From the beginning, the Trump administration has seemed reluctant to impose any sort of consequences on Russia or blame it for hacking activity against the US. On Thursday, however, the dam broke. The Treasury Department imposed delayed sanctions and two intel agencies issued a warning that “Russian government cyber actors” had “gained remote access into energy sector networks” over the last two years.
The Technical Alert was credited to the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI). For the first time, the agencies have publicly accused hackers working on behalf of the Russian government of implementing a “multi-stage intrusion campaign” that targeted “government entities and multiple U.S. critical infrastructure sectors, including the energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors.”
The alert claims the campaign has been going on since at least March 2016 and that its motive appears to be espionage and data collection. Typical techniques such as spear-phishing emails and watering-hole domains were listed as the methods used to gain access to individuals or companies that were only peripherally related to the primary targets. The hackers then apparently used those compromised systems to lure industrial control systems personnel with malware-laden Word documents disguised as legitimate résumés, invitations, and policy documents.
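The lure described above (Office documents posing as résumés, invitations or policy papers, sent from outside the organisation) is something a mail gateway or SOC triage script can flag before a user opens it. The following is an added illustration, not code from the article, the DHS/FBI alert or Symantec: it inspects constructed sample messages, checks whether an attachment is a legacy OLE2 document or an OOXML zip carrying a `vbaProject.bin` (a macro inside a supposedly macro-free `.docx`), combines that with the lure-themed filename and an external sender, and assigns a triage level. The internal domain `utility.example`, the sender addresses and the attachment bytes are all constructed for the example.

```python
import io
import zipfile

# Hypothetical internal mail domain for the constructed sample (an assumption).
INTERNAL_DOMAINS = {"utility.example"}
# Lure themes named in the alert: resumes, invitations, policy documents.
LURE_WORDS = ("resume", "résumé", "cv", "invitation", "policy")
# Magic bytes of an OLE2 compound file (legacy .doc/.xls), which can carry VBA macros.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def inspect_attachment(filename, data):
    """Return the set of indicators found in one attachment's name and bytes."""
    indicators = set()
    lower = filename.lower()
    if any(word in lower for word in LURE_WORDS):
        indicators.add("lure_filename")
    if data.startswith(OLE_MAGIC):
        indicators.add("legacy_ole_document")
    elif zipfile.is_zipfile(io.BytesIO(data)):
        # OOXML (.docx/.xlsx/.pptx) is a zip; macros live in a vbaProject.bin part.
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = [n.lower() for n in zf.namelist()]
        if any(n.endswith("vbaproject.bin") for n in names):
            indicators.add("vba_project_present")
            # Macro-enabled content should use .docm/.xlsm; macros inside a
            # macro-free extension are a classic disguise.
            if lower.endswith((".docx", ".xlsx", ".pptx")):
                indicators.add("macro_in_macro_free_extension")
    return indicators


def triage_message(msg):
    """Combine sender and attachment indicators into a triage level."""
    indicators = set()
    sender_domain = msg["from"].rsplit("@", 1)[-1].lower()
    if sender_domain not in INTERNAL_DOMAINS:
        indicators.add("external_sender")
    for name, data in msg["attachments"]:
        indicators |= inspect_attachment(name, data)
    if "vba_project_present" in indicators or (
        "legacy_ole_document" in indicators and "lure_filename" in indicators
    ):
        risk = "high"
    elif "lure_filename" in indicators and "external_sender" in indicators:
        risk = "medium"
    else:
        risk = "low"
    return {"subject": msg["subject"], "risk": risk, "indicators": sorted(indicators)}


def make_docx(with_vba):
    """Build a minimal constructed OOXML container, optionally with a VBA part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            zf.writestr("word/vbaProject.bin", b"\x00" * 32)  # placeholder bytes
    return buf.getvalue()


# Constructed sample messages (not real mail).
SAMPLE_MESSAGES = [
    {"from": "hr@utility.example", "subject": "Updated leave policy",
     "attachments": [("leave_policy.docx", make_docx(False))]},
    {"from": "recruiter@staffing-partner.example",
     "subject": "Candidate for SCADA engineer role",
     "attachments": [("resume_j_doe.docx", make_docx(True))]},
    {"from": "events@conference-invite.example", "subject": "Speaker invitation",
     "attachments": [("invitation.doc", OLE_MAGIC + b"\x00" * 24)]},
]


def run_triage(messages=SAMPLE_MESSAGES):
    return [triage_message(m) for m in messages]


if __name__ == "__main__":
    for result in run_triage():
        print(result["risk"].upper(), result["subject"], ", ".join(result["indicators"]))
```

The zip-member check is deliberately conservative: it reports that a macro project exists, not what it does, which is enough to route the message to sandbox detonation or analyst review rather than to the recipient's inbox. A legacy `.doc` is flagged on container type alone because macro presence in OLE2 files cannot be determined without parsing the compound file's stream directory.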
Anyone who’s followed reports from private security companies over the last couple of years will find the details in the alert familiar, but the US government rarely jumps into finger-pointing on cyber attacks. The Trump administration itself has acknowledged the US intel community’s conclusion that Russia was involved in various forms of cyber-meddling to influence the 2016 election, but Trump himself has wavered on that point. The White House caught flak for slow-walking the implementation of fresh sanctions against Russia, but on Thursday it followed through.
The new sanctions target the same bad actors involved with the Internet Research Agency that were identified last month in an indictment by Special Counsel Robert Mueller. On top of hacking activities related to the presidential elections, the Treasury Department accused Russia of being responsible for the NotPetya cyberattack that caused chaos with systems around the world last June.
It’s worth noting that previous reports of Russian hackers penetrating the US electric grid have proven to be exaggerated, and it’s unclear what kind of damage could be inflicted if the attackers decided to take advantage of their access to control systems. Russia has previously been accused of using cyberweapons to cause blackouts in Ukraine.
Today’s alert also confirmed a Symantec report from last year that detailed the work of a hacking group identified as “Dragonfly.” Symantec’s analysis is said to have provided “additional information” in the investigation of Russia’s activities.
Secretary of Energy Rick Perry set up a new Office of Cybersecurity, Energy Security, and Emergency Response last month to help address the cyberthreats his department faces. At a Congressional subcommittee hearing on Thursday, he primarily focused on his proposed cuts to the DOE’s budget, but he acknowledged that leading the world in confronting cyberthreats “is a responsibility that weighs heavily on the shoulders of the United States.”