2022-03-23

According to an FBI memo obtained by CBS News and CNN Tuesday, hackers “believed to be associated with cyber actors who previously conducted destructive cyber activity against foreign critical infrastructure” have been scanning the networks of five US energy companies in a possible prelude to hacking attempts. The memo stated, “This scanning activity has increased since the start of the Russia/Ukraine conflict, leading to a greater possibility of future intrusions.”
CBS News reported today that the FBI has identified 140 overlapping IP addresses linked to “abnormal scanning” activity against at least five U.S. energy companies, as well as at least 18 other U.S. companies spanning the defense industrial base, financial services, and information technology.
“US Energy Sector entities are advised to examine current network traffic for these IP addresses and conduct follow-on investigations if observed,” the alert reads.
According to the FBI, IP addresses identified by law enforcement began scanning U.S. critical infrastructure as early as March 2021.
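The alert asks energy-sector defenders to examine their network traffic for the listed addresses and investigate any matches. The script below is an added illustration of that check, not code from the FBI, CBS News or the article: it matches flow-log records against an indicator list and, separately, flags sources whose behaviour looks like port scanning regardless of whether they are on the list. The indicator IPs and log lines are constructed placeholders drawn from the RFC 5737 documentation ranges, since the article does not reproduce the 140 addresses from the memo; the log format (timestamp, source, destination, destination port, protocol, action) is an assumption standing in for whatever a real firewall or NetFlow export produces.

```python
"""Added example: match flow logs against an indicator list and flag
scan-like behaviour. Indicator IPs and log lines are constructed
placeholders (RFC 5737 ranges), not the addresses from the FBI memo."""
import ipaddress
from collections import defaultdict

# Constructed indicator list: stands in for the alert's IP addresses.
INDICATOR_IPS = {
    "198.51.100.23",
    "198.51.100.77",
    "203.0.113.9",
}

# Constructed flow-log lines: "ts src dst dport proto action" (assumed format).
SAMPLE_LOG = """\
2022-03-21T02:14:07Z 198.51.100.23 192.0.2.10 22 tcp deny
2022-03-21T02:14:08Z 198.51.100.23 192.0.2.10 23 tcp deny
2022-03-21T02:14:09Z 198.51.100.23 192.0.2.10 443 tcp allow
2022-03-21T02:14:10Z 198.51.100.23 192.0.2.10 502 tcp deny
2022-03-21T02:14:11Z 198.51.100.23 192.0.2.11 502 tcp deny
2022-03-21T02:15:00Z 192.0.2.50 192.0.2.10 443 tcp allow
2022-03-21T02:15:01Z 192.0.2.50 192.0.2.10 443 tcp allow
2022-03-21T02:16:30Z 203.0.113.200 192.0.2.12 80 tcp allow
2022-03-21T02:16:31Z 203.0.113.200 192.0.2.12 8080 tcp deny
2022-03-21T02:16:32Z 203.0.113.200 192.0.2.12 8443 tcp deny
2022-03-21T02:16:33Z 203.0.113.200 192.0.2.12 9000 tcp deny
2022-03-21T02:16:34Z 203.0.113.200 192.0.2.12 20000 tcp deny
"""


def parse_flow(line):
    """Parse one flow-log line into a dict; return None on malformed input."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, src, dst, dport, proto, action = parts
    try:
        ipaddress.ip_address(src)
        ipaddress.ip_address(dst)
        dport = int(dport)
    except ValueError:
        return None
    return {"ts": ts, "src": src, "dst": dst, "dport": dport,
            "proto": proto, "action": action}


def indicator_hits(log_text, indicators=INDICATOR_IPS):
    """Return every flow whose source or destination is on the indicator list."""
    hits = []
    for line in log_text.splitlines():
        flow = parse_flow(line)
        if flow and (flow["src"] in indicators or flow["dst"] in indicators):
            hits.append(flow)
    return hits


def scan_suspects(log_text, min_ports=4):
    """Behavioural check independent of the indicator list: a source that
    touches at least `min_ports` distinct destination ports is scan-like.
    Returns {src: sorted list of ports} for sources over the threshold."""
    ports_by_src = defaultdict(set)
    for line in log_text.splitlines():
        flow = parse_flow(line)
        if flow:
            ports_by_src[flow["src"]].add(flow["dport"])
    return {src: sorted(p) for src, p in ports_by_src.items() if len(p) >= min_ports}


def triage(log_text, indicators=INDICATOR_IPS, min_ports=4):
    """Combine both checks. Returns {ip: set of reasons}, where a reason is
    'indicator-match' (on the list) and/or 'port-scan-pattern' (behaviour)."""
    verdict = defaultdict(set)
    for flow in indicator_hits(log_text, indicators):
        peer = flow["src"] if flow["src"] in indicators else flow["dst"]
        verdict[peer].add("indicator-match")
    for src in scan_suspects(log_text, min_ports):
        verdict[src].add("port-scan-pattern")
    return dict(verdict)


if __name__ == "__main__":
    for ip, reasons in sorted(triage(SAMPLE_LOG).items()):
        print(f"{ip}: {', '.join(sorted(reasons))}")
```

On the constructed sample, `198.51.100.23` is reported for both reasons, while `203.0.113.200` is not on the list but still surfaces through the port-spread heuristic; that second path matters because an indicator list of 140 addresses is a snapshot, and scanning infrastructure is cheap to rotate.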
Expert Comments
Critical infrastructure and energy sectors are prime targets for nation-state threat actors. Nation states have virtually unlimited compute and people resources at their disposal, and their toolkits can be highly effective against industry-standard IPsec VPN as well as TLS encryption. Also, motivation in such situations is not just about breaking the encryption but also potential disruption or diversion. Even detection of flows of interest and reverse engineering source and destination relationships between network resources could be a huge problem. Furthermore, nation-state toolkits can use public cloud as a gateway to get underneath the encryption layer and capture the data flow itself for future analysis.
Traditional zero trust approaches stop at the network and are largely ineffective against nation-state actors. Critical infrastructure companies should bolster their cyber defense posture with advanced communications security that can obfuscate resources, as well as leverage data multipathing to present a harder target for such threat actors.
