In an uncharacteristic move on the part of the part of the Department of Homeland Security, US-CERT released a Technical Alert resulting from analytic efforts between the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI). The alert warns of ongoing advanced persistent threat (APT) actions targeting government entities and organizations in the energy, nuclear, water, aviation, and critical manufacturing sectors.
DHS has deemed these actions to be a multi-stage intrusion campaign that targets low security and small networks to infiltrate major networks of high-value asset owners within the energy sector. Based on their analysis DHS has determined this is an active long-term campaign. The Technical Alert has been issued to educate network security managers and enable them to identify and reduce exposure to malicious activity.
According to US-CERT, the activity can be traced back to May 2017. They have targeted industrial and government entities. In the past, the energy sectors have been targeted resulting in cyber espionage to the extreme of disrupting energy systems. Once deemed successful these activities have been carried out on other critical infrastructures.
DHS, FBI, and trusted partners identified unique indicators and behaviors related to the threatening behavior. They have called out the report, “Dragonfly: Western energy sector targeted by sophisticated attack group,” released by Symantec on September 6, 2017, which provides additional information about this ongoing campaign.
Intended targets of these campaigns can be identified as staging and intended targets. The gateway to the intended targets is through the staging targets which are peripheral organizations including trusted partners and suppliers with less secure networks. CERT states that the staging targets’ networks are uses as “pivot points and malware repositories when targeting their final intended victims.” The ultimate intended target are the infrastructure government and infrastructure networks.
DHS used the phases of the Cyber Kill Chain model to discover and dissect the threats. These phases include reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on the objective. Through this model, they have determined the threats were not opportunistic but deliberately chosen for their existing relationships to the end targets.
In the weaponization stage spear-phishing campaigns, used email attachments to leverage legitimate Microsoft Office functions to retrieve a document from a remote server using the Server Message Block (SMB) protocol. They then employ password-cracking methods to obtain the password. Once the password is discovered, they are home free.
A new type of spear-phishing email was used in the delivery stage. The spear-phishing email used a generic contract agreement theme, containing a non-malicious pdf. The user was instructed to click on a link if the download did not automatically begin. This is where the trouble begin. The link directed users to a website with an abbreviated URL, which could prompt them to retrieve a malicious file.
In the fourth stage, distinct and unusual TTPs (i.e., successive redirects) were used in the phishing campaign directed at staging targets. Emails contained a stacked URL-shortening link that directed the user to a series of redirects with the ultimate destination containing an email address and password input fields mimicking a login page for a website.
The threat actors leveraged used the obtained information to access victims’ networks where multi-factor authentication is not in play. When the network is compromised, tools are downloaded tools from a remote server.
In the final stage, web shells were prevalent and used to compromise publically available servers. These servers were used to gain a foothold into internal networks. Web and email servers were both targets. They used port 443 to create an encrypted connection to the web shell. Once connected, the malicious files were transferred to the compromised servers.
New cyber security threats targeting IIoT are emerging every day, risking public and employee safety, operational disruptions and plant downtime, and costly physical damage to plants, machines, and products, in addition to loss of intellectual property via espionage on the corporate network. Identifying and protecting against cyber threats is a mandatory first step before connecting plant processes, networks, and applications. Bayshore inspects machine-specific industrial protocol traffic, which eliminates cyber threats before they reach critical equipment, protecting OT applications, networks, machines, workers, and the environment. Additionally, Bayshore’s Managed Remote Access solution allows manufacturers to grant tightly controlled access to third parties, such as equipment vendors, for maintenance and troubleshooting.
Download US-CERT Alert (TA17-293A) Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors for more detailed information.
As Chief Marketing Officer at Bayshore Networks, Kirby is on a mission to educate and inspire leaders to act now to protect our industrial infrastructure - and our way of life - from cyber threats. Bringing more than two decades of executive leadership in both public enterprises and emerging startups, Kirby is a published author, keynote speaker, teacher, and frequent contributor to over 20,000 online followers.