The cyber research firm Dragos today detailed the operations of a suspected Russian hacker group that focuses on penetrating critical infrastructure networks. The group, which Dragos calls ALLANITE, “accesses business and industrial control (ICS) networks, conducts reconnaissance and gathers intelligence in United States and United Kingdom electric utility sectors,” according to a newly published profile, the first in a series about infrastructure-focused hacking teams. Dragos said that ALLANITE hackers “continue to maintain ICS network access” so they can “understand the operational environment necessary to develop disruptive capabilities” and be ready to disrupt those systems when called upon to do so. The company, which does not attribute hacking groups to nation-states, acknowledged that ALLANITE's “activity closely resembles” a Russian cyber intrusion campaign that U.S. officials have dubbed Palmetto Fusion. “Russian government cyber actors ... targeted small commercial facilities’ networks where they staged malware, conducted spear phishing and gained remote access into energy sector networks,” DHS said in a March 15 alert. Dragos said that ALLANITE uses spearphishing and malware-laden websites to harvest the login credentials needed to penetrate networks. So far, the company said, ALLANITE campaigns “limit themselves to information gathering and have not demonstrated any disruptive or damaging capabilities.”
E-ISAC Update – March 13, 2020
In coordination with NERC, the E-ISAC continues to track the evolving situation with regard to COVID-19. The E-ISAC is monitoring cyber and physical security issues related to the coronavirus and encourages industry to continue sharing information related to grid security issues.
At this point, the E-ISAC is limiting all non-essential travel for staff, encouraging full-time telework, and restricting visitors to its offices. Through these unprecedented times, the E-ISAC continues to serve the electricity industry by supporting information sharing and reducing cyber and physical risk to the North American power grid.
On March 12, NERC posted an announcement [hXXps://www.nerc.com/news/Headlines%20DL/Coronavirus%20Impacts%2011MAR20_final.pdf] on the steps it is taking to limit the impact of the coronavirus. It includes links to the Level 2 NERC Alert [hXXps://www.nerc.com/pa/rrm/bpsa/Alerts%20DL/NERC_Alert_R-2020-03-10-01_COVID-19_Pandemic_Contingency_Planning.pdf] issued on March 10 and the ESCC Guidance [hXXps://images.magnetmail.net/documents/clients/EEI_/2020-03/ovodrzgn.2mp/ESCC_Coronovirus_Resource_Guide_031020.pdf] “Assessing and Mitigating the Novel Coronavirus [COVID-19].”
We are committed to the safety and security of our industry members and government and cross-sector partners and will continue to work with you to share information, best practices, and lessons learned.
Visit the CDC [hXXps://www.cdc.gov/coronavirus/2019-ncov/index.html] and World Health Organization (WHO) [hXXps://www.who.int/emergencies/diseases/novel-coronavirus-2019] for the latest health information.
Find out more about the U.S. Government response [hXXps://www.usa.gov/coronavirus] to the coronavirus, including international travel restrictions, how you can prepare, and what the U.S. government is doing in response to the virus.
Check out guidance from the Department of Homeland Security on risk management [hXXps://www.cisa.gov/sites/default/files/publications/20_0306_cisa_insights_risk_management_for_novel_coronavirus.pdf] and ongoing DHS Coronavirus News and Updates [hXXps://www.dhs.gov/coronavirus-news-updates].
For additional questions for the E-ISAC, contact us at Operations[@]eisac.com [mailto:Operations[@]eisac.com] or memberservices[@]eisac.com [mailto:memberservices[@]eisac.com].
March Event - CYBER STRIKE WORKSHOP
The training will offer attendees a hands-on, simulated demonstration of a cyber attack, drawing on elements of the December 2015 Ukraine cyber incident. The workshop will consist of a series of exercises/labs listed below that attendees will work through in teams. Other topics that will be referenced include the North American Electric Reliability Corporation (NERC) alert related to the 2015 Ukraine cyber incident and the applicability of NERC Critical Infrastructure Protection (CIP) reliability standards* to such an incident. However, the primary focus will not be the standards, but rather understanding the Ukraine cyber incident from a technical perspective in order to enhance cyber preparedness.
experts will come together to share ideas, methods, and techniques for defending control systems. In-depth presentations and interactive panel discussions will highlight real-world approaches that work and make a difference for the individuals fighting this fight every day.
A new program aims to increase involvement and enhance collaboration and information sharing between member utilities of the North American Electric Reliability Corporation (NERC) Electricity Information Sharing and Analysis Center (E-ISAC). The E-ISAC, in partnership with the Large Public Power Council, began an initiative in January called the Industry Augmentation Program, which invites utility staff for multi-day visits to work with E-ISAC personnel. The program aims to raise awareness of E-ISAC cyber and physical security analysis processes, data protection, and the separation from NERC’s compliance functions; to provide an avenue for the E-ISAC to receive feedback from industry on tools and communications protocols; and to strengthen utility security programs and staff expertise. “This program highlights the benefit of multi-directional information sharing between the E-ISAC and industry,” said Bill Lawrence, director of the E-ISAC.
A Radware blog post has identified a new malware campaign, "Nigelthorn," aimed at the Facebook network that not only steals account credentials but also installs a covert cryptominer. The malware abuses a legitimate Google Chrome extension called Nigelify, from which the campaign derives its name.