Critical National Infrastructure in the Firing Line

CNI attacks

The cybersecurity of critical national infrastructure (CNI) is hardly a new source of concern. However, the war in Ukraine has brought the existential threat of attacks on vital services such as water supply systems, energy companies, and transport networks into stark reality as Russian-affiliated groups set their sights on the CNI of Ukraine and its allies. 

In the past year, 65 percent of CNI in the UK and US has been hit by a cyberattack according to research from Forcepoint, and the summer was marked by a series of incidents across Europe. These three attacks over a two week period in August demonstrate a pattern:

August 15, 2022 – Attack Against a UK Water Company

In mid-August the Russia-affiliated ransomware group Cl0p claimed to have compromised Thames Water, the UK’s largest water treatment company. In fact, examination of the samples provided by Cl0p showed that they had actually breached a different water company, South Staffs Water. The timing of the attack during a drought in the UK – whether intentional or not – capitalized on the public’s very real concerns about the security of water treatment facilities, especially as the group claimed to have compromised operational technology (OT) that could impact water supply. South Staffs denied that OT was actually impacted and it is possible that the threat group also intentionally lied about which company it had breached to exacerbate fears.

August 29, 2022 – Italian Energy Agency is Breached

At the end of August Italy’s GSE energy agency reported a breach that resulted in it shutting down some of its IT systems. The Russia-affiliated ransomware group BlackCat took responsibility for the attack on its dark web site, claiming to have stolen 700 gigabytes of data and threatening to publish it online. The Italian foreign minister described the attack as being part of a “destabilization strategy” that has been underway since the Ukrainian invasion in February.

August 31, 2022 – FBI Investigates Attacks Against Montenegro

Just two days after the attack against Italian energy, the FBI was forced to deploy a team of cybersecurity experts to Montenegro to investigate a series of cyberattacks – including ransomware and DDoS – against the Balkan nation’s water supply, transport services, and online government services. Montenegro, which had recently sanctioned Russia for its invasion of Ukraine, claimed that the Russian government had orchestrated the attack as an act of “hybrid war”. As a consequence of the attacks, the country’s electrical utility was forced to switch to manual control.

These incidents demonstrate some common trends in the threats currently facing CNI:

The Actors and Victims

As the examples above illustrate, attacks are orchestrated by threat groups that align their objectives with the Russian state. Some groups are directly backed by Russia, while others are allowed to operate as long as they only target enemy states. 

Sandworm is one of the most notable of a Russian-backed group with direct ties to the Russian military. Its attacks on CNI long pre-date the 2022 war in Ukraine, having first created  the BlackEnergy malware as far back as 2007. This trojan has been used to perform several DDoS attacks against Ukraine’s CNI since then. Sandworm was also behind the 2017 NotPetya attack that – once again – was designed to target Ukrainian businesses, CNI, and government institutions but propagated around the world. It is no surprise, then, that Sandworm has been active in targeting Ukrainian infrastructure since the beginning of the most recent conflict, for example attempting to deploy a malware known as Industroyer2 against electrical stations in April 2022.

The outbreak of war has seen Russian groups extending their targeting to Ukraine’s allies but, of course, the country itself remains the primary target. After the Ukrainian Defense Ministry’s warning in late September that Russia was planning to launch “massive cyberattacks” against its critical infrastructure, our threat intelligence team has been keeping an eye on the communication channels of threat groups affiliated with Russia. One post we spotted on the Telegram channel “CyberArmyofRussia_Reborn” (which researchers have identified as a hacktivist channel) is typical of communications we see from other groups such as Killnet and BlackCat:

The post reads:

Good morning fighters! The goal for today is a company with a funny name KievGaz ?. 

? Let’s remind the Ukranians that winter is coming!

Destruction Over Extortion

An important aspect that sets these Russian-affiliated attacks on CNI apart from other cybercriminal activity is motive. It is important to recognize that, even if ransomware is deployed, the primary objective of these groups is not extortion for financial gain but disruption and destruction. The threat actors targeting Ukraine and its allies are primarily interested in sowing confusion, damaging the integrity of infrastructure, and – in some cases – having a real world impact on the wider population (see next section).

This is perhaps most clearly evident in the actions of Sandworm, which uses a combination of malware types to cause as much disruption as possible. As the UK agency NCSC noted in its assessment of the NotPetya attack, “the destructive attack masqueraded as ransomware, but its purpose was principally to disrupt.”