ICS-CERT continues to gather information on the recent Oil and Natural Gas (ONG) pipeline intrusion campaign.
This campaign, as first outlined in the April issue of the Monthly Monitor, refers to an active series of cyber intrusions targeting natural gas pipeline sector companies.
Recent reports and analysis conducted by ICS-CERT indicate that information pertaining to the ICS/SCADA environment, including data that could facilitate remote unauthorized operations, has been exfiltrated as part of this campaign.
Despite this, ICS-CERT has not received any reports of unauthorized access into the ICS environment; however, this may be due to limited monitoring and intrusion detection capabilities in the targeted companies control networks. The intent of the attackers remains unknown.
ICS-CERT recently issued an update to the original advisory (ICSA-12-136-01BP) with new information, indicators, and updated malware characterization. This advisory is available to asset owners/operators who have portal accounts in the Control Systems Center on the US-CERT secure portal (https://portal.us-cert.gov). Asset owners/operators can request a portal account by sending an email to: firstname.lastname@example.org.
In May, ICS-CERT provided onsite assistance to an energy company targeted in the ONG pipeline campaign. Prior to the onsite visit, the asset owner provided ICS-CERT with firewall logs, samples of the spear phishing emails, and hard drive images from the targeted systems for offsite analysis.
Although the initial analysis of asset owner artifacts indicated that the attempted compromise was not successful, the asset owner requested an onsite visit by ICS-CERT.
In addition to providing ICS-CERT with artifacts, the company decided to temporarily disconnect its control systems from all other networks, including the business network. The asset owner had initially assessed the control system disconnection as infeasible; however, closer inspection of actual user needs confirmed that real-time access was not required and manual daily data transfers would serve company needs.
Ultimately, the company has decided to keep their control systems network disconnected indefinitely. While onsite ICS-CERT provided guidance and recommendations for improving the company’s overall cybersecurity posture as well as a threat briefing for company executives. ICS-CERT also conducted a CSET evaluation to help the company assess their security posture.
In June, ICS-CERT provided onsite assistance to a manufacturing company that detected intrusion activity related to the ONG pipeline campaign.
ICS-CERT onsite analysis included a search for host-based and network-based indicators to identify additional hosts for further analysis. ICS-CERT hashed files from approximately 1700 machines and compared them to hashes of known malicious files and examined proxy logs to identify any suspicious network activity.
ICS-CERT discovered some indicators of compromise in the network logs and identified the hosts that made the requests. At the end of the onsite visit, the company provided ICS-CERT with a complete database dump of logging data and forensic images from an additional five machines for further analysis.
Since the onsite visit, the company has reported receiving additional spear-phishing emails and has coordinated them with ICS-CERT for follow on analysis. Incident response activities for this company are ongoing.
Common Onsite Activities
In both onsite cases, ICS-CERT performed the following activities at the customers’ facilities:
• Reviewed the corporate and ICS network/communications architecture and provided guidance on reducing risk footprint.
• Discussed the company’s connection points between the corporate and ICS networks and strategies to reconfigure systems in a more defensible manner.
• Delivered a high-level threat briefing to technical staff and senior management with a focus on how spear-phishing campaigns are conducted, and how policies, people, and procedures impact incident response.
Combating sophisticated attacks is challenging for any organization. For that reason, ICS-CERT works with the community to develop more strategic and layered approaches to detecting and mitigating these threats.
ICS-CERT continues to recommend defense-in-depth practices and to educate users about social engineering and spear-phishing attacks.
In addition, ICS-CERT recently released an update to its Targeted Cyber Intrusion Mitigation Strategies (ICS-TIP-12-146-01A) in response to this specific campaign. Readers are also encouraged to review the ICS-CERT Incident Handling Brochure for tips on preparing for and responding to an incident.