A warning reportedly sent by the NCSC warns of attacks on British energy firms, following last month’s hack of a US nuclear plant
The National Cyber Security Centre (NCSC), GCHQ’s computer security organisation, has acknowledged it is investigating a broad wave of attacks on organisations that have reportedly targeted companies in the British energy and manufacturing sectors.
Those attacks are “likely” to have compromised some industrial control systems in the UK, according to a warning reportedly sent out by NCSC, which hasn’t been made public.
Energy sector targeted
“We are aware of reports of malicious cyber activity targeting the energy sector around the globe,” the NCSC said in a statement. “We are liaising with our counterparts to better understand the threat and continue to manage any risks to the UK.”
The attacks are part of a broader campaign targeting energy companies in countries including the US, Ireland and Turkey, according to computer security firm FireEye.
While authorities in the US and the UK have stopped short of identifying who they suspect to be behind the hacking activity, a report over the weekend by The Times cited unnamed sources as attributing the attacks to a group backed by Russia’s GRU intelligence agency.
In its alert, the NCSC reportedly makes reference to a similar warning sent by the US government in June indicating attacks on more than a dozen energy companies, including at least one nuclear plant.
The US Department of Energy (DOE) acknowledged those attacks earlier this month but said only administrative systems, and not industrial control systems, had been targeted.
Control systems ‘likely’ compromised
The NCSC alert says the attack infrastructure used indicates an unspecified state government.
“The NCSC is aware of connections from multiple UK IP addresses to infrastructure associated with advanced state-sponsored hostile threat actors, who are known to target the energy and manufacturing sectors,” reads a section of the message, according to a report by Motherboard.
Unlike the DOE, the NCSC reportedly warned that industrial control systems were involved in the British attacks.
Some of those control systems, including ones that may have remote access to critical infrastructure, are likely to have been successfully compromised, the NCSC reportedly warned.
“NCSC believes that due to the use of wide-spread targeting by the attacker, a number of Industrial Control System engineering and services organisations are likely to have been compromised,” the document states.
The wave of hacking activity began around 8 June and focuses on the engineering, industrial control and water sectors, in addition to energy companies, according to the NCSC document.
The attack infrastructure uses the SMB and HTTP protocols and the attacks appear to be aimed at trying to capture users’ passwords.
Like the US government warning, it suggests mitigations including the use of multi-factor authentication.
Motherboard didn’t indicate who provided it with the message, but said it had verified the alert’s authenticity with two other sources.
The US report, issued by the FBI and the Department of Homeland Security (DHS) to US businesses, said the hackers were using targeted malicious emails to deliver Word documents infected with malware.
The hackers reportedly obtained users’ credentials and attempted to map out their network drives.
FireEye analyst John Hultquist said earlier this month that the attacks on energy companies in the US, Ireland, Turkey and possibly other countries are believed to have been carried out by the same group.
The group’s activities stretch back as far as 2015, with the latest campaign including “watering hole” attacks aimed at infecting computers used by electrical engineers and control systems operators, Hultquist said.
Security experts monitoring the wave of attacks said that although there was no indication they had created a serious risk, they were a warning of the increasing vulnerability of critical infrastructure due to the broad use of Internet-connected computer systems in the energy sector and elsewhere.
Security firm Sophos said recent incidents such as the Petya or NotPetya and WannaCry malware campaigns, both of which spread using an exploit called EternalBlue allegedly developed by the NSA, show how damaging infrastructure attacks could become.
“As with Petya and WannaCry, the private worry about Nuclear 17 is that the unfolding EternalBlue leak of alleged NSA spying tools and vulnerabilities might be feeding attacks that are starting to manifest in all sorts of sectors,” Sophos said in an advisory.
Nuclear 17 is the code name given to last month’s attempted intrusion at the Wolf Creek nuclear plant in Kansas.
One of the most serious infrastructure attacks to date occurred in December 2015 when an incident at a Ukraine power company left parts of western Ukraine, including regional capital Ivano-Frankivsk, without power.
Security experts later said that a sophisticated Trojan horse called Black Energy was used in the hack, with the Ukraine blaming the incident on Russia. Security firms have as yet made no direct link between that attack and the more recent hacking campaign.
Do you know all about security in 2017? Try our quiz!