Energy Organizations Continue to be Compromised Globally
Electric energy-associated organizations are at risk of network intrusions and continue to be compromised globally. Recent compromises at entities supporting electric utilities, including business associations and regulatory bodies, underscore the potential for adversaries to target such organizations and leverage their trusted relationships to launch further intrusions against the utilities they support.
The European Network of Transmission System Operators for Electricity (ENTSO-E) confirmed on 09 March 2020 that an adversary had successfully compromised its office network. The organization conducted a risk assessment, and contingency plans are now in place to reduce the impact of further attacks on the network.
ENTSO-E represents 42 electric Transmission System Operators (TSOs) from 35 countries throughout Europe. TSOs are the entities responsible for transporting electric power across the main high voltage power networks, providing grid access to various electric entities including generators and distributors, and assuring the safe and reliable operation and maintenance of the electric power system. ENTSO-E works with member organizations to achieve various policy, business, and environmental objectives.
At this time, the organization is sharing limited information publicly about the cyber event. The ENTSO-E statement said its office network is not connected to any operational TSO system. The organization informed its members as it continues to monitor the situation.
Additionally, in January 2020, the New Mexico Public Regulation Commission (NMPRC) experienced an alleged cyberattack, publicly reported to be ransomware, that compromised its web servers. Limited information exists at this time regarding the strain of ransomware or the full scope of the attack.
The NMPRC is the regulatory body for utilities, telecommunications, and motor carrier industries in New Mexico. According to the commission, the malware attack caused the website and electronic filing system to go offline. A spokesperson for the commission said no sensitive or confidential data was compromised. The commission keeps records of technical information on power plants and operations networks of the utilities and other entities it regulates. If attackers were able to obtain such information, it could be used to facilitate operations against the utilities directly.
Attackers have previously targeted the trusted connections between vendors, contractors, and other entities and their ultimate targets. ALLANITE, for instance, targeted multiple utilities in North America and Europe and was able to exfiltrate sensitive HMI screenshots and obtain SCADA diagrams. The activities described in previous Dragos reporting and in a public report by the Wall Street Journal include a supply chain compromise campaign that targeted numerous vendors, contractors, and business partners of U.S. utilities, with the intent to launch phishing campaigns masquerading as legitimate business email activity to gain initial access to target utilities.
Asset owners and operators are encouraged to monitor trusted third-party links and similar connections to identify potential abuse. Additionally, ensure employees are trained to recognize phishing campaigns and to report them to security personnel when observed.
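One concrete way to act on the recommendation to monitor trusted third-party links is to baseline each vendor or partner remote-access account (expected source addresses, business hours, and the hosts it is permitted to reach) and flag logins that deviate. The script below is an added example, not code from Dragos or from any of the organizations named above; the log format, the account names, the address ranges, and the per-account policy are all constructed for illustration and would need to be replaced with the VPN or jump-host logs and the vendor access agreements of a real environment.

```python
"""Flag anomalous use of third-party (vendor/partner) remote-access accounts.

Added example: log format, accounts, addresses and policy are constructed.
"""
import re
from datetime import datetime

# Constructed sample VPN gateway log lines (not from any real system).
# The last three show a vendor account used off-hours from an unexpected
# source, then pivoting to a host outside its agreed scope, and an account
# that was never registered as a third-party account at all.
SAMPLE_LOG = """\
2020-03-02T09:14:05Z vpn-gw login user=vendor_acme src=203.0.113.10 dst=hist-srv-01
2020-03-02T10:02:41Z vpn-gw login user=vendor_acme src=203.0.113.10 dst=hist-srv-01
2020-03-03T11:30:12Z vpn-gw login user=vendor_acme src=203.0.113.11 dst=hist-srv-01
2020-03-09T14:05:00Z vpn-gw login user=partner_tso src=192.0.2.25 dst=portal-01
2020-03-09T03:17:55Z vpn-gw login user=vendor_acme src=198.51.100.77 dst=hist-srv-01
2020-03-09T03:19:02Z vpn-gw login user=vendor_acme src=198.51.100.77 dst=eng-ws-07
2020-03-10T12:00:00Z vpn-gw login user=contractor_x src=203.0.113.50 dst=hist-srv-01
"""

# Constructed per-account policy derived from (hypothetical) vendor access
# agreements: allowed source prefixes, business-hour window [start, end)
# in the gateway's clock (UTC here), and the hosts the account may reach.
THIRD_PARTY_POLICY = {
    "vendor_acme": {"src_prefixes": ("203.0.113.",), "hours": (7, 19), "hosts": {"hist-srv-01"}},
    "partner_tso": {"src_prefixes": ("192.0.2.",), "hours": (7, 19), "hosts": {"portal-01"}},
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<gw>\S+) login user=(?P<user>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+)$"
)


def parse_line(line):
    """Parse one constructed log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return event


def check_event(event, policy):
    """Return the list of policy deviations for a single login event (empty if none)."""
    rule = policy.get(event["user"])
    if rule is None:
        # A remote-access account with no registered owner is itself a finding.
        return ["account_not_in_policy"]
    reasons = []
    if not event["src"].startswith(rule["src_prefixes"]):
        reasons.append("unexpected_source")
    start, end = rule["hours"]
    if not start <= event["ts"].hour < end:
        reasons.append("off_hours")
    if event["dst"] not in rule["hosts"]:
        reasons.append("unexpected_host")
    return reasons


def find_anomalies(log_text, policy):
    """Run every parseable line through the policy and collect the deviations."""
    findings = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None:
            continue
        reasons = check_event(event, policy)
        if reasons:
            findings.append({
                "ts": event["ts"].isoformat(),
                "user": event["user"],
                "src": event["src"],
                "dst": event["dst"],
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for finding in find_anomalies(SAMPLE_LOG, THIRD_PARTY_POLICY):
        print(f"{finding['ts']} {finding['user']} {finding['src']} -> {finding['dst']}: "
              + ", ".join(finding["reasons"]))
```

Running it on the constructed sample reports three events: two for the vendor account (off-hours from an unexpected source, the second also reaching a host outside its agreed scope) and one for an account that has no policy entry at all. The point of the per-account allow list is that a third-party connection is only "trusted" within the scope the agreement defines; anything outside that scope is the signal worth reviewing.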
The intrusions at ENTSO-E and NMPRC do not appear to be related but demonstrate the potential for adversaries to target such organizations to further attack objectives on the electric utilities or energy organizations working with the target companies. These intrusions – both in Europe and the U.S. – impact organizations that do not manage or control any industrial assets but are linked to various ICS entities for regulatory or similar reasons. Based on this connection, a successful intrusion at one of the victim entities could be leveraged to facilitate follow-on access or exploitation at supported utility organizations.
An attacker may access these organizations to harvest sensitive information about supported entities. This may facilitate information gathering and target development operations while avoiding any direct access to the victims. As a result, the attacker would effectively expose information from several organizations at the same time through a single intrusion.
*Note: PupyRAT is a remote access tool used to compromise and maintain access to victim networks. Recorded Future detected it communicating with a mail server belonging to a European energy sector organization from November 2019 to January 2020. Although publicly available data do not tie these events together, the activity adds to the evidence of ongoing targeting of electric organizations.
If you’re interested in learning more about the evolving tactics of attackers targeting the electric industry and other trends we’re seeing, Dragos’ 2019 Year in Review reports provide insights and lessons learned from our team’s first-hand experience hunting and responding to industrial control systems (ICS) adversaries. The reports also offer practical recommendations for stronger defenses for industrial organizations in an effort to help drive change in the ICS cybersecurity community.
[3] America’s Electric Grid Has a Vulnerable Back Door – and Russia Walked Through It – The Wall Street Journal