Somebody wants to punch our lights out – literally turn off the electric power grid. Who would want to do this? Russia? North Korea? Cybersecurity firm Symantec has attributed this attack to a group they have identified as the Dragonfly Group, who may have been responsible for the attack on the Ukrainian electric grid in 2015 and 2016. Let’s continue the discussion we started on Wednesday.
On October 20, US-CERT, the Department of Homeland Security, and the FBI released an alert that detailed an ongoing advanced persistent threat targeting the US electric grid and other infrastructure in the energy, nuclear, aviation, water, and critical manufacturing sectors. If you are involved in security in those industries, I advise you to click through and read the entire alert. And if you are responsible for the security of a governmental, financial, or health care organization, you may want to consider how an exploit such as this could be used against you.
The threat actors in this campaign are employing a variety of tactics, techniques, and procedures, including:
- Open-source reconnaissance – AKA Googling. These attackers are performing in-depth reconnaissance on their target using information that can be found on the web. Additionally, they are gathering information about third parties that are frequently accessed by employees of the targeted companies, or third-party companies that have access to the utilities. It is often easier to breach a small partner or supplier and gain access to the larger target through them.
- Spear-phishing emails – Using the research gathered through reconnaissance, emails are designed to trick specifically chosen employees or officers into revealing user credentials or other compromising information. These attackers appear to be leveraging Server Message Block (SMB) authentication requests to capture the credential, then either reusing it via “pass the hash” or cracking the password using other techniques.
- Email account hijacking – Often, the phishing emails will arrive from the actual account of a known associate, which makes the email more convincing and harder to detect. Emails arriving from legitimate known users will sail past any email filtering the organization may have in place. This is especially true when the hijacked account is on the target’s email domain.
- Malicious attachments – This attack uses spear-phishing emails with a subject line of “AGREEMENT and confidential” and a PDF contract attachment titled “document.pdf.” The document itself does not contain malicious code, but contains a hyperlink that redirects the recipient, via a shortened Bitly link, to a website hosting another malicious document download. Sometimes the emails refer to “control systems” or “process control systems” and the attachments appear to be career resumes in Word format. These documents use known Word exploits to launch malicious code.
- Watering-hole domains – Another way the attackers are getting in is by compromising the web sites and resources of trusted support organizations such as trade publications or industry associations. Half of the known watering holes are trade publications and informational websites related to process control, ICS, or critical infrastructure. These entities are more lightly defended than the target companies. These resources are being used as staging areas to download and install malware onto the systems of visitors from the targeted networks.
- Host-based exploitation – With a foothold in the targeted company, the threat actors used compromised user credentials to download more tools from their command and control server. Some of these exploits allowed the attacker to create accounts in the domain, including domain and email administrator accounts.
- Industrial control system (ICS) and SCADA infrastructure targeting – Once on the network, the attackers are using reconnaissance to find and develop access nodes to the industrial control system. Usually the ICS system is designed with an “air gap” that is supposed to prevent access from the business network into the operations network. Often there are one or two systems that violate this assumption, and provide access to control systems.
- Ongoing credential gathering – While executing other aspects of this campaign, the attackers are continuing to gather or create new credentials that can be used as compromised credentials are discovered and disabled by the security team.
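One practical check for the SMB credential-capture technique described in the spear-phishing item above, written here as an added example (not code from the alert or from this post): it scans constructed firewall log lines for outbound SMB connections to addresses outside RFC 1918 space, which a workstation normally has no business making. The log format and the sample addresses are assumptions.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed sample of firewall connection logs (not taken from the alert).
SAMPLE_LOGS = """\
2017-10-21T09:12:03Z src=10.20.4.17 dst=10.20.4.5 dport=445 proto=tcp action=allow
2017-10-21T09:12:09Z src=10.20.4.17 dst=203.0.113.45 dport=445 proto=tcp action=allow
2017-10-21T09:13:11Z src=10.20.4.22 dst=198.51.100.9 dport=443 proto=tcp action=allow
2017-10-21T09:14:40Z src=10.20.4.31 dst=192.0.2.77 dport=139 proto=tcp action=allow
2017-10-21T09:15:02Z src=10.20.4.31 dst=172.16.8.3 dport=445 proto=tcp action=allow
"""

# SMB runs over 445 (direct) and 139 (NetBIOS session); both carry NTLM authentication.
SMB_PORTS = {139, 445}

# RFC 1918 ranges plus loopback; anything else is treated as "external" for this check.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
]

LOG_RE = re.compile(r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)")


def is_internal(ip: str) -> bool:
    """True when the address falls inside one of the internal ranges above."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def flag_external_smb(log_text: str) -> List[Dict]:
    """Return the log entries that show an internal host talking SMB to an external address.

    Each hit is a likely forced SMB authentication (a file:// link or UNC path in a
    phishing document) and should be reviewed and blocked at the perimeter.
    """
    hits = []
    for line in log_text.splitlines():
        match = LOG_RE.search(line)
        if not match:
            continue  # skip lines that do not match the assumed format
        dport = int(match["dport"])
        if dport in SMB_PORTS and not is_internal(match["dst"]):
            hits.append({"src": match["src"], "dst": match["dst"],
                         "dport": dport, "line": line})
    return hits
```

Blocking outbound TCP 139/445 at the firewall removes the technique entirely; the check above is for finding hosts where that block is missing or being bypassed.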
Included in this alert is a lengthy list of best practices, detection and prevention measures, and even a long set of network signatures and host-based rules to help the cybersecurity team defend against this exploit. If you work in the energy sector, hopefully you and your team are already working this plan. On Monday we will look at some of these best practices.