A recent technical alert, issued on the basis of information from the Department of Homeland Security and the Federal Bureau of Investigation, warns of ongoing cyberattacks against critical industrial infrastructure and control systems across the United States.
The United States Computer Emergency Readiness Team (US-CERT) responds to major incidents, analyzes threats, and exchanges critical cybersecurity information in an effort to protect the Internet. Analysis by the Department of Homeland Security (DHS), the Federal Bureau of Investigation (FBI), and other trusted U.S. and international partners has resulted in US-CERT issuing a joint Technical Alert (TA17-293A) that warns of advanced and persistent cyberthreats targeting government entities and organizations in the energy, nuclear, water, aviation, and critical manufacturing sectors across the United States.
The alert published by US-CERT warns, “Since at least May 2017, threat actors have targeted government entities and the energy, water, aviation, nuclear, and critical manufacturing sectors, and, in some cases, have leveraged their capabilities to compromise victims’ networks.”
Though the alert does not name it, the activity is related to a campaign that Symantec reported on September 6 and identified as Dragonfly 2.0. According to Symantec’s analysis, the attacks have been under way since December 2015, with an increasing number of attacks in 2017, and the campaign is considered to be ongoing. Systems affected include domain controllers, file servers, and e-mail servers.
“DHS assesses this activity as a multistage intrusion campaign by threat actors targeting low security and small networks to gain access and move laterally to networks of major, high value asset owners within the energy sector,” the US-CERT alert said. “Based on malware analysis and observed IOCs [indicators of compromise], DHS has confidence that this campaign is still ongoing, and threat actors are actively pursuing their ultimate objectives over a long-term campaign.”
The alert describes two distinct categories of victims: staging targets and intended targets. The initial victims, referred to in the alert as “staging targets,” are peripheral organizations such as trusted third-party suppliers with less secure networks. The threat actor uses the staging targets’ networks as pivot points and malware repositories when going after its final victims. The ultimate objective of the cyberthreat actors is to compromise the networks of those organizations, which the alert refers to throughout as the “intended target.”
“The threat actors compromise the infrastructure of trusted organizations to reach intended targets,” said the alert.
The US-CERT technical alert provides detection and prevention guidelines to help defend against these attacks. It recommends that network administrators review the IP addresses, domain names, file hashes, and YARA and Snort signatures provided, and add the IPs to their watch list to determine whether malicious activity is occurring within their organization. The report contains IOCs and technical details on the tactics, techniques, and procedures (TTPs) used by the APT actors on compromised victims’ networks.
“Reviewing network perimeter net flow will help determine whether a network has experienced suspicious activity,” the technical alert states. “Network defenders and malware analysts should use the YARA and Snort signatures provided in the associated YARA and .txt file to identify malicious activity.”
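The review the alert recommends, screening perimeter netflow, DNS queries, and file hashes against the published indicator list, is straightforward to script. The following example is added here and is not code from US-CERT or the alert; the indicator values, flow records, DNS records, and file hashes in it are constructed placeholders (the real indicators are in the IOC files that accompany TA17-293A), and the five-field flow format is an assumption chosen for the example, not the format of any particular collector.

```python
"""Screen constructed netflow, DNS, and file-hash records against an IOC watch list."""
from collections import namedtuple

Flow = namedtuple("Flow", "ts src dst dport proto")
Hit = namedtuple("Hit", "kind indicator record")

# Constructed placeholder indicators. Replace with the IPs, domains and
# hashes from the alert's IOC files; none of these values come from TA17-293A.
WATCHLIST = {
    "ips": {"203.0.113.45", "198.51.100.7"},
    "domains": {"staging-target.example", "malware-repo.example"},
    "hashes": {"0" * 63 + "1"},  # placeholder SHA-256, not a real indicator
}


def parse_flow(line):
    """Parse one whitespace-separated record: ts src dst dport proto (assumed format)."""
    parts = line.split()
    if len(parts) != 5:
        raise ValueError(f"malformed flow record: {line!r}")
    ts, src, dst, dport, proto = parts
    return Flow(ts, src, dst, int(dport), proto.upper())


def domain_matches(qname, watched):
    """True if qname equals a watched domain or is a subdomain of one.

    The suffix check requires a leading dot so that 'notstaging-target.example'
    does not match 'staging-target.example'.
    """
    q = qname.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in watched)


def screen_flows(lines, watchlist=WATCHLIST):
    """Flag any flow whose source or destination is a watch-listed IP."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        flow = parse_flow(line)
        for ip in (flow.src, flow.dst):
            if ip in watchlist["ips"]:
                hits.append(Hit("ip", ip, line))
    return hits


def screen_dns(records, watchlist=WATCHLIST):
    """records: iterable of (timestamp, client_ip, queried_name) tuples."""
    return [
        Hit("domain", qname, f"{ts} {client} {qname}")
        for ts, client, qname in records
        if domain_matches(qname, watchlist["domains"])
    ]


def screen_hashes(files, watchlist=WATCHLIST):
    """files: iterable of (path, sha256_hex) tuples; comparison is case-insensitive."""
    watched = {h.lower() for h in watchlist["hashes"]}
    return [Hit("hash", h.lower(), path) for path, h in files if h.lower() in watched]


# Constructed sample data for a stand-alone run.
SAMPLE_FLOWS = [
    "# ts src dst dport proto",
    "2017-10-20T12:00:01Z 10.0.0.5 203.0.113.45 443 tcp",
    "2017-10-20T12:00:02Z 10.0.0.6 192.0.2.10 80 tcp",
    "2017-10-20T12:00:03Z 198.51.100.7 10.0.0.9 445 tcp",
]
SAMPLE_DNS = [
    ("2017-10-20T12:01:00Z", "10.0.0.5", "cdn.staging-target.example."),
    ("2017-10-20T12:01:05Z", "10.0.0.6", "example.org"),
    ("2017-10-20T12:01:09Z", "10.0.0.7", "notstaging-target.example"),
]
SAMPLE_FILES = [
    ("C:\\Users\\user\\Downloads\\invoice.docx", "0" * 63 + "1"),
    ("C:\\Windows\\Temp\\benign.exe", "a" * 64),
]


def screen_all(flows=SAMPLE_FLOWS, dns=SAMPLE_DNS, files=SAMPLE_FILES):
    """Run all three screens and return the combined list of hits."""
    return screen_flows(flows) + screen_dns(dns) + screen_hashes(files)


if __name__ == "__main__":
    for hit in screen_all():
        print(f"[{hit.kind}] indicator={hit.indicator} record={hit.record}")
```

Each hit is a triage lead, not a confirmed compromise: a watch-listed IP can be shared hosting, and a matched domain may be sinkholed, so the flagged records are the starting point for the netflow and host review the alert describes.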
US-CERT exchanges information across global communities to improve the security of the nation’s critical infrastructure and the systems and assets on which Americans depend.