By Heather MacKenzie and Moreno Carullo
The U.S. government just released an important cybersecurity alert that confirms Russian government cyberattacks targeting energy and other critical infrastructure sectors in the United States.
While there has been a significant rise in cyberattacks in these industries, up to now we’ve only been able to speculate on who the actors are, or what their motives may be. In this case, the threat actor and their strategic intent have been clearly confirmed, something the U.S. government rarely does publicly.
In addition, the US-CERT alert provides descriptions of each stage of the attack, detailed indicators of compromise (IoCs), and a long list of detection and prevention measures. Many of the attack tactics resemble those of Dragonfly 2.0, so much so that one might call this an expanded playbook for Dragonfly.
The following is intended to help you gain perspective on this alert, and to provide additional guidance on what security measures to take.
The US-CERT alert characterizes this attack as a multi-stage cyber intrusion campaign in which Russian cyber actors conducted spear phishing and gained remote access into targeted industrial networks. After obtaining access, the threat actors conducted network reconnaissance, moved laterally, and collected information pertaining to Industrial Control Systems (ICS).
This pattern of behavior is typical of APTs (Advanced Persistent Threats). APTs occur over an extended period, meaning there is an opportunity to detect and stop them before damage is done. With the right technology monitoring the industrial network, it is much harder for them to go unobserved before their final attack.
In this case, the Russian cyberattacks started by infecting staging targets: peripheral organizations, such as trusted third-party suppliers, that were used as pivot points for attacking the final intended targets.
The attackers used a multitude of tactics involving information relevant to industrial control professionals for initial infection of the staging targets. Examples include:
• Altering trade publication websites
• Sending emails containing resumes for ICS personnel as infected Microsoft Word attachments
• Analyzing publicly available photos that inadvertently contained information about industrial systems
The credentials of staging targets’ staff were in turn used to send spear phishing emails to the staff of the intended targets. They received malicious .docx files, which communicated with a command and control (C2) server to steal their credentials.
The SMB (Server Message Block) network protocol was used throughout the spear phishing phases to communicate with external servers, as was also described for the Dragonfly 2.0 attacks. This is a distinctive tactic: SMB is normally used only within LANs, not for outbound communications. Now that this is known, asset owners should ensure their firewalls restrict outbound SMB traffic.
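Because outbound SMB is so unusual in a healthy network, it is also an easy thing to hunt for in existing firewall logs. The following is an added example, not code from the alert or from Nozomi Networks; it assumes a simplified key=value log export (constructed for this example) and flags any internal-to-external flow on the SMB ports, whether the firewall allowed it or not, since even a blocked attempt points at a host that should be examined.

```python
"""Hunt for outbound SMB flows in firewall logs (added example)."""
import ipaddress
import re

# SMB over TCP 445 and the legacy NetBIOS session service on 139
SMB_PORTS = {139, 445}
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Simplified key=value export format, constructed for this example.
LOG_RE = re.compile(r"src=(\S+) dst=(\S+) proto=(\S+) dport=(\d+) action=(\S+)")


def is_internal(addr):
    """True if addr falls in an RFC 1918 private range."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in PRIVATE_NETS)


def is_outbound_smb(line):
    """True if the log line records an internal host talking SMB to the Internet."""
    m = LOG_RE.search(line)
    if not m:
        return False
    src, dst, proto, dport, _action = m.groups()
    if proto.lower() != "tcp" or int(dport) not in SMB_PORTS:
        return False
    # Flag regardless of allow/deny: a denied attempt still means the host tried.
    return is_internal(src) and not is_internal(dst)


def find_outbound_smb(lines):
    """Return every line that represents an outbound SMB flow."""
    return [line for line in lines if is_outbound_smb(line)]


# Constructed sample log lines; destinations use documentation (TEST-NET) ranges.
SAMPLE_LOGS = [
    "ts=2018-03-16T10:01:02Z src=10.20.5.17 dst=10.20.5.1 proto=tcp dport=445 action=allow",      # LAN file share, benign
    "ts=2018-03-16T10:01:09Z src=10.20.5.17 dst=198.51.100.23 proto=tcp dport=445 action=allow",  # outbound SMB, alert
    "ts=2018-03-16T10:02:11Z src=10.20.5.44 dst=203.0.113.9 proto=tcp dport=443 action=allow",    # ordinary HTTPS
    "ts=2018-03-16T10:03:30Z src=192.168.7.8 dst=203.0.113.77 proto=tcp dport=139 action=deny",   # blocked, still notable
]

if __name__ == "__main__":
    for hit in find_outbound_smb(SAMPLE_LOGS):
        print("OUTBOUND SMB:", hit)
```

In practice the same filter belongs in the SIEM as a standing rule, with the internal ranges widened to whatever address space the plant actually uses.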
The credentials of the intended targets were used to access the victims’ networks. From there, the malware established multiple local administrator accounts, each with a specific purpose. The goals ranged from creating additional accounts to cleanup activity.
Next, tools were downloaded from a remote server that manipulated Microsoft Windows shortcut files and the registry to gather and store user credentials. The attackers also used the infrastructure of staging targets to connect to intended targets using the stolen credentials and remote access services.
An ICS reconnaissance phase followed, which included tactics like:
• Using batch scripts to enumerate the industrial control network
• Using scheduled tasks and a screenshot utility to capture the screens of systems across the network
• Using text files to hold lists of host information
• Accessing computers on the corporate network to take data output about control and SCADA systems, including ICS vendor names and reference documents
• Gathering profile and configuration information for ICS systems
The threat actors also conducted activity to hide their tracks, such as clearing logs and removing malware applications, registry keys and screen captures.
While long on details about the infection and reconnaissance phases of the Russian cyberattacks, the US-CERT advisory is notably, but not surprisingly, lacking in detail about what equipment was targeted and what disruption was intended.
The goal of the advisory is to provide the intended targets, which are asset owners, with a wide set of clues for determining whether their facilities are infected. If yours is, you need to eradicate the infection and report it to the authorities.
The list of detection and prevention measures provided in the Alert (TA18-074A) is extensive. Anyone glancing at the list will realize it will take a lot of manpower and focus to do all the log and file checking, as well as the security improvements recommended.
This US-CERT alert is a milestone. It makes it perfectly clear that U.S. infrastructure and critical manufacturing sectors are under Russian cyberattack.
If your organization is in one of the targeted sectors, now is the time to check for and eradicate the malware before a final ICS attack occurs. Even if your operation is in another country or another sector, you likely want to do the same thing.
To help you efficiently deal with the risk level and workload associated with this alert, consider a real-time cybersecurity and operational visibility solution.
Moreno Carullo is founder and chief technology officer at Nozomi Networks. Heather MacKenzie is with Nozomi Networks. This is an excerpt from her blog.