North American Electric Cyber Threat Perspective Report (English version).pdf
Summary

The electric utility industry is a valuable target for adversaries seeking to exploit industrial control systems (ICS) and operations technology (OT) for a variety of purposes. A power disruption event from a cyberattack can occur from multiple components of an electric system, including disruptions of the operational systems used for situational awareness and energy trading, targeting enterprise environments to achieve an enabling attack through interconnected and interdependent IT systems, or through a direct compromise of cyber digital assets used within OT environments. Attacks on electric systems, like attacks on other critical infrastructure sectors, can further an adversary's criminal, political, economic, or geopolitical goals. As adversaries and their sponsors invest more effort and money into obtaining effects-focused capabilities, the risk of a disruptive or destructive attack on the electric sector significantly increases.

The number of publicly known attacks impacting ICS environments around the world continues to increase, and correspondingly the potential risk due to a disruptive cyber event impacting the North American electric sector is currently assessed as high. This report highlights multiple threats and adversaries focusing on critical infrastructure and their capabilities. Dragos anticipates the threat landscape associated with the sector will remain high as the detected intrusions continue to rise. Of the activity groups that Dragos is actively tracking, nearly two-thirds of the groups performing ICS-specific targeting and disruption activities are focused on the North American electric sector. Additionally, existing threats to ICS are expanding and establishing new interest in electric utility operations in North America. For example, the Dragos-tracked activity group XENOTIME, the most dangerous and capable activity group, initially focused its targeting efforts on oil and gas operations before expanding to include North American electric utilities.

Dragos also identified the MAGNALLIUM activity group expanding targeting to include electric utilities in the US. This activity group expansion and shift to the electric sector coincided with increasing political and military tensions in Gulf Coast Countries (GCC). Dragos research of the CRASHOVERRIDE attack indicates ELECTRUM targeted recovery operations. Such activity, if successful, could prolong outages following a cyberattack and cause physical damage to equipment or harm to operators. These findings suggest the group had greater ambitions than what it achieved during its 2016 attack, and represent worrying possibilities for safety- and protection-focused attacks in the future.

Historically, adversaries have demonstrated the capabilities to significantly disrupt electric operations in large-scale cyber events through specialized malware and deep knowledge of targets' operations environments. Although North America has not experienced similar attacks, ICS-targeting adversaries exhibit the interest and ability to target such networks with activities that could facilitate such attacks.

North American Electric Cyber Threat Perspective, January 2020. 2019 Dragos, Inc. All rights reserved. Protected Non-confidential content. January 8, 2020.

The electric sector, as a whole, has been working for over a decade to address cyber threats through board-level decisions,[1] preparedness exercises like GridEx, the NERC CIP standards, and direct investment in ICS-specific security technologies. However, adversaries will continue to evolve and the industry must be ready to adapt. This report provides a snapshot of the threat landscape as of January 2020 and is expected to change in the future as adversaries and their behaviors evolve.

Key Findings

The threat landscape focusing on electric utilities in North America is expansive and increasing, led by numerous intrusions into ICS networks for reconnaissance and research purposes and ICS activity groups demonstrating new interest in the electric sector.

Attacks on electric utilities can have significant geopolitical, humanitarian, and economic impact. Thus, state-associated actors will increasingly target power and related industries like natural gas to further their goals.

One significant threat includes active supply chain compromises by activity groups targeting original equipment manufacturers, third-party vendors, and telecommunications providers.

Research into the 2016 CRASHOVERRIDE attack demonstrates the adversary's intent and ability to target protection and safety operations to cause prolonged outages, equipment destruction, and human health and safety concerns.

Utilities are slowly improving visibility in electric operational environments, and current regulatory standards in North America ensure the electric power sector maintains a minimum level of cybersecurity for all of the in-scope facilities. Further recommendations are included in this report for asset owners and operators to address cyber risk in their operations environment.

The complete "energy infrastructure sector" (electric, oil and gas, etc.) of all countries is at risk as companies and utilities are facing multiple global adversaries. Cyberattacks are an increasingly common means of projecting dominance in the energy domain.

Activity Groups

Dragos tracks seven activity groups[2] targeting electric utilities in North America, and 11 total groups. Dragos does not perform state or actor attribution of activity groups and none should be implied.

[1] dragos/wp-content/uploads/yir-execs-2018.pdf
[2] Dragos categorizes ICS-targeting activity into activity groups based on observable elements that include an adversary's methods of operation, infrastructure used to execute actions, and the targets they focus on. The goal, as defined by the Diamond Model of Intrusion Analysis, is to delineate an adversary by their observed actions, capabilities, and demonstrated impact, not implied or assumed intentions. These attributes combine to create a construct around which defensive plans can be built.

At this time, two activity groups possess ICS-specific capabilities and tools to cause disruptive events: XENOTIME and ELECTRUM.

PARISITE targets utilities, aerospace, and oil and gas entities. Its geographic targeting includes North America, Europe, and the Middle East. PARISITE uses open source tools to compromise infrastructure and leverages known virtual private network (VPN) vulnerabilities for initial access. The scope of this group's targeting also includes government and non-governmental organizations. This group has operated since at least 2017 based on infrastructure Dragos identified. Dragos intelligence indicates PARISITE serves as the initial access group and enables further operations for MAGNALLIUM. Links[3]: MAGNALLIUM

XENOTIME is known for its TRISIS attack which caused the disruption at an oil and gas facility in the Kingdom of Saudi Arabia in August 2017. It was specially tailored to interact with Triconex safety controllers and represented an escalation of ICS attacks due to its potential catastrophic capabilities and consequences. In 2018 XENOTIME activity expanded to include electric utilities in North America and the APAC region; oil and gas companies in Europe, the US, Australia, and the Middle East; as well as devices beyond the Triconex controllers. This group also compromised several ICS vendors and manufacturers, providing a potential supply chain threat.[4] Links: TEMP.Veles[5]

[3] "Links" means that there are technical overlaps or assessments made by other entities that provide some connection to the groups; however, this is not to imply that there is a one-to-one relationship between these groups, and they should not be considered aliases.
[4] dragos/resource/xenotime/
[5] attack.mitre/groups/G0088/

MAGNALLIUM has targeted energy and aerospace entities since at least 2013. The activity group initially targeted an aircraft holding company and oil and gas firms based in Saudi Arabia, but expanded their targeting to include entities in Europe and North America. In the fall of 2019, following increasing tensions in the Middle East, Dragos identified MAGNALLIUM expanding its targeting to include electric utilities in the US. MAGNALLIUM appears to still lack an ICS-specific capability, and the group remains focused on initial IT intrusions.[6] Links: APT 33, Elfin[7], PARISITE

DYMALLOY is a highly aggressive and capable activity group that has the ability to achieve long-term and persistent access to IT and operational environments for intelligence collection and possible future disruption events. The group's victims include electric utilities, oil and gas, and advanced industry entities in Turkey, Europe, and North America.[8] In recent months, Dragos has identified this actor expanding its targeting to include the APAC region based on newly identified malware samples. Links: Dragonfly 2.0, Berserk Bear[9]

ELECTRUM currently focuses on electric utilities and mostly targets entities in Ukraine. It is responsible for the disruptive CRASHOVERRIDE event in 2016.[10] This group is capable of developing malware that can modify electric equipment processes, leveraging ICS protocols and communications. Links: SANDWORM[11]

[6] dragos/resource/magnallium/
[7] attack.mitre/groups/G0064/
[8] dragos/resource/dymalloy/
[9] attack.mitre/groups/G0074/
[10] dragos/resource/anatomy-of-an-attack-detecting-and-defeating-crashoverride/
[11] attack.mitre/groups/G0034

RASPITE targets electric utilities in the US and government entities located in the Middle East. Dragos also identified additional victims in Saudi Arabia, Japan, and Western Europe, but has not identified new RASPITE activity since mid-2018.[12] Links: Leafminer[13]

ALLANITE targets business and ICS networks in the US and UK electric utility sectors. The group maintains access and performs reconnaissance in operational environments to potentially stage disruptive events. There is no indication ALLANITE has a disruptive or damaging capability or intent at this time.[14] Links: PALMETTO FUSION,[15] Dragonfly 2.0, Berserk Bear

COVELLITE compromised networks associated with electric energy, primarily in Europe, East Asia, and North America. The group has not shown an ICS-specific capability at this time. While technical activity linked to COVELLITE behaviors exists in the wild, there has been no evidence or indication that this group remains active from an electric-targeting perspective.[16] Links: Lazarus Group,[17] WASSONITE

CHRYSENE developed from an espionage campaign that first gained attention after the destructive Shamoon cyberattack in 2012 that impacted Saudi Aramco. The activity group targets petrochemical, oil and gas, and electric generation sectors. Targeting has shifted beyond the group's initial focus on the Gulf Region, and the group remains active and evolving in more than one area.[18] Links: APT 34, GREENBUG, OilRig[19]

[12] dragos/resource/raspite/
[13] attack.mitre/groups/G0077/
[14] dragos/resource/allanite/
[15] www.us-cert.gov/ncas/alerts/TA17-293A
[16] dragos/resource/covellite/
[17] attack.mitre/groups/G0032
[18] dragos/resource/chrysene/
[19] attack.mitre/groups/G0049/

HEXANE targets oil and gas and telecommunications in Africa, the Middle East, and Southwest Asia. Dragos identified the group in May 2019. HEXANE operations rely on malicious document files to drop malware on victim machines, from which HEXANE can then proceed to further goals in the target network.[20] Links: CHRYSENE, OilRig

WASSONITE targets electric generation, nuclear energy, manufacturing, and research entities in India, and likely South Korea and Japan. The group's operations rely on DTrack malware, credential capture tools, and system tools for lateral movement. WASSONITE has operated since at least 2018. Links: Lazarus Group, COVELLITE

Threats to Energy Infrastructure

As evidenced by the expansion of the oil and gas targeting adversaries XENOTIME and MAGNALLIUM into the electric sector, there is a growing trend of threat proliferation across critical infrastructure sectors. That is, threats to one ICS entity are potential threats to other industrial verticals. Adversaries are increasingly targeting multiple verticals with purposes including espionage, information gathering, and potentially disruptive events.[21] This trend is driven by multiple variables, including increasing investment to develop offensive capabilities specifically for ICS-targeting operations. Attackers are obtaining the skills necessary for a cyber-physical event as greater attention is paid to ICS in general and as open-source information on industrial networks, protocols, and devices becomes more widely available. Additionally, the spread of commodity IT hardware and software into OT networks increases the attack surface, providing ingress opportunities via techniques familiar to the adversary. Therefore, all energy-related entities should be familiar with malicious activity across critical infrastructure sectors.

Overview of the North American Electric System

The phrase "electric grid" as a single entity is a bit of a misnomer. The way power is generated, transmitted, and distributed across North America is best described as an electric system: the Bulk Electric System.

[20] dragos/resource/hexane/
[21] dragos/blog/industry-news/threat-proliferation-in-ics-cybersecurity-xenotime-now-targeting-electric-sector-in-addition-to-oil-and-gas/

The system is complex, resilient, and segmented. The North American Bulk Electric System is broken down into four Interconnections: the Eastern, Western, Texas, and Quebec Interconnections.[22]

Certain electric power entities in the United States must adhere to mandatory cybersecurity standards under authority from the Federal Energy Regulatory Commission (FERC) and established by the North American Electric Reliability Corporation (NERC). These Critical Infrastructure Protection (CIP) Reliability Standards have several requirements for in-scope facilities and systems across the Bulk Electric System (BES). These regulations are also used outside of the United States across North America. Each Canadian province adopts the standards for their utilities, and the Mexican regulator, Comisión Reguladora de Energía (CRE), works with NERC on reliability efforts and defines cybersecurity rules for their country.[23] The NERC CIP Reliability Standards are separated into several topic areas, outlined below:

CIP-002-5.1 Bulk Electric System (BES) Cyber System Categorization
CIP-003-6 Security Man