US Critical Infrastructure Target of Russia-Linked Cyberattacks

Nation-state actors are trying to gain access to vital industrial control systems (ICS) at US energy companies and other critical infrastructure organizations via the networks of their suppliers and trusted third parties, the United States government has warned.

In an advisory issued late last week, the Department of Homeland Security (DHS) and the FBI said the threat activity has been ongoing since at least May 2017 and appears to be the handiwork of the Dragonfly advanced persistent threat (APT) group.

The group has been using a combination of tactics and techniques to break into victim networks including information harvesting using open-source reconnaissance, spear-phishing emails from compromised legitimate accounts, credential-gathering, and using watering-hole domains for hosting malware. Once on a victim's network, the attackers have focused on finding and browsing information pertaining to Supervisory Control and Data Acquisition (SCADA) systems and control systems.

Dragonfly, also known as Energetic Bear, is a Russia-linked group that is suspected of numerous attacks on organizations in the manufacturing, pharmaceutical, industrial, and construction sectors globally since 2011. Symantec in September had warned about renewed attacks by the group against energy sector targets in the US and Europe. The DHS/FBI alert basically confirms the findings in the report, while noting that the campaign has included targets across multiple critical infrastructure sectors - not just the energy sector.

"This is the first time we are seeing such a widespread campaign that is specifically targeting industrial control systems which are responsible for managing and controlling the physical processes in nuclear, water, aviation, and critical manufacturing sectors," says Dana Tamir VP of market strategy for Indegy.

The DHS and FBI advisory, which includes indicators of compromise and other pointers, described Dragonfly's activity as an ongoing "multi-stage intrusion campaign." The threat actors are targeting small and relatively low-security partner and peripheral networks to gain access to high-value asset owners in the energy and other sectors.  

The initial, or "staging," victims are not opportunistic targets. Instead, they are carefully chosen for their pre-existing relationships with the intended victim. Their networks, once compromised, are being used as malware repositories and as pivot points for gaining access to the network of the final intended victims, the DHS and FBI said.

Nearly 50% of the known watering holes being used in the campaign to serve malware on target networks are trade publications and informational websites related to critical infrastructure, ICS and process control the advisory said.

There is little evidence that the attackers are using any zero-day vulnerabilities, or particularly sophisticated tools to gain access to their intended victim's network. Rather, they have been using publicly available information to identify intended targets and craft customized spear-phishing campaigns for gathering credentials and information.

In instances where the threat actors managed to obtain a legitimate user's credentials, they have used the credentials to gain access to the victim's network and to download malware on it from remote servers. In some cases the malware created a user account and attempted to convert it to an administrator account with privileged access rights. The malware also disabled the host-based firewall on the compromised system and opened ports that would allow an attacker remote access to the system.

In addition to energy companies, others being targeted include organizations in the government, nuclear, aviation, water, and critical manufacturing sectors. The threat actors have succeeded in penetrating the networks of at least some of the intended targets, the advisory said.

"Threats to industrial control systems and critical infrastructure networks are definitely on the rise," says Patrick McBride, chief marketing officer at Claroty. "We've arguably seen more threat activity in this space in the past four- to five months than the past three years."

So far, the attacks have not caused actual physical disruption. But the theoretical is becoming reality, McBride says. "We need to recognize that nation-states are going to continue laying the groundwork for potential disruption in these networks. It is a logical action as a component of any potential conflict."

Phil Neray, vice president of industrial cybersecurity at CyberX, says the FBI and DHS warning highlights the urgent need to address security weaknesses in US industrial control networks. Real-world network data that CyberX collected over the past 18 months from 375 industrial networks worldwide shows that operational technology (OT) networks are riddled with vulnerabilities.

CyberX's data, contained in a soon-to-be published report, showed that industrial networks are not as air-gapped and isolated as many might imagine, with some one-third of them connected to the Internet. More than 75% of the sites had obsolete Windows technology such as XP and Windows 2000; 60% had plain-text passwords traversing their control networks; and 50% of the sites used no antivirus software at all.

"The data we've collected from real-world OT networks shows that once the adversaries get into the OT, it's relatively easy for them to move around and compromise industrial devices that control physical processes such as assembly lines, mixing tanks, and blast furnaces," he says.

Related Content:'Dragonfly' APT Now Able to Disrupt US Power Grid Operations, Symantec Warns

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity agenda here.