The US Department of Homeland Security (DHS) and the FBI have issued a warning that APT groups are actively targeting government departments, and firms working in the energy, nuclear, water, aviation, and critical manufacturing sectors.
The warning was sent to the organization via email on Friday to inform them of Advanced Persistent Threat Activity targeting energy and other critical infrastructure sectors since at least May 2017.
“Since at least May 2017, threat actors have targeted government entities and the energy, water, aviation, nuclear, and critical manufacturing sectors, and, in some cases, have leveraged their capabilities to compromise victims’ networks.” reads the alert.
“Analysis by DHS, FBI, and trusted partners has identified distinct indicators and behaviors related to this activity. Of specific note, the report Dragonfly: Western energy sector targeted by sophisticated attack group, released by Symantec on September 6, 2017, provides additional information about this ongoing campaign. “
The hackers use to target third-party suppliers and contractors (“staging targets”) to hit intended institution.
The attackers leverage the staging targets’ networks as pivot points and malware repositories when launching the attacks on their final intended victims.
According to the warning, the campaign is still ongoing, the government experts believe it is operated by the Dragonfly hacking group (aka Energetic Bear) that has been active since at least 2011 when it targeted defense and aviation companies in the US and Canada. Only in a second phase Dragonfly has focused its effort on US and European energy firms in early 2013.
In 2014, security experts at Symantec uncovered a new campaign targeting organizations located in the US, Italy, France, Spain, Germany, Turkey, and Poland.
Dragonfly gang conducted a cyber espionage campaign against energy grid operators, major electricity generation firms, petroleum pipeline operators, and energy industry industrial equipment providers.
According to the JAR report published by the US Department of Homeland Security, Dragonfly was Russian APT actor linked to the Government.
The infamous group remained under the radar since December 2015, but now the researchers pointed out Dragonfly targeted energy companies in Europe and the US.
In September 2017, the attackers aimed to control or even sabotage operational systems at energy facilities.
Back to the ongoing campaign, the attackers launched a spear-phishing campaign.
“Throughout the spear-phishing campaign, threat actors used email attachments to leverage legitimate Microsoft Office functions to retrieve a document from a remote server using the Server Message Block (SMB) protocol. (An example of this request is: file[:]//<remote IP address>/Normal.dotm). As a part of the standard processes executed by Microsoft Word, this request authenticates the client with the server, sending the user’s credential hash to the remote server prior to retrieving the requested file.” states the alert. “(Note: It is not necessary for the file to be retrieved for the transfer of credentials to occur.) The threat actors then likely used password-cracking techniques to obtain the plaintext password. Once actors obtain valid credentials, they are able to masquerade as authorized users.”
APT28 hackers also used spear-phishing emails with a generic contract agreement in the form of a PDF that even if doesn’t include a malicious code prompts the victim to click a link which (via a shortened URL) downloads a malicious file.
The weaponized attachments may refer to legitimate curricula vitae CVs or resumés for industrial control systems personnel, invitations or policy documents designed to entice users into clicking on the attachment.
“The emails leveraged malicious Microsoft Word attachments that appear to be legitimate résumés or curricula vitae (CVs) for industrial control systems personnel, as well as invitations and policy documents that entice the user to open the attachment. The list of file names has been published in the IOC.” continues the alert.
Attackers also used watering hole attacks, attackers compromise trade publications and informational websites related to process control, ICS, or critical infrastructure.
Much more detail, including indicators of compromise, filenames used in the attacks, and MD5 hashes, can be found in the alert published on US-CERT.