Cyberstrike: Training for Nation State Attacks

On January 14th and 15th of 2025, Vertek was proud to help sponsor and attend a Department of Energy training held at Burlington Electric’s Spark-Space. The training brought together cybersecurity, information technology, and operations representatives from regional energy and government organizations. Tim Conway delivered the training over two days, covering the landscape of Advanced Persistent Threats (APTs) and their strategies, then walked the team step by step through the Sandworm attacks of 2015 and 2016 on precisely chosen targets in Ukraine.

Day 1: Nemesis

Day One of the training brought the team through a series of lectures and penetration testing exercises that put us in the headspace of the attacker. Attendees were provided with a piece of operational technology and a platform from which to attack it. Operational technology (OT) is equipment that combines a digital interface with a mechanical function, such as a programmable logic controller (PLC). We were walked through multiple APT organizations, their strategies, and their few constraints, all through the lens of the energy sector and with detailed geopolitical context.

Day 2: Lights Out

Day Two was all about Sandworm. Sandworm is a hacker group known for supporting Russian military objectives. The team was brought step by step through the attack chains used in the 2015 and 2016 attacks on separate energy utilities in Ukraine and the coordinated Sandworm teams that likely carried them out. Both began with an extremely well-crafted spear-phishing attack for initial access. From there the threat actor lived off the land, using stolen credentials and the remote-access tools and capabilities the targets already possessed to pivot through their networks and into the industrial control systems. In December 2015 the operators opened breakers by hand through the utilities’ own HMIs, and the resulting outages affected roughly 225,000 customers for several hours. The one ‘advanced’ capability they burned was Industroyer/CrashOverride, the purpose-built ICS malware used in the December 2016 attack on a Kyiv transmission substation to issue grid-protocol commands directly to the power distribution equipment.

Takeaways

Nation state actors have the most advantages, such as coordinated manpower, financing, and legal protection, but they also have restrictions. A nation state actor will always be most constrained by resource management and geopolitical accountability. Capabilities such as banked zero-day vulnerabilities can effectively be used only once: after the first use the vulnerability is exposed, defenders patch it, and it stops being a zero-day. That makes each one a resource with a cost of use. Nation state teams are also held accountable by the state officials to whom they report. This is why these groups are so precise: targets, execution, and expected results must be cleared before launch so that the operation has the desired geopolitical impact.

What to do about it

Know your environment! You, the administrator, should have the home-field advantage: you know how your environment is supposed to operate. Have visibility into your network and correlate your logs. When you encounter an anomaly, don’t brush it off; understand the reason for it.
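One concrete form of "correlate your logs" is to tie remote-access events to what happens on the OT side afterwards, since the 2015 chain described above ran on valid stolen credentials used over the utilities’ own remote access into the control network. The script below is an added example, not code from the training or from Vertek. The log format, hostnames, addresses, the per-account baseline of known source addresses, the assumed one-hour VPN session lifetime, and the fifteen-minute VPN-to-OT pivot window are all constructed assumptions for the example; the sample log lines are likewise constructed, not real data.

```python
"""Correlate VPN logins with OT host access to flag stolen-credential pivots.

Added example with constructed data. Two VPN anomalies are checked for each
account: a login from a source address outside the account's baseline, and a
login that overlaps another still-live session of the same account from a
different source (the legitimate user and the attacker online at once). Any
flagged VPN login that is followed within PIVOT_WINDOW by a login on an OT host
by the same account is reported as a pivot finding.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs (not real data). Fields: timestamp user event src dst
VPN_LOG = """\
2015-12-23T08:02:11 jdoe vpn_login 203.0.113.45 vpn-gw
2015-12-23T15:21:40 ops_admin vpn_login 198.51.100.7 vpn-gw
2015-12-23T15:24:05 ops_admin vpn_login 203.0.113.99 vpn-gw
"""
OT_LOG = """\
2015-12-23T08:10:00 jdoe rdp_login 10.10.1.5 hmi-01
2015-12-23T15:26:30 ops_admin rdp_login 10.10.1.5 hmi-01
"""

# Assumed baseline: source addresses each account normally connects from.
BASELINE_SRC = {"jdoe": {"203.0.113.45"}, "ops_admin": {"198.51.100.7"}}
SESSION_LEN = timedelta(hours=1)      # assumed VPN session lifetime
PIVOT_WINDOW = timedelta(minutes=15)  # assumed VPN-to-OT correlation window


def parse(text):
    """Parse the constructed space-separated log format into sorted dicts."""
    events = []
    for line in text.splitlines():
        ts, user, event, src, dst = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "event": event, "src": src, "dst": dst})
    return sorted(events, key=lambda e: e["ts"])


def suspicious_vpn_logins(vpn_events):
    """Return (event, reasons) for VPN logins from an unseen source or
    overlapping another session of the same account from a different source."""
    by_user = defaultdict(list)
    for e in vpn_events:
        if e["event"] == "vpn_login":
            by_user[e["user"]].append(e)
    flagged = []
    for user, evs in by_user.items():
        for i, e in enumerate(evs):
            reasons = []
            if e["src"] not in BASELINE_SRC.get(user, set()):
                reasons.append("login from unseen source %s" % e["src"])
            for earlier in evs[:i]:
                if earlier["src"] != e["src"] and e["ts"] - earlier["ts"] < SESSION_LEN:
                    reasons.append("overlaps live session from %s" % earlier["src"])
            if reasons:
                flagged.append((e, reasons))
    return flagged


def correlate(vpn_events, ot_events):
    """Pair each OT host login with a suspicious VPN login by the same account
    that happened no more than PIVOT_WINDOW earlier."""
    findings = []
    suspicious = suspicious_vpn_logins(vpn_events)
    for ot in ot_events:
        for vpn, reasons in suspicious:
            gap = ot["ts"] - vpn["ts"]
            if vpn["user"] == ot["user"] and timedelta(0) <= gap <= PIVOT_WINDOW:
                findings.append({"user": ot["user"], "vpn_src": vpn["src"],
                                 "ot_host": ot["dst"], "ot_ts": ot["ts"],
                                 "reasons": reasons})
    return findings


def run():
    """Run the correlation over the constructed sample logs."""
    return correlate(parse(VPN_LOG), parse(OT_LOG))


if __name__ == "__main__":
    for f in run():
        print("%s: %s reached %s via VPN from %s (%s)" % (
            f["ot_ts"], f["user"], f["ot_host"], f["vpn_src"], "; ".join(f["reasons"])))
```

On the sample data, jdoe’s morning session comes from a baseline address with no overlap and is not reported, while ops_admin is reported once: a second login from an address the account has never used, while the first session is still live, followed two minutes later by an RDP login on the HMI. In a real deployment the baseline would be built from weeks of VPN history and the OT side would come from the jump host or HMI authentication logs rather than a string constant.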

Know your business. Know which asset losses will disrupt it. Whether what you produce is intellectual property or power for a community, understand which assets and devices your business relies on for production. Then figure out how YOU would attack and disrupt that production. Discuss those avenues as a team and, where necessary, with your vendors, and mitigate them.

Segment your networks. Security will always be a conflict of attrition: the more controls in place, the higher the cost of pivoting into critical assets. Threat groups are not cost-avoidant, but they are cost-averse.

Vertek can help you gain visibility over your network and leave you feeling secure. Whatever threat you are worried about, we have a solution. Contact Vertek today to learn more!
