The US-CERT Webinar on Russian Government Cyber Activity: a Review
Despite the sophisticated webinar title, all material provided was called Russian Activities.
Due to great number of cybersecurity professionals from all over the world participated, the webinar service experienced frequent outages like freezing slides or audio being cut out. American colleagues even left several funny comments like ‘Please use my Tax Dollars for better Internet’ or ‘Russians are DDoSing the presentation’. Nevertheless, the webinar did continue.
The event was divided into 3 parts: the main presentation on Russian Activities, the presentation on what National Cybersecurity and Communications Integration Center (NCCIC) is, and the Q&A section. The webinar presentation can be found here.
The first part of webinar focused on particular techniques so-called Russian Hackers used.
The first part of webinar focused on particular techniques so-called Russian Hackers used: critical infrastructure (particularly energy) employees are being searched on the Internet to gather all kinds of data related to their everyday duties including photographs even made at workplace, which sometimes, being full-size, allow to see tons of sensitive intel on equipment used, room plans, etc. Next stage is sending out emails containing infected MS Office documents or PDFs to those employees. Once opened, those files execute a code to access SMB share outside of local area network located at malicious server. This is the way to receive logins and password hashes. Complete user logon credentials are being recovered with the help of special software. Now is the time to use regular remote-access VPN to get inside of a corporate network. Once inside, hackers download a number of ‘sophisticated tools’ (that’s how US-CERT calls them), including notorious software like mimikatz, hydra, etc. and start gathering logon credentials on servers. Then, so-called Russian Hackers hack into ICS networks and study equipment, process, search for manuals. According to US-CERT, this usually takes from several months to several years. The final step is gaining access to HMI, control interfaces where you could actually turn something off or issue a command. That’s where they stopped and decided to suspend an attack, which was a great surprise to US-CERT. I’d like to point out that this presentation disappointed many security professionals: many of them commented with frustration that restricting unwanted traffic (especially SMB) is a basic rule to be implemented in the first place.
Second part of the webinar was really short and it looked like everyone was waiting for Q&A section. As a Russian, I had to ask question on evidence of hacker groups being related to Russian Government, but that question was avoided by the organizers. Nevertheless, colleagues from the US supported me by commenting ‘Because CIA said so’. Some other participants asked similar questions, none were answered.
Somehow, part of audience strongly believes that Russian Government is behind those attacks on critical infrastructure.
Certain recommendations were given to avoid that deadly scenario: no SMB traffic should be allowed to outside of the local network and two-factor authentication should be used. Besides that, it was stated that behavior analysis, log study and protecting communication to partner’s networks are also very important. Those obvious recommendations lead me to an unpleasant conclusion that the main idea of this webinar is not critical infrastructure protection, but propaganda of anti-Russian prejudice.
The webinar will be repeated on July, 30 and August, 1. Data on cyberattacks can be found here.
The opinions expressed on the site do not necessarily represent the views of the editorial staff.