US cyber attack on Venezuela exposes CNI vulnerabilities
The alleged role of cyber operations in a recent US attack on Venezuela has highlighted growing concern over the exposure of critical national infrastructure to state-linked hacking campaigns, according to cyber security specialist e2e-assure.
Rob Demain, Chief Executive of UK-based e2e-assure, said the incident illustrated how multi-domain operations now combine cyber, space and conventional military action against national infrastructure targets.
"When the US attacked Venezuela it was the final stage of a much longer campaign carried out in the cyber realm. SPACECOM and CYBERCOM and other interdepartmental agencies were all used to lay the groundwork, including cutting the power to Caracas to allow the attack to proceed under cover of darkness," said Demain, CEO, e2e-assure.
Demain described a tightly synchronised operation that he said relied on prior access to power grid control systems.
"Turning out the lights would have required months of preparation, enabling the US to shut down specific substations in the region where the helicopters were flying, which would have required access to the computer systems controlling the power grid. The power went out at 2:00am with the helicopters landing at 2:01am, meaning cyber, space command and military forces coordinated efforts to execute the attack in just a one-minute window - a far faster and more precise assault than we've ever seen in previous cyber-kinetic attacks such as those carried out by Russia against Ukraine," said Demain.
He said publicly visible network data showed signals that an operation was under way well before the physical raid.
"There were indicators that the attack was imminent, however. Internet routing showed suspicious activity 14 hours before the raid, with data that is publicly available showing that traffic was being redirected: a classic indication of intelligence gathering. But I suspect the Venezuelans, in common with critical national infrastructure (CNI) organisations the world over, were looking for indicators of an attack, not the steps leading up to it," said Demain.
Multi-phase campaigns
Demain outlined a three-phase model that he said reflects how sophisticated actors prepare, shape and then execute complex attacks against power and other operational technology environments.
"Threat actors will prepare such attacks well in advance. Phase one sees infiltration of the supply chain and human access seeding. The low-level noise created by the compromise of initial access points, credential harvesting and use of persistence mechanisms will, to all intents and purposes, make it appear as business as usual. And once inside, the threat actor can perform deep reconnaissance of the infrastructure, mapping OT/IT convergence and business processes as well as carrying out control dependency analysis to identify which systems need to be shut off or used to create a cascade effect that achieves the end goal, i.e. a regional blackout," said Demain.
He said attackers then alter both internal and external environments before any overt disruption takes place.
"Phase two will see the attacker subtly reshape the environment by introducing new firewall rules, backup routing paths and shadow admins while weakening detection mechanisms. In parallel, internet controls are also subverted through BGP/DNS surveillance, traffic redirection rehearsals, and intelligence collection that monitors the response times of SOCs and ISPs to see who notices. It's this phase that is visible in the public telemetry but almost no organisations monitor this data," said Demain.
The final stage focuses on short, intense disruption across multiple domains, he said.
"The final execution phase sees disruption precisely timed to occur in minutes. At an opportune moment, multi-domain events are triggered that target identity through account disablement and conditional access failures, OT systems or production by tripping systems on select lines and pausing PLC logic without a hard shutdown, IT communications from plant-to-HQ and ERP system schedules, and externally, routing instability and API throttling," said Demain.
Lessons for operators
Demain said the case underlined several defensive priorities for operators of critical national infrastructure, including energy, transport and industrial systems.
"There are some clear lessons here for defenders. Firstly, they need to watch for the steps that indicate an adversary may be preparing to attack. The real detection window is weeks if not months before a sophisticated attack rather than the day it is executed. Secondly, CNI organisations need to consider the threat posed by geopolitical events and not just hackers intent on disruption or financial gain. And finally, air-gapped systems aren't nearly as isolated as people think," said Demain.
He said the nature of such attacks differed in important ways from more familiar financially motivated intrusions.
"These cyber-kinetic attacks are very different from traditional attacks. They're quiet, focus on configuration abuse, IT/OT and identity systems and are environment-driven, meaning defenders must shift focus and look for long-lived dormant access, identity privilege drift, OT telemetry inconsistencies, internet routing anomalies and config changes. For the SOC that places the emphasis on continuous threat hunting - not alert triage," said Demain.
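The routing telemetry Demain refers to in the phase-two description and again here (traffic redirection rehearsals, internet routing anomalies) is public BGP data that an operator can check against a baseline of its own prefixes. The following is an added illustration, not code from e2e-assure or from the article: it assumes a simplified, constructed text form for BGP UPDATE records and placeholder ASNs and prefixes, and flags the three routing events a CNI defender would most want to see weeks before any kinetic phase.

```python
"""Baseline check of an operator's own prefixes against BGP UPDATE records.

Constructed example: the record format ("<timestamp> A|W <prefix> <AS path...>",
nearest AS first, origin AS last), the prefixes and all ASNs are placeholders,
not real telemetry. Three anomaly kinds are reported:
  origin-hijack  : our prefix announced with a foreign origin AS
  more-specific  : a sub-prefix of ours announced (pulls traffic away)
  route-leak     : our prefix reaching the collector via an unapproved upstream
"""
import ipaddress
from dataclasses import dataclass

# Baseline the operator maintains: registered prefix -> origin AS and approved upstreams.
BASELINE = {
    "203.0.113.0/24": {"origin": 64500, "upstreams": {64510, 64511}},
    "198.51.100.0/23": {"origin": 64500, "upstreams": {64510}},
}

# Constructed sample feed: a normal state, then a rehearsal-like sequence.
SAMPLE = """\
2026-01-01T00:00:00Z A 203.0.113.0/24 64520 64510 64500
2026-01-01T00:05:00Z A 198.51.100.0/23 64520 64510 64500
2026-01-01T00:07:00Z A 203.0.113.0/25 64520 64530 64599
2026-01-01T00:09:00Z W 203.0.113.0/24
2026-01-01T00:11:00Z A 203.0.113.0/24 64520 64599
2026-01-01T00:15:00Z A 198.51.100.0/23 64520 64540 64500
"""

@dataclass
class Alert:
    kind: str
    prefix: str
    as_path: tuple
    ts: str

def parse_update(line):
    ts, kind, prefix, *path = line.split()
    return ts, kind, prefix, tuple(int(a) for a in path)

def analyse(lines):
    baseline = {ipaddress.ip_network(p): v for p, v in BASELINE.items()}
    alerts = []
    for line in lines:
        ts, kind, prefix, path = parse_update(line)
        if kind != "A" or not path:      # withdrawals carry no origin to check
            continue
        net = ipaddress.ip_network(prefix)
        origin = path[-1]
        transit = path[-2] if len(path) > 1 else None   # AS adjacent to the origin
        for ours, expect in baseline.items():
            if net == ours:
                if origin != expect["origin"]:
                    alerts.append(Alert("origin-hijack", prefix, path, ts))
                elif transit is not None and transit not in expect["upstreams"]:
                    alerts.append(Alert("route-leak", prefix, path, ts))
            elif net.subnet_of(ours):
                alerts.append(Alert("more-specific", prefix, path, ts))
    return alerts

def run_sample():
    return analyse(SAMPLE.splitlines())

if __name__ == "__main__":
    for a in run_sample():
        print(f"{a.ts} {a.kind:14} {a.prefix:18} path={a.as_path}")
```

Run against a real feed (for example a BGP collector's UPDATE dumps rendered into the same fields) the same logic gives the "who notices" signal Demain says almost nobody watches.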
Security teams across the CNI sector are now assessing whether monitoring of internet routing data, configuration changes and OT telemetry is sufficient to detect similar long-term preparatory activity.