Attacks/Breaches

10/23/2017
05:16 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

US Critical Infrastructure Target of Russia-Linked Cyberattacks

Attacks have been under way since May, targeting energy, nuclear, aviation, water, and manufacturing, FBI and DHS say.

Nation-state actors are trying to gain access to vital industrial control systems (ICS) at US energy companies and other critical infrastructure organizations via the networks of their suppliers and trusted third parties, the United States government has warned.

In an advisory issued late last week, the Department of Homeland Security (DHS) and the FBI said the threat activity has been ongoing since at least May 2017 and appears to be the handiwork of the Dragonfly advanced persistent threat (APT) group.

The group has been using a combination of tactics and techniques to break into victim networks including information harvesting using open-source reconnaissance, spear-phishing emails from compromised legitimate accounts, credential-gathering, and using watering-hole domains for hosting malware. Once on a victim's network, the attackers have focused on finding and browsing information pertaining to Supervisory Control and Data Acquisition (SCADA) systems and control systems.

Dragonfly, also known as Energetic Bear, is a Russia-linked group that is suspected of numerous attacks on organizations in the manufacturing, pharmaceutical, industrial, and construction sectors globally since 2011. Symantec in September had warned about renewed attacks by the group against energy sector targets in the US and Europe. The DHS/FBI alert basically confirms the findings in the report, while noting that the campaign has included targets across multiple critical infrastructure sectors - not just the energy sector.

"This is the first time we are seeing such a widespread campaign that is specifically targeting industrial control systems which are responsible for managing and controlling the physical processes in nuclear, water, aviation, and critical manufacturing sectors," says Dana Tamir VP of market strategy for Indegy.

The DHS and FBI advisory, which includes indicators of compromise and other pointers, described Dragonfly's activity as an ongoing "multi-stage intrusion campaign." The threat actors are targeting small and relatively low-security partner and peripheral networks to gain access to high-value asset owners in the energy and other sectors.  

The initial, or "staging," victims are not opportunistic targets. Instead, they are carefully chosen for their pre-existing relationships with the intended victim. Their networks, once compromised, are being used as malware repositories and as pivot points for gaining access to the network of the final intended victims, the DHS and FBI said.

Nearly 50% of the known watering holes being used in the campaign to serve malware on target networks are trade publications and informational websites related to critical infrastructure, ICS and process control the advisory said.

There is little evidence that the attackers are using any zero-day vulnerabilities, or particularly sophisticated tools to gain access to their intended victim's network. Rather, they have been using publicly available information to identify intended targets and craft customized spear-phishing campaigns for gathering credentials and information.

In instances where the threat actors managed to obtain a legitimate user's credentials, they have used the credentials to gain access to the victim's network and to download malware on it from remote servers. In some cases the malware created a user account and attempted to convert it to an administrator account with privileged access rights. The malware also disabled the host-based firewall on the compromised system and opened ports that would allow an attacker remote access to the system.

In addition to energy companies, others being targeted include organizations in the government, nuclear, aviation, water, and critical manufacturing sectors. The threat actors have succeeded in penetrating the networks of at least some of the intended targets, the advisory said.

"Threats to industrial control systems and critical infrastructure networks are definitely on the rise," says Patrick McBride, chief marketing officer at Claroty. "We've arguably seen more threat activity in this space in the past four- to five months than the past three years."

So far, the attacks have not caused actual physical disruption. But the theoretical is becoming reality, McBride says. "We need to recognize that nation-states are going to continue laying the groundwork for potential disruption in these networks. It is a logical action as a component of any potential conflict."

Phil Neray, vice president of industrial cybersecurity at CyberX, says the FBI and DHS warning highlights the urgent need to address security weaknesses in US industrial control networks. Real-world network data that CyberX collected over the past 18 months from 375 industrial networks worldwide shows that operational technology (OT) networks are riddled with vulnerabilities.

CyberX's data, contained in a soon-to-be published report, showed that industrial networks are not as air-gapped and isolated as many might imagine, with some one-third of them connected to the Internet. More than 75% of the sites had obsolete Windows technology such as XP and Windows 2000; 60% had plain-text passwords traversing their control networks; and 50% of the sites used no antivirus software at all.

"The data we've collected from real-world OT networks shows that once the adversaries get into the OT, it's relatively easy for them to move around and compromise industrial devices that control physical processes such as assembly lines, mixing tanks, and blast furnaces," he says.

Related Content:'Dragonfly' APT Now Able to Disrupt US Power Grid Operations, Symantec Warns

 

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity agenda here.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Olaf Barheine
50%
50%
Olaf Barheine,
User Rank: Apprentice
10/24/2017 | 5:57:56 AM
IMHO
This is crazy! Every little schoolboy can find countless ICS on the Internet. No encryption, no firewall, no VPN, just a more or less difficult password to protect against unauthorized users.
Veterans Find New Roles in Enterprise Cybersecurity
Kelly Sheridan, Staff Editor, Dark Reading,  11/12/2018
Empathy: The Next Killer App for Cybersecurity?
Shay Colson, CISSP, Senior Manager, CyberClarity360,  11/13/2018
Understanding Evil Twin AP Attacks and How to Prevent Them
Ryan Orsi, Director of Product Management for Wi-Fi at WatchGuard Technologies,  11/14/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Flash Poll
Online Malware and Threats: A Profile of Today's Security Posture
Online Malware and Threats: A Profile of Today's Security Posture
This report offers insight on how security professionals plan to invest in cybersecurity, and how they are prioritizing their resources. Find out what your peers have planned today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-15759
PUBLISHED: 2018-11-19
Pivotal Cloud Foundry On Demand Services SDK, versions prior to 0.24 contain an insecure method of verifying credentials. A remote unauthenticated malicious user may make many requests to the service broker with different credentials, allowing them to infer valid credentials and gain access to perfo...
CVE-2018-15761
PUBLISHED: 2018-11-19
Cloud Foundry UAA release, versions prior to v64.0, and UAA, versions prior to 4.23.0, contains a validation error which allows for privilege escalation. A remote authenticated user may modify the url and content of a consent page to gain a token with arbitrary scopes that escalates their privileges...
CVE-2018-17190
PUBLISHED: 2018-11-19
In all versions of Apache Spark, its standalone resource manager accepts code to execute on a 'master' host, that then runs that code on 'worker' hosts. The master itself does not, by design, execute user code. A specially-crafted request to the master can, however, cause the master to execute code ...
CVE-2018-1841
PUBLISHED: 2018-11-19
IBM Cloud Private 2.1.0 could allow a local user to obtain the CA Private Key due to it being world readable in boot/master node. IBM X-Force ID: 150901.
CVE-2018-18519
PUBLISHED: 2018-11-19
BestXsoftware Best Free Keylogger 5.2.9 allows local users to gain privileges via a Trojan horse "%PROGRAMFILES%\BFK 5.2.9\syscrb.exe" file because of insecure permissions for the BUILTIN\Users group.