Even small companies should be vigilant against cyber attacks

What does Russian hacking of U.S. infrastructure have to do with small business owners and operators of motorcoaches?

The Department of Homeland Security (DHS) National Cybersecurity & Communications Integration Center (NCCIC) presented several unclassified, virtual awareness briefings July 23 – August 1 on Russian government cyber activity against critical infrastructure including motorcoaches. The focus was to help company owners understand how threat actors (hackers) work, what they look for and how any business might be vulnerable.

Threat actors have several means of reaching “staging” or “intended” targets, NCCIC experts said. Staging targets are usually smaller organizations with less sophisticated networks that have a pre-existing relationship with the intended target, the speakers said, offering several examples.

“The size of the organization is not a delineation factor,” said the NCCIC representative. “This [the Russia hacking] was not an instance when the threat actor went after low hanging fruit. This was a situation that was strategically laid out: ‘I want to get into a specific organization.’ They get there by going through other organizations that have weaker defenses [staging targets] that are less defended and use them to pivot through to the intended target.”

Threat actors use publicly available, open-source information, such as membership rosters or event attendance rosters, to find affiliations between organizations. They download photos where an event may be happening in the foreground, then zoom in to extract data or sensitive information that may be present in the background. They also leverage VPN channels to use credentials they’ve captured to access a network from within.

The primary victims in the cyber-attacks described in the awareness briefing have external-facing, single-factor authenticated systems. VPNs, Outlook Web Access, and remote desktop were the three known intrusion vectors in the briefing. The NCCIC representative stressed the importance of companies regularly verifying their “whitelists” (trusted partners) and not necessarily giving those partners easy access to the network, as well as implementing multi-factor authentication, such as requiring credentials plus a PIN sent by text message to access a remote connection.
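A small audit script that turns the two recommendations above (review the partner allowlist regularly; no single-factor access on VPN, OWA or remote desktop) into a repeatable check. This is an added example, not code from the briefing or from DHS; the inventory records, field names and 90-day review interval are constructed assumptions.

```python
"""Audit a partner remote-access allowlist for the two weaknesses the briefing
highlights: single-factor external access and stale, unreviewed partner entries.
Added example; the record format and review interval are assumptions."""
from datetime import date

# Constructed sample allowlist (not real partners or data). Each entry records
# which external-facing service the partner can reach, whether that access
# requires a second factor, and when the entry was last reviewed.
ALLOWLIST = [
    {"partner": "Acme Charters", "service": "vpn", "mfa": True, "last_reviewed": "2018-06-01"},
    {"partner": "Tour Logistics", "service": "owa", "mfa": False, "last_reviewed": "2017-11-15"},
    {"partner": "Depot Maintenance", "service": "rdp", "mfa": False, "last_reviewed": "2018-07-20"},
    {"partner": "Fuel Co-op", "service": "vpn", "mfa": True, "last_reviewed": "2016-03-01"},
]

# The three external-facing intrusion vectors named in the briefing.
EXTERNAL_VECTORS = {"vpn", "owa", "rdp"}
# Assumed policy: every allowlist entry is re-verified at least every 90 days.
REVIEW_INTERVAL_DAYS = 90


def audit_allowlist(entries, today, review_days=REVIEW_INTERVAL_DAYS):
    """Return (partner, finding) pairs for entries that violate either control."""
    findings = []
    for entry in entries:
        # Control 1: no single-factor logins on externally reachable services.
        if entry["service"] in EXTERNAL_VECTORS and not entry["mfa"]:
            findings.append((entry["partner"], "single-factor external access"))
        # Control 2: the trusted-partner relationship must be re-verified regularly.
        age_days = (today - date.fromisoformat(entry["last_reviewed"])).days
        if age_days > review_days:
            findings.append((entry["partner"], f"allowlist entry not reviewed in {age_days} days"))
    return findings


if __name__ == "__main__":
    for partner, finding in audit_allowlist(ALLOWLIST, date(2018, 8, 1)):
        print(f"{partner}: {finding}")
```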
