Spear-phishing attacks hit gas pipeline networks
- By William Jackson
- May 08, 2012
A Homeland Security Department cyber response team focusing on industrial control systems has issued a warning to the natural gas pipeline industry of targeted cyberattacks that have compromised some networks.
According to the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), a partner organization of US-CERT, the attacks were discovered in March and have been going on for at least five months, using well-crafted spear-phishing e-mails targeting specific individuals.
“Various sources provided information to ICS-CERT describing targeted attempts and intrusions into multiple natural gas pipeline sector organizations,” the public alert states. “Analysis of the malware and artifacts associated with these cyberattacks has positively identified this activity as related to a single campaign with spear-phishing activity dating back to as early as December 2011.”
Industry needs government help to protect infrastructure, GAO study says
DHS outlines goals for nation's critical infrastructure
Few details are being released publicly, although more detailed alerts have been posted to the US-CERT Control Systems Center secure portal, which is not publicly available.
ICS-CERT is providing a number of organizations with remote and on-site assistance to confirm system compromises and the extent of infections and to help in removal. Industry representatives also are being briefed on the attacks.
The motive for the attacks is not yet known. It could run the gamut from intelligence gathering to theft of data for economic purposes to laying the groundwork for sabotage. But the target appears to be clear, said Andy Purdy, chief cybersecurity strategist for Computer Sciences Corp.
Because there have not been similar alerts for other sectors of the energy industry, “it looks like a sustained effort, with significant resources, to target one part of the industry and no other,” said Purdy, a former member of the White House staff team that drafted the U.S. National Strategy to Secure Cyberspace. “It’s not possible right now to see what they’re trying to do in that space,” but there have been no indications of physical disruptions of networks or pipelines yet.
Similar attacks on specific industries in recent years appear to have been for the purpose of data theft rather than sabotage, said Liam O Murchu, manager of operations for Symantec Security Response. "When industries are attacked like this, it usually is intellectual property that is sought," he said. "There is no reason to believe anything else is happening here. It probably is another information-stealing attack."
Spear phishing has become one of the most effective methods of delivering sophisticated malware into secure environments. If often takes the form of an e-mail that appears to come from a trusted source and with a credible message but contains a malicious attachment or a link to a malicious online site. Preparing and delivering such an e-mail usually requires intelligence gathering to identify a proper target and to craft a convincing attack.
“Analysis shows that the spear-phishing attempts have targeted a variety of personnel within these organizations; however, the number of persons targeted appears to be tightly focused,” the ICS-CERT alert states. “In addition, the e-mails have been convincingly crafted to appear as though they were sent from a trusted member internal to the organization.”
The attacks appear to have begun about two years after a series of attacks, dubbed Night Dragon, on the global energy industry. Those attacks began in November 2009 and, according to analysis by McAfee, used spear phishing to exploit vulnerabilities in Microsoft Windows operating systems and Active Directory to harvest sensitive information.
McAfee identified the tools, techniques and network activities used in the attacks as originating primarily in China. Attackers in China apparently used command-and-control servers hosted in the United States to compromise servers in the Netherlands that then attacked oil, gas and petrochemical companies around the world.
Information gathered from such compromises could be exploited for economic gain, military intelligence, or to prepare the ground for sabotage such as that carried out in Iran by the Stuxnet worm.
Purdy called the ICS-CERT alert an “excellent example of the information-sharing framework” that is emerging in government and industry. While Congress, the Obama administration and the private sector debate legislation that would determine the nature of the partnerships that all agree are needed to improve information sharing, robust systems already are in operation.
ICS-CERT is one component of the Homeland Security Department’s National Cybersecurity and Communications Integration Center, which produces a common operating picture of the cyber and communications infrastructures across local, state and federal governments, the intelligence and law enforcement communities, and the private sector. Also co-located at the center are US-CERT, the National Coordinating Center for Telecommunications, and the DHS Office of Intelligence and Analysis.
A growing number of companies also have seats at the NCCIC, Purdy said, although they are not publicly announced.
William Jackson is freelance writer and the author of the CyberEye blog.