The Russian connectionDHS, FBI warn critical infrastructure firms of attacks by “Russia-linked” hackers

Methods of attack and mitigation illustrated against OSI model // Source: yahoo.com

DHS and the FBI on Friday have issued an alert that warning critical infrastructure companies of “advanced persistent threat (APT) actions targeting government entities and organizations in the energy, nuclear, water, aviation, and critical manufacturing sectors.”

DHS said the hacking campaign, labeled Dragonfly, is a Kremlin-sponsored operation.

Cybersecurity experts agree. Cybersecurity firm CrowdStrike has said the technical indicators outlined in the DHS and FBI alert suggest the attacks were by a hacking group it calls “Berserk Bear,” which is affiliated with Russia and has targeted the energy, financial, and transportation industries.

In an email to the Express, CrowdStrike Vice President Adam Meyers said: “We have not observed any destructive action by this actor.”

Robert Lee, chief executive of cyber-security firm Dragos, has said the report appears to describe hackers working in the interests of the Russian government.

The alert says the attack has been on-going since May 2017, and that the hacker have compromised some networks.

The alert also acknowledges Symantec’s September report on a series of attacks labelled “Dragonfly” (see “Western energy sector target of sophisticated attack by Russian-linked group Dragonfly,” HSNW, 11 September 2017).

The Friday alert says: “The threat actors appear to have deliberately chosen the organizations they targeted, rather than pursuing them as targets of opportunity. Staging targets held preexisting relationships with many of the intended targets.”

The attackers “are seeking to identify information pertaining to network and organizational design, as well as control system capabilities, within organizations.” The alert adds “the threat actors focused on identifying and browsing file servers within the intended victim’s network [and] viewed files pertaining to ICS or Supervisory Control and Data Acquisition (SCADA) systems. Based on DHS analysis of existing compromises, these files were originally named containing ICS vendor names and ICS reference documents pertaining to the organization (e.g., “SCADA WIRING DIAGRAM.pdf” or “SCADA PANEL LAYOUTS.xlsx”).”

The Express reports that e attacks employed familiar tactics: the hackers first identified high-value targets in the organizations they sought to infiltrate, then sent spear-phishing emails with subject lines such as “AGREEMENT & Confidential” containing benign attachments that “prompted the user to click on a link should a download not automatically begin.” Some of those links led to malware. Other phishing emails led to fake login pages which harvested the users’ credentials.

Once the attackers collected the users’ credentials, they loaded malware that started to search for and exfiltrate data, sometimes by creating new users on targeted domains.

The Register reports that the DHS and FBI alert notes that the phishing payloads were legitimate attachments that did not contain malware, but exploited either user gullibility or known-to-be-risky features of tools like initiating downloads of documents using Server Message Block.

The attackers’ tactics worked well on both standalone computers and on virtual desktops, which security experts said was worrisome, since government agencies often use virtual PCs as a way to improve security.

As a way to counter the hacking campaign, DHS recommended deploying email and web filters, checking for obvious signs of intrusion like frequent deletion of log files, and checking to see whether new users have unexpectedly been created.

The alert does not specify whether or not the attacks have caused any damage.

Department of Homeland Security spokesman Scott McConnell also declined to elaborate on the information provided in the report.

He also did not say what prompted the DHS to go public with the information at this time.

McConnell said: “The technical alert provides recommendations to prevent and mitigate malicious cyber activity targeting multiple sectors and reiterated our commitment to remain vigilant for new threats.”