
DHS cyber specialist: look for behavior patterns with APTs

To better track advanced hacking groups, U.S.-based companies should watch for signals in the attackers' human behavior rather than for their ever-changing tactics and tools.

To better track advanced hacking groups, U.S.-based companies should watch for signals in the attackers' human behavior rather than for their ever-changing tactics and tools, according to Casey Kahsen, an IT specialist at the Department of Homeland Security.

From one campaign to another, there are “a lot of similarities” in the behavior of a Russian government hacking group that has targeted U.S. energy companies, Kahsen said Friday at a cybersecurity event on Capitol Hill. “Some things have changed, but the behavior element remains largely the same because that’s expensive to change,” he said.

“The actors are going to change tactics; they’re going to change tools,” Kahsen explained at the event, hosted by the Lexington Institute. “We need to be looking for the things that they did that are more difficult to change – the human behavior element.”

The human behavior that Kahsen referenced typically includes a group's hours of operation or coding style, which cybersecurity experts say offer clues about who is behind the keyboard.
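As an added illustration of the hours-of-operation signal (example code written for this page, not from DHS, Kahsen or CyberScoop): the script below takes UTC timestamps of activity attributed to one intrusion set, finds the UTC offset under which the events best fit a conventional local workday, and reports how much of the activity falls on weekends. The 09:00-17:00 workday assumption, the offset search range and the sample timestamps are all constructed.

```python
"""Infer an intrusion set's likely working hours from activity timestamps.

Added example, not code from the article or from DHS.  Input is a list of
UTC timestamps for events attributed to one actor (C2 beacons, interactive
logons from their implants, commit times in recovered tooling).  The script
scores every whole-hour UTC offset by how tightly the shifted activity
clusters around an assumed workday midpoint, picks the best one, and then
reports the weekday profile under that offset.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone

WORKDAY_CENTER_HOUR = 13.0  # assumed midpoint of a 09:00-17:00 local workday

# Constructed sample: events clustered 06:00-14:00 UTC on weekdays, which is
# what a UTC+3 day shift would produce.  Not real telemetry.
SAMPLE_EVENTS = [
    "2018-03-12T06:10:00Z", "2018-03-12T07:45:00Z", "2018-03-12T09:30:00Z",
    "2018-03-12T11:05:00Z", "2018-03-12T13:50:00Z",
    "2018-03-13T06:40:00Z", "2018-03-13T08:15:00Z", "2018-03-13T10:00:00Z",
    "2018-03-13T12:20:00Z", "2018-03-13T13:55:00Z",
    "2018-03-14T07:05:00Z", "2018-03-14T09:10:00Z", "2018-03-14T11:45:00Z",
    "2018-03-14T12:50:00Z",
    "2018-03-17T10:00:00Z",  # a single Saturday event: weekend noise
]


def parse_utc(ts: str) -> datetime:
    """Parse an ISO-8601 'Z' timestamp into an aware UTC datetime."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def circular_hour_distance(a: float, b: float) -> float:
    """Distance between two hours of day on a 24-hour circle (23:00 vs 01:00 is 2)."""
    d = abs(a - b) % 24.0
    return min(d, 24.0 - d)


def fit_score(events: list[datetime], offset_hours: int) -> float:
    """Sum of squared distances from the workday midpoint after shifting to local time.

    Lower is better: a true day shift lands close to WORKDAY_CENTER_HOUR.
    """
    total = 0.0
    for dt in events:
        local = dt + timedelta(hours=offset_hours)
        local_hour = local.hour + local.minute / 60.0
        total += circular_hour_distance(local_hour, WORKDAY_CENTER_HOUR) ** 2
    return total


def best_utc_offset(timestamps: list[str]) -> int:
    """Return the whole-hour UTC offset (-12..+14) with the lowest fit score."""
    events = [parse_utc(t) for t in timestamps]
    scores = {o: fit_score(events, o) for o in range(-12, 15)}
    return min(scores, key=scores.get)


def weekday_profile(timestamps: list[str], offset_hours: int) -> Counter:
    """Count events per local weekday (Monday=0 .. Sunday=6) under the given offset."""
    counts: Counter = Counter()
    for t in timestamps:
        local = parse_utc(t) + timedelta(hours=offset_hours)
        counts[local.weekday()] += 1
    return counts


def weekend_share(timestamps: list[str], offset_hours: int) -> float:
    """Fraction of events that fall on a local Saturday or Sunday."""
    counts = weekday_profile(timestamps, offset_hours)
    total = sum(counts.values())
    return (counts[5] + counts[6]) / total if total else 0.0


if __name__ == "__main__":
    offset = best_utc_offset(SAMPLE_EVENTS)
    print(f"best-fit UTC offset: {offset:+d}")
    print(f"weekday profile (Mon=0): {dict(sorted(weekday_profile(SAMPLE_EVENTS, offset).items()))}")
    print(f"weekend share: {weekend_share(SAMPLE_EVENTS, offset):.2f}")
```

Treat the result as one weak feature, not an attribution. A 24/7 operation flattens the histogram, daylight-saving shifts move the best offset by an hour across a campaign, and scheduled tasks or relayed implants can run with no human at the keyboard at all; the value of the signal is that it is expensive for an operator to change consistently, which is exactly Kahsen's point.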


The Moscow-backed hacking group that Kahsen discussed carried out a two-year campaign targeting U.S. companies in the energy and manufacturing sectors, according to a March advisory from DHS. The attackers used spear-phishing and watering hole attacks to collect information on industrial control systems (ICS), the control and safety systems that run physical processes in facilities like power plants.

The Russian hackers were “going after documentation that would lead to a better understanding of the industrial processes” at each of their targets, Kahsen said in his presentation.

In one example of the hackers’ persistence, according to Kahsen, they lingered on an organization’s IT network until the administrators opened up a server to update their ICS. The attackers used that patching process to bridge the organization’s IT and operational technology networks, he said.
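One way a defender can watch for the IT-to-OT pivot Kahsen described, as an added example (not code from the article, DHS or any affected company): treat every flow from the IT address space into the OT address space as reportable unless it comes from an approved update host during an open change window. The subnets, hosts, change windows and flow records below are all assumed.

```python
"""Flag IT-to-OT network crossings that fall outside an approved change.

Added example, not the article's or DHS's code.  Assumes flow records of
(timestamp, src, dst, dst_port), an OT address space, an allowlist of hosts
permitted to push updates into OT, and change-ticket windows.  Every value
here is constructed for illustration.
"""
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

OT_SUBNETS = [ip_network("10.20.0.0/16")]          # assumed OT / ICS address space
APPROVED_UPDATE_HOSTS = {ip_address("10.1.5.10")}  # assumed patch staging server

# Assumed change windows (UTC) during which the update host may reach OT.
CHANGE_WINDOWS = [
    (datetime(2018, 3, 14, 1, 0, tzinfo=timezone.utc),
     datetime(2018, 3, 14, 5, 0, tzinfo=timezone.utc)),
]

# Constructed flow records: timestamp, source, destination, destination port.
SAMPLE_FLOWS = [
    ("2018-03-14T02:10:00Z", "10.1.5.10", "10.20.3.7", 445),   # approved host, in window
    ("2018-03-14T02:12:00Z", "10.1.7.22", "10.20.3.7", 445),   # workstation riding the window
    ("2018-03-14T09:30:00Z", "10.1.5.10", "10.20.3.9", 3389),  # approved host, window closed
    ("2018-03-14T02:15:00Z", "10.1.5.10", "10.1.9.4", 445),    # IT to IT, out of scope
]


def parse_utc(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def in_ot(ip) -> bool:
    return any(ip in net for net in OT_SUBNETS)


def in_change_window(dt: datetime) -> bool:
    return any(start <= dt <= end for start, end in CHANGE_WINDOWS)


def classify_flow(flow):
    """Return None for flows that do not cross IT->OT, else a verdict string."""
    ts, src, dst, _port = flow
    s, d = ip_address(src), ip_address(dst)
    if in_ot(s) or not in_ot(d):
        return None  # only IT -> OT crossings are of interest here
    if s not in APPROVED_UPDATE_HOSTS:
        return "unapproved source into OT"
    if not in_change_window(parse_utc(ts)):
        return "approved host outside change window"
    return "approved"


def find_suspicious_crossings(flows):
    """Return (flow, reason) for every IT->OT crossing that is not fully approved."""
    findings = []
    for flow in flows:
        verdict = classify_flow(flow)
        if verdict and verdict != "approved":
            findings.append((flow, verdict))
    return findings


if __name__ == "__main__":
    for flow, reason in find_suspicious_crossings(SAMPLE_FLOWS):
        print(f"{flow[0]} {flow[1]} -> {flow[2]}:{flow[3]}  {reason}")
```

The second record is the case from Kahsen's account: a host that is not the patch server using the same window to reach OT. Narrowing the allowlist to the update host alone, and alerting rather than silently permitting anything else during the window, is what turns the patching process from a bridge into a monitored chokepoint.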

The hackers also used ICS trade publications and informational websites to conduct reconnaissance on energy companies. Their initial footholds were often "staging targets," smaller suppliers and partners of the intended victims with weaker defenses, and such organizations are hard to defend, Kahsen said. "How do we better defend a company that has one IT person that's just contracted out to do periodic updates?"

To guard against such threats, DHS works with industry organizations like the Electricity Information Sharing and Analysis Center (E-ISAC) to warn companies of new malicious activity.


In an interview, E-ISAC Director Bill Lawrence said his organization had noticed the Russian hackers’ activity months, if not years, in advance of DHS’s March announcement. Public attribution on such a sensitive topic, however, takes much longer.

“With that specific one, it takes a long time for the [U.S.] government to get everything absolutely right because when they’re pointing fingers at a foreign government, they need to have the story absolutely right,” Lawrence told CyberScoop.


Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.
