To better track advanced hacking groups, U.S.-based companies should watch for signals in human behavior instead of changing tactics, according to Casey Kahsen, an IT specialist at the Department of Homeland Security.
From one campaign to another, there are “a lot of similarities” in the behavior of a Russian government hacking group that has targeted U.S. energy companies, Kahsen said Friday at a cybersecurity event on Capitol Hill. “Some things have changed, but the behavior element remains largely the same because that’s expensive to change,” he said.
“The actors are going to change tactics; they’re going to change tools,” Kahsen explained at the event, hosted by the Lexington Institute. “We need to be looking for the things that they did that are more difficult to change – the human behavior element.”
The human behavior that Kahsen referenced typically includes a group’s hours of operations or coding style, which cybersecurity experts say offer clues on who is behind the keyboard.
The Moscow-backed hacking group that Kahsen discussed carried out a two-year campaign targeting U.S. companies in the energy and manufacturing sectors, according to a March advisory from DHS. The attackers used spear-phishing and watering hole attacks to collect information on industrial control systems, safety systems that are in use in facilities like power plants.
The Russian hackers were “going after documentation that would lead to a better understanding of the industrial processes” at each of their targets, Kahsen said in his presentation.
In one example of the hackers’ persistence, according to Kahsen, they lingered on an organization’s IT network until the administrators opened up a server to update their ICS. The attackers used that patching process to bridge the organization’s IT and operational technology networks, he said.
The hackers also used ICS trade publications and informational websites to conduct reconnaissance on energy companies. Such “staging targets” are hard to defend, Kahsen said. “How do we better defend a company that has one IT person that’s just contracted out to do periodic updates?”
To guard against such threats, DHS works with industry organizations like the Electricity Information Sharing and Analysis Center (E-ISAC) to warn companies of new malicious activity.
In an interview, E-ISAC Director Bill Lawrence said his organization had noticed the Russian hackers’ activity months, if not years, in advance of DHS’s March announcement. Public attribution on such a sensitive topic, however, takes much longer.
“With that specific one, it takes a long time for the [U.S.] government to get everything absolutely right because when they’re pointing fingers at a foreign government, they need to have the story absolutely right,” Lawrence told CyberScoop.