Marketing at OPSWAT.  He joined OPSWAT in 2021 with a 15+ year security career in both Product Management and Product Marketing, having been CISSP certified. He’s focused primarily on emerging product categories and associated go-to-market strategies spanning security domains including Endpoint, Datacenter, Network, Gateway, Cloud, IAM, SOAR and Threat Intelligence. Prior to a career in security, Chip spent 10+ years in IT operations and service delivery across numerous market segments including Healthcare, Finance, and Government, being ITIL certified. Chip received his BME (Mechanical Engineering) from Georgia Tech, was certified Chief Engineer by Naval Reactors (submarine qualified) and obtained his MBA with a focus on new ventures from University of San Diego.

Chip can be reached at [email protected]  and at our company website https://www.opswat.com/.