Attacks/Breaches

10/23/2017
05:16 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

US Critical Infrastructure Target of Russia-Linked Cyberattacks

Attacks have been under way since May, targeting energy, nuclear, aviation, water, and manufacturing, FBI and DHS say.

Nation-state actors are trying to gain access to vital industrial control systems (ICS) at US energy companies and other critical infrastructure organizations via the networks of their suppliers and trusted third parties, the United States government has warned.

In an advisory issued late last week, the Department of Homeland Security (DHS) and the FBI said the threat activity has been ongoing since at least May 2017 and appears to be the handiwork of the Dragonfly advanced persistent threat (APT) group.

The group has been using a combination of tactics and techniques to break into victim networks including information harvesting using open-source reconnaissance, spear-phishing emails from compromised legitimate accounts, credential-gathering, and using watering-hole domains for hosting malware. Once on a victim's network, the attackers have focused on finding and browsing information pertaining to Supervisory Control and Data Acquisition (SCADA) systems and control systems.

Dragonfly, also known as Energetic Bear, is a Russia-linked group that is suspected of numerous attacks on organizations in the manufacturing, pharmaceutical, industrial, and construction sectors globally since 2011. Symantec in September had warned about renewed attacks by the group against energy sector targets in the US and Europe. The DHS/FBI alert basically confirms the findings in the report, while noting that the campaign has included targets across multiple critical infrastructure sectors - not just the energy sector.

"This is the first time we are seeing such a widespread campaign that is specifically targeting industrial control systems which are responsible for managing and controlling the physical processes in nuclear, water, aviation, and critical manufacturing sectors," says Dana Tamir VP of market strategy for Indegy.

The DHS and FBI advisory, which includes indicators of compromise and other pointers, described Dragonfly's activity as an ongoing "multi-stage intrusion campaign." The threat actors are targeting small and relatively low-security partner and peripheral networks to gain access to high-value asset owners in the energy and other sectors.  

The initial, or "staging," victims are not opportunistic targets. Instead, they are carefully chosen for their pre-existing relationships with the intended victim. Their networks, once compromised, are being used as malware repositories and as pivot points for gaining access to the network of the final intended victims, the DHS and FBI said.

Nearly 50% of the known watering holes being used in the campaign to serve malware on target networks are trade publications and informational websites related to critical infrastructure, ICS and process control the advisory said.

There is little evidence that the attackers are using any zero-day vulnerabilities, or particularly sophisticated tools to gain access to their intended victim's network. Rather, they have been using publicly available information to identify intended targets and craft customized spear-phishing campaigns for gathering credentials and information.

In instances where the threat actors managed to obtain a legitimate user's credentials, they have used the credentials to gain access to the victim's network and to download malware on it from remote servers. In some cases the malware created a user account and attempted to convert it to an administrator account with privileged access rights. The malware also disabled the host-based firewall on the compromised system and opened ports that would allow an attacker remote access to the system.

In addition to energy companies, others being targeted include organizations in the government, nuclear, aviation, water, and critical manufacturing sectors. The threat actors have succeeded in penetrating the networks of at least some of the intended targets, the advisory said.

"Threats to industrial control systems and critical infrastructure networks are definitely on the rise," says Patrick McBride, chief marketing officer at Claroty. "We've arguably seen more threat activity in this space in the past four- to five months than the past three years."

So far, the attacks have not caused actual physical disruption. But the theoretical is becoming reality, McBride says. "We need to recognize that nation-states are going to continue laying the groundwork for potential disruption in these networks. It is a logical action as a component of any potential conflict."

Phil Neray, vice president of industrial cybersecurity at CyberX, says the FBI and DHS warning highlights the urgent need to address security weaknesses in US industrial control networks. Real-world network data that CyberX collected over the past 18 months from 375 industrial networks worldwide shows that operational technology (OT) networks are riddled with vulnerabilities.

CyberX's data, contained in a soon-to-be published report, showed that industrial networks are not as air-gapped and isolated as many might imagine, with some one-third of them connected to the Internet. More than 75% of the sites had obsolete Windows technology such as XP and Windows 2000; 60% had plain-text passwords traversing their control networks; and 50% of the sites used no antivirus software at all.

"The data we've collected from real-world OT networks shows that once the adversaries get into the OT, it's relatively easy for them to move around and compromise industrial devices that control physical processes such as assembly lines, mixing tanks, and blast furnaces," he says.

Related Content:'Dragonfly' APT Now Able to Disrupt US Power Grid Operations, Symantec Warns

 

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity agenda here.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Olaf Barheine
50%
50%
Olaf Barheine,
User Rank: Apprentice
10/24/2017 | 5:57:56 AM
IMHO
This is crazy! Every little schoolboy can find countless ICS on the Internet. No encryption, no firewall, no VPN, just a more or less difficult password to protect against unauthorized users.
Crowdsourced vs. Traditional Pen Testing
Alex Haynes, Chief Information Security Officer, CDL,  3/19/2019
BEC Scammer Pleads Guilty
Dark Reading Staff 3/20/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Well, at least it isn't Mobby Dick!
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
The State of Cyber Security Incident Response
The State of Cyber Security Incident Response
Organizations are responding to new threats with new processes for detecting and mitigating them. Here's a look at how the discipline of incident response is evolving.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-3965
PUBLISHED: 2019-03-23
Hospira Symbiq Infusion System 3.13 and earlier allows remote authenticated users to trigger "unanticipated operations" by leveraging "elevated privileges" for an unspecified call to an incorrectly exposed function.
CVE-2016-10743
PUBLISHED: 2019-03-23
hostapd before 2.6 does not prevent use of the low-quality PRNG that is reached by an os_random() function call.
CVE-2019-9947
PUBLISHED: 2019-03-23
An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.2. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the query string or PATH_INFO) follo...
CVE-2019-9948
PUBLISHED: 2019-03-23
urllib in Python 2.x through 2.7.16 supports the local_file: scheme, which makes it easier for remote attackers to bypass protection mechanisms that blacklist file: URIs, as demonstrated by triggering a urllib.urlopen('local_file:///etc/passwd') call.
CVE-2019-9945
PUBLISHED: 2019-03-23
SoftNAS Cloud 4.2.0 and 4.2.1 allows remote command execution. The NGINX default configuration file has a check to verify the status of a user cookie. If not set, a user is redirected to the login page. An arbitrary value can be provided for this cookie to access the web interface without valid user...