When news broke on 6 July 2017 that companies that manage nuclear power stations within the US had been hacked, alarms were triggered. Rightly so: fears of what had happened in Ukraine, where the energy sector was essentially shut down by hackers, must have been on many minds. On some other minds was probably the thought that this was the end and that perhaps they should have been prepping for a doomsday scenario. While the hacking of energy suppliers and of companies associated with maintaining and managing power stations is a cause for concern, cybersecurity researchers at Cisco’s Talos Intelligence Division worked hard to quell some of the fears many might have had.
Details of the hack
On the above-mentioned date, the New York Times reported that the computer networks of companies that operate nuclear power stations had been targeted by hackers. The Department of Homeland Security and the Federal Bureau of Investigation confirmed in a joint report that the companies, including Wolf Creek Nuclear Operating Corporation, which operates a nuclear power station in Kansas, were indeed targeted. The report issued by the two agencies carried an urgent warning in the form of an amber warning, the second highest rating for such threats.
It is still not known what the overall aims of the hack were, whether espionage to steal industry secrets or something more destructive in intent. As yet, there is no evidence that those hacking the targeted systems managed to infiltrate the stations' control systems, which lends credence to the theory that the attack was not intended to be destructive. The control systems were not affected; the compromise was instead confined to the administrative and business side. According to the jointly issued report, the hackers seemed determined to map out networks for future attacks. A spokesman for the Department of Homeland Security, in a joint statement from both agencies, said:
There is no indication of a threat to public safety, as any potential impact appears to be limited to administrative and business networks.
As with most hacks, pinpointing exactly who is responsible can be a nearly impossible task. Security analysts believe the attack mimics methods employed by the Russian group Energetic Bear, which is widely believed to have links to the Russian government. In the summer of 2014, the group was believed to be behind an attack campaign targeting hundreds of Western oil and gas companies. The attack was seen as industrial sabotage, given the importance of the Russian oil and gas industry. As with the 2014 attack, the hackers were careful to cover their tracks and leave no concrete evidence of their identity, leaving researchers and investigators to infer the group's involvement from prior attacks, the group having been tied to attacks on the global energy sector since 2012.
To gain access to the targeted systems, fake résumés were sent as Microsoft Word documents laced with malicious code. A second attack vector was to compromise legitimate websites visited regularly by company employees and to redirect internet traffic through the employees' own machines.
A cunning phishing scheme
While the use of phishing emails and malicious Word documents is by no means a new method for installing malware, in this instance the way the hackers gained access to targeted systems was frustratingly cunning. Researchers at Cisco’s Talos Intelligence Division assumed at first that they would find malicious macros embedded in the document, as this is the traditional method employed by hackers. However, no such macros were found. After trying a few tools and methods to detect whether any malicious macros had been used, they came up empty handed. A chance discovery on the loading screen of Microsoft Word would help the researchers uncover the method the hackers had employed.
On the load screen, researchers noticed the following being displayed: “Contacting:\\ . . .\Template.dotm”, which should not have been there. The researchers established that the document was attempting to pull a template from an IP address. It was later determined that the hackers were using template injection and that the malicious code was attempting to silently harvest user credentials. However, when it came to analyzing the hacker-controlled SMB server, it was found to be down, so no analysis could be done of the ultimate payload, if any, that the hackers intended to deploy. Researchers have warned that the threat can become far more serious if the attacker is able to compromise a host and run the server internally.
Researchers at Cisco’s Talos Intelligence Division concluded that:
Talos responded to these attacks by reaching out to known affected customers and ensuring that they were aware of and capable of responding to the threat. It also illustrates the importance of controlling your network traffic and not allowing outbound protocols such as SMB except where specifically required for your environment. Additionally, a number of ClamAV signatures and email rules were written in order to ensure that threats leveraging this Office template injection technique are blocked in the future.
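Talos's point about not allowing outbound SMB can be checked retrospectively against firewall logs. The following added example (not Talos's code) parses firewall log lines in a simple key=value form, flags connections from internal RFC 1918 addresses to external addresses on TCP 445 or 139, and keeps the action field so that allowed connections, which indicate a gap in the egress policy, stand out from denied ones. The log format, hostnames and addresses are all constructed for the demonstration; adapt the parser to the real format of your firewall.

```python
"""Flag outbound SMB connections that leave the internal address space.

Added example, not Talos's code. The log lines are constructed in a
key=value form; real firewalls differ, so parse_line is the part to adapt.
"""
import ipaddress
import re
from typing import Dict, List

SMB_PORTS = {445, 139}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

KV = re.compile(r"(\w+)=(\S+)")

# Constructed sample: one internal file-share connection, two SMB connections to
# an external address (one allowed, one denied) and an ordinary HTTPS session.
SAMPLE_LOG = """\
2017-07-06T10:01:02Z fw01 src=10.20.5.17 dst=10.20.1.4 proto=tcp dport=445 action=allow
2017-07-06T10:01:05Z fw01 src=10.20.5.17 dst=203.0.113.5 proto=tcp dport=445 action=allow
2017-07-06T10:01:07Z fw01 src=10.20.5.18 dst=198.51.100.9 proto=tcp dport=443 action=allow
2017-07-06T10:02:11Z fw01 src=10.20.5.19 dst=203.0.113.5 proto=tcp dport=139 action=deny
"""


def parse_line(line: str) -> Dict[str, str]:
    """Split one log line into its key=value fields plus the leading timestamp."""
    fields = dict(KV.findall(line))
    fields["ts"] = line.split()[0]
    return fields


def is_internal(ip: str) -> bool:
    """True if the address falls in private or loopback space."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def outbound_smb(log_text: str) -> List[Dict[str, str]]:
    """Return events where an internal host talks SMB to an external address.

    Events are returned regardless of action: a 'deny' shows the egress policy
    working, an 'allow' is the credential-leak path the article describes.
    """
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if "src" not in ev or "dst" not in ev:
            continue
        try:
            dport = int(ev.get("dport", "-1"))
        except ValueError:
            continue
        if dport in SMB_PORTS and is_internal(ev["src"]) and not is_internal(ev["dst"]):
            hits.append(ev)
    return hits


if __name__ == "__main__":
    for ev in outbound_smb(SAMPLE_LOG):
        print(f"{ev['ts']} {ev['src']} -> {ev['dst']}:{ev['dport']} ({ev['action']})")
```

An allowed hit from a user workstation is the case to act on: it means a document or link could have made the host authenticate to an outside server, so the credentials of the logged-in user should be treated as exposed and the egress rule closed.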
This attack, like others, has come in the wake of President Trump signing an executive order on 11 May 2017 geared towards strengthening the cybersecurity defenses of federal networks and critical infrastructure. The order dictates that government agencies should work closely with public companies in an attempt to mitigate the risk faced by agencies guarding critical infrastructure. This recent attack could be seen as an acid test for the order.