A new joint FBI-DHS report dishes the dirt on recent sophisticated attacks targeting the US energy grid and critical infrastructure, saying attackers used third-party firms and web sites to gain access to energy and other critical infrastructure networks. It also names a sophisticated hacking group believed to be linked to the government of Russia.
The FBI and Department of Homeland Security released a report on Saturday that fills in critical details about a spate of recent attacks on U.S. critical infrastructure providers, including the use of both phishing style attacks and so-called “watering holes” to lure victims.
The joint FBI-DHS Technical Alert (TA17-293A) describes the actions of a so-called Advanced Persistent Threat (or APT) group known as “DragonFly.” That group has been linked by private firms like Symantec and Crowdstrike to the government of Russia. The group is targeting government agencies and private firms in sectors like energy, nuclear, water and aviation, as well as critical manufacturing in recent months as part of a campaign described by DHS and FBI as “ongoing.”
Third parties targeted in web of attacks
The report describes a complex web of attacks beginning with “peripheral organizations” such as industry publications and community sites for the industrial control sector. In some cases, attackers also used websites owned by ICS product vendors to insert malware directly in software that would be downloaded and used by those concerned with ICS systems, DHS and FBI report. The hackers used compromises of these so-called “staging targets” to pivot to their final intended victims: probing the target network from the trusted partner’s network or using the compromised staging target network to host malware intended for delivery to the final and intended target.
The Dragonfly or “Energetic Bear” group has been active since at least 2012 and was first identified in 2014 by security firms Symantec and CrowdStrike. According to a report by SANS on the group published in 2016, it first targeted the aviation and defense industries in the U.S. and Canada, but expanded to target energy sector firms in 2013. The group used a combination of social engineering attacks like spear phishing and attacks on unaffiliated web sites that are then turned into “watering holes” that lure intended victims.
The DHS and FBI joint technical analysis confirms many details of the DragonFly group that were already known: that it targets specific, typically high-level individuals after first researching those targets using open source information. The group’s campaigns typically employ phishing email attacks, sometimes with links to malicious websites controlled by the group that install data-stealing Trojans and other malware.
Windows and Word weaponized
However, the joint technical analysis also provides specific details on the maneuvers used in the most recent attacks, which date to May. Among other things, the report notes that attackers used so-called “fileless” approaches to compromise, leveraging existing and sanctioned programs on compromised systems. For example, a feature of Microsoft Word was exploited to harvest credentials from targets by prompting users with a domain login screen and then sending a hash of the captured password to the attackers for cracking offline. FBI and DHS also observed Windows .LNK format files – which are used as application icons – being abused to gather user credentials from victims.
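The credential-harvesting behavior described above depends on a reference inside the document that Word resolves on its own when the file is opened. As an added, defender-side example that is not part of the article or of the DHS/FBI alert, the Python script below treats a .docx as what it is (a zip of XML parts) and inspects its relationship files for entries marked External whose target is a UNC path or URL that Word would load automatically, the kind of reference that can cause the reader's machine to attempt an SMB authentication to a host the attacker controls. The sample document it builds is constructed for the demo, the host name in it is a placeholder, and the set of auto-loaded relationship types is an assumption to tune for your environment.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"

# Targets that make Word contact another host as soon as the document opens.
# A UNC path (\\host\share\...) or file:// URL is answered over SMB, and SMB
# authentication is where a domain password hash can leave the workstation.
REMOTE_TARGET = re.compile(r"^(\\\\|file://|https?://)", re.IGNORECASE)

# Relationship types Word follows without user interaction (assumption: extend
# as needed). Ordinary hyperlinks need a click and are left out to keep the
# false-positive rate down.
AUTO_LOADED = {"attachedTemplate", "subDocument", "image", "oleObject", "frame"}


def find_remote_references(docx_bytes):
    """Return a list of (rels_part, relationship_type, target) for every
    relationship in a .docx that is external, auto-loaded and remote."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter("{%s}Relationship" % REL_NS):
                rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                target = rel.get("Target", "")
                if (rel.get("TargetMode") == "External"
                        and rel_type in AUTO_LOADED
                        and REMOTE_TARGET.match(target)):
                    findings.append((name, rel_type, target))
    return findings


def build_sample_docx(template_target=None):
    """Build a minimal .docx in memory. Constructed sample for the demo only:
    with template_target set it mimics a document whose attached template
    lives on a remote share, which is what a scanner should catch."""
    rels = ['<?xml version="1.0" encoding="UTF-8" standalone="yes"?>',
            '<Relationships xmlns="%s">' % REL_NS]
    if template_target is not None:
        rels.append('<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/'
                    'officeDocument/2006/relationships/attachedTemplate" '
                    'Target="%s" TargetMode="External"/>' % template_target)
    rels.append("</Relationships>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", '<?xml version="1.0"?><Types/>')
        zf.writestr("word/document.xml", '<?xml version="1.0"?><document/>')
        zf.writestr("word/settings.xml", '<?xml version="1.0"?><settings/>')
        zf.writestr("word/_rels/settings.xml.rels", "\n".join(rels))
    return buf.getvalue()


if __name__ == "__main__":
    # Placeholder host name; not a real share.
    clean = build_sample_docx()
    suspect = build_sample_docx(r"\\template-host.invalid\share\normal.dotm")
    print("clean:  ", find_remote_references(clean))
    print("suspect:", find_remote_references(suspect))
```

Run it over a mail-gateway quarantine or on a sandbox host rather than on user workstations. A hit on attachedTemplate pointing at a share outside the organization is a strong signal on its own, and blocking outbound SMB (TCP 445) at the perimeter removes the hash-leak path regardless of whether a Word document or a .LNK icon reference carries the remote target.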
Once they had a foothold on the networks they were targeting, the DragonFly hackers used a variety of commercial and open source tools to move laterally within them and escape detection. Those tools include FortiClient, a free security tool that was used as a VPN client on targets. Open source tools like Hydra, SecretsDump, and CrackMapExec were also downloaded from public repositories like GitHub and used to expand the attackers’ control over the target network.
Common tools and techniques
Security experts said the report underscores that attackers are both clever and determined in gaining access to networks. Mark Dufresne, the Director of Threat Research and Adversary Prevention at the security firm Endgame, said the report was unique in going deeper in mapping the techniques used by the DragonFly group to the so-called cyber “kill chain” – which covers all the steps attackers take both to prepare for and then execute the attack. Prior reports of this sort often focused on post-exploitation tools and techniques, like the deployment of particular types of malicious software or communications with known malicious Internet domains.
“If you go through this they talk about things the adversary did,” he said. Companies should focus not just on the links back to the hacking group, but also on behaviors such as the use of .LNK and Microsoft Word .docx files and the creation of new user accounts that might otherwise go unnoticed, Dufresne said.
Itzik Kotler, the Chief Technology Officer at the firm SafeBreach, also praised the DHS and FBI report. Still, he said that there was little news in the report concerning the activity of groups like DragonFly/Energetic Bear.
Sophisticated attackers – like white hat developers – reuse code and tools just like ordinary developers and technology firms. “We see the same kind of usual suspects over and over,” he said. For example, the detail about DragonFly using Windows .LNK files to steal credentials is a well-known technique, he said. “We’re seeing this trend of reusing tools,” he said.
Security companies that can spot those similarities can curtail compromises even when truly novel tools – like the exploitation of previously undiscovered (or “zero day”) vulnerabilities – are used to gain a foothold.