Investigators hot on the trail of cyberspies trying to infiltrate the computer networks of US natural-gas pipeline companies say that the same spies were very likely involved in a major cyberespionage attack a year ago on RSA Inc., a cybersecurity company. And the RSA attack, testified the chief of the National Security Agency (NSA) before Congress recently, is tied to one nation: China.
Three confidential alerts since March and a public report on May 4 by the Department of Homeland Security warn of a "gas pipeline sector cyber intrusion campaign," which apparently began in December. That campaign, against an undisclosed number of companies, is continuing, DHS said in the alerts, which were first reported by the Monitor.
"Analysis of the malware and artifacts associated with these cyber attacks has positively identified this activity as related to a single campaign," DHS said in its public statement May 4. It also described a sophisticated "spear-phishing" campaign – in which seemingly benign e-mails that are actually linked to malicious software are sent to specific company personnel in hopes of gaining access to corporate networks.
Along with the alerts, DHS supplied the pipeline industry and its security experts with digital signatures, or "indicators of compromise" (IOCs). Those indicators included computer file names, computer IP addresses, domain names, and other key information associated with the cyberspies, which companies could use to check their networks for signs they’ve been infiltrated.
Two independent analyses have found that the IOCs identified by DHS are identical to many IOCs in the attack on RSA, the Monitor has learned. RSA is the computer security division of EMC, a Hopkinton, Mass., data storage company.
Discovery of the apparent link between the gas-pipeline and RSA hackers was first made last month by Critical Intelligence, a cybersecurity firm in Idaho Falls, Idaho. The unpublished findings were separately confirmed this week by Red Tiger Security, based in Houston. Both companies specialize in securing computerized industrial control systems used to throw switches, close valves, and operate factory machinery.
"The indicators DHS provided to hunt for the gas-pipeline attackers included several that, when we checked them, turned out to be related to those used by the perpetrators of the RSA attack," says Robert Huber, co-founder of Critical Intelligence. "While this isn't conclusive proof of a connection, it makes it highly likely that the same actor was involved in both intrusions."
Mr. Huber would not release details about the indicators, because access is restricted by DHS.
Jonathan Pollet, founder of Red Tiger Security, has arrived at similar conclusions.
"The indicators from each source are a match," says Mr. Pollet, whose company has extensive experience in the oil and gas industry. "This does not directly attribute them to the same threat actor, but it shows that the signatures of the attack were extremely similar. This is either the same threat actor, or the two threat actors are using the same ‘command and control' servers that control and manage the infected machines."
Among several DHS indicators with links to the RSA campaign, Huber says, is an Internet "domain name" – a humanly recognizable name for a computer or network of computers connected to the Internet. Scores of computer-server "hosts" associated with that domain were already known to have participated in the RSA attack, Critical Intelligence found.
Alone, the domain-name finding was strongly suggestive. But along with many other indicators he's checked, a link between the RSA and pipeline-company attacks is clear, Huber says.
"I don't think there's much question that the attackers going after the pipelines are somehow connected to the group that went after RSA," he says.
So who went after RSA?
The infiltration of RSA by cyberspies is widely considered one of the most serious cyberespionage attacks to date on a nondefense industry company. Its SecurID system helps to secure many defense companies, government agencies, and banks. Information stolen from RSA has since been reported to have been used in attacks against defense companies Lockheed Martin, Northrop Grumman, and L-3 Communications.
Cyberspies attacked RSA using a spear-phishing e-mail that contained an Excel spreadsheet with an embedded malicious insert. Similarly, the gas-pipeline attacks have seen spear-phishing e-mails with an attachment or tainted link.
Nothing in cyberespionage is for sure, Huber and Pollet say – especially since identifying perpetrators is difficult or sometimes impossible because of the layers of digital obfuscation that’s possible for attackers. But as other security firms check and confirm the findings, it could reveal important things, the two experts agree.
First, it would show that the same group hacking the gas-pipeline companies is also interested in high-tech companies that have a focus on cryptography and cybersecurity.
Second, the question arises: Why did DHS provide the indicators to the industry, but didn’t identify the apparent link between the gas-pipeline and RSA attacks?
Finally, there's also the question of why DHS officials, in their alerts, requested companies that detected the intruders to only observe them and report back to DHS – but not act to remove or block them from their networks. Some speculate that blocking the intruders would have short-circuited intelligence gathering. (A DHS spokesman refused comment on the issue.)
This last point has raised consternation among security personnel at some pipeline companies. For a year now, big cybersecurity companies like McAfee have had digital defenses that could be deployed against the RSA hack. In fact, they might have been at least partially effective against the new pipeline hack, Huber says.
Has DHS’s advice to only observe the intruders come at the expense of allowing the cyberspies to become more deeply embedded on company networks?
Marty Edwards, director of the DHS Control Systems Security Program, which issued the alerts, referred questions to public-affairs officials.
“DHS’s Industrial Control Systems Cyber Emergency Response Team [ICS-CERT] has been working since March 2012 with critical infrastructure owners and operators in the oil and natural gas sector to address a series of cyber intrusions targeting natural gas pipeline companies," Peter Boogaard, a DHS spokesman, said in an e-mailed statement.
"The cyber intrusion involves sophisticated spear-phishing activities targeting personnel within the private companies," he continued. "DHS is coordinating with the FBI and appropriate federal agencies, and ICS-CERT is working with affected organizations to prepare mitigation plans customized to their current network and security configurations to detect, mitigate and prevent such threats.”
But if anything, questions are growing about China's role either directly or through its cyber militia in vacuuming up proprietary, competitive data on US corporate networks – as well as possibly mapping critical infrastructure networks.
Sen. Carl Levin (D) of Michigan queried Alexander about "China's aggressive and relentless industrial espionage campaign through cyberspace" and asked him to provide some unclassified examples. Alexander's first named example was RSA.
"We are seeing a great deal of DOD-related equipment stolen by the Chinese," he replied. "I can't go into the specifics here, but we do see that from defense industrial companies throughout. There are some very public ones, though, that give you a good idea of what's going on. The most recent one, I think, was the RSA exploits."
"The exploiters," he continued, "took many of those certifications and underlying software" from RSA, rendering the security system insecure until updated.
Chinese officials regularly pour cold water on such accusations. A Pentagon press conference on Monday with Defense Secretary Leon Panetta and Chinese Defense Minister Gen. Liang Guanglie was intended to show US-Chinese cooperation on cybersecurity. But Liang took the opportunity to condemn claims that Chinese cyberspies are the predominant actors in cyberspying on US networks.
"I can hardly agree with [that] proposition," said Liang, as reported by The Hill's DefCon blog. "During the meeting, Secretary Panetta also agreed on my point that we cannot attribute all the cyberattacks in the United States to China."