The Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) issued a joint alert concerning an advanced persistent threat currently targeting the government and organizations in the energy, nuclear, water and manufacturing sectors.
DHS believes this on-going, long-term campaign is an attempt to enter systems and then move malware laterally throughout the organization. The end game of theses intrusions is not known, said DHS in a U.S. CERT report, but many believe these are nation-state sponsored.
“The U.S. government's warning should come as no surprise, nation-state hackers have been targeting critical infrastructure facilities for years and they are ripe targets. Many of these industries like energy, manufacturing, and aviation are large distributed networks that rely on aging infrastructure. This type of environment is a playground for hackers, they have thousands of potential entry points and they only have to find one outdated software system to penetrate the network defenses," said Paul Martini, CEO and co-founder of iboss, said to SC Media in an emailed comment.
DHS said attacks began in May 2017 and have been spotted in the aforementioned sectors, however, some in the industry believe this is not a new campaign.
“While the alert states that this has been going on since May of this year, one can certainly speculate that these attacks have been going on for a much longer period of time,” Brad Keller, senior director of third party strategy at Prevalent told SC Media.
In order to discover what was going on DHS leveraged the Cyber Kill Chain model to analyze, discuss, and dissect malicious cyber activity. Phases of the model include reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on the objective, CERT stated.
An examination of the tactics, techniques and procedures uncovered so far see the malicious actors using a myriad of attack vectors spear-phishing emails based on data gleaned from previously compromised accounts, watering hole domains, host-based exploitation, industrial control system infrastructure targeting and gathering additional credentials.
Another early move is to first target third-party vendors that work with their intended targets as these tend to have lower levels of security and once penetrated can give them direct access to the higher profile organization.
In the early reconnaissance phase the threat actors scan the internet for all the freely available information on their target, some of which then will be used in upcoming spearphishing attacks. The emails with the subject line
"AGREEMENT & Confidential" generally use a phony contract as the bait to entice someone to open and click on the attached PDF. The PDF itself is not malicious, but there is a note prompting the recipient to click on a link if the file does not start to download which can lead to a malicious site.
While the domains being used as watering holes by the attackers were not listed, the report said more than half of those found belong to trade publications and informational websites related to process control, ICS, or critical infrastructure.
“The compromised sites include both custom developed web applications and template-based frameworks. The threat actors injected a line of code into header.php, a legitimate PHP file that carried out the redirected traffic. There is no indication that threat actors used zero-day exploits to manipulate the sites; the threat actors more likely used legitimate credentials to access the website content directly,” DHS said.
The government included a long list of detection and preventative measures that they recommended be taking, including:
- network intrusion detection system/network intrusion protection system logs
- web content logs
- proxy server logs
- domain name server resolution logs
- packet capture (PCAP) repositories
However, not everyone believes these suggestions are enough.
“While the DHS warnings are warranted, their specific security recommendations are inadequate. The security mindset of watching for anomalies at the perimeter often becomes the equivalent of closing the barn door after the horses have bolted,” Satya Gupta, Virsec Systems founder and CTO told SC Media, adding that security focus needs to shift from the network perimeter to the applications themselves.