Attackers Pivot Into Targeted Networks via Suppliers, DHS-FBI Alert Warns
The U.S. government has issued a rare technical alert, warning that attackers are continuing to compromise organizations across the energy sector, oftentimes by first hacking into less secure business partners and third-party suppliers.
The joint technical alert, running to 16 pages, was issued late Friday by the U.S. Department of Homeland Security and the FBI. The agencies want targeted organizations to better secure their systems and block these attacks, to help bring the hacking campaign to a halt.
The alert warns that since at least May, “a multi-stage intrusion campaign by threat actors” continues to target “low security and small networks to gain access and move laterally to networks of major, high-value asset owners within the energy sector.”
Initial targets have included firms across the nuclear, water, aviation, and critical manufacturing sectors, it says.
Although this campaign had previously been spotted and its attack methodology detailed by security researchers, the U.S. government warns that the attacks have continued unabated.
“Based on malware analysis and observed IOCs, DHS has confidence that this campaign is still ongoing, and threat actors are actively pursuing their ultimate objectives over a long-term campaign,” the DHS-FBI alert warns. Its alert includes indicators of compromise, or IOCs, as well as technical details on the tactics, techniques, and procedures, or TTPs, used by the APT attackers tied to this campaign.
Attackers are Pivoting
These TTPs continue to include open-source reconnaissance, spear-phishing emails from legitimate but compromised accounts, watering-hole attacks, credential harvesting as well as targeting industrial control systems, the alert warns.
The DHS-FBI alert warns that larger energy sector organizations are suffering intrusions because of poor information security practices on the part of their business partners and third-party suppliers.
“The initial victims are peripheral organizations such as trusted third-party suppliers with less secure networks,” the alert says, adding that these victims function as the first stage in many attacks. “The threat actor uses the staging targets’ networks as pivot points and malware repositories when targeting their final, intended victims. The ultimate objective of the cyber threat actors is to compromise organizational networks.”
Critical infrastructure security expert Robert M. Lee says that while the DHS-FBI alert warns of an ongoing and successful “multi-stage intrusion campaign,” the report uses that phrase to cover both intrusions and attacks, which he argues should be kept distinct.
The terminology is in relation to intrusion analysis; and much is learned from failed intrusions (sometimes more than the successful ones).
— Robert M. Lee (@RobertMLee) October 21, 2017
Lee, who heads the cybersecurity firm Dragos, notes that the ICS Cyber Kill Chain, which extends the kill chain model developed by Lockheed Martin, separates intrusions and attacks into two distinct stages, and he urges DHS and the FBI to begin following this model.
“It’s much better to refer to Stage 1 intrusions on infrastructure as just that, intrusions. Attacks are successful Stage 2 acts,” Lee says via Twitter.
The DHS-FBI alert says the attack activity ties to the so-called Dragonfly campaign, as detailed by security firm Symantec in September (see Russia-Linked Hackers Could Sabotage U.S. Energy Systems).
“What is clear is that Dragonfly is a highly experienced threat actor,” Symantec said in its report into hack attacks against the energy sector. “What it plans to do with all this intelligence has yet to become clear, but its capabilities do extend to materially disrupting targeted organizations should it choose to do so.”
Last December, the U.S. government linked the Dragonfly group – aka Energetic Bear, Havex, Iron Liberty and Koala – to the Russian government. The group has been previously tied to attacks not just against the energy sector, but also the financial and transportation industries, according to cybersecurity firm CrowdStrike.
Goals: Cyber Espionage, Sabotage?
Symantec says that while the group has been active since 2011, its attacks since 2015 appear to have focused on gaining the ability to sabotage energy systems in the United States, Switzerland and Turkey.
So far, however, any sabotage capabilities being developed by the Dragonfly group appear to have remained hypothetical. Indeed, the DHS-FBI alert notes that while previous intrusions targeting the energy sector and industrial control systems in general have pursued cyber espionage or sabotage ends, it’s not clear what the purpose of the Dragonfly campaign might be.
“We have not observed any destructive action by this actor,” Adam Meyers, vice president at CrowdStrike, tells Reuters.
Lee at Dragos says that information about the Dragonfly campaigns cited in the alert has already been publicly released. But he also warns that while the DHS-FBI report is “overall well done,” the indicators of compromise it contains should not be immediately used; they still need vetting. “We’ve found many you shouldn’t run,” he says.
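Lee's warning that the published indicators need vetting before they are loaded into a blocklist or a SIEM is the kind of step a detection engineer would automate. The script below is an added example written for this article, not code from the DHS-FBI alert or from Dragos, and it does not use the alert's actual indicators: the IOC feed, the allowlist of generic domains and the verdict labels (deploy, review, reject) are all constructed for the example. It checks each indicator for the classic reasons an IOC "shouldn't be run": non-routable addresses, public DNS resolvers, apex domains of widely used services, and the hashes of the empty file, any of which would flood a SOC with false positives or block legitimate traffic if deployed blindly.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample IOC feed (kind,value per line). These values are made up for
# this example and are NOT indicators from the DHS-FBI alert. 203.0.113.0/24 is
# the RFC 5737 documentation range, used here as a stand-in for attacker hosts.
SAMPLE_IOCS = """\
ip,203.0.113.45
ip,10.0.0.5
ip,8.8.8.8
domain,update-checker-example.net
domain,microsoft.com
domain,cdn.example-supplier.com
md5,d41d8cd98f00b204e9800998ecf8427e
sha256,3a7bd3e2360a3d29eea436fcfb7e44c735d117c42d1c1835420b6b9942dd4f1b
url,http://203.0.113.45/login.php
"""

# Hypothetical allowlist of infrastructure that turns up in poorly vetted feeds;
# an analyst would extend it with their own environment's legitimate services.
GENERIC_DOMAINS = {"microsoft.com", "google.com", "windowsupdate.com",
                   "akamai.net", "cloudfront.net", "amazonaws.com"}
PUBLIC_RESOLVERS = {"8.8.8.8", "8.8.4.4", "1.1.1.1", "9.9.9.9"}
# Digests of the empty file: they match on nearly every host and only generate noise.
NOISE_HASHES = {
    "d41d8cd98f00b204e9800998ecf8427e",                                  # MD5("")
    "da39a3ee5e6b4b0d3255bfef95601890afd80709",                          # SHA-1("")
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",  # SHA-256("")
}
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]
HASH_LENGTHS = {"md5": 32, "sha1": 40, "sha256": 64}


def vet_ip(value):
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        return "review", "not a valid IP address"
    if any(ip in net for net in NON_ROUTABLE):
        return "reject", "non-routable address; would alert on internal traffic"
    if str(ip) in PUBLIC_RESOLVERS:
        return "reject", "public DNS resolver; blocking it breaks name resolution"
    return "deploy", "routable address with no allowlist match"


def vet_domain(value):
    name = value.strip().lower().rstrip(".")
    if name in GENERIC_DOMAINS:
        return "reject", "apex of a widely used service"
    if any(name.endswith("." + g) for g in GENERIC_DOMAINS):
        return "review", "subdomain of a widely used service; confirm it is attacker-controlled"
    return "deploy", "no allowlist match"


def vet_hash(kind, value):
    h = value.strip().lower()
    if len(h) != HASH_LENGTHS[kind] or any(c not in "0123456789abcdef" for c in h):
        return "review", "malformed %s digest" % kind
    if h in NOISE_HASHES:
        return "reject", "digest of the empty file"
    return "deploy", "well-formed digest"


def vet_ioc(kind, value):
    """Return (verdict, reason) for one indicator; verdict is deploy, review or reject."""
    kind = kind.strip().lower()
    if kind == "ip":
        return vet_ip(value.strip())
    if kind == "domain":
        return vet_domain(value)
    if kind in HASH_LENGTHS:
        return vet_hash(kind, value)
    if kind == "url":
        host = urlsplit(value.strip()).hostname or ""
        if not host:
            return "review", "URL has no host"
        try:
            ipaddress.ip_address(host)
            return vet_ip(host)          # host part is a literal IP
        except ValueError:
            return vet_domain(host)      # host part is a name
    return "review", "unknown indicator type"


def vet_feed(text):
    """Vet a kind,value feed; returns a list of (kind, value, verdict, reason)."""
    results = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        kind, _, value = line.partition(",")
        verdict, reason = vet_ioc(kind, value)
        results.append((kind.strip().lower(), value.strip(), verdict, reason))
    return results


if __name__ == "__main__":
    for kind, value, verdict, reason in vet_feed(SAMPLE_IOCS):
        print("%-7s %-7s %-45s %s" % (verdict, kind, value, reason))
```

Only indicators that come back as "deploy" should go straight into blocking controls; "review" items go to an analyst, and "reject" items are dropped with the reason recorded so the same feed is not re-vetted from scratch next time. The allowlists here are deliberately small; in practice they are built from the organization's own egress baseline.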