CISOs at critical infrastructure organizations in Canada are eying an alert issued by the U.S. Computer Emergency Readiness Team (US-CERT) that the Russian government has been targeting American government entities as well as organizations in the energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors for at least the past two years.
The allegations, made Thursday, said the Department of Homeland Security (DHS) and the FBI “characterize this activity as a multi-stage intrusion campaign by Russian government cyber actors who targeted small commercial facilities’ networks where they staged malware, conducted spear phishing, and gained remote access into energy sector networks. After obtaining access, the Russian government cyber actors conducted network reconnaissance, moved laterally, and collected information pertaining to Industrial Control Systems (ICS).”
The threat actors appear to have chosen targets deliberately, the US-CERT alert says, and not by chance. The attacks appear to be aimed at gathering network intelligence.
The alert reads like a CISO’s nightmare — and, arguably, a blueprint for what to look for in a sophisticated attack.
The document includes a lengthy list of indicators of compromise, including Microsoft Word documents that would be attached to email for stealing credentials which may or may not have been protected by hashing. Some of these messages were framed as what looked like legitimate résumés for industrial control systems personnel, and invitations and policy documents to entice the user to open the attachment.
It concludes with 28 recommendations for securing networks against this campaign.
Techniques include using spear-phishing emails from compromised legitimate accounts, compromising web sites of trade publications and partners (so-called watering-hole domain attacks) to spread malware to targets, credential gathering, open-source and network reconnaissance,host-based exploitation, and targeting industrial control system (ICS) infrastructure.
And no, some target networks — including third parties — weren’t protected with multi-factor authentication. So it may come as no surprise that where possible the actors created local administrator accounts they could control.
In multiple instances, says the alert, new accounts were created to clean up their activities. “The accounts created were used to clear the following Windows event logs: System, Security, Terminal Services, Remote Services, and Audit. The threat actors also removed applications they installed while they were in the network along with any logs produced.”
The two agencies recommend that network administrators review the IP addresses, domain names, file hashes, and YARA and Snort signatures provided and add the IPs to their watch list to determine whether malicious activity is occurring within their organization. Reviewing network perimeter netflow will help determine whether a network has experienced suspicious activity, they say. Network defenders and malware analysts should use the YARA and Snort signatures provided in the associated YARA and .txt file to identify malicious activity.
The alert also warns how seemingly innocent marketing materials can be used by threat actors. The investigation found the threat actors downloaded a small photo from a publicly accessible human resources page of an unidentified company. “The image, when expanded, was a high-resolution photo that displayed control systems equipment models and status information in the background.”
Some of the campaign was revealed by Symatec last September, which said North American and European energy sectors were being targeted by a group it dubbed Dragonfly.
The details in the alert aren’t a surprise, said Rick Kaun, vice-president of solutions at Calgary-based Verve Industrial Protection. Operational and industrial control systems “are not immune due to obscurity or air gaps,” he said in an interview this morning. “The only surprise for me is that we have yet another (attack). What remains to be seen is whether this is the one that finally pushes people to action … We still struggle to help clients figure out that you need to build a program over time to pay dividends. To wait until something happens is way too late.
While there have been a number of well-reported attacks on industrial control systems (ICS), there’s still a “huge amount of work to be done” securing critical infrastructure, he said.