US energy, nuke and aviation sectors under sustained attack

The United States' Department of Homeland Security has issued an alert that warns of “advanced persistent threat (APT) actions targeting government entities and organizations in the energy, nuclear, water, aviation, and critical manufacturing sectors.”

The alert says an unknown actor has been at it since May 2017 and has compromised some networks.

Compiled with the help of the FBI, the alert also acknowledges Symantec's September 2017 report on attacks labelled 'Dragonfly', and says “The threat actors appear to have deliberately chosen the organizations they targeted, rather than pursuing them as targets of opportunity. Staging targets held preexisting relationships with many of the intended targets.”

The attackers “are seeking to identify information pertaining to network and organizational design, as well as control system capabilities, within organizations.” The alert adds “the threat actors focused on identifying and browsing file servers within the intended victim’s network [and] viewed files pertaining to ICS or Supervisory Control and Data Acquisition (SCADA) systems. Based on DHS analysis of existing compromises, these files were originally named containing ICS vendor names and ICS reference documents pertaining to the organization (e.g., “SCADA WIRING DIAGRAM.pdf” or “SCADA PANEL LAYOUTS.xlsx”).”

The attacks were conducted with depressingly-familiar tactics: the perps would first figure out high-value targets in the organisations they sought to crack, then spear-phished them with emails bearing subject lines such as “AGREEMENT & Confidential” containing benign attachments that “prompted the user to click on a link should a download not automatically begin.” In a colossal non-surprise, some of those links led to malware.

Other phishing campaigns led to fake login pages that harvested credentials.

Once the attackers had credentials, they loaded malware that started to sniff for and exfiltrate data, sometimes by creating new users on targeted domains.

The alert notes that the phishing payloads were legitimate attachments that did not contain malware, but exploited either user gullibility or known-to-be-risky features of tools like initiating downloads of documents using Server Message Block.

The attackers' tactics worked just as well on standalone computers as they did on virtual desktops, a worrying outcome given government agencies frequent use of virtual PCs as a way to improve security.

The Department's recommended actions therefore reference existing and long-standing security advice and include things like deploying email and web filters, checking for obvious signs of intrusion like frequent deletion of log files and checking to see if new users have unexpectedly been created.

The alert doesn't say what damage, if any, the attacks have wrought. Nor does it attempt to reveal the origins of the attacks, although the Department has previously suggested [PDF] that Dragonfly was a Kremlin-sponsored operation. ®