Recent international (and cybersecurity related) news indicates that Russian hackers have been targeting U.S. nuclear research laboratories.
News sources indicate that the Argonne, Brookhaven and Lawrence Livermore National Laboratories were targeted by the group.
Internet records show the hackers’ attempts to create fake login pages for the three laboratories. Following this, the rogue actors emailed nuclear scientists in an effort to trick them into revealing their passwords.
According to Adam Meyers, senior vice president of intelligence at U.S. cybersecurity firm CrowdStrike: “This is one of the most important hacking groups you’ve never heard of. They are involved in directly supporting Kremlin information operations.”
Looking into the significance of the activity for Digital Journal is Itay Glick, VP of Products at OPSWAT, a global firm involved in critical infrastructure protection cybersecurity.
According to Glick, the issue demonstrates the many sides that international conflict is taking: “The Cold River campaign against US nuclear facilities was likely cyber espionage as it directly correlates with geopolitical conflicts, as are other activities by this group.”
In terms of the seriousness, Glick explains: “We often hear how nuclear facilities are at risk of being targeted through the use of USBs and transient devices that can bypass air-gapped networks, or through remote access to Engineering Works Stations and HMIs – such as the 2015 BlackEnergy attack on Ukraine’s power grid.”
On December 23, 2015, the power grid in two western oblasts of Ukraine was hacked. This cyberattack resulted in power outages for 230,000 people in Ukraine for a period of between1-6 hours. The cyberattack took place during the ongoing Russo-Ukrainian War (2014-present). The attack was attributed to a Russian advanced persistent threat group called “Sandworm”.
In terms of the attack mode, Glick observes that the Cold River campaign leveraged what is still one of the most common attack vectors: email. Through this: “The hackers created fake login pages for each facility, attempting to get staff to log in and thus reveal their passwords, with the goal of possibly gaining scientific intel on the US nuclear manufacturing process.”
At the basis of the attack is a general vulnerability. According to Glick: 2With increased connectivity between IT and OT, we may expect to see advanced adversary groups attacking OT/ICS to interfere with our way of life.”
There are measures that can be taken to bolster defences. Glick identifies these as: “Incidents like the Cold River campaign can be mitigated through a prevention-based approach, including the use of email security solutions that leverage data sanitization, advanced threat prevention like multiscanning, and anti-phishing with IP, Domain, and URL-Reputation checks.”
