Last week, the Department of Homeland Security and Federal Bureau of Investigation issued a joint technical alert to warn of attacks on US critical infrastructure powered by Russian threat actors. The US-CERT blamed the APT group tracked as Dragonfly, Crouching Yeti, and Energetic Bear.
Last week the US-CERT updated its alert by providing further info that and officially linking the above APT groups to the Kremlin.
The Alert (TA18-074A) warns of “Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors,” it labels the attackers as “Russian government cyber actors.”
“This alert provides information on Russian government actions targeting U.S. Government entities as well as organizations in the energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors.” reads the alert.
“It also contains indicators of compromise (IOCs) and technical details on the tactics, techniques, and procedures (TTPs) used by Russian government cyber actors on compromised victim networks.”
The analysis of indicators of compromise (IoCs), the Dragonfly threat actor is still very active and its attacks are ongoing.
“DHS and FBI characterize this activity as a multi-stage intrusion campaign by Russian government cyber actors who targeted small commercial facilities’ networks where they staged malware, conducted spear phishing, and gained remote access into energy sector networks.” continues the alert. “After obtaining access, the Russian government cyber actors conducted network reconnaissance, moved laterally, and collected information pertaining to Industrial Control Systems (ICS).”
On the other side, the Russian Government has always denied the accusations, in June 2017 Russian President Putin declared that patriotic hackers may have powered attacks against foreign countries and denied the involvement of Russian cyberspies.
According to the DHS, the Russi-linked APT groups targeted two groups. the infrastructure operators and also peripheral “staging targets” which could be used as stepping stone into the intended targets.
“This campaign comprises two distinct categories of victims: staging and intended targets. The initial victims are peripheral organizations such as trusted third-party suppliers with less secure networks, referred to as “staging targets” throughout this alert.” continues the alert.
“The threat actors used the staging targets’ networks as pivot points and malware repositories when targeting their final intended victims. NCCIC and FBI judge the ultimate objective of the actors is to compromise organizational networks, also referred to as the “intended target.“”
The alert doesn’t include details of specific targets compromised by Russians hackers.
The Russian hackers were able to compromise the control systems by installing their custom malware to harvest credentials of authorized users, monitor communications, and gain control of the systems.
Only last week, the government announced sanctions against Russia’s top spy agencies and more than a dozen individuals.
(Security Affairs – Russia, critical infrastructure)